880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
16 lines
No EOL
1.8 KiB
Text
16 lines
No EOL
1.8 KiB
Text
source: https://www.securityfocus.com/bid/282/info
|
|
|
|
A vulnerability in the Compaq Management Agents and the Compaq Survey Utility when running as an agent allows remote malicious users to steal local files. All Compaq Server and Client Management Agents version 4.0 or later are vulnerable. All Compaq Survey Utility versions 2.0 or later are vulnerable.
|
|
|
|
Compaq's Insight Manger a comprehensive management tool to monitor and control the operation of Compaq servers and clients and DIGITAL X86 and Alpha-based servers. One of its features is web acess to its device and configuration information via a built-in web server in the agents. Insight Manager is available for several platforms including Windows NT and Netware.
|
|
|
|
The web server in the agents fails to check whether requested files fall outside its document tree (by using ".." in the URL). Thus attackers can retrieve files in the same drives as that on which the software resides if they know or can get it's filename.
|
|
|
|
The web server listens on port 2301. By default the only user accounts available in the agents are account "anonymous", username "anonymous", no password, account "user", username "user", password "public", and account "administrator", username "administrator", and password "administrator". You login via the URL http://www.example.com:2301/cpqlogin.htm.
|
|
|
|
One an attacker has access to on such machine, using Compaq's HTTP Auto-Discovery Device List at the URL http://www.example.com/cpqdev.htm they can locate other machines.
|
|
|
|
The web agent service also appears to be vulnerable a a denial of service. By sending it a request for over 223 bytes long ("AAAA...") the service will fail with an access violation.
|
|
|
|
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
|
|
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf |