Updates Exploits - Miscellaneous proof of concept exploit code.

Bash "ShellShock" Remote Code Execution

Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates Exploits 01.04.2015:
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ TBA

There are no changelogs here, as that would be too much effort; just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.

Exploit for CVE-2015-2208, phpMoAdmin Unauthenticated Remote Code Execution
This is an exploit for the eval() injection vulnerability recently disclosed in the phpMoAdmin MongoDB frontend. It is a very quick and dirty exploit, written to test out some new ideas I had for writing more streamlined PHP RCE exploits, in this case using the cookie to set the connectback host/port at runtime when doing a filedropper type thing. See the code for what I mean…

Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable phpMoAdmin script.

Exploit for OSVDB-75095, LotusCMS 3.0 Unauthenticated Remote Code Execution
This is an exploit for the eval() injection vulnerability found ages ago in LotusCMS. It is a very quick and dirty exploit, written to test out some new ideas I had for writing more streamlined PHP RCE exploits, in this case using the cookie to set the connectback host/port at runtime when doing a filedropper type thing. I ended up storing the payload itself in a POST variable, as storing it in the cookie led to some strange encoding issues. See the code for what I mean. The reason for writing this was to have a reliable “playground” in which to test ideas, and it is probably going to be an evolving piece of work.

Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable LotusCMS installation.

Download: Master.zip | Clone URL
Source: https://github.com/XiphosResearch | http://www.xiphosresearch.com/